Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp4
-rw-r--r--puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf4
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb4
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb4
-rw-r--r--puppet/modules/site_ca_daemon/manifests/apache.pp62
-rw-r--r--puppet/modules/site_ca_daemon/manifests/couchdb.pp16
-rw-r--r--puppet/modules/site_ca_daemon/manifests/init.pp76
-rw-r--r--puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb31
-rw-r--r--puppet/modules/site_config/manifests/hosts.pp20
-rw-r--r--puppet/modules/site_config/manifests/init.pp9
-rw-r--r--puppet/modules/site_config/templates/hosts13
-rw-r--r--puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp33
-rw-r--r--puppet/modules/site_couchdb/manifests/configure.pp5
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp16
-rw-r--r--puppet/modules/site_couchdb/manifests/package.pp13
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp26
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp6
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.erb3
18 files changed, 275 insertions, 70 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 9da2174c..c8502bc7 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -22,4 +22,8 @@ node 'default' {
if 'webapp' in $services {
include site_webapp
}
+
+ if 'ca' in $services {
+ include site_ca_daemon
+ }
}
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
index 79ad931d..0dff2cd6 100644
--- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
+++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
@@ -3,8 +3,8 @@ Listen 0.0.0.0:6984
<VirtualHost *:6984>
SSLEngine On
SSLProxyEngine On
- SSLCertificateKeyFile /etc/couchdb/server_key.pem
- SSLCertificateFile /etc/couchdb/server_cert.pem
+ SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key
+ SSLCertificateFile /etc/x509/certs/leap_couchdb.crt
ProxyPass / http://127.0.0.1:5984/
ProxyPassReverse / http://127.0.0.1:5984/
</VirtualHost>
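Review bot: The vhost now reads `/etc/x509/keys/leap_couchdb.key` and `/etc/x509/certs/leap_couchdb.crt`, but the paths are fixed here while the files are produced by the `x509::key`/`x509::cert` resources titled 'leap_couchdb' in site_couchdb::apache_ssl_proxy elsewhere in this commit, so the two can drift apart silently. A comment such as `# paths written by x509::key/x509::cert 'leap_couchdb' (site_couchdb::apache_ssl_proxy)` above the directives keeps that coupling visible. The vhost sets no `SSLProtocol` or `SSLCipherSuite`, so the TLS versions and ciphers offered on 6984 are whatever the apache module's defaults are; if those are not hardened, this is the place to set them.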
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 37c4a727..05d5f69d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -19,8 +19,8 @@
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot /srv/leap_webapp/public
- Alias /1 /srv/leap_webapp/public
+ DocumentRoot /srv/leap-webapp/public
+ Alias /1 /srv/leap-webapp/public
# Check for maintenance file and redirect all requests
RewriteEngine On
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
index 85e7289b..8c820788 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -21,8 +21,8 @@
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot /srv/leap_webapp/public
- Alias /1 /srv/leap_webapp/public
+ DocumentRoot /srv/leap-webapp/public
+ Alias /1 /srv/leap-webapp/public
RewriteEngine On
# Check for maintenance file and redirect all requests
diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp
new file mode 100644
index 00000000..ab6b08fd
--- /dev/null
+++ b/puppet/modules/site_ca_daemon/manifests/apache.pp
@@ -0,0 +1,62 @@
+class site_ca_daemon::apache {
+
+ $api_domain = hiera('api_domain')
+ $x509 = hiera('x509')
+ $commercial_key = $x509['commercial_key']
+ $commercial_cert = $x509['commercial_cert']
+ $commercial_root = $x509['commercial_ca_cert']
+ $api_key = $x509['key']
+ $api_cert = $x509['cert']
+ $api_root = $x509['ca_cert']
+
+ $apache_no_default_site = true
+ include apache::ssl
+
+ apache::module {
+ 'alias': ensure => present;
+ 'rewrite': ensure => present;
+ 'headers': ensure => present;
+ }
+
+ class { 'passenger': use_munin => false }
+
+ apache::vhost::file {
+ 'leap_ca_daemon':
+ content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb')
+ }
+
+ apache::vhost::file {
+ 'api':
+ content => template('site_apache/vhosts.d/api.conf.erb')
+ }
+
+ x509::key {
+ 'leap_ca_daemon':
+ content => $commercial_key,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_key,
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_ca_daemon':
+ content => $commercial_cert,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca {
+ 'leap_ca_daemon':
+ content => $commercial_root,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_root,
+ notify => Service[apache];
+ }
+}
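Review bot: The `x509::key`, `x509::cert` and `x509::ca` resources titled 'leap_ca_daemon' in this class collide with the identically titled resources declared in site_ca_daemon/manifests/init.pp in the same commit, and with different content (`$commercial_key` here versus `$x509['key']` there); the include of this class is commented out in init.pp, so the duplicate declaration is latent, but enabling it will fail the catalog. Either give the commercial-cert resources a distinct title or drop the duplicates from init.pp. `$api_domain` is assigned but not used in this file; if it exists only for the template, a comment `# used by leap_ca_daemon.conf.erb` would say so. The template `site_apache/vhosts.d/leap_ca_daemon.conf.erb` is not in this commit's diffstat, so the vhost will fail to compile unless it already exists in the tree.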
diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp
new file mode 100644
index 00000000..f446a05b
--- /dev/null
+++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp
@@ -0,0 +1,16 @@
+class site_ca_daemon::couchdb {
+
+ $ca = hiera('ca_daemon')
+ $couchdb_host = $ca['couchdb_hosts']
+ $couchdb_user = $ca['couchdb_user']['username']
+ $couchdb_password = $ca['couchdb_user']['password']
+
+ file {
+ '/etc/leap/leap_ca.yaml':
+ content => template('site_ca_daemon/leap_ca.yaml.erb'),
+ owner => leap_ca_daemon,
+ group => leap_ca_daemon,
+ mode => '0600';
+ }
+
+}
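Review bot: `$couchdb_host = $ca['couchdb_hosts']` reads a plural hiera key into a singular variable that the template renders as the single `host:` value; if hiera supplies a list there, the ERB will emit the array's string form rather than one hostname, so either select one entry or name the key consistently. Nothing in this hunk ensures `/etc/leap` exists; if no other class manages that directory the file resource fails on a fresh host. The `0600` mode is right for a file carrying the CouchDB password; a trailing comment `# contains couchdb credentials, keep 0600` guards against a later relaxation.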
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp
new file mode 100644
index 00000000..db76e0fb
--- /dev/null
+++ b/puppet/modules/site_ca_daemon/manifests/init.pp
@@ -0,0 +1,76 @@
+class site_ca_daemon {
+
+ #$definition_files = hiera('definition_files')
+ #$provider = $definition_files['provider']
+ #$eip_service = $definition_files['eip_service']
+ $x509 = hiera('x509')
+
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+
+ class { 'ruby': ruby_version => '1.9.3' }
+
+ class { 'bundler::install': install_method => 'package' }
+
+ include rubygems
+ #include site_ca_daemon::apache
+ include site_ca_daemon::couchdb
+
+ group { 'leap_ca_daemon':
+ ensure => present,
+ allowdupe => false;
+ }
+
+ user { 'leap_ca_daemon':
+ ensure => present,
+ allowdupe => false,
+ gid => 'leap_ca_daemon',
+ home => '/srv/leap_ca_daemon',
+ require => [ Group['leap_ca_daemon'] ];
+ }
+
+
+ x509::key {
+ 'leap_ca_daemon':
+ content => $x509['key'],
+ #notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_ca_daemon':
+ content => $x509['cert'],
+ #notify => Service[apache];
+ }
+
+ x509::ca {
+ 'leap_ca_daemon':
+ content => $x509['ca_cert'],
+ #notify => Service[apache];
+ }
+
+
+ file { '/srv/leap_ca_daemon':
+ ensure => directory,
+ owner => 'leap_ca_daemon',
+ group => 'leap_ca_daemon',
+ require => User['leap_ca_daemon'];
+ }
+
+ vcsrepo { '/srv/leap_ca_daemon':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/leap_ca',
+ owner => 'leap_ca_daemon',
+ group => 'leap_ca_daemon',
+ require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ],
+ notify => Exec['bundler_update']
+ }
+
+ exec { 'bundler_update':
+ cwd => '/srv/leap_ca_daemon',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"',
+ unless => '/usr/bin/bundle check',
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ];
+ }
+
+}
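Review bot: The `vcsrepo` resource fetches the CA daemon, the code that will handle the CA private key installed just above it, over the unauthenticated `git://` transport and tracks `revision => 'origin/master'`, so each Puppet run may pull an unverified moving tip onto the CA host. Pin `revision` to a tag or commit, e.g. `revision => '<pinned tag or commit>'`, and fetch over https or ssh if code.leap.se offers it. The `bundler_update` exec has no `user =>`, so `bundle install` runs with Puppet's own privileges inside a directory owned by leap_ca_daemon; `user => 'leap_ca_daemon'` keeps gem installation within the daemon's account. `unless => '/usr/bin/bundle check'` already skips the run when the bundle is satisfied, so the `bundle check ||` prefix inside the command is redundant. The commented-out `$definition_files` block and `#notify => Service[apache]` lines should either be removed or carry a note saying why they are parked.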
diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb
new file mode 100644
index 00000000..e0b95278
--- /dev/null
+++ b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb
@@ -0,0 +1,31 @@
+#
+# Default configuration options for LEAP Certificate Authority Daemon
+#
+
+#
+# Certificate Authority
+#
+ca_key_path: "/etc/x509/keys/leap_ca_daemon.key"
+ca_key_password: nil
+ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt"
+
+#
+# Certificate pool
+#
+max_pool_size: 100
+client_cert_lifespan: 2
+client_cert_bit_size: 2024
+client_cert_hash: "SHA256"
+
+#
+# Database
+#
+db_name: "client_certificates"
+couch_connection:
+ protocol: "https"
+ host: <%= couchdb_host %>
+ port: 6984
+ username: <%= couchdb_user %>
+ password: <%= couchdb_password %>
+ prefix: ""
+ suffix: ""
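Review bot: `ca_key_password: nil` is not YAML null; it parses as the string "nil", so unless the daemon special-cases that string the CA key will be opened with the password "nil" — write `ca_key_password: ~` (or `null`). `client_cert_bit_size: 2024` is an unusual RSA modulus length and looks like a typo for the conventional 2048; confirm against what the daemon and its clients expect. The interpolated `host`, `username` and `password` values are emitted unquoted, so a password containing `:`, `#` or a leading special character would break or retype the YAML; quote them, e.g. `password: "<%= couchdb_password %>"`, noting the value must then contain no unescaped `"` or `\`. `client_cert_lifespan: 2` carries no unit; a trailing comment naming it would help — TODO confirm against the daemon's documentation.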
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
new file mode 100644
index 00000000..06cd5c01
--- /dev/null
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -0,0 +1,20 @@
+class site_config::hosts() {
+
+ $hosts = hiera('hosts','')
+ $hostname = hiera('name')
+
+ file { "/etc/hostname":
+ ensure => present,
+ content => $hostname
+ }
+
+ exec { "/bin/hostname $hostname":
+ subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ],
+ refreshonly => true;
+ }
+
+ file { '/etc/hosts':
+ content => template('site_config/hosts'),
+ mode => '0644', owner => root, group => root;
+ }
+}
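Review bot: `$hostname` flows straight from hiera into both the `/etc/hostname` content and the title/command of the `exec` with no validation, so a value containing whitespace or shell metacharacters yields an invalid hostname file and an exec whose command line is not what was intended. A guard before the resources, `if $hostname !~ /^[a-zA-Z0-9.-]+$/ { fail("invalid hostname: ${hostname}") }`, makes the failure explicit and early. `/etc/hostname` conventionally ends with a newline; `content => "${hostname}\n"` avoids a spurious diff against a hand-edited file. Subscribing the exec to `File['/etc/hosts']` re-runs `hostname` whenever the hosts file changes, which is harmless but unnecessary.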
diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp
index 7f67ad4e..bab186d0 100644
--- a/puppet/modules/site_config/manifests/init.pp
+++ b/puppet/modules/site_config/manifests/init.pp
@@ -11,4 +11,13 @@ class site_config {
# configure /etc/resolv.conf
include site_config::resolvconf
+
+ # configure /etc/hosts
+ stage { 'initial':
+ before => Stage['main'],
+ }
+
+ class { 'site_config::hosts':
+ stage => initial,
+ }
}
diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts
new file mode 100644
index 00000000..c516eaf8
--- /dev/null
+++ b/puppet/modules/site_config/templates/hosts
@@ -0,0 +1,13 @@
+# This file is managed by puppet, any changes will be overwritten!
+
+127.0.0.1 localhost
+<%- if hosts.to_s != '' then -%>
+<%= hosts %>
+<% end -%>
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
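Review bot: `<%= hosts %>` assumes `hosts` is already a preformatted string; if hiera supplies an array, the ERB emits Ruby's string form of the array rather than one entry per line, and `<%= Array(hosts).join("\n") %>` handles both shapes. The template also has no `127.0.1.1 <hostname>` entry, which Debian uses so the local name resolves without DNS; since this template is rendered from site_config::hosts, which sets `$hostname`, a line `127.0.1.1 <%= hostname %>` would cover hosts whose `hosts` data does not already include it — confirm that the data does not duplicate it.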
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
index 92170780..02aae0c3 100644
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -1,36 +1,25 @@
define site_couchdb::apache_ssl_proxy ($key, $cert) {
$apache_no_default_site = true
- include apache::ssl
+ include apache
apache::module {
- 'rewrite': ensure => present;
'proxy': ensure => present;
'proxy_http': ensure => present;
+ 'rewrite': ensure => present;
+ 'ssl': ensure => present;
}
apache::vhost::file { 'couchdb_proxy': }
- # prevent 0-default.conf and 0-default_ssl.conf from apache module
- # from starting on port 80 / 443
- file { '/etc/apache2/ports.conf':
- content => '',
- mode => '0644',
- owner => 'root',
- group => 'root',
- }
- file { '/etc/couchdb/server_cert.pem':
- mode => '0644',
- owner => 'couchdb',
- group => 'couchdb',
- content => $cert,
- notify => Service[apache],
+ x509::key {
+ 'leap_couchdb':
+ content => $x509['key'],
+ notify => Service[apache];
}
- file { '/etc/couchdb/server_key.pem':
- mode => '0600',
- owner => 'couchdb',
- group => 'couchdb',
- content => $key,
- notify => Service[apache],
+ x509::cert {
+ 'leap_couchdb':
+ content => $x509['cert'],
+ notify => Service[apache];
}
}
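Review bot: The new `x509::key` and `x509::cert` resources read `$x509['key']` and `$x509['cert']`, but `$x509` is neither a parameter nor a local of this define, and the define's own `$key` and `$cert` parameters are now unused. That only resolves through dynamic scoping from the calling class (site_couchdb sets `$x509` in this commit), which is deprecated in Puppet 2.7 and removed in 3.x. Use the values the caller already passes: `content => $key,` and `content => $cert,`. The removed `/etc/apache2/ports.conf` override existed to keep the default sites off 80/443; if `$apache_no_default_site` alone now covers that, a one-line comment saying so would stop the next reader from re-adding it.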
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
index 25ea7a0b..333511b5 100644
--- a/puppet/modules/site_couchdb/manifests/configure.pp
+++ b/puppet/modules/site_couchdb/manifests/configure.pp
@@ -1,9 +1,4 @@
class site_couchdb::configure {
- Class[site_couchdb::package] -> Class[couchdb]
-
- class { 'couchdb':
- require => Class['site_couchdb::package'], }
-
file { '/etc/init.d/couchdb':
source => 'puppet:///modules/site_couchdb/couchdb',
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 10408094..04f2ca1a 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,5 +1,7 @@
class site_couchdb {
+ include couchdb
+
$x509 = hiera('x509')
$key = $x509['key']
$cert = $x509['cert']
@@ -15,21 +17,17 @@ class site_couchdb {
$couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
$couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
- Class['site_couchdb::package']
- -> Exec['refresh_apt']
- -> Package ['couchdb']
+ Package ['couchdb']
-> File['/etc/init.d/couchdb']
-> File['/etc/couchdb/local.ini']
-> File['/etc/couchdb/local.d/admin.ini']
-> File['/etc/couchdb/couchdb.netrc']
- -> Couchdb::Create_db[leap_web]
- -> Couchdb::Create_db[leap_ca]
+ -> Couchdb::Create_db['users']
+ -> Couchdb::Create_db['client_certificates']
-> Couchdb::Add_user[$couchdb_webapp_user]
-> Couchdb::Add_user[$couchdb_ca_daemon_user]
-> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
- # Setup couchdb
- include site_couchdb::package
include site_couchdb::configure
include couchdb::deploy_config
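Review bot: Dropping `include site_couchdb::package` also drops the apt pin that installed couchdb from unstable to work around Debian bug 681549, and nothing in the commit says that bug is resolved in the release now targeted; if it is, a sentence in the commit description would record it, and if not, `Package['couchdb']` will install the version the workaround avoided. The ordering chain now starts at `Package['couchdb']`, which is declared by the `couchdb` class included at the top of this file rather than here; a comment `# Package['couchdb'] is declared by the couchdb module` on that line makes the cross-module dependency visible. The body of class site_couchdb continues outside this hunk.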
@@ -54,11 +52,11 @@ class site_couchdb {
pw => $couchdb_ca_daemon_pw
}
- couchdb::create_db { 'leap_web':
+ couchdb::create_db { 'users':
readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
}
- couchdb::create_db { 'leap_ca':
+ couchdb::create_db { 'client_certificates':
readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
}
}
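Review bot: Renaming the databases from 'leap_web'/'leap_ca' to 'users'/'client_certificates' creates the new ones but leaves the old databases, and the reader permissions they carry, on already-provisioned CouchDB hosts; nothing here removes them. If `couchdb::create_db` supports `ensure => absent`, declare the old titles with it; otherwise note the manual cleanup in the commit description. The `readers` JSON is still assembled by string interpolation of `$couchdb_webapp_user`, so a username containing a quote would corrupt the security document; that predates this change, but a `# TODO: build readers with a JSON encoder` marker is warranted.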
diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp
deleted file mode 100644
index c091316a..00000000
--- a/puppet/modules/site_couchdb/manifests/package.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class site_couchdb::package {
-
- # for now, we need to install couchdb from unstable,
- # because of this bug while installing:
- # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549
- # can be removed when couchdb/1.2.0-2 is integrated into testing
- apt::sources_list { 'unstable.list':
- source => [ 'puppet:///modules/site_apt/unstable.list'],
- }
- apt::preferences_snippet{
- 'couchdb': release => 'unstable', priority => 999;
- }
-}
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 12c1bd8f..4c43ec05 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -1,22 +1,26 @@
class site_openvpn::keys {
- file { '/etc/openvpn/keys/ca.crt':
- content => $site_openvpn::x509_config['ca_cert'],
- mode => '0644',
+ x509::key {
+ 'leap_openvpn':
+ content => $site_openvpn::x509_config['key'],
+ notify => Service[openvpn];
}
- file { '/etc/openvpn/keys/dh.pem':
- content => $site_openvpn::x509_config['dh'],
- mode => '0644',
+ x509::cert {
+ 'leap_openvpn':
+ content => $site_openvpn::x509_config['cert'],
+ notify => Service[openvpn];
}
- file { '/etc/openvpn/keys/server.key':
- content => $site_openvpn::x509_config['key'],
- mode => '0600',
+ x509::ca {
+ 'leap_openvpn':
+ content => $site_openvpn::x509_config['ca_cert'],
+ notify => Service[openvpn];
}
- file { '/etc/openvpn/keys/server.crt':
- content => $site_openvpn::x509_config['cert'],
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $site_openvpn::x509_config['dh'],
mode => '0644',
}
+
}
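Review bot: Replacing the `file` resources with `x509::*` defines moves the material to new paths (see server_config.pp in this commit) but leaves the previously managed `/etc/openvpn/keys/ca.crt`, `server.crt` and, more importantly, the private key `server.key` unmanaged on hosts that were already provisioned — the old private key stays on disk with no resource removing it. Add `file { ['/etc/openvpn/keys/ca.crt', '/etc/openvpn/keys/server.crt', '/etc/openvpn/keys/server.key']: ensure => absent }` so the stale key is cleaned up. The `dh.pem` resource is kept, so the directory is still needed; confirm something else ensures `/etc/openvpn/keys` exists with an appropriate mode.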
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6fc3a3c2..c4f64225 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
openvpn::option {
"ca $openvpn_configname":
key => 'ca',
- value => '/etc/openvpn/keys/ca.crt',
+ value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
server => $openvpn_configname;
"cert $openvpn_configname":
key => 'cert',
- value => '/etc/openvpn/keys/server.crt',
+ value => '/etc/x509/certs/leap_openvpn.crt',
server => $openvpn_configname;
"key $openvpn_configname":
key => 'key',
- value => '/etc/openvpn/keys/server.key',
+ value => '/etc/x509/keys/leap_openvpn.key',
server => $openvpn_configname;
"dh $openvpn_configname":
key => 'dh',
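Review bot: The three certificate paths are hard-coded here and are implicitly fixed again by the `x509::*` defines' naming scheme in site_openvpn::keys; if the x509 module changes where it writes `leap_openvpn.*`, this config silently points at stale files. The `ca` path under `/usr/local/share/ca-certificates/` presumably is where `x509::ca` installs its certificate — confirm, and add a comment `# paths written by x509::key/x509::cert/x509::ca in site_openvpn::keys` on the `ca` option so the coupling is documented. The define site_openvpn::server_config starts and ends outside this hunk.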
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index f5132599..e5678680 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -1,7 +1,8 @@
production:
+ prefix: ""
protocol: 'https'
host: <%= couchdb_host %>
- port: 443
+ port: 6984
username: <%= couchdb_user %>
password: <%= couchdb_password %>
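Review bot: Pointing the webapp at port 6984 means it now talks to the Apache TLS proxy presenting the `leap_couchdb` certificate, yet this file carries no CA or verification setting, so whether the client verifies that certificate depends on the client library's defaults; that is worth confirming and, if the library supports it, pinning the CA here. The `password` value is emitted unquoted into YAML, so a password containing `:` or `#` would break parsing; `password: "<%= couchdb_password %>"` avoids that as long as the value contains no unescaped `"` or `\`.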