summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp1
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg2
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg11
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/tapicero.pp26
-rw-r--r--puppet/modules/site_config/manifests/default.pp7
-rw-r--r--puppet/modules/site_config/manifests/remove.pp5
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp (renamed from puppet/modules/site_config/manifests/remove_files.pp)9
-rw-r--r--puppet/modules/site_config/manifests/remove/tapicero.pp57
-rw-r--r--puppet/modules/site_couchdb/manifests/add_users.pp11
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp6
-rwxr-xr-xpuppet/modules/tapicero/files/tapicero.init60
-rw-r--r--puppet/modules/tapicero/manifests/init.pp137
-rw-r--r--puppet/modules/tapicero/templates/tapicero.yaml.erb52
13 files changed, 70 insertions, 314 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 912234ac..91dd2d3c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -20,7 +20,6 @@ if member($services, 'openvpn') {
if member($services, 'couchdb') {
include site_couchdb
- include tapicero
}
if member($services, 'webapp') {
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
index 95ddd2ca..0f378a5a 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
@@ -6,7 +6,7 @@
I 127.0.0.1 localhost:5984 .* ok
# https://leap.se/code/issues/5246
I Shutting down group server
- # ignore bigcouch conflict errors, mainly coming from tapicero creating new users
+ # ignore bigcouch conflict errors
I Error in process.*{{nocatch,conflict}
# ignore "Uncaught error in HTTP request: {exit, normal}" error
# it's suppressed in later versions of bigcouch anhow
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
deleted file mode 100644
index d98f5094..00000000
--- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
+++ /dev/null
@@ -1,11 +0,0 @@
-/var/log/leap/tapicero.log
-# Ignore transient Tapicero errors when creating a db (#6511)
- I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::ResourceNotFound|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
- C tapicero.*RestClient::InternalServerError:
-# possible race condition between multiple tapicero
-# instances, so we ignore it
-# see https://leap.se/code/issues/5168
- I tapicero.*RestClient::PreconditionFailed:
- C tapicero.*Creating database.*failed due to:
- C tapicero.*failed
- W tapicero.*Couch stream ended unexpectedly.
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
deleted file mode 100644
index 8505b34a..00000000
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ /dev/null
@@ -1,26 +0,0 @@
-# sets up tapicero monitoring
-class site_check_mk::agent::tapicero {
-
- include ::site_nagios::plugins
-
- # watch logs
- file { '/etc/check_mk/logwatch.d/tapicero.cfg':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
- }
-
- # local nagios plugin checks via mrpe
- augeas {
- 'Tapicero_Procs':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => [
- 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
- "set Tapicero_Procs \"/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 --ereg-argument-array='^tapicero$'\"" ],
- require => File['/etc/check_mk/mrpe.cfg'];
- 'Tapicero_Heartbeat':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 1200 -c 2400\'',
- require => File['/etc/check_mk/mrpe.cfg'];
- }
-}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index e69e4b7b..6b10dc19 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -1,3 +1,4 @@
+# common things to set up on every node
class site_config::default {
tag 'leap_base'
@@ -29,7 +30,7 @@ class site_config::default {
# i.e. openstack/aws nodes, vagrant nodes
# fix dhclient from changing resolver information
- if $::dhcp_enabled == 'true' {
+ if $::dhcp_enabled == 'true' {
include site_config::dhclient
}
@@ -58,7 +59,9 @@ class site_config::default {
# set up core leap files and directories
include site_config::files
- include site_config::remove_files
+
+ # remove leftovers from previous deploys
+ include site_config::remove
if ! member($services, 'mx') {
include site_postfix::satellite
diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp
new file mode 100644
index 00000000..00502c0a
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove.pp
@@ -0,0 +1,5 @@
+# remove leftovers from previous deploys
+class site_config::remove {
+ include site_config::remove::files
+ include site_config::remove::tapicero
+}
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 07487d6a..feff7c05 100644
--- a/puppet/modules/site_config/manifests/remove_files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -9,7 +9,7 @@
