Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/setup.pp16
-rw-r--r--puppet/manifests/site.pp30
m---------puppet/modules/apache0
m---------puppet/modules/apt0
m---------puppet/modules/couchdb0
m---------puppet/modules/haproxy0
-rw-r--r--puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf10
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb3
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb7
-rw-r--r--puppet/modules/site_apt/files/keys/cloudant-key.asc52
-rw-r--r--puppet/modules/site_apt/files/keys/leap_key.asc63
-rw-r--r--puppet/modules/site_apt/manifests/dist_upgrade.pp6
-rw-r--r--puppet/modules/site_apt/manifests/init.pp35
-rw-r--r--puppet/modules/site_apt/manifests/leap_repo.pp14
-rw-r--r--puppet/modules/site_apt/templates/preferences.include_squeeze25
-rw-r--r--puppet/modules/site_apt/templates/secondary.list (renamed from puppet/modules/site_apt/templates/fallback.list)0
-rw-r--r--puppet/modules/site_ca_daemon/manifests/apache.pp62
-rw-r--r--puppet/modules/site_ca_daemon/manifests/couchdb.pp16
-rw-r--r--puppet/modules/site_ca_daemon/manifests/init.pp103
-rw-r--r--puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb31
-rw-r--r--puppet/modules/site_config/files/xterm-title.sh8
-rw-r--r--puppet/modules/site_config/manifests/base_packages.pp28
-rw-r--r--puppet/modules/site_config/manifests/default.pp18
-rw-r--r--puppet/modules/site_config/manifests/dhclient.pp30
-rw-r--r--puppet/modules/site_config/manifests/hosts.pp30
-rw-r--r--puppet/modules/site_config/manifests/params.pp25
-rw-r--r--puppet/modules/site_config/manifests/resolvconf.pp11
-rw-r--r--puppet/modules/site_config/manifests/ruby.pp14
-rw-r--r--puppet/modules/site_config/manifests/shell.pp22
-rw-r--r--puppet/modules/site_config/manifests/slow.pp2
-rw-r--r--puppet/modules/site_config/manifests/sshd.pp2
-rw-r--r--puppet/modules/site_config/templates/hosts8
-rw-r--r--puppet/modules/site_config/templates/reload_dhclient.erb13
-rwxr-xr-xpuppet/modules/site_couchdb/files/couchdb160
-rw-r--r--puppet/modules/site_couchdb/files/local.ini4
-rw-r--r--puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp25
-rw-r--r--puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp5
-rw-r--r--puppet/modules/site_couchdb/manifests/configure.pp27
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp71
-rw-r--r--puppet/modules/site_couchdb/manifests/stunnel.pp104
-rw-r--r--puppet/modules/site_haproxy/manifests/init.pp26
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp2
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp162
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb23
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver.yml.erb19
-rw-r--r--puppet/modules/site_openvpn/README20
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp166
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp96
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp17
-rw-r--r--puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb11
-rw-r--r--puppet/modules/site_shorewall/manifests/couchdb.pp7
-rw-r--r--puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp51
-rw-r--r--puppet/modules/site_shorewall/manifests/couchdb/dnat.pp21
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp14
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat.pp19
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat_rule.pp55
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp77
-rw-r--r--puppet/modules/site_shorewall/manifests/webapp.pp1
-rw-r--r--puppet/modules/site_sshd/manifests/authorized_keys.pp19
-rw-r--r--puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp9
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp32
-rw-r--r--puppet/modules/site_sshd/manifests/mosh.pp21
-rw-r--r--puppet/modules/site_sshd/manifests/ssh_key.pp3
-rw-r--r--puppet/modules/site_sshd/templates/authorized_keys.erb6
-rw-r--r--puppet/modules/site_stunnel/manifests/clients.pp26
-rw-r--r--puppet/modules/site_stunnel/manifests/init.pp17
-rw-r--r--puppet/modules/site_stunnel/manifests/setup.pp24
-rw-r--r--puppet/modules/site_tor/manifests/init.pp1
-rw-r--r--puppet/modules/site_webapp/files/migrate_design_documents16
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp3
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp75
-rw-r--r--puppet/modules/site_webapp/manifests/haproxy.pp14
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp95
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb10
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.admin.erb9
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.erb9
-rw-r--r--puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb16
m---------puppet/modules/stdlib0
m---------puppet/modules/stunnel0
-rw-r--r--puppet/modules/try/manifests/file.pp13
m---------puppet/modules/vcsrepo8
81 files changed, 1579 insertions, 714 deletions
diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp
new file mode 100644
index 00000000..80e7ffc2
--- /dev/null
+++ b/puppet/manifests/setup.pp
@@ -0,0 +1,16 @@
+#
+# this is applied before each run of site.pp
+#
+$services = ''
+
+Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }
+
+include site_config::hosts
+
+include site_apt
+
+package { 'facter':
+ ensure => latest,
+ require => Exec['refresh_apt']
+}
+
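Review bot: `include site_apt` here is evaluated with `$services = ''` (set a few lines above), so the couchdb-specific apt preferences that site_apt selects with `'couchdb' in $::services` are never rendered during this setup pass; if setup.pp and site.pp are applied as separate runs, as the header comment suggests, /etc/apt/preferences on a couchdb node would be rewritten differently by each pass. Deriving the value the same way site.pp does, `$services = join(hiera_array('services', []), ' ')`, keeps both passes in agreement. The default Exec path also carries a stray trailing slash in `/usr/sbin/`; harmless, but worth tidying while the line is touched.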
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 1ec806d9..08cbbb9e 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,39 +1,39 @@
# set a default exec path
Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }
-stage { 'initial':
- before => Stage['main'],
-}
+# parse services for host
+$services=join(hiera_array('services'), ' ')
+notice("Services for ${fqdn}: ${services}")
+
+# make sure apt is updated before any packages are installed
+include apt::update
+Package { require => Exec['apt_updated'] }
+
+include stdlib
import 'common'
include site_config::default
include site_config::slow
-# parse services for host
-$services=hiera_array('services')
-notice("Services for ${fqdn}: ${services}")
# configure eip
-if 'openvpn' in $services {
+if $services =~ /\bopenvpn\b/ {
include site_openvpn
}
-if 'couchdb' in $services {
+if $services =~ /\bcouchdb\b/ {
include site_couchdb
}
-if 'webapp' in $services {
+if $services =~ /\bwebapp\b/ {
include site_webapp
+ include site_nickserver
}
-if 'ca' in $services {
- include site_ca_daemon
-}
-
-if 'monitor' in $services {
+if $services =~ /\bmonitor\b/ {
include site_nagios
}
-if 'tor' in $services {
+if $services =~ /\btor\b/ {
include site_tor
}
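Review bot: `hiera_array('services')` on the new assignment has no default, so a node without a `services` key fails catalog compilation on the hiera lookup, even though setup.pp initialises `$services = ''` for exactly that case; `$services=join(hiera_array('services', []), ' ')` keeps such nodes compiling. Note also that `$services` is now a space-joined string rather than an array, and it is consumed in that shape by templates and by site_apt (`'couchdb' in $::services`, which on a string is a substring test); the `\b`-anchored regexes introduced here are the safer form wherever membership is decided.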
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 077d4d1508b9ff3355f73ff8597991043b3ba5d
+Subproject c3e92a9b3cb02f1546b6b1570f10a968d380005
diff --git a/puppet/modules/apt b/puppet/modules/apt
-Subproject f16a0727dce187d07389388da8b816f7b520205
+Subproject 1a72a99693c1d77bfe891546408f88264fca98e
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject b915a67c6e7e3b1b75400dbbd4a9ac961c8eb03
+Subproject 20deb0652ccfe105eddec6ba2ad32b8d633705f
diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy
new file mode 160000
+Subproject b398f3cb0a67d1170d0564a3f03977f9a08c2b6
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
deleted file mode 100644
index 0dff2cd6..00000000
--- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-Listen 0.0.0.0:6984
-
-<VirtualHost *:6984>
- SSLEngine On
- SSLProxyEngine On
- SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key
- SSLCertificateFile /etc/x509/certs/leap_couchdb.crt
- ProxyPass / http://127.0.0.1:5984/
- ProxyPassReverse / http://127.0.0.1:5984/
-</VirtualHost>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index cdfcbd68..ae894cd4 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -21,8 +21,7 @@ Listen 0.0.0.0:<%= api_port %>
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot /srv/leap-webapp/public
- Alias /1 /srv/leap-webapp/public
+ DocumentRoot /srv/leap/webapp/public
# Check for maintenance file and redirect all requests
RewriteEngine On
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
index 4928cdd6..4b051699 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -21,8 +21,7 @@
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot /srv/leap-webapp/public
- Alias /1 /srv/leap-webapp/public
+ DocumentRoot /srv/leap/webapp/public
RewriteEngine On
# Check for maintenance file and redirect all requests
@@ -37,10 +36,10 @@
PassengerFriendlyErrorPages off
SetEnv TMPDIR /var/tmp
- <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%>
+ <% if (defined? @services) and (@services.include? 'monitor') -%>
<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
PassengerEnabled off
- AllowOverride all
+ AllowOverride all
</DirectoryMatch>
<% end -%>
</VirtualHost>
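Review bot: `@services.include? 'monitor'` now runs against a space-joined String (site.pp builds `$services` with `join`), where `include?` is a substring test rather than array membership, so any service whose name merely contains `monitor` would enable the nagios DirectoryMatch block. A word-bounded match avoids that: `<% if (defined? @services) and (@services.to_s =~ /\bmonitor\b/) -%>`; the `to_s` keeps the test working if some path still hands the template an Array.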
diff --git a/puppet/modules/site_apt/files/keys/cloudant-key.asc b/puppet/modules/site_apt/files/keys/cloudant-key.asc
new file mode 100644
index 00000000..99716a3c
--- /dev/null
+++ b/puppet/modules/site_apt/files/keys/cloudant-key.asc
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+mQINBFE7fhIBEACrDREcODnhdugNozMeBawOm2irpNCP54yMljST/DOXx1uo3gQw
+HnVcQ4lL7lXhbfL6Tp0WhrNYTWbbWHO0DaQbW0GQMHa2BGG0Xm0HPrjr3j55tAcM
+NPr0ArDuplq4Py2pwviZiEtQkkn+biH9oV+N3jNO+8+zVHLVU7pHaX6Yd7HAxFM8
+XX+7SeVtplZ7nvSxUREiMNxQb9o0kYNRPS+b0UjiIXHrFO9afl7lTdg/I8AhKWa0
+3jJoY/IRvVopJblISQNGFipR11Lpu5sOHghgz4V8mk/in7JLMmoqSl5DP5VhRII8
+OyADBjaUJD2mkv5cGaevqpB4AId78X9+Y62gFJrGkIHY9uBxIUkRe+leYI4Zz4Bm
+D9qBIbEY/kKkblTlC1G7u3qbGQcsbCRVIOnhruCih7vifcP40YwGUk5NmDA5AE78
+OovCGYGp4zMepDTSJxGT3sJOTEbzN09so6C7fQWBeQiiG5Uepp1q+VnaGpT1L4rc
+Y6yRbu9dOFj6WzY4W5HtnbalzTIEYy+SIGZqRkJt6jREYLiFfyrpSFIgGoJAs0yx
+9M0McXfeOod69TPufB1PeppnBwFcTmYNYxakusQxAebRDPEBZqoEgl0gMmxWbAdI
+nxGMWWnSsN/Dj0dXRf1MG/5akOhX2zQcUzBOE2m/Xr5kjDPYFtFxVJDGzQARAQAB
+tDNDbG91ZGFudCBQYWNrYWdlIFNpZ25pbmcgS2V5IDxzdXBwb3J0QGNsb3VkYW50
+LmNvbT6JAj4EEwECACgFAlE7fhICGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB
+Ah4BAheAAAoJEFngH70Vvo4mciIP/AlqHA/LDtSYfrFwdXifY2ImCMyzYvH40Ko2
+DHCw2qDjvK5UXn1iWuzXidT7DrxOfYoZpzySRP7VGyHxa3VPhOtzLDZSvTpk9ELo
+2x2IczUwLC17M0Iis4CpqlxSFIBYGX78pMzvsEyC4TFqUDfXRlye3apjD0iwK0hE
+kdP1+TPdJjhWImJm+3TLu45zTw3Ph5dnf5pLQPNhKfBSdku+vRrd35N5hHso9S1y
+Z3NrxcQlWnXuqkLIA14gM7qbBFD+el9Y+tZ7ERGYg3s5uNDQRTb0QC8zg/um2+zW
+4hHmuRcWY3n8IgHcYUruC1VyrrsFIWWMyLv7SZkAAoSY+jKyESDfYpJQ8jtZ4EF9
+2/gYm4FgZR8j4gWkzHSLGVt/4EIykJZb0yIg/QEovmmHqpy8xYri3goMSl4h7tfF
+TOCZLTzTyQ7xONdyEsrvQPhmdtXEgvSo5S7ZU9kkx32OjCoshLLjhtqAipBgEXqb
+hElFo1oSyOVoGc7UNh7KNBjWfeP8dNdCbIbIYPMeM0/CVjD60kW5ZEVDuYglT+Rz
+enJJvS4Hs+fq8cFNxMB+l64qE7iS+I6RP2bPeQM2aBa2UZNWxUIbXF7bb3zLrCGn
+GT8GF1AFRoW3GiDzB7QnLVp8BhIaqFUzbDim+5mFFG8wguxHTiz4snDdQXq2Es6V
+UETFsNsluQINBFE7fhIBEADIyLHyBh8AKJKQHksFAPHOyA48ocxgQDpQnqYlQcAK
+D8eUbRXciIz4ePBmvjaQmz8wJgWULc04u4i9jK8Jd/Ks+VhEz3AjRBfjvkBaVMog
+FMPKaoDn9LVMBSZJ3fcC1DVck1oO8LnFIdktt0zhvzG+pV5b/UTRsVZmwNh1p2dM
+4cJswxlksJXYnI9tFA74qiomDCPYM0zpv7TEjX23PZTLqTSHP5aWctx+MIEtdoqp
+EsEDL6npvYBRz/tuL41cUWs7CItH131Hyuizo4vGrxgWPnoXIxLmLOOZCMk/kbx0
+XCSvengqYwNgAOlIjewtTw+WJm1gtNQQeKmaXBX7njf2Wz7LI/0KVxttEpKT5/5y
+embOGn7My9i7zOc1frMCDivIOTQDBZTzR9o7/6wUJ69DIoFLMlO8UcCK3R7o5VUI
+ezx+XYsOAD7D2vKoiD8Se65Vnax2rfFlLP7OQqdem5l2lkHpJzP3lA8qmA2MfJ7V
+jsk7eDSyJQjG5c6KBoaFlYGhp/E2kR82cAKVaFIbW3euMM4XK6Mgzy3+DVKfk8mu
+AEuHub7plfxM+65yjLNAK6l6IKtY1HfM7F4GFyNSd3mNNcWN7ceIHh8Ur4DeD2Tp
+7r3XcWd6/czLYNsw2BAHeVUxnMTCeGN99UZTtHgVq9IJMOCDOPwMSzHFfZ6sNaYL
+qQARAQABiQIlBBgBAgAPBQJRO34SAhsMBQkB4TOAAAoJEFngH70Vvo4mpokP/jJJ
+2mXdhMVqZCtZhwphJfdxg8nBERzrd6ebXxKbTq1MmSN/fDwLknPabFHUpzk1ADCf
+6mh2o0HB+67yMzo1UVtyfPOaHgCE/pWer5ultJM8gOdpBfSWL8jRwU8ZQ4fDu3z8
+AC6zTNq7znOVLEzZPy8U7q5Rt5/6QdQYoTLe6DwlLmkflzWP5VWi/mTGvtu/t5OV
+tGZkzBYQ5QAXRXXkKswqkJpQFuW6d1vlYm9+x/+Q1+2kGT+CKbRAkqkf77qVcyJR
+1M2JQSs4ko+rLMZzr01sYA+EBD17nxqV8vUdYebNc9Qnk8Aphid1zarUbySgAdnJ
+5SLAjLe/6N6IEE9F3uKsPEs87gJrnwrYHRrmu0wAPwA0cMmtgD4Bz7Iiz4CLYPFW
+rHpQCA313K+rS/LLfLBL66wIRKcPuYIFR9N03jX9eGR6qtk0b5Zb3YjWOo4V9Q1r
+o+g6IB0Us5vH6ISuokq7Bv+8cXhEMVoctL9A8xWN1KDkweZ+7dNWCGV8lUWKy3Hw
+ig6hENH6H7J57U8H2v2aZTeUo6e7VDP9gddNKPSEEeoBKfVnWYGoG8mVPQ2PzTgZ
+ZO2vwp4c3Ix/kIV3xe+/Opcq1lxYhD7HSre1MB7HOeFmis6tBBjMJPaatZVfzj1v
+6Uhz5oUCwcPol8rsp69DvGVUPSHfDwBxurDX71oG
+=lEm7
+-----END PGP PUBLIC KEY BLOCK-----
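Review bot: This key is installed into apt's trusted keyring through `custom_key_dir` in site_apt, but neither the file nor the commit records its fingerprint, so a reviewer cannot confirm out of band that the armored block is the intended Cloudant package-signing key; the same applies to leap_key.asc in this commit. Recording the expected fingerprint in the commit message or a README next to the keys (e.g. `Fingerprint: <FINGERPRINT-FROM-VENDOR>` as a placeholder to fill in) gives future key rotations a known value to check against.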
diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc
new file mode 100644
index 00000000..b69251f0
--- /dev/null
+++ b/puppet/modules/site_apt/files/keys/leap_key.asc
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+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+=4STg
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp
index f129dd73..08de31bb 100644
--- a/puppet/modules/site_apt/manifests/dist_upgrade.pp
+++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp
@@ -1,15 +1,17 @@
class site_apt::dist_upgrade {
- if $::apt_running == 'true' {
+ if $::apt_running == 'true' {
fail ('apt-get is running in background - Please wait until it finishes. Exiting.')
} else {
exec{'initial_apt_update':
- command => '/usr/bin/apt-get update && /usr/bin/apt-get autoclean',
+ command => '/usr/bin/apt-get update',
refreshonly => false,
+ timeout => 360,
}
exec{'initial_apt_dist_upgrade':
command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade",
refreshonly => false,
+ timeout => 1200,
}
}
}
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 80c6fbde..8821c110 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -1,6 +1,20 @@
-class site_apt {
+class site_apt {
- include ::apt
+ # on couchdb we need to include squeeze in apt preferences,
+ # so the cloudant package can pull some packages from squeeze
+ # template() must be unquoted !
+ if 'couchdb' in $::services {
+ $custom_preferences = template("site_apt/preferences.include_squeeze")
+ } else {
+ $custom_preferences = ''
+ }
+ class { 'apt':
+ custom_preferences => $custom_preferences,
+ custom_key_dir => 'puppet:///modules/site_apt/keys'
+ }
+
+ # enable http://deb.leap.se debian package repository
+ include site_apt::leap_repo
apt::apt_conf { '90disable-pdiffs':
content => 'Acquire::PDiffs "false";';
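Review bot: `'couchdb' in $::services` in the new condition is a substring test once `$services` is the space-joined string site.pp now builds, which diverges from the `\b`-anchored regexes site.pp uses for the same decision; `if $::services =~ /\bcouchdb\b/ {` keeps the two consistent. It also depends on `$services` being set at top scope before this class is evaluated, which the comment could state. Separately, `template("site_apt/preferences.include_squeeze")` uses double quotes with nothing to interpolate; single quotes match the rest of the file.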
@@ -8,8 +22,21 @@ class site_apt {
include ::apt::unattended_upgrades
- apt::sources_list { 'fallback.list.disabled':
- content => template('site_apt/fallback.list');
+ apt::sources_list { 'secondary.list.disabled':
+ content => template('site_apt/secondary.list');
}
+ apt::preferences_snippet { 'facter':
+ release => "${::lsbdistcodename}-backports",
+ priority => 999
+ }
+
+ # All packages should be installed _after_ refresh_apt is called,
+ # which does an apt-get update.
+ # There is one exception:
+ # The creation of sources.list depends on the lsb package
+
+ File['/etc/apt/preferences'] ->
+ Exec['refresh_apt']
+ Package <| ( title != 'lsb' ) |>
}
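Review bot: The ordering chain at the end looks incomplete: `Exec['refresh_apt']` is followed by `Package <| ( title != 'lsb' ) |>` with no `->` between them, so as rendered no dependency from the apt refresh to packages is created and the bare collector merely realizes any matching virtual Package resources — unless the arrow was lost in rendering. The comment above states the intent, so the chain should read `File['/etc/apt/preferences'] -> Exec['refresh_apt'] -> Package <| ( title != 'lsb' ) |>`. Note too that site.pp already sets a global `Package { require => Exec['apt_updated'] }`, so packages end up gated on two different apt-update execs; one of them is probably redundant.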
diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp
new file mode 100644
index 00000000..6b3d9919
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/leap_repo.pp
@@ -0,0 +1,14 @@
+class site_apt::leap_repo {
+ apt::sources_list { 'leap.list':
+ content => 'deb http://deb.leap.se/debian stable main',
+ before => Exec[refresh_apt]
+ }
+
+ package { 'leap-keyring':
+ ensure => latest
+ }
+
+ # We wont be able to install the leap-keyring package unless the leap apt
+ # source has been added and apt has been refreshed
+ Exec['refresh_apt'] -> Package['leap-keyring']
+}
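Review bot: `Exec[refresh_apt]` in the `before` on the sources_list uses a bareword title while the chain at the bottom quotes it; `before => Exec['refresh_apt']` keeps resource references uniform. The source is `deb http://deb.leap.se/debian stable main` over plain HTTP, so integrity rests entirely on apt's signature check against the key shipped via `custom_key_dir` (presumably leap_key.asc); a comment such as `# packages from this source are verified against the key in site_apt/keys; leap-keyring keeps it current` would record that. `ensure => latest` on leap-keyring means the trusted keyring can change on any run, which appears intended but is worth stating in the same comment.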
diff --git a/puppet/modules/site_apt/templates/preferences.include_squeeze b/puppet/modules/site_apt/templates/preferences.include_squeeze
new file mode 100644
index 00000000..d6d36b60
--- /dev/null
+++ b/puppet/modules/site_apt/templates/preferences.include_squeeze
@@ -0,0 +1,25 @@
+Explanation: Debian wheezy
+Package: *
+Pin: release o=Debian,n=wheezy
+Pin-Priority: 990
+
+Explanation: Debian wheezy-updates
+Package: *
+Pin: release o=Debian,n=wheezy-updates
+Pin-Priority: 990
+
+Explanation: Debian sid
+Package: *
+Pin: release o=Debian,n=sid
+Pin-Priority: 1
+
+Explanation: Debian squeeze
+Package: *
+Pin: release o=Debian,n=squeeze
+Pin-Priority: 980
+
+Explanation: Debian fallback
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
+
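Review bot: The squeeze stanza pins `Package: *` at priority 980, which lets any package that is absent from wheezy be pulled from squeeze, not only the dependencies of the cloudant package that the site_apt comment describes. If the required squeeze packages are known, narrowing that stanza's `Package:` line to their names limits unintended mixing of releases on couchdb nodes. An `Explanation:` line naming the package that needs squeeze would also help whoever later has to remove this pin.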
diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/secondary.list
index 41334b0b..41334b0b 100644
--- a/puppet/modules/site_apt/templates/fallback.list
+++ b/puppet/modules/site_apt/templates/secondary.list
diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp
deleted file mode 100644
index ab6b08fd..00000000
--- a/puppet/modules/site_ca_daemon/manifests/apache.pp
+++ /dev/null
@@ -1,62 +0,0 @@
-class site_ca_daemon::apache {
-
- $api_domain = hiera('api_domain')
- $x509 = hiera('x509')
- $commercial_key = $x509['commercial_key']
- $commercial_cert = $x509['commercial_cert']
- $commercial_root = $x509['commercial_ca_cert']
- $api_key = $x509['key']
- $api_cert = $x509['cert']
- $api_root = $x509['ca_cert']
-
- $apache_no_default_site = true
- include apache::ssl
-
- apache::module {
- 'alias': ensure => present;
- 'rewrite': ensure => present;
- 'headers': ensure => present;
- }
-
- class { 'passenger': use_munin => false }
-
- apache::vhost::file {
- 'leap_ca_daemon':
- content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb')
- }
-
- apache::vhost::file {
- 'api':
- content => template('site_apache/vhosts.d/api.conf.erb')
- }
-
- x509::key {
- 'leap_ca_daemon':
- content => $commercial_key,
- notify => Service[apache];
-
- 'leap_api':
- content => $api_key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_ca_daemon':
- content => $commercial_cert,
- notify => Service[apache];
-
- 'leap_api':
- content => $api_cert,
- notify => Service[apache];
- }
-
- x509::ca {
- 'leap_ca_daemon':
- content => $commercial_root,
- notify => Service[apache];
-
- 'leap_api':
- content => $api_root,
- notify => Service[apache];
- }
-}
diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp
deleted file mode 100644
index f446a05b..00000000
--- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-class site_ca_daemon::couchdb {
-
- $ca = hiera('ca_daemon')
- $couchdb_host = $ca['couchdb_hosts']
- $couchdb_user = $ca['couchdb_user']['username']
- $couchdb_password = $ca['couchdb_user']['password']
-
- file {
- '/etc/leap/leap_ca.yaml':
- content => template('site_ca_daemon/leap_ca.yaml.erb'),
- owner => leap_ca_daemon,
- group => leap_ca_daemon,
- mode => '0600';
- }
-
-}
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp
deleted file mode 100644
index 8ba9c506..00000000
--- a/puppet/modules/site_ca_daemon/manifests/init.pp
+++ /dev/null
@@ -1,103 +0,0 @@
-class site_ca_daemon {
- tag 'leap_service'
- #$definition_files = hiera('definition_files')
- #$provider = $definition_files['provider']
- #$eip_service = $definition_files['eip_service']
- $x509 = hiera('x509')
-
- Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
-
- class { 'ruby': ruby_version => '1.9.3' }
-
- class { 'bundler::install': install_method => 'package' }
-
- include rubygems
- #include site_ca_daemon::apache
- include site_ca_daemon::couchdb
-
- group { 'leap_ca_daemon':
- ensure => present,
- allowdupe => false;
- }
-
- user { 'leap_ca_daemon':
- ensure => present,
- allowdupe => false,
- gid => 'leap_ca_daemon',
- home => '/srv/leap_ca_daemon',
- require => [ Group['leap_ca_daemon'] ];
- }
-
-
- x509::key {
- 'leap_ca_daemon':
- content => $x509['ca_key'];
- #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon
- }
-
- x509::cert {
- 'leap_ca_daemon':
- content => $x509['ca_cert'];
- #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon
- }
-
- #
- # Does CA need a server key/cert? I think not now.
- #
- # x509::key {
- # 'server':
- # content => $x509['key'];
- # }
- #
- # x509::cert {
- # 'server':
- # content => $x509['cert'];
- # }
-
- # x509::ca {
- # 'leap_ca_daemon':
- # content => $x509['ca_cert'];
- # }
-
-
- file { '/srv/leap_ca_daemon':
- ensure => directory,
- owner => 'leap_ca_daemon',
- group => 'leap_ca_daemon',
- require => User['leap_ca_daemon'];
- }
-
- vcsrepo { '/srv/leap_ca_daemon':
- ensure => present,
- revision => 'origin/master',
- provider => git,
- source => 'git://code.leap.se/leap_ca',
- owner => 'leap_ca_daemon',
- group => 'leap_ca_daemon',
- require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ],
- notify => Exec['bundler_update']
- }
-
- exec { 'bundler_update':
- cwd => '/srv/leap_ca_daemon',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"',
- unless => '/usr/bin/bundle check',
- timeout => 600,
- require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ];
- }
-
- file { '/usr/local/bin/leap_ca_daemon':
- ensure => link,
- target => '/srv/leap_ca_daemon/bin/leap_ca_daemon',
- }
-
- file { '/etc/cron.hourly/leap_ca':
- ensure => present,
- content => "#/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null",
- owner => 'root',
- group => 0,
- mode => '0755',
- }
-
-
-}
diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb
deleted file mode 100644
index e0b95278..00000000
--- a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Default configuration options for LEAP Certificate Authority Daemon
-#
-
-#
-# Certificate Authority
-#
-ca_key_path: "/etc/x509/keys/leap_ca_daemon.key"
-ca_key_password: nil
-ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt"
-
-#
-# Certificate pool
-#
-max_pool_size: 100
-client_cert_lifespan: 2
-client_cert_bit_size: 2024
-client_cert_hash: "SHA256"
-
-#
-# Database
-#
-db_name: "client_certificates"
-couch_connection:
- protocol: "https"
- host: <%= couchdb_host %>
- port: 6984
- username: <%= couchdb_user %>
- password: <%= couchdb_password %>
- prefix: ""
- suffix: ""
diff --git a/puppet/modules/site_config/files/xterm-title.sh b/puppet/modules/site_config/files/xterm-title.sh
new file mode 100644
index 00000000..3cff0e3a
--- /dev/null
+++ b/puppet/modules/site_config/files/xterm-title.sh
@@ -0,0 +1,8 @@
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+ PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'
+ ;;
+*)
+ ;;
+esac
diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp
new file mode 100644
index 00000000..3d40f7a2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/base_packages.pp
@@ -0,0 +1,28 @@
+class site_config::base_packages {
+
+ # base set of packages that we want to have installed everywhere
+ package { [ 'etckeeper', 'screen', 'less' ]:
+ ensure => installed,
+ }
+
+ # base set of packages that we want to remove everywhere
+ package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp',
+ 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server',
+ 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind',
+ 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5',
+ 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common',
+ 'x11-utils', 'xterm' ]:
+ ensure => absent;
+ }
+
+ if $::virtual == 'virtualbox' {
+ $virtualbox_ensure = present
+ } else {
+ $virtualbox_ensure = absent
+ }
+
+ package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc',
+ 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
+ ensure => $virtualbox_ensure
+ }
+}
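Review bot: The removal list terminates its attribute with `ensure => absent;` while the two neighbouring resources use a trailing comma; one form throughout reads better. The virtualbox branch installs compilers only on virtualbox nodes, which is clear from the code, but a one-line comment such as `# build tools are only needed on virtualbox dev nodes` would spare the next reader the inference.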
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 2191e9a1..00eee9d0 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -12,10 +12,14 @@ class site_config::default {
# configure apt
include site_apt
-
# configure ssh and include ssh-keys
include site_config::sshd
+ # fix dhclient from changing resolver information
+ if $::ec2_instance_id {
+ include site_config::dhclient
+ }
+
# configure /etc/resolv.conf
include site_config::resolvconf
@@ -24,13 +28,17 @@ class site_config::default {
# configure /etc/hosts
class { 'site_config::hosts':
- stage => initial,
+ stage => setup,
}
- package { [ 'etckeeper' ]:
- ensure => installed,
- }
+ # install/remove base packages
+ include site_config::base_packages
# include basic shorewall config
include site_shorewall::defaults
+
+ Class['git'] -> Vcsrepo<||>
+
+ # include basic shell config
+ include site_config::shell
}
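Review bot: `Class['git'] -> Vcsrepo<||>` references a `git` class that is not declared anywhere in this file; unless it is declared on every node elsewhere, catalog compilation fails with a missing-resource error for the relationship, regardless of whether the node has any vcsrepo resources. Placing the chain, together with an `include git`, in the class that declares the vcsrepo resources avoids that, and a short comment stating why git must precede every vcsrepo would make the intent clear.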
diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp
new file mode 100644
index 00000000..7ac0caf3
--- /dev/null
+++ b/puppet/modules/site_config/manifests/dhclient.pp
@@ -0,0 +1,30 @@
+class site_config::dhclient {
+
+ # Unfortunately, there does not seem to be a way to reload the dhclient.conf
+ # config file, or a convenient way to disable the modifications to
+ # /etc/resolv.conf. So the following makes the functions involved noops and
+ # ships a script to kill and restart dhclient. See the debian bugs:
+ # #681698, #712796
+
+ include site_config::params
+
+ file { '/usr/local/sbin/reload_dhclient':
+ owner => 0,
+ group => 0,
+ mode => '0755',
+ content => template('site_config/reload_dhclient.erb');
+ }
+
+ exec { 'reload_dhclient':
+ refreshonly => true,
+ command => '/usr/local/sbin/reload_dhclient';
+ }
+
+ file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf':
+ content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }',
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ notify => Exec['reload_dhclient'];
+ }
+}
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
index 6c00f3b6..ccedf036 100644
--- a/puppet/modules/site_config/manifests/hosts.pp
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -1,22 +1,34 @@
class site_config::hosts() {
+ $hosts = hiera('hosts','')
+ $hostname = hiera('name')
+ $domain_hash = hiera('domain')
+ $domain_public = $domain_hash['full_suffix']
- $hosts = hiera('hosts','')
- $hostname = hiera('name')
-
- $domain_public = $site_config::default::domain_hash['full_suffix']
-
- file { "/etc/hostname":
- ensure => present,
+ file { '/etc/hostname':
+ ensure => present,
content => $hostname
}
- exec { "/bin/hostname $hostname":
+ exec { "/bin/hostname ${hostname}":
subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ],
refreshonly => true;
}
+ # we depend on reliable hostnames from /etc/hosts for the stunnel services
+ # so restart stunnel service when /etc/hosts is modified
+ # because this is done in an early stage, the stunnel module may not
+ # have been deployed and will not be available for overriding, so
+ # this is handled in an unorthodox manner
+ exec { '/etc/init.d/stunnel4 restart':
+ subscribe => File['/etc/hosts'],
+ refreshonly => true,
+ onlyif => 'test -f /etc/init.d/stunnel4';
+ }
+
file { '/etc/hosts':
content => template('site_config/hosts'),
- mode => '0644', owner => root, group => root;
+ mode => '0644',
+ owner => root,
+ group => root;
}
}
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
new file mode 100644
index 00000000..237ee454
--- /dev/null
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -0,0 +1,25 @@
+class site_config::params {
+
+ $ip_address = hiera('ip_address')
+ $ip_address_interface = getvar("interface_${ip_address}")
+ $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
+
+ if $::virtual == 'virtualbox' {
+ $interface = [ 'eth0', 'eth1' ]
+ }
+ elsif hiera('interface','') != '' {
+ $interface = hiera('interface')
+ }
+ elsif $ip_address_interface != '' {
+ $interface = $ip_address_interface
+ }
+ elsif $ec2_local_ipv4_interface != '' {
+ $interface = $ec2_local_ipv4_interface
+ }
+ elsif $::interfaces =~ /eth0/ {
+ $interface = eth0
+ }
+ else {
+ fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
+ }
+}
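Review bot: `$interface` has a different type per branch: the virtualbox branch assigns an Array (`[ 'eth0', 'eth1' ]`) while every other branch yields a String, and a consumer such as the new reload_dhclient.erb interpolates it into a single pid-file path, which for the array form becomes a nonexistent name. Either document the contract, e.g. `# NOTE: Array on virtualbox; consumers needing one device must pick an element`, or expose a scalar alongside it (`$primary_interface`). The same mixed-type concern applies to reload_dhclient.erb in this commit.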
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
index d73f0b78..271c5043 100644
--- a/puppet/modules/site_config/manifests/resolvconf.pp
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -1,16 +1,5 @@
class site_config::resolvconf {
- # bind9 purging can be taken out after some time
- package { 'bind9':
- ensure => absent,
- }
- file { '/etc/default/bind9':
- ensure => absent;
- }
- file { '/etc/bind/named.conf.options':
- ensure => absent;
- }
-
$domain_public = $site_config::default::domain_hash['full_suffix']
# 127.0.0.1: caching-only local bind
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp
new file mode 100644
index 00000000..2a720114
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby.pp
@@ -0,0 +1,14 @@
+class site_config::ruby {
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+ class { '::ruby': ruby_version => '1.9.3' }
+ class { 'bundler::install': install_method => 'package' }
+ include rubygems
+}
+
+
+#
+# Ruby settings common to all servers
+#
+# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors.
+# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/
+#
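Review bot: The explanatory header sits after the class body and refers to `include site_ruby`, while the class is named `site_config::ruby`; move the comment above `class site_config::ruby {` and correct the name, e.g. `# Why this way? So that other classes can do 'include site_config::ruby' without creating redeclaration errors.`. The `Class[Ruby] -> Class[rubygems] -> Class[bundler::install]` chain mixes bareword and case styles; `Class['ruby'] -> Class['rubygems'] -> Class['bundler::install']` matches the quoted references used elsewhere in the change.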
diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp
new file mode 100644
index 00000000..5b8c025d
--- /dev/null
+++ b/puppet/modules/site_config/manifests/shell.pp
@@ -0,0 +1,22 @@
+class site_config::shell {
+
+ file {
+ '/etc/profile.d/leap_path.sh':
+ content => 'PATH=$PATH:/srv/leap/bin',
+ mode => '0644',
+ owner => root,
+ group => root;
+ }
+
+ ##
+ ## XTERM TITLE
+ ##
+
+ file { '/etc/profile.d/xterm-title.sh':
+ source => 'puppet:///modules/site_config/xterm-title.sh',
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp
index 18b22a9c..94bac88d 100644
--- a/puppet/modules/site_config/manifests/slow.pp
+++ b/puppet/modules/site_config/manifests/slow.pp
@@ -1,6 +1,6 @@
class site_config::slow {
tag 'leap_slow'
class { 'site_apt::dist_upgrade':
- stage => initial,
+ stage => setup,
}
}
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp
index 944dbce2..8ff337a0 100644
--- a/puppet/modules/site_config/manifests/sshd.pp
+++ b/puppet/modules/site_config/manifests/sshd.pp
@@ -2,7 +2,7 @@ class site_config::sshd {
# configure sshd
include sshd
include site_sshd
- # no need for configuring authorized_keys as leap_cli cares for that
+ # no need for configuring authorized_keys as leap_cli cares for that
#$ssh_pubkeys=hiera_hash('ssh_pubkeys')
#notice($ssh_pubkeys)
#create_resources('site_sshd::ssh_key', $ssh_pubkeys)
diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts
index 00cc6a79..2c784b05 100644
--- a/puppet/modules/site_config/templates/hosts
+++ b/puppet/modules/site_config/templates/hosts
@@ -1,10 +1,12 @@
# This file is managed by puppet, any changes will be overwritten!
127.0.0.1 localhost
-127.0.1.1 <%= hostname %>.<%= @domain_public %> <%= hostname %>
+127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %>
-<%- if hosts.to_s != '' then -%>
-<%= hosts %>
+<%- if @hosts then -%>
+<% @hosts.each do |name, props| -%>
+<%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %>
+<% end -%>
<% end -%>
# The following lines are desirable for IPv6 capable hosts
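Review bot: The loop at L953–L954 writes `props["ip_address"]`, `props["domain_full"]` and `props["domain_internal"]` into /etc/hosts without checking any of them is set; an entry missing `ip_address` renders a line whose first column is a hostname, silently shifting the columns and producing a resolver entry that glibc either ignores or misparses. Add `<% next unless props["ip_address"] %>` as the first line of the loop, or fail in the manifest, so a bad hiera entry surfaces instead of quietly breaking name resolution. Note the old template accepted `hosts` as a pre-rendered string, whereas `@hosts.each` at L953 now requires a Hash; if any caller still passes a string this presumably raises at catalog compile time rather than rendering.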
diff --git a/puppet/modules/site_config/templates/reload_dhclient.erb b/puppet/modules/site_config/templates/reload_dhclient.erb
new file mode 100644
index 00000000..075828b7
--- /dev/null
+++ b/puppet/modules/site_config/templates/reload_dhclient.erb
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# Get the PID
+PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid'
+
+# Capture how dhclient is currently running so we can relaunch it
+dhclient=`/bin/ps --no-headers --pid $(cat $PIDFILE) -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ", $i) }'`
+
+# Kill the current dhclient
+/usr/bin/pkill -F $PIDFILE
+
+# Restart dhclient with the arguments it had previously
+$dhclient
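Review bot: The script trusts the pidfile blindly: L970 feeds `$(cat $PIDFILE)` to ps with no check that the file exists or that the PID belongs to dhclient, L973 then `pkill -F`s whatever PID is in the file, and L976 re-executes a command line rebuilt by slicing `ps -f` output from field 8, which drops the real argv boundaries and only works if the column layout is the one awk assumes. If the pidfile is stale or missing, this kills an unrelated process or runs an empty command, and either way exits 0 because there is no `set -e`. Use `ps -o args=` for the full command line, verify the PID is dhclient before killing, and fail loudly otherwise; word-splitting on `$dhclient` at re-exec is unchanged and still breaks on arguments containing spaces, which is worth a comment.
```shell
#!/bin/sh
set -e
PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid'

[ -r "$PIDFILE" ] || { echo "$0: no pidfile $PIDFILE" >&2; exit 1; }
pid=$(cat "$PIDFILE")

# Full argv of the running process (fails if the PID is gone); no column slicing.
dhclient=$(/bin/ps --no-headers --pid "$pid" -o args=)
case "$dhclient" in
  dhclient*|*/dhclient*) ;;
  *) echo "$0: pid $pid is not dhclient: $dhclient" >&2; exit 1 ;;
esac

/usr/bin/pkill -F "$PIDFILE"
# NOTE: relaunch relies on word-splitting; arguments containing spaces are not preserved.
$dhclient
```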
diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb
deleted file mode 100755
index ccdfe716..00000000
--- a/puppet/modules/site_couchdb/files/couchdb
+++ /dev/null
@@ -1,160 +0,0 @@
-#!/bin/sh -e
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy of
-# the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
-
-### BEGIN INIT INFO
-# Provides: couchdb
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Apache CouchDB init script
-# Description: Apache CouchDB init script for the database server.
-### END INIT INFO
-
-SCRIPT_OK=0
-SCRIPT_ERROR=1
-
-DESCRIPTION="database server"
-NAME=couchdb
-SCRIPT_NAME=`basename $0`
-COUCHDB=/usr/bin/couchdb
-CONFIGURATION_FILE=/etc/default/couchdb
-RUN_DIR=/var/run/couchdb
-LSB_LIBRARY=/lib/lsb/init-functions
-
-if test ! -x $COUCHDB; then
- exit $SCRIPT_ERROR
-fi
-
-if test -r $CONFIGURATION_FILE; then
- . $CONFIGURATION_FILE
-fi
-
-log_daemon_msg () {
- # Dummy function to be replaced by LSB library.
-
- echo $@
-}
-
-log_end_msg () {
- # Dummy function to be replaced by LSB library.
-
- if test "$1" != "0"; then
- echo "Error with $DESCRIPTION: $NAME"
- fi
- return $1
-}
-
-if test -r $LSB_LIBRARY; then
- . $LSB_LIBRARY
-fi
-
-run_command () {
- command="$1"
- if test -n "$COUCHDB_OPTIONS"; then
- command="$command $COUCHDB_OPTIONS"
- fi
- if test -n "$COUCHDB_USER"; then
- if su $COUCHDB_USER -c "$command"; then
- return $SCRIPT_OK
- else
- return $SCRIPT_ERROR
- fi
- else
- if $command; then
- return $SCRIPT_OK
- else
- return $SCRIPT_ERROR
- fi
- fi
-}
-
-start_couchdb () {
- # Start Apache CouchDB as a background process.
-
- mkdir -p "$RUN_DIR"
- chown -R "$COUCHDB_USER" "$RUN_DIR"
- command="$COUCHDB -b"
- if test -n "$COUCHDB_STDOUT_FILE"; then
- command="$command -o $COUCHDB_STDOUT_FILE"
- fi
- if test -n "$COUCHDB_STDERR_FILE"; then
- command="$command -e $COUCHDB_STDERR_FILE"
- fi
- if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then
- command="$command -r $COUCHDB_RESPAWN_TIMEOUT"
- fi
- run_command "$command" > /dev/null
-}
-
-stop_couchdb () {
- # Stop the running Apache CouchDB process.
-
- run_command "$COUCHDB -d" > /dev/null
- pkill -u couchdb
- # always return true even if no remaining couchdb procs got killed
- /bin/true
-}
-
-display_status () {
- # Display the status of the running Apache CouchDB process.
-
- run_command "$COUCHDB -s"
-}
-
-parse_script_option_list () {
- # Parse arguments passed to the script and take appropriate action.
-
- case "$1" in
- start)
- log_daemon_msg "Starting $DESCRIPTION" $NAME
- if start_couchdb; then
- log_end_msg $SCRIPT_OK
- else
- log_end_msg $SCRIPT_ERROR
- fi
- ;;
- stop)
- log_daemon_msg "Stopping $DESCRIPTION" $NAME
- if stop_couchdb; then
- log_end_msg $SCRIPT_OK
- else
- log_end_msg $SCRIPT_ERROR
- fi
- ;;
- restart|force-reload)
- log_daemon_msg "Restarting $DESCRIPTION" $NAME
- if stop_couchdb; then
- if start_couchdb; then
- log_end_msg $SCRIPT_OK
- else
- log_end_msg $SCRIPT_ERROR
- fi
- else
- log_end_msg $SCRIPT_ERROR
- fi
- ;;
- status)
- display_status
- ;;
- *)
- cat << EOF >&2
-Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status}
-EOF
- exit $SCRIPT_ERROR
- ;;
- esac
-}
-
-parse_script_option_list $@
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index b3376cbb..22aa0177 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -28,8 +28,10 @@
[httpd_global_handlers]
;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
+# futon is enabled by default on bigcouch in default.ini
+# we need to find another way to disable futon, it won't work disabling it here
# enable futon
-_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
+#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
# disable futon
#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
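Review bot: The comment at L1150–L1151 concedes that Futon stays enabled because bigcouch turns it on in default.ini, so commenting out L1154 changes nothing and the web UI remains reachable on whatever address couch listens on; until a working disable is found, add a line stating the mitigation relied on, e.g. `# Futon stays reachable: couch must only be exposed via the stunnel/haproxy front ends, which must not pass /_utils through`. Also confirm that this ini parser treats `#` as a comment (CouchDB's documented comment character is `;`); if it does not, `#_utils` simply becomes an unused key, harmless but misleading.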
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
deleted file mode 100644
index 7739473e..00000000
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
-
- $apache_no_default_site = true
- include apache
- apache::module {
- 'proxy': ensure => present;
- 'proxy_http': ensure => present;
- 'rewrite': ensure => present;
- 'ssl': ensure => present;
- }
- apache::vhost::file { 'couchdb_proxy': }
-
- x509::key {
- 'leap_couchdb':
- content => $key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_couchdb':
- content => $cert,
- notify => Service[apache];
- }
-
-}
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
new file mode 100644
index 00000000..241a4914
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
@@ -0,0 +1,5 @@
+class site_couchdb::bigcouch::add_nodes {
+ # loop through neighbors array and add nodes
+ $nodes = $::site_couchdb::bigcouch_config['neighbors']
+ couchdb::bigcouch::add_node { $nodes: }
+}
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
deleted file mode 100644
index 333511b5..00000000
--- a/puppet/modules/site_couchdb/manifests/configure.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-class site_couchdb::configure {
-
- file { '/etc/init.d/couchdb':
- source => 'puppet:///modules/site_couchdb/couchdb',
- mode => '0755',
- owner => 'root',
- group => 'root',
- }
-
- file { '/etc/couchdb/local.d/admin.ini':
- content => "[admins]
-admin = $site_couchdb::couchdb_admin_pw
-",
- mode => '0600',
- owner => 'couchdb',
- group => 'couchdb',
- notify => Service[couchdb]
- }
-
-
- exec { '/etc/init.d/couchdb restart; sleep 6':
- path => ['/bin', '/usr/bin',],
- subscribe => File['/etc/couchdb/local.d/admin.ini',
- '/etc/couchdb/local.ini'],
- refreshonly => true
- }
-}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 9ecde5e6..802f3224 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,64 +1,83 @@
class site_couchdb {
tag 'leap_service'
- include couchdb
$x509 = hiera('x509')
$key = $x509['key']
$cert = $x509['cert']
+ $ca = $x509['ca_cert']
+
$couchdb_config = hiera('couch')
$couchdb_users = $couchdb_config['users']
$couchdb_admin = $couchdb_users['admin']
$couchdb_admin_user = $couchdb_admin['username']
$couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_admin_salt = $couchdb_admin['salt']
$couchdb_webapp = $couchdb_users['webapp']
$couchdb_webapp_user = $couchdb_webapp['username']
$couchdb_webapp_pw = $couchdb_webapp['password']
- $couchdb_ca_daemon = $couchdb_users['ca_daemon']
- $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
- $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+ $couchdb_webapp_salt = $couchdb_webapp['salt']
+ $couchdb_soledad = $couchdb_users['soledad']
+ $couchdb_soledad_user = $couchdb_soledad['username']
+ $couchdb_soledad_pw = $couchdb_soledad['password']
+ $couchdb_soledad_salt = $couchdb_soledad['salt']
+
+ $bigcouch_config = $couchdb_config['bigcouch']
+ $bigcouch_cookie = $bigcouch_config['cookie']
+
+ $ednp_port = $bigcouch_config['ednp_port']
+
+ class { 'couchdb':
+ bigcouch => true,
+ admin_pw => $couchdb_admin_pw,
+ admin_salt => $couchdb_admin_salt,
+ bigcouch_cookie => $bigcouch_cookie,
+ ednp_port => $ednp_port
+ }
+
+ class { 'couchdb::bigcouch::package::cloudant': }
- Package ['couchdb']
- -> File['/etc/init.d/couchdb']
- -> File['/etc/couchdb/local.ini']
- -> File['/etc/couchdb/local.d/admin.ini']
- -> File['/etc/couchdb/couchdb.netrc']
+ Class ['couchdb::bigcouch::package::cloudant']
+ -> Service ['couchdb']
+ -> Class ['site_couchdb::bigcouch::add_nodes']
-> Couchdb::Create_db['users']
- -> Couchdb::Create_db['client_certificates']
+ -> Couchdb::Create_db['tokens']
-> Couchdb::Add_user[$couchdb_webapp_user]
- -> Couchdb::Add_user[$couchdb_ca_daemon_user]
- -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
+ -> Couchdb::Add_user[$couchdb_soledad_user]
- include site_couchdb::configure
- include couchdb::deploy_config
-
- site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
- key => $key,
- cert => $cert
+ class { 'site_couchdb::stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
}
+ class { 'site_couchdb::bigcouch::add_nodes': }
+
couchdb::query::setup { 'localhost':
user => $couchdb_admin_user,
- pw => $couchdb_admin_pw
+ pw => $couchdb_admin_pw,
}
# Populate couchdb
couchdb::add_user { $couchdb_webapp_user:
- roles => '["certs"]',
- pw => $couchdb_webapp_pw
+ roles => '["auth"]',
+ pw => $couchdb_webapp_pw,
+ salt => $couchdb_webapp_salt
}
- couchdb::add_user { $couchdb_ca_daemon_user:
- roles => '["certs"]',
- pw => $couchdb_ca_daemon_pw
+ couchdb::add_user { $couchdb_soledad_user:
+ roles => '["auth"]',
+ pw => $couchdb_soledad_pw,
+ salt => $couchdb_soledad_salt
}
couchdb::create_db { 'users':
readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
}
- couchdb::create_db { 'client_certificates':
- readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+ couchdb::create_db { 'tokens':
+ readers => "{ \"names\": [], \"roles\": [\"auth\"] }"
}
include site_shorewall::couchdb
+ include site_shorewall::couchdb::bigcouch
}
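Review bot: The `users` database at L1326–L1328 grants reader access only to `$couchdb_webapp_user`, and the only users provisioned here are webapp and soledad (L1311–L1325), yet the nickserver hunk below reads `couch_database: "users"` with a separate `nickserver['couchdb_user']` credential; unless that user is created and added to the readers list somewhere not visible here, nickserver's lookups against `users` will be refused. If it is meant to be provisioned here, add a `couchdb::add_user` for it and include it in the `users` readers names, and extend the ordering chain at L1282–L1291 accordingly. The readers JSON at L1327 is built by string interpolation of a hiera-supplied username, which is fine for trusted config but deserves a one-line comment saying the value is not escaped.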
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..d982013e
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -0,0 +1,104 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+ $stunnel = hiera('stunnel')
+
+ $couch_server = $stunnel['couch_server']
+ $couch_server_accept = $couch_server['accept']
+ $couch_server_connect = $couch_server['connect']
+
+ # Erlang Port Mapper Daemon (epmd) stunnel server/clients
+ $epmd_server = $stunnel['epmd_server']
+ $epmd_server_accept = $epmd_server['accept']
+ $epmd_server_connect = $epmd_server['connect']
+ $epmd_clients = $stunnel['epmd_clients']
+
+ # Erlang Distributed Node Protocol (ednp) stunnel server/clients
+ $ednp_server = $stunnel['ednp_server']
+ $ednp_server_accept = $ednp_server['accept']
+ $ednp_server_connect = $ednp_server['connect']
+ $ednp_clients = $stunnel['ednp_clients']
+
+ include x509::variables
+ $cert_name = 'leap_couchdb'
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ # basic setup: ensure cert, key, ca files are in place, and some generic
+ # stunnel things are done
+ class { 'site_stunnel::setup':
+ cert_name => $cert_name,
+ key => $key,
+ cert => $cert,
+ ca_name => $ca_name,
+ ca => $ca
+ }
+
+ # setup a stunnel server for the webapp to connect to couchdb
+ stunnel::service { 'couch_server':
+ accept => $couch_server_accept,
+ connect => $couch_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/couchserver.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+
+ # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
+ # bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'epmd_server':
+ accept => $epmd_server_accept,
+ connect => $epmd_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/epmd_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
+ # to the above epmd stunnel server.
+ $epmd_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)
+
+ # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
+ # for bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'ednp_server':
+ accept => $ednp_server_accept,
+ connect => $ednp_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/ednp_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
+ # to the above ednp stunnel server.
+ $ednp_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)
+}
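Review bot: The client defaults at L1412–L1417 and L1438–L1443 carry `cafile`/`key`/`cert` but no `verify`, while every server block sets `verify => '2'`; unless `site_stunnel::clients` (not visible here) supplies one, stunnel's default is no peer verification, so the client side of the epmd/ednp tunnels would accept any server certificate despite having a CA file. Add `'verify' => '2',` to both `$epmd_client_defaults` and `$ednp_client_defaults`. Note also that verify level 2 only checks CA membership: any certificate leap_ca has issued for another role (the nickserver and openvpn hunks use the same `x509` hiera data) would be accepted by couch_server, epmd and ednp, so if that CA signs non-couch certificates, pin the expected peers (verify 3 with the peer certs in a CApath, or a dedicated cluster CA) rather than relying on CA membership for access to Erlang distribution.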
diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp
new file mode 100644
index 00000000..ace88a7b
--- /dev/null
+++ b/puppet/modules/site_haproxy/manifests/init.pp
@@ -0,0 +1,26 @@
+class site_haproxy {
+
+ class { 'haproxy':
+ enable => true,
+ version => '1.4.23-0.1~leap60+1',
+ manage_service => true,
+ global_options => {
+ 'log' => '127.0.0.1 local0',
+ 'maxconn' => '4096',
+ 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy',
+ 'chroot' => '/usr/share/haproxy',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => ''
+ },
+ defaults_options => {
+ 'log' => 'global',
+ 'retries' => '3',
+ 'option' => 'redispatch',
+ 'timeout connect' => '4000',
+ 'timeout client' => '20000',
+ 'timeout server' => '20000'
+ }
+ }
+
+}
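Review bot: The stats socket at L1462 sets `user`/`group` but neither `mode` nor `level`, so the socket's permissions follow haproxy's umask and the privilege level falls back to the default (operator, per the haproxy docs); since that socket accepts runtime commands, make both explicit: `'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy mode 600 level operator'`. Because `defaults_options` is a hash keyed by directive name, only one `option` directive (redispatch, L1471) can ever be expressed here; if further `option` lines are needed later the module's array form, if it has one, must be used, and a comment saying so would prevent a silent overwrite.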
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index c98a8a1f..c114a39a 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -2,7 +2,7 @@ class site_nagios::server inherits nagios::base {
# First, purge old nagios config (see #1467)
class { 'site_nagios::server::purge':
- stage => initial
+ stage => setup
}
$nagios_hiera=hiera('nagios')
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
new file mode 100644
index 00000000..7dfa2603
--- /dev/null
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -0,0 +1,162 @@
+#
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
+#
+
+class site_nickserver {
+ tag 'leap_service'
+ include site_config::ruby
+
+ #
+ # VARIABLES
+ #
+
+ $nickserver = hiera('nickserver')
+ $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
+ $nickserver_local_port = '64250' # the port that nickserver is actually running on
+ $nickserver_domain = $nickserver['domain']
+
+ $couchdb_user = $nickserver['couchdb_user']['username']
+ $couchdb_password = $nickserver['couchdb_user']['password']
+ $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
+ $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+
+ # temporarily for now:
+ $domain = hiera('domain')
+ $address_domain = $domain['full_suffix']
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
+ #
+ # USER AND GROUP
+ #
+
+ group { 'nickserver':
+ ensure => present,
+ allowdupe => false;
+ }
+ user { 'nickserver':
+ ensure => present,
+ allowdupe => false,
+ gid => 'nickserver',
+ home => '/srv/leap/nickserver',
+ require => Group['nickserver'];
+ }
+
+ #
+ # NICKSERVER CODE
+ # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+ # is built/installed.
+ #
+
+ package {
+ 'libssl-dev': ensure => installed;
+ }
+ vcsrepo { '/srv/leap/nickserver':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/nickserver',
+ owner => 'nickserver',
+ group => 'nickserver',
+ require => [ User['nickserver'], Group['nickserver'] ],
+ notify => Exec['nickserver_bundler_update'];
+ }
+ exec { 'nickserver_bundler_update':
+ cwd => '/srv/leap/nickserver',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ unless => '/usr/bin/bundle check',
+ user => 'nickserver',
+ timeout => 600,
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER CONFIG
+ #
+
+ file { '/etc/leap/nickserver.yml':
+ content => template('site_nickserver/nickserver.yml.erb'),
+ owner => nickserver,
+ group => nickserver,
+ mode => '0600',
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER DAEMON
+ #
+
+ file {
+ '/usr/bin/nickserver':
+ ensure => link,
+ target => '/srv/leap/nickserver/bin/nickserver',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ '/etc/init.d/nickserver':
+ owner => root, group => 0, mode => '0755',
+ source => '/srv/leap/nickserver/dist/debian-init-script',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ }
+
+ service { 'nickserver':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => File['/etc/init.d/nickserver'];
+ }
+
+ #
+ # FIREWALL
+ # poke a hole in the firewall to allow nickserver requests
+ #
+
+ file { '/etc/shorewall/macro.nickserver':
+ content => "PARAM - - tcp $nickserver_port",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-nickserver':
+ source => 'net',
+ destination => '$FW',
+ action => 'nickserver(ACCEPT)',
+ order => 200;
+ }
+
+ #
+ # APACHE REVERSE PROXY
+ # nickserver doesn't speak TLS natively, let Apache handle that.
+ #
+
+ apache::module {
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present
+ }
+
+ apache::vhost::file {
+ 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+ }
+
+ x509::key { 'nickserver':
+ content => $x509_key,
+ notify => Service[apache];
+ }
+
+ x509::cert { 'nickserver':
+ content => $x509_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca { 'nickserver':
+ content => $x509_ca,
+ notify => Service[apache];
+ }
+} \ No newline at end of file
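Review bot: L1597–L1600 installs `/etc/init.d/nickserver` as a root-owned 0755 file copied from `/srv/leap/nickserver/dist/debian-init-script`, a checkout that L1556–L1565 fetches over unauthenticated `git://` at the floating `revision => 'origin/master'` and that is owned by the unprivileged `nickserver` user; anyone who can alter that repository, intercept the clone, or write as `nickserver` thereby controls a script executed as root at service start. Ship the init script from the puppet module instead (`source => 'puppet:///modules/site_nickserver/debian-init-script'`), pin `revision` to a tag or commit rather than a branch tip, and fetch over an authenticated transport (https with a verified certificate, or ssh). The `bundle install` at L1568 likewise pulls gems at deploy time with no visible lockfile pinning, which is the same class of supply-chain exposure and deserves a TODO comment at minimum.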
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+ ServerName <%= @nickserver_domain %>
+ ServerAlias <%= @address_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+ SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+ SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+ ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+ ProxyPreserveHost On # preserve Host header in HTTP request
+</VirtualHost>
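Review bot: L1685 puts a comment on the same line as a directive, `ProxyPreserveHost On # preserve Host header in HTTP request`, but Apache httpd only recognises `#` at the start of a line, so this is parsed as extra arguments and fails the config test (ProxyPreserveHost takes one argument), which keeps the vhost from loading; move the comment to its own line above the directive. Separately, L1675 explicitly re-enables SSLv3 (`-all +SSLv3 +TLSv1`); there is no reason for a newly written proxy to offer it, so use `SSLProtocol all -SSLv2 -SSLv3`, and consider trimming `MEDIUM` from the cipher list at L1676 since it admits RC4 and 3DES. L1680 references `/etc/ssl/certs/nickserver.pem` while the manifest deploys the cert and key under `/etc/x509/`; presumably `x509::ca` writes the pem there, but that path is not visible here and is worth confirming.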
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..7aab5605
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,19 @@
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
+couch_port: <%= @couchdb_port %>
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+
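Review bot: The `hkp_url` at L1705 contains an empty port component, `https://hkps.pool.sks-keyservers.net:/pks/lookup`; whether the HTTP client nickserver uses tolerates `host:` with no port is not visible here, and the trailing colon is clearly unintended, so write `hkp_url: "https://hkps.pool.sks-keyservers.net/pks/lookup"`. Since the whole point of using the hkps pool is TLS, add a comment noting that the pool has historically been served under its own CA rather than one in the system trust store, so verification must be configured for that CA or it will either fail or, worse, be silently skipped by the client.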
diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README
new file mode 100644
index 00000000..cef5be23
--- /dev/null
+++ b/puppet/modules/site_openvpn/README
@@ -0,0 +1,20 @@
+Place to look when debugging problems
+========================================
+
+Log files:
+
+ openvpn: /var/log/syslog
+ shorewall: /var/log/syslog
+ shorewall startup: /var/log/shorewall-init.log
+
+Check NAT masq:
+
+ iptables -t nat --list-rules
+
+Check interfaces:
+
+ ip addr ls
+
+Scripts:
+
+ /usr/local/bin/add_gateway_ips.sh \ No newline at end of file
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e3d2a9af..4f900623 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,55 +1,141 @@
+#
+# An openvpn gateway can support three modes:
+#
+# (1) limited and unlimited
+# (2) unlimited only
+# (3) limited only
+#
+# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix',
+# and 'limited' gateways only allow certs that match the 'limited_prefix'.
+#
+# We potentially create four openvpn config files (thus four daemons):
+#
+# (1) unlimited + tcp => tcp_config.conf
+# (2) unlimited + udp => udp_config.conf
+# (3) limited + tcp => limited_tcp_config.conf
+# (4) limited + udp => limited_udp_config.conf
+#
+
class site_openvpn {
tag 'leap_service'
- # parse hiera config
- $ip_address = hiera('ip_address')
- $interface = getvar("interface_${ip_address}")
- #$gateway_address = hiera('gateway_address')
- $openvpn_config = hiera('openvpn')
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- $openvpn_tcp_network_prefix = '10.1.0'
- $openvpn_tcp_netmask = '255.255.248.0'
- $openvpn_tcp_cidr = '21'
- $openvpn_udp_network_prefix = '10.2.0'
- $openvpn_udp_netmask = '255.255.248.0'
- $openvpn_udp_cidr = '21'
- $x509_config = hiera('x509')
+
+ $openvpn_config = hiera('openvpn')
+ $x509_config = hiera('x509')
+ $openvpn_ports = $openvpn_config['ports']
+
+ if $::ec2_instance_id {
+ $openvpn_gateway_address = $::ipaddress
+ } else {
+ $openvpn_gateway_address = $openvpn_config['gateway_address']
+ if $openvpn_config['second_gateway_address'] {
+ $openvpn_second_gateway_address = $openvpn_config['second_gateway_address']
+ } else {
+ $openvpn_second_gateway_address = undef
+ }
+ }
+
+ $openvpn_allow_unlimited = $openvpn_config['allow_unlimited']
+ $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix']
+ $openvpn_unlimited_tcp_network_prefix = '10.41.0'
+ $openvpn_unlimited_tcp_netmask = '255.255.248.0'
+ $openvpn_unlimited_tcp_cidr = '21'
+ $openvpn_unlimited_udp_network_prefix = '10.42.0'
+ $openvpn_unlimited_udp_netmask = '255.255.248.0'
+ $openvpn_unlimited_udp_cidr = '21'
+
+ if !$::ec2_instance_id {
+ $openvpn_allow_limited = $openvpn_config['allow_limited']
+ $openvpn_limited_prefix = $openvpn_config['limited_prefix']
+ $openvpn_rate_limit = $openvpn_config['rate_limit']
+ $openvpn_limited_tcp_network_prefix = '10.43.0'
+ $openvpn_limited_tcp_netmask = '255.255.248.0'
+ $openvpn_limited_tcp_cidr = '21'
+ $openvpn_limited_udp_network_prefix = '10.44.0'
+ $openvpn_limited_udp_netmask = '255.255.248.0'
+ $openvpn_limited_udp_cidr = '21'
+ }
# deploy ca + server keys
include site_openvpn::keys
- # create 2 openvpn config files, one for tcp, one for udp
- site_openvpn::server_config { 'tcp_config':
- port => '1194',
- proto => 'tcp',
- local => $openvpn_gateway_address,
- server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000'
+ if $openvpn_allow_unlimited and $openvpn_allow_limited {
+ $unlimited_gateway_address = $openvpn_gateway_address
+ $limited_gateway_address = $openvpn_second_gateway_address
+ } elsif $openvpn_allow_unlimited {
+ $unlimited_gateway_address = $openvpn_gateway_address
+ $limited_gateway_address = undef
+ } elsif $openvpn_allow_limited {
+ $unlimited_gateway_address = undef
+ $limited_gateway_address = $openvpn_gateway_address
}
- site_openvpn::server_config { 'udp_config':
- port => '1194',
- proto => 'udp',
- server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}",
- push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"",
- local => $openvpn_gateway_address,
- management => '127.0.0.1 1001'
+
+ if $openvpn_allow_unlimited {
+ site_openvpn::server_config { 'tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1000'
+ }
+ site_openvpn::server_config { 'udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $unlimited_gateway_address,
+ tls_remote => "\"${openvpn_unlimited_prefix}\"",
+ server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1001'
+ }
+ } else {
+ tidy { "/etc/openvpn/tcp_config.conf": }
+ tidy { "/etc/openvpn/udp_config.conf": }
+ }
+
+ if $openvpn_allow_limited {
+ site_openvpn::server_config { 'limited_tcp_config':
+ port => '1194',
+ proto => 'tcp',
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
+ management => '127.0.0.1 1002'
+ }
+ site_openvpn::server_config { 'limited_udp_config':
+ port => '1194',
+ proto => 'udp',
+ local => $limited_gateway_address,
+ tls_remote => "\"${openvpn_limited_prefix}\"",
+ server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
+ push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
+ management => '127.0.0.1 1003'
+ }
+ } else {
+ tidy { "/etc/openvpn/limited_tcp_config.conf": }
+ tidy { "/etc/openvpn/limited_udp_config.conf": }
}
- # add second IP on given interface
- file { '/usr/local/bin/leap_add_second_ip.sh':
- content => "#!/bin/sh
-ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface
-/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
-",
- mode => '0755',
+ file {
+ '/usr/local/bin/add_gateway_ips.sh':
+ content => template('site_openvpn/add_gateway_ips.sh.erb'),
+ mode => '0755';
}
- exec { '/usr/local/bin/leap_add_second_ip.sh':
- subscribe => File['/usr/local/bin/leap_add_second_ip.sh'],
+ exec { '/usr/local/bin/add_gateway_ips.sh':
+ subscribe => File['/usr/local/bin/add_gateway_ips.sh'],
}
- cron { 'leap_add_second_ip.sh':
- command => "/usr/local/bin/leap_add_second_ip.sh",
+ exec { 'restart_openvpn':
+ command => '/etc/init.d/openvpn restart',
+ refreshonly => true,
+ subscribe => File['/etc/openvpn'],
+ require => [ Package['openvpn'], File['/etc/openvpn'] ];
+ }
+
+ cron { 'add_gateway_ips.sh':
+ command => '/usr/local/bin/add_gateway_ips.sh',
user => 'root',
special => 'reboot',
}
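Review bot: When both `allow_unlimited` and `allow_limited` are set but `second_gateway_address` is absent, L1824 assigns `undef` to `$limited_gateway_address`, and the limited daemons at L1865 and L1874 are then declared with `local => undef` on the same port 1194 as the unlimited ones; what `server_config` renders for an undef `local` is not visible, but it will either emit an empty `local` line or bind every address and collide with the unlimited daemon. Guard it before the gateway selection: `if $openvpn_allow_unlimited and $openvpn_allow_limited and !$openvpn_second_gateway_address { fail('openvpn: allow_limited together with allow_unlimited requires second_gateway_address') }`. Also, per OpenVPN's documentation `tls-remote` matches the peer's common name as a prefix, so the header comment should state that `unlimited_prefix` and `limited_prefix` must not be prefixes of each other, otherwise a limited certificate could satisfy the unlimited gateway.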
@@ -63,6 +149,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a
'openvpn':
ensure => installed;
}
+
service {
'openvpn':
ensure => running,
@@ -74,6 +161,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a
file {
'/etc/openvpn':
ensure => directory,
+ notify => Exec['restart_openvpn'],
require => Package['openvpn'];
}
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index d3963c95..dc31767c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,53 @@
class site_openvpn::resolver {
+ if $site_openvpn::openvpn_allow_unlimited {
+ $ensure_unlimited = 'present'
+ file {
+ '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+ } else {
+ $ensure_unlimited = 'absent'
+ tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ }
+
+ if $site_openvpn::openvpn_allow_limited {
+ $ensure_limited = 'present'
+ file {
+ '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+ } else {
+ $ensure_limited = 'absent'
+ tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ }
+
# this is an unfortunate way to get around the fact that the version of
# unbound we are working with does not accept a wildcard include directive
# (/etc/unbound/conf.d/*), when it does, these line definitions should
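Review bot: Each resolver fragment at L1943/L1950/L1967/L1974 binds unbound to the tun gateway address (`interface: <prefix>.1`), an address that only exists while the corresponding openvpn daemon is up; `require => Service['openvpn']` orders the puppet run but says nothing about boot order, so if unbound starts before openvpn has created its interfaces it will presumably fail to bind and exit. Worth a comment stating that dependency and, if the unbound version supports it, whichever option lets it bind to not-yet-present addresses; otherwise an init ordering dependency on openvpn is needed. The `access-control` lines do restrict each listener to its own VPN subnet, which is the right scope for a recursive resolver exposed to clients.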
@@ -7,30 +55,30 @@ class site_openvpn::resolver {
# include: /etc/unbound/conf.d/*
line {
- 'add_tcp_resolver':
- ensure => present,
- file => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
- notify => Service['unbound'];
-
- 'add_udp_resolver':
- ensure => present,
- file => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
- notify => Service['unbound'];
+ 'add_unlimited_tcp_resolver':
+ ensure => $ensure_unlimited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_unlimited_udp_resolver':
+ ensure => $ensure_unlimited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_limited_tcp_resolver':
+ ensure => $ensure_limited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound'];
+ 'add_limited_udp_resolver':
+ ensure => $ensure_limited,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
+ notify => Service['unbound'],
+ require => Package['unbound']
}
- file {
- '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n",
- owner => root, group => root, mode => '0644',
- require => Service['openvpn'],
- notify => Service['unbound'];
-
- '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n",
- owner => root, group => root, mode => '0644',
- require => Service['openvpn'],
- notify => Service['unbound'];
- }
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index de273b46..6106cfbb 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -52,18 +52,29 @@
# note: the default is BF-CBC (blowfish)
#
-define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) {
+define site_openvpn::server_config(
+ $port, $proto, $local, $server, $push,
+ $management, $tls_remote = undef) {
$openvpn_configname = $name
concat {
- "/etc/openvpn/$openvpn_configname.conf":
+ "/etc/openvpn/${openvpn_configname}.conf":
owner => root,
group => root,
mode => 644,
warn => true,
require => File['/etc/openvpn'],
- notify => Service['openvpn'];
+ notify => Exec['restart_openvpn'];
+ }
+
+ if $tls_remote != undef {
+ openvpn::option {
+ "tls-remote $openvpn_configname":
+ key => 'tls-remote',
+ value => $tls_remote,
+ server => $openvpn_configname;
+ }
}
openvpn::option {
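Review bot: The `tls-remote` value emitted by the new `if $tls_remote != undef` branch is matched by OpenVPN as a prefix of the peer's X.509 name, not as an exact string, so a value like `vpn` also accepts a certificate named `vpn-other`; upstream has deprecated the option in favour of `verify-x509-name` for that reason. If the deployed OpenVPN supports it, emit `verify-x509-name <name> name` instead, and otherwise put the caveat next to the option: `# tls-remote is a prefix match on the peer name — pass the complete expected CN`. The concat resource still uses an unquoted `mode => 644` while the rest of this change writes `'0644'`; quoting it avoids the octal ambiguity. The define's body continues past the end of the hunk.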
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
new file mode 100644
index 00000000..05f3d16b
--- /dev/null
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+
+<% if @openvpn_second_gateway_address %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+<% end %>
+
+/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
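Review bot: The idempotency test `ip addr show dev … | grep -q <addr>/24` is neither anchored nor a fixed-string match, so the dots match any character and the pattern also matches a longer neighbouring address such as `110.1.1.1/24`, in which case the gateway address is silently never added; `grep -qF 'inet <%= @openvpn_gateway_address %>/24 '` (or `ip addr show dev … to <addr>/32`) checks the exact address. The unconditional `echo 1 > /proc/sys/net/ipv4/ip_forward` duplicates what `site_shorewall::ip_forward` (included by `site_shorewall::eip` in this change) already manages, so forwarding is now switched on from two places; keep it in one and add `set -e` after the shebang so a failed `ip addr add` does not exit 0.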
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp
index 9fa59569..73bed62b 100644
--- a/puppet/modules/site_shorewall/manifests/couchdb.pp
+++ b/puppet/modules/site_shorewall/manifests/couchdb.pp
@@ -2,16 +2,17 @@ class site_shorewall::couchdb {
include site_shorewall::defaults
- $couchdb_port = '6984'
+ $stunnel = hiera('stunnel')
+ $couch_server = $stunnel['couch_server']
+ $couch_stunnel_port = $couch_server['accept']
# define macro for incoming services
file { '/etc/shorewall/macro.leap_couchdb':
- content => "PARAM - - tcp $couchdb_port",
+ content => "PARAM - - tcp ${couch_stunnel_port}",
notify => Service['shorewall'],
require => Package['shorewall']
}
-
shorewall::rule {
'net2fw-couchdb':
source => 'net',
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp
new file mode 100644
index 00000000..20740650
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp
@@ -0,0 +1,51 @@
+class site_shorewall::couchdb::bigcouch {
+
+ include site_shorewall::defaults
+
+ $stunnel = hiera('stunnel')
+
+ # Erlang Port Mapper Daemon (epmd) stunnel server/clients
+ $epmd_clients = $stunnel['epmd_clients']
+ $epmd_server = $stunnel['epmd_server']
+ $epmd_server_port = $epmd_server['accept']
+ $epmd_server_connect = $epmd_server['connect']
+
+ # Erlang Distributed Node Protocol (ednp) stunnel server/clients
+ $ednp_clients = $stunnel['ednp_clients']
+ $ednp_server = $stunnel['ednp_server']
+ $ednp_server_port = $ednp_server['accept']
+ $ednp_server_connect = $ednp_server['connect']
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_bigcouch':
+ content => "PARAM - - tcp ${epmd_server_port},${ednp_server_port}",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+
+ shorewall::rule {
+ 'net2fw-bigcouch':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_bigcouch(ACCEPT)',
+ order => 300;
+ }
+
+ # setup DNAT rules for each epmd
+ $epmd_shorewall_dnat_defaults = {
+ 'source' => '$FW',
+ 'proto' => 'tcp',
+ 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')
+ }
+ create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults)
+
+ # setup DNAT rules for each ednp
+ $ednp_shorewall_dnat_defaults = {
+ 'source' => '$FW',
+ 'proto' => 'tcp',
+ 'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')
+ }
+ create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults)
+
+}
+
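Review bot: `net2fw-bigcouch` accepts the epmd and Erlang-distribution stunnel ports from the entire `net` zone, and the Erlang distribution protocol hands full control of the node to anyone holding the cookie, so stunnel's certificate check is the only barrier between the Internet and the database cluster. Restrict the source to the cluster peers, whose addresses are already in hiera as the `connect` values of `$epmd_clients`/`$ednp_clients` (`source => "net:${peer_ips}"`), and state in a header comment that the stunnel server side must run with `verify` at least 2 — the client define in this change defaults to `'2'`, the server side is not visible here. The `regsubst` that derives `destinationport` assumes `connect` is `IP:port`; a hostname leaves the string untouched and produces a malformed rule, so a `validate_re` on the hiera value would fail early.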
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp
new file mode 100644
index 00000000..f1bc9acf
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp
@@ -0,0 +1,21 @@
+define site_shorewall::couchdb::dnat (
+ $source,
+ $connect,
+ $connect_port,
+ $accept_port,
+ $proto,
+ $destinationport )
+{
+
+
+ shorewall::rule {
+ "dnat_${name}_${destinationport}":
+ action => 'DNAT',
+ source => $source,
+ destination => "\$FW:127.0.0.1:${accept_port}",
+ proto => $proto,
+ destinationport => $destinationport,
+ originaldest => $connect,
+ order => 200
+ }
+}
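Review bot: `$connect_port` is declared but never used; the rule matches on `$destinationport`, which `site_shorewall::couchdb::bigcouch` derives from the *server's* connect string, so a client entry whose own `connect_port` differs from the server's is accepted by the define and silently not redirected. Either match on the client's port, `destinationport => $connect_port,`, or drop the parameter and say in a comment that every client is expected to use the server's port. A one-line purpose comment would also help, since the name says nothing about direction: `# redirect this host's outbound connections to $connect:$destinationport into the local stunnel client on 127.0.0.1:$accept_port`.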
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index d5639a90..c62c9307 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -1,17 +1,10 @@
class site_shorewall::defaults {
include shorewall
+ include site_config::params
# be safe for development
#if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }
- $ip_address = hiera('ip_address')
- # a special case for vagrant interfaces
- $interface = $::virtual ? {
- virtualbox => [ 'eth0', 'eth1' ],
- default => getvar("interface_${ip_address}")
- }
-
-
# If you want logging:
shorewall::params {
'LOG': value => 'debug';
@@ -19,14 +12,13 @@ class site_shorewall::defaults {
shorewall::zone {'net': type => 'ipv4'; }
-
# define interfaces
- shorewall::interface { $interface:
+ shorewall::interface { $site_config::params::interface:
zone => 'net',
options => 'tcpflags,blacklist,nosmurfs';
}
- shorewall::routestopped { $interface: }
+ shorewall::routestopped { $site_config::params::interface: }
shorewall::policy {
'fw-to-all':
diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp
new file mode 100644
index 00000000..a73294cc
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/dnat.pp
@@ -0,0 +1,19 @@
+define site_shorewall::dnat (
+ $source,
+ $destination,
+ $proto,
+ $destinationport,
+ $originaldest ) {
+
+
+ shorewall::rule {
+ "dnat_${name}_${destinationport}":
+ action => 'DNAT',
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ originaldest => $originaldest,
+ order => 200
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 68f480d8..aa298408 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -2,24 +2,45 @@ define site_shorewall::dnat_rule {
$port = $name
if $port != 1194 {
- shorewall::rule {
- "dnat_tcp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'tcp',
- destinationport => $port,
- order => 100;
+ if $site_openvpn::openvpn_allow_unlimited {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
}
-
- shorewall::rule {
- "dnat_udp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'udp',
- destinationport => $port,
- order => 100;
+ if $site_openvpn::openvpn_allow_limited {
+ shorewall::rule {
+ "dnat_free_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::limited_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+ shorewall::rule {
+ "dnat_free_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::limited_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
}
}
}
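Review bot: With both `openvpn_allow_unlimited` and `openvpn_allow_limited` set, this hunk creates two DNAT rules per port that match identical traffic — `source => 'net'`, same proto, same `destinationport`, same order — and differ only in the target, so whichever is compiled first wins and the limited gateway never receives redirected ports. If the two gateways are reached on different public addresses (this change introduces `openvpn_second_gateway_address` in `add_gateway_ips.sh.erb`), each rule needs `originaldest => $site_openvpn::unlimited_gateway_address` and `originaldest => $site_openvpn::limited_gateway_address` respectively so the match is keyed on the destination IP; if they are not, document which gateway is intended to take the traffic.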
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 4e5a5d48..7109b770 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -1,54 +1,56 @@
class site_shorewall::eip {
include site_shorewall::defaults
+ include site_config::params
include site_shorewall::ip_forward
- $openvpn_config = hiera('openvpn')
- $openvpn_ports = $openvpn_config['ports']
- $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
-
# define macro for incoming services
file { '/etc/shorewall/macro.leap_eip':
content => "PARAM - - tcp 1194
-PARAM - - udp 1194
-",
- notify => Service['shorewall']
+ PARAM - - udp 1194
+ ",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
}
-
shorewall::interface {
'tun0':
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs';
'tun1':
zone => 'eip',
- options => 'tcpflags,blacklist,nosmurfs'
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun2':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun3':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
}
+ shorewall::zone {
+ 'eip':
+ type => 'ipv4';
+ }
- shorewall::zone {'eip':
- type => 'ipv4'; }
+ $interface = $site_config::params::interface
- case $::virtual {
- 'virtualbox': {
- shorewall::masq {
- 'eth0_tcp':
- interface => 'eth0',
- source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
- 'eth0_udp':
- interface => 'eth0',
- source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
- }
- default: {
- $interface = $site_shorewall::defaults::interface
- shorewall::masq {
- "${interface}_tcp":
- interface => $interface,
- source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
-
- "${interface}_udp":
- interface => $interface,
- source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
+ shorewall::masq {
+ "${interface}_unlimited_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}";
+ "${interface}_unlimited_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}";
+ }
+ if ! $::ec2_instance_id {
+ shorewall::masq {
+ "${interface}_limited_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}";
+ "${interface}_limited_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}";
}
}
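Review bot: The `if ! $::ec2_instance_id` guard skips only the masquerade rules for the limited networks, whereas everything else in this change that serves limited clients — `tun2`/`tun3` above, the DNAT rules in `site_shorewall::dnat_rule`, the unbound resolvers — is gated on `openvpn_allow_limited` alone. On an EC2 node with limited enabled, limited clients would get a tunnel whose traffic is forwarded without source NAT; if limited service is simply not offered on EC2, that belongs in how `openvpn_allow_limited` is derived, and otherwise the reason for the asymmetry should be stated in a comment above the conditional. The macro heredoc also gained leading whitespace on the `PARAM - - udp 1194` line and a whitespace-only closing line; Shorewall tolerates that as far as I know, but the original flush-left form was unambiguous.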
@@ -61,15 +63,14 @@ PARAM - - udp 1194
}
shorewall::rule {
- 'net2fw-openvpn':
- source => 'net',
- destination => '$FW',
- action => 'leap_eip(ACCEPT)',
- order => 200;
+ 'net2fw-openvpn':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_eip(ACCEPT)',
+ order => 200;
}
# create dnat rule for each port
- #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
- site_shorewall::dnat_rule { $openvpn_ports: }
+ site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: }
}
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp
index d12bbc8f..a8d2aa5b 100644
--- a/puppet/modules/site_shorewall/manifests/webapp.pp
+++ b/puppet/modules/site_shorewall/manifests/webapp.pp
@@ -2,5 +2,6 @@ class site_shorewall::webapp {
include site_shorewall::defaults
include site_shorewall::service::https
+ include site_shorewall::service::http
include site_shorewall::service::webapp_api
}
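Review bot: Opening plain HTTP from `net` on the webapp host is only acceptable if the port-80 vhost does nothing but redirect to HTTPS, and this hunk cannot show whether that is the case. Record the intent next to the include, `# port 80 is for the HTTPS redirect only — never serve application content in clear`, so a later vhost change does not quietly start serving the app over cleartext.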
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
new file mode 100644
index 00000000..c18f691c
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -0,0 +1,19 @@
+define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
+ # This line allows default homedir based on $title variable.
+ # If $home is empty, the default is used.
+ $homedir = $home ? {'' => "/home/${title}", default => $home}
+ file {
+ "${homedir}/.ssh":
+ ensure => 'directory',
+ owner => $title,
+ group => $title,
+ mode => '0700';
+ "${homedir}/.ssh/authorized_keys":
+ ensure => $ensure,
+ owner => $ensure ? {'present' => $title, default => undef },
+ group => $ensure ? {'present' => $title, default => undef },
+ mode => '0600',
+ require => File["${homedir}/.ssh"],
+ content => template('site_sshd/authorized_keys.erb');
+ }
+}
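Review bot: The `${homedir}/.ssh` resource is unconditional, so calling the define with `ensure => 'absent'` still creates the directory owned by `$title` and fails the run if that user no longer exists; gate it with `ensure => $ensure ? {'present' => 'directory', default => 'absent'}` plus `force => true`, or keep it unconditional and say so in a comment. `$keys` also reaches the template unvalidated: an entry missing `type` or `key` renders a partial line that sshd ignores, which for the root keys deployed by `site_sshd::deploy_authorized_keys` means a silent lock-out instead of a failed Puppet run — `validate_hash($keys)` from the bundled stdlib plus a check that both fields are present would fail loudly.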
diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp
new file mode 100644
index 00000000..97ca058f
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp
@@ -0,0 +1,9 @@
+class site_sshd::deploy_authorized_keys ( $keys ) {
+ tag 'leap_authorized_keys'
+
+ site_sshd::authorized_keys {'root':
+ keys => $keys,
+ home => '/root'
+ }
+
+}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 630e9bdf..90dd2d0e 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1 +1,31 @@
-class site_sshd {}
+class site_sshd {
+ $ssh = hiera_hash('ssh')
+
+ ##
+ ## SETUP AUTHORIZED KEYS
+ ##
+
+ $authorized_keys = $ssh['authorized_keys']
+
+ class { 'site_sshd::deploy_authorized_keys':
+ keys => $authorized_keys
+ }
+
+ ##
+ ## OPTIONAL MOSH SUPPORT
+ ##
+
+ $mosh = $ssh['mosh']
+
+ if $mosh['enabled'] {
+ class { 'site_sshd::mosh':
+ ensure => present,
+ ports => $mosh['ports']
+ }
+ }
+ else {
+ class { 'site_sshd::mosh':
+ ensure => absent
+ }
+ }
+}
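Review bot: `hiera_hash('ssh')` merges the `ssh` hash across every hierarchy level, and with Hiera's default shallow merge a node-level `ssh: {authorized_keys: …}` replaces the whole `authorized_keys` sub-hash while a deep-merge configuration accumulates keys from all levels; because the result becomes root's `authorized_keys`, whether removing a key at one level actually revokes access depends on that setting. State the intended semantics above the lookup, `# hiera_hash: the ssh hash is merged across hierarchy levels — removing a key at one level does not revoke it if another level still lists it`. It is also worth failing when `$authorized_keys` is empty, since an empty hash quietly rewrites root's key file with only the template header.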
diff --git a/puppet/modules/site_sshd/manifests/mosh.pp b/puppet/modules/site_sshd/manifests/mosh.pp
new file mode 100644
index 00000000..49f56ca0
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/mosh.pp
@@ -0,0 +1,21 @@
+class site_sshd::mosh ( $ensure = present, $ports = '60000-61000' ) {
+
+ package { 'mosh':
+ ensure => $ensure
+ }
+
+ file { '/etc/shorewall/macro.mosh':
+ ensure => $ensure,
+ content => "PARAM - - udp ${ports}",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-mosh':
+ ensure => $ensure,
+ source => 'net',
+ destination => '$FW',
+ action => 'mosh(ACCEPT)',
+ order => 200;
+ }
+}
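Review bot: The default `$ports = '60000-61000'` is written into the Shorewall macro verbatim, but Shorewall spells port ranges as `low:high`, so I expect the default — and any hiera value copied from mosh's own documentation in dash form — to fail the Shorewall compile on the next restart; change the default to `'60000:61000'` and add `validate_re($ports, '^[0-9]+(:[0-9]+)?$')` so a bad value fails in Puppet rather than in the firewall. A comment noting that this opens a thousand UDP ports from `net` on every node with mosh enabled would help whoever reviews the hiera data.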
diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp
deleted file mode 100644
index b47b2ebd..00000000
--- a/puppet/modules/site_sshd/manifests/ssh_key.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-define site_sshd::ssh_key($key) {
- # ... todo: deploy ssh_key
-}
diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb
new file mode 100644
index 00000000..3c65e8ab
--- /dev/null
+++ b/puppet/modules/site_sshd/templates/authorized_keys.erb
@@ -0,0 +1,6 @@
+# NOTICE: This file is autogenerated by Puppet
+# all manually added keys will be overridden
+
+<% keys.sort.each do |user, hash| -%>
+<%=hash['type']-%> <%=hash['key']%> <%=user%>
+<% end -%>
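Review bot: The template has no place for per-key options, so every key deployed through it — including the root keys from `site_sshd::deploy_authorized_keys` — is unrestricted; accepting an optional `options` field, `<%= hash['options'] ? hash['options'] + ' ' : '' %><%=hash['type']-%> …`, lets operators attach `from=`, `no-port-forwarding` or `command=` to automation keys. `hash['key']` is also emitted raw, so a value containing a newline becomes an additional key line; the define should check it is a single base64 token before it gets here.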
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
new file mode 100644
index 00000000..ed766e1a
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -0,0 +1,26 @@
+define site_stunnel::clients (
+ $accept_port,
+ $connect_port,
+ $connect,
+ $cafile,
+ $key,
+ $cert,
+ $client = true,
+ $verify = '2',
+ $pid = $name,
+ $rndfile = '/var/lib/stunnel4/.rnd',
+ $debuglevel = '4' ) {
+
+ stunnel::service { $name:
+ accept => "127.0.0.1:${accept_port}",
+ connect => "${connect}:${connect_port}",
+ client => $client,
+ cafile => $cafile,
+ key => $key,
+ cert => $cert,
+ verify => $verify,
+ pid => "/var/run/stunnel4/${pid}.pid",
+ rndfile => $rndfile,
+ debuglevel => $debuglevel
+ }
+}
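Review bot: `$verify = '2'` makes stunnel check that the peer certificate chains to `$cafile`, not who the peer is, so with a shared provider CA any node certificate signed by that CA is accepted as the couch server by every client created here; if the same CA signs certificates for other node roles, a compromised node of another role can impersonate the database. Document the trust assumption in a header comment, `# verify 2: any certificate issued by $cafile's CA is accepted — that CA must sign node certificates only`, and where the peer is a single known host consider `verify => '3'` with the expected peer certificate installed, or the peer-name check of a newer stunnel if the deployed version supports it.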
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
new file mode 100644
index 00000000..c7d6acc6
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -0,0 +1,17 @@
+class site_stunnel {
+
+ # include the generic stunnel module
+ # increase the number of open files to allow for 800 connections
+ class { 'stunnel': default_extra => 'ulimit -n 4096' }
+
+ # The stunnel.conf provided by the Debian package is broken by default
+ # so we get rid of it and just define our own. See #549384
+ if !defined(File['/etc/stunnel/stunnel.conf']) {
+ file {
+ # this file is a broken config installed by the package
+ '/etc/stunnel/stunnel.conf':
+ ensure => absent;
+ }
+ }
+}
+
diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp
new file mode 100644
index 00000000..92eeb425
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/setup.pp
@@ -0,0 +1,24 @@
+class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) {
+
+ include site_stunnel
+
+ x509::key {
+ $cert_name:
+ content => $key,
+ notify => Service['stunnel'];
+ }
+
+ x509::cert {
+ $cert_name:
+ content => $cert,
+ notify => Service['stunnel'];
+ }
+
+ x509::ca {
+ $ca_name:
+ content => $ca,
+ notify => Service['stunnel'];
+ }
+
+}
+
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index ceb6fb13..50ab636b 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -15,6 +15,7 @@ class site_tor {
address => $address,
contact_info => $contact_email,
bandwidth_rate => $bandwidth_rate,
+ my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050',
}
tor::daemon::directory { $::hostname: port => 80 }
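Review bot: `my_family` is a single hard-coded fingerprint applied to every node that includes `site_tor`, so all relays declare family with that one relay only, and since Tor only honours a family when both sides list each other, two provider relays that are not that one end up with no family relationship at all; the literal also goes stale silently if that relay is ever re-keyed. Source the full list of provider relay fingerprints from hiera instead of a literal, and leave a comment naming which relay the fingerprint belongs to. The hunk ends inside `class site_tor`.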
diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents
new file mode 100644
index 00000000..6e24aa5b
--- /dev/null
+++ b/puppet/modules/site_webapp/files/migrate_design_documents
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+cd /srv/leap/webapp
+
+# use admin credentials
+cp config/couchdb.yml.admin config/couchdb.yml
+chown leap-webapp:leap-webapp config/couchdb.yml
+
+# needs to be run twice
+RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
+RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
+
+# use user credentials and remove admin credentials
+cp config/couchdb.yml.webapp config/couchdb.yml
+chown leap-webapp:leap-webapp config/couchdb.yml
+
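Review bot: Nothing restores the webapp credentials if either `rake couchrest:migrate` run fails — there is no `set -e` and no trap — so an aborted run leaves `config/couchdb.yml` holding the CouchDB admin password for the application process, and because `couchdb.yml` itself is no longer a managed file in this change (only the `.admin` and `.webapp` copies are), Puppet will not put it back. `cp` also creates the destination with umask permissions when it does not exist yet, so the copy carrying admin credentials can end up world-readable although both sources are `0600`. Use `set -e`, an `EXIT` trap that always reinstates the webapp copy, and a `chmod 0600` after each copy.
```shell
#!/bin/sh
set -eu
cd /srv/leap/webapp

# always fall back to the least-privileged credentials, even when a rake run fails
restore_webapp_credentials() {
  cp config/couchdb.yml.webapp config/couchdb.yml
  chown leap-webapp:leap-webapp config/couchdb.yml
  chmod 0600 config/couchdb.yml
}
trap restore_webapp_credentials EXIT

# use admin credentials
cp config/couchdb.yml.admin config/couchdb.yml
chown leap-webapp:leap-webapp config/couchdb.yml
chmod 0600 config/couchdb.yml

# … unchanged: the two RAILS_ENV=production rake couchrest:migrate runs …
```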
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 554b9147..8b340160 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -12,8 +12,7 @@ class site_webapp::apache {
$api_cert = $x509['cert']
$api_root = $x509['ca_cert']
- $apache_no_default_site = true
- include apache::ssl
+ class { '::apache': no_default_site => true, ssl => true }
apache::module {
'alias': ensure => present;
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 6cac666f..b4ef0980 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,16 +1,79 @@
class site_webapp::couchdb {
- $webapp = hiera('webapp')
- $couchdb_host = $webapp['couchdb_hosts']
- $couchdb_user = $webapp['couchdb_user']['username']
- $couchdb_password = $webapp['couchdb_user']['password']
+ $webapp = hiera('webapp')
+ # haproxy listener on port localhost:4096, see site_webapp::haproxy
+ $couchdb_host = 'localhost'
+ $couchdb_port = '4096'
+ $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
+ $couchdb_admin_password = $webapp['couchdb_admin_user']['password']
+ $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
+ $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
+
+ $stunnel = hiera('stunnel')
+ $couch_client = $stunnel['couch_client']
+ $couch_client_connect = $couch_client['connect']
+
+ include x509::variables
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $ca = $x509['ca_cert']
+ $cert_name = 'leap_couchdb'
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
file {
- '/srv/leap-webapp/config/couchdb.yml':
+ '/srv/leap/webapp/config/couchdb.yml.admin':
+ content => template('site_webapp/couchdb.yml.admin.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/srv/leap/webapp/config/couchdb.yml.webapp':
content => template('site_webapp/couchdb.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/srv/leap/webapp/logs/production.log':
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0666',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/usr/local/sbin/migrate_design_documents':
+ source => 'puppet:///modules/site_webapp/migrate_design_documents',
+ owner => root,
+ group => root,
+ mode => '0744';
+ }
+
+ class { 'site_stunnel::setup':
+ cert_name => $cert_name,
+ key => $key,
+ cert => $cert,
+ ca_name => $ca_name,
+ ca => $ca
+ }
+
+ exec { 'migrate_design_documents':
+ cwd => '/srv/leap/webapp',
+ command => '/usr/local/sbin/migrate_design_documents',
+ require => Exec['bundler_update'],
+ notify => Service['apache'];
+ }
+
+ $couchdb_stunnel_client_defaults = {
+ 'connect_port' => $couch_client_connect,
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
}
+ create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
}
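Review bot: `/srv/leap/webapp/logs/production.log` is created `0666`, so any local account can append to or truncate the application log; if the reason is that Apache runs as a different user than `leap-webapp`, grant that group instead (`group => 'www-data', mode => '0664'` — confirm the actual Apache user on these nodes) rather than world-writable. The `migrate_design_documents` exec has no `refreshonly`, `unless` or `creates`, so on every Puppet run it swaps the admin credentials into the live `couchdb.yml` and restarts Apache; `refreshonly => true` with `subscribe => Vcsrepo['/srv/leap/webapp']` confines it to deploys, which is when design documents can actually change.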
diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp
new file mode 100644
index 00000000..4a7e3c25
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/haproxy.pp
@@ -0,0 +1,14 @@
+class site_webapp::haproxy {
+
+ include site_haproxy
+
+ $haproxy = hiera('haproxy')
+ $local_ports = $haproxy['local_ports']
+
+ # Template uses $global_options, $defaults_options
+ concat::fragment { 'leap_haproxy_webapp_couchdb':
+ target => '/etc/haproxy/haproxy.cfg',
+ order => '20',
+ content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index e8134521..e743dc07 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -3,20 +3,19 @@ class site_webapp {
$definition_files = hiera('definition_files')
$provider = $definition_files['provider']
$eip_service = $definition_files['eip_service']
+ $soledad_service = $definition_files['soledad_service']
+ $smtp_service = $definition_files['smtp_service']
$node_domain = hiera('domain')
$provider_domain = $node_domain['full_suffix']
$webapp = hiera('webapp')
+ $api_version = $webapp['api_version']
+ $secret_token = $webapp['secret_token']
- Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
-
- class { 'ruby': ruby_version => '1.9.3' }
-
- class { 'bundler::install': install_method => 'package' }
-
- include rubygems
+ include site_config::ruby
include site_webapp::apache
include site_webapp::couchdb
include site_webapp::client_ca
+ include site_webapp::haproxy
group { 'leap-webapp':
ensure => present,
@@ -28,19 +27,20 @@ class site_webapp {
allowdupe => false,
gid => 'leap-webapp',
groups => 'ssl-cert',
- home => '/srv/leap-webapp',
+ home => '/srv/leap/webapp',
require => [ Group['leap-webapp'] ];
}
- file { '/srv/leap-webapp':
+ file { '/srv/leap/webapp':
ensure => directory,
owner => 'leap-webapp',
group => 'leap-webapp',
require => User['leap-webapp'];
}
- vcsrepo { '/srv/leap-webapp':
+ vcsrepo { '/srv/leap/webapp':
ensure => present,
+ force => true,
revision => 'origin/master',
provider => git,
source => 'git://code.leap.se/leap_web',
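Review bot: `force => true` on a checkout that tracks `origin/master` means every Puppet run discards local state and deploys whatever `master` currently points to, fetched over the unauthenticated `git://` transport on the unchanged `source` line, so the web application on every node is only as trustworthy as the network path to `code.leap.se`. Pin `revision` to a tag or commit id supplied from hiera and use an authenticated transport (`https://` or `ssh` with a pinned host key); if `force` exists only to recover from a dirty working tree, say so in a comment above it. The class body continues outside the hunk.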
@@ -51,17 +51,17 @@ class site_webapp {
}
exec { 'bundler_update':
- cwd => '/srv/leap-webapp',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ cwd => '/srv/leap/webapp',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
unless => '/usr/bin/bundle check',
user => 'leap-webapp',
timeout => 600,
- require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ],
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ],
notify => Service['apache'];
}
exec { 'compile_assets':
- cwd => '/srv/leap-webapp',
+ cwd => '/srv/leap/webapp',
command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"',
user => 'leap-webapp',
require => Exec['bundler_update'],
@@ -69,47 +69,72 @@ class site_webapp {
}
file {
- '/srv/leap-webapp/public/provider.json':
+ '/srv/leap/webapp/public/provider.json':
content => $provider,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
- '/srv/leap-webapp/public/ca.crt':
+ '/srv/leap/webapp/public/ca.crt':
ensure => link,
+ require => Vcsrepo['/srv/leap/webapp'],
target => '/usr/local/share/ca-certificates/leap_api.crt';
- '/srv/leap-webapp/public/config':
+ "/srv/leap/webapp/public/${api_version}":
ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0755';
- '/srv/leap-webapp/public/config/eip-service.json':
+ "/srv/leap/webapp/public/${api_version}/config/":
+ ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
+
+ "/srv/leap/webapp/public/${api_version}/config/eip-service.json":
content => $eip_service,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
- }
- try::file {
- '/srv/leap-webapp/public/favicon.ico':
- ensure => 'link',
- target => $webapp['favicon'];
-
- '/srv/leap-webapp/app/assets/stylesheets/tail.scss':
- ensure => 'link',
- target => $webapp['tail_scss'];
+ "/srv/leap/webapp/public/${api_version}/config/soledad-service.json":
+ content => $soledad_service,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
- '/srv/leap-webapp/app/assets/stylesheets/head.scss':
- ensure => 'link',
- target => $webapp['head_scss'];
+ "/srv/leap/webapp/public/${api_version}/config/smtp-service.json":
+ content => $smtp_service,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+ }
- '/srv/leap-webapp/public/img':
- ensure => 'link',
- target => $webapp['img_dir'];
+ try::file {
+ '/srv/leap/webapp/public/favicon.ico':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['favicon'];
+
+ '/srv/leap/webapp/app/assets/stylesheets/tail.scss':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['tail_scss'];
+
+ '/srv/leap/webapp/app/assets/stylesheets/head.scss':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['head_scss'];
+
+ '/srv/leap/webapp/public/img':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['img_dir'];
}
file {
- '/srv/leap-webapp/config/config.yml':
+ '/srv/leap/webapp/config/config.yml':
content => template('site_webapp/config.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'],
+ notify => Service['apache'];
}
include site_shorewall::webapp
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 9cf85f0c..df562cd9 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,5 +1,15 @@
+<%- cert_options = @webapp['client_certificates'] -%>
production:
admins: [admin]
domain: <%= @provider_domain %>
client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+ secret_token: "<%= @secret_token %>"
+ client_cert_lifespan: <%= cert_options['life_span'].to_i %>
+ client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
+ client_cert_hash: <%= cert_options['digest'] %>
+ allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
+ allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
+ allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
+ limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
+ unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
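Review bot: `secret_token` and the two prefixes are emitted inside hand-written double quotes, so a value containing `"` or `\` produces invalid YAML, while the boolean lines in the same hunk already use `.inspect`; render the strings the same way — `secret_token: <%= @secret_token.inspect %>` — so an operator-chosen token with punctuation cannot break the application's config. `client_cert_hash` and `client_cert_bit_size` are passed through unchecked; a comment giving the accepted digest names and the minimum key size the provider expects would help the hiera author.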
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
@@ -0,0 +1,9 @@
+production:
+ prefix: ""
+ protocol: 'http'
+ host: <%= @couchdb_host %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_admin_user %>
+ password: <%= @couchdb_admin_password %>
+
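Review bot: `password: <%= @couchdb_admin_password %>` interpolates the admin credential as a bare YAML scalar, so a generated password containing `#`, `: `, a leading `*`/`&`/`!` or similar will be truncated or fail to parse, and the failure mode is an authentication error rather than a template error. Emit it as a single-quoted scalar with embedded quotes doubled, which is valid for any byte string: `password: '<%= @couchdb_admin_password.to_s.gsub("'", "''") %>'`, and treat `username` the same way. The file mode for this rendered admin config is set outside this hunk and could not be checked here; it should be at least as tight as the 0600 used for config.yml.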
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index ee521713..2bef0af5 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -1,8 +1,9 @@
production:
prefix: ""
- protocol: 'https'
+ protocol: 'http'
host: <%= @couchdb_host %>
- port: 6984
- username: <%= @couchdb_user %>
- password: <%= @couchdb_password %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_webapp_user %>
+ password: <%= @couchdb_webapp_password %>
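Review bot: The hunk changes the webapp's CouchDB connection from `https` on 6984 to plain `http` on `@couchdb_port`, so the webapp credentials and all database traffic now go over cleartext unless `@couchdb_host` resolves to a local proxy; the new haproxy template in this commit binds `localhost:4096` and a stunnel submodule is added, which suggests that is the intent, but the template itself does not enforce it. Document the assumption in the template so a later change to `@couchdb_host` does not silently reintroduce cleartext over the network, e.g. a line `# plaintext http is only acceptable because host is the local haproxy/stunnel endpoint; do not point this at a remote couchdb` above `protocol: 'http'`. As in the admin template, `password:` is an unquoted YAML scalar and should be single-quoted with embedded quotes doubled: `password: '<%= @couchdb_webapp_password.to_s.gsub("'", "''") %>'`.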
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
new file mode 100644
index 00000000..f08161ee
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
@@ -0,0 +1,16 @@
+
+listen bigcouch-in
+ mode http
+ balance roundrobin
+ option httplog
+ option dontlognull
+ option httpchk GET /
+ option http-server-close
+
+ bind localhost:4096
+<% for port in @local_ports -%>
+ server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
+<% end -%>
+
+
+
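Review bot: The `listen bigcouch-in` section declares no `timeout connect`/`timeout client`/`timeout server`, and haproxy logs a "missing timeouts for proxy" warning for exactly this shape; without them a stalled backend or a client that stops reading holds the connection and its backend slot open indefinitely, which is an easy resource-exhaustion path even on a loopback-only listener. `bind localhost:4096` also depends on how the resolver orders 127.0.0.1 and ::1 for `localhost`; binding the literal loopback address is deterministic and keeps the intent (local-only) explicit. `fall 1` takes a backend out of rotation on a single failed check, which is aggressive for a 3s interval and may flap under load; consider `fall 3` unless the single-failure behaviour is deliberate.

```haproxy
listen bigcouch-in
  mode http
  # … unchanged: balance / option lines …
  timeout connect 5s
  timeout client  60s
  timeout server  60s

  bind 127.0.0.1:4096
  # … unchanged: server lines from @local_ports …
```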
diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib
-Subproject 2df66c041109ecca1099bf3977657572cc32ad2
+Subproject 66e0fa8f1bc5062e9d753598ad17602c378a299
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
new file mode 160000
+Subproject fc1589a5f09d80f58d730d4e1f6a8058483f61f
diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp
index 406c0b7a..47a8c269 100644
--- a/puppet/modules/try/manifests/file.pp
+++ b/puppet/modules/try/manifests/file.pp
@@ -18,7 +18,10 @@ define try::file (
file { "$name":
ensure => $ensure,
target => $target,
- require => Exec["check_${name}"],
+ require => $require ? {
+ undef => Exec["check_${name}"],
+ default => [ $require, Exec["check_${name}"] ]
+ },
loglevel => info;
}
}
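Review bot: The same `$require ? { undef => …, default => [ $require, … ] }` selector is repeated in this hunk and in the two `exec` resources below, so the three copies can drift (they already differ in whether `Exec["check_${name}"]` is included). Compute it once near the top of the define, e.g. `$restore_requires = $require ? { undef => undef, default => [ $require ] }`, and reference that variable in each resource; the `file` resource can then use `[ $restore_requires, Exec["check_${name}"] ]`. If a caller passes an array as `$require`, `[ $require, Exec[...] ]` nests it; Puppet flattens relationship metaparams in the versions I am aware of, but that is worth confirming against the Puppet version this module targets. The `try::file` define begins outside this hunk.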
@@ -37,6 +40,10 @@ define try::file (
exec { "restore_${name}":
command => $command,
cwd => $file_dirname,
+ require => $require ? {
+ undef => undef,
+ default => [ $require ]
+ },
loglevel => info;
}
} else {
@@ -44,6 +51,10 @@ define try::file (
unless => "/usr/bin/test -e '${target}'",
command => $command,
cwd => $file_dirname,
+ require => $require ? {
+ undef => undef,
+ default => [ $require ]
+ },
loglevel => info;
}
}
diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo
-Subproject 04851c28b12973c679fc9f234fd0f5a193df9d7
+Subproject 4db1120c78763f5244dc6c9d2e0d064a6ef363e