diff options
Diffstat (limited to 'puppet')
18 files changed, 275 insertions, 70 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9da2174c..c8502bc7 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -22,4 +22,8 @@ node 'default' { if 'webapp' in $services { include site_webapp } + + if 'ca' in $services { + include site_ca_daemon + } } diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf index 79ad931d..0dff2cd6 100644 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -3,8 +3,8 @@ Listen 0.0.0.0:6984 <VirtualHost *:6984> SSLEngine On SSLProxyEngine On - SSLCertificateKeyFile /etc/couchdb/server_key.pem - SSLCertificateFile /etc/couchdb/server_cert.pem + SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key + SSLCertificateFile /etc/x509/certs/leap_couchdb.crt ProxyPass / http://127.0.0.1:5984/ ProxyPassReverse / http://127.0.0.1:5984/ </VirtualHost> diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 37c4a727..05d5f69d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -19,8 +19,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 85e7289b..8c820788 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,8 +21,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp new file mode 100644 index 00000000..ab6b08fd --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/apache.pp @@ -0,0 +1,62 @@ +class site_ca_daemon::apache { + + $api_domain = hiera('api_domain') + $x509 = hiera('x509') + $commercial_key = $x509['commercial_key'] + $commercial_cert = $x509['commercial_cert'] + $commercial_root = $x509['commercial_ca_cert'] + $api_key = $x509['key'] + $api_cert = $x509['cert'] + $api_root = $x509['ca_cert'] + + $apache_no_default_site = true + include apache::ssl + + apache::module { + 'alias': ensure => present; + 'rewrite': ensure => present; + 'headers': ensure => present; + } + + class { 'passenger': use_munin => false } + + apache::vhost::file { + 'leap_ca_daemon': + content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb') + } + + apache::vhost::file { + 'api': + content => template('site_apache/vhosts.d/api.conf.erb') + } + + x509::key { + 'leap_ca_daemon': + content => $commercial_key, + notify => Service[apache]; + + 'leap_api': + content => $api_key, + notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $commercial_cert, + notify => Service[apache]; + + 'leap_api': + content => $api_cert, + notify => Service[apache]; + } + + x509::ca { + 'leap_ca_daemon': + content => $commercial_root, + notify => Service[apache]; + + 'leap_api': + content => $api_root, + notify => Service[apache]; + } +} diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp new file mode 100644 index 00000000..f446a05b --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp @@ -0,0 +1,16 @@ +class site_ca_daemon::couchdb { + + $ca = hiera('ca_daemon') + $couchdb_host = $ca['couchdb_hosts'] + $couchdb_user = $ca['couchdb_user']['username'] + $couchdb_password = $ca['couchdb_user']['password'] + + file { + '/etc/leap/leap_ca.yaml': + content => template('site_ca_daemon/leap_ca.yaml.erb'), + owner => leap_ca_daemon, + group => leap_ca_daemon, + mode => '0600'; + } + +} diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp new file mode 100644 index 00000000..db76e0fb --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -0,0 +1,76 @@ +class site_ca_daemon { + + #$definition_files = hiera('definition_files') + #$provider = $definition_files['provider'] + #$eip_service = $definition_files['eip_service'] + $x509 = hiera('x509') + + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] + + class { 'ruby': ruby_version => '1.9.3' } + + class { 'bundler::install': install_method => 'package' } + + include rubygems + #include site_ca_daemon::apache + include site_ca_daemon::couchdb + + group { 'leap_ca_daemon': + ensure => present, + allowdupe => false; + } + + user { 'leap_ca_daemon': + ensure => present, + allowdupe => false, + gid => 'leap_ca_daemon', + home => '/srv/leap_ca_daemon', + require => [ Group['leap_ca_daemon'] ]; + } + + + x509::key { + 'leap_ca_daemon': + content => $x509['key'], + #notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $x509['cert'], + #notify => Service[apache]; + } + + x509::ca { + 'leap_ca_daemon': + content => $x509['ca_cert'], + #notify => Service[apache]; + } + + + file { '/srv/leap_ca_daemon': + ensure => directory, + owner => 'leap_ca_daemon', + group => 'leap_ca_daemon', + require => User['leap_ca_daemon']; + } + + vcsrepo { '/srv/leap_ca_daemon': + ensure => present, + revision => 'origin/master', + provider => git, + source => 'git://code.leap.se/leap_ca', + owner => 'leap_ca_daemon', + group => 'leap_ca_daemon', + require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ], + notify => Exec['bundler_update'] + } + + exec { 'bundler_update': + cwd => '/srv/leap_ca_daemon', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', + unless => '/usr/bin/bundle check', + require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; + } + +} diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb new file mode 100644 index 00000000..e0b95278 --- /dev/null +++ b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb @@ -0,0 +1,31 @@ +# +# Default configuration options for LEAP Certificate Authority Daemon +# + +# +# Certificate Authority +# +ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" +ca_key_password: nil +ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" + +# +# Certificate pool +# +max_pool_size: 100 +client_cert_lifespan: 2 +client_cert_bit_size: 2024 +client_cert_hash: "SHA256" + +# +# Database +# +db_name: "client_certificates" +couch_connection: + protocol: "https" + host: <%= couchdb_host %> + port: 6984 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + prefix: "" + suffix: "" diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp new file mode 100644 index 00000000..06cd5c01 --- /dev/null +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -0,0 +1,20 @@ +class site_config::hosts() { + + $hosts = hiera('hosts','') + $hostname = hiera('name') + + file { "/etc/hostname": + ensure => present, + content => $hostname + } + + exec { "/bin/hostname $hostname": + subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], + refreshonly => true; + } + + file { '/etc/hosts': + content => template('site_config/hosts'), + mode => '0644', owner => root, group => root; + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 7f67ad4e..bab186d0 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -11,4 +11,13 @@ class site_config { # configure /etc/resolv.conf include site_config::resolvconf + + # configure /etc/hosts + stage { 'initial': + before => Stage['main'], + } + + class { 'site_config::hosts': + stage => initial, + } } diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts new file mode 100644 index 00000000..c516eaf8 --- /dev/null +++ b/puppet/modules/site_config/templates/hosts @@ -0,0 +1,13 @@ +# This file is managed by puppet, any changes will be overwritten! + +127.0.0.1 localhost +<%- if hosts.to_s != '' then -%> +<%= hosts %> +<% end -%> + +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 92170780..02aae0c3 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,36 +1,25 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { $apache_no_default_site = true - include apache::ssl + include apache apache::module { - 'rewrite': ensure => present; 'proxy': ensure => present; 'proxy_http': ensure => present; + 'rewrite': ensure => present; + 'ssl': ensure => present; } apache::vhost::file { 'couchdb_proxy': } - # prevent 0-default.conf and 0-default_ssl.conf from apache module - # from starting on port 80 / 443 - file { '/etc/apache2/ports.conf': - content => '', - mode => '0644', - owner => 'root', - group => 'root', - } - file { '/etc/couchdb/server_cert.pem': - mode => '0644', - owner => 'couchdb', - group => 'couchdb', - content => $cert, - notify => Service[apache], + x509::key { + 'leap_couchdb': + content => $x509['key'], + notify => Service[apache]; } - file { '/etc/couchdb/server_key.pem': - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - content => $key, - notify => Service[apache], + x509::cert { + 'leap_couchdb': + content => $x509['cert'], + notify => Service[apache]; } } diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 25ea7a0b..333511b5 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,9 +1,4 @@ class site_couchdb::configure { - Class[site_couchdb::package] -> Class[couchdb] - - class { 'couchdb': - require => Class['site_couchdb::package'], } - file { '/etc/init.d/couchdb': source => 'puppet:///modules/site_couchdb/couchdb', diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 10408094..04f2ca1a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,7 @@ class site_couchdb { + include couchdb + $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] @@ -15,21 +17,17 @@ class site_couchdb { $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - Class['site_couchdb::package'] - -> Exec['refresh_apt'] - -> Package ['couchdb'] + Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] -> File['/etc/couchdb/couchdb.netrc'] - -> Couchdb::Create_db[leap_web] - -> Couchdb::Create_db[leap_ca] + -> Couchdb::Create_db['users'] + -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - # Setup couchdb - include site_couchdb::package include site_couchdb::configure include couchdb::deploy_config @@ -54,11 +52,11 @@ class site_couchdb { pw => $couchdb_ca_daemon_pw } - couchdb::create_db { 'leap_web': + couchdb::create_db { 'users': readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } - couchdb::create_db { 'leap_ca': + couchdb::create_db { 'client_certificates': readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } } diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp deleted file mode 100644 index c091316a..00000000 --- a/puppet/modules/site_couchdb/manifests/package.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_couchdb::package { - - # for now, we need to install couchdb from unstable, - # because of this bug while installing: - # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 - # can be removed when couchdb/1.2.0-2 is integrated into testing - apt::sources_list { 'unstable.list': - source => [ 'puppet:///modules/site_apt/unstable.list'], - } - apt::preferences_snippet{ - 'couchdb': release => 'unstable', priority => 999; - } -} diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 12c1bd8f..4c43ec05 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,22 +1,26 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::x509_config['ca_cert'], - mode => '0644', + x509::key { + 'leap_openvpn': + content => $site_openvpn::x509_config['key'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', + x509::cert { + 'leap_openvpn': + content => $site_openvpn::x509_config['cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.key': - content => $site_openvpn::x509_config['key'], - mode => '0600', + x509::ca { + 'leap_openvpn': + content => $site_openvpn::x509_config['ca_cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.crt': - content => $site_openvpn::x509_config['cert'], + file { '/etc/openvpn/keys/dh.pem': + content => $site_openvpn::x509_config['dh'], mode => '0644', } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6fc3a3c2..c4f64225 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/keys/ca.crt', + value => '/usr/local/share/ca-certificates/leap_openvpn.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => '/etc/openvpn/keys/server.crt', + value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; "key $openvpn_configname": key => 'key', - value => '/etc/openvpn/keys/server.key', + value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index f5132599..e5678680 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,7 +1,8 @@ production: + prefix: "" protocol: 'https' host: <%= couchdb_host %> - port: 443 + port: 6984 username: <%= couchdb_user %> password: <%= couchdb_password %> |