# release.
#
-class site_config::remove_files {
+class site_config::remove::files {
#
# Platform 0.8 removals
@@ -44,13 +44,6 @@ class site_config::remove_files {
'/etc/leap/soledad-server.conf':;
}
- if member($::services, 'webapp') {
- tidy {
- '/etc/apache/sites-enabled/leap_webapp.conf':
- notify => Service['apache'];
- }
- }
-
# leax-mx logged to /var/log/leap_mx.log in the past
# we need to use a dumb exec here because file_line doesn't
# allow removing lines that match a regex in the current version
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp
new file mode 100644
index 00000000..765f7428
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/tapicero.pp
@@ -0,0 +1,57 @@
+# remove tapicero leftovers from previous deploys
+class site_config::remove::tapicero {
+
+ exec { 'kill_tapicero':
+ onlyif => '/usr/bin/test -s /var/run/tapicero.pid',
+ command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid'
+ }
+
+ user { 'tapicero':
+ ensure => absent;
+ }
+
+ group { 'tapicero':
+ ensure => absent,
+ require => User['tapicero'];
+ }
+
+ tidy {
+ '/srv/leap/tapicero':
+ recurse => true,
+ require => [ Exec['kill_tapicero'] ];
+ '/var/lib/leap/tapicero':
+ require => [ Exec['kill_tapicero'] ];
+ '/var/run/tapicero':
+ require => [ Exec['kill_tapicero'] ];
+ '/etc/leap/tapicero.yaml':
+ require => [ Exec['kill_tapicero'] ];
+ '/etc/init.d/tapicero':
+ require => [ Exec['kill_tapicero'] ];
+ 'tapicero_logs':
+ path => '/var/log/leap',
+ recurse => true,
+ matches => 'tapicero*',
+ require => [ Exec['kill_tapicero'] ];
+ '/etc/check_mk/logwatch.d/tapicero.cfg':;
+ 'checkmk_logwatch_spool':
+ path => '/var/lib/check_mk/logwatch',
+ recurse => true,
+ matches => '*tapicero.log',
+ require => [ Exec['kill_tapicero'] ];
+ }
+
+ # remove local nagios plugin checks via mrpe
+ augeas {
+ 'Tapicero_Procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ 'Tapicero_Heartbeat':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm Tapicero_Heartbeat',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+}
diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp
index 2f734ed4..c905316b 100644
--- a/puppet/modules/site_couchdb/manifests/add_users.pp
+++ b/puppet/modules/site_couchdb/manifests/add_users.pp
@@ -1,3 +1,4 @@
+# add couchdb users for all services
class site_couchdb::add_users {
Class['site_couchdb::create_dbs']
@@ -35,16 +36,6 @@ class site_couchdb::add_users {
require => Couchdb::Query::Setup['localhost']
}
- ### tapicero couchdb user
- ### admin: needs to be able to create user-<uuid> databases
- ### read: users
- couchdb::add_user { $site_couchdb::couchdb_tapicero_user:
- roles => '["users"]',
- pw => $site_couchdb::couchdb_tapicero_pw,
- salt => $site_couchdb::couchdb_tapicero_salt,
- require => Couchdb::Query::Setup['localhost']
- }
-
## webapp couchdb user
## read/write: users, tokens, sessions, tickets, identities, customer
couchdb::add_user { $site_couchdb::couchdb_webapp_user:
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6b6ddd3a..1ec15f00 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -26,11 +26,6 @@ class site_couchdb {
$couchdb_soledad_pw = $couchdb_soledad['password']
$couchdb_soledad_salt = $couchdb_soledad['salt']
- $couchdb_tapicero = $couchdb_users['tapicero']
- $couchdb_tapicero_user = $couchdb_tapicero['username']
- $couchdb_tapicero_pw = $couchdb_tapicero['password']
- $couchdb_tapicero_salt = $couchdb_tapicero['salt']
-
$couchdb_webapp = $couchdb_users['webapp']
$couchdb_webapp_user = $couchdb_webapp['username']
$couchdb_webapp_pw = $couchdb_webapp['password']
@@ -66,6 +61,5 @@ class site_couchdb {
if $couchdb_backup { include site_couchdb::backup }
include site_check_mk::agent::couchdb
- include site_check_mk::agent::tapicero
}
diff --git a/puppet/modules/tapicero/files/tapicero.init b/puppet/modules/tapicero/files/tapicero.init
deleted file mode 100755
index 7a9af45f..00000000
--- a/puppet/modules/tapicero/files/tapicero.init
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides: tapicero
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: tapicero initscript
-# Description: Controls tapicero daemon
-### END INIT INFO
-
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-BUNDLER=/usr/bin/bundle
-NAME=tapicero
-HOME="/srv/leap"
-DAEMON="${HOME}/${NAME}/bin/${NAME}"
-BUNDLE_GEMFILE="${HOME}/${NAME}/Gemfile"
-
-export BUNDLE_GEMFILE
-
-# exit if the daemon doesn't exist
-[ -x "$DAEMON" ] || exit 0
-
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-if [ "$VERBOSE" != no ]; then
- OPTIONS="--verbose"
-else
- OPTIONS=""
-fi
-
-case "$1" in
- start)
- $BUNDLER exec $DAEMON start $OPTIONS
- exit $?
- ;;
- stop)
- $BUNDLER exec $DAEMON stop $OPTIONS
- exit $?
- ;;
- restart)
- $BUNDLER exec $DAEMON restart $OPTIONS
- exit $?
- ;;
- reload)
- $BUNDLER exec $DAEMON reload $OPTIONS
- exit $?
- ;;
- status)
- $BUNDLER exec $DAEMON status $OPTIONS
- exit $?
- ;;
- *)
- echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|status}"
- exit 1
-esac
-
-exit 0
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
deleted file mode 100644
index ca8488c8..00000000
--- a/puppet/modules/tapicero/manifests/init.pp
+++ /dev/null
@@ -1,137 +0,0 @@
-class tapicero {
- tag 'leap_service'
-
- $couchdb = hiera('couch')
- $couchdb_port = $couchdb['port']
-
- $couchdb_users = $couchdb['users']
-
- $couchdb_admin_user = $couchdb_users['admin']['username']
- $couchdb_admin_password = $couchdb_users['admin']['password']
-
- $couchdb_soledad_user = $couchdb_users['soledad']['username']
- $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username']
-
- $couchdb_mode = $couchdb['mode']
- $couchdb_replication = $couchdb['replication']
-
- $sources = hiera('sources')
-
- Class['site_config::default'] -> Class['tapicero']
-
- include site_config::ruby::dev
-
- #
- # USER AND GROUP
- #
-
- group { 'tapicero':
- ensure => present,
- allowdupe => false;
- }
-
- user { 'tapicero':
- ensure => present,
- allowdupe => false,
- gid => 'tapicero',
- home => '/srv/leap/tapicero',
- require => Group['tapicero'];
- }
-
- #
- # TAPICERO FILES
- #
-
- file {
-
- #
- # TAPICERO DIRECTORIES
- #
-
- '/srv/leap/tapicero':
- ensure => directory,
- owner => 'tapicero',
- group => 'tapicero',
- require => User['tapicero'];
-
- '/var/lib/leap/tapicero':
- ensure => directory,
- owner => 'tapicero',
- group => 'tapicero',
- require => User['tapicero'];
-
- # for pid file
- '/var/run/tapicero':
- ensure => directory,
- owner => 'tapicero',
- group => 'tapicero',
- require => User['tapicero'];
-
- #
- # TAPICERO CONFIG
- #
-
- '/etc/leap/tapicero.yaml':
- content => template('tapicero/tapicero.yaml.erb'),
- owner => 'tapicero',
- group => 'tapicero',
- mode => '0600',
- notify => Service['tapicero'];
-
- #
- # TAPICERO INIT
- #
-
- '/etc/init.d/tapicero':
- source => 'puppet:///modules/tapicero/tapicero.init',
- owner => root,
- group => 0,
- mode => '0755',
- require => Vcsrepo['/srv/leap/tapicero'];
- }
-
- #
- # TAPICERO CODE
- #
-
- vcsrepo { '/srv/leap/tapicero':
- ensure => present,
- force => true,
- revision => $sources['tapicero']['revision'],
- provider => $sources['tapicero']['type'],
- source => $sources['tapicero']['source'],
- owner => 'tapicero',
- group => 'tapicero',
- require => [ User['tapicero'], Group['tapicero'] ],
- notify => Exec['tapicero_bundler_update']
- }
-
- exec { 'tapicero_bundler_update':
- cwd => '/srv/leap/tapicero',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
- unless => '/usr/bin/bundle check',
- user => 'tapicero',
- timeout => 600,
- require => [
- Class['bundler::install'],
- Vcsrepo['/srv/leap/tapicero'],
- Class['site_config::ruby::dev'] ],
- notify => Service['tapicero'];
- }
-
- #
- # TAPICERO DAEMON
- #
-
- service { 'tapicero':
- ensure => running,
- enable => true,
- hasstatus => false,
- hasrestart => true,
- require => [ File['/etc/init.d/tapicero'],
- File['/var/run/tapicero'],
- Couchdb::Add_user[$::site_couchdb::couchdb_tapicero_user] ];
- }
-
- leap::logfile { 'tapicero': }
-}
diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb
deleted file mode 100644
index 8b08b49c..00000000
--- a/puppet/modules/tapicero/templates/tapicero.yaml.erb
+++ /dev/null
@@ -1,52 +0,0 @@
-<%- require 'json' -%>
-
-#
-# Default configuration options for Tapicero
-#
-
-# couch connection configuration
-connection:
- protocol: "http"
- host: "localhost"
- port: <%= @couchdb_port %>
- username: <%= @couchdb_admin_user %>
- password: <%= @couchdb_admin_password %>
- prefix : ""
- suffix : ""
- netrc: "/etc/couchdb/couchdb.netrc"
-
-# file to store the last processed user record in so we can resume after
-# a restart:
-seq_dir: "/var/lib/leap/tapicero/"
-
-# Configure log_file like this if you want to log to a file instead of syslog:
-#log_file: "/var/log/leap/tapicero.log"
-#log_level: debug
-log_level: info
-
-# tapicero specific options
-options:
- # prefix for per user databases:
- db_prefix: "user-"
- mode: <%= @couchdb_mode %>
-<%- if @couchdb_replication %>
- replication: <%= @couchdb_replication.to_json %>
-<%- end -%>
-
- # security settings to be used for the per user databases
- security:
- admins:
- names:
- # We explicitly allow the admin user to access per user databases, even
- # though admin access ignores per database security we just do this to be
- # explicit about this
- - <%= @couchdb_admin_user %>
- roles: []
- members:
- names:
- - <%= @couchdb_soledad_user %>
- - <%= @couchdb_leap_mx_user %>
- roles:
- - replication
-
-