From b7c03c7cac3d3b04dade4086f416f1305c946830 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:24:29 +0100 Subject: include site_mx --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- puppet/modules/couchdb | 2 +- puppet/modules/stunnel | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e diff --git a/puppet/modules/apt b/puppet/modules/apt index 1a72a996..6bf7a6ab 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee +Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..7b6c9a29 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index fc1589a5..75d387fc 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc +Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 -- cgit v1.2.3 From 3da143db6a4369f09c513d95aeea6eb119f2c9f2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:27:45 +0100 Subject: added submodule postfix from git://labs.riseup.net/shared-postfix --- .gitmodules | 3 +++ puppet/modules/postfix | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/postfix diff --git a/.gitmodules b/.gitmodules index 717ae5ed..b84dfef2 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -73,3 +73,6 @@ [submodule "puppet/modules/haproxy"] path = puppet/modules/haproxy url = git://code.leap.se/puppet_haproxy +[submodule "puppet/modules/postfix"] + path = puppet/modules/postfix + url = git://labs.riseup.net/shared-postfix diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..881a59ac --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 -- cgit v1.2.3 From 1d1afa65b9072cbc59b45d2fcdc77707e31a97ae Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:42:17 +0100 Subject: added site_mx --- puppet/modules/site_mx/manifests/init.pp | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/init.pp diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp new file mode 100644 index 00000000..f7f358ce --- /dev/null +++ b/puppet/modules/site_mx/manifests/init.pp @@ -0,0 +1,3 @@ +class site_mx { + include site_postfix::mx +} -- cgit v1.2.3 From 4ceba14f444e41dc7dcc9f2176f4bf464f5286cd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 17:16:09 +0100 Subject: shorewall rules for site_mx --- puppet/modules/site_shorewall/manifests/mx.pp | 24 ++++++++++++++++++++++ .../site_shorewall/manifests/service/smtp.pp | 13 ++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp new file mode 100644 index 00000000..5ec95fdd --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/mx.pp 
@@ -0,0 +1,24 @@ +class site_shorewall::mx { + + include site_shorewall::defaults + + $smtpd_ports = '25' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_mx': + content => "PARAM - - tcp ${smtpd_ports} ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + + shorewall::rule { + 'net2fw-mx': + source => 'net', + destination => '$FW', + action => 'leap_mx(ACCEPT)', + order => 200; + } + + include site_shorewall::service::smtp +} diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp new file mode 100644 index 00000000..7fbdf14e --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::smtp { + + include site_shorewall::defaults + + shorewall::rule { + 'fw2net-http': + source => '$FW', + destination => 'net', + action => 'SMTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From c1e55fde49858c1bc9cf0da129a3b7df91cf9899 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:15:45 +0100 Subject: include shorewall rules for site_mx --- puppet/modules/site_mx/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index f7f358ce..4b2db215 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,3 +1,7 @@ class site_mx { + tag 'leap_service' + include site_postfix::mx + include site_shorewall::mx + include site_shorewall::service::smtp } -- cgit v1.2.3 From db5fd91d32b215eb9827e36e2a51c98af993ab99 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:16:13 +0100 Subject: added basic site_postfix::mx config --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx.pp 
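Review bot: The rule in site_shorewall::service::smtp is titled `'fw2net-http'` while its action is `SMTP(ACCEPT)`, so the title misdescribes the outbound SMTP rule, and since Puppet resource titles are global it would collide with any genuine `fw2net-http` rule another site_shorewall class declares on the same node. Rename it to `'fw2net-smtp'`. A one-line comment above the rule, e.g. `# outbound delivery from the MX to the net`, would also help, as the class is otherwise undocumented.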
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp new file mode 100644 index 00000000..9104c2cb --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -0,0 +1,16 @@ +class site_postfix::mx { + + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + + # see https://leap.se/code/issues/1936 for contact email addr + #$root_mail_recipient = '' + $postfix_smtp_listen = 'all' + + postfix::config { + # just en example + 'delay_warning_time': value => '4h'; + } + + include ::postfix +} -- cgit v1.2.3 From 424dcefa2ab51a2185935b11d910bd2dbab8d1fb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:35:37 +0200 Subject: added site_mx::haproxy --- puppet/modules/site_mx/manifests/haproxy.pp | 14 ++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/haproxy.pp diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp new file mode 100644 index 00000000..988eeaf3 --- /dev/null +++ b/puppet/modules/site_mx/manifests/haproxy.pp @@ -0,0 +1,14 @@ +class site_mx::haproxy { + + include site_haproxy + + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] + + # Template uses $global_options, $defaults_options + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4b2db215..8c8b8d7e 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,7 @@ class site_mx { tag 'leap_service' include site_postfix::mx + include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp } -- cgit v1.2.3 
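Review bot: The fragment in site_mx::haproxy is titled `'leap_haproxy_webapp_couchdb'` and renders `site_webapp/haproxy_couchdb.cfg.erb`, borrowing both the title and the template of the webapp module. If a node carries both the webapp and mx services and site_webapp declares a fragment under the same title, the catalog fails with a duplicate declaration; an mx-specific title such as `'leap_haproxy_mx_couchdb'` avoids that. The comment `# Template uses $global_options, $defaults_options` does not match this class, which sets only `$haproxy` and `$local_ports`; it should name what the template actually reads here (presumably `$local_ports` — verify against the template) or be dropped.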
From 15d19dfb940ca0ac55f0f92356aab7fe58aa9dba Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:46:13 +0200 Subject: added provider_base/services/mx.json --- provider_base/services/mx.json | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 provider_base/services/mx.json diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json new file mode 100644 index 00000000..61ae0db9 --- /dev/null +++ b/provider_base/services/mx.json @@ -0,0 +1,8 @@ +{ + "stunnel": { + "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" + }, + "haproxy": { + "local_ports": "= stunnel.couch_client.field(:accept_port)" + } +} -- cgit v1.2.3 From 67e98211f7414bfd8986ef2be1bcf9e5d5be406f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 9 ++++++++ puppet/modules/site_mx/manifests/couchdb.pp | 35 +++++++++++++++++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 45 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/couchdb.pp diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 61ae0db9..949374ad 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -4,5 +4,14 @@ }, "haproxy": { "local_ports": "= stunnel.couch_client.field(:accept_port)" + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } 
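Review bot: The new `x509` block ships `client_ca_key` (via `file_path :client_ca_key`) to every mx node, which puts the private key of the client CA on an internet-facing mail host. Nothing visible in this series reads it: verifying client certificates needs only `client_ca_cert`. Unless another mx component signs certificates locally, drop `"client_ca_key"` from this stanza so the CA key stays off the MX; if it is genuinely needed, a comment naming the consumer would document the exception.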
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp new file mode 100644 index 00000000..f842ceab --- /dev/null +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -0,0 +1,35 @@ +class site_mx::couchdb { + + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variables + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca_name => $ca_name, + ca => $ca + } + + $couchdb_stunnel_client_defaults = { + 'connect_port' => $couch_client_connect, + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 8c8b8d7e..86ae56e1 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,4 +5,5 @@ class site_mx { include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp + include site_mx::couchdb } -- cgit v1.2.3 From 886551dfd2e6eb7dc51d15ebbd6393198dfde78f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 17:28:40 +0200 Subject: hiera variable mx.contact -> postfix $root_mail_recipient --- provider_base/services/mx.json | 3 +++ puppet/modules/site_postfix/manifests/mx.pp | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 949374ad..b15bfbc8 100644 
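Review bot: `$couchdb_stunnel_client_defaults` in site_mx::couchdb sets `'cafile'` and `'client' => true` but no verification level, and stunnel ignores `CAfile` unless `verify` is 2 or higher, so the couchdb server certificate may go unverified unless `site_stunnel::clients` adds `verify` on its own (not visible here — worth confirming). If it does not, add `'verify' => '2',` to the defaults next to `'cafile'` so the pinned CA actually constrains the peer. Separately, `create_resources(site_stunnel::clients, $couch_client, ...)` receives the same hash from which `$couch_client['connect']` was read; if `connect` is a scalar sibling of the per-node entries, create_resources will try to instantiate a resource titled `connect` with a non-hash body, so either confirm the hiera shape or strip that key from a copy first.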
--- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -1,4 +1,7 @@ { + "mx": { + "contact": "= global.provider.contacts.default" + }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" }, diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 9104c2cb..15449001 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -1,10 +1,10 @@ class site_postfix::mx { - $domain_hash = hiera ('domain') - $domain = $domain_hash['full_suffix'] + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + $mx_hash = hiera('mx') - # see https://leap.se/code/issues/1936 for contact email addr - #$root_mail_recipient = '' + $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' postfix::config { -- cgit v1.2.3 From d14758f02a6a7d2b8675ea538692bba44b72689d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 15449001..4bab7722 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -8,8 +8,46 @@ class site_postfix::mx { $postfix_smtp_listen = 'all' postfix::config { - # just en example - 'delay_warning_time': value => '4h'; + 'mydestination': + value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'smtpd_recipient_restrictions': + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; + } + + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, } include ::postfix -- cgit v1.2.3 From 997ab7fb2303da86ee27cb781ba6b74d4a2e89a6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 16:27:43 +0200 Subject: no need to import common anymore --- puppet/manifests/site.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..327b6a67 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] } include stdlib -import 'common' include site_config::default include site_config::slow -- cgit v1.2.3 From 9159f1e023e0f38bb9b8bdcfb69f77823184f6ec Mon Sep 17 00:00:00 2001 
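Review bot: `user { 'vmail': ... }` is declared twice in this hunk with identical bodies, which Puppet rejects as a duplicate declaration at catalog compile time; delete the second block. On the recipient map, the comment `# for now, accept all mail` with the entry `@${domain} vmail` makes the `check_recipient_access` lookup return `vmail` as its result, which is not a Postfix access action; if the intent is to accept every recipient in the domain the map value should be `OK`, while the mapping to vmail belongs only in /etc/postfix/virtual, which the `postfix::virtual` resource below already provides. The enclosing class starts and ends outside the hunk.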
From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index b15bfbc8..ab46960d 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -17,4 +17,15 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } +} + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" + } } -- cgit v1.2.3 From bb559881644c8207a7d2791655f535cf9bcd61be Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/postfix | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 881a59ac..8e43dc85 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 +Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4bab7722..2bf844bf 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
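Review bot: After this hunk mx.json is no longer valid JSON: the root object is closed by the context `}` plus the added `}`, and then a stray `},` and a second `"x509"` object follow. The hunk's own context lines already show the tail of the existing x509 block, so this looks like the stanza being appended a second time. Drop the added lines entirely; the file already contains the intended x509 configuration.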
@@ -42,13 +42,8 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, + class { 'postfix': + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all' } - - include ::postfix } -- cgit v1.2.3 From f242bcefaeae008083c0281f3103b67d31264e4f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:08:18 +0200 Subject: fixed provider_base/services/mx.json syntax --- provider_base/services/mx.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index ab46960d..b15bfbc8 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -17,15 +17,4 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } -} - }, - "x509": { - "use": true, - "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", - "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", - "commercial_key": "= file [:commercial_key, domain.full_suffix]", - "commercial_ca_cert": "= try_file :commercial_ca_cert" - } } -- cgit v1.2.3 From adc12547c53639fe9cf97157d05e2b401dc7c9c3 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2bf844bf..82536b80 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
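Review bot: `class { 'postfix': ... smtp_listen => 'all' }` now passes the listen setting as a parameter, so the `$postfix_smtp_listen = 'all'` assignment earlier in site_postfix::mx (outside this hunk, visible as context in the earlier hunks) is no longer read by anything visible; remove it or use it as `smtp_listen => $postfix_smtp_listen,` so the value is defined once. Binding smtpd to all interfaces is expected for an MX, and a comment such as `# public MX: smtpd must answer on the external interface` next to the parameter would record that intent. The enclosing class starts outside the hunk.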
@@ -11,28 +11,15 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; - 'mailbox_size_limit': - value => '0'; - 'home_mailbox': - value => 'Maildir/'; - 'virtual_alias_maps': - value => 'hash:/etc/postfix/virtual'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From e6c4f16351be546985432bf865d123a82024b9ae Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 82536b80..72c38ab1 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
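Review bot: `'local_recipient_maps': value => ''` together with `'luser_relay': value => 'vmail'` switches off Postfix's own unknown-recipient rejection for every domain in `mydestination`, so acceptance at RCPT now rests solely on the `check_recipient_access tcp:localhost:2244` lookup, and with `mailbox_size_limit` at `0` there is no per-mailbox cap on what the catch-all vmail spool can accumulate. That may well be intended, but it should be stated above the `postfix::config` block, e.g. `# recipient validity is decided by the resolver on tcp:localhost:2244; local_recipient_maps is empty on purpose`. It is also worth noting in the same comment that a `tcp:` table lookup fails temporarily when the resolver is down, so mail is deferred rather than accepted or bounced. The enclosing class starts and ends outside the hunk.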
@@ -17,9 +17,10 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; + #'debug_peer_list': value => '127.0.0.1'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp new file mode 100644 index 00000000..e46bc149 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -0,0 +1,8 @@ +class site_postfix::mx::smtpd_checks { + + postfix::config { + 'smtpd_data_restrictions': + value => 'permit_mynetworks, reject_unauth_pipelining, permit' + } + +} -- cgit v1.2.3 From a1dc911c792e963cd814154a24a60dfaf147ecdc Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Apr 2013 14:06:38 +0200 Subject: smtpd_checks: smtpd_delay_reject --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index e46bc149..b2f2d7c2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,8 +1,9 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_delay_reject': value => 'yes'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit' + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; } } -- cgit v1.2.3 From de4bdcddc33bd9aa2fc883ccef63f7c13543bb23 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:39:37 +0200 Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 72c38ab1..a625cdcd 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,7 +11,7 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; -- cgit v1.2.3 From bcb165f6ed09dd51cc7b534a1fa5aafde21e3703 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:40:13 +0200 Subject: beginning of smtp_auth config with client certs --- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp new file mode 100644 index 00000000..ab75130e --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -0,0 +1,10 @@ +class site_postfix::mx::smtp_auth { + $x509 = hiera('x509') + + postfix::config { + 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; + 'smtpd_tls_key_file': value => $x509['client_ca_key']; + 'smtpd_tls_ask_ccert': value => 'yes'; + #'smtpd_tls_CAfile': value => + } +} -- cgit v1.2.3 From ff813f6da042e66b38a0c4c19df6956bdd5ca9c3 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:39:56 +0200 Subject: updated submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt 
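Review bot: `permit_tls_all_clientcerts` is appended after `reject_unauth_destination` in `smtpd_recipient_restrictions`, but Postfix evaluates a restriction list left to right and stops at the first match, so a client with a verified certificate is still rejected for relaying before the permit is reached — the new entry only permits what was already acceptable. If the goal is to let certificate-authenticated clients relay, it must precede the reject: `value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';`. Since `permit_tls_all_clientcerts` trusts every certificate that verifies against `smtpd_tls_CAfile`, that file must contain only the provider's client CA. The enclosing class starts and ends outside the hunk.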
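Review bot: site_postfix::mx::smtp_auth sets `smtpd_tls_cert_file`/`smtpd_tls_key_file` from `$x509['client_ca_cert']` and `$x509['client_ca_key']`, i.e. it presents the client CA's certificate as the server identity and loads the CA's private key into smtpd. The server should use the node's own key and certificate here, and the client CA belongs in `smtpd_tls_CAfile` (the commented-out line), which is what `smtpd_tls_ask_ccert` needs in order to verify anything. With no CAfile configured, asking for a client certificate verifies nothing, so `permit_tls_all_clientcerts` in mx.pp cannot match. Nothing in this commit includes the class, but it should not be merged in this form.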
@@ -1 +1 @@ -Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 +Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee -- cgit v1.2.3 From 3f31c74e7365a7508377324a9e0b26b3e746c0c1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:07 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7b6c9a29..20deb065 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 +Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 -- cgit v1.2.3 From 9fae22550eb599baac912e88343a81d2517bba93 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:59 +0200 Subject: updated submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 From 0f95eccb08b80c02db99d57da413025813766d5e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 17:26:06 +0200 Subject: re-add mx service --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 327b6a67..a340ce66 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -36,3 +36,7 @@ if $services =~ /\bmonitor\b/ { if $services =~ /\btor\b/ { include site_tor } + +if $services =~ /\bmx\b/ { + include site_mx +} -- cgit v1.2.3 From c11047649e1ef630b48b007fb757fcc68b747e62 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 10 Jul 2013 14:10:22 +0200 Subject: added tls support, including smtp auth via client cert --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++----- .../modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ------- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 ++++++++++++++++++++++ 3 files changed, 41 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a625cdcd..e9656072 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -3,6 +3,7 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] $mx_hash = hiera('mx') + $cert_name = hiera('name') $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' @@ -12,15 +13,16 @@ class site_postfix::mx { value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; - 'mailbox_size_limit': value => '0'; - 'home_mailbox': value => 'Maildir/'; - 'virtual_alias_maps': value => 'tcp:localhost:4242'; - 'luser_relay': value => 'vmail'; - 'local_recipient_maps': value => ''; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; #'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks + include site_postfix::mx::tls user { 'vmail': ensure => present, 
@@ -32,6 +34,8 @@ class site_postfix::mx { class { 'postfix': root_mail_recipient => $root_mail_recipient, - smtp_listen => 'all' + smtp_listen => 'all', + require => [ X509::Key[$cert_name], X509::Cert[$cert_name], + User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp deleted file mode 100644 index ab75130e..00000000 --- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp +++ /dev/null @@ -1,10 +0,0 @@ -class site_postfix::mx::smtp_auth { - $x509 = hiera('x509') - - postfix::config { - 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; - 'smtpd_tls_key_file': value => $x509['client_ca_key']; - 'smtpd_tls_ask_ccert': value => 'yes'; - #'smtpd_tls_CAfile': value => - } -} diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp new file mode 100644 index 00000000..7da38100 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -0,0 +1,31 @@ +class site_postfix::mx::tls { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $client_ca = $x509['client_ca_cert'] + + include x509::variables + $cert_name = hiera('name') + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { $cert_name: + content => $key, + } + + x509::cert { $cert_name: + content => $cert, + } + + postfix::config { + 'smtpd_use_tls': value => 'yes'; + 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_cert_file': value => $cert_path; + 'smtpd_tls_key_file': value => $key_path; + 'smtpd_tls_req_ccert': value => 'yes'; + 'smtpd_tls_security_level': + value => 'encrypt'; + } + +} -- cgit v1.2.3 From 0e7b47380edb2af6683a0cdc871eaa60a4101f5c Mon Sep 17 00:00:00 2001 
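Review bot: site_postfix::mx::tls sets `smtpd_tls_security_level => 'encrypt'` together with `smtpd_tls_req_ccert => 'yes'` on the same smtpd that `smtp_listen => 'all'` exposes publicly, so every remote MTA that cannot present a certificate signed by `$client_ca` is refused and the host cannot receive mail from other providers. If the intent is certificate-authenticated submission for the provider's own clients, that belongs on a separate smtpd instance (a submission service in master.cf) while the port-25 service keeps `may` and does not require client certificates; if the MX is deliberately closed to outside senders, say so in a comment above the `postfix::config` block. `smtpd_use_tls` is superseded by `smtpd_tls_security_level` in Postfix 2.3 and later and can be dropped. `$cert_name = hiera('name')` is now looked up both here and in site_postfix::mx (earlier hunk of this commit); one of the two could go.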
From: elijah Date: Wed, 10 Jul 2013 21:45:51 -0700 Subject: ensure that /etc/hosts is output deterministically, so that content does not change each time you deploy. --- puppet/modules/site_config/templates/hosts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 2c784b05..c0a2740f 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -4,7 +4,8 @@ 127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <%- if @hosts then -%> -<% @hosts.each do |name, props| -%> +<% @hosts.keys.sort.each do |name| -%> +<%- props = @hosts[name] -%> <%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> <% end -%> <% end -%> -- cgit v1.2.3 From 8478e8613ded138b5d68b122cb82f5418a199764 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 10:04:21 -0700 Subject: changes to support restrictive permissions for /etc/leap. this is required to work with the latest leap_cli. --- platform.rb | 4 +-- puppet/modules/site_config/manifests/default.pp | 3 ++ puppet/modules/site_config/manifests/files.pp | 10 +++++++ puppet/modules/site_webapp/manifests/init.pp | 29 +++++++++++++------ puppet/modules/try/manifests/file.pp | 38 ++++++++++++++++++++----- 5 files changed, 66 insertions(+), 18 deletions(-) create mode 100644 puppet/modules/site_config/manifests/files.pp diff --git a/platform.rb b/platform.rb index 9f63b4ca..9921f3a2 100644 --- a/platform.rb +++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "1.1.2" - self.compatible_cli = "1.1.2".."1.99" + self.version = "0.2.3" + self.compatible_cli = "1.1.3".."1.99" # # the facter facts that should be gathered diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 00eee9d0..e299a0f4 100644 
--- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -41,4 +41,7 @@ class site_config::default { # include basic shell config include site_config::shell + + # set up core leap files and directories + include site_config::files } diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp new file mode 100644 index 00000000..03c9aff8 --- /dev/null +++ b/puppet/modules/site_config/manifests/files.pp @@ -0,0 +1,10 @@ +class site_config::files { + + file { '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711' + } + +} \ No newline at end of file diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e743dc07..103a0faf 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
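Review bot: `/srv/leap` is created with `mode => '0711'` in site_config::files but nothing records why, and the file ends without a trailing newline (`\ No newline at end of file`). Add a comment above the resource, e.g. `# 0711: other users may traverse into service subdirectories but not list /srv/leap itself`, and the missing newline. The commit message speaks of restrictive permissions for /etc/leap whereas this hunk only touches /srv/leap — worth confirming nothing was left out of the commit.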
@@ -107,24 +107,35 @@ class site_webapp { try::file { '/srv/leap/webapp/public/favicon.ico': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['favicon']; + source => $webapp['favicon']; '/srv/leap/webapp/app/assets/stylesheets/tail.scss': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['tail_scss']; + source => $webapp['tail_scss']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['head_scss']; + source => $webapp['head_scss']; '/srv/leap/webapp/public/img': - ensure => 'link', - require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['img_dir']; + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + source => $webapp['img_dir']; } file { diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 47a8c269..7063ded9 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp 
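Review bot: `owner => leap-webapp` and `group => leap-webapp` are barewords containing a hyphen, while every other value in these four resources is a quoted string; depending on the parser version a hyphen in a bareword can be read as subtraction, so write `owner => 'leap-webapp'` and `group => 'leap-webapp'` throughout. The three single-file resources (favicon, tail.scss, head.scss) now copy from `source` but set no `mode`, so the installed files presumably keep whatever permissions the copy gives them; if the `'0644'` used for `public/img` is intended for them as well, pass it explicitly rather than relying on the source tree.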
@@ -1,23 +1,47 @@ # -# like built-in type "file", but gets gracefully ignored if the target does not exist or is undefined. +# Works like the built-in type "file", but gets gracefully ignored if the target/source does not exist or is undefined. +# +# Also, if the source or target doesn't exist, and the destination is a git repo, then the file is restored from git. # # /bin/true and /usr/bin/test are hardcoded to their paths in debian. # - +# known limitations: +# * restore does not work for directories +# define try::file ( $ensure = undef, $target = undef, + $source = undef, + $owner = undef, + $group = undef, + $recurse = undef, + $purge = undef, + $force = undef, + $mode = undef, $restore = true) { - if $target != undef { + if $target { + $target_or_source = $target + } else { + $target_or_source = $source + } + + if $target_or_source != undef { exec { "check_${name}": command => "/bin/true", - onlyif => "/usr/bin/test -e '${target}'", + onlyif => "/usr/bin/test -e '${target_or_source}'", loglevel => info; } file { "$name": ensure => $ensure, target => $target, + source => $source, + owner => $owner, + group => $group, + recurse => $recurse, + purge => $purge, + force => $force, + mode => $mode, require => $require ? { undef => Exec["check_${name}"], default => [ $require, Exec["check_${name}"] ] @@ -27,10 +51,10 @@ define try::file ( } # - # if the target does not exist (or is undef), and the file happens to be in a git repo, + # if the target/source does not exist (or is undef), and the file happens to be in a git repo, # then restore the file to its original state. # - if $target == undef or $restore { + if ($target_or_source == undef) or $restore { $file_basename = basename($name) $file_dirname = dirname($name) $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" 
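Review bot: When both `$target` and `$source` are passed, the new `if $target { $target_or_source = $target } else { ... }` silently prefers the target, yet both values are still handed to `file { "$name": target => $target, source => $source, ... }`; reject the combination up front with `if $target and $source { fail("try::file ${name}: target and source are mutually exclusive") }`. The existence check `onlyif => "/usr/bin/test -e '${target_or_source}'"` wraps the path in single quotes, so a path containing `'` would break the shell command — acceptable for manifest-controlled paths, but a comment stating that assumption belongs in the header's known-limitations list. `file { "$name":` also quotes a lone variable; `file { $name:` is the conventional form.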
@@ -48,7 +72,7 @@ define try::file ( } } else { exec { "restore_${name}": - unless => "/usr/bin/test -e '${target}'", + unless => "/usr/bin/test -e '${target_or_source}'", command => $command, cwd => $file_dirname, require => $require ? { -- cgit v1.2.3 From f64791335e40b2b6e05305a6d8dda989fb755b9d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 15 Jul 2013 11:34:22 +0200 Subject: fix smtpd_recipient_restrictions, debug connections from localhost --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9656072..5ec8ab49 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -12,13 +12,13 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; + value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; - #'debug_peer_list': value => '127.0.0.1'; + 'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From cdb7b1805ea20b89c2c9aa9a71700b1be02cd707 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 15 Jul 2013 10:26:54 +0100 Subject: lint nickserver class Change-Id: I03cdb5a6255d245cb1163a30b221b4c32dc4bef6 --- puppet/modules/site_nickserver/manifests/init.pp | 41 ++++++++++++++++-------- 1 file changed, 27 insertions(+), 14 deletions(-) 
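Review bot: Moving `permit_tls_all_clientcerts` ahead of `reject_unauth_destination` means any client whose certificate verifies against the server's configured CAs may relay to arbitrary destinations, which is the intent for LEAP clients but becomes an open relay if `smtpd_tls_CAfile`/`smtpd_tls_CApath` holds anything beyond the LEAP client CA; neither that setting nor `smtpd_tls_ask_ccert` is visible here, so confirm both where they are set (presumably in the postfix module). A comment above the line such as `# relay is granted to any verified client cert: the smtpd TLS trust store must hold only the LEAP client CA` would make the dependency explicit. Enabling `'debug_peer_list': value => '127.0.0.1'` raises log verbosity for every connection from localhost, so treat it as temporary and note when it should come back out.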
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 7dfa2603..a3368771 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -1,10 +1,12 @@ # -# TODO: currently, this is dependent on some things that are set up in site_webapp +# TODO: currently, this is dependent on some things that are set up in +# site_webapp # # (1) HAProxy -> couchdb # (2) Apache # -# It would be good in the future to make nickserver installable independently of site_webapp. +# It would be good in the future to make nickserver installable independently of +# site_webapp. # class site_nickserver { @@ -16,14 +18,18 @@ class site_nickserver { # $nickserver = hiera('nickserver') - $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425) - $nickserver_local_port = '64250' # the port that nickserver is actually running on + # the port that public connects to (should be 6425) + $nickserver_port = $nickserver['port'] + # the port that nickserver is actually running on + $nickserver_local_port = '64250' $nickserver_domain = $nickserver['domain'] $couchdb_user = $nickserver['couchdb_user']['username'] $couchdb_password = $nickserver['couchdb_user']['password'] - $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. - $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + # couchdb is available on localhost via haproxy, which is bound to 4096. + $couchdb_host = 'localhost' + # See site_webapp/templates/haproxy_couchdb.cfg.erg + $couchdb_port = '4096' # temporarily for now: $domain = hiera('domain') @@ -41,6 +47,7 @@ class site_nickserver { ensure => present, allowdupe => false; } + user { 'nickserver': ensure => present, allowdupe => false, 
@@ -50,14 +57,14 @@ class site_nickserver { } # - # NICKSERVER CODE - # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem - # is built/installed. + # NICKSERVER CODE NOTE: in order to support TLS, libssl-dev must be installed + # before EventMachine gem is built/installed. # package { 'libssl-dev': ensure => installed; } + vcsrepo { '/srv/leap/nickserver': ensure => present, revision => 'origin/master', @@ -68,13 +75,15 @@ class site_nickserver { require => [ User['nickserver'], Group['nickserver'] ], notify => Exec['nickserver_bundler_update']; } + exec { 'nickserver_bundler_update': cwd => '/srv/leap/nickserver', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', unless => '/usr/bin/bundle check', user => 'nickserver', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], + Package['libssl-dev'] ], notify => Service['nickserver']; } @@ -99,8 +108,11 @@ class site_nickserver { ensure => link, target => '/srv/leap/nickserver/bin/nickserver', require => Vcsrepo['/srv/leap/nickserver']; + '/etc/init.d/nickserver': - owner => root, group => 0, mode => '0755', + owner => root, + group => 0, + mode => '0755', source => '/srv/leap/nickserver/dist/debian-init-script', require => Vcsrepo['/srv/leap/nickserver']; } @@ -119,7 +131,7 @@ class site_nickserver { # file { '/etc/shorewall/macro.nickserver': - content => "PARAM - - tcp $nickserver_port", + content => "PARAM - - tcp ${nickserver_port}", notify => Service['shorewall'], require => Package['shorewall']; } @@ -142,7 +154,8 @@ class site_nickserver { } apache::vhost::file { - 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') + 'nickserver': + content => template('site_nickserver/nickserver-proxy.conf.erb') } x509::key { 'nickserver': 
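Review bot: `'/etc/init.d/nickserver'` is installed root-owned with `mode => '0755'` from `source => '/srv/leap/nickserver/dist/debian-init-script'`, a path inside the vcsrepo that is set up with `require => [ User['nickserver'], Group['nickserver'] ]`; if that checkout is owned or writable by the `nickserver` service account (not shown here), a script that account can edit is copied on every deploy to a location executed as root. Keep the init script under the module's control (ship it as a module file, or at least verify the checkout is root-owned) and record the ownership assumption in the comment block above the resource. The rewrapped `require` on `nickserver_bundler_update` is fine, but the `bundle install --path vendor/bundle` it guards fetches gems from the network during a deploy; a note that the checkout is expected to carry a Gemfile.lock would document that supply-chain boundary.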
@@ -159,4 +172,4 @@ class site_nickserver { content => $x509_ca, notify => Service[apache]; } -} \ No newline at end of file +} -- cgit v1.2.3 From f35db765d82974d2b935036acbc57e7d1acd13a9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Jul 2013 10:54:54 +0100 Subject: lint site_openvpn manifests Change-Id: I314031d93aa9f4a0f217680870678e39c096d46a --- puppet/modules/site_openvpn/manifests/init.pp | 13 +++--- .../site_openvpn/manifests/server_config.pp | 48 +++++++++++----------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4f900623..b2bb0d3a 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -5,8 +5,9 @@ # (2) unlimited only # (3) limited only # -# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', -# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# The difference is that 'unlimited' gateways only allow client certs that match +# the 'unlimited_prefix', and 'limited' gateways only allow certs that match the +# 'limited_prefix'. # # We potentially create four openvpn config files (thus four daemons): # @@ -89,8 +90,8 @@ class site_openvpn { management => '127.0.0.1 1001' } } else { - tidy { "/etc/openvpn/tcp_config.conf": } - tidy { "/etc/openvpn/udp_config.conf": } + tidy { '/etc/openvpn/tcp_config.conf': } + tidy { '/etc/openvpn/udp_config.conf': } } if $openvpn_allow_limited { @@ -113,8 +114,8 @@ class site_openvpn { management => '127.0.0.1 1003' } } else { - tidy { "/etc/openvpn/limited_tcp_config.conf": } - tidy { "/etc/openvpn/limited_udp_config.conf": } + tidy { '/etc/openvpn/limited_tcp_config.conf': } + tidy { '/etc/openvpn/limited_udp_config.conf': } } file { 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6106cfbb..a53019a8 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -70,7 +70,7 @@ define site_openvpn::server_config( if $tls_remote != undef { openvpn::option { - "tls-remote $openvpn_configname": + 'tls-remote $openvpn_configname': key => 'tls-remote', value => $tls_remote, server => $openvpn_configname; 
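Review bot: The lint change to `'tls-remote $openvpn_configname':` turned an interpolating title into a literal one, because single quotes do not interpolate in Puppet; every `site_openvpn::server_config` instance that sets `$tls_remote` now declares the same `openvpn::option` title and the second one fails with a duplicate declaration. The title should be `"tls-remote ${openvpn_configname}":` (double quotes, braced variable), matching the other titles in this file; a later commit on this page ("fix linting error") makes exactly that correction.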
@@ -78,89 +78,89 @@ define site_openvpn::server_config( } openvpn::option { - "ca $openvpn_configname": + "ca ${openvpn_configname}": key => 'ca', value => '/etc/openvpn/ca_bundle.pem', server => $openvpn_configname; - "cert $openvpn_configname": + "cert ${openvpn_configname}": key => 'cert', value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; - "key $openvpn_configname": + "key ${openvpn_configname}": key => 'key', value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; - "dh $openvpn_configname": + "dh ${openvpn_configname}": key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - "tls-cipher $openvpn_configname": + "tls-cipher ${openvpn_configname}": key => 'tls-cipher', value => 'DHE-RSA-AES128-SHA', server => $openvpn_configname; - "auth $openvpn_configname": + "auth ${openvpn_configname}": key => 'auth', value => 'SHA1', server => $openvpn_configname; - "cipher $openvpn_configname": + "cipher ${openvpn_configname}": key => 'cipher', value => 'AES-128-CBC', server => $openvpn_configname; - "dev $openvpn_configname": + "dev ${openvpn_configname}": key => 'dev', value => 'tun', server => $openvpn_configname; - "duplicate-cn $openvpn_configname": + "duplicate-cn ${openvpn_configname}": key => 'duplicate-cn', server => $openvpn_configname; - "keepalive $openvpn_configname": + "keepalive ${openvpn_configname}": key => 'keepalive', value => '5 20', server => $openvpn_configname; - "local $openvpn_configname": + "local ${openvpn_configname}": key => 'local', value => $local, server => $openvpn_configname; - "mute $openvpn_configname": + "mute ${openvpn_configname}": key => 'mute', value => '5', server => $openvpn_configname; - "mute-replay-warnings $openvpn_configname": + "mute-replay-warnings ${openvpn_configname}": key => 'mute-replay-warnings', server => $openvpn_configname; - "management $openvpn_configname": + "management ${openvpn_configname}": key => 'management', value => $management, 
server => $openvpn_configname; - "proto $openvpn_configname": + "proto ${openvpn_configname}": key => 'proto', value => $proto, server => $openvpn_configname; - "push1 $openvpn_configname": + "push1 ${openvpn_configname}": key => 'push', value => $push, server => $openvpn_configname; - "push2 $openvpn_configname": + "push2 ${openvpn_configname}": key => 'push', value => '"redirect-gateway def1"', server => $openvpn_configname; - "script-security $openvpn_configname": + "script-security ${openvpn_configname}": key => 'script-security', value => '2', server => $openvpn_configname; - "server $openvpn_configname": + "server ${openvpn_configname}": key => 'server', value => $server, server => $openvpn_configname; - "status $openvpn_configname": + "status ${openvpn_configname}": key => 'status', value => '/var/run/openvpn-status 10', server => $openvpn_configname; - "status-version $openvpn_configname": + "status-version ${openvpn_configname}": key => 'status-version', value => '3', server => $openvpn_configname; - "topology $openvpn_configname": + "topology ${openvpn_configname}": key => 'topology', value => 'subnet', server => $openvpn_configname; @@ -169,7 +169,7 @@ define site_openvpn::server_config( # key => 'up', # value => '/etc/openvpn/server-up.sh', # server => $openvpn_configname; - "verb $openvpn_configname": + "verb ${openvpn_configname}": key => 'verb', value => '3', server => $openvpn_configname; -- cgit v1.2.3 From 26079c446763386500f9f628dff14ebf8a1994fc Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Jul 2013 12:29:54 +0100 Subject: add .gitignore and configure it to ignore .reviewboardrc Change-Id: Id5e587f47a27c9d714d0d0b352b87e9e8f55d4a8 --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..62603355 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.reviewboardrc -- cgit v1.2.3 
From 3bfa6a7bd1cc9155155c50468a9bbe0769986920 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 17 Jul 2013 00:58:07 -0700 Subject: default to false for $hosts --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index ccedf036..a3ce0c1f 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,5 +1,5 @@ class site_config::hosts() { - $hosts = hiera('hosts','') + $hosts = hiera('hosts', false) $hostname = hiera('name') $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] -- cgit v1.2.3 From e52f2191b616f77ffaf94152f3241ea017c296e3 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 15 Jul 2013 07:16:35 -0700 Subject: an entirely different implementation of try::file, using all execs. the built in file resource of puppet can't be used for what we want, because if you specify $source, it always bombs out if it doesn't exist, regardless of dependencies. --- puppet/modules/try/manifests/file.pp | 92 +++++++++++++++++++++++------------- 1 file changed, 58 insertions(+), 34 deletions(-) diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 7063ded9..d21925c0 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -6,7 +6,10 @@ # /bin/true and /usr/bin/test are hardcoded to their paths in debian. # # known limitations: -# * restore does not work for directories +# * this is far too noisy +# * $restore does not work for directories +# * only file:// $source is supported +# * $content is not supported, only $target or $source. # define try::file ( $ensure = undef, 
@@ -20,33 +23,55 @@ define try::file ( $mode = undef, $restore = true) { - if $target { - $target_or_source = $target - } else { - $target_or_source = $source + # dummy exec to propagate requires: + # metaparameter 'require' will get triggered by this dummy exec + # so then we just need to depend on this to capture all requires. + # exec { $name: command => "/bin/true" } + + exec { + "chmod_${name}": + command => "chmod -R ${mode} '${name}'", + onlyif => "/usr/bin/test $mode", + loglevel => debug; + "chown_${name}": + command => "chown -R ${owner} '${name}'", + onlyif => "/usr/bin/test $owner", + loglevel => debug; + "chgrp_${name}": + command => "chgrp -R ${group} '${name}'", + onlyif => "/usr/bin/test $group", + loglevel => debug; } - if $target_or_source != undef { - exec { "check_${name}": - command => "/bin/true", - onlyif => "/usr/bin/test -e '${target_or_source}'", - loglevel => info; + if $target { + exec { "symlink_${name}": + command => "ln -s ${target} ${name}", + onlyif => "/usr/bin/test -d '${target}'", } - file { "$name": - ensure => $ensure, - target => $target, - source => $source, - owner => $owner, - group => $group, - recurse => $recurse, - purge => $purge, - force => $force, - mode => $mode, - require => $require ? 
{ - undef => Exec["check_${name}"], - default => [ $require, Exec["check_${name}"] ] - }, - loglevel => info; + } elsif $source { + if $ensure == "directory" { + if $purge { + exec { "rsync_${name}": + command => "rsync -r --delete '${source}/' '${name}'", + onlyif => "/usr/bin/test -d '${source}'", + unless => "/usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + } + } else { + exec { "cp_r_${name}": + command => "cp -r '${source}' '${name}'", + onlyif => "/usr/bin/test -d '${source}'", + unless => "/usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + } + } + } else { + exec { "cp_${name}": + command => "cp '${source}' '${name}'", + onlyif => "/usr/bin/test -e '${source}'", + unless => "/usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + } } } @@ -54,20 +79,23 @@ define try::file ( # if the target/source does not exist (or is undef), and the file happens to be in a git repo, # then restore the file to its original state. # + + if $target { + $target_or_source = $target + } else { + $target_or_source = $source + } + if ($target_or_source == undef) or $restore { $file_basename = basename($name) $file_dirname = dirname($name) $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" debug($command) - if $target == undef { + if $target_or_source == undef { exec { "restore_${name}": command => $command, cwd => $file_dirname, - require => $require ? { - undef => undef, - default => [ $require ] - }, loglevel => info; } } else { @@ -75,10 +103,6 @@ define try::file ( unless => "/usr/bin/test -e '${target_or_source}'", command => $command, cwd => $file_dirname, - require => $require ? { - undef => undef, - default => [ $require ] - }, loglevel => info; } } -- cgit v1.2.3 
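Review bot: `command => "chmod -R ${mode} '${name}'"` applies the numeric mode to every entry under `$name`, and unlike Puppet's `file` type it does not add the search bit to directories, so with `ensure => directory` and `mode => '0644'` (what site_webapp passes for `public/img` in a later hunk on this page) the directory tree becomes untraversable for the web server; apply the mode to files only, e.g. `command => "/usr/bin/find '${name}' -type f -exec chmod ${mode} {} +"`, or use a symbolic mode with `X`. The three permission execs are the `notify` targets of the copy execs but carry no `refreshonly => true`, so they also run on every agent run (the noise the new header comment admits to); add `refreshonly => true` to each. `exec { "symlink_${name}": command => "ln -s ${target} ${name}", ... }` has no `unless`/`creates`, so once the link exists `ln` exits non-zero and the resource fails on every subsequent run; add `creates => $name` and quote both paths as the sibling commands do. This hunk begins on the previous line.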
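Review bot: The restore exec keeps `command => $command` (`git rev-parse && unlink ... git checkout -- ...`) with `cwd => $file_dirname` and no `user`, so Puppet runs git as root inside whatever repository contains `$name`; for the site_webapp callers that appears to be a checkout whose contents are owned by `leap-webapp` (the `chown --reference` in the same command relies on that), and running git as root in a directory a service account can write, `.git/hooks` included, is a privilege boundary worth avoiding. Run the restore as the checkout's owner, e.g. `user => $owner` when `$owner` is set, or restrict `$restore` to root-owned paths and say so in the header's known-limitations list. Dropping the `require => $require ? { ... }` arms presumably relies on metaparameters set on a `try::file` instance propagating to the contained execs; a one-line comment to that effect would stop the next reader from re-adding them.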
From 3a12f829316b7ccaf353158ea58d27d6fd400065 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 19 Jul 2013 01:55:47 -0700 Subject: try::file - absolute exec paths. --- puppet/modules/try/manifests/file.pp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index d21925c0..4cefef2f 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -3,7 +3,7 @@ # # Also, if the source or target doesn't exist, and the destination is a git repo, then the file is restored from git. # -# /bin/true and /usr/bin/test are hardcoded to their paths in debian. +# All executable paths are hardcoded to their paths in debian. # # known limitations: # * this is far too noisy 
@@ -30,36 +30,36 @@ define try::file ( exec { "chmod_${name}": - command => "chmod -R ${mode} '${name}'", + command => "/bin/chmod -R ${mode} '${name}'", onlyif => "/usr/bin/test $mode", loglevel => debug; "chown_${name}": - command => "chown -R ${owner} '${name}'", + command => "/bin/chown -R ${owner} '${name}'", onlyif => "/usr/bin/test $owner", loglevel => debug; "chgrp_${name}": - command => "chgrp -R ${group} '${name}'", + command => "/bin/chgrp -R ${group} '${name}'", onlyif => "/usr/bin/test $group", loglevel => debug; } if $target { exec { "symlink_${name}": - command => "ln -s ${target} ${name}", + command => "/bin/ln -s ${target} ${name}", onlyif => "/usr/bin/test -d '${target}'", } } elsif $source { - if $ensure == "directory" { + if $ensure == 'directory' { if $purge { exec { "rsync_${name}": - command => "rsync -r --delete '${source}/' '${name}'", + command => "/usr/bin/rsync -r --delete '${source}/' '${name}'", onlyif => "/usr/bin/test -d '${source}'", unless => "/usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } else { exec { "cp_r_${name}": - command => "cp -r '${source}' '${name}'", + command => "/bin/cp -r '${source}' '${name}'", onlyif => "/usr/bin/test -d '${source}'", unless => "/usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] @@ -67,7 +67,7 @@ define try::file ( } } else { exec { "cp_${name}": - command => "cp '${source}' '${name}'", + command => "/bin/cp '${source}' '${name}'", onlyif => "/usr/bin/test -e '${source}'", unless => "/usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] -- cgit v1.2.3 From 984a6d2e22ff3f11d9b772f9a86e6d75f5e14f4b Mon Sep 17 00:00:00 2001 
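Review bot: `command => "/bin/ln -s ${target} ${name}"` is the only command in this hunk that leaves its arguments unquoted, while `chmod`/`chown`/`chgrp`/`rsync`/`cp` all single-quote `${name}`; make it `"/bin/ln -s '${target}' '${name}'"` so a path with whitespace behaves the same everywhere. `/usr/bin/rsync` is now hard-coded, but nothing in this define ensures the `rsync` package is installed, so on a host without it the `rsync_${name}` exec fails only at apply time; declare and require the package, or list it with the other hard-path assumptions in the header comment. The `onlyif => "/usr/bin/test $mode"` guards still interpolate unbraced `$mode`/`$owner`/`$group`; the `${mode}` form would match the commands' style.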
From: varac Date: Tue, 23 Jul 2013 17:29:51 +0200 Subject: /srv/leap/webapp/public/img: require => Vcsrepo['/srv/leap/webapp'] --- puppet/modules/site_webapp/manifests/init.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 103a0faf..f3c28f49 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -128,14 +128,15 @@ class site_webapp { source => $webapp['head_scss']; '/srv/leap/webapp/public/img': - ensure => directory, + ensure => directory, recurse => true, - purge => true, - force => true, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - source => $webapp['img_dir']; + purge => true, + force => true, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + require => Vcsrepo['/srv/leap/webapp'], + source => $webapp['img_dir']; } file { -- cgit v1.2.3 From 87959aa1cda7e942fd0db89857c79e09876006c0 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Jul 2013 17:59:41 +0200 Subject: not need for file { '/srv/leap/webapp': }, we have vcsrepo { '/srv/leap/webapp': } --- puppet/modules/site_webapp/manifests/init.pp | 7 ------- 1 file changed, 7 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f3c28f49..1071ea1d 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -31,13 +31,6 @@ class site_webapp { require => [ Group['leap-webapp'] ]; } - file { '/srv/leap/webapp': - ensure => directory, - owner => 'leap-webapp', - group => 'leap-webapp', - require => User['leap-webapp']; - } - vcsrepo { '/srv/leap/webapp': ensure => present, force => true, -- cgit v1.2.3 From a1d8ec10bd7d7ac4a146222010cf5a6862e45869 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 23 Jul 2013 12:45:31 -0400 Subject: fix linting error Change-Id: I975e1bd480d756a85e556b440a0e28e3899c9af8 --- puppet/modules/site_openvpn/manifests/server_config.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index a53019a8..5ba9812f 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -70,10 +70,10 @@ define site_openvpn::server_config( if $tls_remote != undef { openvpn::option { - 'tls-remote $openvpn_configname': - key => 'tls-remote', - value => $tls_remote, - server => $openvpn_configname; + "tls-remote ${openvpn_configname}": + key => 'tls-remote', + value => $tls_remote, + server => $openvpn_configname; } } -- cgit v1.2.3 From 56773db9cd0adab580e05e041b674a709a81a1db Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:24:29 +0100 Subject: include site_mx --- puppet/manifests/site.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..2ceca4f1 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -37,3 +37,8 @@ if $services =~ /\bmonitor\b/ { if $services =~ /\btor\b/ { include site_tor } + +if 'webapp' in $services { + include site_webapp +} + -- cgit v1.2.3 From 96115ce90ea7f2daf9ce40e738348c9cc4e0da05 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:27:45 +0100 Subject: added submodule postfix from git://labs.riseup.net/shared-postfix --- .gitmodules | 3 +++ puppet/modules/postfix | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/postfix diff --git a/.gitmodules b/.gitmodules index 717ae5ed..b84dfef2 100644 --- a/.gitmodules +++ b/.gitmodules 
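Review bot: `if 'webapp' in $services { include site_webapp }` uses the `in` operator while the neighbouring checks use `$services =~ /\bmonitor\b/` and `$services =~ /\btor\b/`; on a string `$services`, `in` is a plain substring test without word boundaries, so a service name that merely contains "webapp" would also match. Use the same `if $services =~ /\bwebapp\b/ {` form as its siblings. The commit subject says "include site_mx" but the hunk includes `site_webapp`; a one-word correction to the subject would avoid confusion in the log.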
@@ -73,3 +73,6 @@ [submodule "puppet/modules/haproxy"] path = puppet/modules/haproxy url = git://code.leap.se/puppet_haproxy +[submodule "puppet/modules/postfix"] + path = puppet/modules/postfix + url = git://labs.riseup.net/shared-postfix diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..881a59ac --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 -- cgit v1.2.3 From 1c7664e5efaed6da2a7dff9dd2c2930f147499e9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:42:17 +0100 Subject: added site_mx --- puppet/modules/site_mx/manifests/init.pp | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/init.pp diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp new file mode 100644 index 00000000..f7f358ce --- /dev/null +++ b/puppet/modules/site_mx/manifests/init.pp @@ -0,0 +1,3 @@ +class site_mx { + include site_postfix::mx +} -- cgit v1.2.3 From ef50a37c6f3eda75d9d631ed8040252be912b365 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 17:16:09 +0100 Subject: shorewall rules for site_mx --- puppet/modules/site_shorewall/manifests/mx.pp | 24 ++++++++++++++++++++++ .../site_shorewall/manifests/service/smtp.pp | 13 ++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp new file mode 100644 index 00000000..5ec95fdd --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/mx.pp 
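Review bot: The new submodule is fetched over `url = git://labs.riseup.net/shared-postfix`, a transport with no authentication or integrity protection beyond the pinned `Subproject commit` hash; the pin bounds what a tampered fetch of that exact commit can yield, but anyone updating the pin (for example with `git submodule update --remote`) takes whatever the network serves. Prefer an `https://` URL if the host offers one; the `puppet_haproxy` entry just above uses the same `git://` scheme and would benefit from the same change. This hunk is repeated verbatim from an earlier commit in this series, so the note applies to both.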
@@ -0,0 +1,24 @@ +class site_shorewall::mx { + + include site_shorewall::defaults + + $smtpd_ports = '25' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_mx': + content => "PARAM - - tcp ${smtpd_ports} ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + + shorewall::rule { + 'net2fw-mx': + source => 'net', + destination => '$FW', + action => 'leap_mx(ACCEPT)', + order => 200; + } + + include site_shorewall::service::smtp +} diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp new file mode 100644 index 00000000..7fbdf14e --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::smtp { + + include site_shorewall::defaults + + shorewall::rule { + 'fw2net-http': + source => '$FW', + destination => 'net', + action => 'SMTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 07f1d18e20fb356a80e726e1555dbcc15db1cf45 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:15:45 +0100 Subject: include shorewall rules for site_mx --- puppet/modules/site_mx/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index f7f358ce..4b2db215 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,3 +1,7 @@ class site_mx { + tag 'leap_service' + include site_postfix::mx + include site_shorewall::mx + include site_shorewall::service::smtp } -- cgit v1.2.3 From 4db33aa76139e26678d1b989873532bc50937917 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:16:13 +0100 Subject: added basic site_postfix::mx config --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx.pp 
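Review bot: The outbound rule in service/smtp.pp is titled `'fw2net-http'` although its action is `SMTP(ACCEPT)`; the title is the catalog-wide identity of the resource, so a sibling class that defines an HTTP rule under the same name would fail with a duplicate declaration, and the name misleads anyone reading the generated shorewall rules. Rename it to match the service: `'fw2net-smtp':`. In mx.pp the macro content `"PARAM - - tcp ${smtpd_ports} "` also carries a trailing space before the closing quote, which shorewall tolerates but which looks accidental.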
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp new file mode 100644 index 00000000..9104c2cb --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -0,0 +1,16 @@ +class site_postfix::mx { + + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + + # see https://leap.se/code/issues/1936 for contact email addr + #$root_mail_recipient = '' + $postfix_smtp_listen = 'all' + + postfix::config { + # just en example + 'delay_warning_time': value => '4h'; + } + + include ::postfix +} -- cgit v1.2.3 From 930885ac2be95698584e094fa23713a946d81dac Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:35:37 +0200 Subject: added site_mx::haproxy --- puppet/modules/site_mx/manifests/haproxy.pp | 14 ++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/haproxy.pp diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp new file mode 100644 index 00000000..988eeaf3 --- /dev/null +++ b/puppet/modules/site_mx/manifests/haproxy.pp @@ -0,0 +1,14 @@ +class site_mx::haproxy { + + include site_haproxy + + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] + + # Template uses $global_options, $defaults_options + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4b2db215..8c8b8d7e 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,7 @@ class site_mx { tag 'leap_service' include site_postfix::mx + include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp } -- cgit v1.2.3 
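Review bot: site_mx::haproxy declares `concat::fragment { 'leap_haproxy_webapp_couchdb': ... }` with a title and template borrowed from site_webapp; if site_webapp declares a fragment under that same title (the name suggests so, but this hunk does not show it), a node running both the webapp and mx services will fail catalog compilation with a duplicate declaration. Giving the fragment an mx-specific title, `concat::fragment { 'leap_haproxy_mx_couchdb':`, avoids the collision. The comment `# Template uses $global_options, $defaults_options` should also name `$local_ports`, since that is the only variable this class computes for the template; whether the shared template actually reads it cannot be confirmed from the hunk.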
From 972317f752d5d621bd8284d4c00caaabbb447061 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:46:13 +0200 Subject: added provider_base/services/mx.json --- provider_base/services/mx.json | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 provider_base/services/mx.json diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json new file mode 100644 index 00000000..61ae0db9 --- /dev/null +++ b/provider_base/services/mx.json @@ -0,0 +1,8 @@ +{ + "stunnel": { + "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" + }, + "haproxy": { + "local_ports": "= stunnel.couch_client.field(:accept_port)" + } +} -- cgit v1.2.3 From 720717e177af576936a7e3e950aec1d208a21fae Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 9 ++++++++ puppet/modules/site_mx/manifests/couchdb.pp | 35 +++++++++++++++++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 45 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/couchdb.pp diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 61ae0db9..949374ad 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -4,5 +4,14 @@ }, "haproxy": { "local_ports": "= stunnel.couch_client.field(:accept_port)" + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } 
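Review bot: The new x509 block ships `client_ca_key` (`= file_path :client_ca_key`) to every mx node alongside the client CA certificate; verifying client certificates only needs the CA certificate, so the CA's signing key appears to be distributed to a node that should not need it. If nothing on the MX signs certificates, dropping the `"client_ca_key"` line limits what an MX compromise exposes to that node's own credentials. Which hiera keys site_postfix reads is not visible in this hunk, so confirm before removing.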
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp new file mode 100644 index 00000000..f842ceab --- /dev/null +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -0,0 +1,35 @@ +class site_mx::couchdb { + + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variables + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca_name => $ca_name, + ca => $ca + } + + $couchdb_stunnel_client_defaults = { + 'connect_port' => $couch_client_connect, + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 8c8b8d7e..86ae56e1 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,4 +5,5 @@ class site_mx { include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp + include site_mx::couchdb } -- cgit v1.2.3 From 8d93b0f2fa3198cf4071cf93d8213fbfc3e0a9be Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 17:28:40 +0200 Subject: hiera variable mx.contact -> postfix $root_mail_recipient --- provider_base/services/mx.json | 3 +++ puppet/modules/site_postfix/manifests/mx.pp | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 949374ad..b15bfbc8 100644 
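Review bot: The stunnel client defaults in site_mx::couchdb pass `'cafile' => $ca_path` but no `verify` level; stunnel does not check the peer certificate unless `verify` is set, so whether the CA file is enforced depends entirely on what `site_stunnel::clients` does with these keys, which is outside this hunk. If that define does not set it, add a `'verify' => '2',` entry (or whatever the define supports) next to `cafile` so the CouchDB tunnel actually authenticates the server end. A short comment above `$couchdb_stunnel_client_defaults` stating that peer verification is expected would make the intent reviewable.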
--- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -1,4 +1,7 @@ { + "mx": { + "contact": "= global.provider.contacts.default" + }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" }, diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 9104c2cb..15449001 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -1,10 +1,10 @@ class site_postfix::mx { - $domain_hash = hiera ('domain') - $domain = $domain_hash['full_suffix'] + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + $mx_hash = hiera('mx') - # see https://leap.se/code/issues/1936 for contact email addr - #$root_mail_recipient = '' + $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' postfix::config { -- cgit v1.2.3 From f45c144272915ef839edd0cb47a1085d01d4c36a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 15449001..4bab7722 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -8,8 +8,46 @@ class site_postfix::mx { $postfix_smtp_listen = 'all' postfix::config { - # just en example - 'delay_warning_time': value => '4h'; + 'mydestination': + value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'smtpd_recipient_restrictions': + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; + } + + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, } include ::postfix -- cgit v1.2.3 From b8fcdf50b284aa88ff3886243299ce76c9acd3eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 16:27:43 +0200 Subject: no need to import common anymore --- puppet/manifests/site.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 2ceca4f1..1603176c 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] } include stdlib -import 'common' include site_config::default include site_config::slow -- cgit v1.2.3 From fd009ffef849986a691cf98aa1eefc21c3a72d9f Mon Sep 17 00:00:00 2001 
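Review bot: The hunk declares `user { 'vmail': ... }` twice with identical bodies, which Puppet rejects as a duplicate declaration, so this catalog cannot compile as committed; delete the second block. Beyond that, the `line {'deliver to vmail': ... line => "@${domain} vmail"` catch-all together with `'mailbox_size_limit': value => '0'` accepts mail for every address at the domain and delivers it into one unbounded Maildir, so the only limit on what an unauthenticated sender can write to disk is the filesystem. If the catch-all is deliberate for now, as the `# for now, accept all mail` comment suggests, a non-zero `mailbox_size_limit` or an explicit `message_size_limit` is worth setting alongside it. The `Exec['generate /etc/postfix/recipient.db']` this hunk notifies is presumably created by `postfix::hash`, which this diff does not show.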
From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index b15bfbc8..ab46960d 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -17,4 +17,15 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } +} + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" + } } -- cgit v1.2.3 From 9c08bdad1cbb5c9c71ef42b99d7ec491ed084269 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/postfix | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 881a59ac..8e43dc85 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 +Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4bab7722..2bf844bf 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
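Review bot: The new side of this hunk is not valid JSON: a `}` is inserted after the existing closing brace and then a second `"x509"` object and another `}` follow it, leaving the file with unbalanced braces and a duplicated key. The commit message and author match the earlier "initial mx couchdb stunnel configuration" change, so this looks like the same change applied twice; the hunk should be dropped rather than merged, and its repeat at the later `index 91ad3277..73bbea83` hunk has the same problem. A subsequent commit on this page reverts exactly these lines, which confirms the breakage.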
@@ -42,13 +42,8 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, + class { 'postfix': + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all' } - - include ::postfix } -- cgit v1.2.3 From 02e32f7310a1960f9665f08517368d8fef4ea216 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:08:18 +0200 Subject: fixed provider_base/services/mx.json syntax --- provider_base/services/mx.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index ab46960d..b15bfbc8 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -17,15 +17,4 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } -} - }, - "x509": { - "use": true, - "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", - "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", - "commercial_key": "= file [:commercial_key, domain.full_suffix]", - "commercial_ca_cert": "= try_file :commercial_ca_cert" - } } -- cgit v1.2.3 From a7bcd40d22769ec61b3fdb8d04dd447f6167ed7e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2bf844bf..82536b80 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
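Review bot: After switching to `class { 'postfix': root_mail_recipient => $root_mail_recipient, smtp_listen => 'all' }`, the `$postfix_smtp_listen = 'all'` assignment earlier in this class (outside the hunk, visible in a previous commit on this page) no longer feeds anything, since the value is now passed explicitly. Either remove it or pass it through, `smtp_listen => $postfix_smtp_listen,`, so there is one source of truth for the listen setting. The class body starts outside this hunk.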
@@ -11,28 +11,15 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; - 'mailbox_size_limit': - value => '0'; - 'home_mailbox': - value => 'Maildir/'; - 'virtual_alias_maps': - value => 'hash:/etc/postfix/virtual'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From b50b03d8a2bc1970df696938b382ada79397ba07 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 82536b80..72c38ab1 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
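Review bot: Setting `'local_recipient_maps': value => ''` turns off Postfix's own rejection of unknown local recipients, so from this change on the only recipient validation at SMTP time is the `check_recipient_access tcp:localhost:2244` lookup, and anything that passes it but has no mailbox is swept into the `vmail` account by `luser_relay`. That dependency deserves a comment next to the setting, e.g. `# recipient validation is delegated to the resolver on tcp:2244; luser_relay catches the rest`, because the empty value reads like an oversight. Whether the resolver on 2244/4242 is reachable only from localhost is not visible here; it should be, since the lookups are unauthenticated.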
@@ -17,9 +17,10 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; + #'debug_peer_list': value => '127.0.0.1'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp new file mode 100644 index 00000000..e46bc149 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -0,0 +1,8 @@ +class site_postfix::mx::smtpd_checks { + + postfix::config { + 'smtpd_data_restrictions': + value => 'permit_mynetworks, reject_unauth_pipelining, permit' + } + +} -- cgit v1.2.3 From 874cbdc087fde630ef7c44b51974aa702a151c7c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Apr 2013 14:06:38 +0200 Subject: smtpd_checks: smtpd_delay_reject --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index e46bc149..b2f2d7c2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,8 +1,9 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_delay_reject': value => 'yes'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit' + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; } } -- cgit v1.2.3 From 462c402e7850671cd6debc545bce93f51d5b6770 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 May 2013 16:34:16 -0400 Subject: add necessary service type to the mx.json --- provider_base/services/mx.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
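Review bot: In smtpd_checks.pp the added `'smtpd_delay_reject': value => 'yes';` restates Postfix's default, and the trailing `permit` in `smtpd_data_restrictions` is the implicit end-of-list result; neither changes behaviour, so a one-line comment saying they are set explicitly for documentation would stop a later reader from hunting for the reason. The commented-out `#'debug_peer_list': value => '127.0.0.1';` left in mx.pp is debugging residue that is better kept out of the committed config.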
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index b15bfbc8..91ad3277 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -16,5 +16,6 @@ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" - } + }, + "service_type": "user_service" } -- cgit v1.2.3 From 230ca974a555f0391a6d1d5455d5f779c7b79828 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:24:29 +0100 Subject: include site_mx --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- puppet/modules/couchdb | 2 +- puppet/modules/stunnel | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e diff --git a/puppet/modules/apt b/puppet/modules/apt index 1a72a996..6bf7a6ab 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee +Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..7b6c9a29 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index fc1589a5..75d387fc 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc +Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 -- cgit v1.2.3 From e5e64291b584340032655ff7c9398067691b06f6 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 31 ++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 72c38ab1..0d2a545a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,9 +18,36 @@ class site_postfix::mx { 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; #'debug_peer_list': value => '127.0.0.1'; + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; } - include site_postfix::mx::smtpd_checks + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } user { 'vmail': ensure => present, @@ -30,6 +57,8 @@ class site_postfix::mx { managehome => true, } + include site_postfix::mx::smtpd_checks + class { 'postfix': root_mail_recipient => $root_mail_recipient, smtp_listen => 'all' -- cgit v1.2.3 From 3f1e47a8e92f2ddde45d0bdf6b0b1a51c79d913c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- provider_base/services/mx.json | 11 +++++++++++ 1 file changed, 11 insertions(+) 
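Review bot: This hunk replays the earlier "Configure Postfix for incoming mails" change on top of the alias-resolver version of mx.pp and produces code that cannot compile: the inserted `value => 'check_recipient_access hash:/etc/postfix/recipient,...'` line directly follows the `#'debug_peer_list'` comment with no parameter title, `'mailbox_size_limit'`, `'home_mailbox'` and `'virtual_alias_maps'` are now listed twice inside the same `postfix::config` block, and `user { 'vmail': ... }` is declared twice again. The same replay continues in the following mx.pp and mx.json hunks on this page; the whole sequence should be dropped in favour of the already-merged versions rather than patched up.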
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 91ad3277..73bbea83 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -18,4 +18,15 @@ "commercial_ca_cert": "= try_file :commercial_ca_cert" }, "service_type": "user_service" +} + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" + } } -- cgit v1.2.3 From c601ad1021dabc0301097f7c32123c44fc06ca75 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/site_postfix/manifests/mx.pp | 8 -------- 1 file changed, 8 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0d2a545a..932cdd75 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,14 +49,6 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, - } - include site_postfix::mx::smtpd_checks class { 'postfix': -- cgit v1.2.3 From 28e4abe1b1032746cf63616a6e7a1f43860061c4 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:08:18 +0200 Subject: fixed provider_base/services/mx.json syntax --- provider_base/services/mx.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 73bbea83..91ad3277 100644 
--- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -18,15 +18,4 @@ "commercial_ca_cert": "= try_file :commercial_ca_cert" }, "service_type": "user_service" -} - }, - "x509": { - "use": true, - "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", - "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", - "commercial_key": "= file [:commercial_key, domain.full_suffix]", - "commercial_ca_cert": "= try_file :commercial_ca_cert" - } } -- cgit v1.2.3 From 6b4d0522e1578ea1a0683c6a8d6c4117dca67d2f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 932cdd75..ee9bce3e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -27,19 +27,7 @@ class site_postfix::mx { value => 'hash:/etc/postfix/virtual'; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From 2a853087a0bec5f9ec166fff538bda9076bb8369 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index ee9bce3e..24698878 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -27,7 +27,7 @@ class site_postfix::mx { value => 'hash:/etc/postfix/virtual'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From 901a06d29c0c658b479f4c5a0828b263d7d6de0f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:39:37 +0200 Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 24698878..fa2765a4 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,7 +11,7 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; -- cgit v1.2.3 From aa5be3d639c5445d3a069c72eb5c20e209440721 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:40:13 +0200 Subject: beginning of smtp_auth config with client certs --- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp new file mode 100644 index 00000000..ab75130e 
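Review bot: `permit_tls_all_clientcerts` is appended after `reject_unauth_destination` in `smtpd_recipient_restrictions`; Postfix evaluates a restriction list left to right and stops at the first PERMIT or REJECT, so any relay attempt is already rejected before the client-certificate check is reached, and the new entry only ever applies to mail that would have been accepted anyway. If the intent is to let clients with a verified certificate relay, the order must be `check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination`. That also makes `smtpd_tls_CAfile` a hard requirement, since without a CA to verify against no client certificate can pass.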
--- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -0,0 +1,10 @@ +class site_postfix::mx::smtp_auth { + $x509 = hiera('x509') + + postfix::config { + 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; + 'smtpd_tls_key_file': value => $x509['client_ca_key']; + 'smtpd_tls_ask_ccert': value => 'yes'; + #'smtpd_tls_CAfile': value => + } +} -- cgit v1.2.3 From 34e316e64d0a733b9df48526896fb7c74f659ccb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:39:56 +0200 Subject: updated submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 +Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee -- cgit v1.2.3 From f250e5bdd7481ced4285dfe8b2805098fa867474 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:07 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7b6c9a29..20deb065 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 +Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 -- cgit v1.2.3 From 8a17f5ccb00eeccdce2c41370d4b49ded50aba2b Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:59 +0200 Subject: updated submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 
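Review bot: smtp_auth.pp points `smtpd_tls_cert_file` and `smtpd_tls_key_file` at `$x509['client_ca_cert']` and `$x509['client_ca_key']`, i.e. it presents the client CA as the server certificate and uses the CA's private key to terminate TLS; a CA key should only sign certificates, and a CA certificate is likely to fail name and purpose checks in connecting clients. The server's own material from the same hiera hash, `$x509['cert']` and `$x509['key']` (used that way in site_mx::couchdb elsewhere in this series), belongs in those two settings, while the client CA certificate belongs in the commented-out `smtpd_tls_CAfile` so that `smtpd_tls_ask_ccert = yes` can actually verify what clients present.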
From 1c9c5a5fec51919a8e9ec14f5fe9b16c538bb4fa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 May 2013 17:35:20 -0400 Subject: initial soledad configuration Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190 --- provider_base/services/soledad.json | 2 +- puppet/manifests/site.pp | 4 ++ puppet/modules/site_shorewall/manifests/soledad.pp | 20 +++++++ puppet/modules/soledad/manifests/init.pp | 34 ++++++++++++ puppet/modules/soledad/manifests/server.pp | 62 ++++++++++++++++++++++ .../soledad/templates/soledad-server.conf.erb | 3 ++ 6 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_shorewall/manifests/soledad.pp create mode 100644 puppet/modules/soledad/manifests/init.pp create mode 100644 puppet/modules/soledad/manifests/server.pp create mode 100644 puppet/modules/soledad/templates/soledad-server.conf.erb diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index 10657563..de24d8ef 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json @@ -3,4 +3,4 @@ "soledad": { "port": 1111 } -} \ No newline at end of file +} diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..bdb57c83 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -30,6 +30,10 @@ if $services =~ /\bwebapp\b/ { include site_nickserver } +if $services =~ /\bsoledad\b/ { + include soledad::server +} + if $services =~ /\bmonitor\b/ { include site_nagios } diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp new file mode 100644 index 00000000..f3272c04 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/soledad.pp 
@@ -0,0 +1,20 @@ +class site_shorewall::soledad { + + include site_shorewall::defaults + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_soledad': + content => 'PARAM - - tcp 2424', + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-soledad': + source => 'net', + destination => '$FW', + action => 'leap_soledad(ACCEPT)', + order => 200; + } +} + diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp new file mode 100644 index 00000000..08ba88a7 --- /dev/null +++ b/puppet/modules/soledad/manifests/init.pp @@ -0,0 +1,34 @@ +class soledad { + + group { 'soledad': + ensure => present, + allowdupe => false; + } + + user { 'soledad': + ensure => present, + allowdupe => false, + gid => 'soledad', + home => '/srv/leap/soledad', + require => Group['soledad']; + } + + file { + '/srv/leap/soledad': + ensure => directory, + owner => 'soledad', + group => 'soledad', + require => User['soledad']; + + '/var/lib/soledad': + ensure => directory, + owner => 'soledad', + group => 'soledad', + require => User['soledad']; + } + + package { 'soledad-common': + ensure => installed, + require => User['soledad']; + } +} diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp new file mode 100644 index 00000000..06de8642 --- /dev/null +++ b/puppet/modules/soledad/manifests/server.pp 
@@ -0,0 +1,62 @@ +class soledad::server { + tag 'leap_service' + include soledad + + $couchdb = hiera('couch') + $couchdb_host = 'localhost' + $couchdb_port = '4096' + $couchdb_user = $couchdb['users']['soledad']['username'] + $couchdb_password = $couchdb['users']['soledad']['password'] + + $x509 = hiera('x509') + $x509_key = $x509['key'] + $x509_cert = $x509['cert'] + $x509_ca = $x509['ca_cert'] + + x509::key { 'soledad': + content => $x509_key, + notify => Service['soledad-server']; + } + + x509::cert { 'soledad': + content => $x509_cert, + notify => Service['soledad-server']; + } + + x509::ca { 'soledad': + content => $x509_ca, + notify => Service['soledad-server']; + } + + # + # SOLEDAD CONFIG + # + + file { '/etc/leap/soledad-server.conf': + content => template('soledad/soledad-server.conf.erb'), + owner => 'soledad', + group => 'soledad', + mode => '0600', + notify => Service['soledad-server'], + require => Class['soledad']; + } + + package { 'soledad-server': + ensure => installed + } + + file { '/etc/default/soledad': + content => "CERT_PATH=/etc/x509/certs/soledad.crt\nPRIVKEY_PATH=/etc/x509/keys/soledad.key\n", + require => Package['soledad-server'] + } + + service { 'soledad-server': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => [ Class['soledad'], Package['soledad-server'] ]; + } + + include site_shorewall::soledad +} diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb new file mode 100644 index 00000000..47d1f6e4 --- /dev/null +++ b/puppet/modules/soledad/templates/soledad-server.conf.erb @@ -0,0 +1,3 @@ +[soledad-server] +couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %> + -- cgit v1.2.3 From d8a066a4307bea4c6dd6741daa250b67c92c1606 Mon Sep 17 00:00:00 2001 
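Review bot: In soledad-server.conf.erb the CouchDB username and password are interpolated raw into the userinfo part of `couch_url`, so any `@`, `:`, `/` or `#` in the password changes how the URL is parsed and silently breaks authentication. Percent-encode both parts, e.g. `couch_url = http://<%= URI.encode_www_form_component(@couchdb_user) %>:<%= URI.encode_www_form_component(@couchdb_password) %>@<%= @couchdb_host %>:<%= @couchdb_port %>` (Ruby's `URI` is normally loaded in Puppet's template scope — confirm). The rendered file is correctly restricted to the `soledad` user at mode 0600 in server.pp, so the remaining exposure is only the encoding, not the storage.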
From: Micah Anderson Date: Thu, 25 Jul 2013 14:40:53 -0400 Subject: initial leap_mx configuration Change-Id: Iddca4cf52706bf2f612d20ba19a53fbbe6b28479 --- puppet/modules/leap_mx/manifests/init.pp | 56 ++++++++++++++++++++++++++++ puppet/modules/leap_mx/templates/mx.conf.erb | 15 ++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 72 insertions(+) create mode 100644 puppet/modules/leap_mx/manifests/init.pp create mode 100644 puppet/modules/leap_mx/templates/mx.conf.erb diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp new file mode 100644 index 00000000..652eb85b --- /dev/null +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -0,0 +1,56 @@ +class leap_mx { + + $couchdb_host = 'localhost' + $couchdb_port = '4096' + $couchdb_user = $soledad::couchdb::user + $couchdb_password = $soledad::couchdb::password + + # + # USER AND GROUP + # + + group { 'leap-mx': + ensure => present, + allowdupe => false; + } + + user { 'leap-mx': + ensure => present, + allowdupe => false, + gid => 'leap-mx', + home => '/etc/leap', + require => Group['leap-mx']; + } + + # + # LEAP-MX CONFIG + # + + file { '/etc/leap/mx.conf': + content => template('leap_mx/mx.conf.erb'), + owner => 'leap-mx', + group => 'leap-mx', + mode => '0600', + notify => Service['leap-mx']; + } + + # + # LEAP-MX CODE + # + + package { 'leap-mx': + ensure => installed; + } + + # + # LEAP-MX DAEMON + # + + service { 'leap_mx': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => [ Package['leap-mx'] ]; + } +} diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb new file mode 100644 index 00000000..bf1e6421 --- /dev/null +++ b/puppet/modules/leap_mx/templates/mx.conf.erb 
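Review bot: `$couchdb_user = $soledad::couchdb::user` and the password line read variables from a class `soledad::couchdb` that is declared nowhere in this series (soledad::server defines `$couchdb_user`, not `soledad::couchdb::user`), so they resolve to undef and mx.conf is rendered with empty credentials — the later "Feature #3347" commit on this page confirms exactly that. The resource is also declared as `service { 'leap_mx': ...}` while the file resource notifies `Service['leap-mx']`, so the catalog fails to compile (fixed later as Bug #3331). Until the source of the credentials is settled, failing fast is preferable to writing an empty `password=` line: `if $couchdb_user == undef { fail('leap_mx: couchdb credentials are not set') }`.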
@@ -0,0 +1,15 @@ +[mail1] +path=/var/mail/vmail +recursive=True + +[couchdb] +user=<%= @couchdb_user %> +password=<%= @couchdb_password %> +server=<%= @couchdb_host %> +port=<%= @couchdb_port %> + +[alias map] +port=4242 + +[check recipient] +port=2244 \ No newline at end of file diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 86ae56e1..4cf3f41a 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -6,4 +6,5 @@ class site_mx { include site_shorewall::mx include site_shorewall::service::smtp include site_mx::couchdb + include leap_mx } -- cgit v1.2.3 From 26a443be18ec15e972da2aed776c2a918736922a Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 26 Jul 2013 02:32:38 -0700 Subject: fix cert generation bug: was creating 2024 bit keys instead of 2048 bit keys by default. --- provider_base/provider.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index b6a7af21..84ef640e 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -38,12 +38,12 @@ "digest": "SHA256", "life_span": "10y", "server_certificates": { - "bit_size": 2024, + "bit_size": 2048, "digest": "SHA256", "life_span": "1y" }, "client_certificates": { - "bit_size": 2024, + "bit_size": 2048, "digest": "SHA256", "life_span": "2m", "limited_prefix": "LIMITED", -- cgit v1.2.3 From 4766d719b1181b636dc57374b478d2c21e369dc1 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 26 Jul 2013 02:35:04 -0700 Subject: added haproxy weights to webapp hiera (at haproxy.servers) --- platform.rb | 2 +- provider_base/services/webapp.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 9921f3a2..32b8fd19 100644 --- a/platform.rb +++ b/platform.rb 
@@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.2.3" - self.compatible_cli = "1.1.3".."1.99" + self.compatible_cli = "1.1.4".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 93396ec7..55331274 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -19,7 +19,8 @@ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" }, "haproxy": { - "local_ports": "= stunnel.couch_client.field(:accept_port)" + "local_ports": "= stunnel.couch_client.field(:accept_port)", + "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" }, "definition_files": { "provider": "= file :provider_json_template", -- cgit v1.2.3 From 9ac4380bc1c6c4c88392c371cd3f4b306c3879d9 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Jul 2013 17:12:28 -0700 Subject: try::file bugfixes -- add refreshonly to chmod/chown, ensure old file is replaced even if it is a link --- puppet/modules/try/manifests/file.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 4cefef2f..56a7c997 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -10,6 +10,7 @@ # * $restore does not work for directories # * only file:// $source is supported # * $content is not supported, only $target or $source. +# * does not auto-require all the parent directories like 'file' does # define try::file ( $ensure = undef, 
@@ -32,14 +33,17 @@ define try::file ( "chmod_${name}": command => "/bin/chmod -R ${mode} '${name}'", onlyif => "/usr/bin/test $mode", + refreshonly => true, loglevel => debug; "chown_${name}": command => "/bin/chown -R ${owner} '${name}'", onlyif => "/usr/bin/test $owner", + refreshonly => true, loglevel => debug; "chgrp_${name}": command => "/bin/chgrp -R ${group} '${name}'", onlyif => "/usr/bin/test $group", + refreshonly => true, loglevel => debug; } @@ -67,9 +71,9 @@ define try::file ( } } else { exec { "cp_${name}": - command => "/bin/cp '${source}' '${name}'", + command => "/bin/cp --remove-destination '${source}' '${name}'", onlyif => "/usr/bin/test -e '${source}'", - unless => "/usr/bin/diff -q '${source}' '${name}'", + unless => "/usr/bin/test ! -h '${name}' && /usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } -- cgit v1.2.3 From 3368fe07aac81e1bef8701c106234a6d67ccad6d Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Jul 2013 17:13:34 -0700 Subject: site_webapp bugfix - get compile_assets to run by ensuring .scss files are created beforehand and have the correct permissions. --- puppet/modules/site_webapp/manifests/init.pp | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1071ea1d..4815bab4 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -55,8 +55,9 @@ class site_webapp { exec { 'compile_assets': cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', + command => '/usr/bin/bundle exec rake assets:precompile', user => 'leap-webapp', + logoutput => on_failure, require => Exec['bundler_update'], notify => Service['apache']; } 
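Review bot: The new `unless` joins two commands with `&&`, so these exec strings are being interpreted by a shell; `${source}` and `${name}` are single-quoted (a value containing `'` still breaks out), but `${mode}`, `${owner}` and `${group}` in the chmod/chown/chgrp commands of the first hunk are interpolated bare into `command` and `onlyif`. If any of these define parameters can be fed from hiera data, validate them before they reach a shell, e.g. `if $mode !~ /^[0-7]{3,4}$/ { fail("try::file ${name}: unexpected mode '${mode}'") }` and similar character-class checks for owner and group. Separately, `refreshonly => true` means ownership and mode are now reapplied only when the copy actually runs, so permission drift on an unchanged target is no longer corrected; that trade-off deserves a comment next to the three `refreshonly` lines. The define begins outside the hunk.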
@@ -103,6 +104,7 @@ class site_webapp { ensure => present, owner => leap-webapp, group => leap-webapp, + mode => '0644', require => Vcsrepo['/srv/leap/webapp'], source => $webapp['favicon']; @@ -110,15 +112,19 @@ class site_webapp { ensure => present, owner => leap-webapp, group => leap-webapp, + mode => '0644', require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['tail_scss']; + source => $webapp['tail_scss'], + before => Exec['bundler_update']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': ensure => present, owner => leap-webapp, group => leap-webapp, + mode => '0644', require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['head_scss']; + source => $webapp['head_scss'], + before => Exec['bundler_update']; '/srv/leap/webapp/public/img': ensure => directory, -- cgit v1.2.3 From 7ac64237fcb09893ae36b1b2f278e1474df8c49b Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 30 Jul 2013 13:10:52 -0700 Subject: site_webapp - add support for haproxy weights and backup servers (resolves #3278) --- platform.rb | 2 +- .../site_webapp/templates/haproxy_couchdb.cfg.erb | 25 ++++++++++++++-------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/platform.rb b/platform.rb index 32b8fd19..f6ff82c6 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.2.3" - self.compatible_cli = "1.1.4".."1.99" + self.compatible_cli = "1.2.1".."1.99" # # the facter facts that should be gathered diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index f08161ee..914a964e 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb 
@@ -1,16 +1,23 @@ listen bigcouch-in - mode http + mode http balance roundrobin - option httplog - option dontlognull - option httpchk GET / - option http-server-close - + option httplog + option dontlognull + option httpchk GET / # health check using simple get to root + option http-server-close # use client keep-alive, but close server connection. + option allbackups # balance among all backups, not just one. + bind localhost:4096 -<% for port in @local_ports -%> - server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 -<% end -%> + default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 + +<%- if @haproxy['servers'] -%> +<%- @haproxy['servers'].each do |name,server| -%> +<%- backup = server['backup'] ? 'backup' : '' -%> + # <%=name%> + server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check +<%- end -%> +<%- end -%> -- cgit v1.2.3 From b87bd57ad010ee6f091f77b8b1f653afafc0e4c7 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 28 Jul 2013 18:14:01 -0700 Subject: added webapp.secure flag (turns on secure cookies and HSTS) --- provider_base/services/webapp.json | 3 ++- puppet/modules/site_webapp/templates/config.yml.erb | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 55331274..ed039b01 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -13,7 +13,8 @@ "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", "allow_anonymous_certs": "= global.provider.service.allow_anonymous", "secret_token": "= secret :webapp_secret_token", - "api_version": 1 + "api_version": 1, + "secure": false }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" 
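Review bot: The backend `server` id is built as `couchdb_<%=server['port']%>`, so two entries of `@haproxy['servers']` that share a port (two hosts addressed on the same port) render duplicate server names, which haproxy rejects when the config is checked; the hash key `name` is already unique, so `server <%=name%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check` is the safer id and makes the `# <%=name%>` comment line redundant. `weight <%=server['weight']%>` also assumes every entry carries a weight — a nil renders `weight ` and fails the same check; presumably `haproxy_servers()` always fills it, but the template should not depend on that.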
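Review bot: `"secure": false` makes the insecure behaviour the default: a provider that never sets `webapp.secure` deploys without secure cookies or HSTS (the commit message says the flag turns both on), and nothing next to the key says it should be flipped for production. Either default it to `true` and let local/dev setups override it, or document it in the `//` comment style this file already uses: `// "secure": true enables secure cookies and HSTS; leave false only for local/dev deployments`.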
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index df562cd9..8b4b3bbe 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -2,6 +2,7 @@ production: admins: [admin] domain: <%= @provider_domain %> + force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> secret_token: "<%= @secret_token %>" -- cgit v1.2.3 From 95fc96fc7642e389172b02cb8ef7d4b7689cb7df Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Jul 2013 01:10:33 -0700 Subject: webapp - use hiera config "webapp.admins" for the list of admin usernames, default to empty list. --- provider_base/services/webapp.json | 1 + puppet/modules/site_webapp/templates/config.yml.erb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ed039b01..b9e823da 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,5 +1,6 @@ { "webapp": { + "admins": [], "modules": ["user", "billing", "help"], "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", // "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 8b4b3bbe..05d62d41 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,6 +1,6 @@ <%- cert_options = @webapp['client_certificates'] -%> production: - admins: [admin] + admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> -- cgit v1.2.3 
From 9e83de3497ec55f4910de099917387d500b8f4b4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 14:37:17 +0200 Subject: Site_webapp/Try::File: Could not find command 'git' (Bug #3202) --- puppet/modules/site_config/manifests/base_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp index 3d40f7a2..98a138ee 100644 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ b/puppet/modules/site_config/manifests/base_packages.pp @@ -1,7 +1,7 @@ class site_config::base_packages { # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: + package { [ 'etckeeper', 'git', 'less', 'screen' ]: ensure => installed, } -- cgit v1.2.3 From 3272876226dafc7256dbf2ed056cbac5e63a7380 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 14:47:36 +0200 Subject: Revert "Site_webapp/Try::File: Could not find command 'git' (Bug #3202)" This reverts commit 9e83de3497ec55f4910de099917387d500b8f4b4. --- puppet/modules/site_config/manifests/base_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp index 98a138ee..3d40f7a2 100644 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ b/puppet/modules/site_config/manifests/base_packages.pp @@ -1,7 +1,7 @@ class site_config::base_packages { # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'git', 'less', 'screen' ]: + package { [ 'etckeeper', 'screen', 'less' ]: ensure => installed, } -- cgit v1.2.3 From 04502b614692145141c606f9ed052da4b1e4572a Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 31 Jul 2013 16:02:16 +0200 Subject: fix Could not find dependent Service[leap-mx] (Bug #3331)
---
 puppet/modules/leap_mx/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 652eb85b..23fd1054 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -46,7 +46,7 @@ class leap_mx {
 # LEAP-MX DAEMON
 #
 
- service { 'leap_mx':
+ service { 'leap-mx':
 ensure => running,
 enable => true,
 hasstatus => true,
-- cgit v1.2.3
From 80ae781667ab1d8803593e03fc9c928b86db5e97 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 17:40:26 +0200 Subject: fix /etc/leap/mx.conf doesn't contain any user credentials (Feature #3347)
---
 provider_base/services/mx.json | 1 +
 puppet/modules/leap_mx/manifests/init.pp | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 91ad3277..d633d1dc 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -8,6 +8,7 @@
 "haproxy": {
 "local_ports": "= stunnel.couch_client.field(:accept_port)"
 },
+ "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
 "x509": {
 "use": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 23fd1054..1e186bbb 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -1,9 +1,10 @@
 class leap_mx {
 
+ $couchdb_admin_user = hiera('couchdb_admin_user')
 $couchdb_host = 'localhost'
 $couchdb_port = '4096'
- $couchdb_user = $soledad::couchdb::user
- $couchdb_password = $soledad::couchdb::password
+ $couchdb_user = $couchdb_admin_user['username']
+ $couchdb_password = $couchdb_admin_user['password']
 
 #
 # USER AND GROUP
-- cgit v1.2.3
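Review bot: `couchdb_admin_user` hands the MX daemon the CouchDB admin credentials, although site_couchdb (further down this page) already creates per-service users with only the `auth` role; a compromise of the `leap-mx` process, which reads `/etc/leap/mx.conf` at mode 0600, therefore yields full database admin instead of one scoped account. If this is a stopgap like the soledad commit below says of its own admin use, record it where the next maintainer will see it: `# TODO(#3347): uses the couchdb admin user; replace with a dedicated leap-mx couchdb user`. The rest of class leap_mx lies outside the hunk.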
From 80b196be84d96b92e83acc680130a01370298c13 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 17:56:26 +0200 Subject: use smtpd_tls_security_level = may in postfix config (Bug #3348)
---
 puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 7da38100..4b7a2626 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -25,7 +25,7 @@ class site_postfix::mx::tls {
 'smtpd_tls_key_file': value => $key_path;
 'smtpd_tls_req_ccert': value => 'yes';
 'smtpd_tls_security_level':
- value => 'encrypt';
+ value => 'may';
 }
 }
 
-- cgit v1.2.3
From e22d7657c903aaebacb059a8da6dcf53184b3242 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 19:28:44 +0200 Subject: add haproxy servers to services/mx.json
---
 provider_base/services/mx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 91ad3277..50c03a19 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -6,7 +6,7 @@
 "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
 },
 "haproxy": {
- "local_ports": "= stunnel.couch_client.field(:accept_port)"
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)"
 },
 "x509": {
 "use": true,
-- cgit v1.2.3
From ab668294faeeb193ccb9c202fa48ed698696f931 Mon Sep 17 00:00:00 2001
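Review bot: With `smtpd_tls_security_level` dropped to `may`, the `smtpd_tls_req_ccert => 'yes'` kept two lines above no longer gates anything for a peer that simply never issues STARTTLS, because TLS — and with it the client-certificate check — is now optional on this listener. `may` is the correct level for a public MX, but if the client-certificate requirement was meant to restrict who may relay or submit, that policy now has to live on a separate submission listener (`-o smtpd_tls_security_level=encrypt` in master.cf) or in the relay restrictions, not on the inbound smtpd. A comment on the changed line would stop the next reader from assuming the two settings still combine: `# opportunistic TLS for inbound MX traffic; smtpd_tls_req_ccert above only applies once a peer does STARTTLS`.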
From: Micah Anderson Date: Mon, 29 Jul 2013 14:23:11 -0400 Subject: fix #3291: set the soledad port properly in the json and as a temporary work-around, use the couchdb admin/passwd Change-Id: Ibb1cd8416d00552f8ca1716e42a08137a4b461aa
---
 provider_base/services/soledad.json | 7 ++++---
 puppet/modules/soledad/manifests/server.pp | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index de24d8ef..b6a0721c 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -1,6 +1,7 @@
 {
- "service_type": "public_service",
 "soledad": {
- "port": 1111
- }
+ "port": 2424,
+ "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]"
+ },
+ "service_type": "public_service"
 }
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 06de8642..a75b4b8a 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -2,11 +2,11 @@ class soledad::server {
 tag 'leap_service'
 include soledad
 
- $couchdb = hiera('couch')
+ $couchdb = hiera('soledad')
 $couchdb_host = 'localhost'
 $couchdb_port = '4096'
- $couchdb_user = $couchdb['users']['soledad']['username']
- $couchdb_password = $couchdb['users']['soledad']['password']
+ $couchdb_user = $couchdb['couchdb_admin_user']['username']
+ $couchdb_password = $couchdb['couchdb_admin_user']['password']
 
 $x509 = hiera('x509')
 $x509_key = $x509['key']
-- cgit v1.2.3
From 39285550424853bc4ba38e447361ab77dea505d5 Mon Sep 17 00:00:00 2001
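Review bot: `couchdb_admin_user` gives the soledad server full CouchDB admin rights even though site_couchdb (further down this page) creates a dedicated `$couchdb_soledad_user` carrying only the `auth` role, so this is a least-privilege regression that the commit message itself calls a temporary work-around; record that in the code, where it will outlive the commit message: `# TODO(#3291): temporary — runs soledad with the couchdb admin user; switch back to the dedicated soledad couch user`. `$couchdb = hiera('soledad')` also now holds the soledad hash rather than the couch one, so the name misleads; `$soledad = hiera('soledad')` with `$soledad['couchdb_admin_user']` reads as intended. The class continues outside the hunk.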
From: Micah Anderson Date: Mon, 29 Jul 2013 14:55:37 -0400 Subject: For now, soledad will only exist on couchdb nodes (but not every couchdb has soledad), so fix the port to be the local couchdb port. In the future, we may want to separate them out. There is no need to do haproxy with soledad, because the client is supposed to try a different soledad node if it can't connect Change-Id: I87e2c5079ba361634336316721c4358a0917fb09 --- puppet/modules/soledad/manifests/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index a75b4b8a..00fee4ac 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -4,7 +4,7 @@ class soledad::server { $couchdb = hiera('soledad') $couchdb_host = 'localhost' - $couchdb_port = '4096' + $couchdb_port = '5984' $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] -- cgit v1.2.3 From c3ee10bfe3a9439897c896e4a1f2f599e664fb33 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 29 Jul 2013 16:59:12 -0400 Subject: add a requirement to soledad.json that soledad service is found on a couchdb node, if it is not, it will fail to compile this requires a newer leap_cli, so I've bumped the compatibility requirement Change-Id: Ie1061798d058087126163793b216dd5938eb95a6 --- provider_base/services/soledad.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index b6a0721c..e26e2667 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json 
@@ -1,7 +1,8 @@ { "soledad": { "port": 2424, - "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]" + "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", + "require_couchdb": "=> assert %(services.include? 'couchdb')" }, "service_type": "public_service" } -- cgit v1.2.3 From da191971398827f81ddb0dffd86d4a3c572f6386 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 29 Jul 2013 21:00:21 -0400 Subject: make site_shorewall::soledad use the hiera value for the soledad port Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920 --- puppet/modules/site_shorewall/manifests/soledad.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp index f3272c04..518d8689 100644 --- a/puppet/modules/site_shorewall/manifests/soledad.pp +++ b/puppet/modules/site_shorewall/manifests/soledad.pp @@ -1,10 +1,13 @@ class site_shorewall::soledad { + $soledad = hiera('soledad') + $soledad_port = $soledad['port'] + include site_shorewall::defaults # define macro for incoming services file { '/etc/shorewall/macro.leap_soledad': - content => 'PARAM - - tcp 2424', + content => "PARAM - - tcp ${soledad_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 7d6893194cf1b6b8f4b3afa407d70dc90fe25f6c Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 1 Aug 2013 12:31:57 -0700 Subject: run soledad daemon using the configured port. --- provider_base/services/soledad.json | 2 +- puppet/modules/soledad/manifests/server.pp | 11 +++++++++-- puppet/modules/soledad/templates/default-soledad.erb | 4 ++++ 3 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/soledad/templates/default-soledad.erb diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index e26e2667..6b41c128 100644 --- a/provider_base/services/soledad.json 
+++ b/provider_base/services/soledad.json
@@ -1,6 +1,6 @@
 {
 "soledad": {
- "port": 2424,
+ "port": 2323,
 "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
 "require_couchdb": "=> assert %(services.include? 'couchdb')"
 },
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 00fee4ac..ba482f29 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -13,6 +13,9 @@ class soledad::server {
 $x509_cert = $x509['cert']
 $x509_ca = $x509['ca_cert']
 
+ $soledad = hiera('soledad')
+ $soledad_port = $soledad['port']
+
 x509::key { 'soledad':
 content => $x509_key,
 notify => Service['soledad-server'];
@@ -46,8 +49,12 @@ class soledad::server {
 }
 
 file { '/etc/default/soledad':
- content => "CERT_PATH=/etc/x509/certs/soledad.crt\nPRIVKEY_PATH=/etc/x509/keys/soledad.key\n",
- require => Package['soledad-server']
+ content => template('soledad/default-soledad.erb'),
+ owner => 'soledad',
+ group => 'soledad',
+ mode => '0600',
+ notify => Service['soledad-server'],
+ require => Class['soledad'];
 }
 
 service { 'soledad-server':
diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb
new file mode 100644
index 00000000..da85338a
--- /dev/null
+++ b/puppet/modules/soledad/templates/default-soledad.erb
@@ -0,0 +1,4 @@
+# this file is managed by puppet
+CERT_PATH=/etc/x509/certs/soledad.crt
+PRIVKEY_PATH=/etc/x509/keys/soledad.key
+HTTPS_PORT=<%=@soledad_port%>
-- cgit v1.2.3
From 85bdcb07c47e1c310241d31b3360f2b64723585d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 17:23:07 -0400 Subject: update couchdb submodule to the latest version - fixes #3447 Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7
---
 puppet/modules/couchdb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 20deb065..f317163e 160000
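Review bot: `/etc/default/soledad` is now owned by the `soledad` service user at mode 0600, but files under /etc/default are sourced as shell by the init script, which presumably runs as root; letting the unprivileged service account write a file that root executes turns any compromise of soledad-server into a root-level foothold. Its contents (two paths and a port) are not secret, so `owner => 'root', group => 'root', mode => '0644'` is the safer declaration — confirm against how the soledad-server init script consumes it. Separately, `$soledad = hiera('soledad')` repeats the `$couchdb = hiera('soledad')` lookup already at the top of this class (outside the hunk), so `$soledad_port` could simply be `$couchdb['port']`, or better, the earlier variable renamed and reused.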
--- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit f317163e8aa6abfc992df5ef65d99b0861488d41 -- cgit v1.2.3 From 9aa06a43fdc2a4eee50556e46b40d5003eb25925 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 22:21:44 -0400 Subject: require that the couchdb::query::setup has been run before any attempts are made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 --- .../modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 ++++- puppet/modules/site_couchdb/manifests/init.pp | 16 ++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp index 241a4914..97e85785 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp @@ -1,5 +1,8 @@ class site_couchdb::bigcouch::add_nodes { # loop through neighbors array and add nodes $nodes = $::site_couchdb::bigcouch_config['neighbors'] - couchdb::bigcouch::add_node { $nodes: } + + couchdb::bigcouch::add_node { $nodes: + require => Couchdb::Query::Setup['localhost'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 802f3224..75ed87a0 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -59,23 +59,27 @@ class site_couchdb { # Populate couchdb couchdb::add_user { $couchdb_webapp_user: - roles => '["auth"]', - pw => $couchdb_webapp_pw, - salt => $couchdb_webapp_salt + roles => '["auth"]', + pw => $couchdb_webapp_pw, + salt => $couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::add_user { $couchdb_soledad_user: roles => '["auth"]', pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt + salt => $couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'users': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tokens': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }" + readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] } include site_shorewall::couchdb -- cgit v1.2.3 From 2530cd5fa6dbf39dc964b158d79d6d5c60babc4e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Jul 2013 22:48:22 +0200 Subject: vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330) squashed commits: site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy updated submodule squid_deb_proxy use squid_deb_proxy::client --- .gitmodules | 3 +++ puppet/manifests/setup.pp | 6 ++++++ puppet/modules/site_config/manifests/default.pp | 11 +++++++++++ puppet/modules/site_squid_deb_proxy/manifests/client.pp | 5 +++++ puppet/modules/squid_deb_proxy | 1 + 5 files changed, 26 insertions(+) create mode 100644 puppet/modules/site_squid_deb_proxy/manifests/client.pp create mode 160000 puppet/modules/squid_deb_proxy diff --git a/.gitmodules b/.gitmodules index b84dfef2..bfa826e2 100644 --- a/.gitmodules +++ b/.gitmodules 
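Review bot: The identical `require => Couchdb::Query::Setup['localhost']` is repeated on all four resources; a class-scoped resource default such as `Couchdb::Add_user { require => Couchdb::Query::Setup['localhost'] }` (and the same for `Couchdb::Create_db`) states the ordering once, and since resource defaults are dynamically scoped they should stay inside this class. The `readers` documents are still assembled by string interpolation of `$couchdb_webapp_user`, so a username containing a double quote would yield invalid JSON; that is acceptable while usernames come from provider config, but a one-line comment saying so would save the next reader from wondering. The class body continues outside the hunk.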
@@ -76,3 +76,6 @@ [submodule "puppet/modules/postfix"] path = puppet/modules/postfix url = git://labs.riseup.net/shared-postfix +[submodule "puppet/modules/squid_deb_proxy"] + path = puppet/modules/squid_deb_proxy + url = git://code.leap.se/puppet_squid_deb_proxy diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 80e7ffc2..d9e5229e 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -5,6 +5,8 @@ $services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +include concat::setup + include site_config::hosts include site_apt @@ -14,3 +16,7 @@ package { 'facter': require => Exec['refresh_apt'] } +if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client +} + diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index e299a0f4..0a4e75b6 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -44,4 +44,15 @@ class site_config::default { # set up core leap files and directories include site_config::files + + # redundant declarations, remove if + # "Move setup.pp to a subclass (site_config::setup) (Feature #2993)" + # is solved. + + # if squid_deb_proxy_client is set to true, install and configure + # squid_deb_proxy_client for apt caching + if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client + } + } diff --git a/puppet/modules/site_squid_deb_proxy/manifests/client.pp b/puppet/modules/site_squid_deb_proxy/manifests/client.pp new file mode 100644 index 00000000..27844270 --- /dev/null +++ b/puppet/modules/site_squid_deb_proxy/manifests/client.pp @@ -0,0 +1,5 @@ +class site_squid_deb_proxy::client { + include squid_deb_proxy::client + include site_shorewall::defaults + include shorewall::rules::mdns +} diff --git a/puppet/modules/squid_deb_proxy b/puppet/modules/squid_deb_proxy new file mode 160000 index 00000000..e796aac4 
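Review bot: `include shorewall::rules::mdns` in the new site_squid_deb_proxy::client class opens the multicast-DNS rule on every node that sets `squid_deb_proxy_client`, and whichever host on the link answers the avahi query becomes the proxy apt talks to, so package integrity rests on apt's signature verification rather than on the network; a comment saying so belongs in the class, e.g. `# mDNS is opened so avahi can find the proxy; any LAN host can answer, apt signatures protect package integrity`. The `hiera('squid_deb_proxy_client', false)` check is now made in both setup.pp and default.pp; the default.pp copy explains the duplication, but the setup.pp copy carries no such note and is the one a reader finds first, so the same comment should sit there too.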
--- /dev/null +++ b/puppet/modules/squid_deb_proxy @@ -0,0 +1 @@ +Subproject commit e796aac43aa9781069e167459253d040504c2092 -- cgit v1.2.3 From 5b52d1ed6e77416412a293be025580261284aa37 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Aug 2013 10:09:46 -0400 Subject: Fix problem where webapp production.log had the wrong permissions - #3471 Change-Id: I20a6ecc43e36fc1e8416c46f7e4d14726995d2f2 --- puppet/modules/site_webapp/manifests/couchdb.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index b4ef0980..ac01a5bc 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -39,7 +39,15 @@ class site_webapp::couchdb { mode => '0600', require => Vcsrepo['/srv/leap/webapp']; - '/srv/leap/webapp/logs/production.log': + '/srv/leap/webapp/log': + ensure => directory, + owner => leap-webapp, + group => leap-webapp, + mode => '0755', + require => Vcsrepo['/srv/leap/webapp']; + + '/srv/leap/webapp/log/production.log': + ensure => present, owner => leap-webapp, group => leap-webapp, mode => '0666', -- cgit v1.2.3 From abfea88ae96f9f4431a4e67866139258ef28a2b5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 17:23:07 -0400 Subject: update couchdb submodule to the latest version - fixes #3447 Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..f317163e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit f317163e8aa6abfc992df5ef65d99b0861488d41 -- cgit v1.2.3 From 3544497599bfd7902b7b1be6661aaf1048af44e3 Mon Sep 17 00:00:00 2001 
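Review bot: `mode => '0666'` on `/srv/leap/webapp/log/production.log` makes the log world-writable, so any local account can append to or truncate the webapp's request log; the file is owned by leap-webapp and the application presumably runs as that user, so `mode => '0660'` (or `'0640'` if only the owner writes) is sufficient. The commit fixes the path and ownership but keeps that mode line as context, so it is still the effective permission. The file resource block continues outside the hunk in both directions.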
From: Micah Anderson Date: Tue, 13 Aug 2013 22:21:44 -0400 Subject: require that the couchdb::query::setup has been run before any attempts are made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 --- .../modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 ++++- puppet/modules/site_couchdb/manifests/init.pp | 16 ++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp index 241a4914..97e85785 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp @@ -1,5 +1,8 @@ class site_couchdb::bigcouch::add_nodes { # loop through neighbors array and add nodes $nodes = $::site_couchdb::bigcouch_config['neighbors'] - couchdb::bigcouch::add_node { $nodes: } + + couchdb::bigcouch::add_node { $nodes: + require => Couchdb::Query::Setup['localhost'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 802f3224..75ed87a0 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -59,23 +59,27 @@ class site_couchdb { # Populate couchdb couchdb::add_user { $couchdb_webapp_user: - roles => '["auth"]', - pw => $couchdb_webapp_pw, - salt => $couchdb_webapp_salt + roles => '["auth"]', + pw => $couchdb_webapp_pw, + salt => $couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::add_user { $couchdb_soledad_user: roles => '["auth"]', pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt + salt => $couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'users': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tokens': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }" + readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] } include site_shorewall::couchdb -- cgit v1.2.3 From cd3be2c03f27a9ecf0b5f4159ae4d16dbeb1f046 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Aug 2013 11:17:09 -0400 Subject: add START=yes to /etc/default/soledad to start the daemon, new package requires this to start. Closes: #3474 Change-Id: I921dcf0d6571cd60d2705ae4925d0a4318c84fa2 --- puppet/modules/soledad/templates/default-soledad.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb index da85338a..fd38903a 100644 --- a/puppet/modules/soledad/templates/default-soledad.erb +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -1,4 +1,5 @@ # this file is managed by puppet +START=yes CERT_PATH=/etc/x509/certs/soledad.crt PRIVKEY_PATH=/etc/x509/keys/soledad.key HTTPS_PORT=<%=@soledad_port%> -- cgit v1.2.3 From 2eec8200a35ea71e1ea5a1a56fe3a266603284fc Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 15 Aug 2013 14:48:38 -0400 Subject: Because both soledad and leap-mx do not function with twisted 12, we had to backport twisted 13. In order to install the backported dependencies we need an apt preferences_snippet installed for the backported twisted packages Change-Id: I886bb735eeb3abe7955c7cf054b749554ab84746 --- puppet/modules/leap_mx/manifests/init.pp | 2 ++ puppet/modules/site_apt/manifests/preferences/twisted.pp | 10 ++++++++++ puppet/modules/soledad/manifests/server.pp | 1 + 3 files changed, 13 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/twisted.pp diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 1e186bbb..ffa4519d 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -6,6 +6,8 @@ class leap_mx { $couchdb_user = $couchdb_admin_user['username'] $couchdb_password = $couchdb_admin_user['password'] + include site_apt::preferences::twisted + # # USER AND GROUP # diff --git a/puppet/modules/site_apt/manifests/preferences/twisted.pp b/puppet/modules/site_apt/manifests/preferences/twisted.pp new file mode 100644 index 00000000..2ba40e3d --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/twisted.pp @@ -0,0 +1,10 @@ +class site_apt::preferences::twisted { + + apt::preferences_snippet { 'python-twisted': + package => 'python-twisted*', + release => "${::lsbdistcodename}-backports", + priority => 999, + before => Package['soledad-server'] + } + +} diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index ba482f29..00d87a4d 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -1,6 +1,7 @@ class soledad::server { tag 'leap_service' include soledad + include site_apt::preferences::twisted $couchdb = hiera('soledad') $couchdb_host = 'localhost' -- cgit v1.2.3 
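Review bot: `before => Package['soledad-server']` in the new twisted.pp hard-codes a reference to a package resource that only soledad::server declares, while the leap_mx hunk above includes the same class on MX nodes; on a node that runs leap_mx without soledad-server the catalog would fail on the unresolved reference (inferred from this commit alone — if every leap_mx node also carries soledad-server this does not apply). Declaring the ordering from the consumer side, `require => Class['site_apt::preferences::twisted']` on each package that needs the backport, keeps the preferences class reusable. The pin `package => 'python-twisted*'` at priority 999 also pulls every package matching that glob from backports, not only the core twisted package; a comment stating that this is intended would help.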
From fb38e5f896b460e05907b493bfe0ad38006f2060 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 15 Aug 2013 15:39:10 -0400 Subject: Revert "temp hack: deploy the webapp as couch user 'admin'" This reverts commit 8c038fea91adc87adf9e408c16e2f0ec9838e3d2. --- provider_base/services/webapp.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index b9e823da..ee61e5ab 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -3,8 +3,7 @@ "admins": [], "modules": ["user", "billing", "help"], "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", -// "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", - "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:admin]", + "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", -- cgit v1.2.3 From 5229fc7ffc3e804b788b3d25042514806f9a4e9b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 16 Aug 2013 09:55:34 -0400 Subject: update couchdb submodule to fix #3481 Change-Id: I474cc691fcfc892b7aff4a3a0e3954155bf5ee30 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f317163e..1434b942 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f317163e8aa6abfc992df5ef65d99b0861488d41 +Subproject commit 1434b9422bf37d1abcff53a076e9f07892c87022 -- cgit v1.2.3 From 377614a88317663847edb7ab692bef90f942a636 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 21 Aug 2013 10:05:09 -0400 Subject: update couchdb module to resolve #3459 Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 1434b942..eb45c81b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 1434b9422bf37d1abcff53a076e9f07892c87022 +Subproject commit eb45c81bec1328b5fed6bcfe78059037af190c05 -- cgit v1.2.3 From e3a1c5d0c8f644bc0956758a8832d2f586556cf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:36:12 -0400 Subject: Disable verbose, identifying apache headers (#3462): . Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a --- puppet/modules/site_apache/files/conf.d/security | 50 ++++++++++++++++++++++ .../site_apache/templates/vhosts.d/api.conf.erb | 5 +++ .../templates/vhosts.d/leap_webapp.conf.erb | 5 +++ 3 files changed, 60 insertions(+) create mode 100644 puppet/modules/site_apache/files/conf.d/security diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security new file mode 100644 index 00000000..11159f48 --- /dev/null +++ b/puppet/modules/site_apache/files/conf.d/security 
@@ -0,0 +1,50 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages. It will be made the default for the release after lenny.
+#
+#
+# AllowOverride None
+# Order Deny,Allow
+# Deny from all
+#
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+#ServerTokens Minimal
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+#ServerSignature Off
+ServerSignature Off
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of: On | Off | extended
+#
+#TraceEnable Off
+TraceEnable On
+
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index ae894cd4..6a276e22 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
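Review bot: `TraceEnable On` at the end of the new security file leaves the TRACE method enabled, which works against the commit's stated goal of reducing what the server discloses; the commented default just above it already shows the intended value, so change the line to `TraceEnable Off`. The later hunk under commit 538fe40239 keeps `TraceEnable On` as context, so it would need the same change. The diffstat for this commit lists only this file and two vhost templates, so whatever installs files/conf.d/security into Apache's configuration is not part of this change; a one-line comment at the top naming the resource that deploys it would help the next reader.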
@@ -21,6 +21,11 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4b051699..9108caff 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,6 +21,11 @@ RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public RewriteEngine On -- cgit v1.2.3 From 538fe40239c59c186099fa7e1a026969fba4ae36 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 20 Aug 2013 20:53:58 -0400 Subject: Set apache header X-Frame-Options: "DENY" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user in to clicking in the iframe, the attacker can coerce the user in to performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML /JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d --- puppet/modules/site_apache/files/conf.d/security | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security index 11159f48..a5ae5bdc 100644 --- a/puppet/modules/site_apache/files/conf.d/security +++ b/puppet/modules/site_apache/files/conf.d/security @@ -48,3 +48,8 @@ ServerSignature Off #TraceEnable Off TraceEnable On +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +Header set X-Frame-Options: "DENY" -- cgit v1.2.3 From 613f7f12f4c907ea07e79e3e73da8f2b71d3436d Mon Sep 17 00:00:00 2001 
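Review bot: `Header set X-Frame-Options: "DENY"` is added without `always`, so it is applied only to successful responses and not to error pages, whereas the other hardening headers in the preceding commits are all written with `Header always`; write it as `Header always set X-Frame-Options "DENY"`. The colon after the header name is not part of the documented mod_headers syntax; Apache may tolerate it, but the form without the colon is the one to keep. If Apache is ever run without mod_headers this directive is a configuration error rather than a no-op, which the comment in the hunk already hints at.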
From: Micah Anderson Date: Tue, 20 Aug 2013 20:44:21 -0400 Subject: add HSTS if hiera value for webapp['secure'] is set (#3514) Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +++ puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 +++ 2 files changed, 6 insertions(+) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 6a276e22..bc5ff156 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -22,6 +22,9 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 9108caff..5e3960c2 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,6 +22,9 @@ RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime -- cgit v1.2.3 From 3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 Mon Sep 17 00:00:00 2001 
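Review bot: `includeSubDomains` in the Strict-Transport-Security value commits every subdomain of the API and webapp host names to HTTPS for a year in every browser that has seen the header, which is wider than the two vhosts this hunk touches; if any other service under those names still answers on plain HTTP, browsers will refuse it. Either confirm that intent with a comment, `# includeSubDomains: every host below this name must serve HTTPS`, or drop the directive until that holds. The leap_webapp.conf.erb hunk below carries the same line and the same consideration. Both hunks sit inside vhost definitions whose start and end are outside the hunk.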
From: Micah Anderson Date: Tue, 20 Aug 2013 19:45:56 -0400 Subject: install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 --- puppet/manifests/setup.pp | 2 + puppet/modules/site_config/manifests/firewall.pp | 62 ++++++++++++++++++++++ .../templates/ipv4firewall_up.rules.erb | 20 +++++++ .../templates/ipv6firewall_up.rules.erb | 7 +++ .../modules/site_shorewall/manifests/defaults.pp | 28 +++++++++- puppet/modules/site_shorewall/manifests/sshd.pp | 6 +++ 6 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_config/manifests/firewall.pp create mode 100644 puppet/modules/site_config/templates/ipv4firewall_up.rules.erb create mode 100644 puppet/modules/site_config/templates/ipv6firewall_up.rules.erb diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index d9e5229e..84e4c056 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -9,6 +9,8 @@ include concat::setup include site_config::hosts +include site_config::initial_firewall + include site_apt package { 'facter': diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/firewall.pp 
@@ -0,0 +1,62 @@
+class site_config::initial_firewall {
+
+ # This class is intended to setup an initial firewall, before shorewall is
+ # configured. The purpose of this is for the rare case where shorewall fails
+ # to start, we should not expose services to the public.
+
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+
+ package { 'iptables':
+ ensure => present
+ }
+
+ file {
+ # This firewall enables ssh access, dns lookups and web lookups (for
+ # package installation) but otherwise restricts all outgoing and incoming
+ # ports
+ '/etc/network/ipv4firewall_up.rules':
+ content => template('site_config/ipv4firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # This firewall denys all ipv6 traffic - we will need to change this
+ # when we begin to support ipv6
+ '/etc/network/ipv6firewall_up.rules':
+ content => template('site_config/ipv6firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # Run the iptables-restore in if-pre-up so that the network is locked down
+ # until the correct interfaces and ips are connected
+ '/etc/network/if-pre-up.d/ipv4tables':
+ content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+
+ # Same as above for IPv6
+ '/etc/network/if-pre-up.d/ipv6tables':
+ content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+ }
+
+ # Immediately setup these firewall rules, but only if shorewall is not running
+ exec {
+ 'default_ipv4_firewall':
+ command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv4firewall_up.rules'];
+
+ 'default_ipv6_firewall':
+ command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => 
File['/etc/network/ipv6firewall_up.rules'];
+ }
+}
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
new file mode 100644
index 00000000..c03716f3
--- /dev/null
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -0,0 +1,20 @@
+# Generated by iptables-save v1.4.14 on Tue Aug 20 14:40:40 2013
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
+-A INPUT -p udp -m udp --sport 53 -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+COMMIT
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
new file mode 100644
index 00000000..e7fae52e
--- /dev/null
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -0,0 +1,7 @@
+# Generated by ip6tables-save v1.4.20 on Tue Aug 20 12:19:43 2013
+*filter
+:INPUT DROP [24:1980]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [14:8030]
+COMMIT
+# Completed on Tue Aug 20 12:19:43 2013
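Review bot: `-A INPUT -p udp -m udp --sport 53 -j ACCEPT` in ipv4firewall_up.rules.erb accepts any inbound UDP datagram whose source port is 53, regardless of destination port or connection state, so a sender that simply uses source port 53 reaches every UDP listener on the host while this ruleset is meant to be the fail-closed fallback; DNS replies are already admitted by the `RELATED,ESTABLISHED` rule two lines above, so this line can be dropped. The `-A OUTPUT ... --sport <%= @ssh_port %>` rule exists only because OUTPUT has no general conntrack rule; adding `-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` once would cover SSH, DNS and HTTP replies and let the per-service reply rules go. A one-line comment in the template naming what each ACCEPT is for would make the next audit of this file faster; the class comment in firewall.pp covers the intent, but the template stands alone.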
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c62c9307..35e47982 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,4 +1,5 @@ class site_shorewall::defaults { + include shorewall include site_config::params @@ -18,8 +19,6 @@ class site_shorewall::defaults { options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::routestopped { $site_config::params::interface: } - shorewall::policy { 'fw-to-all': sourcezone => 'fw', @@ -42,5 +41,30 @@ class site_shorewall::defaults { order => 200; } + package { 'shorewall-init': + ensure => installed + } + + augeas { + # stop instead of clear firewall on shutdown + 'shorewall_SAFESTOP': + changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + # require that the interface exist + 'shorewall_REQUIRE_INTERFACE': + changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + # configure shorewall-init + 'shorewall-init': + changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall', + lens => 'Shellvars.lns', + incl => '/etc/default/shorewall-init', + require => [ Package['shorewall-init'], Service['shorewall'] ] + } + include site_shorewall::sshd } diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index a8e09e42..88b4102c 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp 
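Review bot: In the third defaults.pp hunk the augeas resources mix `notify => Service[shorewall]` (bareword) with `Service['shorewall']` (quoted) in `require => [ Package['shorewall-init'], Service['shorewall'] ]`; both parse, but one form should be used throughout the block. The `'shorewall-init'` resource sets PRODUCTS in /etc/default/shorewall-init but notifies nothing, so the new value is only read at the next boot; if a shorewall-init service is managed elsewhere it should be notified, otherwise a comment such as `# read by the shorewall-init boot script only; nothing to restart` would tell the next reader why. The site_shorewall::defaults class continues outside the hunks.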
@@ -21,4 +21,10 @@ class site_shorewall::sshd { action => 'leap_sshd(ACCEPT)', order => 200; } + + # setup a routestopped rule to allow ssh when shorewall is stopped + shorewall::routestopped { $site_config::params::interface: + options => "- tcp ${ssh_port}" + } + } -- cgit v1.2.3 From 62c12a6d3c0ef1ff5dfd68d29b56a9846543f81e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 10:57:05 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index eb45c81b..4a55caf8 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit eb45c81bec1328b5fed6bcfe78059037af190c05 +Subproject commit 4a55caf8cb828020b1535a8b7cd8351224b89bf2 -- cgit v1.2.3 From 2341a46e5fed90c8987ff1460e6d4fddfc939a07 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 11:04:10 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 4a55caf8..869ea732 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 4a55caf8cb828020b1535a8b7cd8351224b89bf2 +Subproject commit 869ea732363afa238055c59baad5d5ca83c38024 -- cgit v1.2.3 From c4024b72d5aeebbd814a78c741658ca50eb4dc71 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 27 Jun 2013 11:44:31 +0200 Subject: make git forget about the changes due to symlinking files Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy. --- puppet/modules/site_webapp/manifests/init.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4815bab4..ba7c7e0d 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -138,6 +138,12 @@ class site_webapp { source => $webapp['img_dir']; } + exec { 'git-assume-unchanged': + cwd => '/srv/leap/webapp', + command => '/bin/bash -c "/usr/bin/git update-index --assume-unchanged app/assets/stylesheets/head.scss app/assets/stylesheets/tail.scss public/favicon.ico"', + user => 'leap-webapp' + } + file { '/srv/leap/webapp/config/config.yml': content => template('site_webapp/config.yml.erb'), -- cgit v1.2.3 From b35146bf42bae91f1211b51dba568295f8d5b8f0 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 Aug 2013 12:04:14 +0200 Subject: git:changes expect changes to certain files You can either ensure assume-unchanged or ensure those changes are tracked. Used to keep the git status clean. --- puppet/modules/site_webapp/manifests/git.pp | 30 ++++++++++++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 13 ++++++++---- 2 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 puppet/modules/site_webapp/manifests/git.pp diff --git a/puppet/modules/site_webapp/manifests/git.pp b/puppet/modules/site_webapp/manifests/git.pp new file mode 100644 index 00000000..25862707 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/git.pp @@ -0,0 +1,30 @@ +# Usage +# git::changes { name: +# user => "me", +# ensure => {*assume-unchanged*, tracked} +# } +# + +define git::changes ( $user, $ensure='assume-unchanged' ) { + + case $ensure { + default: { err ( "unknown ensure value '${ensure}'" ) } + + assume-unchanged: { + exec { "assume-unchanged ${name}": + command => "/usr/bin/git update-index --assume-unchanged ${name}", + user => $user, + unless => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", + } + } + + tracked: { + exec { "assume-unchanged ${name}": + command => "/usr/bin/git update-index --no-assume-unchanged ${name}", + user => $user, + onlyif => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", + } + } + } +} + 
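Review bot: The `default:` arm of `case $ensure` in the new git.pp calls `err(...)`, which only logs and lets the catalog continue with nothing declared for that title, so a typo in `ensure` is silently a no-op; use `default: { fail("unknown ensure value '${ensure}'") }` so the run aborts. The exec title `"assume-unchanged ${name}"` is reused verbatim in the `tracked` arm, which is harmless since only one arm runs, but a neutral title such as `"git-changes ${name}"` would read correctly in reports for both cases. The unquoted `assume-unchanged:` and `tracked:` case labels rely on the parser accepting a hyphenated bareword; quoting them, `'assume-unchanged': {`, removes that dependency.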
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ba7c7e0d..a8807a1a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,10 +138,15 @@ class site_webapp { source => $webapp['img_dir']; } - exec { 'git-assume-unchanged': - cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/git update-index --assume-unchanged app/assets/stylesheets/head.scss app/assets/stylesheets/tail.scss public/favicon.ico"', - user => 'leap-webapp' + git:changes { + '/srv/leap/webapp/app/assets/stylesheets/head.scss': + user => 'leap-webapp'; + + '/srv/leap/webapp/app/assets/stylesheets/tail.scss': + user => 'leap-webapp'; + + '/srv/leap/webapp/public/favicon.ico': + user => 'leap-webapp'; } file { -- cgit v1.2.3 From 3aa062ecb934731aa5876e60bb7c9086bcbb5742 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 Aug 2013 12:21:08 +0200 Subject: specify cwd when using git:changes --- puppet/modules/site_webapp/manifests/git.pp | 5 ++++- puppet/modules/site_webapp/manifests/init.pp | 11 +++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/git.pp b/puppet/modules/site_webapp/manifests/git.pp index 25862707..908bc1a4 100644 --- a/puppet/modules/site_webapp/manifests/git.pp +++ b/puppet/modules/site_webapp/manifests/git.pp @@ -1,11 +1,12 @@ # Usage # git::changes { name: +# cwd => "/path/to/git/" # user => "me", # ensure => {*assume-unchanged*, tracked} # } # -define git::changes ( $user, $ensure='assume-unchanged' ) { +define git::changes ( $cwd, $user, $ensure='assume-unchanged' ) { case $ensure { default: { err ( "unknown ensure value '${ensure}'" ) } 
@@ -13,6 +14,7 @@ define git::changes ( $user, $ensure='assume-unchanged' ) { assume-unchanged: { exec { "assume-unchanged ${name}": command => "/usr/bin/git update-index --assume-unchanged ${name}", + cwd => $cwd, user => $user, unless => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", } @@ -21,6 +23,7 @@ define git::changes ( $user, $ensure='assume-unchanged' ) { tracked: { exec { "assume-unchanged ${name}": command => "/usr/bin/git update-index --no-assume-unchanged ${name}", + cwd => $cwd, user => $user, onlyif => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index a8807a1a..4bae2088 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,14 +138,17 @@ class site_webapp { source => $webapp['img_dir']; } - git:changes { - '/srv/leap/webapp/app/assets/stylesheets/head.scss': + git::changes { + 'app/assets/stylesheets/head.scss': + cwd => '/srv/leap/webapp', user => 'leap-webapp'; - '/srv/leap/webapp/app/assets/stylesheets/tail.scss': + 'app/assets/stylesheets/tail.scss': + cwd => '/srv/leap/webapp', user => 'leap-webapp'; - '/srv/leap/webapp/public/favicon.ico': + 'public/favicon.ico': + cwd => '/srv/leap/webapp', user => 'leap-webapp'; } -- cgit v1.2.3 From b1a8cfe5f82f2d96514fbfacff930fdd58dec5b8 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:16:00 +0200 Subject: move git::changes into git module, whitespace fix --- puppet/modules/git | 2 +- puppet/modules/site_webapp/manifests/git.pp | 33 ---------------------------- puppet/modules/site_webapp/manifests/init.pp | 2 +- 3 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 puppet/modules/site_webapp/manifests/git.pp diff --git a/puppet/modules/git b/puppet/modules/git index 497a1034..ba5dd8d5 160000 --- a/puppet/modules/git +++ b/puppet/modules/git 
@@ -1 +1 @@ -Subproject commit 497a1034489e0dc3cab5dab2fb0a857785769734 +Subproject commit ba5dd8d5c8e09d521ff49f1ebc753601e449f828 diff --git a/puppet/modules/site_webapp/manifests/git.pp b/puppet/modules/site_webapp/manifests/git.pp deleted file mode 100644 index 908bc1a4..00000000 --- a/puppet/modules/site_webapp/manifests/git.pp +++ /dev/null @@ -1,33 +0,0 @@ -# Usage -# git::changes { name: -# cwd => "/path/to/git/" -# user => "me", -# ensure => {*assume-unchanged*, tracked} -# } -# - -define git::changes ( $cwd, $user, $ensure='assume-unchanged' ) { - - case $ensure { - default: { err ( "unknown ensure value '${ensure}'" ) } - - assume-unchanged: { - exec { "assume-unchanged ${name}": - command => "/usr/bin/git update-index --assume-unchanged ${name}", - cwd => $cwd, - user => $user, - unless => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", - } - } - - tracked: { - exec { "assume-unchanged ${name}": - command => "/usr/bin/git update-index --no-assume-unchanged ${name}", - cwd => $cwd, - user => $user, - onlyif => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", - } - } - } -} - diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4bae2088..1db52477 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,7 +138,7 @@ class site_webapp { source => $webapp['img_dir']; } - git::changes { + git::changes { 'app/assets/stylesheets/head.scss': cwd => '/srv/leap/webapp', user => 'leap-webapp'; -- cgit v1.2.3 From b9e3aeac876570e35f1e1c3a0f12dcd3758ebd5f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 18:06:54 +0200 Subject: updated submodule stdlib to obtain 'obfuscate_email' function (#3479) --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 66e0fa8f..85470dfc 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib 
@@ -1 +1 @@ -Subproject commit 66e0fa8f1bc5062e9d753598ad17602c378a2994 +Subproject commit 85470dfc1e703611a84abf922634d129dd2f8f8d -- cgit v1.2.3 From 7810400fcd09ec4805632981c2034706ab07720f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 18:19:24 +0200 Subject: tor service:obfuscate contact email addr (Feature #3479) --- puppet/modules/site_tor/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 50ab636b..ac830f0d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -13,7 +13,7 @@ class site_tor { tor::daemon::relay { $nickname: port => 9001, address => $address, - contact_info => $contact_email, + contact_info => obfuscate_email($contact_email), bandwidth_rate => $bandwidth_rate, my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } -- cgit v1.2.3 From 14cee35e55c999663dbd8ac34197b6ce7382e35d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 14:55:33 -0400 Subject: fix name of initial_firewall.pp file (#3339) Change-Id: I341628d0f36225ce49ae301246e7c152553efcae --- puppet/modules/site_config/manifests/firewall.pp | 62 ---------------------- .../site_config/manifests/initial_firewall.pp | 62 ++++++++++++++++++++++ 2 files changed, 62 insertions(+), 62 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/firewall.pp create mode 100644 puppet/modules/site_config/manifests/initial_firewall.pp diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp deleted file mode 100644 index b9fc5ffe..00000000 --- a/puppet/modules/site_config/manifests/firewall.pp +++ /dev/null 
@@ -1,62 +0,0 @@ -class site_config::initial_firewall { - - # This class is intended to setup an initial firewall, before shorewall is - # configured. The purpose of this is for the rare case where shorewall fails - # to start, we should not expose services to the public. - - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] - - package { 'iptables': - ensure => present - } - - file { - # This firewall enables ssh access, dns lookups and web lookups (for - # package installation) but otherwise restricts all outgoing and incoming - # ports - '/etc/network/ipv4firewall_up.rules': - content => template('site_config/ipv4firewall_up.rules.erb'), - owner => root, - group => 0, - mode => '0644'; - - # This firewall denys all ipv6 traffic - we will need to change this - # when we begin to support ipv6 - '/etc/network/ipv6firewall_up.rules': - content => template('site_config/ipv6firewall_up.rules.erb'), - owner => root, - group => 0, - mode => '0644'; - - # Run the iptables-restore in if-pre-up so that the network is locked down - # until the correct interfaces and ips are connected - '/etc/network/if-pre-up.d/ipv4tables': - content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", - owner => root, - group => 0, - mode => '0744'; - - # Same as above for IPv6 - '/etc/network/if-pre-up.d/ipv6tables': - content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", - owner => root, - group => 0, - mode => '0744'; - } - - # Immediately setup these firewall rules, but only if shorewall is not running - exec { - 'default_ipv4_firewall': - command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', - logoutput => true, - unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; - - 'default_ipv6_firewall': - command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', - logoutput => true, - unless => '/sbin/shorewall status', - require => 
File['/etc/network/ipv6firewall_up.rules']; - } -} diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/initial_firewall.pp 
@@ -0,0 +1,62 @@ +class site_config::initial_firewall { + + # This class is intended to setup an initial firewall, before shorewall is + # configured. The purpose of this is for the rare case where shorewall fails + # to start, we should not expose services to the public. + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + package { 'iptables': + ensure => present + } + + file { + # This firewall enables ssh access, dns lookups and web lookups (for + # package installation) but otherwise restricts all outgoing and incoming + # ports + '/etc/network/ipv4firewall_up.rules': + content => template('site_config/ipv4firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # This firewall denys all ipv6 traffic - we will need to change this + # when we begin to support ipv6 + '/etc/network/ipv6firewall_up.rules': + content => template('site_config/ipv6firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # Run the iptables-restore in if-pre-up so that the network is locked down + # until the correct interfaces and ips are connected + '/etc/network/if-pre-up.d/ipv4tables': + content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + + # Same as above for IPv6 + '/etc/network/if-pre-up.d/ipv6tables': + content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + } + + # Immediately setup these firewall rules, but only if shorewall is not running + exec { + 'default_ipv4_firewall': + command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; + + 'default_ipv6_firewall': + command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => 
File['/etc/network/ipv6firewall_up.rules']; + } +} -- cgit v1.2.3 From 92ad38f756f277866e6a3953dbc3e7f31b99898f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 15:07:02 -0400 Subject: now that soledad has been split we can better organize things (#3579) . create a soledad::common class . leap-mx now only needs to include soledad-common . move the site_apt::preferences::twisted to a preferences block inside the soledad server class . make sure that the packages are doing 'ensure => latest' instead of installed Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d --- puppet/modules/leap_mx/manifests/init.pp | 6 ++++-- puppet/modules/site_apt/manifests/preferences/twisted.pp | 3 +-- puppet/modules/soledad/manifests/common.pp | 10 ++++++++++ puppet/modules/soledad/manifests/init.pp | 4 ---- puppet/modules/soledad/manifests/server.pp | 3 ++- 5 files changed, 17 insertions(+), 9 deletions(-) create mode 100644 puppet/modules/soledad/manifests/common.pp diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index ffa4519d..25b2758f 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -6,8 +6,9 @@ class leap_mx { $couchdb_user = $couchdb_admin_user['username'] $couchdb_password = $couchdb_admin_user['password'] + include soledad::common include site_apt::preferences::twisted - + # # USER AND GROUP # @@ -42,7 +43,8 @@ class leap_mx { # package { 'leap-mx': - ensure => installed; + ensure => installed, + require => Class['site_apt::preferences::twisted'] } # diff --git a/puppet/modules/site_apt/manifests/preferences/twisted.pp b/puppet/modules/site_apt/manifests/preferences/twisted.pp index 2ba40e3d..abff6838 100644 --- a/puppet/modules/site_apt/manifests/preferences/twisted.pp +++ b/puppet/modules/site_apt/manifests/preferences/twisted.pp 
@@ -3,8 +3,7 @@ class site_apt::preferences::twisted { apt::preferences_snippet { 'python-twisted': package => 'python-twisted*', release => "${::lsbdistcodename}-backports", - priority => 999, - before => Package['soledad-server'] + priority => 999; } } diff --git a/puppet/modules/soledad/manifests/common.pp b/puppet/modules/soledad/manifests/common.pp new file mode 100644 index 00000000..8a1d664a --- /dev/null +++ b/puppet/modules/soledad/manifests/common.pp @@ -0,0 +1,10 @@ +class soledad::common { + + include soledad + + package { 'soledad-common': + ensure => latest, + require => User['soledad'] + } + +} diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp index 08ba88a7..7d44c8b4 100644 --- a/puppet/modules/soledad/manifests/init.pp +++ b/puppet/modules/soledad/manifests/init.pp @@ -27,8 +27,4 @@ class soledad { require => User['soledad']; } - package { 'soledad-common': - ensure => installed, - require => User['soledad']; - } } diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 00d87a4d..fcf9d461 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -46,7 +46,8 @@ class soledad::server { } package { 'soledad-server': - ensure => installed + ensure => latest, + require => Class['site_apt::preferences::twisted'] } file { '/etc/default/soledad': -- cgit v1.2.3 From 778e85c3a163b6343cd545073e4432b882dc888a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 19:42:15 -0400 Subject: setup bigcouch logrotation (#3491) Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847 --- puppet/modules/site_couchdb/manifests/init.pp | 2 ++ puppet/modules/site_couchdb/manifests/logrotate.pp | 12 ++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/logrotate.pp 
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 75ed87a0..238b83d9 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -82,6 +82,8 @@ class site_couchdb { require => Couchdb::Query::Setup['localhost'] } + include site_couchdb::logrotate + include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch } diff --git a/puppet/modules/site_couchdb/manifests/logrotate.pp b/puppet/modules/site_couchdb/manifests/logrotate.pp new file mode 100644 index 00000000..e1039d49 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/logrotate.pp @@ -0,0 +1,12 @@ +class site_couchdb::logrotate { + + augeas { + 'logrotate_bigcouch': + context => '/files/etc/logrotate.d/bigcouch/rule', + changes => [ 'set file /opt/bigcouch/var/log/*.log', 'set rotate 7', + 'set schedule daily', 'set compress compress', + 'set missingok missingok', 'set ifempty notifempty', + 'set copytruncate copytruncate' ] + } + +} -- cgit v1.2.3 From 231f6a03a93caa914bc04d40af2cb203ded676fb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 12:14:01 +0200 Subject: added site_postfix::debug for debugging (#3538) --- puppet/modules/site_postfix/manifests/debug.pp | 9 +++++++++ puppet/modules/site_postfix/manifests/mx.pp | 4 +++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/debug.pp diff --git a/puppet/modules/site_postfix/manifests/debug.pp b/puppet/modules/site_postfix/manifests/debug.pp new file mode 100644 index 00000000..f370d166 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/debug.pp @@ -0,0 +1,9 @@ +class site_postfix::debug { + + postfix::config { + 'debug_peer_list': value => '127.0.0.1'; + 'debug_peer_level': value => '1'; + 'smtpd_tls_loglevel': value => '1'; + } + +} 
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0581f147..d7637c70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,12 +18,14 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; - 'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks include site_postfix::mx::tls + # greater verbosity for debugging, take out for production + include site_postfix::debug + user { 'vmail': ensure => present, comment => 'Leap Mailspool', -- cgit v1.2.3 From 4bcf6fbba365097286c9a411436d2d6b686336c0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 12:18:16 +0200 Subject: integrate manual postfix config changes in puppet (Feature #3538) --- puppet/modules/site_postfix/manifests/mx.pp | 1 - puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d7637c70..7e2082d9 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -17,7 +17,6 @@ class site_postfix::mx { 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; - 'local_recipient_maps': value => ''; } include site_postfix::mx::smtpd_checks diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 4b7a2626..8c9da9db 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
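Review bot: `include site_postfix::debug` is added unconditionally to `site_postfix::mx`; the comment above it records that it should be taken out for production, but nothing enforces that, and the class it pulls in (the `debug.pp` hunk earlier on this page) raises Postfix log verbosity on every node that gets this class. Gate it on a class parameter or hiera key instead of relying on the comment, e.g. `if $debug { include site_postfix::debug }`, so a forgotten include cannot reach deployed nodes. `site_postfix::mx` continues outside the hunk.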
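Review bot: Dropping `'local_recipient_maps': value => ''` reinstates Postfix's default local recipient table, and `luser_relay` (still set to `vmail` in the context lines) is only consulted when `local_recipient_maps` is empty, so after this change mail for recipients not in the UNIX password file or aliases is rejected at RCPT TO rather than delivered to the vmail catch-all. If that rejection is the intended effect of the "manual config changes" being imported, record it next to the surviving setting, e.g. `# luser_relay is inert while local_recipient_maps is non-empty (default)`; if not, the empty setting needs to stay. The class continues outside the hunk.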
@@ -23,7 +23,7 @@ class site_postfix::mx::tls { 'smtpd_tls_CAfile': value => $client_ca; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_req_ccert': value => 'yes'; + 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; } -- cgit v1.2.3 From 579a9d4d2f68d020c993d1c680eb9022d8c789e3 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 28 Aug 2013 13:00:27 +0200 Subject: require VCS repo before git assume-unchanged (feature #1608) --- puppet/modules/site_webapp/manifests/init.pp | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1db52477..84ec8fab 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -54,12 +54,12 @@ class site_webapp { } exec { 'compile_assets': - cwd => '/srv/leap/webapp', - command => '/usr/bin/bundle exec rake assets:precompile', - user => 'leap-webapp', + cwd => '/srv/leap/webapp', + command => '/usr/bin/bundle exec rake assets:precompile', + user => 'leap-webapp', logoutput => on_failure, - require => Exec['bundler_update'], - notify => Service['apache']; + require => Exec['bundler_update'], + notify => Service['apache']; } file { 
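Review bot: Switching `smtpd_tls_req_ccert` to `smtpd_tls_ask_ccert` makes the client certificate optional on every smtpd listener, which an MX on port 25 needs, but it also means that the only thing separating a certificate-authenticated client from an anonymous MTA is whether its certificate verified against `$client_ca` in `smtpd_tls_CAfile` two lines above — and the `smtpd_recipient_restrictions` in mx.pp at this point of the series (visible as a removed line in a later hunk on this page) grant `permit_tls_all_clientcerts` on exactly that basis. That constraint is undocumented; add `# must contain only the provider client CA: any cert chaining to it satisfies permit_tls_all_clientcerts` above the `smtpd_tls_CAfile` line. The class continues outside the hunk.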
@@ -74,14 +74,14 @@ class site_webapp { target => '/usr/local/share/ca-certificates/leap_api.crt'; "/srv/leap/webapp/public/${api_version}": - ensure => directory, + ensure => directory, require => Vcsrepo['/srv/leap/webapp'], - owner => leap-webapp, group => leap-webapp, mode => '0755'; + owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap/webapp/public/${api_version}/config/": - ensure => directory, + ensure => directory, require => Vcsrepo['/srv/leap/webapp'], - owner => leap-webapp, group => leap-webapp, mode => '0755'; + owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap/webapp/public/${api_version}/config/eip-service.json": content => $eip_service, @@ -141,14 +141,17 @@ class site_webapp { git::changes { 'app/assets/stylesheets/head.scss': cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; 'app/assets/stylesheets/tail.scss': cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; 'public/favicon.ico': cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; } -- cgit v1.2.3 From 979e2f5d21a0516aec79063eff0a63ecbfabe661 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 14:42:58 +0200 Subject: updated submodule stdlib to obtain facts that show netmask in cidr notation --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 85470dfc..73b69e81 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 85470dfc1e703611a84abf922634d129dd2f8f8d +Subproject commit 73b69e8198f702f086ff6afd94a54dddc7935893 -- cgit v1.2.3 From 6a1ed392b4528f07d19c5cced68909db2a1825d9 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 27 Aug 2013 20:15:21 -0400 Subject: apache headers module needs to be enabled on the monitor server (#3462) Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e --- puppet/modules/site_nagios/manifests/server.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index c114a39a..5ca04da2 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -18,6 +18,10 @@ class site_nagios::server inherits nagios::base { #before => Class ['nagios::defaults'] } + apache::module { + 'headers': ensure => present; + } + File ['nagios_htpasswd'] { source => undef, content => "nagiosadmin:$nagiosadmin_pw", -- cgit v1.2.3 From f52d2e77f3b3f0c478fcaa192e02683d7508a728 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 16:37:49 +0200 Subject: SMTP checks (Feature #2304) --- puppet/modules/site_postfix/manifests/mx.pp | 2 -- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 11 ++++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7e2082d9..53dd9be4 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,8 +11,6 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; - 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index b2f2d7c2..bda666f8 100644 
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,9 +1,18 @@ class site_postfix::mx::smtpd_checks { postfix::config { - 'smtpd_delay_reject': value => 'yes'; + 'smtpd_client_restrictions': + value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; + 'smtpd_delay_reject': + value => 'yes'; + 'smtpd_helo_restrictions': + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + 'smtpd_recipient_restrictions': + value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'smtpd_sender_restrictions': + value => 'check_sender_access tcp:localhost:2244, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From fcfbbf21dcd61d668c4289ba97bf845d0b97ed93 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 18:48:30 +0200 Subject: removed submodule "puppet/modules/postfix" (url: git://labs.riseup.net/shared-postfix) --- .gitmodules | 3 --- puppet/modules/postfix | 1 - 2 files changed, 4 deletions(-) delete mode 160000 puppet/modules/postfix diff --git a/.gitmodules b/.gitmodules index bfa826e2..4c29de32 100644 --- a/.gitmodules +++ b/.gitmodules @@ -73,9 +73,6 @@ [submodule "puppet/modules/haproxy"] path = puppet/modules/haproxy url = git://code.leap.se/puppet_haproxy -[submodule "puppet/modules/postfix"] - path = puppet/modules/postfix - url = git://labs.riseup.net/shared-postfix [submodule "puppet/modules/squid_deb_proxy"] path = puppet/modules/squid_deb_proxy url = git://code.leap.se/puppet_squid_deb_proxy diff --git a/puppet/modules/postfix b/puppet/modules/postfix deleted file mode 160000 index 8e43dc85..00000000 --- a/puppet/modules/postfix +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c -- cgit v1.2.3 
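Review bot: In the new `smtpd_recipient_restrictions`, `check_recipient_access tcp:localhost:2244` is evaluated before `reject_unauth_destination`, so an OK returned by the lookup service permits relaying to any destination; this ordering is carried over from the line removed in mx.pp in the previous hunk, and Postfix's guidance is to place `reject_unauth_destination` ahead of any access map that can return OK: `value => 'reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, check_recipient_access tcp:localhost:2244, permit';`. The same concern applies to `smtpd_sender_restrictions`, where an OK from `check_sender_access tcp:localhost:2244` skips `reject_non_fqdn_sender` and `reject_unknown_sender_domain`. `smtpd_client_restrictions` set to `permit_mynetworks,permit` accepts every client and should either be dropped or carry a comment saying it is intentionally empty. The class closes inside the hunk.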
From fb10fcf5484417c5bfb9099c17f0edf4ccf3bc09 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 18:51:03 +0200 Subject: re-added submodule postfix from git://code.leap.se/puppet_postfix (#3584) --- .gitmodules | 3 +++ puppet/modules/postfix | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/postfix diff --git a/.gitmodules b/.gitmodules index 4c29de32..13bb18d1 100644 --- a/.gitmodules +++ b/.gitmodules @@ -76,3 +76,6 @@ [submodule "puppet/modules/squid_deb_proxy"] path = puppet/modules/squid_deb_proxy url = git://code.leap.se/puppet_squid_deb_proxy +[submodule "puppet/modules/postfix"] + path = puppet/modules/postfix + url = git://code.leap.se/puppet_postfix diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..25b1de20 --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 25b1de206454c663539b748fb9f08276ad95b3e4 -- cgit v1.2.3 From 683a1dbe729d3979c9390e2d0aeb5e0e4c258370 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 16:02:07 +0200 Subject: Deploy postfix with an empty main.cf as beginning (Feature #3584) --- puppet/modules/site_apt/templates/wheezy/postfix.seeds | 1 + puppet/modules/site_postfix/manifests/mx.pp | 1 + 2 files changed, 2 insertions(+) create mode 100644 puppet/modules/site_apt/templates/wheezy/postfix.seeds diff --git a/puppet/modules/site_apt/templates/wheezy/postfix.seeds b/puppet/modules/site_apt/templates/wheezy/postfix.seeds new file mode 100644 index 00000000..1a878ccc --- /dev/null +++ b/puppet/modules/site_apt/templates/wheezy/postfix.seeds @@ -0,0 +1 @@ +postfix postfix/main_mailer_type select No configuration diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 53dd9be4..ed5b3832 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -32,6 +32,7 @@ class site_postfix::mx { } class { 'postfix': + preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', require => [ X509::Key[$cert_name], X509::Cert[$cert_name], -- cgit v1.2.3 From 6c508c1c938fa2933d633fa7896505e23128c997 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:00:33 +0200 Subject: fix smtpd mail restrictions (Feature #3166) --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index bda666f8..0973e625 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -4,15 +4,15 @@ class site_postfix::mx::smtpd_checks { 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit'; + value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; 'smtpd_recipient_restrictions': - value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': - value => 'check_sender_access tcp:localhost:2244, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; + value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 
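Review bot: `permit_tls_all_clientcerts` is inserted ahead of `reject_unauth_destination` in `smtpd_recipient_restrictions`, and ahead of `reject_unauth_pipelining` in `smtpd_data_restrictions`, so any client whose certificate verifies against `smtpd_tls_CAfile` may relay to any destination and skip the pipelining check on every smtpd listener, including the public port 25 where `smtpd_tls_ask_ccert` (tls.pp hunk earlier on this page) leaves certificates optional. If the intent is client submission only, attach the permit to the submission listener through a `-o smtpd_recipient_restrictions=...` override in master.cf rather than to the global restrictions, and leave `reject_unauth_pipelining` unconditional in `smtpd_data_restrictions`. The class closes inside the hunk.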
From 7240764c9f1f319a002eb63f7a2dc26a2d479d31 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:28:43 +0200 Subject: updated submodule couchdb, fix puppet couchdb module doesn't create necessary databases anymore (Bug #3594) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 869ea732..32a0f9df 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 869ea732363afa238055c59baad5d5ca83c38024 +Subproject commit 32a0f9df6e80c15b3b49b8ad81b9a49ecc6f39dd -- cgit v1.2.3 From 7ec54bd92bc63e1d7a5213196c1b4fb1bbe1b0b4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:42:56 +0200 Subject: updated submodule couchdb, fixed merge resolution error from last merge --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 32a0f9df..ca467f2c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 32a0f9df6e80c15b3b49b8ad81b9a49ecc6f39dd +Subproject commit ca467f2c8ec25132133e058f446217828b932671 -- cgit v1.2.3 From 1f66ee794114d6a7096e15d0b044c17cb6d22a91 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Aug 2013 15:10:55 -0400 Subject: change the name of the couch_database in the nickserver.yaml to the new one Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5 --- puppet/modules/site_nickserver/templates/nickserver.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index 7aab5605..e717cbaa 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb 
@@ -6,7 +6,7 @@ domain: "<%= @address_domain %>" couch_host: "<%= @couchdb_host %>" couch_port: <%= @couchdb_port %> -couch_database: "users" +couch_database: "identities" couch_user: "<%= @couchdb_user %>" couch_password: "<%= @couchdb_password %>" -- cgit v1.2.3 From 323ceff1ea60bd3463821fc2295ffb790d822165 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Aug 2013 15:05:15 -0400 Subject: create individual classes for the apache modules so they can be included more than once in different locations, depending on what services are configured on a node (#3612) Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770 --- puppet/modules/site_apache/manifests/module/alias.pp | 5 +++++ puppet/modules/site_apache/manifests/module/headers.pp | 5 +++++ puppet/modules/site_apache/manifests/module/rewrite.pp | 5 +++++ puppet/modules/site_nagios/manifests/server.pp | 4 +--- puppet/modules/site_webapp/manifests/apache.pp | 8 +++----- 5 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/module/alias.pp create mode 100644 puppet/modules/site_apache/manifests/module/headers.pp create mode 100644 puppet/modules/site_apache/manifests/module/rewrite.pp diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp new file mode 100644 index 00000000..c1f5e185 --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/alias.pp @@ -0,0 +1,5 @@ +class site_apache::module::alias ( $ensure = present ) +{ + + apache::module { 'alias': ensure => $ensure } +} diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp new file mode 100644 index 00000000..f7caa28c --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/headers.pp @@ -0,0 +1,5 @@ +class site_apache::module::headers ( $ensure = present ) +{ + + apache::module {'headers': ensure => $ensure } +} 
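Review bot: `apache::module {'headers': ensure => $ensure }` in headers.pp drops the space after the opening brace that its siblings alias.pp (this line) and rewrite.pp (the following hunk) keep; write it as `apache::module { 'headers': ensure => $ensure }` so the three otherwise identical classes match. The opening brace of the class on its own line also differs from every other `site_*` manifest on this page, which put it on the `class` line.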
diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp new file mode 100644 index 00000000..7ad00a0c --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/rewrite.pp @@ -0,0 +1,5 @@ +class site_apache::module::rewrite ( $ensure = present ) +{ + + apache::module { 'rewrite': ensure => $ensure } +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 5ca04da2..a088921a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -18,9 +18,7 @@ class site_nagios::server inherits nagios::base { #before => Class ['nagios::defaults'] } - apache::module { - 'headers': ensure => present; - } + include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 8b340160..4331afe4 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -14,11 +14,9 @@ class site_webapp::apache { class { '::apache': no_default_site => true, ssl => true } - apache::module { - 'alias': ensure => present; - 'rewrite': ensure => present; - 'headers': ensure => present; - } + include site_apache::module::headers + include site_apache::module::rewrite + include site_apache::module::alias class { 'passenger': use_munin => false } -- cgit v1.2.3 From ddcab83dda101ee335bbf37451f37e2bfe358c7f Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 29 Aug 2013 16:14:53 -0400 Subject: Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 --- provider_base/files/service-definitions/v1/smtp-service.json.erb | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_shorewall/manifests/mx.pp | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb index 60129f5f..8fee9f8e 100644 --- a/provider_base/files/service-definitions/v1/smtp-service.json.erb +++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb @@ -15,7 +15,7 @@ host = {} host["hostname"] = node.domain.full host["ip_address"] = node.ip_address - host["port"] = 25 # hard coded for now, later node.smtp.port + host["port"] = 465 # hard coded for now, later node.smtp.port if node['location'] location_name = underscore(node.location.name) host["location"] = location_name diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index ed5b3832..18815f70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -35,6 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp index 5ec95fdd..123ffec2 100644 --- a/puppet/modules/site_shorewall/manifests/mx.pp +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -2,7 +2,7 @@ class site_shorewall::mx { include site_shorewall::defaults - $smtpd_ports = '25' + $smtpd_ports = '25,465' # define macro for incoming services file { '/etc/shorewall/macro.leap_mx': -- cgit v1.2.3 From f18a47cfcabcc126689b1166464b5f7c3d000b79 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 30 Aug 2013 08:54:18 +0200 Subject: create sessions db with puppet (Bug #3597) --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 238b83d9..84f737d7 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -66,9 +66,9 @@ class site_couchdb { } couchdb::add_user { $couchdb_soledad_user: - roles => '["auth"]', - pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt, + roles => '["auth"]', + pw => $couchdb_soledad_pw, + salt => $couchdb_soledad_salt, require => Couchdb::Query::Setup['localhost'] } @@ -82,6 +82,11 @@ class site_couchdb { require => Couchdb::Query::Setup['localhost'] } + couchdb::create_db { 'sessions': + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + include site_couchdb::logrotate include site_shorewall::couchdb -- cgit v1.2.3 
From 8b7e1d9afda6a0ae2a8ff5548d9c8ab78370693b Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 30 Aug 2013 14:57:21 +0200 Subject: updated submodule couchdb: couchdb: update_user_webapp fails (Bug #3611) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index ca467f2c..f59e8b2e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit ca467f2c8ec25132133e058f446217828b932671 +Subproject commit f59e8b2e4aad3023f46ae3a1aad655b06605ee84 -- cgit v1.2.3 From 27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 30 Aug 2013 15:01:15 -0400 Subject: change the master.cf_tail to pull in -o smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions make a note about the permit_tls_all_clientcerts being something that we don't want in the future remove check_sender_access check which was doing an unnecessary lookup Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 18815f70..e9f662c3 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -35,7 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0973e625..640f2390 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
@@ -4,15 +4,22 @@ class site_postfix::mx::smtpd_checks { 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': - value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit'; + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; 'smtpd_recipient_restrictions': - value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts + # with a lookup on $relay_clientcerts! Right now we are listing the only + # valid CA that client certificates can use in the $smtp_tls_CAfile parameter + # but we cannot cut off a certificate that should no longer be used unless + # we use permit_tls_clientcerts with the $relay_clientcerts lookup + 'smtps_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': - value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; + value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From ff26ca98604d9e3f3856cca2af678b21c096d1ee Mon Sep 17 00:00:00 2001 
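Review bot: The comment added above `smtps_recipient_restrictions` refers to `$smtp_tls_CAfile`, but the parameter that decides which CAs the SMTP *server* trusts for client certificates is `smtpd_tls_CAfile` (`smtp_tls_CAfile` is the outbound client side); I'd change that line to `# valid CA that client certificates can use in the $smtpd_tls_CAfile parameter`. Separately, the new `smtps_recipient_restrictions` ends with `reject_unauth_destination, permit`, so port 465 also accepts unauthenticated mail for local domains and behaves as a second MX port rather than a pure client-submission port; if that is not intended, ending the list with `reject` instead of `permit` confines 465 to certificate-holding clients — please confirm no local sender relies on 465 before doing so. The enclosing `postfix::config` block continues outside the hunk.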
From: Micah Anderson Date: Fri, 30 Aug 2013 15:19:43 -0400 Subject: postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa --- provider_base/files/service-definitions/v1/smtp-service.json.erb | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 8 +++++++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- puppet/modules/site_shorewall/manifests/mx.pp | 2 +- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb index 8fee9f8e..b31eaf21 100644 --- a/provider_base/files/service-definitions/v1/smtp-service.json.erb +++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb @@ -15,7 +15,7 @@ host = {} host["hostname"] = node.domain.full host["ip_address"] = node.ip_address - host["port"] = 465 # hard coded for now, later node.smtp.port + host["port"] = 587 # hard coded for now, later node.smtp.port if node['location'] location_name = underscore(node.location.name) host["location"] = location_name diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9f662c3..eddf19f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -35,7 +35,13 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", + mastercf_tail => + "smtps inet n - - - - smtpd\n + -o smtpd_tls_wrappermode=yes\n + -o smtpd_tls_security_level=encrypt\n + submission inet n - n - - smtpd\n + -o smtpd_tls_security_level=encrypt\n + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 640f2390..7ade8588 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -18,8 +18,10 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; - } + } } diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp index 123ffec2..332f164e 100644 --- a/puppet/modules/site_shorewall/manifests/mx.pp +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -2,7 +2,7 @@ class site_shorewall::mx { include site_shorewall::defaults - $smtpd_ports = '25,465' + $smtpd_ports = '25,465,587' # define macro for incoming services file { '/etc/shorewall/macro.leap_mx': -- cgit v1.2.3 
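Review bot: The multi-line `mastercf_tail` value mixes `\n` escapes with real newlines and leading indentation, so the generated master.cf carries blank lines inside the entry and — if the `submission inet n - n - - smtpd` line is emitted with its leading whitespace as the diff suggests — master(5) treats it as a continuation of the smtps entry rather than a new service, so 587 would not be listening even though the shorewall hunk below now opens 25,465,587. The later commit on this page titled "fix $master_cf_tail format" rewrites the string with the service names at column 0, which resolves that. A second point that survives the rewrite: smtps uses `-` for the chroot field while submission uses `n`; on Postfix before 3.0 the master.cf default for chroot is `y`, so the two TLS submission services would run with different chroot settings — I'd make both explicit (`smtps inet n - n - - smtpd`) and add a one-line comment stating the intended chroot status. The enclosing class continues outside the hunk.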
From 15b94f811e90b171e9c8c84ebd7ef8b32bf4c0a7 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Mon, 2 Sep 2013 01:44:59 +0200 Subject: changing urls of submodules to https://leap.se (#3252 and #3139 ) --- .gitmodules | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.gitmodules b/.gitmodules index 13bb18d1..6c5e6ddf 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -3,79 +3,79 @@ url = git://github.com/luxflux/puppet-openvpn.git [submodule "puppet/modules/concat"] path = puppet/modules/concat - url = git://code.leap.se/puppet_concat + url = https://leap.se/git/puppet_concat [submodule "puppet/modules/sshd"] path = puppet/modules/sshd - url = git://labs.riseup.net/shared-sshd + url = https://leap.se/git/puppet_sshd [submodule "puppet/modules/apt"] path = puppet/modules/apt - url = git://code.leap.se/puppet_apt + url = https://leap.se/git/puppet_apt [submodule "puppet/modules/lsb"] path = puppet/modules/lsb - url = git://labs.riseup.net/shared-lsb + url = https://leap.se/git/puppet_lsb [submodule "puppet/modules/ntp"] path = puppet/modules/ntp - url = git://github.com/puppetlabs/puppetlabs-ntp.git + url = https://leap.se/git/puppet_ntp.git [submodule "puppet/modules/git"] path = puppet/modules/git - url = git://code.leap.se/puppet_git + url = https://leap.se/git/puppet_git [submodule "puppet/modules/common"] path = puppet/modules/common - url = git://labs.riseup.net/shared-common + url = https://leap.se/git/puppet_common [submodule "puppet/modules/shorewall"] path = puppet/modules/shorewall - url = git://code.leap.se/puppet_shorewall + url = https://leap.se/git/puppet_shorewall [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf - url = git://git.puppet.immerda.ch/module-resolvconf.git + url = https://leap.se/git/puppet_resolvconf.git [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb - url = git://code.leap.se/puppet_couchdb + url = https://leap.se/git/puppet_couchdb [submodule "puppet/modules/apache"] path = puppet/modules/apache - url = git://code.leap.se/puppet_apache + url = https://leap.se/git/puppet_apache [submodule "puppet/modules/bundler"] path = puppet/modules/bundler - url = git://code.leap.se/puppet_bundler + url = https://leap.se/git/puppet_bundler [submodule "puppet/modules/vcsrepo"] path = puppet/modules/vcsrepo url = git://labs.riseup.net/module_vcs [submodule 
"puppet/modules/rubygems"] path = puppet/modules/rubygems - url = git://code.leap.se/puppet_rubygems + url = https://leap.se/git/puppet_rubygems [submodule "puppet/modules/ruby"] path = puppet/modules/ruby - url = git://code.leap.se/puppet_ruby + url = https://leap.se/git/puppet_ruby [submodule "puppet/modules/x509"] path = puppet/modules/x509 - url = git://code.leap.se/puppet_x509 + url = https://leap.se/git/puppet_x509 [submodule "puppet/modules/passenger"] path = puppet/modules/passenger - url = git://code.leap.se/puppet_passenger + url = https://leap.se/git/puppet_passenger [submodule "puppet/modules/augeas"] path = puppet/modules/augeas - url = git://code.leap.se/puppet_augeas + url = https://leap.se/git/puppet_augeas [submodule "puppet/modules/stdlib"] path = puppet/modules/stdlib - url = git://code.leap.se/puppet_stdlib + url = https://leap.se/git/puppet_stdlib [submodule "puppet/modules/unbound"] path = puppet/modules/unbound - url = git://code.leap.se/puppet_unbound + url = https://leap.se/git/puppet_unbound [submodule "puppet/modules/nagios"] path = puppet/modules/nagios - url = git://code.leap.se/puppet_nagios + url = https://leap.se/git/puppet_nagios [submodule "puppet/modules/tor"] path = puppet/modules/tor url = git://labs.riseup.net/shared-tor [submodule "puppet/modules/stunnel"] path = puppet/modules/stunnel - url = git://code.leap.se/puppet_stunnel + url = https://leap.se/git/puppet_stunnel [submodule "puppet/modules/haproxy"] path = puppet/modules/haproxy - url = git://code.leap.se/puppet_haproxy + url = https://leap.se/git/puppet_haproxy [submodule "puppet/modules/squid_deb_proxy"] path = puppet/modules/squid_deb_proxy - url = git://code.leap.se/puppet_squid_deb_proxy + url = https://leap.se/git/puppet_squid_deb_proxy [submodule "puppet/modules/postfix"] path = puppet/modules/postfix - url = git://code.leap.se/puppet_postfix + url = https://leap.se/git/puppet_postfix -- cgit v1.2.3 
From e2782d2153e176416224fb7ed8eb37ca6ca98ff3 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 2 Sep 2013 10:59:45 +0200 Subject: specify RAILS_ENV when calling bundle assets-precompile (fixes #3638) We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies - in particular the braintree gem when deploying. Since the RAILS_ENV was not specified rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this. It looks like we'll always need to specify RAILS_ENV when calling rake or we might want to export it to the environment in a separate task or the user config files such as .bashrc --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 84ec8fab..b3a556a6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -55,7 +55,7 @@ class site_webapp { exec { 'compile_assets': cwd => '/srv/leap/webapp', - command => '/usr/bin/bundle exec rake assets:precompile', + command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', user => 'leap-webapp', logoutput => on_failure, require => Exec['bundler_update'], -- cgit v1.2.3 From c25c97adeb6c41d9af008ba918dfa6ee192f2fd9 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 2 Sep 2013 11:57:48 +0200 Subject: create all webapp databases so _security is set (fixes 3517) --- puppet/modules/site_couchdb/manifests/init.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 84f737d7..43abd616 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp 
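Review bot: Wrapping the command in `/bin/bash -c "..."` only to set RAILS_ENV adds a shell layer and a second level of quoting that the original line avoided; Puppet's exec resource has an `environment` parameter for exactly this, e.g. `command => '/usr/bin/bundle exec rake assets:precompile', environment => ['RAILS_ENV=production'],`. That keeps the command as a plain argv, and it also answers the description's question about how to pass RAILS_ENV to future rake execs without touching user config files. The enclosing exec block continues outside the hunk.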
+++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -87,6 +87,19 @@ class site_couchdb { require => Couchdb::Query::Setup['localhost'] } + couchdb::create_db { 'tickets': + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + # leap_mx will want access to this. Granting access to the soledad user + # via the auth group for now. + # leap_mx could use that for a start. + couchdb::create_db { 'identities': + readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] + } + include site_couchdb::logrotate include site_shorewall::couchdb -- cgit v1.2.3 From 822f92c3ff3fb8ef640b7e1c10819f367014f8d1 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 2 Sep 2013 17:02:55 +0200 Subject: disable postfix debugging by default --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index eddf19f2..2e68297d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -21,7 +21,7 @@ class site_postfix::mx { include site_postfix::mx::tls # greater verbosity for debugging, take out for production - include site_postfix::debug + #include site_postfix::debug user { 'vmail': ensure => present, -- cgit v1.2.3 From 8d69a43fe97079f9595ed460bfa36c4bfd6cb0a8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:22:40 -0400 Subject: Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693) Change-Id: I6a7338136a53e16962a070826493139fa3307df7 --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..34cffb0d 100644 
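Review bot: Granting `identities` read access to the `auth` role also grants it to every user carrying that role, which on this page includes the soledad user created earlier with `roles => '["auth"]'`; the comment mentions leap_mx but not this side effect. I'd extend it: `# NOTE: the "auth" role is also held by the soledad user, so it gains read on identities too; replace with a dedicated leap_mx user/role when available`. The `readers` JSON is built by interpolating `$couchdb_webapp_user` into a string literal, which is fine for operator-controlled names but breaks on a quote character — worth a one-line comment stating that assumption. The enclosing class continues outside the hunk.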
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_helo_required': + value => 'yes'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': -- cgit v1.2.3 From 53244ecd2e31599379b5ee12fd5a95603f565191 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:54:28 -0400 Subject: require that shorewall has been installed before execs are run (#3339) Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf --- puppet/modules/site_config/manifests/initial_firewall.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index b9fc5ffe..36a556e4 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -51,12 +51,14 @@ class site_config::initial_firewall { command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv4firewall_up.rules'] ]; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv6firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 From 9e66f8128274a8c82d3af50597b8a61061153186 Mon Sep 17 00:00:00 2001 
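Review bot: The second `require` list in the initial_firewall hunk is never closed — `File['/etc/network/ipv6firewall_up.rules'];` lacks the closing `]` before `;` — so the manifest would not compile and neither fallback ruleset would be restored. The immediately following commit with the same subject and Change-Id carries the corrected `File['/etc/network/ipv6firewall_up.rules'] ];`, so this is already fixed on the page; flagging it because a non-compiling initial-firewall manifest leaves the node with no firewall at all until shorewall is up, which is a fail-open condition. The enclosing exec block continues outside the hunk.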
From: Micah Anderson Date: Tue, 3 Sep 2013 10:54:28 -0400 Subject: require that shorewall has been installed before execs are run (#3339) Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf --- puppet/modules/site_config/manifests/initial_firewall.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index b9fc5ffe..9178a5f2 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -51,12 +51,14 @@ class site_config::initial_firewall { command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv4firewall_up.rules'] ]; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv6firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv6firewall_up.rules'] ]; } } -- cgit v1.2.3 From cfdbad27fe0b1c5e98b127f2c3d22258e233ef11 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 3 Sep 2013 10:37:21 -0400 Subject: add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4 --- puppet/modules/site_postfix/manifests/checks.pp | 23 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/mx.pp | 1 + .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- .../site_postfix/templates/checks/helo_access.erb | 21 ++++++++++++++++++++ 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/templates/checks/helo_access.erb diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp new file mode 100644 index 00000000..06f9a7a4 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/checks.pp @@ -0,0 +1,23 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Class['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } +} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2e68297d..e5dc1c7b 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,6 +18,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks + include site_postfix::checks include site_postfix::mx::tls # greater verbosity for debugging, take out for production 
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..795c1703 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'checks_dir': + value => '$config_directory/checks'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': @@ -8,7 +10,7 @@ class site_postfix::mx::smtpd_checks { 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': - value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb new file mode 100644 index 00000000..bef3c11d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb 
@@ -0,0 +1,21 @@ +# THIS FILE IS MANAGED BY PUPPET +# To make changes to this file, please edit your platform directory under +# puppet/modules/site_postfix/templates/checks/helo_access.erb and then deploy + +# The format of this file is the HELO/EHLO domain followed by an action. +# The action could be OK to allow it, REJECT to reject it, or a custom +# status code and message. Any lines that are prefixed by an octothorpe (#) +# will be considered comments. + +# Some examples: +# +# Reject anyone that HELO's with foobar: +# foobar REJECT +# +# Allow the switches to skip this check: +# switch1 OK +# switch2 OK + +# Reject anybody that HELO's as being in our own domain(s) +# anyone who identifies themselves as us is a virus/spammer +<%= domain %> 554 You are not in domain <%= domain %> -- cgit v1.2.3 From d901c602f61697f329e37bc92209c264755094c1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 15:26:23 +0200 Subject: Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667) --- puppet/modules/site_postfix/manifests/mx.pp | 7 ++++--- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e5dc1c7b..515b6825 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -42,8 +42,9 @@ class site_postfix::mx { -o smtpd_tls_security_level=encrypt\n submission inet n - n - - smtpd\n -o smtpd_tls_security_level=encrypt\n - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", - require => [ X509::Key[$cert_name], X509::Cert[$cert_name], - User['vmail'] ] + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions\n + -o smtpd_helo_restrictions=\$submission_helo_restrictions", + require => + [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } } 
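Review bot: The template reads `domain` as an unqualified variable; in Puppet 3 templates that form is deprecated in favour of `<%= @domain %>`, and more importantly it is not clear whether it resolves to the provider's mail domain or to the node's `domain` fact, which can differ — if it is the fact, the 554 rule rejects the wrong name and the real mail domain remains spoofable in HELO. I'd change both occurrences to `<%= @domain %>` and add a header comment stating which variable is expected and where it is set (the checks.pp class in this commit does not declare it). Since `smtpd_helo_restrictions` starts with `permit_mynetworks` (see the smtpd_checks hunk), hosts in mynetworks never reach this rule, which is worth stating in the header comment too.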
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index b1536d64..7aea71fb 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -24,6 +24,8 @@ class site_postfix::mx::smtpd_checks { value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'submission_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_helo_restrictions': + value => 'permit_mynetworks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } -- cgit v1.2.3 From 1c0bde0eef6f693a3a67b88eed40173d9f4cf756 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 16:20:02 +0200 Subject: fix $master_cf_tail format --- puppet/modules/site_postfix/manifests/mx.pp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 515b6825..2d8f3db5 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -37,14 +37,14 @@ class site_postfix::mx { root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', mastercf_tail => - "smtps inet n - - - - smtpd\n - -o smtpd_tls_wrappermode=yes\n - -o smtpd_tls_security_level=encrypt\n - submission inet n - n - - smtpd\n - -o smtpd_tls_security_level=encrypt\n - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions\n - -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => - [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + "smtps inet n - - - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_tls_security_level=encrypt +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions + -o smtpd_helo_restrictions=\$submission_helo_restrictions", + require => [ + X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } } -- cgit v1.2.3 From ccdf90ea9c48efbaa34dda8f23d6a95db9970cd9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 18:46:09 +0200 Subject: use check_helo_access hash:/helo_checks also for $submission_helo_restrictions --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7aea71fb..0f1500a4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
@@ -25,7 +25,7 @@ class site_postfix::mx::smtpd_checks { 'submission_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'submission_helo_restrictions': - value => 'permit_mynetworks, permit'; + value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } -- cgit v1.2.3 From 94cdd54caa0cfabb80dab35ebfe9ae02d68ddfb3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 15:47:18 -0400 Subject: Work around for shorewall not being available at the site_config stage (#3339) Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e --- puppet/modules/site_config/manifests/initial_firewall.pp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 9178a5f2..6bef0032 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -50,15 +50,13 @@ class site_config::initial_firewall { 'default_ipv4_firewall': command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, - unless => '/sbin/shorewall status', - require => [ Package['shorewall'], - File['/etc/network/ipv4firewall_up.rules'] ]; + unless => '/etc/init.d/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => '/sbin/shorewall status', - require => [ Package['shorewall'], - File['/etc/network/ipv6firewall_up.rules'] ]; + unless => '/etc/init.d/shorewall status', + require => File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 
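Review bot: `$checks_dir` in `'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'` sits inside a single-quoted Puppet string, so Puppet writes the literal text `$checks_dir` into main.cf and leaves expansion to Postfix; that only works if `checks_dir` is also defined as a main.cf parameter. If Puppet-side interpolation was intended, the value needs double quotes: `"permit_mynetworks, check_helo_access hash:${checks_dir}/helo_checks, permit"`. In either case smtpd defers mail with a lookup-table error when `helo_checks` has not been created and indexed with postmap, so the resource managing that table (not visible here) should be ordered before this setting. The enclosing class starts outside the hunk.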
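Review bot: Dropping `Package['shorewall']` from `require` while `unless` still calls `/etc/init.d/shorewall status` means the check runs on nodes where shorewall is not yet installed; as far as I know Puppet reports a non-existent `unless` command as an error for the exec rather than treating it as false, so the fallback rules would fail to load on exactly the nodes that need them. Guarding the check, `unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status'`, makes a missing script count as "not running". The same applies to `default_ipv6_firewall` in this hunk; the enclosing class starts outside it.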
From 042310874c13ee2901c73d36a5f743f69520c6f3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 4 Sep 2013 10:10:15 +0200 Subject: updated submodule couchdb: don't use couchdb::document for creating _security, cause this special doc doesn't have and _id (#3706) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f59e8b2e..dacaeb4d 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f59e8b2e4aad3023f46ae3a1aad655b06605ee84 +Subproject commit dacaeb4d98be9468336923f5501822d389bda768 -- cgit v1.2.3 From 9544d1a4c8e3dfa11ba611b296a3e47edde0e67f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 14:47:09 -0400 Subject: make sure that the shorewall package is installed before trying to change its configuration file (#3701) Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed --- puppet/modules/site_shorewall/manifests/defaults.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 35e47982..6a40d501 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -51,12 +51,14 @@ class site_shorewall::defaults { changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', + require => Package['shorewall'], notify => Service[shorewall]; # require that the interface exist 'shorewall_REQUIRE_INTERFACE': changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', + require => Package['shorewall'], notify => Service[shorewall]; # configure shorewall-init 'shorewall-init': -- cgit v1.2.3 From ae225f1a9d478019cd22485795e7c6c916b2845c Mon Sep 17 00:00:00 2001 
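Review bot: `require => Package['shorewall']` is now repeated on each augeas resource that edits `/etc/shorewall/shorewall.conf`, but the third resource in the same block (`shorewall-init`, whose body continues outside the hunk) does not get it; if it edits a file owned by a shorewall package it has the same first-run ordering problem this commit fixes for the other two. Declaring the dependency once (a class-level `Augeas { require => Package['shorewall'] }` resource default, bearing in mind defaults are dynamically scoped) keeps the ordering in one place. The enclosing class `site_shorewall::defaults` starts outside the hunk.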
From: Micah Anderson Date: Tue, 3 Sep 2013 15:04:03 -0400 Subject: fix soledad-server not being available before the leap repository has been configured (#3702) Change-Id: I8a86a241c52d88b4b681a800647d7c9c7c574b8e --- puppet/modules/soledad/manifests/server.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index fcf9d461..393d416a 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -47,7 +47,8 @@ class soledad::server { package { 'soledad-server': ensure => latest, - require => Class['site_apt::preferences::twisted'] + require => [ Class['site_apt::preferences::twisted'], + Class['site_apt::leap_repo'] ]; } file { '/etc/default/soledad': -- cgit v1.2.3 From 64a190e046847a90d9148f4bf48441b0f2e05287 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 4 Sep 2013 20:46:35 +0200 Subject: updated couchdb submodule: bigcouch nodes doesn't get registered as cluster members (Bug #3703) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index dacaeb4d..9250ca56 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit dacaeb4d98be9468336923f5501822d389bda768 +Subproject commit 9250ca56e0235e4b213af932c8952b97630cc076 -- cgit v1.2.3 From 99ffaf7ab6fb4ee39b1e2bb4977a9101cdfebec6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 14:56:27 -0400 Subject: need to test that /etc/init.d/shorewall exists before attempting to call it, otherwise puppet complains (#3339) Change-Id: I7c8cc235817fe3d898157de4c4fdd8f1fe74f05a --- puppet/modules/site_config/manifests/initial_firewall.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
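Review bot: Requiring `Class['site_apt::leap_repo']` orders the package after the repository definition, but not necessarily after the apt cache has been refreshed; unless that class notifies the `refresh_apt` exec that `site_apt` references elsewhere on this page, installing `soledad-server` can still fail on a fresh node because the new source has not been read yet. Consider adding `Exec['refresh_apt']` to the `require` array, or confirming the repo class already chains into it. Separately, `ensure => latest` (context line) upgrades the package on every run from this third-party repository; `present` or a pinned version would make deployments reproducible and turn an unexpected upstream change into a visible decision rather than an automatic one. The enclosing class starts outside the hunk.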
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 6bef0032..51cceb31 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -50,13 +50,13 @@ class site_config::initial_firewall { 'default_ipv4_firewall': command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, - unless => '/etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => '/etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', require => File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 From c8488a381071aba3ebe88f8b84185d7b6ad8a625 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 20:14:26 -0400 Subject: change git repository clone URIs from git:// to https:// (#3732) Change-Id: Ic700fec9cfb8e8474fb65dbdd4a1a537bf586ec9 --- puppet/modules/site_nickserver/manifests/init.pp | 2 +- puppet/modules/site_webapp/manifests/init.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index a3368771..153355f1 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -69,7 +69,7 @@ class site_nickserver { ensure => present, revision => 'origin/master', provider => git, - source => 'git://code.leap.se/nickserver', + source => 'https://leap.se/git/nickserver', owner => 'nickserver', group => 'nickserver', require => [ User['nickserver'], Group['nickserver'] ], 
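Review bot: `unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status'` needs a shell for `&&`; with the default posix provider that works, as far as I know, only because the string contains shell metacharacters, which is implicit and provider-specific. Setting `provider => shell` on these execs (if the Puppet version in use supports it) states the assumption, and the identical `unless` string on `default_ipv4_firewall` and `default_ipv6_firewall` could live in one variable so the two do not drift. The enclosing class starts outside the hunk.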
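Review bot: Switching `source` to `https://leap.se/git/nickserver` authenticates the server during the clone, but `revision => 'origin/master'` (context line) still deploys whatever the branch tip is at run time, so the deployed code is not pinned to anything reviewed in this repository. Pinning to a tag or commit, or a comment stating why production nodes track the branch, would make the supply chain auditable. The same applies to the `leap_web` vcsrepo in the following hunk of `site_webapp/manifests/init.pp`. The enclosing class starts outside the hunk.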
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b3a556a6..9c4c2693 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -36,7 +36,7 @@ class site_webapp { force => true, revision => 'origin/master', provider => git, - source => 'git://code.leap.se/leap_web', + source => 'https://leap.se/git/leap_web', owner => 'leap-webapp', group => 'leap-webapp', require => [ User['leap-webapp'], Group['leap-webapp'] ], -- cgit v1.2.3 From f9ee40f2fca2396c1ef7d85a9c44b97fe834671a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 22:46:56 -0400 Subject: fix initial firewall to allow outgoing lo traffic and outgoing port 443 (#3736) this allows nameserver queries to the local resolver to work and clones to the leap https repository to work Change-Id: I575d08405a0c28e12c8d201a8dbc79585a5a9a48 --- puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index c03716f3..524ae308 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb 
@@ -10,10 +10,12 @@ -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -- cgit v1.2.3 From 3d56396278a160d03efd1ddeda65646fcf7ca1a4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Sep 2013 17:57:15 +0200 Subject: puppet fails if no services are configured (Bug #3747) --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index c7d00c61..bce3a08b 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -2,7 +2,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } # parse services for host -$services=join(hiera_array('services'), ' ') +$services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") # make sure apt is updated before any packages are installed -- cgit v1.2.3 From e328df2ba76628ae23f3fcdee476d6bb0ec8177f Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Sep 2013 18:09:25 +0200 Subject: Some packages are installed before refresh_apt is called (Bug #2988) --- puppet/modules/site_apt/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
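Review bot: `-A OUTPUT -o lo -j ACCEPT` opens only the outbound half of loopback traffic; the local resolver's replies arrive on `INPUT -i lo`, and no matching INPUT rule is visible in this hunk (the first nine lines of the template are outside it), so please confirm one exists or add `-A INPUT -i lo -j ACCEPT` beside the other INPUT rules. The commit also touches only `ipv4firewall_up.rules.erb`, while `initial_firewall.pp` earlier on this page loads an `ipv6firewall_up.rules` file as well; the loopback and port 443 rules are probably needed there too.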
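Review bot: `hiera_array('services', [''])` defaults to a one-element array holding an empty string rather than an empty array; `$services` becomes `''` in both cases, so `[]` expresses the intent more directly. If `['']` was chosen to work around a `join()` or hiera behaviour with empty arrays in this Puppet version, a comment such as `# default to [''] rather than []: <reason>` would keep a later reader from "fixing" it.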
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 8821c110..3fa9a2b7 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -37,6 +37,6 @@ class site_apt { # The creation of sources.list depends on the lsb package File['/etc/apt/preferences'] -> - Exec['refresh_apt'] - Package <| ( title != 'lsb' ) |> + Exec['refresh_apt'] -> + Package <| ( title != 'lsb' ) |> } -- cgit v1.2.3 From bda67fd78d64bcc152535d2d16bca9b31c1ecbf8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Sep 2013 18:32:03 +0200 Subject: updated submodule apt: unattended-upgrades package cannot be installed (Bug #3098) --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 1a72a996..64fb988c 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee +Subproject commit 64fb988c0e37d64fb3e241dc95f156072e43bf2a -- cgit v1.2.3 From a6a001c4b2bb147a3ef25f9058c48658bf1ef573 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 5 Sep 2013 14:23:15 -0400 Subject: require that shorewall is up before running bundler commands, it needs to pull things from git (#3756) Change-Id: If404452c54dedb7a39a910994dc68309257d351d --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 9c4c2693..b4d5bb14 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
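Review bot: `Package <| ( title != 'lsb' ) |>` in the chain `Exec['refresh_apt'] -> Package <| ... |>` is a resource collector, and collectors realize every virtual resource they match; if any module in the catalog declares `@package` resources, this chain makes all of them real. If that is not wanted, narrow the collector or express the ordering with `require` on the specific packages. The comment above explains only the lsb dependency; extending it with why every other package must wait for `refresh_apt` would help. The enclosing class starts outside the hunk.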
@@ -49,7 +49,7 @@ class site_webapp { unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'], Service['shorewall'] ], notify => Service['apache']; } -- cgit v1.2.3 From d6682ddd8566292571daf6004265f3b38f054cd8 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 5 Sep 2013 22:40:12 -0700 Subject: make sure we gather ec2_public_ipv4 fact. REQUIRES latest leap_cli (1.2.2) --- platform.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/platform.rb b/platform.rb index f6ff82c6..5f442c0c 100644 --- a/platform.rb +++ b/platform.rb @@ -3,13 +3,13 @@ # Leap::Platform.define do - self.version = "0.2.3" - self.compatible_cli = "1.2.1".."1.99" + self.version = "0.2.4" + self.compatible_cli = "1.2.2".."1.99" # # the facter facts that should be gathered # - self.facts = ["ec2_local_ipv4"] + self.facts = ["ec2_local_ipv4", "ec2_public_ipv4"] # # the named paths for this platform -- cgit v1.2.3 From fcbf7c0b4df14149269b646b5ac8e66acd63647e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 6 Sep 2013 17:37:03 +0200 Subject: use define instead of class for site_stunnel::setup (#3817) so it can be called multiple times --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- puppet/modules/site_mx/manifests/couchdb.pp | 2 +- puppet/modules/site_stunnel/manifests/setup.pp | 2 +- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d982013e..481da279 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
@@ -27,7 +27,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { # basic setup: ensure cert, key, ca files are in place, and some generic # stunnel things are done - class { 'site_stunnel::setup': + site_stunnel::setup { 'couchdb_couchdb': cert_name => $cert_name, key => $key, cert => $cert, diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp index f842ceab..85db7327 100644 --- a/puppet/modules/site_mx/manifests/couchdb.pp +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -15,7 +15,7 @@ class site_mx::couchdb { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - class { 'site_stunnel::setup': + site_stunnel::setup {'mx_couchdb': cert_name => $cert_name, key => $key, cert => $cert, diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index 92eeb425..7fd18d47 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -1,4 +1,4 @@ -class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { +define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { include site_stunnel diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ac01a5bc..4bafc7f3 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -60,7 +60,7 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_stunnel::setup': + site_stunnel::setup { 'webapp_couchdb': cert_name => $cert_name, key => $key, cert => $cert, -- cgit v1.2.3 From 4d58a02c83baf0ce0a9ecb349d998aa3dad9493f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 14:17:20 +0200 Subject: deploy default x509::ca leap_ca in site_config::default (#3817) --- puppet/modules/site_config/manifests/default.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) 
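Review bot: Turning `site_stunnel::setup` into a define allows multiple declarations, but the x509 resources inside it (visible where the file is later deleted on this page) are titled by `$cert_name`, so two instances on one node that pass the same `cert_name` produce a duplicate-declaration error instead of sharing the files. Either title those resources by `$name`, or document above the define that `cert_name` must be unique per node. Minor: the call sites spell the title differently (`{ 'couchdb_couchdb':` vs `{'mx_couchdb':`); one spacing style keeps future diffs clean. The define's body continues outside the hunk.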
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 0a4e75b6..dd0d37f7 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -55,4 +55,15 @@ class site_config::default { include site_squid_deb_proxy::client } + # Set up leap ca + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $ca_name = 'leap_ca' + + x509::ca { $ca_name: + content => $ca, + before => [ + Class['Site_openvpn::Keys'], + Class['Site_stunnel'] ] + } } -- cgit v1.2.3 From a6c19295e276da865f6c66963ed761d3ebc7dc99 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 14:17:54 +0200 Subject: remove x509::ca for leap_ca in site_openvpn::keys and site_stunnel::stunnel (#3817) --- puppet/modules/site_openvpn/manifests/keys.pp | 6 ------ puppet/modules/site_stunnel/manifests/setup.pp | 6 ------ 2 files changed, 12 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index f3c5b423..864bbd9b 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -12,12 +12,6 @@ class site_openvpn::keys { notify => Service[openvpn]; } - x509::ca { - 'leap_ca': - content => $site_openvpn::x509_config['ca_cert'], - notify => Service[openvpn]; - } - file { '/etc/openvpn/keys/dh.pem': content => $site_openvpn::x509_config['dh'], mode => '0644', diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index 7fd18d47..2309800b 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -14,11 +14,5 @@ define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { notify => Service['stunnel']; } - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - } -- cgit v1.2.3 From 3a9569ca027dccef87509323f08407e60039d9a9 Mon Sep 17 00:00:00 2001 
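Review bot: `before => [ Class['Site_openvpn::Keys'], Class['Site_stunnel'] ]` in `site_config::default` creates edges to classes that are presumably declared only on nodes running those services; on any other node the catalog fails to compile with a missing-dependency error for the undeclared class. Letting the consumers declare the ordering instead (`require => X509::Ca['leap_ca']` in the openvpn and stunnel classes) avoids that. Note also that the per-service `x509::ca` declarations removed in the following commit on this page carried `notify => Service[openvpn]` and `notify => Service['stunnel']`, while this central one has only `before`, so a rotated CA no longer restarts those services unless they subscribe to it. The enclosing class starts outside the hunk.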
From: varac Date: Fri, 13 Sep 2013 15:55:09 +0200 Subject: Deploy default x509 cert + key that services can use (Feature #3836) --- puppet/modules/site_config/manifests/default.pp | 13 ++----------- puppet/modules/site_config/manifests/params.pp | 3 +++ puppet/modules/site_config/manifests/x509.pp | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index dd0d37f7..b315044a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -55,15 +55,6 @@ class site_config::default { include site_squid_deb_proxy::client } - # Set up leap ca - $x509 = hiera('x509') - $ca = $x509['ca_cert'] - $ca_name = 'leap_ca' - - x509::ca { $ca_name: - content => $ca, - before => [ - Class['Site_openvpn::Keys'], - Class['Site_stunnel'] ] - } + include site_config::x509 + } diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 237ee454..20697042 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -22,4 +22,7 @@ class site_config::params { else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } + + $ca_name = 'leap_ca' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp new file mode 100644 index 00000000..879285dd --- /dev/null +++ b/puppet/modules/site_config/manifests/x509.pp 
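Review bot: Replacing the explicit `x509::ca` with `include site_config::x509` drops the `before` ordering toward the openvpn and stunnel classes, and the new `site_config::x509` declares key, cert and CA with neither `before` nor `notify`; unless the `x509` module itself orders its files ahead of the services, openvpn and stunnel can start before their CA and key exist on a first run, and will not reload when they change. A `require`/`subscribe` on the `X509::Ca`, `X509::Key` and `X509::Cert` resources in the consuming classes would restore both guarantees. In `params.pp`, `$ca_name = 'leap_ca'` and `$cert_name = 'leap'` deserve a comment that these are the shared names every service's TLS config must use. Both enclosing classes start outside their hunks.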
@@ -0,0 +1,19 @@ +class site_config::x509 { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} -- cgit v1.2.3 From 3e5e685200e9b5c3ac8567100e552929ea55d8e8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 16:20:07 +0200 Subject: setup stunnel config to use default x509 cert,key+ca (#3837) * fix stunnel setups for couchdb, mx, webapp services --- puppet/modules/site_couchdb/manifests/init.pp | 11 +---------- puppet/modules/site_couchdb/manifests/stunnel.pp | 20 ++++---------------- puppet/modules/site_mx/manifests/couchdb.pp | 20 ++++---------------- puppet/modules/site_stunnel/manifests/setup.pp | 18 ------------------ puppet/modules/site_webapp/manifests/couchdb.pp | 8 +------- 5 files changed, 10 insertions(+), 67 deletions(-) delete mode 100644 puppet/modules/site_stunnel/manifests/setup.pp diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 43abd616..6bc4f6a3 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,11 +1,6 @@ class site_couchdb { tag 'leap_service' - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -44,11 +39,7 @@ class site_couchdb { -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_soledad_user] - class { 'site_couchdb::stunnel': - key => $key, - cert => $cert, - ca => $ca - } + class { 'site_couchdb::stunnel': } class { 'site_couchdb::bigcouch::add_nodes': } 
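Review bot: `site_config::x509` reads `$site_config::params::cert_name` and `$site_config::params::ca_name` without an `include site_config::params`; if this class is evaluated before params on some node those variables are undef, the resource titles are empty and the catalog fails, or worse, the result depends on evaluation order. Add `include site_config::params` as the first line of the class. The same unqualified references appear in `site_couchdb/manifests/stunnel.pp` and `site_mx/manifests/couchdb.pp` in the following commit on this page. Separately, the private key from `hiera('x509')['key']` is handed to `x509::key` as `content`; the resulting file mode is presumably set inside that define (not on this page) and is worth confirming, and none of the three resources notifies a service, so key or CA rotation will not restart consumers unless they subscribe.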
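Review bot: `class { 'site_couchdb::stunnel': }` is a resource-like class declaration with no parameters left; `include site_couchdb::stunnel` does the same and cannot collide with another declaration of the class elsewhere. Removing `$x509`, `$key`, `$cert` and `$ca` from `site_couchdb` also stops this class from pulling the private key out of hiera for no reason, which is a good direction. The enclosing class continues outside the hunk.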
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 481da279..993555cb 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,4 +1,4 @@ -class site_couchdb::stunnel ($key, $cert, $ca) { +class site_couchdb::stunnel { $stunnel = hiera('stunnel') @@ -19,21 +19,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $ednp_clients = $stunnel['ednp_clients'] include x509::variables - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - # basic setup: ensure cert, key, ca files are in place, and some generic - # stunnel things are done - site_stunnel::setup { 'couchdb_couchdb': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" # setup a stunnel server for the webapp to connect to couchdb stunnel::service { 'couch_server': diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp index 85db7327..b1f3bd02 100644 --- a/puppet/modules/site_mx/manifests/couchdb.pp +++ b/puppet/modules/site_mx/manifests/couchdb.pp 
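Review bot: Removing the `site_stunnel::setup` declaration also removes the only visible `include site_stunnel` for this class (the deleted define performed that include), yet the new code still declares `stunnel::service { 'couch_server': ...}` just below; the parallel hunks for `site_mx::couchdb` and `site_webapp::couchdb` in this commit add `include site_stunnel` in its place, and this file does not. Unless `site_couchdb` includes it elsewhere, add `include site_stunnel` next to `include x509::variables`. The three `$..._path` lines also read `$site_config::params::*` without including that class. The enclosing class continues outside the hunk.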
@@ -5,23 +5,11 @@ class site_mx::couchdb { $couch_client_connect = $couch_client['connect'] include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - site_stunnel::setup {'mx_couchdb': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + include site_stunnel $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp deleted file mode 100644 index 2309800b..00000000 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ /dev/null @@ -1,18 +0,0 @@ -define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { - - include site_stunnel - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 4bafc7f3..f9a4eb6b 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -60,13 +60,7 @@ class site_webapp::couchdb { mode => '0744'; } - site_stunnel::setup { 'webapp_couchdb': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + include site_stunnel exec { 'migrate_design_documents': cwd => '/srv/leap/webapp', -- cgit v1.2.3 
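Review bot: With the `site_stunnel::setup` call gone from `site_webapp::couchdb`, the `$cert_name`, `$key`, `$cert`, `$ca_name` and `$ca` it consumed are no longer referenced in this hunk; if they are still assigned earlier in the class (outside the hunk) they are dead, and `$key` in particular means the node's private key is still being read from hiera into a class that no longer needs it. Drop them, or confirm another resource in the class uses them. The `site_mx::couchdb` hunk in the same commit already removes its equivalents.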
From 2e1ec38fa4333db7a36b8036207a8f959410bd9d Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Fri, 13 Sep 2013 22:06:46 +0200 Subject: change openvpn submodule url (bug #3139) --- .gitmodules | 4 ++-- puppet/modules/openvpn | 2 +- puppet/modules/tor | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitmodules b/.gitmodules index 6c5e6ddf..a160d379 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,6 @@ [submodule "puppet/modules/openvpn"] path = puppet/modules/openvpn - url = git://github.com/luxflux/puppet-openvpn.git + url = https://leap.se/git/puppet_openvpn [submodule "puppet/modules/concat"] path = puppet/modules/concat url = https://leap.se/git/puppet_concat @@ -66,7 +66,7 @@ url = https://leap.se/git/puppet_nagios [submodule "puppet/modules/tor"] path = puppet/modules/tor - url = git://labs.riseup.net/shared-tor + url = https://leap.se/git/puppet_tor [submodule "puppet/modules/stunnel"] path = puppet/modules/stunnel url = https://leap.se/git/puppet_stunnel diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn index 25f1fe8d..26d4edc6 160000 --- a/puppet/modules/openvpn +++ b/puppet/modules/openvpn @@ -1 +1 @@ -Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c +Subproject commit 26d4edc669853a268a65d2cbbfb42c19f1333de7 diff --git a/puppet/modules/tor b/puppet/modules/tor index a780e840..dcb6e748 160000 --- a/puppet/modules/tor +++ b/puppet/modules/tor @@ -1 +1 @@ -Subproject commit a780e84001177f10a86a7bf824589c0553f513a0 +Subproject commit dcb6e748864e7dfd3c14f4f2aba4c9120f12b78a -- cgit v1.2.3 From a27a46af184331c2b6dab4a0ead4f7a77de713df Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Fri, 13 Sep 2013 22:06:46 +0200 Subject: change vcsrepo submodule url (bug #3139) --- .gitmodules | 10 +++++----- puppet/modules/openvpn | 2 +- puppet/modules/tor | 2 +- puppet/modules/vcsrepo | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.gitmodules b/.gitmodules index 6c5e6ddf..070cb517 100644 --- a/.gitmodules 
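Review bot: The subject says only the openvpn submodule URL changes, but the hunks also rewrite the `tor` URL and, through the `puppet/modules/openvpn` and `puppet/modules/tor` gitlink updates, move both submodules to new commits; a URL change and a pointer change are independent, and the latter is not explained here (the openvpn pointer is moved back in a later commit on this page, which suggests it was unintended). Keeping URL changes and submodule bumps in separate commits makes it possible to verify that the new `https://leap.se/git/...` mirror serves the same history as the old `git://` source before any pointer moves.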
+++ b/.gitmodules @@ -1,6 +1,6 @@ [submodule "puppet/modules/openvpn"] path = puppet/modules/openvpn - url = git://github.com/luxflux/puppet-openvpn.git + url = https://leap.se/git/puppet_openvpn [submodule "puppet/modules/concat"] path = puppet/modules/concat url = https://leap.se/git/puppet_concat @@ -37,9 +37,6 @@ [submodule "puppet/modules/bundler"] path = puppet/modules/bundler url = https://leap.se/git/puppet_bundler -[submodule "puppet/modules/vcsrepo"] - path = puppet/modules/vcsrepo - url = git://labs.riseup.net/module_vcs [submodule "puppet/modules/rubygems"] path = puppet/modules/rubygems url = https://leap.se/git/puppet_rubygems @@ -66,7 +63,7 @@ url = https://leap.se/git/puppet_nagios [submodule "puppet/modules/tor"] path = puppet/modules/tor - url = git://labs.riseup.net/shared-tor + url = https://leap.se/git/puppet_tor [submodule "puppet/modules/stunnel"] path = puppet/modules/stunnel url = https://leap.se/git/puppet_stunnel @@ -79,3 +76,6 @@ [submodule "puppet/modules/postfix"] path = puppet/modules/postfix url = https://leap.se/git/puppet_postfix +[submodule "puppet/modules/vcsrepo"] + path = puppet/modules/vcsrepo + url = https://leap.se/git/puppet_vcsrepo diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn index 25f1fe8d..26d4edc6 160000 --- a/puppet/modules/openvpn +++ b/puppet/modules/openvpn @@ -1 +1 @@ -Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c +Subproject commit 26d4edc669853a268a65d2cbbfb42c19f1333de7 diff --git a/puppet/modules/tor b/puppet/modules/tor index a780e840..dcb6e748 160000 --- a/puppet/modules/tor +++ b/puppet/modules/tor @@ -1 +1 @@ -Subproject commit a780e84001177f10a86a7bf824589c0553f513a0 +Subproject commit dcb6e748864e7dfd3c14f4f2aba4c9120f12b78a diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo index 4db1120c..f92d0922 160000 --- a/puppet/modules/vcsrepo +++ b/puppet/modules/vcsrepo 
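Review bot: The `vcsrepo` entry is deleted from its place after `bundler` and re-added at the end of the file instead of having its `url` changed in place, which turns a one-line change into six and loses the grouping the neighbouring entries keep; a single `url = https://leap.se/git/puppet_vcsrepo` replacing the old `git://labs.riseup.net/module_vcs` line would do. This commit also repeats the openvpn and tor edits of the previous commit against the same base (`index 6c5e6ddf`), so one of the two will conflict on merge.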
@@ -1 +1 @@ -Subproject commit 4db1120c78763f5244dc6c9d2e0d064a6ef363e0 +Subproject commit f92d09226cfddb0c7e5e342dd199d8ea05b497cb -- cgit v1.2.3 From 70284fd0e786ad838fbbd40c816f6c0d01cc1629 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Sat, 14 Sep 2013 11:41:16 +0200 Subject: moved openvpn submodule back to 25f1fe8d8, like it was before --- puppet/modules/openvpn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn index 26d4edc6..25f1fe8d 160000 --- a/puppet/modules/openvpn +++ b/puppet/modules/openvpn @@ -1 +1 @@ -Subproject commit 26d4edc669853a268a65d2cbbfb42c19f1333de7 +Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c -- cgit v1.2.3 From f1ad11887a65b94f101e0d99363daeba93020d2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 14 Sep 2013 13:00:15 -0400 Subject: ensure site_config::caching_resolver runs with tag leap_base (#3757) Change-Id: I593602ff9d3486dee39227673147e137045c55c5 --- puppet/modules/site_config/manifests/caching_resolver.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 922c394f..3d7b9206 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,4 +1,5 @@ class site_config::caching_resolver { + tag 'leap_base' # Setup a conf.d directory to place additional unbound configuration files. # There must be at least one file in the directory, or unbound will not start, -- cgit v1.2.3 From d9fc65006a65d7fe7e5799079ce3e1d0baeade8c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 17:24:45 +0200 Subject: updated submodule stunnel - include stunnel in stunnel::service (https://leap.se/code/issues/3861) --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 75d387fc..53d5864d 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 +Subproject commit 53d5864d217fbbb265aba7887bb4900b40a0fcc8 -- cgit v1.2.3 From c5d4a716ffc8bad1a0a634438245eb02452ed43d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Sep 2013 12:07:45 -0400 Subject: update stunnel submodule commit id to correct one for new repository Change-Id: I33292b9eb2a5553ac296857c99fdaf350ed52542 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 53d5864d..b6fbb5f0 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 53d5864d217fbbb265aba7887bb4900b40a0fcc8 +Subproject commit b6fbb5f013976f6ad1448ac744ae50b2b1aa0bd0 -- cgit v1.2.3 From ecb3727ad43ee55f07db067e80b9d74308296582 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 18:00:32 +0200 Subject: site_config::params::interface should contain eth1 for vagrant cause it's the main interface we use (#2399, #2401) --- puppet/modules/site_config/manifests/params.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 20697042..a4657457 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -5,7 +5,7 @@ class site_config::params { $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") if $::virtual == 'virtualbox' { - $interface = [ 'eth0', 'eth1' ] + $interface = 'eth1' } elsif hiera('interface','') != '' { $interface = hiera('interface') 
@@ -17,7 +17,7 @@ class site_config::params { $interface = $ec2_local_ipv4_interface } elsif $::interfaces =~ /eth0/ { - $interface = eth0 + $interface = 'eth0' } else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") -- cgit v1.2.3 From 5ca8f6f9d26a2c2abfa9f1752aad6b8d91020074 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 18:37:00 +0200 Subject: shorewall: #2399 blocks uplink (Bug #2866) --- puppet/modules/site_config/manifests/default.pp | 7 +++++++ puppet/modules/site_config/manifests/vagrant.pp | 10 ++++++++++ 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_config/manifests/vagrant.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index b315044a..83a344a2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -15,11 +15,18 @@ class site_config::default { # configure ssh and include ssh-keys include site_config::sshd + # include classes for special environments + # i.e. openstack/aws nodes, vagrant nodes + # fix dhclient from changing resolver information if $::ec2_instance_id { include site_config::dhclient } + if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant + } + # configure /etc/resolv.conf include site_config::resolvconf diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp new file mode 100644 index 00000000..04266735 --- /dev/null +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -0,0 +1,10 @@ +class site_config::vagrant { + # class for vagrant nodes + + # eth0 on vagrant nodes is the uplink if + shorewall::interface { 'eth0': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + +} -- cgit v1.2.3 From 5d253f32696851771f0d95c2de1fec081657f8a4 Mon Sep 17 00:00:00 2001 
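Review bot: The uplink name `'eth0'` in `shorewall::interface { 'eth0': zone => 'net', ... }` and the `$::virtual == 'virtualbox'` test that gates this class are now hard-coded in vagrant.pp and default.pp, while params.pp in the same series encodes the same VirtualBox NIC layout by selecting `'eth1'` as the node interface; one `$site_config::params` value for the uplink would keep the firewall and the interface selection from drifting apart. Whether packets arriving on this `net` interface are dropped or accepted is decided by the shorewall zone and policy definitions, which are not in this hunk, so a comment stating the intent would help, e.g. `# eth0 is the VirtualBox NAT uplink; it gets the 'net' zone policy defined in site_shorewall`.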
From: Micah Anderson Date: Tue, 17 Sep 2013 16:05:46 -0400 Subject: fix stunnel module so that code was not removed accidentally Change-Id: Ia236eb5b7609d9f96970230fce4d0051d832e3cb --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index b6fbb5f0..ec49fd93 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit b6fbb5f013976f6ad1448ac744ae50b2b1aa0bd0 +Subproject commit ec49fd93c2469bc5c13f7e6a7d25468613e1b84f -- cgit v1.2.3 From ca3f34da520ff835d383aa82f528adf927d3364f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 12:20:43 +0200 Subject: include shorewall::interface{eth0} in setup.pp so packages can be installed during main puppetrun, even before shorewall is configured completly --- puppet/manifests/setup.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 84e4c056..ba58e728 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -22,3 +22,11 @@ if hiera('squid_deb_proxy_client', false) { include site_squid_deb_proxy::client } +# shorewall is installed/half-configured during setup.pp (Bug #3871) +# we need to include shorewall::interface{eth0} in setup.pp so +# packages can be installed during main puppetrun, even before shorewall +# is configured completly +if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant +} + -- cgit v1.2.3 From bdfef97e49f17c74158084e10e7d0121cc70dd42 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 19:11:39 +0200 Subject: openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831) --- puppet/modules/site_config/manifests/params.pp | 5 +++-- puppet/modules/site_config/manifests/x509.pp | 5 +++++ puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++--- 3 files changed, 11 insertions(+), 5 deletions(-) 
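Review bot: Including `site_config::vagrant` from setup.pp declares the uplink as a `net` interface while, per the added comment, shorewall is only half-configured, so the node's exposure during that window is whatever the partially applied policy allows; that assumption should be written down rather than implied. I'd extend the comment with something like `# NOTE: during setup.pp only the base policy applies to eth0; service-specific rules are added in the main run`, and confirm the base policy is deny-by-default for `net`, which this hunk cannot show.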
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index a4657457..b434af90 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,6 +23,7 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp index 879285dd..2660c523 100644 --- a/puppet/modules/site_config/manifests/x509.pp +++ b/puppet/modules/site_config/manifests/x509.pp @@ -4,6 +4,7 @@ class site_config::x509 { $key = $x509['key'] $cert = $x509['cert'] $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] x509::key { $site_config::params::cert_name: content => $key @@ -16,4 +17,8 @@ class site_config::x509 { x509::ca { $site_config::params::ca_name: content => $ca } + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5ba9812f..befeaef7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
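Review bot: `content => "${ca}${client_ca}"` concatenates two PEM blobs with nothing between them; if `$x509['ca_cert']` does not end in a newline the file contains `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` on one line and OpenSSL-based loaders read only the first certificate, so the client CA silently drops out of the bundle. Joining with an explicit separator, `content => "${ca}\n${client_ca}\n"`, is harmless when the newline is already present and protects the case where it is not. The same silent degradation happens if `client_ca_cert` is absent from hiera, in which case the "bundle" is just the provider CA with no error raised.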
@@ -80,15 +80,15 @@ define site_openvpn::server_config( openvpn::option { "ca ${openvpn_configname}": key => 'ca', - value => '/etc/openvpn/ca_bundle.pem', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", server => $openvpn_configname; "cert ${openvpn_configname}": key => 'cert', - value => '/etc/x509/certs/leap_openvpn.crt', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": key => 'key', - value => '/etc/x509/keys/leap_openvpn.key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", server => $openvpn_configname; "dh ${openvpn_configname}": key => 'dh', -- cgit v1.2.3 From 3decab555397f01e757a0b8a1a5af3648cf49bd0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 16:42:24 +0200 Subject: Include content of client_ca.crt and client_ca.key in hiera (Feature #3874) --- provider_base/services/mx.json | 4 ++-- provider_base/services/webapp.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 25ccf4f0..f999dd23 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -12,8 +12,8 @@ "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ee61e5ab..e47f047b 100644 
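Review bot: Pointing `ca` at the CA bundle means OpenVPN now accepts client certificates issued by either the provider CA or the client CA, and the provider CA is presumably the issuer of the node `leap` server cert and key referenced two options below; unless the server config enforces `remote-cert-tls client` (or an equivalent key-usage/EKU check), any node's server certificate could then authenticate as a VPN client. That option is not in this hunk, so I'd confirm it is set elsewhere in `site_openvpn::server_config` and otherwise add it alongside these options: `"remote-cert-tls ${openvpn_configname}": key => 'remote-cert-tls', value => 'client', server => $openvpn_configname;`.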
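Review bot: Switching `client_ca_key` from `file_path` to `file` serialises the client CA's private key into the mx node's hiera data, yet the only mx consumer visible in this series (`site_postfix::mx::tls`) uses `client_ca_cert` alone to verify client certificates. Shipping a CA signing key to every mx node widens the blast radius of an mx compromise for no visible benefit; unless something on mx actually signs with it, I'd drop the `"client_ca_key"` line from mx.json and keep it only in webapp.json, where the webapp issues client certificates.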
--- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -45,8 +45,8 @@ "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" -- cgit v1.2.3 From 869b9e26475180d41513d036a0600ee433da1b77 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 16:50:15 +0200 Subject: deploy client_ca (#3833) --- puppet/modules/site_config/manifests/params.pp | 1 + puppet/modules/site_config/manifests/x509.pp | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index b434af90..008a4e1f 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -24,6 +24,7 @@ class site_config::params { } $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' $ca_bundle_name = 'leap_ca_bundle' $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp index 2660c523..8eca97e7 100644 --- a/puppet/modules/site_config/manifests/x509.pp +++ b/puppet/modules/site_config/manifests/x509.pp @@ -18,6 +18,10 @@ class site_config::x509 { content => $ca } + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } + x509::ca { $site_config::params::ca_bundle_name: content => "${ca}${client_ca}" } -- cgit v1.2.3 From 1f9003eb6ed90400279011d477e6143e2eb6e2db Mon Sep 17 00:00:00 2001 
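Review bot: Deploying the client CA through `x509::ca` places it under `x509::variables::local_CAs`, which an earlier commit in this series identifies as `/usr/local/share/ca-certificates`; on Debian that directory feeds `update-ca-certificates`, so the CA that issues end-user client certificates may become a trusted root for every TLS client on the node, not only for the services that explicitly reference `leap_client_ca.crt`. If the client CA's leaf certificates carry no EKU restriction, a holder of one could present it to this node's outbound TLS connections. Worth confirming what `x509::ca` does with the file and, if it registers it system-wide, writing the client CA with a plain `file` resource to a path outside the trust store instead.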
From: varac Date: Wed, 18 Sep 2013 16:50:59 +0200 Subject: use x509 for postfix ca and fix names for cert+key (Feature #3833) --- puppet/modules/site_postfix/manifests/mx.pp | 3 +-- puppet/modules/site_postfix/manifests/mx/tls.pp | 20 ++++---------------- 2 files changed, 5 insertions(+), 18 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2d8f3db5..4a7d66ed 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -44,7 +44,6 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => [ - X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + require => Class['Site_config::X509'] } } diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 8c9da9db..34df72bb 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
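Review bot: `require => Class['Site_config::X509']` only orders the master.cf fragment after the key, cert and CA files are written; it does not refresh postfix, so a rotated key, certificate or client CA is deployed but not picked up until something else restarts the daemon (the removed `X509::Key`/`X509::Cert` references did not notify either, but this is the place to fix it). If the shared-postfix module exposes the daemon as `Service['postfix']`, adding `Class['Site_config::X509'] ~> Service['postfix']` in `site_postfix::mx` covers it; the class body continues outside this hunk.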
@@ -1,26 +1,14 @@ class site_postfix::mx::tls { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $client_ca = $x509['client_ca_cert'] - include x509::variables - $cert_name = hiera('name') - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { $cert_name: - content => $key, - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - x509::cert { $cert_name: - content => $cert, - } postfix::config { 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_CAfile': value => $ca_path; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_ask_ccert': value => 'yes'; -- cgit v1.2.3 From 3388336b57cc59617b6dc8380beeeacfdb2fb5b3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Sep 2013 12:05:10 -0400 Subject: Setup a class dependency for every tag 'leap_service' to make sure that shorewall is setup before the service is setup. This is necessary due to the strict initial firewall that stops various service setup operations from happening, but is relaxed once shorewall is setup properly (#3782) Change-Id: Ia9640c4118aa0053cdb99e7bc11860fed5527501 --- puppet/modules/site_couchdb/manifests/init.pp | 3 ++- puppet/modules/site_mx/manifests/init.pp | 1 + puppet/modules/site_nagios/manifests/init.pp | 2 ++ puppet/modules/site_nickserver/manifests/init.pp | 2 ++ puppet/modules/site_openvpn/manifests/init.pp | 2 ++ puppet/modules/site_tor/manifests/init.pp | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 2 ++ 7 files changed, 13 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6bc4f6a3..f4f93828 100644 
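Review bot: `smtpd_tls_CAfile` now points at the `leap_client_ca.crt` path written by `site_config::x509`, but nothing in this class orders the `postfix::config` resources after that file or the `leap` key/cert exist, so on a first run main.cf can reference paths not yet on disk and postfix starts with TLS broken until a later run. Adding `require => Class['site_config::x509']` to the `postfix::config` block (or including that class here) makes the dependency explicit. A short comment such as `# client certs are verified against the client CA only; authorisation is done in the restriction lists` would also help, since `smtpd_tls_ask_ccert` by itself only requests a certificate and what a verified one grants is presumably decided by the `submission_*_restrictions` variables referenced in mx.pp.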
--- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -31,7 +31,8 @@ class site_couchdb { class { 'couchdb::bigcouch::package::cloudant': } - Class ['couchdb::bigcouch::package::cloudant'] + Class['site_config::default'] + -> Class ['couchdb::bigcouch::package::cloudant'] -> Service ['couchdb'] -> Class ['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4cf3f41a..3d8469fd 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,5 +1,6 @@ class site_mx { tag 'leap_service' + Class['site_config::default'] -> Class['site_mx'] include site_postfix::mx include site_mx::haproxy diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index cab32905..c3cfa02e 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,4 +1,6 @@ class site_nagios { tag 'leap_service' + Class['site_config::default'] -> Class['site_nagios'] + include site_nagios::server } diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 153355f1..45503d8a 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -11,6 +11,8 @@ class site_nickserver { tag 'leap_service' + Class['site_config::default'] -> Class['site_nickserver'] + include site_config::ruby # diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b2bb0d3a..fe5ef87f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -20,6 +20,8 @@ class site_openvpn { tag 'leap_service' + Class['site_config::default'] -> Class['site_openvpn'] + $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index ac830f0d..16ee4c30 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,6 +1,7 @@ class site_tor { tag 'leap_service' - + Class['site_config::default'] -> Class['site_tor'] + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] $tor_type = $tor['type'] diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b4d5bb14..97a75010 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -11,6 +11,8 @@ class site_webapp { $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] + Class['site_config::default'] -> Class['site_webapp'] + include site_config::ruby include site_webapp::apache include site_webapp::couchdb -- cgit v1.2.3 From 1ce6cb5a30c5ee73d6474ac9c1bbd4c7819d9a73 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 19 Sep 2013 12:19:00 +0200 Subject: only deploy x509 stuff for nodes if it existes in hiera (Feature #3875) --- puppet/modules/site_config/manifests/default.pp | 2 -- puppet/modules/site_config/manifests/x509.pp | 28 ---------------------- puppet/modules/site_config/manifests/x509/ca.pp | 9 +++++++ .../site_config/manifests/x509/ca_bundle.pp | 10 ++++++++ .../modules/site_config/manifests/x509/cert_key.pp | 15 ++++++++++++ .../site_config/manifests/x509/client_ca.pp | 9 +++++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 5 ++++ puppet/modules/site_mx/manifests/init.pp | 5 ++++ puppet/modules/site_nickserver/manifests/init.pp | 5 ++++ puppet/modules/site_openvpn/manifests/init.pp | 6 ++++- puppet/modules/site_postfix/manifests/mx.pp | 8 ++++++- puppet/modules/site_webapp/manifests/couchdb.pp | 2 ++ puppet/modules/soledad/manifests/server.pp | 3 +++ 13 files changed, 75 insertions(+), 32 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509.pp create mode 100644 puppet/modules/site_config/manifests/x509/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/ca_bundle.pp create mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..b27e99af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -62,6 +62,4 @@ class site_config::default { include site_squid_deb_proxy::client } - include site_config::x509 - } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp deleted file mode 100644 index 8eca97e7..00000000 --- a/puppet/modules/site_config/manifests/x509.pp +++ /dev/null 
@@ -1,28 +0,0 @@ -class site_config::x509 { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $client_ca = $x509['client_ca_cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - - x509::ca { $site_config::params::ca_name: - content => $ca - } - - x509::ca { $site_config::params::client_ca_name: - content => $client_ca - } - - x509::ca { $site_config::params::ca_bundle_name: - content => "${ca}${client_ca}" - } -} diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp new file mode 100644 index 00000000..b16d0eeb --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::ca { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp new file mode 100644 index 00000000..204f0a5e --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -0,0 +1,10 @@ +class site_config::x509::ca_bundle { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp new file mode 100644 index 00000000..d55c6cf2 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert_key.pp @@ -0,0 +1,15 @@ +class site_config::x509::cert_key { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} 
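Review bot: `$client_ca = $x509['client_ca_cert']` is read without a guard; on a node whose hiera x509 hash lacks `client_ca_cert` (this commit's stated goal is to deploy x509 data only where it exists) the value is undef, `"${ca}${client_ca}"` collapses to the provider CA alone, and the file still called `leap_ca_bundle` silently stops containing the client CA. Since every consumer of this class expects both CAs, fail loudly before the resource: `if ! $client_ca { fail("x509 client_ca_cert missing for ${::hostname}") }`. The missing separator between the two PEM blocks is carried over from the class this replaces; `"${ca}\n${client_ca}\n"` is the safe form.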
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp new file mode 100644 index 00000000..f91ea970 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::client_ca { + + $x509 = hiera('x509') + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 993555cb..fbb75000 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -18,6 +18,11 @@ class site_couchdb::stunnel { $ednp_server_connect = $ednp_server['connect'] $ednp_clients = $stunnel['ednp_clients'] + + + include site_config::x509::cert_key + include site_config::x509::ca + include x509::variables $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 3d8469fd..527dc4a5 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,11 @@ class site_mx { tag 'leap_service' Class['site_config::default'] -> Class['site_mx'] + include site_config::x509::cert_key + include site_config::x509::ca + include site_config::x509::client_ca + + include site_postfix::mx include site_mx::haproxy include site_shorewall::mx diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 45503d8a..84b07e77 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp 
@@ -36,6 +36,11 @@ class site_nickserver { # temporarily for now: $domain = hiera('domain') $address_domain = $domain['full_suffix'] + + + include site_config::x509::cert_key + include site_config::x509::ca + $x509 = hiera('x509') $x509_key = $x509['key'] $x509_cert = $x509['cert'] diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index fe5ef87f..41f4c6d4 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,8 +20,12 @@ class site_openvpn { tag 'leap_service' + include site_config::x509::cert_key + include site_config::x509::ca_bundle + + Class['site_config::default'] -> Class['site_openvpn'] - + $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4a7d66ed..32465e01 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,9 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' + include site_config::x509::cert_key + include site_config::x509::client_ca + postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; @@ -44,6 +47,9 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => Class['Site_config::X509'] + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Client_ca'], + User['vmail'] ] } } diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index f9a4eb6b..24f9279d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -13,6 +13,8 @@ class site_webapp::couchdb { $couch_client = $stunnel['couch_client'] $couch_client_connect = $couch_client['connect'] + include site_config::x509::cert_key + include site_config::x509::ca include x509::variables $x509 = hiera('x509') $key = $x509['key'] diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 393d416a..c0af238c 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,6 +9,9 @@ class soledad::server { $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] + include site_config::x509::cert_key + include site_config::x509::ca + $x509 = hiera('x509') $x509_key = $x509['key'] $x509_cert = $x509['cert'] -- cgit v1.2.3 From c68399c019d09a4c8ba44f47936b4b3842802177 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:29:15 +0200 Subject: tidy openvpn x509 definitions (#3831) --- .../site_config/manifests/x509/ca_bundle.pp | 6 +++ puppet/modules/site_openvpn/manifests/dh_key.pp | 10 +++++ puppet/modules/site_openvpn/manifests/init.pp | 5 +-- puppet/modules/site_openvpn/manifests/keys.pp | 45 ---------------------- 4 files changed, 18 insertions(+), 48 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/dh_key.pp delete mode 100644 puppet/modules/site_openvpn/manifests/keys.pp diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp index 204f0a5e..4cbe574a 100644 --- a/puppet/modules/site_config/manifests/x509/ca_bundle.pp +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp 
@@ -1,5 +1,11 @@ class site_config::x509::ca_bundle { + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + + $x509 = hiera('x509') $ca = $x509['ca_cert'] $client_ca = $x509['client_ca_cert'] diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp new file mode 100644 index 00000000..13cc0f5b --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/dh_key.pp @@ -0,0 +1,10 @@ +class site_openvpn::dh_key { + + $x509_config = hiera('x509') + + file { '/etc/openvpn/keys/dh.pem': + content => $x509_config['dh'], + mode => '0644', + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 41f4c6d4..29b3f13f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -27,7 +27,6 @@ class site_openvpn { Class['site_config::default'] -> Class['site_openvpn'] $openvpn_config = hiera('openvpn') - $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] if $::ec2_instance_id { @@ -62,8 +61,8 @@ class site_openvpn { $openvpn_limited_udp_cidr = '21' } - # deploy ca + server keys - include site_openvpn::keys + # deploy dh keys + include site_openvpn::dh_key if $openvpn_allow_unlimited and $openvpn_allow_limited { $unlimited_gateway_address = $openvpn_gateway_address diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp deleted file mode 100644 index 864bbd9b..00000000 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ /dev/null 
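Review bot: The class is named `dh_key` and the enclosing include is commented `# deploy dh keys`, but `/etc/openvpn/keys/dh.pem` holds Diffie-Hellman group parameters, which are public and are correctly written with `mode => '0644'`; the naming invites a future reader to "fix" the mode or treat the file as secret. A comment in the class, `# DH parameters are public (not a key); 0644 is intentional`, and `# deploy dh parameters` at the include would make that explicit. Whether `$x509_config['dh']` is guaranteed present in hiera cannot be told from this hunk; an absent value would leave the file empty rather than fail.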
@@ -1,45 +0,0 @@ -class site_openvpn::keys { - - x509::key { - 'leap_openvpn': - content => $site_openvpn::x509_config['key'], - notify => Service[openvpn]; - } - - x509::cert { - 'leap_openvpn': - content => $site_openvpn::x509_config['cert'], - notify => Service[openvpn]; - } - - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', - } - - # - # CA bundle -- we want to have the possibility of allowing multiple CAs. - # For now, the reason is to transition to using client CA. In the future, - # we will want to be able to smoothly phase out one CA and phase in another. - # I tried "--capath" for this, but it did not work. - # - - concat { - '/etc/openvpn/ca_bundle.pem': - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service['openvpn']; - } - - concat::fragment { - 'client_ca_cert': - content => $site_openvpn::x509_config['client_ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - 'ca_cert': - content => $site_openvpn::x509_config['ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - } - -} -- cgit v1.2.3 From 12d22a47ad529f02e0c6d27b25f7ddaa17a32727 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:32:35 +0200 Subject: soledad should use default key, cert and ca (Feature #3841) --- puppet/modules/soledad/manifests/server.pp | 31 ++++++++---------------------- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index c0af238c..0c073443 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp 
@@ -12,29 +12,9 @@ class soledad::server { include site_config::x509::cert_key include site_config::x509::ca - $x509 = hiera('x509') - $x509_key = $x509['key'] - $x509_cert = $x509['cert'] - $x509_ca = $x509['ca_cert'] - $soledad = hiera('soledad') $soledad_port = $soledad['port'] - x509::key { 'soledad': - content => $x509_key, - notify => Service['soledad-server']; - } - - x509::cert { 'soledad': - content => $x509_cert, - notify => Service['soledad-server']; - } - - x509::ca { 'soledad': - content => $x509_ca, - notify => Service['soledad-server']; - } - # # SOLEDAD CONFIG # @@ -50,8 +30,9 @@ class soledad::server { package { 'soledad-server': ensure => latest, - require => [ Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] ]; + require => [ + Class['site_apt::preferences::twisted'], + Class['site_apt::leap_repo'] ]; } file { '/etc/default/soledad': @@ -68,7 +49,11 @@ class soledad::server { enable => true, hasstatus => true, hasrestart => true, - require => [ Class['soledad'], Package['soledad-server'] ]; + require => [ + Class['soledad'], + Package['soledad-server'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } include site_shorewall::soledad -- cgit v1.2.3 From d7aca479f254ce4cbe58ee2a2197ea5c6d02de53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:44:30 +0200 Subject: Depend services on deployment of default key, cert and ca (Feature #3838) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 15 ++++++++++++--- puppet/modules/site_openvpn/manifests/init.pp | 6 +++++- puppet/modules/site_stunnel/manifests/clients.pp | 6 +++++- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index fbb75000..7ba303fe 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
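Review bot: The removed per-service `x509::key`/`x509::cert`/`x509::ca` resources all carried `notify => Service['soledad-server']`; the replacement lists `Class['Site_config::X509::Cert_key']` and `Class['Site_config::X509::Ca']` only under `require`, which guarantees ordering but not a restart, so a key or certificate rotation no longer reaches the running daemon. Moving those two entries to `subscribe =>` on the service (subscribe implies require), or adding `Class['Site_config::X509::Cert_key'] ~> Service['soledad-server']`, preserves the old behaviour.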
@@ -39,7 +39,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } @@ -55,7 +58,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/epmd_server.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect @@ -81,7 +87,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/ednp_server.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 29b3f13f..6ab0d430 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -137,7 +137,11 @@ class site_openvpn { command => '/etc/init.d/openvpn restart', refreshonly => true, subscribe => File['/etc/openvpn'], - require => [ Package['openvpn'], File['/etc/openvpn'] ]; + require => [ + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index ed766e1a..b2c8db1f 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp 
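Review bot: The two classes added to `require` on the openvpn restart exec order it after the `leap` key/cert and the CA bundle are written, but the exec is `refreshonly` and only `subscribe`s to `File['/etc/openvpn']`, so a rotated key, certificate or CA bundle under the x509 directories never triggers the restart that the deleted `site_openvpn::keys` used to request via `notify => Service[openvpn]`. Listing `Class['Site_config::X509::Cert_key']` and `Class['Site_config::X509::Ca_bundle']` under `subscribe` alongside `File['/etc/openvpn']` (subscribe also orders) makes rotation take effect; the enclosing class continues outside this hunk.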
@@ -21,6 +21,10 @@ define site_stunnel::clients ( verify => $verify, pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, - debuglevel => $debuglevel + debuglevel => $debuglevel, + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; + } } -- cgit v1.2.3 From b798d716e5219d00b5b94ce8b80566e4b3bf0899 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:11:24 +0200 Subject: webapp: Depend services on deployment of default key, cert and ca (Feature #3838) --- .../site_config/manifests/x509/client_ca.pp | 5 +++++ puppet/modules/site_webapp/manifests/apache.pp | 24 ++++++++------------- puppet/modules/site_webapp/manifests/client_ca.pp | 25 ---------------------- puppet/modules/site_webapp/manifests/couchdb.pp | 19 ++++------------ puppet/modules/site_webapp/manifests/init.pp | 3 ++- 5 files changed, 20 insertions(+), 56 deletions(-) delete mode 100644 puppet/modules/site_webapp/manifests/client_ca.pp diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp index f91ea970..3e914cf5 100644 --- a/puppet/modules/site_config/manifests/x509/client_ca.pp +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -1,5 +1,10 @@ class site_config::x509::client_ca { + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + $x509 = hiera('x509') $client_ca = $x509['client_ca_cert'] diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 4331afe4..3dd1c4c7 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
@@ -8,9 +8,15 @@ class site_webapp::apache { $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] $commercial_root = $x509['commercial_ca_cert'] - $api_key = $x509['key'] - $api_cert = $x509['cert'] - $api_root = $x509['ca_cert'] + + include site_config::x509::cert_key + include site_config::x509::ca + + include x509::variables + + X509::Cert[$site_config::params::cert_name] ~> Service[apache] + X509::Key[$site_config::params::cert_name] ~> Service[apache] + X509::Ca[$site_config::params::ca_name] ~> Service[apache] class { '::apache': no_default_site => true, ssl => true } @@ -34,29 +40,17 @@ class site_webapp::apache { 'leap_webapp': content => $commercial_key, notify => Service[apache]; - - 'leap_api': - content => $api_key, - notify => Service[apache]; } x509::cert { 'leap_webapp': content => $commercial_cert, notify => Service[apache]; - - 'leap_api': - content => $api_cert, - notify => Service[apache]; } x509::ca { 'leap_webapp': content => $commercial_root, notify => Service[apache]; - - 'leap_api': - content => $api_root, - notify => Service[apache]; } } diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp deleted file mode 100644 index 0d9b15d6..00000000 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ /dev/null @@ -1,25 +0,0 @@ -## -## This is for the special CA that is used exclusively for generating -## client certificates by the webapp. -## - -class site_webapp::client_ca { - include x509::variables - - $x509 = hiera('x509') - $cert_path = "${x509::variables::certs}/leap_client_ca.crt" - $key_path = "${x509::variables::keys}/leap_client_ca.key" - - x509::key { - 'leap_client_ca': - source => $x509['client_ca_key'], - group => 'leap-webapp', - notify => Service[apache]; - } - - x509::cert { - 'leap_client_ca': - source => $x509['client_ca_cert'], - notify => Service[apache]; - } -} 
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 24f9279d..5a5cccad 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -13,18 +13,7 @@ class site_webapp::couchdb { $couch_client = $stunnel['couch_client'] $couch_client_connect = $couch_client['connect'] - include site_config::x509::cert_key - include site_config::x509::ca include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" file { '/srv/leap/webapp/config/couchdb.yml.admin': @@ -73,10 +62,10 @@ class site_webapp::couchdb { $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt", + 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key", + 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt", } create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 97a75010..4b06cea6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,8 +16,9 @@ class site_webapp { include site_config::ruby include site_webapp::apache include site_webapp::couchdb - include site_webapp::client_ca include site_webapp::haproxy + include site_config::x509::cert_key + include site_config::x509::ca group { 'leap-webapp': ensure => present, -- cgit v1.2.3 
From 43a5b322d99effa411c9fddf5f849da70a7768e8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:45:03 +0200 Subject: tidy nickserver x509 definitions (#3842) --- puppet/modules/site_nickserver/manifests/init.pp | 24 ++++------------------ .../templates/nickserver-proxy.conf.erb | 6 +++--- 2 files changed, 7 insertions(+), 23 deletions(-) diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 84b07e77..a12ed3a2 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -41,11 +41,6 @@ class site_nickserver { include site_config::x509::cert_key include site_config::x509::ca - $x509 = hiera('x509') - $x509_key = $x509['key'] - $x509_cert = $x509['cert'] - $x509_ca = $x509['ca_cert'] - # # USER AND GROUP # @@ -129,7 +124,10 @@ class site_nickserver { enable => true, hasrestart => true, hasstatus => true, - require => File['/etc/init.d/nickserver']; + require => [ + File['/etc/init.d/nickserver'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # @@ -165,18 +163,4 @@ class site_nickserver { content => template('site_nickserver/nickserver-proxy.conf.erb') } - x509::key { 'nickserver': - content => $x509_key, - notify => Service[apache]; - } - - x509::cert { 'nickserver': - content => $x509_cert, - notify => Service[apache]; - } - - x509::ca { 'nickserver': - content => $x509_ca, - notify => Service[apache]; - } } diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 67896cd3..478ae7f1 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb 
@@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/nickserver.pem - SSLCertificateKeyFile /etc/x509/keys/nickserver.key - SSLCertificateFile /etc/x509/certs/nickserver.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request -- cgit v1.2.3 From 55578fec453d6b090f623fd3368138f9e322c9f5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:48:07 +0200 Subject: tidy webapp api x509 definitions (#3840) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..4efbbc52 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.pem - SSLCertificateKeyFile /etc/x509/keys/leap_api.key - SSLCertificateFile /etc/x509/certs/leap_api.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From 77a2c7864953886e8861217bb4947bae6366acc8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:50:27 +0200 Subject: tidy soledad x509 definitions (#3841) --- puppet/modules/soledad/templates/default-soledad.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb index fd38903a..32504e38 100644 --- a/puppet/modules/soledad/templates/default-soledad.erb +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -1,5 +1,5 @@ # this file is managed by puppet START=yes -CERT_PATH=/etc/x509/certs/soledad.crt -PRIVKEY_PATH=/etc/x509/keys/soledad.key +CERT_PATH=<%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt +PRIVKEY_PATH=<%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key HTTPS_PORT=<%=@soledad_port%> -- cgit v1.2.3 From 0397643c8c10de21fb67e0de9cd86c323bbbc3da Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 16:49:53 +0200 Subject: fix x509 path in webapp config.yml.erb (#3894) --- puppet/modules/site_webapp/templates/config.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 05d62d41..57e4ccb6 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -3,8 +3,8 @@ production: admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> - client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> - client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> -- cgit v1.2.3 From 486a9cd3b7bd8d643a9623fd40db2286cdf52fc8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 20 Sep 2013 18:58:13 +0200 Subject: fix whitespace issues from https://review.leap.se/r/82 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 4 ++-- puppet/modules/site_webapp/templates/config.yml.erb | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 4efbbc52..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
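Review bot: The new `client_ca_key` and `client_ca_cert` paths are built from `site_config::params::cert_name`, which is the node's TLS server certificate name, not the client CA; `site_config::params` declares a separate `$client_ca_name` and `site_config::x509::client_ca` reads `$x509['client_ca_cert']`. As written the webapp is handed the server's private key as its client-certificate signing key, which mixes two distinct trust roles and breaks client-cert issuance if the server key is not the CA key. Use `client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key` and the matching `.crt` for `client_ca_cert`. The deleted site_webapp::client_ca deployed that key with `group => 'leap-webapp'`; whether the replacement class makes the key readable by the webapp user is not visible here — confirm.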
@@ -16,8 +16,8 @@ Listen 0.0.0.0:<%= api_port %> SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 478ae7f1..ae06410e 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -15,8 +15,8 @@ Listen 0.0.0.0:<%= @nickserver_port -%> SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request 
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 57e4ccb6..0ce623fc 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -4,7 +4,7 @@ production: domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> -- cgit v1.2.3 From 98d8a337930d5afaf78d88c23adb985a7060f66b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 18:31:51 +0200 Subject: move all resources that are applied on every node into site_config::default (#3782) in commit 338833, we established a relationship between all resources that have a leap_service tag, that are called in site.pp. But we had some resources as default on every node in site.pp (apt::update, Package { require => Exec['apt_updated'] }, site_config::slow and stdlib), that were still lacking any relationship to the leap_service tag. By moving them into default.pp they automatically are executed before resources with a leap_service tag. --- puppet/manifests/site.pp | 8 -------- puppet/modules/site_config/manifests/default.pp | 9 +++++++++ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index bce3a08b..9f5d82d8 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -5,15 +5,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") -# make sure apt is updated before any packages are installed -include apt::update -Package { require => Exec['apt_updated'] } - -include stdlib - include site_config::default -include site_config::slow - # configure eip if $services =~ /\bopenvpn\b/ { diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..13de82af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -3,6 +3,15 @@ class site_config::default { $domain_hash = hiera('domain') + # make sure apt is updated before any packages are installed + include apt::update + Package { require => Exec['apt_updated'] } + + include stdlib + + include site_config::slow + + include concat::setup # default class, used by all hosts -- cgit v1.2.3 From d7f5b368547f37cfa53cd606f3d72fab44b6bd7f Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 20 Sep 2013 12:15:36 -0700 Subject: use newer haproxy_servers macro in order to allow couchdb and webapp to be on the same node (requires latest leap_cli) --- platform.rb | 2 +- provider_base/services/webapp.json | 3 +-- puppet/modules/site_webapp/manifests/haproxy.pp | 1 - 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/platform.rb b/platform.rb index 5f442c0c..c68aac86 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.2.4" - self.compatible_cli = "1.2.2".."1.99" + self.compatible_cli = "1.2.3".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index e47f047b..6f2beb8a 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
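Review bot: Moving `Package { require => Exec['apt_updated'] }` from site.pp into `site_config::default` narrows its reach: a resource default declared inside a class is dynamically scoped, so it applies to packages declared in that class and in classes it includes, while packages declared in classes included elsewhere no longer get the implicit requirement. Those classes are presumably still ordered after `Class['site_config::default']` through the leap_service relationship the commit message describes, so apt::update runs first in practice, but the guarantee now depends on every package-declaring class taking part in that ordering. A comment on the default line, `# NOTE: this default only reaches packages declared within site_config::default; other classes rely on the Class['site_config::default'] -> ordering`, would record that reliance for the next reader.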
@@ -20,8 +20,7 @@ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" }, "haproxy": { - "local_ports": "= stunnel.couch_client.field(:accept_port)", - "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" + "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client, global.services[:couchdb].couch.port)" }, "definition_files": { "provider": "= file :provider_json_template", diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp index 4a7e3c25..b69c69da 100644 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ b/puppet/modules/site_webapp/manifests/haproxy.pp @@ -3,7 +3,6 @@ class site_webapp::haproxy { include site_haproxy $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] # Template uses $global_options, $defaults_options concat::fragment { 'leap_haproxy_webapp_couchdb': -- cgit v1.2.3 From a95e00f78e07d515b49de563ca5fbcd83be0d015 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 17 Sep 2013 20:09:10 +0200 Subject: adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 ++- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..2cac297e 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -7,7 +7,8 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= api_domain %> + ServerName <%= domain_name %> + ServerAlias <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 5e3960c2..3b376839 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -6,7 +6,8 @@ - ServerName <%= domain %> + ServerName <%= domain_name %> + ServerAlias <%= domain %> ServerAlias www.<%= domain %> SSLEngine on diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 4331afe4..3d28ec83 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -4,6 +4,9 @@ class site_webapp::apache { $api_domain = $web_api['domain'] $api_port = $web_api['port'] + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + $x509 = hiera('x509') $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] -- cgit v1.2.3 From d8b9ab39d333de6494e5006b3ba4abf4b8901bca Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 21 Sep 2013 16:52:55 -0700 Subject: ensure that contacts.default is an array, and is required (requires latest leap_cli). --- platform.rb | 2 +- provider_base/provider.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/platform.rb b/platform.rb index c68aac86..60b0d9a5 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.2.4" - self.compatible_cli = "1.2.3".."1.99" + self.compatible_cli = "1.2.4".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/provider.json b/provider_base/provider.json index 84ef640e..5b335e8a 100644 --- a/provider_base/provider.json 
+++ b/provider_base/provider.json @@ -8,8 +8,8 @@ "en": "REQUIRED" }, "contacts": { - "default": "REQUIRED", - "english": "= contacts.default.split('@').join(' at the domain ')" + "default": ["REQUIRED"], + "english": "= contacts.default.map {|email| email.split('@').join(' at the domain ')}.join(', ')" }, "languages": ["en"], "default_language": "en", -- cgit v1.2.3 From ffa4504f81c0abecc62b068951ec147741028128 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:09:30 +0200 Subject: seperate cert and key deployment (#3918) --- puppet/modules/site_config/manifests/x509/cert.pp | 10 ++++++++++ puppet/modules/site_config/manifests/x509/cert_key.pp | 15 --------------- puppet/modules/site_config/manifests/x509/key.pp | 9 +++++++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++---- puppet/modules/site_mx/manifests/init.pp | 3 ++- puppet/modules/site_nickserver/manifests/init.pp | 6 ++++-- puppet/modules/site_openvpn/manifests/init.pp | 6 ++++-- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- puppet/modules/site_stunnel/manifests/clients.pp | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 3 ++- puppet/modules/soledad/manifests/server.pp | 6 ++++-- 12 files changed, 51 insertions(+), 31 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/cert.pp delete mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/key.pp diff --git a/puppet/modules/site_config/manifests/x509/cert.pp b/puppet/modules/site_config/manifests/x509/cert.pp new file mode 100644 index 00000000..7ed42959 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::cert { + + $x509 = hiera('x509') + $cert = $x509['cert'] + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} 
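Review bot: `site_config::x509::cert` reads `$site_config::params::cert_name` without declaring `site_config::params`, so on any node where that class has not already been evaluated the resource title is undef and the catalog fails or yields an unusable resource. Adding `include site_config::params` as the first statement of the class removes the evaluation-order dependency; the same applies to the new `site_config::x509::key` in this commit and to `site_config::x509::commercial::ca`, `::cert` and `::key` in commit 9fae612b. Separately, none of these classes set owner or mode on the private key file — presumably the shared `x509::key` define enforces root ownership and a 0600 mode, but since these classes are now the only place the key is deployed that should be confirmed.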
diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp deleted file mode 100644 index d55c6cf2..00000000 --- a/puppet/modules/site_config/manifests/x509/cert_key.pp +++ /dev/null @@ -1,15 +0,0 @@ -class site_config::x509::cert_key { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - -} diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp new file mode 100644 index 00000000..32b59726 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::key { + + $x509 = hiera('x509') + $key = $x509['key'] + + x509::key { $site_config::params::cert_name: + content => $key + } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 7ba303fe..87c35f05 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -20,7 +20,8 @@ class site_couchdb::stunnel { - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include x509::variables @@ -41,7 +42,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } @@ -60,7 +62,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } 
@@ -89,7 +92,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 527dc4a5..52c5f1d6 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,7 +2,8 @@ class site_mx { tag 'leap_service' Class['site_config::default'] -> Class['site_mx'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include site_config::x509::client_ca diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index a12ed3a2..bf0511d5 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -38,7 +38,8 @@ class site_nickserver { $address_domain = $domain['full_suffix'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca # @@ -126,7 +127,8 @@ class site_nickserver { hasstatus => true, require => [ File['/etc/init.d/nickserver'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 6ab0d430..bf72c8d6 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,7 +20,8 @@ class site_openvpn { tag 'leap_service' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca_bundle 
@@ -140,7 +141,8 @@ class site_openvpn { require => [ Package['openvpn'], File['/etc/openvpn'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca_bundle'] ]; } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 32465e01..d56b526f 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,7 +8,8 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::client_ca postfix::config { @@ -48,7 +49,8 @@ submission inet n - n - - smtpd -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Client_ca'], User['vmail'] ] } diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index b2c8db1f..791fdbc5 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -23,7 +23,8 @@ define site_stunnel::clients ( rndfile => $rndfile, debuglevel => $debuglevel, require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d604b00f..062344d7 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
@@ -12,7 +12,8 @@ class site_webapp::apache { $commercial_cert = $x509['commercial_cert'] $commercial_root = $x509['commercial_ca_cert'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include x509::variables diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4b06cea6..ff230417 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,7 +17,8 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca group { 'leap-webapp': diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 0c073443..6ccd934a 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,7 +9,8 @@ class soledad::server { $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca $soledad = hiera('soledad') @@ -52,7 +53,8 @@ class soledad::server { require => [ Class['soledad'], Package['soledad-server'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } -- cgit v1.2.3 From 9fae612bd8d147321e0cb553610fcaf0140e84eb Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 24 Sep 2013 09:23:54 +0200 Subject: move commercial x509 deployment to site_x509 (Feature #3889) --- .../templates/vhosts.d/leap_webapp.conf.erb | 6 ++-- puppet/modules/site_config/manifests/params.pp | 10 ++++--- .../site_config/manifests/x509/commercial/ca.pp | 9 ++++++ .../site_config/manifests/x509/commercial/cert.pp | 10 +++++++ .../site_config/manifests/x509/commercial/key.pp | 9 ++++++ puppet/modules/site_webapp/manifests/apache.pp | 35 ++++------------------ 6 files changed, 43 insertions(+), 36 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/commercial/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/cert.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/key.pp diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3b376839..6059453b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -16,9 +16,9 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem - SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key - SSLCertificateFile /etc/x509/certs/leap_webapp.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 008a4e1f..59a161e8 100644 
--- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,8 +23,10 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $client_ca_name = 'leap_client_ca' - $ca_bundle_name = 'leap_ca_bundle' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' + $commercial_ca_name = 'leap_commercial_ca' + $commercial_cert_name = 'leap_commercial' } diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp new file mode 100644 index 00000000..8f35759f --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::commercial::ca { + + $x509 = hiera('x509') + $ca = $x509['commercial_ca_cert'] + + x509::ca { $site_config::params::commercial_ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp new file mode 100644 index 00000000..0c71a705 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::commercial::cert { + + $x509 = hiera('x509') + $cert = $x509['commercial_cert'] + + x509::cert { $site_config::params::commercial_cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp new file mode 100644 index 00000000..d32e85ef --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp 
@@ -0,0 +1,9 @@ +class site_config::x509::commercial::key { + + $x509 = hiera('x509') + $key = $x509['commercial_key'] + + x509::key { $site_config::params::commercial_cert_name: + content => $key + } +} diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 062344d7..6a199b9e 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -7,20 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - $x509 = hiera('x509') - $commercial_key = $x509['commercial_key'] - $commercial_cert = $x509['commercial_cert'] - $commercial_root = $x509['commercial_ca_cert'] - - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca - include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca - X509::Cert[$site_config::params::cert_name] ~> Service[apache] - X509::Key[$site_config::params::cert_name] ~> Service[apache] - X509::Ca[$site_config::params::ca_name] ~> Service[apache] + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] class { '::apache': no_default_site => true, ssl => true } @@ -40,21 +34,4 @@ class site_webapp::apache { content => template('site_apache/vhosts.d/api.conf.erb') } - x509::key { - 'leap_webapp': - content => $commercial_key, - notify => Service[apache]; - } - - x509::cert { - 'leap_webapp': - content => $commercial_cert, - notify => Service[apache]; - } - - x509::ca { - 'leap_webapp': - content => $commercial_root, - notify => Service[apache]; - } } -- cgit v1.2.3 From 02f17c426e6288f898a66a1a687b413ffe9a9b95 Mon Sep 17 00:00:00 2001 
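Review bot: The first apache.pp hunk removes `include x509::variables`, while the leap_webapp vhost template changed earlier in this commit now resolves `x509::variables::local_CAs`, `::keys` and `::certs` through `scope.lookupvar`. Unless that class is included by something else in the catalog (the x509::* defines may do so — I cannot see them), the lookups return undef and the SSLCertificate* directives degrade to paths like `/leap_commercial_ca.crt`, which Apache rejects at start. Keeping `include x509::variables` in `site_webapp::apache` makes the template's dependency explicit and costs nothing. The class body continues outside both hunks.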
From: varac Date: Tue, 24 Sep 2013 11:01:19 +0200 Subject: Webapp doesn't serve commercial cert (Bug #3916) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 9e2dbcaf..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -7,8 +7,7 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= domain_name %> - ServerAlias <%= api_domain %> + ServerName <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 -- cgit v1.2.3 From abb03cd19389188c38ccaeb96e3136cac5397563 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 17:15:35 +0200 Subject: https://bitmask.net/ca.crt gives 403 Forbidden (Bug #3919) --- puppet/modules/site_webapp/manifests/init.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ff230417..e630875c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,8 +17,7 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert - include site_config::x509::key + include site_config::x509::cert_key include site_config::x509::ca group { 'leap-webapp': @@ -75,7 +74,7 @@ class site_webapp { '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], - target => '/usr/local/share/ca-certificates/leap_api.crt'; + target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"; "/srv/leap/webapp/public/${api_version}": ensure => directory, -- cgit v1.2.3 From 0447e92ab5dcc3d8a07613a765c60db23252f278 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 24 Sep 2013 17:55:22 +0200 Subject: added site_config::x509::client_ca::cert and site_config::x509::client_ca::key for client_ca deployment (#3917) --- puppet/modules/site_config/manifests/x509/client_ca.pp | 14 -------------- puppet/modules/site_config/manifests/x509/client_ca/ca.pp | 14 ++++++++++++++ puppet/modules/site_config/manifests/x509/client_ca/key.pp | 14 ++++++++++++++ puppet/modules/site_webapp/templates/config.yml.erb | 4 ++-- 4 files changed, 30 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509/client_ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca/key.pp diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp deleted file mode 100644 index 3e914cf5..00000000 --- a/puppet/modules/site_config/manifests/x509/client_ca.pp +++ /dev/null @@ -1,14 +0,0 @@ -class site_config::x509::client_ca { - - ## - ## This is for the special CA that is used exclusively for generating - ## client certificates by the webapp. - ## - - $x509 = hiera('x509') - $client_ca = $x509['client_ca_cert'] - - x509::ca { $site_config::params::client_ca_name: - content => $client_ca - } -} diff --git a/puppet/modules/site_config/manifests/x509/client_ca/ca.pp b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp new file mode 100644 index 00000000..0f313898 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca::ca { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $cert = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $cert + } +} 
diff --git a/puppet/modules/site_config/manifests/x509/client_ca/key.pp b/puppet/modules/site_config/manifests/x509/client_ca/key.pp new file mode 100644 index 00000000..f9ef3f52 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca/key.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca::key { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $key = $x509['client_ca_key'] + + x509::key { $site_config::params::client_ca_name: + content => $key + } +} diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 0ce623fc..6b45abc2 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -3,8 +3,8 @@ production: admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> - client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key + client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> -- cgit v1.2.3 From 1adbf7af76b10d44a53de28d23f4c7167dc4f941 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 24 Sep 2013 18:02:05 +0200 Subject: fix client_ca cert+key for mx service (Feature #3921) --- puppet/modules/site_mx/manifests/init.pp | 3 ++- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 4 ---- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 52c5f1d6..cdb84b54 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,7 +5,8 @@ class site_mx { include site_config::x509::cert include site_config::x509::key include site_config::x509::ca - include site_config::x509::client_ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key include site_postfix::mx diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d56b526f..abc0ab46 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -10,7 +10,8 @@ class site_postfix::mx { include site_config::x509::cert include site_config::x509::key - include site_config::x509::client_ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key postfix::config { 'mydestination': @@ -51,7 +52,8 @@ submission inet n - n - - smtpd require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], - Class['Site_config::X509::Client_ca'], + Class['Site_config::X509::Client_ca::Key'], + Class['Site_config::X509::Client_ca::Ca'], User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp index ab75130e..afa70527 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp 
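Review bot: Both hunks in this commit add `include site_config::x509::client_ca::key` — the private key of the CA that issues client certificates — to the MX node (`site_mx` and `site_postfix::mx`), yet the only visible consumer of that key in Postfix, `smtpd_tls_key_file => $x509['client_ca_key']` in smtp_auth.pp, is removed by the same commit. Verifying presented client certificates needs only the CA certificate (`client_ca::ca`), so unless another use exists the two `include site_config::x509::client_ca::key` lines and the `Class['Site_config::X509::Client_ca::Key']` entry in the `require` list can go, keeping the signing key confined to the node that signs. If the MX genuinely needs it, a comment saying why would help the next reader. The enclosing classes continue outside the hunks.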
@@ -1,10 +1,6 @@ class site_postfix::mx::smtp_auth { - $x509 = hiera('x509') postfix::config { - 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; - 'smtpd_tls_key_file': value => $x509['client_ca_key']; 'smtpd_tls_ask_ccert': value => 'yes'; - #'smtpd_tls_CAfile': value => } } -- cgit v1.2.3 From 2a60f275d2ee5c0b93b8737fa80396817853ae83 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 19:15:16 +0200 Subject: webapp leftover for seperate cert and key deployment (Feature #3918) --- puppet/modules/site_webapp/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e630875c..07d2b942 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,7 +17,8 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca group { 'leap-webapp': -- cgit v1.2.3 From 2aa2ab27860166b2846abbfd4ed2afc76576f714 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 19:20:34 +0200 Subject: deploy client_ca on webapp node --- puppet/modules/site_webapp/manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 07d2b942..c85a5ddc 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -20,6 +20,8 @@ class site_webapp { include site_config::x509::cert include site_config::x509::key include site_config::x509::ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key group { 'leap-webapp': ensure => present, -- cgit v1.2.3 From e757dd2f52f3859c17f5015274299998dd9f6ba6 Mon Sep 17 00:00:00 2001 
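Review bot: After this hunk `site_postfix::mx::smtp_auth` still declares `postfix::config { 'smtpd_tls_ask_ccert': value => 'yes' }`, and the tls.pp hunks later in this series show the same title declared in `site_postfix::mx::tls`; if both classes end up in one catalog Puppet aborts with a duplicate declaration of Postfix::Config[smtpd_tls_ask_ccert]. The removed `#'smtpd_tls_CAfile': value =>` placeholder was also the reminder that asking for a client certificate only yields a verified identity when `smtpd_tls_CAfile` points at the client CA; I cannot see it set in the visible hunks, so it is worth confirming (the `smtp_tls_CAfile` added later covers the client side only). Moving the one remaining parameter into mx::tls would avoid the collision and leave a single owner for TLS settings.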
From: Azul Date: Wed, 25 Sep 2013 10:53:37 +0200 Subject: recent couchdb puppet - requires git submodule update --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 9250ca56..e5bbb903 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 9250ca56e0235e4b213af932c8952b97630cc076 +Subproject commit e5bbb903159a94dc3357344d78060343ef47bac8 -- cgit v1.2.3 From 20a8032ae0580356c3399976f44c13825f87093a Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 25 Sep 2013 14:29:15 +0200 Subject: openvpn is restarted before package is installed (Bug #3904) --- puppet/modules/site_openvpn/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index bf72c8d6..61fefd0a 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -167,7 +167,9 @@ class site_openvpn { ensure => running, hasrestart => true, hasstatus => true, - require => Exec['concat_/etc/default/openvpn']; + require => [ + Package['openvpn'], + Exec['concat_/etc/default/openvpn'] ]; } file { -- cgit v1.2.3 From af6e944090a3b54ca605b1b6145fbb7c008fb093 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 25 Sep 2013 14:22:07 -0400 Subject: add smtp_tls_received_header to include information about the protocol and cipher used as well as the client and issuer CommonName into the "Received:" header Also, clean up the parameters to standardize them Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4 --- puppet/modules/site_postfix/manifests/mx.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index abc0ab46..80b750d0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp 
+++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -16,10 +16,16 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; - 'mailbox_size_limit': value => '0'; - 'home_mailbox': value => 'Maildir/'; - 'virtual_alias_maps': value => 'tcp:localhost:4242'; - 'luser_relay': value => 'vmail'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'tcp:localhost:4242'; + 'luser_relay': + value => 'vmail'; + 'smtpd_tls_received_header': + value => 'yes'; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From 8cbd46a5c62a4f6d91f03283ea9072e7fcc943d8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 25 Sep 2013 13:06:42 -0400 Subject: properly set the $smtps_recipient_restrictions variable in master.cf (#3935) Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index abc0ab46..88922c00 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -45,6 +45,7 @@ class site_postfix::mx { "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -- cgit v1.2.3 From a457f610aca8544b4c9e3a3f4ddcc4d00a05baf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 14:53:37 -0400 Subject: Add client-side TLS configuration (#3868) Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) 
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..89b63ba1 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -17,3 +17,24 @@ class site_postfix::mx::tls { } } + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_ask_ccert': value => 'yes'; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + } + + -- cgit v1.2.3 From 62271e0e067daef064dba2860a92eb6351510d3c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 15:47:03 -0400 Subject: create a site_config::packages directory, move site_config::base_packages to site_config::packages::base add site_config::packages::gnutls for inclusion (#3955) Change-Id: I9599eb26844503613c16f57ee17d6ea7bd0cf6fb --- .../modules/site_config/manifests/base_packages.pp | 28 ---------------------- puppet/modules/site_config/manifests/default.pp | 2 +- .../manifests/packages/base_packages.pp | 28 ++++++++++++++++++++++ .../site_config/manifests/packages/gnutls.pp | 5 ++++ 4 files changed, 34 insertions(+), 29 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/base_packages.pp create mode 100644 puppet/modules/site_config/manifests/packages/base_packages.pp create mode 100644 puppet/modules/site_config/manifests/packages/gnutls.pp 
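Review bot: `'smtp_tls_ask_ccert'` in the new smtp block does not match a Postfix parameter as far as I know — only the server side has `smtpd_tls_ask_ccert`, while the client offers its certificate through the `smtp_tls_cert_file`/`smtp_tls_key_file` already set here — so Postfix would log it as an unused parameter; check with `postconf smtp_tls_ask_ccert` and drop the line if it is unknown. `'smtp_use_tls'` is the legacy switch that Postfix ignores once `smtp_tls_security_level` is set, so it is redundant as well. `smtp_tls_fingerprint_digest => 'sha1'` only takes effect at security level `fingerprint`, which this block does not use; if it is kept for a future policy, `sha256` is the safer value given SHA-1's known collision weakness, and the comment about the md5 default would need updating accordingly.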
diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp deleted file mode 100644 index 3d40f7a2..00000000 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ /dev/null @@ -1,28 +0,0 @@ -class site_config::base_packages { - - # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: - ensure => installed, - } - - # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', - 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', - 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', - 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', - 'x11-utils', 'xterm' ]: - ensure => absent; - } - - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present - } else { - $virtualbox_ensure = absent - } - - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure - } -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 16932ab2..d3bb241f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -48,7 +48,7 @@ class site_config::default { } # install/remove base packages - include site_config::base_packages + include site_config::packages::base # include basic shorewall config include site_shorewall::defaults diff --git a/puppet/modules/site_config/manifests/packages/base_packages.pp b/puppet/modules/site_config/manifests/packages/base_packages.pp new file mode 100644 index 00000000..d93e194b --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/base_packages.pp 
@@ -0,0 +1,28 @@
+class site_config::packages::base {
+
+ # base set of packages that we want to have installed everywhere
+ package { [ 'etckeeper', 'screen', 'less' ]:
+ ensure => installed,
+ }
+
+ # base set of packages that we want to remove everywhere
+ package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp',
+ 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server',
+ 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind',
+ 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5',
+ 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common',
+ 'x11-utils', 'xterm' ]:
+ ensure => absent;
+ }
+
+ if $::virtual == 'virtualbox' {
+ $virtualbox_ensure = present
+ } else {
+ $virtualbox_ensure = absent
+ }
+
+ package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc',
+ 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
+ ensure => $virtualbox_ensure
+ }
+}
diff --git a/puppet/modules/site_config/manifests/packages/gnutls.pp b/puppet/modules/site_config/manifests/packages/gnutls.pp new file mode 100644
index 00000000..b1f17480
--- /dev/null
+++ b/puppet/modules/site_config/manifests/packages/gnutls.pp
@@ -0,0 +1,5 @@
+class site_config::packages::gnutls {
+
+ package { 'gnutls-bin': ensure => installed }
+
+}
-- cgit v1.2.3 From 407fad442822e04d311ecfbc7bc54de0b037d3a9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:11:39 -0400 Subject: set myhostname in postfix the internet hostname of this mail system. The default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869) Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6 --- puppet/modules/site_postfix/manifests/mx.pp | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 0eb7a7cd..e44b7a9a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
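Review bot: The new file is `packages/base_packages.pp` but declares `class site_config::packages::base`, so the autoloader will look for `site_config/manifests/packages/base.pp` when default.pp does `include site_config::packages::base` and will not find it (a later commit in this series, "fix name of base class file", corrects the path). Either the file name or the class name needs to match at this commit; the gnutls.pp hunk is consistent.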
@@ -2,6 +2,7 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] + $host_domain = $domain_hash['full'] $mx_hash = hiera('mx') $cert_name = hiera('name') @@ -16,6 +17,8 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'myhostname': + value => $host_domain; 'mailbox_size_limit': value => '0'; 'home_mailbox': -- cgit v1.2.3 From 3b532da3871a5a655af4b0741348d9140b0ebf6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Oct 2013 10:37:05 -0400 Subject: only add vpn_(un)?limited_udp_resolver and vpn_(un)?limited_tcp_resolver lines to unbound.conf if the openvpn package is installed (#3868) Change-Id: I65852660a606ccea7569b2207bd535bd8aa3867c --- puppet/modules/site_openvpn/manifests/resolver.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c1bce858..c74fb509 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -60,25 +60,25 @@ class site_openvpn::resolver { path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', notify => Service['unbound'], - require => Package['unbound']; + require => [ Package['openvpn'], Package['unbound'] ]; 'add_unlimited_udp_resolver': ensure => $ensure_unlimited, path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', notify => Service['unbound'], - require => Package['unbound']; + require => [ Package['openvpn'], Package['unbound'] ]; 'add_limited_tcp_resolver': ensure => $ensure_limited, path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', notify => Service['unbound'], - require => Package['unbound']; - 'add_limited_udp_resolver': + require => [ Package['openvpn'], Package['unbound'] ]; + 'add_limited_udp_resolver': ensure => $ensure_limited, path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', notify => Service['unbound'], - require => Package['unbound'] + require => [ Package['openvpn'], Package['unbound'] ]; } } -- cgit v1.2.3 From f531ec536a55d756262329f516f1b3bdccf4f0b4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:20:19 -0400 Subject: setup smtpd_tls_eecdh_grade to 'ultra' and configure the smtpd_tls_dh1024_param file, after generating it (#3953) Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..9122a974 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
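Review bot: Adding `Package['openvpn']` to `require` on the four file_line resources orders them after the package but does not make them conditional as the commit message says: with the package at `ensure => absent` the include lines are still written, and if `Package['openvpn']` is not in the catalog at all the compile fails on the missing dependency. Making it conditional means driving `$ensure_unlimited`/`$ensure_limited` (set outside this hunk) from the openvpn state, or wrapping the block in a conditional on it. The semicolon added on the last `require` is correct; the class body continues outside the hunk.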
@@ -14,6 +14,37 @@ class site_postfix::mx::tls { 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + exec { 'certtool-postfix-gendh-1024': + command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + user => root, + group => root, + creates => '/etc/postfix/dh_1024.pem', + require => Package['gnutls-bin'] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/dh_1024.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh-1024']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/dh_1024.pem', + require => File['/etc/postfix/dh_1024.pem'] } } -- cgit v1.2.3 From 56f7b18d03f5ea337a68d653b422834c9283cfab Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 9122a974..5e399f5c 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp 
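Review bot: `exec { 'certtool-postfix-gendh-1024': command => 'certtool --generate-dh-params ...' }` has neither a `path` attribute nor a fully qualified command, so unless an `Exec { path => ... }` default is set elsewhere in the site manifests Puppet refuses to run it ("not qualified and no path was specified"); `path => ['/usr/bin', '/bin']` or `command => '/usr/bin/certtool ...'` fixes that. The 1024-bit size is below current guidance for DH groups (a later commit in the series moves to 2048, so no need to repeat it there). The class body continues outside the hunk.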
@@ -25,17 +25,21 @@ class site_postfix::mx::tls { include site_config::packages::gnutls + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, - creates => '/etc/postfix/dh_1024.pem', + creates => '/etc/postfix/smtpd_tls_dh_param.pem', require => Package['gnutls-bin'] } # Make sure the dh params file has correct ownership and mode file { - '/etc/postfix/dh_1024.pem': + '/etc/postfix/smtpd_tls_dh_param.pem': owner => root, group => root, mode => '0600', @@ -43,8 +47,8 @@ class site_postfix::mx::tls { } postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/dh_1024.pem', - require => File['/etc/postfix/dh_1024.pem'] + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] } } -- cgit v1.2.3 From f7bb77c38d31021e810b1b55097fa3329bd73ce7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 15:27:33 -0400 Subject: fix name of base class file Change-Id: I844970f1c8f895d5a460d5082bfa1a2a88b32ecd --- .../modules/site_config/manifests/packages/base.pp | 28 ++++++++++++++++++++++ .../manifests/packages/base_packages.pp | 28 ---------------------- 2 files changed, 28 insertions(+), 28 deletions(-) create mode 100644 puppet/modules/site_config/manifests/packages/base.pp delete mode 100644 puppet/modules/site_config/manifests/packages/base_packages.pp diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp new file mode 100644 index 00000000..d93e194b --- /dev/null 
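Review bot: The comment added at the top of the hunk, `# Note, the file name is called dh_1024.pem, but we are generating 2048bit dh parameters`, is stale within the same hunk, which renames the output to `/etc/postfix/smtpd_tls_dh_param.pem`; something like `# smtpd_tls_dh1024_param_file accepts DH parameters of any size; we generate 2048 bits into smtpd_tls_dh_param.pem` would match the code (the sentence about Postfix/OpenSSL can stay). The exec title `certtool-postfix-gendh-1024` still carries the old size as well. Nodes that already ran the previous version keep an orphaned `/etc/postfix/dh_1024.pem`; a `file { '/etc/postfix/dh_1024.pem': ensure => absent }` would tidy that up.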
+++ b/puppet/modules/site_config/manifests/packages/base.pp
@@ -0,0 +1,28 @@
+class site_config::packages::base {
+
+ # base set of packages that we want to have installed everywhere
+ package { [ 'etckeeper', 'screen', 'less' ]:
+ ensure => installed,
+ }
+
+ # base set of packages that we want to remove everywhere
+ package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp',
+ 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server',
+ 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind',
+ 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5',
+ 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common',
+ 'x11-utils', 'xterm' ]:
+ ensure => absent;
+ }
+
+ if $::virtual == 'virtualbox' {
+ $virtualbox_ensure = present
+ } else {
+ $virtualbox_ensure = absent
+ }
+
+ package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc',
+ 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
+ ensure => $virtualbox_ensure
+ }
+}
diff --git a/puppet/modules/site_config/manifests/packages/base_packages.pp b/puppet/modules/site_config/manifests/packages/base_packages.pp deleted file mode 100644
index d93e194b..00000000
--- a/puppet/modules/site_config/manifests/packages/base_packages.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-class site_config::packages::base {
-
- # base set of packages that we want to have installed everywhere
- package { [ 'etckeeper', 'screen', 'less' ]:
- ensure => installed,
- }
-
- # base set of packages that we want to remove everywhere
- package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp',
- 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server',
- 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind',
- 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5',
- 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common',
- 'x11-utils', 'xterm' ]:
- ensure => absent;
- }
-
- if $::virtual == 'virtualbox' {
- $virtualbox_ensure = present
- } else {
- $virtualbox_ensure = absent
- }
-
- package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc',
- 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
- ensure => $virtualbox_ensure
- }
-}
-- cgit v1.2.3 From 9acb4a7c2a36f12a5ca71e5c4c74364d344e2c5f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:45:57 -0400 Subject: only use TLSv1 or later for smtp (Feature #4011) Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f --- puppet/modules/site_postfix/manifests/mx/tls.pp | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 3bc7d85b..96cfa911 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -70,6 +70,9 @@ class site_postfix::mx::tls { value => 'btree:${queue_directory}/smtp_cache'; 'smtp_tls_security_level': value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; } -- cgit v1.2.3 From ed694ff4b412c36801e17c93c0ee587da1ebc981 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 17:57:48 -0400 Subject: implement stripping user's home IPs from Received headers (#3866) Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0 --- .../modules/site_postfix/files/checks/received_anon | 2 ++ puppet/modules/site_postfix/manifests/checks.pp | 20 +++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/files/checks/received_anon diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon new file mode 100644 index 00000000..2822973e --- /dev/null +++ b/puppet/modules/site_postfix/files/checks/received_anon @@ -0,0 +1,2 @@ +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8 diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp index 06f9a7a4..31399d32 100644 --- a/puppet/modules/site_postfix/manifests/checks.pp +++ b/puppet/modules/site_postfix/manifests/checks.pp @@ -6,7 +6,7 @@ class site_postfix::checks { mode => '0755', owner => root, group => postfix, - require => Class['postfix']; + require => Package['postfix']; '/etc/postfix/checks/helo_checks': content => template('site_postfix/checks/helo_access.erb'), 
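Review bot: The address part of the new received_anon pattern, `\[[.[:digit:]]{7,15}\]`, only matches dotted-quad IPv4 literals, so a Received header for an IPv6 client (Postfix writes the `[IPv6:...]` form) never matches and the user's address stays in the header — the very leak this check is meant to close. A broader class such as `\[[^]]+\]` covers both forms; exercising the map with `postmap -q` against sample headers of each address family before deploying would confirm the rewrite. The rule is also gated on the `(Client CN "...", Issuer "..." (verified OK))` clause, so sessions authenticated without a client certificate are left untouched — fine if that is the only submission path, but worth a comment above the rule saying so.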
@@ -20,4 +20,22 @@ class site_postfix::checks { refreshonly => true, subscribe => File['/etc/postfix/checks/helo_checks']; } + + # Anonymize the user's home IP from the email headers (Feature #3866) + package { 'postfix-pcre': ensure => installed } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } + + postfix::config { + 'header_checks': + value => 'pcre:/etc/postfix/checks/received_anon', + require => File['/etc/postfix/checks/received_anon']; + } + } -- cgit v1.2.3 From 5d25466e8365577c48df98afdd22d2880b7ef5ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 96cfa911..cff686e5 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -29,8 +29,8 @@ class site_postfix::mx::tls { # parameters Neither Postfix nor OpenSSL actually care about the size of the # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits - exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', + exec { 'certtool-postfix-gendh': + command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, creates => '/etc/postfix/smtpd_tls_dh_param.pem', 
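Review bot: `postfix::config { 'header_checks': value => 'pcre:/etc/postfix/checks/received_anon' }` references the `pcre:` dictionary type, but nothing orders `Package['postfix-pcre']` before that config or before the `Service['postfix']` restart the file resource triggers; on a first run Postfix can be restarted with a `pcre:` table configured before the module is installed and then fail to start or reject mail. Add the package to the config's dependencies, e.g. `require => [ File['/etc/postfix/checks/received_anon'], Package['postfix-pcre'] ],`. It is also worth a comment that `header_checks` is applied to every message Postfix receives (inbound and relayed, not only submissions), so the rule's specificity to client-cert submissions is load-bearing and should not be loosened casually.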
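Review bot: The `creates => '/etc/postfix/smtpd_tls_dh_param.pem'` guard means the `--bits` value in `command` is honoured only on hosts where the file does not exist yet; a host that already has a parameter file of any size is never regenerated, and renaming the exec to `certtool-postfix-gendh` does not change that. If the intent is to guarantee 2048-bit parameters everywhere, encode the size in the filename or replace `creates` with an `unless` that inspects the file, and state in the comment above that existing files are kept as-is. The exec declares no dependency on the package providing `certtool` (gnutls-bin); it may be declared elsewhere in the class, which lies outside the hunk.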
@@ -43,7 +43,7 @@ class site_postfix::mx::tls { owner => root, group => root, mode => '0600', - require => Exec['certtool-postfix-gendh-1024']; + require => Exec['certtool-postfix-gendh']; } postfix::config { 'smtpd_tls_dh1024_param_file': -- cgit v1.2.3 From 9890125a57c3a06792e8d08ba15f1b636c764c61 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 8 Oct 2013 19:39:18 -0400 Subject: setup email account 'blacklist' by configuring reserved aliases, effectively implementing RFC2142 and more (#3602) Change-Id: Ic2765b25ff9e1560def4900a1bf38dc8023b0ffa --- puppet/modules/site_postfix/manifests/mx.pp | 1 + .../modules/site_postfix/manifests/mx/reserved_aliases.pp | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e44b7a9a..a043c277 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -34,6 +34,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::checks include site_postfix::mx::tls + include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production #include site_postfix::debug diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp new file mode 100644 index 00000000..6df53355 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp 
@@ -0,0 +1,13 @@
+class site_postfix::reserved_aliases {
+
+ postfix::mailalias {
+ [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin',
+ 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www',
+ 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games',
+ 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp',
+ 'ftp':
+ ensure => present,
+ recipient => 'root'
+ }
+
+}
-- 
cgit v1.2.3

From 80172de8a301c3befa26ac25c5e858f070bb2040 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 10 Oct 2013 18:09:32 +0200
Subject: provide global.provider.contacts.default on every node, no need to add in services/mx.json again

---
 provider_base/common.json | 1 +
 provider_base/services/mx.json | 3 ---
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/provider_base/common.json b/provider_base/common.json
index 2313bd8b..7ccb5005 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -3,6 +3,7 @@
 "environment": null,
 "services": [],
 "tags": [],
+ "contacts": "= global.provider.contacts.default",
 "domain": {
 "full_suffix": "= global.provider.domain",
 "internal_suffix": "= global.provider.domain_internal",
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index f999dd23..7b0aa57b 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -1,7 +1,4 @@
 {
- "mx": {
- "contact": "= global.provider.contacts.default"
- },
 "stunnel": {
 "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
 },
-- 
cgit v1.2.3

From b22a3524c99f9205c8078d5542718e3625e68244 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 10 Oct 2013 18:14:24 +0200
Subject: fix site_postfix::mx::reserved_aliases class name and package array

---
 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
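Review bot: The alias list presented as implementing RFC 2142 omits four of the mailbox names that RFC defines — `info`, `marketing`, `sales` and `support` (its business-related section) — and also `mailer-daemon`, which Postfix uses as the visible sender of its own bounces; a user who registers any of these receives mail intended for the operator. Consider extending the array with `'info', 'marketing', 'sales', 'support', 'mailer-daemon',` and adding a comment above it naming the RFC so future additions have a reference. Whether the presence of an alias actually blocks registration depends on how the webapp consults this table, which is not visible here and should be confirmed before calling this a blacklist.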
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp index 6df53355..aea66f78 100644 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -1,11 +1,11 @@ -class site_postfix::reserved_aliases { +class site_postfix::mx::reserved_aliases { postfix::mailalias { [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', - 'ftp': + 'ftp' ]: ensure => present, recipient => 'root' } -- cgit v1.2.3 From 2a291df14f20a3e3ac1eeebbaf50c79feb2012ed Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:15:56 +0200 Subject: contacts is now a top-level hiera variable --- puppet/modules/site_postfix/manifests/mx.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a043c277..08d57a24 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -3,10 +3,9 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] - $mx_hash = hiera('mx') $cert_name = hiera('name') - $root_mail_recipient = $mx_hash['contact'] + $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' include site_config::x509::cert -- cgit v1.2.3 From 1d080ba042d9ce55c4eaad6d35f7fffefccdbbca Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:30:44 +0200 Subject: added mail.smarthost variable to hiera --- provider_base/common.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/provider_base/common.json b/provider_base/common.json index 7ccb5005..5be0dd70 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -36,5 +36,8 @@ }, "name": "common", "location": null, - "enabled": true + "enabled": true, + "mail": { + "smarthost": "= nodes_like_me[:services => :mx].exclude(self).field('domain.full')" + } } -- cgit v1.2.3 From 04e270616db7d486eeacb298aed173731c9a2fe2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:49:36 +0200 Subject: deploy postfix satellites on all nodes (Bug #1683) --- puppet/modules/site_config/manifests/default.pp | 4 ++++ puppet/modules/site_postfix/manifests/satellite.pp | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/satellite.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d3bb241f..a645cb1a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -71,4 +71,8 @@ class site_config::default { include site_squid_deb_proxy::client } + if $::services !~ /\bmx\b/ { + include site_postfix::satellite + } + } diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp new file mode 100644 index 00000000..de20b667 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -0,0 +1,11 @@ +class site_postfix::satellite { + + $root_mail_recipient = hiera ('contacts') + $mail = hiera ('mail') + $relayhost = $mail['smarthost'] + + class { '::postfix::satellite': + relayhost => $relayhost, + root_mail_recipient => $root_mail_recipient + } +} -- cgit v1.2.3 From 2a4ae58cc5e3f6e4a1e09ef6a9f15ade1e2c59fa Mon Sep 17 00:00:00 2001 
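Review bot: `nodes_like_me[:services => :mx].exclude(self).field('domain.full')` appears to yield one value per mx node, but satellite.pp (same commit series) feeds this straight into Postfix `relayhost`, which takes a single destination; with two or more mx nodes the rendered value is presumably a list and with none it is empty, and neither case is handled. Consider selecting a single host explicitly (or a dedicated round-robin name) and documenting that exactly one smarthost is expected. The list semantics of `field` are inferred from the expression's shape and should be confirmed against the config engine.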
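Review bot: The satellite passes `relayhost => $relayhost` to `::postfix::satellite` but nothing visible secures that relay: no `smtp_tls_security_level` or CA settings on the satellite side, and the MX must accept relaying from the satellite's address (`mynetworks` or SASL), which this hunk does not arrange — if the shared postfix module defaults to plaintext, root/cron mail between nodes crosses the network unencrypted. Confirm the module's defaults or pass the TLS parameters explicitly, and guard the smarthost value, which is used without checking it is a single non-empty host, e.g. `if $relayhost == '' { fail('no mx node available as smarthost') }`. A one-line class comment stating that this is only included on non-mx nodes would also help readers.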
From: varac Date: Thu, 10 Oct 2013 18:53:13 +0200 Subject: move site_config::checks to site_config::mx::checks --- puppet/modules/site_postfix/manifests/checks.pp | 41 ---------------------- puppet/modules/site_postfix/manifests/mx.pp | 2 +- puppet/modules/site_postfix/manifests/mx/checks.pp | 41 ++++++++++++++++++++++ 3 files changed, 42 insertions(+), 42 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/checks.pp diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp deleted file mode 100644 index 31399d32..00000000 --- a/puppet/modules/site_postfix/manifests/checks.pp +++ /dev/null @@ -1,41 +0,0 @@ -class site_postfix::checks { - - file { - '/etc/postfix/checks': - ensure => directory, - mode => '0755', - owner => root, - group => postfix, - require => Package['postfix']; - - '/etc/postfix/checks/helo_checks': - content => template('site_postfix/checks/helo_access.erb'), - mode => '0644', - owner => root, - group => root; - } - - exec { - '/usr/sbin/postmap /etc/postfix/checks/helo_checks': - refreshonly => true, - subscribe => File['/etc/postfix/checks/helo_checks']; - } - - # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed } - - file { '/etc/postfix/checks/received_anon': - source => 'puppet:///modules/site_postfix/checks/received_anon', - mode => '0644', - owner => root, - group => root, - notify => Service['postfix'] - } - - postfix::config { - 'header_checks': - value => 'pcre:/etc/postfix/checks/received_anon', - require => File['/etc/postfix/checks/received_anon']; - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 08d57a24..474ed03d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -31,7 +31,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks - include site_postfix::checks + include site_postfix::mx::checks include site_postfix::mx::tls include site_postfix::mx::reserved_aliases diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp new file mode 100644 index 00000000..31399d32 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -0,0 +1,41 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Package['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } + + # Anonymize the user's home IP from the email headers (Feature #3866) + package { 'postfix-pcre': ensure => installed } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } + + postfix::config { + 'header_checks': + value => 'pcre:/etc/postfix/checks/received_anon', + require => File['/etc/postfix/checks/received_anon']; + } + +} -- cgit v1.2.3 From c655713c15263848b5af8fc8d8b6b41e69cb8d1c Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Oct 2013 14:55:16 +0200 Subject: don't remove dev-packages on webapp node they are needed for building gems --- puppet/modules/site_config/manifests/packages/base.pp | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index d93e194b..94ff679b 100644 
--- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -6,7 +6,7 @@ class site_config::packages::base { } # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', 'fontconfig-config', 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', @@ -15,14 +15,17 @@ class site_config::packages::base { ensure => absent; } - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present + if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ { + $dev_packages_ensure = present } else { - $virtualbox_ensure = absent + $dev_packages_ensure = absent } - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) + # dev_packages are needed for building gems on the webapp node + + package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure + ensure => $dev_packages_ensure } } -- cgit v1.2.3 From 23304bbc281ef25b9ad2a607631aaa728e9c7b29 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 15:32:26 +0200 Subject: install ruby-dev for nickserver/webapp (#4079 + #4080) --- puppet/modules/site_config/manifests/ruby.pp | 4 +++- puppet/modules/site_config/manifests/ruby/dev.pp | 6 ++++++ puppet/modules/site_nickserver/manifests/init.pp | 9 +++++---- puppet/modules/site_webapp/manifests/init.pp | 8 ++++++-- 4 files changed, 20 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_config/manifests/ruby/dev.pp diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 2a720114..9c005032 100644 
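Review bot: Keeping `build-essential`, `gcc`, `g++`, `cpp` and `libc6-dev` installed on every webapp node puts a full compiler toolchain on the internet-facing service host, which is exactly the attack-surface reduction the removal list above was introduced for; the motivation (building native gem extensions at deploy time) is legitimate but should be recorded as a conscious trade-off. Add a comment above the condition such as `# webapp nodes compile native gem extensions at deploy time; toolchain stays installed (#4079/#4080)`, and longer term prefer prebuilt gems or a build host so the toolchain can be removed after `bundle install`. The `$::services =~ /\bwebapp\b/` test relies on `$services` being a space-separated string of names (setup.pp defaults it to `''`); if it ever becomes an array the match changes meaning silently, so note that assumption too.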
--- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -1,6 +1,8 @@ class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': ruby_version => '1.9.3' } + class { '::ruby': + ruby_version => '1.9.3', + } class { 'bundler::install': install_method => 'package' } include rubygems } diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp new file mode 100644 index 00000000..dbc77ae7 --- /dev/null +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -0,0 +1,6 @@ +class site_config::ruby::dev inherits site_config::ruby { + Class['::ruby'] { + ruby_version => '1.9.3', + install_dev => true + } +} diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index bf0511d5..59613f7b 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -13,7 +13,7 @@ class site_nickserver { tag 'leap_service' Class['site_config::default'] -> Class['site_nickserver'] - include site_config::ruby + include site_config::ruby::dev # # VARIABLES @@ -65,7 +65,7 @@ class site_nickserver { # package { - 'libssl-dev': ensure => installed; + [ 'libssl-dev' ]: ensure => installed; } vcsrepo { '/srv/leap/nickserver': @@ -85,8 +85,9 @@ class site_nickserver { unless => '/usr/bin/bundle check', user => 'nickserver', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], - Package['libssl-dev'] ], + require => [ + Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], + Package['libssl-dev'], Package['ruby-dev'] ], notify => Service['nickserver']; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c85a5ddc..f305f1a9 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -13,7 +13,7 @@ class site_webapp { Class['site_config::default'] -> Class['site_webapp'] - include site_config::ruby + include site_config::ruby::dev include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy @@ -55,7 +55,11 @@ class site_webapp { unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'], Service['shorewall'] ], + require => [ + Class['bundler::install'], + Vcsrepo['/srv/leap/webapp'], + Package['ruby-dev'], + Service['shorewall'] ], notify => Service['apache']; } -- cgit v1.2.3 From da6cb0546f91444d8c4e059eaa99f17fafe9c5a2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 18:02:59 +0200 Subject: fixed issues from https://review.leap.se/r/98/ --- puppet/modules/site_config/manifests/ruby.pp | 4 +--- puppet/modules/site_nickserver/manifests/init.pp | 7 +++---- puppet/modules/site_webapp/manifests/init.pp | 2 +- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 9c005032..2a720114 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -1,8 +1,6 @@ class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': - ruby_version => '1.9.3', - } + class { '::ruby': ruby_version => '1.9.3' } class { 'bundler::install': install_method => 'package' } include rubygems } diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 59613f7b..81482a55 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp 
@@ -64,9 +64,7 @@ class site_nickserver { # before EventMachine gem is built/installed. # - package { - [ 'libssl-dev' ]: ensure => installed; - } + package { 'libssl-dev': ensure => installed } vcsrepo { '/srv/leap/nickserver': ensure => present, @@ -87,7 +85,8 @@ class site_nickserver { timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], - Package['libssl-dev'], Package['ruby-dev'] ], + Package['libssl-dev'], Class['site_config::ruby::dev'] ], + notify => Service['nickserver']; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f305f1a9..6c5bda4c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -58,7 +58,7 @@ class site_webapp { require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'], - Package['ruby-dev'], + Class['site_config::ruby::dev'], Service['shorewall'] ], notify => Service['apache']; } -- cgit v1.2.3 From f2cd05902a9dd64beb1417ddb1d9994c4dc29b14 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 22:08:07 +0200 Subject: class moved but forgot to rename --- puppet/modules/site_postfix/manifests/mx/checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 31399d32..6b19891c 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -1,4 +1,4 @@ -class site_postfix::checks { +class site_postfix::mx::checks { file { '/etc/postfix/checks': -- cgit v1.2.3 From 4a75cd70b50969023c507b5c9ec2e8c36142f706 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 22:32:01 +0200 Subject: /etc/haproxy/haproxy.cfg changed randomly (Feature #4111) --- puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index 914a964e..1fa01b96 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -13,7 +13,7 @@ listen bigcouch-in default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 <%- if @haproxy['servers'] -%> -<%- @haproxy['servers'].each do |name,server| -%> +<%- @haproxy['servers'].sort.each do |name,server| -%> <%- backup = server['backup'] ? 'backup' : '' -%> # <%=name%> server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check -- cgit v1.2.3 From 071bd544ed79a07bb2532b7e79318e76062ba49e Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 12 Oct 2013 01:02:38 +0200 Subject: puppet - openvpn gateway address is hard coded as a /24 network (Bug #1863) --- puppet/modules/site_openvpn/manifests/init.pp | 6 ++++++ puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 61fefd0a..42146741 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -62,6 +62,12 @@ class site_openvpn { $openvpn_limited_udp_cidr = '21' } + # find out the netmask in cidr format of the primary IF + # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/ + # we can do this using an inline_template: + $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}" + $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>') + # deploy dh keys include site_openvpn::dh_key 
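Review bot: `$primary_netmask` is read from a custom fact `netmask_cidr_<interface>` via `scope.lookupvar` with no check that the fact exists; if it is missing (new interface name, custom fact not yet synced on a first run) the inline template renders empty or the literal `undefined`, and the generated `ip addr add <addr>/ dev ...` in add_gateway_ips.sh either fails or, depending on the `ip` version, silently falls back to a /32. Add a guard after the lookup, e.g. `if $primary_netmask == '' or $primary_netmask == 'undefined' { fail("no netmask_cidr fact for ${::site_config::params::interface}") }`. The class body continues outside the hunk, so the origin of the interface variable cannot be checked here.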
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb index 05f3d16b..e76b756b 100644 --- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -1,11 +1,11 @@ #!/bin/sh -ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> || + ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %> <% if @openvpn_second_gateway_address %> -ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 || - ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> || + ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %> <% end %> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward -- cgit v1.2.3 From 9ca96289f3b0231ad516c35876284ba4b76835b0 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 15 Oct 2013 11:39:44 -0700 Subject: produce a hash for nagios.hosts --- provider_base/services/monitor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index f5e4d922..c3e2b954 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json 
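Review bot: The idempotency check `ip addr show dev ... | grep -q <addr>/<mask>` treats the address as an unanchored regular expression — the dots match any character and there is no boundary before the first octet — so `10.0.0.1/24` also matches `110.0.0.1/24` and the add is skipped on a host carrying such a neighbouring address. Use a fixed-string, bounded match instead, e.g. `grep -qF -- "inet <%= @openvpn_gateway_address %>/<%= @primary_netmask %> "` (note the `inet ` prefix and trailing space), and the same for the second gateway. The script also has no `set -e`, so a failed `ip addr add` still proceeds to enable `ip_forward`; `set -eu` at the top would make the failure visible to Puppet.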
@@ -1,6 +1,6 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", - "hosts": "= nodes_like_me.fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" } } -- cgit v1.2.3 From befbc71fa2af217ff89facd8e10794b60f19f66e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 15 Oct 2013 22:43:49 +0200 Subject: new fallback nameservers (#4113) * the german privacy foundation has dissolved itself and shut down their public nameserver. we are now using the public nameserver by Digitalcourage, a german privacy organisation (https://en.wikipedia.org/wiki/Digitalcourage) * the IP for the server of the swiss privacy foundation has changed (http://www.privacyfoundation.ch/de/service/server.html) --- puppet/modules/site_config/manifests/resolvconf.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 271c5043..b307f18b 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -2,12 +2,13 @@ class site_config::resolvconf { $domain_public = $site_config::default::domain_hash['full_suffix'] - # 127.0.0.1: caching-only local bind - # 87.118.100.175: http://server.privacyfoundation.de - # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html class { '::resolvconf': domain => $domain_public, search => $domain_public, - nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ] + nameservers => [ + '127.0.0.1 # local caching-only, unbound', + '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', + '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + ] } } -- cgit v1.2.3 
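Review bot: The new `nameservers` entries carry `# ...` comments inside the string values, so the attribution ends up in the generated resolv.conf on the `nameserver` line itself (`nameserver 85.214.20.141 # Digitalcourage ...`); glibc's parser happens to tolerate trailing text after the address, but other consumers of that file (resolvconf hooks, dnsmasq, tooling that copies it into containers) may not, and the behaviour is fragile. Keep the addresses as bare strings and move the attribution into Puppet comments above the array, e.g. `# 85.214.20.141: Digitalcourage (https://en.wikipedia.org/wiki/Digitalcourage)`. Separately, both public fallbacks are queried in the clear and bypass the local unbound whenever 127.0.0.1 times out, which deserves a one-line comment as a deliberate privacy/availability trade-off.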
From 27f6e30c0096970c49efcf572227d39fe5612ed9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 00:02:27 +0200 Subject: vagrant: support other providers besides virtualbox (Bug #4158) --- puppet/modules/site_config/manifests/default.pp | 3 ++- puppet/modules/site_config/manifests/packages/base.pp | 4 +++- puppet/modules/site_config/manifests/params.pp | 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index a645cb1a..c7243d5f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -2,6 +2,7 @@ class site_config::default { tag 'leap_base' $domain_hash = hiera('domain') + include site_config::params # make sure apt is updated before any packages are installed include apt::update @@ -32,7 +33,7 @@ class site_config::default { include site_config::dhclient } - if ( $::virtual == 'virtualbox' ) { + if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 94ff679b..3e1d4a67 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,5 +1,7 @@ class site_config::packages::base { + include site_config::params + # base set of packages that we want to have installed everywhere package { [ 'etckeeper', 'screen', 'less' ]: ensure => installed, @@ -15,7 +17,7 @@ class site_config::packages::base { ensure => absent; } - if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ { + if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { $dev_packages_ensure = present } else { $dev_packages_ensure = absent 
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 59a161e8..2ef391db 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -3,8 +3,10 @@ class site_config::params { $ip_address = hiera('ip_address') $ip_address_interface = getvar("interface_${ip_address}") $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") + $environment = hiera('environment') - if $::virtual == 'virtualbox' { + + if $environment == 'local' { $interface = 'eth1' } elsif hiera('interface','') != '' { -- cgit v1.2.3 From 57a1a16f6d6df7dfebf0d40c38af7fbc3af21a34 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 11:15:44 -0400 Subject: add rsyslog puppet submodule Change-Id: Ic9f521010af7b362490ee5b0048e41cf11bfc593 --- .gitmodules | 3 +++ puppet/modules/rsyslog | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/rsyslog diff --git a/.gitmodules b/.gitmodules index 070cb517..0ab46323 100644 --- a/.gitmodules +++ b/.gitmodules @@ -79,3 +79,6 @@ [submodule "puppet/modules/vcsrepo"] path = puppet/modules/vcsrepo url = https://leap.se/git/puppet_vcsrepo +[submodule "puppet/modules/rsyslog"] + path = puppet/modules/rsyslog + url = https://leap.se/git/puppet_rsyslog diff --git a/puppet/modules/rsyslog b/puppet/modules/rsyslog new file mode 160000 index 00000000..20fbda6b --- /dev/null +++ b/puppet/modules/rsyslog @@ -0,0 +1 @@ +Subproject commit 20fbda6b91472e656331a9c64630fb207e9f5789 -- cgit v1.2.3 From de8fe441e1c07b63f1c02aa231a8a56c9a9448ec Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 16 Oct 2013 11:16:18 -0400 Subject: rsyslog: setup default local config that gets us the same config as default from debian Change-Id: If07ee200e2ae0d9cfaf8e405d6354c80d77330ca --- puppet/modules/site_config/manifests/default.pp | 3 +++ puppet/modules/site_config/manifests/syslog.pp | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 puppet/modules/site_config/manifests/syslog.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c7243d5f..2380066a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -48,6 +48,9 @@ class site_config::default { stage => setup, } + # install/configure syslog + include site_config::syslog + # install/remove base packages include site_config::packages::base diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp new file mode 100644 index 00000000..c7c55c34 --- /dev/null +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -0,0 +1,6 @@ +class site_config::syslog { + + class { 'rsyslog::client': log_remote => false, log_local => true } + +} + -- cgit v1.2.3 From aa86d15696245c6ded59ca51ceff8f6eaf3119c5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 12:18:15 -0400 Subject: syslog: add rsyslog::snippet to anonymize logs it is necessary to install the fixed package from the leap.se repository until it is available in wheezy-backports, so install the apt preferences to pull it from there, and add its necessary library dependency from wheezy-backports Change-Id: I379ff2ceaac1a978143715d3a7ced0011ca0d747 --- puppet/modules/site_config/manifests/syslog.pp | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index c7c55c34..6a9da460 100644 
--- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,6 +1,28 @@ class site_config::syslog { - class { 'rsyslog::client': log_remote => false, log_local => true } + # we need to pull in rsyslog from the leap repository until it is availbale in + # wheezy-backports + apt::preferences_snippet { 'fixed_rsyslog_anon_package': + package => 'rsyslog', + priority => '999', + pin => 'release o=leap.se', + before => Class['rsyslog::install'] + } -} + apt::preferences_snippet { 'rsyslog_anon_libestr0': + package => 'libestr0', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install'] + } + + class { 'rsyslog::client': + log_remote => false, + log_local => true + } + rsyslog::snippet { '00-anonymize_logs': + content => '$ModLoad mmanon +action(type="mmanon" ipv4.bits="32" mode="rewrite")' + } +} -- cgit v1.2.3 From 6381342712085fc5c147f21b13872d0c49c42855 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 20:48:21 +0200 Subject: /etc/apt/preferences is changed twice on every puppetrun on couch nodes (Feature #3962) this will fix the alteration of the preferences file. we now use the apt module default preferences, and pin the depending packages from squeeze that are dependencies for the bigcouch package in the couchdb module, class couchdb::bigcouch::package::cloudant. --- puppet/modules/site_apt/manifests/init.pp | 9 --------- 1 file changed, 9 deletions(-) diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 3fa9a2b7..9facf4cc 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
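Review bot: `action(type="mmanon" ipv4.bits="32" mode="rewrite")` anonymizes IPv4 literals only; IPv6 client addresses in log lines (sshd, postfix, apache on a dual-stack host) are left intact, so the stated goal is only partly met — whether the pinned rsyslog build supports an `ipv6.bits` option should be checked and, if it does, added to the action. The snippet also only works if it runs before any output rule; the `00-` prefix presumably sorts it first in `/etc/rsyslog.d`, which is worth stating: `# must sort before any output rules so mmanon rewrites the message first`. Mixing the legacy `$ModLoad` directive with a RainerScript `action()` is valid but a short comment would save the next reader a lookup.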
@@ -1,15 +1,6 @@ class site_apt { - # on couchdb we need to include squeeze in apt preferences, - # so the cloudant package can pull some packages from squeeze - # template() must be unquoted ! - if 'couchdb' in $::services { - $custom_preferences = template("site_apt/preferences.include_squeeze") - } else { - $custom_preferences = '' - } class { 'apt': - custom_preferences => $custom_preferences, custom_key_dir => 'puppet:///modules/site_apt/keys' } -- cgit v1.2.3 From 99df31cdd58ca60b90c0098b126903e2d8251128 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 21:30:16 +0200 Subject: vagrant: support other providers besides virtualbox (Bug #4158), Part 2 took out the last remaining virtualbox references --- puppet/manifests/setup.pp | 4 +++- puppet/modules/site_shorewall/manifests/defaults.pp | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index ba58e728..84124f5a 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -5,6 +5,8 @@ $services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +include site_config::params + include concat::setup include site_config::hosts @@ -26,7 +28,7 @@ if hiera('squid_deb_proxy_client', false) { # we need to include shorewall::interface{eth0} in setup.pp so # packages can be installed during main puppetrun, even before shorewall # is configured completly -if ( $::virtual == 'virtualbox' ) { +if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 6a40d501..8f56ac42 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
@@ -4,7 +4,9 @@ class site_shorewall::defaults { include site_config::params # be safe for development - #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + # if ( $::site_config::params::environment == 'local' ) { + # $shorewall_startup='0' + # } # If you want logging: shorewall::params { -- cgit v1.2.3 From 62d76bb7454df2c4f0aebac3efed201f6aa0bdb4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 22:36:08 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index e5bbb903..d84dfddb 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit e5bbb903159a94dc3357344d78060343ef47bac8 +Subproject commit d84dfddb0dfc2e5207c90380fb1f7fcf7bc7a72d -- cgit v1.2.3 From a44e598c29b66bd560dbe864b70f13aa324c1437 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 15:59:26 -0400 Subject: fix for rsyslog-relp being installed first, resulting in dependency errors (#4161) Change-Id: I2f0bcc5b4cb5effae57051f04251aeb8b09a4c6d --- puppet/modules/site_config/manifests/syslog.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 6a9da460..73d4f58f 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp 
@@ -3,14 +3,14 @@ class site_config::syslog { # we need to pull in rsyslog from the leap repository until it is availbale in # wheezy-backports apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog', + package => 'rsyslog-*', priority => '999', pin => 'release o=leap.se', before => Class['rsyslog::install'] } - apt::preferences_snippet { 'rsyslog_anon_libestr0': - package => 'libestr0', + apt::preferences_snippet { 'rsyslog_anon_depends': + package => 'libestr0 librelp0', priority => '999', pin => 'release a=wheezy-backports', before => Class['rsyslog::install'] -- cgit v1.2.3 From c884bc04e2eb29bdaacc5c6673ed7f212dc28e88 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Oct 2013 13:48:01 -0400 Subject: syslog: fix apt_preferences snippet to glob on both rsyslog and rsyslog-relp (#4161) Change-Id: I7eaa35897da3b24833be3b2c14db99cd66b547c0 --- puppet/modules/site_config/manifests/syslog.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 73d4f58f..d3abeca1 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -3,7 +3,7 @@ class site_config::syslog { # we need to pull in rsyslog from the leap repository until it is availbale in # wheezy-backports apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog-*', + package => 'rsyslog*', priority => '999', pin => 'release o=leap.se', before => Class['rsyslog::install'] -- cgit v1.2.3 From cf9b3a637b4e348cd7c055ccb361e28d737914fd Mon Sep 17 00:00:00 2001 
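Review bot: Widening the pin to `package => 'rsyslog*'` makes every package whose name starts with "rsyslog" prefer the leap.se origin at priority 999, whereas the commit message says only rsyslog and rsyslog-relp need it (#4161); a glob on a third-party origin is a blanket trust statement that grows with whatever that repository publishes later. Listing the two packages explicitly, `package => 'rsyslog rsyslog-relp',`, is both tighter and self-documenting, and matches the explicit list already used for the backports pin below it. Class site_config::syslog continues outside the hunk.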
From: varac Date: Mon, 23 Sep 2013 14:15:46 +0200 Subject: nagios: use hash instead of array for hosts (Bug #3909) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Puppet 2.7.19 introduced a change that don't allow resource titles to be something else that a string. from the puppet 2.7.19 changelog: Don’t allow resource titles which aren’t strings It was possible to create resources whose titles weren't strings, by using a variable containing a hash, or the result of a function which doesn't return a string. This can cause problems resolving relationships when the stringified version of the title differs between master and agent. Now we will only accept primitives, and will stringify them. That is: string, symbol, number, boolean. Arrays or nested arrays will still be flattened and used to create multiple resources. Any other value (for instance: a hash) will cause a parse error. currently, it's much easier to iterate over a hash in puppet than over an array, cause every resource you call iterating over an array would need a unique name, and you don't have this in arrays. --- puppet/modules/site_nagios/manifests/add_host.pp | 51 ++++++++++++------------ puppet/modules/site_nagios/manifests/server.pp | 7 ++-- 2 files changed, 30 insertions(+), 28 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp index 498552b5..94352de4 100644 --- a/puppet/modules/site_nagios/manifests/add_host.pp +++ b/puppet/modules/site_nagios/manifests/add_host.pp 
@@ -1,31 +1,32 @@ -define site_nagios::add_host { - $nagios_host = $name - $nagios_hostname = $name['domain_internal'] - $nagios_ip = $name['ip_address'] - $nagios_services = $name['services'] - $nagios_openvpn_gw = $name['openvpn_gateway_address'] +define site_nagios::add_host ( + $domain_internal, + $ip_address, + $services, + $openvpn_gateway_address='' ) { - # Add Nagios host - nagios_host { $nagios_hostname: - address => $nagios_ip, - use => 'generic-host', - } + $nagios_hostname = $domain_internal - # Add Nagios service + # Add Nagios host + nagios_host { $nagios_hostname: + address => $ip_address, + use => 'generic-host', + } - # First, we need to turn the serice array into hash, using a "hash template" - # see https://github.com/ashak/puppet-resource-looping - $nagios_service_hashpart = { - 'hostname' => $nagios_hostname, - 'ip_address' => $nagios_ip, - 'openvpn_gw' => $nagios_openvpn_gw, - } - $dynamic_parameters = { - 'service' => '%s' - } - $nagios_servicename = "${nagios_hostname}_%s" + # Add Nagios service - $nagios_service_hash = create_resources_hash_from($nagios_servicename, $nagios_services, $nagios_service_hashpart, $dynamic_parameters) + # First, we need to turn the serice array into hash, using a "hash template" + # see https://github.com/ashak/puppet-resource-looping + $nagios_service_hashpart = { + 'hostname' => $nagios_hostname, + 'ip_address' => $ip_address, + 'openvpn_gw' => $openvpn_gateway_address, + } + $dynamic_parameters = { + 'service' => '%s' + } + $nagios_servicename = "${nagios_hostname}_%s" - create_resources ( site_nagios::add_service, $nagios_service_hash ) + $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) + + create_resources ( site_nagios::add_service, $nagios_service_hash ) } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index a088921a..3e1ef7e7 100644 
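Review bot: The new parameter list has no documentation and `$services` has no default, so a hiera host entry missing `services`, or carrying any key not named here, now fails catalog compilation with a puppet "Invalid parameter"/"Must pass" error that never mentions hiera (server.pp below passes every key of each host entry straight through `create_resources`). I'd add a header comment spelling out the contract, e.g. `# One nagios host from hiera nagios => hosts; keys must be exactly domain_internal, ip_address, services (array) and optionally openvpn_gateway_address.` As a style point, `$nagios_hostname = $domain_internal` is a pure alias that only adds indirection; using `$domain_internal` directly in the `nagios_host` title and the hash part reads more clearly.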
--- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -5,9 +5,9 @@ class site_nagios::server inherits nagios::base { stage => setup } - $nagios_hiera=hiera('nagios') + $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $hosts = $nagios_hiera['hosts'] + $hosts = $nagios_hiera['hosts'] include nagios::defaults include nagios::base @@ -35,6 +35,7 @@ class site_nagios::server inherits nagios::base { group => 'nagios', } - site_nagios::add_host {$hosts:} + create_resources ( site_nagios::add_host, $hosts ) + include site_shorewall::monitor } -- cgit v1.2.3 From 9074a7bce264d64f467bc628f06e37a5802043bd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 17 Oct 2013 23:09:49 +0200 Subject: "Header set X-Frame-Options: Allow" only for nagios (Bug #4169) Nagios won't work with setting this option to "DENY", as set in conf.d/security (#4169). Therefor we allow it here, only for nagios. --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 6059453b..afc19782 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
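Review bot: Not introduced by this commit, but the context line `$nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw'])` hashes the nagios admin password with what, if it produces Apache's `{SHA}` format, is unsalted SHA-1, so a leaked htpasswd file is trivially brute-forced offline; Apache on wheezy accepts the salted apr1-MD5 form, and a generator for that would be a drop-in replacement here. The new `create_resources ( site_nagios::add_host, $hosts )` line also means the `hosts` value in hiera must now be a hash keyed by node name; a provider still shipping the old array gets a bare create_resources failure, so a comment at the call site would help: `# 'hosts' must be a hash of nodename => { domain_internal, ip_address, services, ... }`. The class body extends outside the hunk.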
@@ -18,7 +18,7 @@ SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' @@ -49,6 +49,10 @@ PassengerEnabled off AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" <% end -%> -- cgit v1.2.3 From d272b9a45b1099a17719fbe3c77b24f10b5de5cb Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Oct 2013 20:59:22 +0200 Subject: Possibility to include local puppet recipes (Feature #3976) --- .gitignore | 3 ++- puppet/manifests/setup.pp | 5 +++++ puppet/modules/site_config/manifests/default.pp | 5 +++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 62603355..f9d757dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -.reviewboardrc +/.reviewboardrc +/puppet/modules/site_custom diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 84124f5a..f89b7032 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -32,3 +32,8 @@ if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } +# if class site_custom::setup exists, include it. +# possibility for users to define custom puppet recipes +if defined( '::site_custom::setup') { + include ::site_custom::setup +} 
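Review bot: `ALLOW` is not a value the X-Frame-Options header defines (only `DENY`, `SAMEORIGIN` and `ALLOW-FROM uri` are), and browsers treat an unrecognised value as if the header were absent, so the new `Header set X-Frame-Options: "ALLOW"` line does not "allow" framing for nagios so much as remove clickjacking protection for that location entirely. The classic Nagios 3 UI frames its own pages from the same origin, so `Header set X-Frame-Options "SAMEORIGIN"` should satisfy #4169 while still refusing third-party framing; mod_headers tolerates the trailing colon on the header name, but it is clearer without it. The comment above it could then read `# nagios uses a same-origin frameset: relax the global DENY from conf.d/security to SAMEORIGIN here only (#4169)`. The enclosing `<% if ... %>` block of the template starts above the hunk.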
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 2380066a..33d3df05 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -79,4 +79,9 @@ class site_config::default { include site_postfix::satellite } + # if class site_custom exists, include it. + # possibility for users to define custom puppet recipes + if defined( '::site_custom') { + include ::site_custom + } } -- cgit v1.2.3 From bf42d6764421c182401f981b3463f261044e9878 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 21 Oct 2013 18:40:06 +0200 Subject: updated submodule postfix --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 25b1de20..1103a73a 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 25b1de206454c663539b748fb9f08276ad95b3e4 +Subproject commit 1103a73ab4253712c6446bba7a443619fe516717 -- cgit v1.2.3 From 367f1402ddb23f50c9b47d8f35bef31ac83fcd81 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 22 Oct 2013 13:38:02 +0200 Subject: site_tor: can't convert String into Integer (Bug #3974) tor.contacts has been a string, and is now an array of email addresses this change needed to be adopted also in stdlib/lib/puppet/parser/functions/obfuscate_email.rb (see #4193). --- puppet/modules/site_tor/manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 16ee4c30..b6e73a23 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp 
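Review bot: The `site_custom` module that `include ::site_custom` pulls in lives in a path this same commit adds to `.gitignore`, so whatever it contains runs as root on every node without passing through this repository's history or review. That is presumably the intent for provider-specific recipes, but the comment should state the consequence and where the code is expected to live, e.g. `# puppet/modules/site_custom is gitignored: it is the provider's own code, runs with full root privileges on every node, and should be kept in the provider's repository.` Class site_config::default starts above the hunk.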
@@ -1,12 +1,12 @@ class site_tor { tag 'leap_service' Class['site_config::default'] -> Class['site_tor'] - + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] $tor_type = $tor['type'] $nickname = $tor['nickname'] - $contact_email = $tor['contacts'] + $contact_emails = join($tor['contacts'],', ') $address = hiera('ip_address') @@ -14,7 +14,7 @@ class site_tor { tor::daemon::relay { $nickname: port => 9001, address => $address, - contact_info => obfuscate_email($contact_email), + contact_info => obfuscate_email($contact_emails), bandwidth_rate => $bandwidth_rate, my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } -- cgit v1.2.3 From ce086618f0da8eab312c44c71117f3f95bf2a39a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Oct 2013 11:50:58 -0400 Subject: stop specifying the haproxy that we provided in our repository, it is available in wheezy-backports now (#4272) Change-Id: Ie0b8b69f1305f4ec8d11356acc308aad2a8c1e91 --- puppet/modules/site_haproxy/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index ace88a7b..602e26be 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -2,7 +2,6 @@ class site_haproxy { class { 'haproxy': enable => true, - version => '1.4.23-0.1~leap60+1', manage_service => true, global_options => { 'log' => '127.0.0.1 local0', -- cgit v1.2.3 From befa14796567d950f7afa066381070ca7246b1d4 Mon Sep 17 00:00:00 2001 
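Review bot: `join($tor['contacts'],', ')` on the new line raises from stdlib's join if a provider's hiera still has `tor.contacts` as a plain string (the shape the removed line expected), so the migration described in the commit message turns old data into a compile failure that never names the key. If the stdlib in use is 4.0 or later, `$contact_emails = join(any2array($tor['contacts']), ', ')` accepts both shapes; otherwise an explicit `is_string` branch does the same. Since `contact_info` ends up in the published relay descriptor, it is also worth checking on one relay what `obfuscate_email` now emits for a comma-joined list, given the function was changed in lockstep (#4193). The class continues below the hunk.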
From: Azul Date: Fri, 25 Oct 2013 12:50:00 +0200 Subject: Users with access to a db are called members - not readers (#4219) ( they can read and write ). I think couch themselves changed the termology at some point but i might just have used the wrong term from the beginning on. Let's call them members either way because it's more clear that read only members require aditional design docs. --- puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d84dfddb..4597cf55 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d84dfddb0dfc2e5207c90380fb1f7fcf7bc7a72d +Subproject commit 4597cf55613aa25e77ef9943c32918fd59ff65c2 diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index f4f93828..5d77c994 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -65,22 +65,22 @@ class site_couchdb { } couchdb::create_db { 'users': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tokens': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'sessions': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tickets': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } 
@@ -88,7 +88,7 @@ class site_couchdb { # via the auth group for now. # leap_mx could use that for a start. couchdb::create_db { 'identities': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 6492bf38a0e092d9eaa4a56a80c441d9eb272da6 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Oct 2013 22:24:22 +0100 Subject: updated submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 73b69e81..71cb0f4c 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 73b69e8198f702f086ff6afd94a54dddc7935893 +Subproject commit 71cb0f4c2c3bf95f62c9f189f5cef155b09a9682 -- cgit v1.2.3 From 39ad06e91c959a3503cde763121fe4b8cdf10c19 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Oct 2013 23:08:11 +0100 Subject: added submodule backupninja from https://leap.se/git/puppet_backupninja --- .gitmodules | 3 +++ puppet/modules/backupninja | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/backupninja diff --git a/.gitmodules b/.gitmodules index 0ab46323..0b339593 100644 --- a/.gitmodules +++ b/.gitmodules @@ -82,3 +82,6 @@ [submodule "puppet/modules/rsyslog"] path = puppet/modules/rsyslog url = https://leap.se/git/puppet_rsyslog +[submodule "puppet/modules/backupninja"] + path = puppet/modules/backupninja + url = https://leap.se/git/puppet_backupninja diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja new file mode 160000 index 00000000..daeb1a1f --- /dev/null +++ b/puppet/modules/backupninja @@ -0,0 +1 @@ +Subproject commit daeb1a1f112a4dbf6b39565f0dea461e46a64681 -- cgit v1.2.3 From 747bfed900f53461fa342d7fa2c44b9275d3a8d1 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 30 Oct 2013 13:31:26 -0400 Subject: require postfix is installed before installing postfix-pcre (#4223) Change-Id: I547b99becb8b16fec0ac89f06fb6d833cbde3c2b --- puppet/modules/site_postfix/manifests/mx/checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 6b19891c..5d75a5e5 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -22,7 +22,7 @@ class site_postfix::mx::checks { } # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed } + package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } file { '/etc/postfix/checks/received_anon': source => 'puppet:///modules/site_postfix/checks/received_anon', -- cgit v1.2.3 From 12f13e38f0776f801907841b8fe4ab65f67ad060 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Oct 2013 14:34:27 -0400 Subject: certtool-postfix-gendh attempted before postfix is installed (Bug #4340) Change-Id: I4ffb5b9203741d1152dfd93ef9ecc45f6a6088d4 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index cff686e5..08978efd 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -34,7 +34,7 @@ class site_postfix::mx::tls { user => root, group => root, creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => Package['gnutls-bin'] + require => [ Package['gnutls-bin'], Package['postfix'] ] } # Make sure the dh params file has correct ownership and mode -- cgit v1.2.3 From ce084fbbe5980497b8b3f3e643e6b618c4fa0b0a Mon Sep 17 00:00:00 2001 
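Review bot: Because the `certtool-postfix-gendh` exec (its command line is above the hunk) is guarded by `creates => '/etc/postfix/smtpd_tls_dh_param.pem'`, the DH parameters are generated exactly once and never regenerated, so whatever bit size the command chose is frozen on every existing node even if the command is later strengthened. Worth confirming the generator asks for at least 2048 bits and saying so next to the guard, e.g. `# generated once; to change the size, edit the command AND remove the file on existing nodes`. The added `Package['postfix']` requirement presumably exists so /etc/postfix is present before the exec runs, which the commit message (#4340) supports.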
From: varac Date: Thu, 31 Oct 2013 00:48:37 +0100 Subject: Automate local backup of couchdb data (Feature #4350) --- puppet/modules/site_couchdb/manifests/backup.pp | 12 ++++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 25 +++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/backup.pp diff --git a/puppet/modules/site_couchdb/manifests/backup.pp b/puppet/modules/site_couchdb/manifests/backup.pp new file mode 100644 index 00000000..ef505693 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/backup.pp @@ -0,0 +1,12 @@ +class site_couchdb::backup { + + # general backupninja config + backupninja::config { 'backupninja_config': + usecolors => false, + } + + # dump all DBs locally to /var/backups/couchdb once a day + backupninja::sh { 'couchdb_backup': + command_string => "cd /srv/leap/couchdb/scripts \n./couchdb_dumpall.sh" + } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5d77c994..684d3ab7 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -16,6 +16,8 @@ class site_couchdb { $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_backup = $couchdb_config['backup'] + $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] 
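Review bot: The `command_string` in `backupninja::sh { 'couchdb_backup': ... }` chains `cd` and the dump script with a newline, so if `cd /srv/leap/couchdb/scripts` fails (repository not cloned yet, path moved) the handler still runs `./couchdb_dumpall.sh` from whatever directory backupninja happened to be in; `command_string => "cd /srv/leap/couchdb/scripts && ./couchdb_dumpall.sh"` makes the failure visible instead. According to the comment the dump lands in `/var/backups/couchdb`, which will then hold every database including tokens, sessions and identities, and nothing in this class sets that directory's ownership or mode; a `file { '/var/backups/couchdb': ensure => directory, mode => '0700' }` here would make the expectation explicit rather than leaving it to the script.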
@@ -96,4 +98,27 @@ class site_couchdb { include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch + + # /etc/couchdb/couchdb.netrc is deployed by the couchdb module + # needed for couchdb_scripts (backup) and makes life easier + # for the admin (i.e. using curl/wget without passing credentials) + + file { '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc' + } + + file { '/srv/leap/couchdb': + ensure => directory + } + + vcsrepo { '/srv/leap/couchdb/scripts': + ensure => present, + provider => git, + source => 'https://leap.se/git/couchdb_scripts', + revision => 'origin/master', + require => File['/srv/leap/couchdb'] + } + + if $couchdb_backup { include site_couchdb::backup } } -- cgit v1.2.3 From 5e004e3bf776f9eb0831213fc25c26009aa6d820 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 1 Nov 2013 18:29:39 +0100 Subject: Change SMTP port to 465 in smtp-service.json (Feature #4339) --- provider_base/files/service-definitions/v1/smtp-service.json.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb index b31eaf21..45f240ac 100644 --- a/provider_base/files/service-definitions/v1/smtp-service.json.erb +++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb @@ -15,7 +15,7 @@ host = {} host["hostname"] = node.domain.full host["ip_address"] = node.ip_address - host["port"] = 587 # hard coded for now, later node.smtp.port + host["port"] = 465 # hard coded for now, later node.smtp.port if node['location'] location_name = underscore(node.location.name) host["location"] = location_name @@ -26,4 +26,4 @@ hsh["hosts"] = hosts hsh["locations"] = locations JSON.sorted_generate hsh -%> \ No newline at end of file +%> -- cgit v1.2.3 From 6a4e2efe9c57dea50119506b3c86b8277c5b5bd0 Mon Sep 17 00:00:00 2001 
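Review bot: `vcsrepo { '/srv/leap/couchdb/scripts': ... revision => 'origin/master' }` fetches code from `https://leap.se/git/couchdb_scripts` at deploy time and tracks a moving branch, and site_couchdb::backup then runs that code as root on a schedule, so a compromise or a plain mistake on that branch reaches every couchdb node at its next puppet run with no review step. Every other external module in this repository is a git submodule pinned to a commit (see the submodule bumps on this page); pinning `revision` to a tag or full commit hash, or vendoring the scripts as a submodule, gives the same property here. The `/root/.netrc` symlink also deserves a caveat in its comment, since wget reads ~/.netrc implicitly while curl only does so with `-n`: `# NOTE: any root wget against the couchdb host now authenticates with the admin credentials automatically`. The class starts above the hunk.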
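Review bot: Switching `host["port"]` from 587 to 465 changes the protocol clients are told to speak, not just the number: 465 conventionally means implicit TLS (SMTPS, TLS from the first byte) whereas 587 means submission with STARTTLS, and nothing in this hunk shows the postfix master.cf or the shorewall rules being updated to match. Worth confirming the mx side exposes an `smtps` service with TLS wrapper mode and that port 465 is opened, and recording the assumption next to the value: `host["port"] = 465 # implicit TLS (smtps); hard coded for now, later node.smtp.port`.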
From: kwadronaut Date: Mon, 4 Nov 2013 00:56:17 +0100 Subject: update documentation of the platform. Todo: known-issues --- doc/development.md | 272 +++++++++++++++++++++++++++++++++++++++ doc/en.md | 4 +- doc/faq.md | 53 ++++++++ doc/guide.md | 57 +++++---- doc/known-issues.md | 6 +- doc/quick-start.md | 336 +++++++++++++++++++++++++++++++++++-------------- doc/troubleshooting.md | 147 ++++++++++++++++++++++ 7 files changed, 754 insertions(+), 121 deletions(-) create mode 100644 doc/development.md create mode 100644 doc/faq.md create mode 100644 doc/troubleshooting.md diff --git a/doc/development.md b/doc/development.md new file mode 100644 index 00000000..7a761418 --- /dev/null +++ b/doc/development.md 
@@ -0,0 +1,272 @@ +@title = "Development Environment" +@toc = true + +If you are wanting to make local changes to your provider, or want to contribute some fixes back to LEAP, we recommend that you follow this guide to build up a development environment to test your changes first. Using this method, you can quickly test your changes without deploying them to your production environment, while benefitting from the convenience of reverting to known good states in order to retry things from scratch. + +This page will walk you through setting up nodes using [Vagrant](http://www.vagrantup.com/) for convenient deployment testing, snapshotting known good states, and reverting to previous snapshots. + +Requirements +============ + +* Be a real machine with virtualization support in the CPU (VT-x or AMD-V). In other words, not a virtual machine. +* Have at least 4gb of RAM. +* Have a fast internet connection (because you will be downloading a lot of big files, like virtual machine images). + +Install prerequisites +-------------------------------- + +For development purposes, you will need everything that you need for deploying the LEAP platform: + +* LEAP cli +* A provider instance + +You will also need to setup a virtualized Vagrant environment, to do so please make sure you have the following +pre-requisites installed: + +*Debian & Ubuntu* + +Install core prerequisites: + + sudo apt-get install git ruby ruby-dev rsync openssh-client openssl rake make + +Install Vagrant in order to be able to test with local virtual machines (typically optional, but required for this tutorial): + + sudo apt-get install vagrant virtualbox + + + + +Adding development nodes to your provider +========================================= + +Now you will add local-only Vagrant development nodes to your provider. + +You do not need to setup a different provider instance for development, in fact it is more convenient if you do not, but you can if you wish. 
If you do not have a provider already, you will need to create one and configure it before continuing (it is recommended you go through the [Quick Start](quick-start) before continuing down this path). + + +Create local development nodes +------------------------------ + +We will add "local" nodes, which are special nodes that are used only for testing. These nodes exist only as virtual machines on your computer, and cannot be accessed from the outside. Each "node" is a server that can have one or more services attached to it. We recommend that you create different nodes for different services to better isolate issues. + +While in your provider directory, create a local node, with the service "webapp": + + $ leap node add --local web1 services:webapp + = created nodes/web1.json + = created files/nodes/web1/ + = created files/nodes/web1/web1.key + = created files/nodes/web1/web1.crt + +This command creates a node configuration file in `nodes/web1.json` with the webapp service. + +Starting local development nodes +-------------------------------- + +In order to test the node "web1" we need to start it. Starting a node for the first time will spin up a virtual machine. The first time you do this will take some time because it will need to download a VM image (about 700mb). After you've downloaded the base image, you will not need to download it again, and instead you will re-use the downloaded image (until you need to update the image). + +NOTE: Many people have difficulties getting Vagrant working. If the following commands do not work, please visit the [Vagrant page](vagrant) to troubleshoot your Vagrant install before proceeding. + + $ leap local start web + = created test/ + = created test/Vagrantfile + = installing vagrant plugin 'sahara' + Bringing machine 'web1' up with 'virtualbox' provider... + [web1] Box 'leap-wheezy' was not found. Fetching box from specified URL for + the provider 'virtualbox'. 
Note that if the URL does not have + a box for this provider, you should interrupt Vagrant now and add + the box yourself. Otherwise Vagrant will attempt to download the + full box prior to discovering this error. + Downloading or copying the box... + Progress: 3% (Rate: 560k/s, Estimated time remaining: 0:13:36) + ... + Bringing machine 'web1' up with 'virtualbox' provider... + [web1] Importing base box 'leap-wheezy'... + 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% + +Now the virtual machine 'web1' is running. You can add another local node using the same process. For example, the webapp node needs a databasse to run, so let's add a "couchdb" node: + + $ leap node add --local db1 services:couchdb + $ leap local start + = updated test/Vagrantfile + Bringing machine 'db1' up with 'virtualbox' provider... + [db1] Importing base box 'leap-wheezy'... + [db1] Matching MAC address for NAT networking... + [db1] Setting the name of the VM... + [db1] Clearing any previously set forwarded ports... + [db1] Fixed port collision for 22 => 2222. Now on port 2202. + [db1] Creating shared folders metadata... + [db1] Clearing any previously set network interfaces... + [db1] Preparing network interfaces based on configuration... + [db1] Forwarding ports... + [db1] -- 22 => 2202 (adapter 1) + [db1] Running any VM customizations... + [db1] Booting VM... + [db1] Waiting for VM to boot. This can take a few minutes. + [db1] VM booted and ready for use! + [db1] Configuring and enabling network interfaces... + [db1] Mounting shared folders... + [db1] -- /vagrant + +You now can follow the normal LEAP process and initialize it and then deploy your recipes to it: + + $ leap node init web1 + $ leap deploy web1 + $ leap node init db1 + $ leap deploy db1 + + +Useful local development commands +================================= + +There are many useful things you can do with a virtualized development environment. 
+ +Listing what machines are running +--------------------------------- + +Now you have the two virtual machines "web1" and "db1" running, you can see the running machines as follows: + + $ leap local status + Current machine states: + + db1 running (virtualbox) + web1 running (virtualbox) + + This environment represents multiple VMs. The VMs are all listed + above with their current state. For more information about a specific + VM, run `vagrant status NAME`. + +Stopping machines +----------------- + +It is not recommended that you leave your virtual machines running when you are not using them. They consume memory and other resources! To stop your machines, simply do the following: + + $ leap local stop web1 db1 + +Connecting to machines +---------------------- + +You can connect to your local nodes just like you do with normal LEAP nodes, by running 'leap ssh node'. + +However, if you cannot connect to your local node, because the networking is not setup properly, or you have deployed a firewall that locks you out, you may need to access the graphical console. + +In order to do that, you will need to configure Vagrant to launch a graphical console and then you can login as root there to diagnose the networking problem. To do this, add the following to you +$HOME/.leaprc: + + @custom_vagrant_vm_line = 'config.vm.boot_mode = :gui' + +and then start, or restart, your local Vagrant node. You should get a VirtualBox graphical interface presented to you showing you the bootup and eventually the login. + +Snapshotting machines +--------------------- + +A very useful feature of local Vagrant development nodes is the ability to snapshot the current state and then revert to that when you need. + +For example, perhaps the base image is a little bit out of date and you want to get the packages updated to the latest before continuing. 
You can do that simply by starting the node, connecting to it and updating the packages and then snapshotting the node:
+
+ $ leap local start web1
+ $ leap ssh web1
+ web1# apt-get -u dist-upgrade
+ web1# exit
+ $ leap local save web1
+
+Now you can deploy to web1 and if you decide you want to revert to the state before deployment, you simply have to reset the node to your previous save:
+
+ $ leap local reset web1
+
+More information
+----------------
+
+See `leap help local` for a complete list of local-only commands and how they can be used.
+
+
+Limitations
+===========
+
+Please consult the known issues for vagrant, see the [Known Issues](known-issues), section *Special Environments*
+
+
+Troubleshooting Vagrant
+=======================
+
+To troubleshoot vagrant issues, try going through these steps:
+
+* Try plain vagrant using the [Getting started guide](http://docs.vagrantup.com/v2/getting-started/index.html).
+* If that fails, make sure that you can run virtual machines (VMs) in plain virtualbox (Virtualbox GUI or VBoxHeadless).
+ We don't suggest a sepecial howto for that, [this one](http://www.thegeekstuff.com/2012/02/virtualbox-install-create-vm/) seems pretty decent, or you follow the [Oracale Virtualbox User Manual](http://www.virtualbox.org/manual/UserManual.html). There's also specific documentation for [Debian](https://wiki.debian.org/VirtualBox) and for [Ubuntu](https://help.ubuntu.com/community/VirtualBox). If you succeeded, try again if you now can start vagrant nodes using plain vagrant (see first step).
+* If plain vagrant works for you, you're very close to using vagrant with leap !
If you encounter any problems now, please [contact us](https://leap.se/en/about-us/contact) or use our [issue tracker](https://leap.se/code)
+
+Known working combinations
+--------------------------
+
+Please consider that using other combinations might work for you as well, these are just the combinations we tried and worked for us:
+
+
+Debian Wheezy
+-------------
+
+* `virtualbox-4.2 4.2.16-86992~Debian~wheezy` from Oracle and `vagrant 1.2.2` from vagrantup.com
+
+
+Ubuntu Raring 13.04
+-------------------
+
+* `virtualbox 4.2.10-dfsg-0ubuntu2.1` from Ubuntu raring and `vagrant 1.2.2` from vagrantup.com
+
+
+Using Vagrant with libvirt/kvm
+==============================
+
+Vagrant can be used with different providers/backends, one of them is [vagrant-libvirt](https://github.com/pradels/vagrant-libvirt). Here are the steps how to use it. Be sure to use a recent vagrant version (>= 1.3).
+
+Install vagrant-libvirt plugin and add box
+------------------------------------------
+ sudo apt-get install libvirt-bin libvirt-dev
+ vagrant plugin install vagrant-libvirt
+ vagrant plugin install sahara
+ vagrant box add leap-wheezy https://downloads.leap.se/leap-debian-libvirt.box
+
+
+Debugging
+---------
+
+If you get an error in any of the above commands, try to get some debugging information, it will often tell you what is wrong.
In order to get debugging logs, you simply need to re-run the command that produced the error but prepend the command with VAGRANT_LOG=info, for example:
+ VAGRANT_LOG=info vagrant box add leap-wheezy https://downloads.leap.se/leap-debian-libvirt.box
+
+Start it
+--------
+
+Use this example Vagrantfile:
+
+ Vagrant.configure("2") do |config|
+ config.vm.define :testvm do |testvm|
+ testvm.vm.box = "leap-wheezy"
+ testvm.vm.network :private_network, :ip => '10.6.6.201'
+ end
+
+ config.vm.provider :libvirt do |libvirt|
+ libvirt.connect_via_ssh = false
+ end
+ end
+
+Then:
+
+ vagrant up --provider=libvirt
+
+If everything works, you should export libvirt as the VAGRANT_DEFAULT_PROVIDER:
+
+ export VAGRANT_DEFAULT_PROVIDER="libvirt"
+
+Now you should be able to use the `leap local` commands.
+
+Known Issues
+------------
+
+* 'Call to virConnectOpen failed: internal error: Unable to locate libvirtd daemon in /usr/sbin (to override, set $LIBVIRTD_PATH to the name of the libvirtd binary)' - you don't have the libvirtd daemon running or installed, be sure you installed the 'libvirt-bin' package and it is running
+* 'Call to virConnectOpen failed: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied' - you need to be in the libvirt group to access the socket, do 'sudo adduser libvirt' and then re-login to your session
+* see the [vagrant-libvirt issue list on github](https://github.com/pradels/vagrant-libvirt/issues)
+* be sure to use vagrant-libvirt >= 0.0.11 and sahara >= 0.0.16 (which are the latest stable gems you would get with `vagrant plugin install [vagrant-libvirt|sahara]`) for proper libvirt support
diff --git a/doc/en.md b/doc/en.md
index bdae4630..f1a1fc17 100644
--- a/doc/en.md
+++ b/doc/en.md
@@ -20,7 +20,7 @@ LEAP maintains a repository of platform recipes, which typically do not need to As these recipes consist in abstract definitions, in order to configure settings for a particular service provider a system administrator has to create a provider instance (see below). -LEAP's platform recipes are distributed as a git repository: `git://leap.se/leap_platform.git` +LEAP's platform recipes are distributed as a git repository: `https://leap.se/git/leap_platform` The provider instance --------------------- @@ -64,7 +64,7 @@ One other significant difference between LEAP and typical system automation is h These two approaches, masterless push and pre-compiled static configuration, allow the sysadmin to manage a set of LEAP servers using traditional software development techniques of branching and merging, to more easily create local testing environments using virtual servers, and to deploy without the added complexity and failure potential of a master server. -The `leap` command line tool is distributed as a git repository: `git://leap.se/leap_cli`. It can be installed with `sudo gem install leap_cli`. +The `leap` command line tool is distributed as a git repository: `https://leap.se/git/leap_cli`. It can be installed with `sudo gem install leap_cli`. Getting started ---------------------------------- diff --git a/doc/faq.md b/doc/faq.md new file mode 100644 index 00000000..2654ce80 --- /dev/null +++ b/doc/faq.md 
@@ -0,0 +1,53 @@
+@title = 'Frequently asked questions'
+@nav_title = 'FAQ'
+@toc = true
+
+Puppet
+======
+
+Where do i find the time a server was last deployed ?
+-----------------------------------------------------
+
+The puppet state file on the node indicates the last puppetrun:
+
+ ls -la /var/lib/puppet/state/state.yaml
+
+What resources are touched by puppet/leap_platform (services/packages/files etc.) ?
+-----------------------------------------------------------------------------------
+
+Log into your server and issue:
+
+ grep -v '!ruby/sym' /var/lib/puppet/state/state.yaml | sed 's/\"//' | sort
+
+
+How can i customize the leap_platform puppet manifests ?
+--------------------------------------------------------
+
+You can create a custom module `site_custom`. The class `site_custom::setup` will get
+included in the first part of the deploy process, and `site_custom` during the second part.
+Of cause you can also create a different git branch and change whatever you want, if you are
+familiar wit git.
+
+Facter
+======
+
+How can i see custom facts distributed by leap_platform on a node ?
+-------------------------------------------------------------------
+
+On the server, export the FACTERLIB env. variable to include the path of the custom fact in question:
+
+ export FACTERLIB=/var/lib/puppet/lib/facter:/srv/leap/puppet/modules/stdlib/lib/facter/
+ facter
+
+
+Etc
+===
+
+How do i change the domain of my provider ?
+-------------------------------------------
+
+* First of all, you need to have access to the nameserver config of your new domain.
+* Update domain in provider.json
+* remove all ca and cert files: `rm files/cert/* files/ca/*`
+* create ca, csr and certs : `leap cert ca; leap cert csr; leap cert dh; leap cert update`
+* deploy
diff --git a/doc/guide.md b/doc/guide.md
index dae392e5..52c3b2fa 100644
--- a/doc/guide.md
+++ b/doc/guide.md
@@ -15,16 +15,11 @@ When adding a new node to your provider, you should ask yourself four questions: Brief overview of the services: -![services diagram](service-diagram.png) - * **webapp**: The web application. Runs both webapp control panel for users and admins as well as the REST API that the client uses. Needs to communicate heavily with `couchdb` nodes. You need at least one, good to have two for redundancy. The webapp does not get a lot of traffic, so you will not need many. * **couchdb**: The database for users and user data. You can get away with just one, but for proper redundancy you should have at least three. Communicates heavily with `webapp` and `mx` nodes. * **soledad**: Handles the data syncing with clients. Typically combined with `couchdb` service, since it communicates heavily with couchdb. (not currently in stable release) * **mx**: Incoming and outgoing MX servers. Communicates with the public internet, clients, and `couchdb` nodes. (not currently in stable release) * **openvpn**: OpenVPN gateway for clients. You need at least one, but want as many as needed to support the bandwidth your users are doing. The `openvpn` nodes are autonomous and don't need to communicate with any other nodes. Often combined with `tor` service. - -Not pictured: - * **monitor**: Internal service to monitor all the other nodes. Currently, you can have zero or one `monitor` nodes. * **tor**: Sets up a tor exit node, unconnected to any other service. * **dns**: Not yet implemented. 
@@ -157,30 +152,32 @@ Configuration options The `ca` option in provider.json provides settings used when generating CAs and certificates. The defaults are as follows: - "ca": { - "name": "= global.provider.ca.organization + ' Root CA'", - "organization": "= global.provider.name", - "organizational_unit": "= 'https://' + global.provider.name", - "bit_size": 4096, - "digest": "SHA256", - "life_span": "10y", - "server_certificates": { - "bit_size": 2024, - "digest": "SHA256", - "life_span": "1y" - }, - "client_certificates": { - "bit_size": 2024, + { + "ca": { + "name": "= global.provider.ca.organization + ' Root CA'", + "organization": "= global.provider.name[global.provider.default_language]", + "organizational_unit": "= 'https://' + global.provider.domain", + "bit_size": 4096, "digest": "SHA256", - "life_span": "2m", - "limited_prefix": "LIMITED", - "unlimited_prefix": "UNLIMITED" + "life_span": "10y", + "server_certificates": { + "bit_size": 2048, + "digest": "SHA256", + "life_span": "1y" + }, + "client_certificates": { + "bit_size": 2048, + "digest": "SHA256", + "life_span": "2m", + "limited_prefix": "LIMITED", + "unlimited_prefix": "UNLIMITED" + } } } -To see what values are used for your provider, run `leap inspect provider.json`. You can modify the defaults as you wish by adding the values to provider.json. +You should not need to override these defaults in your own provider.json, but you can if you want to. To see what values are used for your provider, run `leap inspect provider.json`. -NOTE: A certificate `bit_size` greater than 2024 will probably not be recognized by most commercial CAs. +NOTE: A certificate `bit_size` greater than 2048 will probably not be recognized by most commercial CAs. Certificate Authorities ----------------------------------------- 
@@ -245,6 +242,18 @@ The private key file is extremely sensitive and care should be taken with its pr If your commercial CA has a chained CA cert, you should be OK if you just put the **last** cert in the chain into the `commercial_ca.crt` file. This only works if the other CAs in the chain have certs in the debian package `ca-certificates`, which is the case for almost all CAs. +If you want to add additional fields to the CSR, like country, city, or locality, you can configure these values in provider.json like so: + + "ca": { + "server_certificates": { + "country": "US", + "state": "Washington", + "locality": "Seattle" + } + } + +If they are not present, the CSR will be created without them. + Facts ============================== diff --git a/doc/known-issues.md b/doc/known-issues.md index abd28084..960eaad7 100644 --- a/doc/known-issues.md +++ b/doc/known-issues.md 
@@ -34,15 +34,15 @@ User setup and ssh . If the ssh host key changes, you need to run node init again (see: https://leap.se/en/docs/platform/guide#Working.with.SSH) -. At the moment, only ECDSA ssh host keys are supported. If you get the following error: `= FAILED ssh-keyscan: no hostkey alg (must be missing an ecdsa public host key)` then you should confirm that you have the following line defined in your server's /etc/ssh/sshd_config: -HostKey /etc/ssh/ssh_host_ecdsa_key and that file exists. If you made a change to your sshd_config, then you need to run `/etc/init.d/ssh restart` (see: https://leap.se/code/issues/2373) +. At the moment, only ECDSA ssh host keys are supported. If you get the following error: `= FAILED ssh-keyscan: no hostkey alg (must be missing an ecdsa public host key)` then you should confirm that you have the following line defined in your server's **/etc/ssh/sshd_config**: `HostKey /etc/ssh/ssh_host_ecdsa_key`. If that file doesn't exist, run `ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""` in order to create it. If you made a change to your sshd_config, then you need to run `/etc/init.d/ssh restart` (see: https://leap.se/code/issues/2373) -. To remove an admin's access to your servers, please remove the directory for that user under the `users/` subdirectory in your provider directory and then remove that user's ssh keys from files/ssh/authorized_keys. When finished you *must* run a `leap deploy` to update that information on the servers (see: https://leap.se/code/issues/1863) +. To remove an admin's access to your servers, please remove the directory for that user under the `users/` subdirectory in your provider directory and then remove that user's ssh keys from files/ssh/authorized_keys. When finished you *must* run a `leap deploy` to update that information on the servers. . At the moment, it is only possible to add an admin who will have access to all LEAP servers (see: https://leap.se/code/issues/2280) . 
leap add-user --self allows only one key - if you run that command twice with different keys, you will just replace the key with the second key. To add a second key, add it manually to files/ssh/authorized_keys (see: https://leap.se/code/issues/866) + Deploying --------- diff --git a/doc/quick-start.md b/doc/quick-start.md index 5ba28f8d..0bce271a 100644 --- a/doc/quick-start.md +++ b/doc/quick-start.md 
@@ -1,116 +1,197 @@ @title = 'LEAP Platform Quick Start' @nav_title = 'Quick Start' -This tutorial walks you through the initial process of creating and deploying a service provider running the [LEAP platform](platform). First examples aim to build a provider in a virtual environment, and in the end running in real hardware is targeted. +Quick Start +=========== -First, a few definitions: +This tutorial walks you through the initial process of creating and deploying a minimal service provider running the [LEAP platform](platform). This Quick Start guide will guide you through building a three node OpenVPN provider. +If you are curious how this will look like without trying it out yourself, you can watch our [recorded screencasts](http://shelr.tv/users/524415e69660807910000021). -* **node:** A server that is part of the service provider's infrastructure. All nodes are running the Debian GNU/Linux operating system. -* **sysadmin:** This is you. -* **sysadmin machine:** Your desktop or laptop computer that you use to control the nodes. This machine can be running any variant of Unix, Linux, or Mac OS (however, only Debian derivatives are supported at the moment). +Our goal +------------------ -All the commands in this tutorial are run on your sysadmin machine. In order to complete the tutorial, the sysadmin machine must: +We are going to create a minimal LEAP provider offering OpenVPN service. This basic setup can be expanded by adding more OpenVPN nodes to increase capacity, or more webapp and couchdb nodes to increase availability (performance wise, a single couchdb and a single webapp are more than enough for most usage, since they are only lightly used, but you might want redundancy). -* Be a real machine with virtualization support in the CPU (VT-x or AMD-V). In other words, not a virtual machine. -* Have at least 4gb of RAM. -* Have a fast internet connection (because you will be downloading a lot of big files, like virtual machine images). 
+Our goal is something like this:
-Install prerequisites
+ $ leap list
+ NODES SERVICES TAGS
+ couch1 couchdb
+ web1 webapp
+ vpn1 openvpn
+
+NOTE: You won't be able to run that `leap list` command yet, not until we actually create the node configurations.
+
+Requirements
+------------
+
+In order to complete this Quick Start, you will need a few things:
+
+* You will need three real or paravirtualized virtual machines (KVM, Xen, Openstack, Amazon, but not Vagrant - sorry) that have a basic Debian Stable installed. If you allocate 10G to each node, that should be plenty.
+* You should be able to SSH into them remotely, and know their IP addresses and their SSH host keys
+* You will need four different IPs, one for each node, and a second one for the VPN gateway
+* The ability to create/modify DNS entries for your domain is preferable, but not needed. If you don't have access to DNS, you can workaround this by modifying your local resolver, i.e. editing `/etc/hosts`.
+* You need to be aware that this process will make changes to your systems, so please be sure that these machines are a basic install with nothing configured or running for other purposes
+* Your machines will need to be connected to the internet, and not behind a restrictive firewall.
+* You should work locally on your laptop/workstation (one that you trust and that is ideally full-disk encrypted) while going through this guide. This is important because the provider configurations you are creating contain sensitive data that should not reside on a remote machine. The leap cli utility will login to your servers and configure the services.
+
+All the commands in this tutorial are run on your sysadmin machine.
In order to complete the tutorial, the sysadmin will do the following: + +* Install pre-requisites +* Install the LEAP command-line utility +* Check out the LEAP platform +* Create a provider and its certificates +* Setup the provider's nodes and the services that will reside on those nodes +* Initialize the nodes +* Deploy the LEAP platform to the nodes +* Test that things worked correctly +* Some additional commands + +We will walk you through each of these steps. + + +Prepare your environment +======================== + +There are a few things you need to setup before you can get going. Just some packages, the LEAP cli and the platform. + +Install pre-requisites -------------------------------- *Debian & Ubuntu* Install core prerequisites: - sudo apt-get install git ruby ruby-dev rsync openssh-client openssl rake make - -Install Vagrant in order to be able to test with local virtual machines (typically optional, but required for this tutorial): - - sudo apt-get install vagrant virtualbox + $ sudo apt-get install git ruby ruby-dev rsync openssh-client openssl rake make bzip2 -Install leap +NOTE: leap_cli should work with ruby1.8, but has only been tested using ruby1.9. + + +Install the LEAP command-line utility --------------------- Install `leap` command from source: - git clone git://leap.se/leap_cli.git - cd leap_cli - rake build + $ git clone https://leap.se/git/leap_cli + $ cd leap_cli + $ rake build Then, install as root user (recommended): - sudo rake install + $ sudo rake install Or, install as unprivileged user: - rake install + $ rake install # watch out for the directory leap is installed to, then i.e. - sudo ln -s ~/.gem/ruby/1.9.1/bin/leap /usr/local/bin/leap + $ sudo ln -s ~/.gem/ruby/1.9.1/bin/leap /usr/local/bin/leap With both methods, you can use now /usr/local/bin/leap, which in most cases will be in your $PATH. 
+If you have successfully installed the LEAP cli, then you should be able to do the following:
-Create a provider instance
----------------------------------------
+ $ leap --help
+
+and be presented with the command-line help options. If you receive an error when doing this, please read through the README.md in the LEAP cli source to try and resolve any problems before going forwards.
+
+
+Check out the platform
+----------------------
+
+The LEAP Platform is a series of puppet recipes and modules that will be used to configure your provider. You will need a local copy of the platform that will be used to setup your nodes and manage your services. To begin with, you will not need to modify the LEAP Platform.
+
+First we'll create a directory for LEAP things, and then we'll check out the platform code and initalize the modules:
+
+ $ mkdir ~/leap
+ $ cd ~/leap
+ $ git clone https://leap.se/git/leap_platform.git
+ $ cd leap_platform
+ $ git submodule sync; git submodule update --init
-A provider instance is a directory tree, usually stored in git, that contains everything you need to manage an infrastructure for a service provider. In this case, we create one for bitmask.net and call the instance directory 'bitmask'.
- mkdir -p ~/leap/bitmask
+Provider Setup
+==============
-Now, we will initialize this directory to make it a provider instance. Your provider instance will need to know where it can find local copy of the git repository leap_platform, which holds the puppet recipes you will need to manage your servers. Typically, you will not need to modify leap_platform.
+A provider instance is a directory tree, usually stored in git, that contains everything you need to manage an infrastructure for a service provider. In this case, we create one for example.org and call the instance directory 'example'.
- cd ~/leap/bitmask
- leap new .
+ $ mkdir -p ~/leap/example + +Bootstrap the provider +----------------------- + +Now, we will initialize this directory to make it a provider instance. Your provider instance will need to know where it can find the local copy of the git repository leap_platform, which we setup in the previous step. + + $ cd ~/leap/example + $ leap new . + +NOTES: + . make sure you include that trailing dot! The `leap new` command will ask you for several required values: -* domain: The primary domain name of your service provider. In this tutorial, we will be using "bitmask.net". -* name: The name of your service provider. +* domain: The primary domain name of your service provider. In this tutorial, we will be using "example.org". +* name: The name of your service provider (we use "Example"). * contact emails: A comma separated list of email addresses that should be used for important service provider contacts (for things like postmaster aliases, Tor contact emails, etc). -* platform: The directory where you have a copy of the `leap_platform` git repository checked out. If it doesn't exist, it will be downloaded for you. +* platform: The directory where you have a copy of the `leap_platform` git repository checked out. + +You could also have passed these configuration options on the command-line, like so: + + $ leap new --contacts your@email.here --domain leap.example.org --name Example --platform=~/leap/leap_platform . You may want to poke around and see what is in the files we just created. For example: - cat provider.json + $ cat provider.json Optionally, commit your provider directory using the version control software you fancy. For example: - git init - git add . - git commit -m "initial commit" + $ git init + $ git add . 
+ $ git commit -m "initial provider commit" Now add yourself as a privileged sysadmin who will have access to deploy to servers: - leap add-user --self + $ leap add-user --self -NOTE: in most cases, `leap` must be run from within a provider instance directory tree (e.g. ~/leap/bitmask). +NOTE: in most cases, `leap` must be run from within a provider instance directory tree (e.g. ~/leap/example). -Now generate required X509 certificates and keys: +Create provider certificates +---------------------------- - leap cert ca - leap cert csr +Create two certificate authorities, one for server certs and one for client +certs (note: you only need to run this one command to get both): + + $ leap cert ca + +Create a temporary cert for your main domain (you should replace with a real commercial cert at some point) + + $ leap cert csr To see details about the keys and certs that the prior two commands created, you can use `leap inspect` like so: - leap inspect files/ca/ca.crt + $ leap inspect files/ca/ca.crt + +Create the Diffie-Hellman parameters file, needed for forward secret OpenVPN ciphers: + + $ leap cert dh + +NOTE: the files `files/ca/*.key` are extremely sensitive and must be carefully protected. The other key files are much less sensitive and can simply be regenerated if needed. Edit provider.json configuration 
@@ -119,58 +200,99 @@ Edit provider.json configuration There are a few required settings in provider.json. At a minimum, you must have: { - "domain": "bitmask.net", - "name": "Bitmask", + "domain": "example.org", + "name": "Example", "contacts": { - "default": "email1@domain.org, email2@domain.org" + "default": "email1@example.org" } } For a full list of possible settings, you can use `leap inspect` to see how provider.json is evaluated after including the inherited defaults: - leap inspect provider.json + $ leap inspect provider.json -Create nodes ---------------------- -A "node" is a server that is part of your infrastructure. Every node can have one or more services associated with it. Some nodes are "local" and used only for testing. These local nodes exist only as virtual machines on your computer and cannot be accessed from outside (see `leap help local` for more information). +Setup the provider's nodes and services +--------------------------------------- -Create a local node, with the service "webapp": +A "node" is a server that is part of your infrastructure. Every node can have one or more services associated with it. Some nodes are "local" and used only for testing, see [Development](developmet) for more information. - leap node add --local web1 services:webapp +Create a node, with the service "webapp": -This created a node configuration file in `nodes/web1.json`, but it did not create the virtual machine. In order to test our node "web1", we need to first spin up a virtual machine. The next command will probably take a very long time, because it will need to download a VM image (about 700mb). + $ leap node add web1 ip_address:x.x.x.w services:webapp tags:production - leap local start +NOTE: replace x.x.x.w with the actual IP address of this node -Now that the virtual machine for web1 is running, you need to initialize it and then deploy the recipes to it. You only need to initialize a node once, but there is no harm in doing it multiple times. 
These commands will take a while to run the first time, as it needs to update the package cache on the new virtual machine. +This created a node configuration file in `nodes/web1.json`, but it did not do anything else. It also added the 'tag' called 'production' to this node. Tags allow us to conveniently group nodes together. When creating nodes, you should give them the tag 'production' if the node is to be used in your production infrastructure. - leap node init web1 - leap deploy web1 +The web application and the VPN nodes require a database, so lets create the database server node: -That is it, you should now have your first running node. However, the LEAP web application requires a database to run, so let's add a "couchdb" node: + $ leap node add couch1 ip_address:x.x.x.x services:couchdb tags:production - leap node add --local db1 services:couchdb - leap local start - leap node init db1 - leap deploy db1 +NOTE: replace x.x.x.x with the actual IP address of this node -Access the web application --------------------------------------------- +Now we need the VPN gateway, so lets create that node: -You should now have two local virtual machines running, one for the web application and one for the database. In order to connect to the web application in your browser, you need to point your domain at the IP address of the web application node (named web1 in this example). + $ leap node add vpn1 ip_address:x.x.x.y openvpn.gateway_address:x.x.x.z services:openvpn tags:production -There are a lot of different ways to do this, but one easy way is to modify your `/etc/hosts` file. First, find the IP address of the webapp node: +NOTE: replace x.x.x.y with the IP address of the machine, and x.x.x.z with the second IP. openvpn gateways must be assigned two IP addresses, one for the host itself and one for the openvpn gateway. We do this to prevent incoming and outgoing VPN traffic on the same IP. 
Without this, the client might send some traffic to other VPN users in the clear, bypassing the VPN. - leap list webapp --print ip_address -Then modify `/etc/hosts` like so: +Setup DNS +--------- + +Now that you have the nodes configured, you should create the DNS entries for these nodes. + +Set up your DNS with these hostnames: + + $ leap list --print ip_address,domain.full,dns.aliases + couch1 x.x.x.w, couch1.example.org, null + web1 x.x.x.x, web1.example.org, api.example.org, nicknym.example.org + vpn1 x.x.x.y, vpn1.example.org, null + +Alternately, you can adapt this zone file snippet: - 10.5.5.47 DOMAIN + $ leap compile zone -Replacing 'DOMAIN' with whatever you specified as the `domain` in the `leap new` command. +If you cannot edit your DNS zone file, you can still test your provider by adding entries to your local resolver hosts file (`/etc/hosts` for linux): -Next, you can connect to the web application either using a web browser or via the API using the LEAP client. To use a browser, connect to https://DOMAIN. Your browser will complain about an untrusted cert, but for now just bypass this. From there, you should be able to register a new user and login. + x.x.x.w couch1.example.org + x.x.x.x web1.example.org api.example.org example.org + x.x.x.y vpn1.example.org + +Please don't forget about these entries, they will override DNS queries if you setup your DNS later. + + +Initialize the nodes +-------------------- + +Node initialization only needs to be done once, but there is no harm in doing it multiple times: + + $ leap node init production + +This will initialize all nodes with the tag "production". When `leap node init` is run, you will be prompted to verify the fingerprint of the SSH host key and to provide the root password of the server(s). You should only need to do this once. 
+ +If you prefer, you can initalize each node, one at a time: + + $ leap node init web1 + $ leap node init couch1 + $ leap node init vpn1 + +Deploy the LEAP platform to the nodes +-------------------- + +Now you should deploy the platform recipes to the nodes. Deployment can take a while to run, especially on the first run, as it needs to update the packages on the new machine: + + $ leap deploy web1 + +Watch the output for any errors (in red), if everything worked fine, you should now have your first running node. If you do have errors, try doing the deploy again. + +However, to deploy our three-node openvpn setup, we need the database and LEAP web application requires a database to run, so let's deploy to the couchdb and openvpn nodes: + + $ leap deploy couch1 + $ leap deploy vpn1 + +NOTE: the output from deploying can be quite busy, so we often do them each node one by one. What is going on here? -------------------------------------------- 
@@ -190,17 +312,55 @@ You can run `leap -v2 deploy` to see exactly what commands are being executed. -Additional commands -------------------------------------------- + +Test that things worked correctly +================================= + +You should now have three machines with the LEAP platform deployed to them, one for the web application, one for the database and one for the OpenVPN gateway. + + +Access the web application +-------------------------------------------- + +In order to connect to the web application in your browser, you need to point your domain at the IP address of the web application node (named web1 in this example). + +There are a lot of different ways to do this, but one easy way is to modify your `/etc/hosts` file. First, find the IP address of the webapp node: + + $ leap list webapp --print ip_address + +Then modify `/etc/hosts` like so: + + x.x.x.w leap.example.org + +Replacing 'leap.example.org' with whatever you specified as the `domain` in the `leap new` command. + +Next, you can connect to the web application either using a web browser or via the API using the LEAP client. To use a browser, connect to https://leap.example.org (replacing that with your domain). Your browser will complain about an untrusted cert, but for now just bypass this. From there, you should be able to register a new user and login. + +Use the VPN +----------- + +You should be able to simply test that the OpenVPN gateway works properly by doing the following: + + $ leap test init + $ sudo openvpn test/openvpn/unlimited.ovpn + +Or, you can use the LEAP client (called "bitmask") to connect to your new provider, create a user and then connect to the VPN. + + +Additional information +====================== + +It is useful to know a few additional things. + +Useful commands +--------------- Here are a few useful commands you can run on your new local nodes: * `leap ssh web1` -- SSH into node web1 (requires `leap node init web1` first). 
* `leap list` -- list all nodes. +* `leap list production` -- list only those nodes with the tag 'production' * `leap list --print ip_address` -- list a particular attribute of all nodes. -* `leap local reset web1` -- return web1 to a pristine state. -* `leap local stop` -- stop all local virtual machines. -* `leap local status` -- get the running state of all the local virtual machines. * `leap cert update` -- generate new certificates if needed. See the full command reference for more information. 
@@ -223,20 +383,12 @@ Examples: * `leap deploy webapp openvpn` -- deploy to all webapp OR openvpn nodes. * `leap node init vpn1` -- just init the node named vpn1. -Running on real hardware ------------------------------------ - -The steps required to initialize and deploy to nodes on the public internet are basically the same as we have seen so far for local testing nodes. There are a few key differences: - -* Obviously, you will need to acquire a real or virtual machine that you can SSH into remotely. -* When creating the node configuration, you should give it the tag "production" if the node is to be used in your production infrastructure. -* When creating the node configuration, you need to specify the IP address of the node. - -For example: +Keep track of your provider configurations +------------------------------------------ - leap node add db1 tags:production services:couchdb ip_address:4.4.4.4 +You should commit your provider changes to your favorite VCS whenever things change. This way you can share your configurations with other admins, all they have to do is to pull the changes to stay up to date. Every time you make a change to your provider, such as adding nodes, services, generating certificates, etc. you should add those to your VCS, commit them and push them to where your repository is hosted. -Also, running `leap node init NODE_NAME` on a real server will prompt you to verify the fingerprint of the SSH host key and to provide the root password of the server NODE_NAME. You should only need to do this once. +Note that your provider directory contains secrets! Those secrets include passwords for various services. You do not want to have those passwords readable by the world, so make sure that wherever you are hosting your repository, it is not public for the world to read. What's next ----------------------------------- diff --git a/doc/troubleshooting.md b/doc/troubleshooting.md new file mode 100644 index 00000000..bb2fc4b5 --- /dev/null 
+++ b/doc/troubleshooting.md 
@@ -0,0 +1,147 @@ +@title = 'Troubleshooting Guide' +@nav_title = 'Troubleshooting' +@toc = true + + +General +======= + +* Please increase verbosity when debugging / filing issues in our issue tracker. You can do this with adding i.e. `-v 5` after the `leap` cmd, i.e. `leap -v 2 deploy`. + +Webapp node +=========== + +Places to look for errors +------------------------- + +* `/var/log/apache2/error.log` +* `/srv/leap/webapp/log/production.log` +* `/var/log/syslog` (watch out for stunnel issues) + +Is haproxy ok ? +--------------- + + + curl -s -X GET "http://127.0.0.1:4096" + +Is couchdb accessible through stunnel ? +--------------------------------------- + + + curl -s -X GET "http://127.0.0.1:4000" + + +Check couchdb acl +----------------- + + + mkdir /etc/couchdb + cat /srv/leap/webapp/config/couchdb.yml.admin # see username and password + echo "machine 127.0.0.1 login admin password " > /etc/couchdb/couchdb-admin.netrc + chmod 600 /etc/couchdb/couchdb-admin.netrc + + curl -s --netrc-file /etc/couchdb/couchdb-admin.netrc -X GET "http://127.0.0.1:4096" + curl -s --netrc-file /etc/couchdb/couchdb-admin.netrc -X GET "http://127.0.0.1:4096/_all_dbs" + + +Couchdb node +============ + +Places to look for errors +------------------------- + +* `/opt/bigcouch/var/log/bigcouch.log` +* `/var/log/syslog` (watch out for stunnel issues) + + +Bigcouch membership +------------------- + +* All nodes configured for the provider should appear here: + + + curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET 'http://127.0.0.1:5986/nodes/_all_docs' + +* All configured nodes should show up under "cluster_nodes", and the ones online and communicating with each other should appear under "all_nodes". 
This example output shows the configured cluster nodes `couch1.bitmask.net` and `couch2.bitmask.net`, but `couch2.bitmask.net` is currently not accessible from `couch1.bitmask.net` + + + curl -s --netrc-file /etc/couchdb/couchdb.netrc 'http://127.0.0.1:5984/_membership' + {"all_nodes":["bigcouch@couch1.bitmask.net"],"cluster_nodes":["bigcouch@couch1.bitmask.net","bigcouch@couch2.bitmask.net"]} + + + +Databases +--------- + +* Following output shows all neccessary DBs that should be present. Note that the `user-0123456....` DBs are the data stores for a particular user. + + + curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET 'http://127.0.0.1:5984/_all_dbs' + ["customers","identities","sessions","shared","tickets","tokens","user-0","user-9d34680b01074c75c2ec58c7321f540c","user-9d34680b01074c75c2ec58c7325fb7ff","users"] + + + +Design Documents +---------------- + +* Is User `_design doc` available ? + + + curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET "http://127.0.0.1:5984/users/_design/User" + + + +MX node +======= + +Places to look for errors +------------------------- + +* `/var/log/mail.log` +* `/var/log/leap_mx.log` +* `/var/log/syslog` (watch out for stunnel issues) + + +Query leap-mx +------------- + +* for useraccount + + + postmap -v -q "joe@dev.bitmask.net" tcp:localhost:2244 + ... + postmap: dict_tcp_lookup: send: get jow@dev.bitmask.net + postmap: dict_tcp_lookup: recv: 200 + ... + +* for mailalias + + + postmap -v -q "joe@dev.bitmask.net" tcp:localhost:4242 + ... + postmap: dict_tcp_lookup: send: get joe@dev.bitmask.net + postmap: dict_tcp_lookup: recv: 200 f01bc1c70de7d7d80bc1ad77d987e73a + postmap: dict_tcp_lookup: found: f01bc1c70de7d7d80bc1ad77d987e73a + f01bc1c70de7d7d80bc1ad77d987e73a + ... + + + +Mailspool +--------- + +* Any file in the mailspool longer for a few seconds ? 
+ + + ls -la /var/mail/vmail/Maildir/cur/ + + +VPN node +======== + +Places to look for errors +------------------------- + +* `/var/log/syslog` (watch out for openvpn issues) + + -- cgit v1.2.3 From 58dbe442b37408f7cd1270cd5e1abb69e8ceeafa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Nov 2013 14:21:10 -0500 Subject: add debug script for bug reporting (#4419) Change-Id: I0d97f6ee32e10865f5229d2f1d3c849304ba75fc --- leap-debug-remote.sh | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 leap-debug-remote.sh diff --git a/leap-debug-remote.sh b/leap-debug-remote.sh new file mode 100644 index 00000000..7f9c6945 --- /dev/null +++ b/leap-debug-remote.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# debug script to be run on remote servers + +regexp='(leap|stunnel|couch|soledad|haproxy)' + +find /etc/leap/ + +echo + +ls -la /srv/leap/ + +echo + + +dpkg -l | egrep "$regexp" + +echo + +ps aux|egrep "$regexp" + +echo + +cat /etc/hosts -- cgit v1.2.3 From 41c5506ef0adc0381bcae99ae1139d2de3a2a858 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Nov 2013 15:51:39 -0500 Subject: added website nagios check (#1629) Change-Id: Icebf9d8849b4440f4f6dbc00a1a8ac0873b62f6a --- .../modules/site_nagios/manifests/add_service.pp | 26 +++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 6ef3cbf5..8d2a310b 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp 
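Review bot: The output of this script is meant to be attached to bug reports (#4419), but `ps aux|egrep "$regexp"` prints full process command lines and `cat /etc/hosts` reveals internal addresses, so a submitter can leak credentials passed as process arguments or the provider's network layout without noticing. A header comment such as `# NOTE: output includes process arguments, file names and /etc/hosts; review it before attaching to a public ticket` would make that explicit. Minor: the `ps aux|egrep` pipeline also matches the egrep process itself, which `ps aux | egrep "$regexp" | grep -v egrep` avoids.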
@@ -3,19 +3,19 @@ define site_nagios::add_service ( case $service { 'webapp': { - $check_command = 'check_https_cert' - $service_description = 'Website Certificate' + nagios_service { + "${name}_cert": + use => 'generic-service', + check_command => 'check_https_cert', + service_description => 'Website Certificate', + host_name => $hostname; + "${name}_website": + use => 'generic-service', + check_command => 'check_https', + service_description => 'Website', + host_name => $hostname + } } - default: { - #notice ("No Nagios service check for service \"$service\"") - } - } - - if ( $check_command != '' ) { - nagios_service { $name: - use => 'generic-service', - check_command => $check_command, - service_description => $service_description, - host_name => $hostname } + default: {} } } -- cgit v1.2.3 From 8dd6174fe2077a94c8ede027a8364d7ff3372f3d Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 19 Nov 2013 14:58:52 -0800 Subject: cleaned up README, fixed links --- README.md | 47 ++++++++++++++--------------------------------- 1 file changed, 14 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 890008f5..7c253f62 100644 --- a/README.md +++ b/README.md 
@@ -1,65 +1,49 @@ -============= -Leap Platform -============= - What is it? -=========== - -The LEAP Platform is set of complementary packages and server recipes to automate the maintenance of LEAP services in a hardened Debian environment. Its goal is to make it as painless as possible for sysadmins to deploy and maintain a service provider’s infrastructure for secure communication. These recipes define an abstract service provider. It is a set of Puppet modules designed to work together to provide to sysadmins everything they need to manage a service provider infrastructure that provides secure communication services. - -As these recipes consist of abstract definitions, in order to configure settings for a particular service provider a system administrator has to obtain the leap command-line interface and create a provider instance. The details of how to get started are contained in the `Quick Start` documentation as detailed below. +============================= +The LEAP Platform is set of complementary packages and server recipes to automate the maintenance of LEAP services in a hardened Debian environment. Its goal is to make it as painless as possible for sysadmins to deploy and maintain a service provider's infrastructure for secure communication. These recipes define an abstract service provider. It is a set of Puppet modules designed to work together to provide to sysadmins everything they need to manage a service provider infrastructure that provides secure communication services. Getting started -=============== +============================= -It is highly recommended that you start by reading the overview of the Leap Platform on the website (https://leap.se/docs/platform) and then begin with the `Quick Start` guide (https://leap.se/docs/platform/quick-start) to walk through a test environment setup to get familiar with how things work before deploying to live servers. 
+It is highly recommended that you start by reading the overview of the [LEAP Platform](https://leap.se/docs/platform) and then begin with the [Quick Start guide](https://leap.se/docs/platform/quick-start) to walk through a test environment setup to get familiar with how things work before deploying to live servers. An offline copy of this documentation is contained in the `doc` subdirectory. For more current updates to the documentation, visit the website. Requirements ------------- - -For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. If you follow the `Quick Start` documentation we will walk you through using Vagrant to setup a test deployment. - -For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. At the moment, the Leap Platform supports servers with a base Debian Wheezy installation. +------------------ -While you can deploy all services on one server, we stronly recommend to use seperate servers for better security. +For testing a virtual deployment simulated on your computer, you will need a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) and plenty of RAM. If you follow the "Quick Start" documentation we will walk you through using Vagrant to setup a test deployment. +For a live deployment of the platform, the number of servers that is required depends on your needs and which services you want to deploy. At the moment, the LEAP Platform supports servers with a base Debian Wheezy installation. Troubleshooting -=============== +============================= -If you have a problem, we are interested in fixing it! +If you have a problem, we are interested in fixing it! -If you have a problem, be sure to have a look at the Known Issues section of the documentation to see if your issue is detailed there. 
+If you have a problem, be sure to have a look at the [Known Issues](https://leap.se/docs/platform/known-issues) to see if your issue is detailed there. If not, the best way for us to solve your problem is if you provide to us the complete log of what you did, and the output that was produced. Please don't cut out what appears to be useless information and only include the error that you received, instead copy and paste the complete log so that we can better determine the overall situation. If you can run the same command that produced the error with a raised verbosity level (such as -v2), that provides us with more useful debugging information. -Visit https://leap.se/development for contact possibilities. - -Known Issues ------------- - -* Please read the section in the documentation about Known Issues (https://leap.se/docs/platform/known-issues) +To capture the log, you can copy from the console, or run `leap --log FILE` or edit Leapfile to include `@log = '/tmp/leap.log'`. +Visit https://leap.se/en/docs/get-involved/communication for details on how to contact the developers. More Information ================ -For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. - Changelog --------- For a changelog of the current branch: - git log + git log Authors and Credits ------------------ -See contributors: +See contributors: git shortlog -es --all @@ -68,6 +52,3 @@ Copyright/License ----------------- Read LICENSE - - - -- cgit v1.2.3 From 1ada62ad64b9664783de875820242fc404f967f2 Mon Sep 17 00:00:00 2001 
From: Azul Date: Tue, 19 Nov 2013 15:15:59 +0100 Subject: initial design documents from the webapp (#3770) --- .../modules/site_couchdb/files/designs/Readme.md | 14 ++++++ .../files/designs/customers/Customer.json | 18 ++++++++ .../files/designs/identities/Identity.json | 28 ++++++++++++ .../files/designs/sessions/Session.json | 8 ++++ .../site_couchdb/files/designs/tickets/Ticket.json | 50 ++++++++++++++++++++++ .../site_couchdb/files/designs/tokens/Token.json | 14 ++++++ .../site_couchdb/files/designs/users/User.json | 26 +++++++++++ 7 files changed, 158 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/designs/Readme.md create mode 100644 puppet/modules/site_couchdb/files/designs/customers/Customer.json create mode 100644 puppet/modules/site_couchdb/files/designs/identities/Identity.json create mode 100644 puppet/modules/site_couchdb/files/designs/sessions/Session.json create mode 100644 puppet/modules/site_couchdb/files/designs/tickets/Ticket.json create mode 100644 puppet/modules/site_couchdb/files/designs/tokens/Token.json create mode 100644 puppet/modules/site_couchdb/files/designs/users/User.json diff --git a/puppet/modules/site_couchdb/files/designs/Readme.md b/puppet/modules/site_couchdb/files/designs/Readme.md new file mode 100644 index 00000000..983f629f --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/Readme.md @@ -0,0 +1,14 @@ +This directory contains design documents for the leap platform. + +They need to be uploaded to the couch database in order to query the +database in certain ways. + +Each subdirectory corresponds to a couch database and contains the design +documents that need to be added to that particular database. + +Here's an example of how to upload the users design document: +```bash +HOST="http://localhost:5984" +curl -X PUT $HOST/users/_design/User --data @users/User.json + +``` 
diff --git a/puppet/modules/site_couchdb/files/designs/customers/Customer.json b/puppet/modules/site_couchdb/files/designs/customers/Customer.json new file mode 100644 index 00000000..1b4bbddd --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/customers/Customer.json @@ -0,0 +1,18 @@ +{ + "_id": "_design/Customer", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_braintree_customer_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['braintree_customer_id'] != null)) {\n emit(doc['braintree_customer_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Customer') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "688c401ec0230b75625c176a88fc4a02" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json new file mode 100644 index 00000000..8cf8c39b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json 
@@ -0,0 +1,28 @@ +{ + "_id": "_design/Identity", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address_and_destination": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "pgp_key_by_email": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" + }, + "disabled": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/sessions/Session.json b/puppet/modules/site_couchdb/files/designs/sessions/Session.json new file mode 100644 index 00000000..70202780 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/sessions/Session.json @@ -0,0 +1,8 @@ +{ + "views": { + "by_expires": { + "reduce": "_sum", + "map": "function(doc) {\n if(typeof doc.expires !== \"undefined\") {\n emit(doc.expires, 1);\n }\n}\n" + } + } +} diff --git a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json new file mode 100644 index 00000000..2c9408b8 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json 
@@ -0,0 +1,50 @@ +{ + "_id": "_design/Ticket", + "language": "javascript", + "views": { + "by_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_by": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_by'] != null)) {\n emit(doc['created_by'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['created_at'] != null)) {\n emit([doc['is_open'], doc['created_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_includes_post_by_and_is_open_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_is_open_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return 
sum(values); }" + }, + "by_includes_post_by_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by": { + "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tokens/Token.json b/puppet/modules/site_couchdb/files/designs/tokens/Token.json new file mode 100644 index 00000000..b9025f15 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tokens/Token.json 
@@ -0,0 +1,14 @@ +{ + "_id": "_design/Token", + "language": "javascript", + "views": { + "by_last_seen_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Token') && (doc['last_seen_at'] != null)) {\n emit(doc['last_seen_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Token') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "541dd924551c42a2317b345effbe65cc" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json new file mode 100644 index 00000000..c500822b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/users/User.json @@ -0,0 +1,26 @@ +{ + "_id": "_design/User", + "language": "javascript", + "views": { + "by_login": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['login'] != null)) {\n emit(doc['login'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" + }, + "by_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_login_or_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + } + }, + "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" +} \ No newline at end of file -- cgit v1.2.3 From 481e945b3c8ea6bcb1de501b925d4332b1275c2d Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Fri, 22 Nov 2013 11:08:31 -0500 Subject: update couchdb submodule to get debugging output #4225 Change-Id: Ie1b6d67f493ed6891a2df76b044d64d359edb420 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 4597cf55..d3153dd2 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 4597cf55613aa25e77ef9943c32918fd59ff65c2 +Subproject commit d3153dd2da619035c0504b02f478796d656bb11d -- cgit v1.2.3 From 970fcd5d3262735c8ae7979a462cd77bf270b108 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 13 Nov 2013 10:13:53 -0800 Subject: added custom index.html --- provider_base/services/webapp.json | 1 + puppet/modules/site_webapp/manifests/init.pp | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 6f2beb8a..9b02afce 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -8,6 +8,7 @@ "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", "img_dir": "= file_path 'branding/img'", + "home_page": "= file_path 'branding/views/home.html.haml'", "client_certificates": "= global.provider.ca.client_certificates", "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 6c5bda4c..d5687804 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -146,6 +146,14 @@ class site_webapp { mode => '0644', require => Vcsrepo['/srv/leap/webapp'], source => $webapp['img_dir']; + + '/srv/leap/webapp/app/views/home/index.html.haml': + ensure => present, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + require => Vcsrepo['/srv/leap/webapp'], + source => $webapp['home_page']; } git::changes { @@ -163,6 +171,11 @@ class site_webapp { cwd => '/srv/leap/webapp', require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; + + 'app/views/home/index.html.haml': + cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], + user => 'leap-webapp'; } file { -- cgit v1.2.3 From 289a00a149ac08d01b8ee638620d8c2928966fa3 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 15 Nov 2013 01:02:25 -0800 Subject: improvements to webapp deployment: allow for greater customization, allow for custom git source, improve apache config. --- provider_base/services/webapp.json | 12 ++-- .../site_apache/manifests/module/expires.pp | 4 ++ .../templates/vhosts.d/leap_webapp.conf.erb | 8 +++ puppet/modules/site_webapp/manifests/apache.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 64 ++++------------------ 5 files changed, 29 insertions(+), 60 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/module/expires.pp diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 9b02afce..392375ff 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -4,18 +4,18 @@ "modules": ["user", "billing", "help"], "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", - "favicon": "= file_path 'branding/favicon.ico'", - "tail_scss": "= file_path 'branding/tail.scss'", - "head_scss": "= file_path 'branding/head.scss'", - "img_dir": "= file_path 'branding/img'", - "home_page": "= file_path 'branding/views/home.html.haml'", + "customization_dir": "= file_path 'webapp'", "client_certificates": "= global.provider.ca.client_certificates", "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", "allow_anonymous_certs": "= global.provider.service.allow_anonymous", "secret_token": "= secret :webapp_secret_token", "api_version": 1, - "secure": false + "secure": false, + "git": { + "source": "https://leap.se/git/leap_web", + "revision": "origin/master" + } }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp new file mode 100644 index 00000000..f73a5607 --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/expires.pp @@ -0,0 +1,4 @@ +class site_apache::module::expires ( $ensure = present ) +{ + apache::module { 'expires': ensure => $ensure } +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index afc19782..a001552a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
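Review bot: The new `git` defaults fetch the web application from `https://leap.se/git/leap_web` at `origin/master`, a moving branch, so each deploy installs whatever that branch holds at that moment and nodes deployed at different times can run different code; nothing in this hunk pins a tag or commit. Because `source` is now provider-configurable, a typo or a compromised mirror in a provider's `webapp.json` would also be checked out and run on the webapp node. JSON allows no comment here, so the platform docs should state that production providers override `revision` with a tag or commit id, and the deploy tooling should ideally verify a signed tag before checkout.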
@@ -45,6 +45,14 @@ PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + + <% if (defined? @services) and (@services.include? 'monitor') -%> PassengerEnabled off diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 6a199b9e..581922cb 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -21,6 +21,7 @@ class site_webapp::apache { include site_apache::module::headers include site_apache::module::rewrite include site_apache::module::alias + include site_apache::module::expires class { 'passenger': use_munin => false } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d5687804..c090c6a0 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -40,9 +40,9 @@ class site_webapp { vcsrepo { '/srv/leap/webapp': ensure => present, force => true, - revision => 'origin/master', + revision => $webapp['git']['revision'], provider => git, - source => 'https://leap.se/git/leap_web', + source => $webapp['git']['source'], owner => 'leap-webapp', group => 'leap-webapp', require => [ User['leap-webapp'], Group['leap-webapp'] ], @@ -63,6 +63,10 @@ class site_webapp { notify => Service['apache']; } + # + # NOTE: in order to support a webapp that is running on a subpath and not the root of the domain + # assets:precompile needs to be run with RAILS_RELATIVE_URL_ROOT=/application-root + # exec { 'compile_assets': cwd => '/srv/leap/webapp', command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', 
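Review bot: `ExpiresDefault "access plus 1 year"` together with `Header unset ETag` / `FileETag None` sits at vhost scope rather than under the assets path, so the one-year lifetime applies to every static file Apache serves from the checkout, not only the fingerprinted ones the comment describes; `favicon.ico`, error pages and anything else in `public/` keep stable URLs and would be served stale for a year by browsers and intermediaries. Scope the four directives, e.g. wrap them in `<LocationMatch "^/assets/">` … `</LocationMatch>`, or use `ExpiresByType` for the asset content types. Whether Passenger-generated responses are touched depends on the application emitting its own `Cache-Control`, which this template cannot guarantee and should not rely on. The enclosing `<VirtualHost>` starts outside the hunk.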
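Review bot: `source => $webapp['git']['source']` now takes the clone URL from provider configuration, but nothing in the resource constrains the scheme; a `git://` or `http://` value would fetch the application code unauthenticated, and the vcsrepo git provider performs no signature check on the revision it checks out, so the https transport plus a pinned revision are the only integrity controls. Adding a scheme check would need a function this file does not visibly import, so the minimal step is a comment above the resource: `# source must be https and revision a tag/commit in production: vcsrepo verifies nothing itself`. The rest of the `vcsrepo` resource continues outside the hunk.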
@@ -110,72 +114,24 @@ class site_webapp { } try::file { - '/srv/leap/webapp/public/favicon.ico': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['favicon']; - - '/srv/leap/webapp/app/assets/stylesheets/tail.scss': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['tail_scss'], - before => Exec['bundler_update']; - - '/srv/leap/webapp/app/assets/stylesheets/head.scss': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['head_scss'], - before => Exec['bundler_update']; - - '/srv/leap/webapp/public/img': + '/srv/leap/webapp/config/customization': ensure => directory, recurse => true, purge => true, force => true, owner => leap-webapp, group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['img_dir']; - - '/srv/leap/webapp/app/views/home/index.html.haml': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', + mode => 'u=rwX,go=rX', require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['home_page']; + notify => Exec['compile_assets'], + source => $webapp['customization_dir']; } git::changes { - 'app/assets/stylesheets/head.scss': - cwd => '/srv/leap/webapp', - require => Vcsrepo['/srv/leap/webapp'], - user => 'leap-webapp'; - - 'app/assets/stylesheets/tail.scss': - cwd => '/srv/leap/webapp', - require => Vcsrepo['/srv/leap/webapp'], - user => 'leap-webapp'; - 'public/favicon.ico': cwd => '/srv/leap/webapp', require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; - - 'app/views/home/index.html.haml': - cwd => '/srv/leap/webapp', - require => Vcsrepo['/srv/leap/webapp'], - user => 'leap-webapp'; } file { -- cgit v1.2.3 
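Review bot: The `try::file` entry for `/srv/leap/webapp/public/favicon.ico` is removed, but the `git::changes { 'public/favicon.ico': … }` entry a few lines below is kept, so the checkout is still told to expect local modifications to a file Puppet no longer writes; either drop that entry too or keep the favicon deploy. The new `config/customization` directory is synced with `purge => true` and `mode => 'u=rwX,go=rX'`, i.e. world-readable, which is fine for branding assets but means anything a provider drops into `$webapp['customization_dir']` becomes readable by every local account; add `# must not contain secrets: deployed world-readable` on the resource. The `try::file { … }` block starts outside the hunk.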
From 846728631f5247984dfa69b7e82f5014e10f4427 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 25 Nov 2013 00:43:51 -0800 Subject: fix bug when 'environment' is nil in hiera.yaml --- puppet/modules/site_config/manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 2ef391db..5bdc0077 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -3,7 +3,7 @@ class site_config::params { $ip_address = hiera('ip_address') $ip_address_interface = getvar("interface_${ip_address}") $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") - $environment = hiera('environment') + $environment = hiera('environment', undef) if $environment == 'local' { -- cgit v1.2.3 From e86f20b2435ec251c6373baf4c2ee36d5f26b83e Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 25 Nov 2013 01:20:52 -0800 Subject: fixed `diff` bug with try::file and directories --- puppet/modules/try/manifests/file.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 56a7c997..cd1bb035 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp 
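Review bot: `hiera('environment', undef)` avoids the lookup failure, but on Puppet 3 an `undef` passed as a function argument most likely arrives as the empty string, so `$environment` ends up `''` rather than undef when the key is absent. `$environment == 'local'` is still false, so the visible branch behaves, but any later `if $environment` or comparison against undef in the class (outside the hunk) will see `''`. If that distinction matters, a comment such as `# NOTE: on Puppet 3 the default arrives as '' rather than undef` on the changed line prevents a surprise.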
@@ -58,14 +58,14 @@ define try::file ( exec { "rsync_${name}": command => "/usr/bin/rsync -r --delete '${source}/' '${name}'", onlyif => "/usr/bin/test -d '${source}'", - unless => "/usr/bin/diff -q '${source}' '${name}'", + unless => "/usr/bin/diff -rq '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } else { exec { "cp_r_${name}": command => "/bin/cp -r '${source}' '${name}'", onlyif => "/usr/bin/test -d '${source}'", - unless => "/usr/bin/diff -q '${source}' '${name}'", + unless => "/usr/bin/diff -rq '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } -- cgit v1.2.3 From 82544d7ce6c1952fe9d1043facd64c4737b5f4f3 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 25 Nov 2013 22:49:25 +0100 Subject: add new version of couchdb submodule This one reverts a buggy fix. Trying to push it out asap --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d3153dd2..4c7bc8b6 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d3153dd2da619035c0504b02f478796d656bb11d +Subproject commit 4c7bc8b661250bb7fe1000ae1515507c5bf4beb1 -- cgit v1.2.3 From fee571ccc4cd0cf8c665cf7446a0bb99c6dd30cf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 13:10:01 -0500 Subject: disable starttls over submission for client connections, we are using TLS wrapper mode on the smtps port 465 now (#4366) enable the missing smtpd_helo_restrictions for smtps Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6 --- puppet/modules/site_postfix/manifests/mx.pp | 5 +---- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 474ed03d..59d3030d 100644 
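Review bot: `diff -rq` now descends into subdirectories, but the fallback branch's `cp -r '${source}' '${name}'` still copies the source *into* `${name}` (yielding `${name}/<basename>`) whenever `${name}` already exists and differs, so the `unless` is likely to keep reporting a difference and the exec reruns on every agent run; `cp -r '${source}/.' '${name}'` (or GNU `cp -rT`) copies the contents instead. Both commands interpolate `${source}` and `${name}` into a shell string inside single quotes, so a `'` in either path breaks the quoting; these values come from manifests rather than untrusted input, but a comment stating that assumption would be worth adding. The `define try::file (` header and the branch condition are outside the hunk.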
--- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -55,10 +55,7 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -submission inet n - n - - smtpd - -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions - -o smtpd_helo_restrictions=\$submission_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0f1500a4..0ec40277 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -22,9 +22,7 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_helo_restrictions': + 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; -- cgit v1.2.3 From ab278941346cc868aad7a3900a2cd5a1007986ea Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 25 Nov 2013 12:16:04 -0500 Subject: make some more dependency chains explicit Change-Id: Ib9525c3a933041fa9b378e1869c0a866375bb509 --- puppet/modules/site_couchdb/manifests/init.pp | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) 
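Review bot: With the `submission` entry deleted, port 465 in wrapper mode is the only client-facing listener, but nothing in the `master.cf` text records why 587 is gone, and a later maintainer seeing only `smtpd_tls_security_level=encrypt` on `smtps` is likely to re-add STARTTLS on 587; a comment inside the string such as `# no submission/587: clients use TLS wrapper mode on smtps/465 (#4366)` preserves the intent. The `smtps` overrides set HELO and recipient restrictions but inherit the global `smtpd_sender_restrictions`, which is acceptable only if that global value is meant for authenticated-client submission as well as inbound MX traffic. The enclosing postfix resource starts outside the hunk.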
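Review bot: The context comment `# we use permit_tls_clientcerts with the $relay_clientcerts lookup` contradicts the value it describes: `smtps_recipient_restrictions` uses `permit_tls_all_clientcerts`, which grants relay to any client presenting a certificate that verifies against the trusted CA set, not only to fingerprints listed in `relay_clientcerts`. If every CA-issued client cert is meant to relay, fix the comment, e.g. `# any client cert that verifies against our CA may relay (permit_tls_all_clientcerts)`; otherwise switch the restriction to `permit_tls_clientcerts`. The new `smtps_helo_restrictions` ends in `permit`, so the `helo_checks` table is a pure deny-list, which deserves a note on that line as well.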
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 684d3ab7..dcf7f48a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -34,9 +34,11 @@ class site_couchdb { class { 'couchdb::bigcouch::package::cloudant': } Class['site_config::default'] - -> Class ['couchdb::bigcouch::package::cloudant'] - -> Service ['couchdb'] - -> Class ['site_couchdb::bigcouch::add_nodes'] + -> Class['couchdb::bigcouch::package::cloudant'] + -> Service['couchdb'] + -> Class['site_couchdb::stunnel'] + -> File['/root/.netrc'] + -> Class['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] @@ -46,11 +48,21 @@ class site_couchdb { class { 'site_couchdb::bigcouch::add_nodes': } + # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup + # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) + # and makes life easier for the admin (i.e. using curl/wget without + # passing credentials) couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw, } + file { '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc', + require => Couchdb::Query::Setup['localhost'] + } + # Populate couchdb couchdb::add_user { $couchdb_webapp_user: roles => '["auth"]', @@ -99,15 +111,6 @@ class site_couchdb { include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch - # /etc/couchdb/couchdb.netrc is deployed by the couchdb module - # needed for couchdb_scripts (backup) and makes life easier - # for the admin (i.e. using curl/wget without passing credentials) - - file { '/root/.netrc': - ensure => link, - target => '/etc/couchdb/couchdb.netrc' - } - file { '/srv/leap/couchdb': ensure => directory } -- cgit v1.2.3 From dc6c48cbc25216417a02304ec2c23663688cd99d Mon Sep 17 00:00:00 2001 
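Review bot: The `/root/.netrc` symlink makes the CouchDB admin credential ambient for every `curl`/`wget` run as root, since both tools read `~/.netrc` unprompted; that is the stated intent, but the hunk does not show the target file's permissions or whether it uses a `machine localhost` entry rather than `default`, and a `default` entry would send the admin password to any host root fetches from. Add a note on the resource, e.g. `# couchdb.netrc must be 0600 and keyed to 'machine localhost'; a 'default' entry would leak the admin password to arbitrary hosts`, and verify `couchdb::query::setup` guarantees both. The surrounding `class site_couchdb` body extends beyond the hunk.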
From: Micah Anderson Date: Tue, 26 Nov 2013 14:49:53 -0500 Subject: enable uploading a document to couch from a file (#4256) deploy design documents during couch deploy (#3771) Change-Id: I4679e066303ac9b02582214c48e2e7dcfe5bd651 --- puppet/modules/couchdb | 2 +- .../site_couchdb/files/designs/customers.json | 18 ++++++++ .../site_couchdb/files/designs/identities.json | 28 ++++++++++++ .../site_couchdb/files/designs/sessions.json | 8 ++++ .../site_couchdb/files/designs/tickets.json | 50 ++++++++++++++++++++++ .../modules/site_couchdb/files/designs/tokens.json | 14 ++++++ .../modules/site_couchdb/files/designs/users.json | 26 +++++++++++ puppet/modules/site_couchdb/manifests/designs.pp | 20 +++++++++ 8 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_couchdb/files/designs/customers.json create mode 100644 puppet/modules/site_couchdb/files/designs/identities.json create mode 100644 puppet/modules/site_couchdb/files/designs/sessions.json create mode 100644 puppet/modules/site_couchdb/files/designs/tickets.json create mode 100644 puppet/modules/site_couchdb/files/designs/tokens.json create mode 100644 puppet/modules/site_couchdb/files/designs/users.json create mode 100644 puppet/modules/site_couchdb/manifests/designs.pp diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 4c7bc8b6..e4906614 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 4c7bc8b661250bb7fe1000ae1515507c5bf4beb1 +Subproject commit e49066146ffeb91ce7c8e2100cdc4eca0ceb3a9b diff --git a/puppet/modules/site_couchdb/files/designs/customers.json b/puppet/modules/site_couchdb/files/designs/customers.json new file mode 100644 index 00000000..1b4bbddd --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/customers.json 
@@ -0,0 +1,18 @@ +{ + "_id": "_design/Customer", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_braintree_customer_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['braintree_customer_id'] != null)) {\n emit(doc['braintree_customer_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Customer') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "688c401ec0230b75625c176a88fc4a02" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/identities.json b/puppet/modules/site_couchdb/files/designs/identities.json new file mode 100644 index 00000000..8cf8c39b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/identities.json 
@@ -0,0 +1,28 @@ +{ + "_id": "_design/Identity", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address_and_destination": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "pgp_key_by_email": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" + }, + "disabled": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/sessions.json b/puppet/modules/site_couchdb/files/designs/sessions.json new file mode 100644 index 00000000..70202780 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/sessions.json @@ -0,0 +1,8 @@ +{ + "views": { + "by_expires": { + "reduce": "_sum", + "map": "function(doc) {\n if(typeof doc.expires !== \"undefined\") {\n emit(doc.expires, 1);\n }\n}\n" + } + } +} diff --git a/puppet/modules/site_couchdb/files/designs/tickets.json b/puppet/modules/site_couchdb/files/designs/tickets.json new file mode 100644 index 00000000..2c9408b8 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tickets.json 
@@ -0,0 +1,50 @@ +{ + "_id": "_design/Ticket", + "language": "javascript", + "views": { + "by_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_by": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_by'] != null)) {\n emit(doc['created_by'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['created_at'] != null)) {\n emit([doc['is_open'], doc['created_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_includes_post_by_and_is_open_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_is_open_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return 
sum(values); }" + }, + "by_includes_post_by_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by": { + "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tokens.json b/puppet/modules/site_couchdb/files/designs/tokens.json new file mode 100644 index 00000000..b9025f15 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tokens.json 
@@ -0,0 +1,14 @@ +{ + "_id": "_design/Token", + "language": "javascript", + "views": { + "by_last_seen_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Token') && (doc['last_seen_at'] != null)) {\n emit(doc['last_seen_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Token') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "541dd924551c42a2317b345effbe65cc" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users.json b/puppet/modules/site_couchdb/files/designs/users.json new file mode 100644 index 00000000..c500822b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/users.json @@ -0,0 +1,26 @@ +{ + "_id": "_design/User", + "language": "javascript", + "views": { + "by_login": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['login'] != null)) {\n emit(doc['login'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" + }, + "by_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_login_or_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + } + }, + "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" +} \ No newline at end of file 
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp new file mode 100644 index 00000000..2d0a8326 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -0,0 +1,20 @@ +class site_couchdb::designs { + + Class['site_couchdb::create_dbs'] + -> Class['site_couchdb::designs'] + + file { '/srv/leap/couchdb/designs': + ensure => directory, + source => 'puppet:///modules/site_couchdb/designs', + recurse => true, + mode => '0755' + } + + exec { '/srv/leap/couchdb/scripts/load_design_documents.sh': + subscribe => File['/srv/leap/couchdb/designs'], + refreshonly => true, + require => Vcsrepo['/srv/leap/couchdb/scripts'] + } + +} + -- cgit v1.2.3 From 92d68c912d0de44ec9e88f7327303cc0fce7114b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Nov 2013 16:25:14 -0500 Subject: break out the database creation, user creation and design document loading into different classes Change-Id: Idd126d69e1fbe9c9794ad50337307dcc5dd635f4 --- puppet/modules/site_couchdb/manifests/add_users.pp | 17 +++++++ .../modules/site_couchdb/manifests/create_dbs.pp | 31 ++++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 56 ++++------------------ 3 files changed, 56 insertions(+), 48 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/add_users.pp create mode 100644 puppet/modules/site_couchdb/manifests/create_dbs.pp diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp new file mode 100644 index 00000000..e9d3da78 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/add_users.pp 
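Review bot: The `load_design_documents.sh` exec is `refreshonly` and fires only when the designs directory changes, so if the first load fails (CouchDB not yet answering, stunnel not up) the design documents stay missing until the JSON files change again; either replace `refreshonly` with an `unless` that checks for a `_design` doc, or at least document it with `# NOTE: a failed load is not retried until the design files change`. The recursive `mode => '0755'` marks the JSON files executable; `'0644'` gives the same directory permissions because Puppet adds the search bit to directories automatically. The script runs as root and relies on credentials not visible in this hunk, which a comment on the exec should state.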
@@ -0,0 +1,17 @@ +class site_couchdb::add_users { + + # Populate couchdb + couchdb::add_user { $site_couchdb::couchdb_webapp_user: + roles => '["auth"]', + pw => $site_couchdb::couchdb_webapp_pw, + salt => $site_couchdb::couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::add_user { $site_couchdb::couchdb_soledad_user: + roles => '["auth"]', + pw => $site_couchdb::couchdb_soledad_pw, + salt => $site_couchdb::couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'] + } +} diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp new file mode 100644 index 00000000..2dca51c1 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -0,0 +1,31 @@ +class site_couchdb::create_dbs { + + couchdb::create_db { 'users': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::create_db { 'tokens': + members => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::create_db { 'sessions': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::create_db { 'tickets': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + # leap_mx will want access to this. Granting access to the soledad user + # via the auth group for now. + # leap_mx could use that for a start. + couchdb::create_db { 'identities': + members => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] + } + +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index dcf7f48a..0f839997 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp 
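Review bot: `members` in a CouchDB `_security` object grants write as well as read access unless a `validate_doc_update` function restricts it, so handing `tokens` and `identities` to the whole `auth` role lets every account carrying that role — both `webapp` and `soledad` per `add_users.pp` — create or alter session tokens and identity records, not merely read them. If soledad only needs to read `identities`, state the accepted exposure on the resource, e.g. `# NOTE: members can write too; a compromised soledad account could mint tokens`, and consider per-service roles instead of the shared `auth` role to narrow it. The usernames are interpolated into the JSON string unescaped, which is fine only while they stay plain identifiers from the provider config.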
+++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -52,69 +52,29 @@ class site_couchdb { # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without # passing credentials) - couchdb::query::setup { 'localhost': - user => $couchdb_admin_user, - pw => $couchdb_admin_pw, - } - file { '/root/.netrc': ensure => link, target => '/etc/couchdb/couchdb.netrc', require => Couchdb::Query::Setup['localhost'] } - # Populate couchdb - couchdb::add_user { $couchdb_webapp_user: - roles => '["auth"]', - pw => $couchdb_webapp_pw, - salt => $couchdb_webapp_salt, - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::add_user { $couchdb_soledad_user: - roles => '["auth"]', - pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt, - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'users': - members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'tokens': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'sessions': - members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'tickets': - members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] + file { '/srv/leap/couchdb': + ensure => directory } - # leap_mx will want access to this. Granting access to the soledad user - # via the auth group for now. - # leap_mx could use that for a start. 
- couchdb::create_db { 'identities': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", - require => Couchdb::Query::Setup['localhost'] + couchdb::query::setup { 'localhost': + user => $couchdb_admin_user, + pw => $couchdb_admin_pw, } + include site_couchdb::create_dbs + include site_couchdb::add_users + include site_couchdb::designs include site_couchdb::logrotate include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch - file { '/srv/leap/couchdb': - ensure => directory - } - vcsrepo { '/srv/leap/couchdb/scripts': ensure => present, provider => git, -- cgit v1.2.3 From 69e626d819317ce977007571714dd7a2f1235492 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Nov 2013 13:13:36 -0500 Subject: initial tapicero configuration Change-Id: Ie53b09df0758ba01b30ed658bee04682bc180b01 --- puppet/manifests/site.pp | 1 + puppet/modules/tapicero/files/tapicero.init | 60 ++++++++++ puppet/modules/tapicero/manifests/init.pp | 126 +++++++++++++++++++++ .../modules/tapicero/templates/tapicero.yaml.erb | 36 ++++++ 4 files changed, 223 insertions(+) create mode 100755 puppet/modules/tapicero/files/tapicero.init create mode 100644 puppet/modules/tapicero/manifests/init.pp create mode 100644 puppet/modules/tapicero/templates/tapicero.yaml.erb diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9f5d82d8..def0a642 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -14,6 +14,7 @@ if $services =~ /\bopenvpn\b/ { if $services =~ /\bcouchdb\b/ { include site_couchdb + include tapicero } if $services =~ /\bwebapp\b/ { diff --git a/puppet/modules/tapicero/files/tapicero.init b/puppet/modules/tapicero/files/tapicero.init new file mode 100755 index 00000000..7a9af45f --- /dev/null +++ b/puppet/modules/tapicero/files/tapicero.init 
@@ -0,0 +1,60 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: tapicero +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: tapicero initscript +# Description: Controls tapicero daemon +### END INIT INFO + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +BUNDLER=/usr/bin/bundle +NAME=tapicero +HOME="/srv/leap" +DAEMON="${HOME}/${NAME}/bin/${NAME}" +BUNDLE_GEMFILE="${HOME}/${NAME}/Gemfile" + +export BUNDLE_GEMFILE + +# exit if the daemon doesn't exist +[ -x "$DAEMON" ] || exit 0 + +. /lib/init/vars.sh +. /lib/lsb/init-functions + +if [ "$VERBOSE" != no ]; then + OPTIONS="--verbose" +else + OPTIONS="" +fi + +case "$1" in + start) + $BUNDLER exec $DAEMON start $OPTIONS + exit $? + ;; + stop) + $BUNDLER exec $DAEMON stop $OPTIONS + exit $? + ;; + restart) + $BUNDLER exec $DAEMON restart $OPTIONS + exit $? + ;; + reload) + $BUNDLER exec $DAEMON reload $OPTIONS + exit $? + ;; + status) + $BUNDLER exec $DAEMON status $OPTIONS + exit $? + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|status}" + exit 1 +esac + +exit 0 diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp new file mode 100644 index 00000000..fe33ac75 --- /dev/null +++ b/puppet/modules/tapicero/manifests/init.pp 
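Review bot: Every case branch runs `$BUNDLER exec $DAEMON …` as the invoking user, i.e. root, and nothing switches to the `tapicero` account the accompanying manifest creates; unless the daemon drops privileges itself (not visible here), a root process loads gems from a `vendor/bundle` tree the `tapicero` user owns and can modify, which turns that account into a root-escalation path and defeats the 0600 config file. Run the daemon as the service user by wrapping the invocation as sketched below, or use `start-stop-daemon --chuid tapicero:tapicero`. `HOME="/srv/leap"` also redirects bundler's per-user config lookup, which deserves a comment or removal.
```sh
# Run the daemon as the unprivileged service user; pass the bundler settings
# explicitly so the invocation does not depend on what su preserves.
run_daemon() {
    su -s /bin/sh tapicero -c \
        "BUNDLE_GEMFILE='$BUNDLE_GEMFILE' PATH='$PATH' $BUNDLER exec $DAEMON $1 $OPTIONS"
}

case "$1" in
  start)
    run_daemon start
    exit $?
    ;;
  # … unchanged: stop/restart/reload/status call run_daemon the same way …
esac
```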
@@ -0,0 +1,126 @@ +class tapicero { + tag 'leap_service' + + $couchdb = hiera('couch') + $couchdb_port = $couchdb['port'] + + $couchdb_users = $couchdb['users'] + + $couchdb_admin_user = $couchdb_users['admin']['username'] + $couchdb_admin_password = $couchdb_users['admin']['password'] + + $couchdb_soledad_user = $couchdb_users['soledad']['username'] + $couchdb_soledad_password = $couchdb_users['soledad']['password'] + + $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] + $couchdb_leap_mx_password = $couchdb_users['leap_mx']['password'] + + + Class['site_config::default'] -> Class['tapicero'] + + include site_config::ruby::dev + + # + # USER AND GROUP + # + + group { 'tapicero': + ensure => present, + allowdupe => false; + } + + user { 'tapicero': + ensure => present, + allowdupe => false, + gid => 'tapicero', + home => '/srv/leap/tapicero', + require => Group['tapicero']; + } + + # + # TAPICERO FILES + # + + file { + + ## + ## TAPICERO DIRECTORIES + ## + + '/srv/leap/tapicero': + ensure => directory, + owner => 'tapicero', + group => 'tapicero', + require => User['tapicero']; + + '/var/lib/leap/tapicero': + ensure => directory, + owner => 'tapicero', + group => 'tapicero', + require => User['tapicero']; + + ## + ## TAPICERO CONFIG + ## + + '/etc/leap/tapicero.yaml': + content => template('tapicero/tapicero.yaml.erb'), + owner => 'tapicero', + group => 'tapicero', + mode => '0600', + notify => Service['tapicero']; + + ## + ## TAPICERO INIT + ## + + '/etc/init.d/tapicero': + source => 'puppet:///modules/tapicero/tapicero.init', + owner => root, + group => 0, + mode => '0755', + require => Vcsrepo['/srv/leap/tapicero']; + } + + # + # TAPICERO CODE + # + + vcsrepo { '/srv/leap/tapicero': + ensure => present, + force => true, + revision => 'origin/master', + provider => git, + source => 'https://leap.se/git/tapicero', + owner => 'tapicero', + group => 'tapicero', + require => [ User['tapicero'], Group['tapicero'] ], + notify => 
Exec['tapicero_bundler_update'] + } + + exec { 'tapicero_bundler_update': + cwd => '/srv/leap/tapicero', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"', + unless => '/usr/bin/bundle check', + user => 'tapicero', + timeout => 600, + require => [ + Class['bundler::install'], + Vcsrepo['/srv/leap/tapicero'], + Class['site_config::ruby::dev'] ], + notify => Service['tapicero']; + } + + # + # TAPICERO DAEMON + # + + service { 'tapicero': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => File['/etc/init.d/tapicero']; + } + +} diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb new file mode 100644 index 00000000..75b8d5f6 --- /dev/null +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -0,0 +1,36 @@ +# +# Default configuration options for Tapicero +# + +# database to observe for changes: +users_db_name: "users" + +# prefix for per user databases: +db_prefix: "user-" + +# couch connection configuration +couch_connection: + protocol: "http" + host: "localhost" + port: <%= @couchdb_port %> + username: <%= @couchdb_admin_user %> + password: <%= @couchdb_admin_password %> + +# security settings to be used for the per user databases +security: + admins: + names: [] + roles: [] + readers: + names: + - <%= @couchdb_soledad_user %> + - <%= @couchdb_leap_mx_user %> + roles: [] + +# file to store the last processed user record in so we can resume after +# a restart: +seq_file: "/var/lib/leap/tapicero/tapicero.seq" + +# Configure log_file like this if you want to log to a file instead of syslog: +# log_file: "/var/leap/log/tapicero.log" +log_level: info -- cgit v1.2.3 From 52f64689a9db8b7300cadaa850e5d7914cef0b9d Mon Sep 17 00:00:00 2001 
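Review bot: `user { 'tapicero': … }` creates a daemon account without `system => true` or `shell => '/bin/false'`, so by distribution default it gets a regular UID range and a login shell; add `system => true, shell => '/bin/false',` to the resource. Its `home` is the git checkout that `vcsrepo` manages with `force => true`, so any dotfiles bundler or the daemon write under `$HOME` land inside the managed tree; `/var/lib/leap/tapicero` is the better home. The checkout tracks `origin/master` with no pinned revision, so each run can move the daemon to whatever the branch head is; pin a tag or commit for production. The class body spans the previous page line as well as this one.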
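Review bot: `username: <%= @couchdb_admin_user %>` and `password: <%= @couchdb_admin_password %>` are emitted as bare YAML scalars, so a password containing `: `, ` #`, a leading `*`, `&`, `!`, `{`, `[` or quote, or one that is all digits, will be mis-parsed or typed as a number and the daemon will fail to authenticate; the two names under `readers` have the same problem. Emit them as quoted strings, e.g. `password: <%= @couchdb_admin_password.to_json %>` (a JSON string literal is a valid YAML flow scalar), and likewise for `username` and the reader entries. Secrets from `secret :couch_admin_password` are presumably alphanumeric today, but the template should not depend on that.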
From: Micah Anderson Date: Wed, 20 Nov 2013 13:13:47 -0500 Subject: setup some common leap system directories: /var/lib/leap and /var/log/leap Change-Id: I18aa0ee635d7166676e4bb4384e2b517784a68b0 --- puppet/modules/site_config/manifests/files.pp | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp index 03c9aff8..684d3ad0 100644 --- a/puppet/modules/site_config/manifests/files.pp +++ b/puppet/modules/site_config/manifests/files.pp @@ -1,10 +1,23 @@ class site_config::files { - file { '/srv/leap': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0711' + file { + '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711'; + + '/var/lib/leap': + ensure => directory, + owner => root, + group => 'root', + mode => '0755'; + + '/var/log/leap': + ensure => directory, + owner => root, + group => 'adm', + mode => '0750'; } -} \ No newline at end of file +} -- cgit v1.2.3 From 3accc19120285c9f518c830100d97f5bba91d3ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 13:15:03 -0500 Subject: explicitly set the admin user as having access to the per-user databases, even though it is probably not needed Change-Id: I2f9e751570190f7358332404ae734ae850f92b9f --- puppet/modules/tapicero/templates/tapicero.yaml.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 75b8d5f6..098f95bd 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb 
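Review bot: The two new entries write `owner => root` as a bareword while the existing `/srv/leap` entry in the same resource block uses `owner => 'root'`; keep one form, preferably the quoted `owner => 'root',` on both new lines. A one-line comment per directory naming who is expected to write there (`# state for LEAP daemons; each service owns a subdirectory` / `# logs; group adm so non-root admins can read`) would make the 0755 and 0750/adm choices self-explanatory.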
@@ -19,7 +19,11 @@ couch_connection: # security settings to be used for the per user databases security: admins: - names: [] + names: + # We explicitly allow the admin user to access per user databases, even + # though admin access ignores per database security we just do this to be + # explicit about this + - <%= @couchdb_admin_user %> roles: [] readers: names: -- cgit v1.2.3 From 77528b228c6d7ba095a796df4c5cc4c95eb50d9d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:00:10 -0500 Subject: pretty reformat couchdb.json and site_couchdb/manifests/init.pp, alphabetizing couchdb users Change-Id: I88264d32e9381f826652d1631083ba371e2b1b54 --- provider_base/services/couchdb.json | 68 +++++++++++----------- puppet/modules/site_couchdb/manifests/add_users.pp | 14 +++-- .../modules/site_couchdb/manifests/create_dbs.pp | 19 +++--- puppet/modules/site_couchdb/manifests/init.pp | 11 ++-- 4 files changed, 58 insertions(+), 54 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index a26579c8..95ab75f1 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json 
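Review bot: The added three-line comment under `admins: names:` runs its clauses together without punctuation and is hard to read. Suggest replacing it with `# List the admin user here explicitly, even though admin access bypasses` followed by `# per-database security; this only documents the intent.`. The admin name is also emitted unquoted into the YAML list, which is fine for the literal value `admin` but would break for a username containing YAML indicator characters.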
@@ -1,38 +1,38 @@ { - "x509": { - "use": true - }, - "stunnel": { - "couch_server": "= stunnel_server(couch.port)", - "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)", - "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)", - "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)", - "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)" - }, - "couch": { - "port": 5984, - "bigcouch": { - "epmd_port": 4369, - "ednp_port": 9002, - "cookie": "= secret :bigcouch_cookie", - "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')" + "x509": { + "use": true }, - "users": { - "admin": { - "username": "admin", - "password": "= secret :couch_admin_password", - "salt": "= hex_secret :couch_admin_password_salt, 128" - }, - "webapp": { - "username": "webapp", - "password": "= secret :couch_webapp_password", - "salt": "= hex_secret :couch_webapp_password_salt, 128" - }, - "soledad": { - "username": "soledad", - "password": "= secret :couch_soledad_password", - "salt": "= hex_secret :couch_soledad_password_salt, 128" - } + "stunnel": { + "couch_server": "= stunnel_server(couch.port)", + "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)", + "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)", + "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)", + "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)" + }, + "couch": { + "port": 5984, + "bigcouch": { + "epmd_port": 4369, + "ednp_port": 9002, + "cookie": "= secret :bigcouch_cookie", + "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')" + }, + "users": { + "admin": { + "username": "admin", + "password": "= secret :couch_admin_password", + "salt": "= 
hex_secret :couch_admin_password_salt, 128" + }, + "soledad": { + "username": "soledad", + "password": "= secret :couch_soledad_password", + "salt": "= hex_secret :couch_soledad_password_salt, 128" + }, + "webapp": { + "username": "webapp", + "password": "= secret :couch_webapp_password", + "salt": "= hex_secret :couch_webapp_password_salt, 128" + } + } } - } } diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index e9d3da78..b9304a97 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -1,12 +1,6 @@ class site_couchdb::add_users { # Populate couchdb - couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["auth"]', - pw => $site_couchdb::couchdb_webapp_pw, - salt => $site_couchdb::couchdb_webapp_salt, - require => Couchdb::Query::Setup['localhost'] - } couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', @@ -14,4 +8,12 @@ class site_couchdb::add_users { salt => $site_couchdb::couchdb_soledad_salt, require => Couchdb::Query::Setup['localhost'] } + + couchdb::add_user { $site_couchdb::couchdb_webapp_user: + roles => '["auth"]', + pw => $site_couchdb::couchdb_webapp_pw, + salt => $site_couchdb::couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] + } + } diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index 2dca51c1..b5404231 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp 
@@ -1,11 +1,9 @@ class site_couchdb::create_dbs { - couchdb::create_db { 'users': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'tokens': + # leap_mx will want access to this. Granting access to the soledad user + # via the auth group for now. + # leap_mx could use that for a start. + couchdb::create_db { 'identities': members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } @@ -20,12 +18,13 @@ class site_couchdb::create_dbs { require => Couchdb::Query::Setup['localhost'] } - # leap_mx will want access to this. Granting access to the soledad user - # via the auth group for now. - # leap_mx could use that for a start. - couchdb::create_db { 'identities': + couchdb::create_db { 'tokens': members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } + couchdb::create_db { 'users': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0f839997..82f2befb 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -3,19 +3,22 @@ class site_couchdb { $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] + $couchdb_admin = $couchdb_users['admin'] $couchdb_admin_user = $couchdb_admin['username'] $couchdb_admin_pw = $couchdb_admin['password'] $couchdb_admin_salt = $couchdb_admin['salt'] - $couchdb_webapp = $couchdb_users['webapp'] - $couchdb_webapp_user = $couchdb_webapp['username'] - $couchdb_webapp_pw = $couchdb_webapp['password'] - $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_soledad = $couchdb_users['soledad'] $couchdb_soledad_user = $couchdb_soledad['username'] $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_backup = $couchdb_config['backup'] $bigcouch_config = $couchdb_config['bigcouch'] -- cgit v1.2.3 From fdf028e53cb1efa9d3d6c8ab76c89f98e2fb7498 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:03:03 -0500 Subject: add leap_mx couchdb user/password Change-Id: Ice83115e0feabddd40ad74c2a6e98e24da9b4c2f --- provider_base/services/couchdb.json | 5 +++++ puppet/modules/site_couchdb/manifests/add_users.pp | 7 +++++++ puppet/modules/site_couchdb/manifests/init.pp | 5 +++++ 3 files changed, 17 insertions(+) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 95ab75f1..61b97da1 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -23,6 +23,11 @@ "password": "= secret :couch_admin_password", "salt": "= hex_secret :couch_admin_password_salt, 128" }, + "leap_mx": { + "username": "leap_mx", + "password": "= secret :couch_leap_mx_password", + "salt": "= hex_secret :couch_leap_mx_password_salt, 128" + }, "soledad": { "username": "soledad", "password": "= secret :couch_soledad_password", 
diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index b9304a97..c83b096d 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -2,6 +2,13 @@ class site_couchdb::add_users { # Populate couchdb + couchdb::add_user { $site_couchdb::couchdb_leap_mx_user: + roles => '["identities"]', + pw => $site_couchdb::couchdb_leap_mx_pw, + salt => $site_couchdb::couchdb_leap_mx_salt, + require => Couchdb::Query::Setup['localhost'] + } + couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', pw => $site_couchdb::couchdb_soledad_pw, diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 82f2befb..b73c23c3 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -9,6 +9,11 @@ class site_couchdb { $couchdb_admin_pw = $couchdb_admin['password'] $couchdb_admin_salt = $couchdb_admin['salt'] + $couchdb_leap_mx = $couchdb_users['leap_mx'] + $couchdb_leap_mx_user = $couchdb_leap_mx['username'] + $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] + $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] + $couchdb_soledad = $couchdb_users['soledad'] $couchdb_soledad_user = $couchdb_soledad['username'] $couchdb_soledad_pw = $couchdb_soledad['password'] -- cgit v1.2.3 From e25091395d49d7e10c6266528d4bdfc48c10c886 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:08:20 -0500 Subject: add identities roles Change-Id: I483509850bee448bb2ea39863c1e6a796e102c3c --- puppet/modules/site_couchdb/manifests/add_users.pp | 2 +- puppet/modules/site_couchdb/manifests/create_dbs.pp | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index c83b096d..e525d01a 100644 
--- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -17,7 +17,7 @@ class site_couchdb::add_users { } couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["auth"]', + roles => '["auth","identities"]', pw => $site_couchdb::couchdb_webapp_pw, salt => $site_couchdb::couchdb_webapp_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index b5404231..a734c870 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,10 +1,10 @@ class site_couchdb::create_dbs { - # leap_mx will want access to this. Granting access to the soledad user - # via the auth group for now. - # leap_mx could use that for a start. + # identities database + # r/w: webapp + # r: nickserver, leap_mx - need to restrict with design document couchdb::create_db { 'identities': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"identities\"] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 6bff399fdcdab967a13a27d40dcef4bfb871e046 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:12:28 -0500 Subject: add nickserver couchdb user, set it to have 'identities' role Change-Id: I06723ccf2ba040204e9fc5256c99a1faad6abb5f --- provider_base/services/couchdb.json | 5 +++++ puppet/modules/site_couchdb/manifests/add_users.pp | 10 ++++++++++ 2 files changed, 15 insertions(+) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 61b97da1..1a8147f9 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json 
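Review bot: The new comment on the `identities` database (`r: nickserver, leap_mx - need to restrict with design document`) describes read-only access, but a CouchDB security object's `members` (`readers`) section grants read and write to every holder of the `identities` role, so nickserver and leap_mx can create and update documents until a `validate_doc_update` function exists. The same gap is in the later "add comments with access information" commit, where the `tokens` database comment says `r: soledad - needs to be restricted with a design document` while the `tokens` role likewise confers write access. Until the design document lands, the comments should state what is actually enforced, e.g. `## r/w: webapp, nickserver, leap_mx (read-only for the latter two is not yet enforced; needs validate_doc_update)`.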
@@ -28,6 +28,11 @@ "password": "= secret :couch_leap_mx_password", "salt": "= hex_secret :couch_leap_mx_password_salt, 128" }, + "nickserver": { + "username": "nickserver", + "password": "= secret :couch_nickserver_password", + "salt": "= hex_secret :couch_nickserver_password_salt, 128" + }, "soledad": { "username": "soledad", "password": "= secret :couch_soledad_password", diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index e525d01a..e3b74865 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -9,6 +9,16 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + # nickserver couchdb user + # read: identities, keycache + # write: keycache (a cache of discovered key, doesn’t exist yet) + couchdb::add_user { $site_couchdb::couchdb_nickserver_user: + roles => '["identities"]', + pw => $site_couchdb::couchdb_nickserver_pw, + salt => $site_couchdb::couchdb_nickserver_salt, + require => Couchdb::Query::Setup['localhost'] + } + couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', pw => $site_couchdb::couchdb_soledad_pw, -- cgit v1.2.3 From a9d75259f96e64825ea97eca17cbe6e0c6005d0d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:19:36 -0500 Subject: add comments with access information Change-Id: I058ac1f061bca17736662f14826e99d32472739b --- puppet/modules/site_couchdb/manifests/add_users.pp | 16 ++++++++++++---- puppet/modules/site_couchdb/manifests/create_dbs.pp | 17 ++++++++++++++--- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index e3b74865..8af9ea66 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp 
@@ -1,7 +1,10 @@ class site_couchdb::add_users { - # Populate couchdb + # Couchdb users + ## leap_mx couchdb user + ## read: identities + ## write access to user- couchdb::add_user { $site_couchdb::couchdb_leap_mx_user: roles => '["identities"]', pw => $site_couchdb::couchdb_leap_mx_pw, @@ -9,9 +12,9 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } - # nickserver couchdb user - # read: identities, keycache - # write: keycache (a cache of discovered key, doesn’t exist yet) + ## nickserver couchdb user + ## r: identities + ## r/w: keycache couchdb::add_user { $site_couchdb::couchdb_nickserver_user: roles => '["identities"]', pw => $site_couchdb::couchdb_nickserver_pw, @@ -19,6 +22,9 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ## soledad couchdb user + ## read: tokens, user-, shared + ## write: user-, shared couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', pw => $site_couchdb::couchdb_soledad_pw, @@ -26,6 +32,8 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ## webapp couchdb user + ## read/write: users, tokens, sessions, tickets, identities couchdb::add_user { $site_couchdb::couchdb_webapp_user: roles => '["auth","identities"]', pw => $site_couchdb::couchdb_webapp_pw, diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index a734c870..d3125448 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp 
@@ -1,28 +1,39 @@ class site_couchdb::create_dbs { - # identities database - # r/w: webapp - # r: nickserver, leap_mx - need to restrict with design document + # Couchdb databases + + ## identities database + ## r: nickserver, leap_mx - needs to be restrict with design document + ## r/w: webapp couchdb::create_db { 'identities': members => "{ \"names\": [], \"roles\": [\"identities\"] }", require => Couchdb::Query::Setup['localhost'] } + ## sessions database + ## r/w: webapp couchdb::create_db { 'sessions': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } + ## tickets database + ## r/w: webapp couchdb::create_db { 'tickets': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } + ## tokens database + ## r: soledad - needs to be restricted with a design document + ## r/w: webapp couchdb::create_db { 'tokens': members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } + ## users database + ## r/w: webapp couchdb::create_db { 'users': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] -- cgit v1.2.3 From 25ff4895b47ffd937e9f9881747ee8ffb511dacf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:20:51 -0500 Subject: add keycache couchdb database, and set appropriate roles Change-Id: I492a8dfb42e92ced80fb09c2095fa1328e24346b --- puppet/modules/site_couchdb/manifests/add_users.pp | 2 +- puppet/modules/site_couchdb/manifests/create_dbs.pp | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 8af9ea66..f5c38cbb 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp 
@@ -16,7 +16,7 @@ class site_couchdb::add_users { ## r: identities ## r/w: keycache couchdb::add_user { $site_couchdb::couchdb_nickserver_user: - roles => '["identities"]', + roles => '["identities","keycache"]', pw => $site_couchdb::couchdb_nickserver_pw, salt => $site_couchdb::couchdb_nickserver_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index d3125448..f8c38987 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -10,6 +10,13 @@ class site_couchdb::create_dbs { require => Couchdb::Query::Setup['localhost'] } + ## keycache database + ## r/w: nickserver + couchdb::create_db { 'keycache': + members => "{ \"names\": [], \"roles\": [\"keycache\"] }", + require => Couchdb::Query::Setup['localhost'] + } + ## sessions database ## r/w: webapp couchdb::create_db { 'sessions': -- cgit v1.2.3 From d0911282e2e201b1f60cd3431018d57cd8321482 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:21:49 -0500 Subject: add shared couchdb database, giving soledad access Change-Id: I743538f66e35f0fffaa0d07fb4ee44b810635aa3 --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f8c38987..9e21e33a 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -16,7 +16,7 @@ class site_couchdb::create_dbs { members => "{ \"names\": [], \"roles\": [\"keycache\"] }", require => Couchdb::Query::Setup['localhost'] } - + ## sessions database ## r/w: webapp couchdb::create_db { 'sessions': 
@@ -24,6 +24,13 @@ class site_couchdb::create_dbs { require => Couchdb::Query::Setup['localhost'] } + ## shared database + ## r/w: soledad + couchdb::create_db { 'shared': + members => "{ \"names\": [\"$site_couchdb::couchdb_soledad_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + ## tickets database ## r/w: webapp couchdb::create_db { 'tickets': -- cgit v1.2.3 From ef0eae6b9ed6294f5c921a73777090142861beba Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:22:57 -0500 Subject: setup tokens couchdb role for the tokens database and give soledad and the webapp access Change-Id: Ifc44d5775e37655240573ab01dd2ee2f794bd8f3 --- puppet/modules/site_couchdb/manifests/add_users.pp | 6 +++--- puppet/modules/site_couchdb/manifests/create_dbs.pp | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index f5c38cbb..03ce12f1 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -26,16 +26,16 @@ class site_couchdb::add_users { ## read: tokens, user-, shared ## write: user-, shared couchdb::add_user { $site_couchdb::couchdb_soledad_user: - roles => '["auth"]', + roles => '["tokens"]', pw => $site_couchdb::couchdb_soledad_pw, salt => $site_couchdb::couchdb_soledad_salt, require => Couchdb::Query::Setup['localhost'] } ## webapp couchdb user - ## read/write: users, tokens, sessions, tickets, identities + ## read/write: users, tokens, sessions, tickets, identities, customer couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["auth","identities"]', + roles => '["tokens","identities"]', pw => $site_couchdb::couchdb_webapp_pw, salt => $site_couchdb::couchdb_webapp_salt, require => Couchdb::Query::Setup['localhost'] 
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index 9e21e33a..a1db9d54 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -42,7 +42,7 @@ class site_couchdb::create_dbs { ## r: soledad - needs to be restricted with a design document ## r/w: webapp couchdb::create_db { 'tokens': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"tokens\"] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 0aed6d16a0303e05462f4c81cda0ced9872773bf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:27:50 -0500 Subject: add the tapicero couchdb user, and appropriate roles Change-Id: I41e9a73c8d04d5a2d74b41c8e32aca9906f3a4cf --- provider_base/services/couchdb.json | 5 +++++ puppet/modules/site_couchdb/manifests/add_users.pp | 16 +++++++++++++--- puppet/modules/site_couchdb/manifests/create_dbs.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 5 +++++ 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 1a8147f9..0cb044ef 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -38,6 +38,11 @@ "password": "= secret :couch_soledad_password", "salt": "= hex_secret :couch_soledad_password_salt, 128" }, + "tapicero": { + "username": "tapicero", + "password": "= secret :couch_tapicero_password", + "salt": "= hex_secret :couch_tapicero_password_salt, 128" + }, "webapp": { "username": "webapp", "password": "= secret :couch_webapp_password", diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 03ce12f1..f9ea7349 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp 
@@ -23,8 +23,8 @@ class site_couchdb::add_users { } ## soledad couchdb user - ## read: tokens, user-, shared - ## write: user-, shared + ## r/w: user-, shared + ## read: tokens couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["tokens"]', pw => $site_couchdb::couchdb_soledad_pw, @@ -32,10 +32,20 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ### tapicero couchdb user + ### admin: needs to be able to create user- databases + ### read: users + couchdb::add_user { $site_couchdb::couchdb_tapicero_user: + roles => '["users"]', + pw => $site_couchdb::couchdb_tapicero_pw, + salt => $site_couchdb::couchdb_tapicero_salt, + require => Couchdb::Query::Setup['localhost'] + } + ## webapp couchdb user ## read/write: users, tokens, sessions, tickets, identities, customer couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["tokens","identities"]', + roles => '["tokens","identities","users"]', pw => $site_couchdb::couchdb_webapp_pw, salt => $site_couchdb::couchdb_webapp_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index a1db9d54..f53597e7 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -49,7 +49,7 @@ class site_couchdb::create_dbs { ## users database ## r/w: webapp couchdb::create_db { 'users': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [], \"roles\": [\"users\"] }", require => Couchdb::Query::Setup['localhost'] } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index b73c23c3..bb3fa5d7 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
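Review bot: The new tapicero account is created as an ordinary user with `roles => '["users"]'`, but its own comment says `### admin: needs to be able to create user- databases`, and database creation in CouchDB is a server-admin operation, so the `users` role alone will not let it do that. The tapicero.yaml.erb template earlier in this series still hands the service the `@couchdb_admin_user`/`@couchdb_admin_password` pair, so as far as the visible diff goes this account is not used by tapicero; either wire the template to this user (and grant it what it needs) or note in the comment that the admin credentials remain in use. The comment block also uses `###` where every neighbouring block uses `##`.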
@@ -19,6 +19,11 @@ class site_couchdb { $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_tapicero = $couchdb_users['tapicero'] + $couchdb_tapicero_user = $couchdb_tapicero['username'] + $couchdb_tapicero_pw = $couchdb_tapicero['password'] + $couchdb_tapicero_salt = $couchdb_tapicero['salt'] + $couchdb_webapp = $couchdb_users['webapp'] $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] -- cgit v1.2.3 From 4aedafa09dd40673ae654f685cbad1b01c72f84c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Nov 2013 20:37:55 -0500 Subject: add webapp cron entries to cleanup sessions and tokens (#4572) Change-Id: Ic1ef7e25f07cbbbcea9bcc90248479009904303e --- puppet/modules/site_webapp/manifests/cron.pp | 19 +++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + 2 files changed, 20 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/cron.pp diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp new file mode 100644 index 00000000..be997103 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -0,0 +1,19 @@ +class site_webapp::cron { + + # cron tasks that need to be performed to cleanup the database + cron { + 'remove_expired_sessions': + command => 'bundle exec rake cleanup:sessions', + cwd => '/srv/leap/webapp', + environment => 'RAILS_ENV=production', + hour => 2, + minute => 30; + + 'remove_expired_tokens': + command => 'bundle exec rake cleanup:tokens', + cwd => '/srv/leap/webapp', + environment => 'RAILS_ENV=production', + hour => 3, + minute => 0; + } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c090c6a0..cb94d328 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
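Review bot: Both cron entries in the new site_webapp/manifests/cron.pp pass `cwd => '/srv/leap/webapp'`, but `cwd` is a parameter of the `exec` type, not of `cron`, so the catalog will fail to compile; the directory change belongs in the command itself. The entries also omit `user`, which means the rake tasks run as root in a tree the rest of this series owns by `leap-webapp` (see the `chown leap-webapp:leap-webapp` and `owner => leap-webapp` lines), and `bundle` is unqualified although the other manifests call `/usr/bin/bundle` and cron's default PATH is minimal. The rewrite below fixes all three for both entries.
```puppet
    'remove_expired_sessions':
      command     => 'cd /srv/leap/webapp && /usr/bin/bundle exec rake cleanup:sessions',
      user        => 'leap-webapp',
      # … unchanged: environment, hour, minute …

    'remove_expired_tokens':
      command     => 'cd /srv/leap/webapp && /usr/bin/bundle exec rake cleanup:tokens',
      user        => 'leap-webapp',
      # … unchanged: environment, hour, minute …
```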
@@ -17,6 +17,7 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy + include site_webapp::cron include site_config::x509::cert include site_config::x509::key include site_config::x509::ca -- cgit v1.2.3 From 27b084fbb61ea036a45970f1b0c5a8f8175f96e8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 15:00:10 -0500 Subject: add missing nickserver hiera value lookup Change-Id: I77061054f4768f0677ca9c498e6cd6d5df4ff806 --- puppet/modules/site_couchdb/manifests/init.pp | 49 +++++++++++++++------------ 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index bb3fa5d7..1933f01b 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -1,40 +1,45 @@ class site_couchdb { tag 'leap_service' - $couchdb_config = hiera('couch') - $couchdb_users = $couchdb_config['users'] + $couchdb_config = hiera('couch') + $couchdb_users = $couchdb_config['users'] - $couchdb_admin = $couchdb_users['admin'] - $couchdb_admin_user = $couchdb_admin['username'] - $couchdb_admin_pw = $couchdb_admin['password'] - $couchdb_admin_salt = $couchdb_admin['salt'] + $couchdb_admin = $couchdb_users['admin'] + $couchdb_admin_user = $couchdb_admin['username'] + $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_admin_salt = $couchdb_admin['salt'] - $couchdb_leap_mx = $couchdb_users['leap_mx'] - $couchdb_leap_mx_user = $couchdb_leap_mx['username'] - $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] - $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] + $couchdb_leap_mx = $couchdb_users['leap_mx'] + $couchdb_leap_mx_user = $couchdb_leap_mx['username'] + $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] + $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] - $couchdb_soledad = $couchdb_users['soledad'] - $couchdb_soledad_user = $couchdb_soledad['username'] - $couchdb_soledad_pw = $couchdb_soledad['password'] - $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_nickserver = $couchdb_users['nickserver'] + $couchdb_nickserver_user = $couchdb_nickserver['username'] + $couchdb_nickserver_pw = $couchdb_nickserver['password'] + $couchdb_nickserver_salt = $couchdb_nickserver['salt'] + + $couchdb_soledad = $couchdb_users['soledad'] + $couchdb_soledad_user = $couchdb_soledad['username'] + $couchdb_soledad_pw = $couchdb_soledad['password'] + $couchdb_soledad_salt = $couchdb_soledad['salt'] $couchdb_tapicero = $couchdb_users['tapicero'] $couchdb_tapicero_user = $couchdb_tapicero['username'] $couchdb_tapicero_pw = $couchdb_tapicero['password'] $couchdb_tapicero_salt = $couchdb_tapicero['salt'] - $couchdb_webapp = $couchdb_users['webapp'] - $couchdb_webapp_user = $couchdb_webapp['username'] - $couchdb_webapp_pw = 
$couchdb_webapp['password'] - $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] - $couchdb_backup = $couchdb_config['backup'] + $couchdb_backup = $couchdb_config['backup'] - $bigcouch_config = $couchdb_config['bigcouch'] - $bigcouch_cookie = $bigcouch_config['cookie'] + $bigcouch_config = $couchdb_config['bigcouch'] + $bigcouch_cookie = $bigcouch_config['cookie'] - $ednp_port = $bigcouch_config['ednp_port'] + $ednp_port = $bigcouch_config['ednp_port'] class { 'couchdb': bigcouch => true, -- cgit v1.2.3 From bf563b722126c0e6ae1d8f2f830be03e006664a1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Nov 2013 12:10:52 -0500 Subject: setup customer couchdb database Change-Id: Ic0e9f5f6a1f28d865d7757a9de0d9399a6a9a5e3 Conflicts: puppet/modules/site_couchdb/manifests/init.pp --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 7 +++++++ puppet/modules/site_couchdb/manifests/init.pp | 13 ++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f53597e7..f206fddb 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -2,6 +2,13 @@ class site_couchdb::create_dbs { # Couchdb databases + ### customer database + ### r/w: webapp, + couchdb::create_db { 'customer': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + ## identities database ## r: nickserver, leap_mx - needs to be restrict with design document ## r/w: webapp diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1933f01b..ad0c996a 100644 
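Review bot: The new `customer` block in create_dbs.pp is commented with `###` and a dangling comma (`### r/w: webapp,`) while every sibling block uses `##` and a complete list. Suggest `## customer database` and `## r/w: webapp` to match. In the init.pp hunk above, the functional change (the nickserver lookups) is buried in a whitespace realignment of the whole block; splitting the realignment into its own commit would make the lookup addition reviewable on its own.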
--- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -70,14 +70,13 @@ class site_couchdb { # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without # passing credentials) - file { '/root/.netrc': - ensure => link, - target => '/etc/couchdb/couchdb.netrc', - require => Couchdb::Query::Setup['localhost'] - } + file { + '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc'; - file { '/srv/leap/couchdb': - ensure => directory + '/srv/leap/couchdb': + ensure => directory } couchdb::query::setup { 'localhost': -- cgit v1.2.3 From 7f59d8c7f5a41125c17271b1cd55118dafa52151 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 09:54:37 -0500 Subject: remove admin access from webapp Change-Id: Ib2ce0d38a8e4dd30ae6842bfb5579d9c3dd10f18 --- .../site_webapp/files/migrate_design_documents | 16 ---------------- puppet/modules/site_webapp/manifests/couchdb.pp | 22 ---------------------- puppet/modules/site_webapp/manifests/init.pp | 6 ++++-- .../site_webapp/templates/couchdb.yml.admin.erb | 9 --------- 4 files changed, 4 insertions(+), 49 deletions(-) delete mode 100644 puppet/modules/site_webapp/files/migrate_design_documents delete mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.admin.erb diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents deleted file mode 100644 index 6e24aa5b..00000000 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ /dev/null 
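Review bot: The `/root/.netrc` symlink loses its `require => Couchdb::Query::Setup['localhost']` when it is folded into the combined `file { ... }` resource, and nothing in the hunk replaces that ordering. If the setup resource is what produces `/etc/couchdb/couchdb.netrc`, the link can now be created before its target exists; if the ordering was intentional, restore it on the `.netrc` entry as `require => Couchdb::Query::Setup['localhost'];`. The commit message is about the customer database, so this looks like an accidental drop during the noted conflict resolution rather than a deliberate change.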
@@ -1,16 +0,0 @@ -#!/bin/sh - -cd /srv/leap/webapp - -# use admin credentials -cp config/couchdb.yml.admin config/couchdb.yml -chown leap-webapp:leap-webapp config/couchdb.yml - -# needs to be run twice -RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate -RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate - -# use user credentials and remove admin credentials -cp config/couchdb.yml.webapp config/couchdb.yml -chown leap-webapp:leap-webapp config/couchdb.yml - diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 5a5cccad..7f6ebbc6 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -4,8 +4,6 @@ class site_webapp::couchdb { # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' $couchdb_port = '4096' - $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] - $couchdb_admin_password = $webapp['couchdb_admin_user']['password'] $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] @@ -16,13 +14,6 @@ class site_webapp::couchdb { include x509::variables file { - '/srv/leap/webapp/config/couchdb.yml.admin': - content => template('site_webapp/couchdb.yml.admin.erb'), - owner => leap-webapp, - group => leap-webapp, - mode => '0600', - require => Vcsrepo['/srv/leap/webapp']; - '/srv/leap/webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, 
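Review bot: Removing the `file` entry for `/srv/leap/webapp/config/couchdb.yml.admin` from the `file {` block stops Puppet from managing it but does not delete the copy already rendered on deployed webapp nodes, so the admin username and password written by the old template remain on disk after this commit. Replace the dropped entry with `'/srv/leap/webapp/config/couchdb.yml.admin': ensure => absent;` (and likewise for `/usr/local/sbin/migrate_design_documents`, removed in the following hunk) for at least one release so the stale credential file is actually purged. A short comment on those `absent` entries saying why they exist would stop someone from cleaning them up prematurely.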
@@ -43,23 +34,10 @@ class site_webapp::couchdb { group => leap-webapp, mode => '0666', require => Vcsrepo['/srv/leap/webapp']; - - '/usr/local/sbin/migrate_design_documents': - source => 'puppet:///modules/site_webapp/migrate_design_documents', - owner => root, - group => root, - mode => '0744'; } include site_stunnel - exec { 'migrate_design_documents': - cwd => '/srv/leap/webapp', - command => '/usr/local/sbin/migrate_design_documents', - require => Exec['bundler_update'], - notify => Service['apache']; - } - $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, 'client' => true, diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index cb94d328..ae644287 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -65,9 +65,11 @@ class site_webapp { } # - # NOTE: in order to support a webapp that is running on a subpath and not the root of the domain - # assets:precompile needs to be run with RAILS_RELATIVE_URL_ROOT=/application-root + # NOTE: in order to support a webapp that is running on a subpath and not the + # root of the domain assets:precompile needs to be run with + # RAILS_RELATIVE_URL_ROOT=/application-root # + exec { 'compile_assets': cwd => '/srv/leap/webapp', command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb deleted file mode 100644 index a0921add..00000000 --- a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb +++ /dev/null @@ -1,9 +0,0 @@ -production: - prefix: "" - protocol: 'http' - host: <%= @couchdb_host %> - port: <%= @couchdb_port %> - auto_update_design_doc: false - username: <%= @couchdb_admin_user %> - password: <%= @couchdb_admin_password %> - -- cgit v1.2.3 From 6d3f584bb2b1ff63cd3a1973585807d283fc9041 Mon Sep 17 00:00:00 2001 
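Review bot: With `Exec['migrate_design_documents']` removed, nothing left in this class copies `couchdb.yml.webapp` into `config/couchdb.yml` — the deleted script was the only visible writer of that file — so the credentials the webapp actually reads now depend on something outside this hunk. The resource whose attributes appear as context here (`group => leap-webapp, mode => '0666'`; its title is above the hunk) is world-writable, and if, as the deleted script suggests, that is `config/couchdb.yml`, any local account could substitute the CouchDB host or credentials the webapp connects with. Manage it directly with `content => template('site_webapp/couchdb.yml.erb')` and `mode => '0600'`, which also makes the separate `couchdb.yml.webapp` copy unnecessary.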
From: Micah Anderson Date: Thu, 28 Nov 2013 10:02:07 -0500 Subject: remove unnecessary soledad/leap_mx hiera password variables from tapicero Change-Id: I17827fb88db9de088f638899433f5df1be9c3615 --- puppet/modules/tapicero/manifests/init.pp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index fe33ac75..743e8a84 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -9,11 +9,8 @@ class tapicero { $couchdb_admin_user = $couchdb_users['admin']['username'] $couchdb_admin_password = $couchdb_users['admin']['password'] - $couchdb_soledad_user = $couchdb_users['soledad']['username'] - $couchdb_soledad_password = $couchdb_users['soledad']['password'] - - $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] - $couchdb_leap_mx_password = $couchdb_users['leap_mx']['password'] + $couchdb_soledad_user = $couchdb_users['soledad']['username'] + $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] Class['site_config::default'] -> Class['tapicero'] -- cgit v1.2.3 From 82f0c979bb91912518db3111b714f61cbe21e7df Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:02:26 -0500 Subject: remove admin access from soledad Change-Id: I7c516c6a4ba26d2c5cebe19a9bff66eae3bd430f --- provider_base/services/soledad.json | 1 - puppet/modules/soledad/manifests/server.pp | 18 ++++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index 6b41c128..dc12454b 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json @@ -1,7 +1,6 @@ { "soledad": { "port": 2323, - "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "require_couchdb": "=> assert %(services.include? 'couchdb')" }, "service_type": "public_service" 
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 6ccd934a..339030fc 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -3,19 +3,21 @@ class soledad::server { include soledad include site_apt::preferences::twisted - $couchdb = hiera('soledad') - $couchdb_host = 'localhost' - $couchdb_port = '5984' - $couchdb_user = $couchdb['couchdb_admin_user']['username'] - $couchdb_password = $couchdb['couchdb_admin_user']['password'] + $couchdb = hiera('couch') + $couchdb_users = $couchdb['users'] + $couchdb_user = $couchdb_users['soledad']['username'] + $couchdb_password = $couchdb_users['soledad']['password'] - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca + $couchdb_host = 'localhost' + $couchdb_port = '5984' $soledad = hiera('soledad') $soledad_port = $soledad['port'] + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + # # SOLEDAD CONFIG # -- cgit v1.2.3 From c42879b031a8363e0ad575550c0fd36b269e9e28 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:05:28 -0500 Subject: remove admin access from leap_mx Change-Id: I0bbe42677d7680c99bf205ed4f6080026b308d77 --- puppet/modules/leap_mx/manifests/init.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 25b2758f..0d05a834 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp 
@@ -1,10 +1,11 @@ class leap_mx { - $couchdb_admin_user = hiera('couchdb_admin_user') - $couchdb_host = 'localhost' + $couchdb = hiera('couch') + $couchdb_users = $couchdb['users'] + $couchdb_user = $couchdb_users['leap_mx']['username'] + $couchdb_password = $couchdb_users['leap_mx']['password'] + $couchdb_port = '4096' - $couchdb_user = $couchdb_admin_user['username'] - $couchdb_password = $couchdb_admin_user['password'] include soledad::common include site_apt::preferences::twisted -- cgit v1.2.3 From bba78a580f7c859d3d0d726e291ad628d7e835d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:31:49 -0500 Subject: remove admin access from nickserver Change-Id: If7fff4c2b839cef5807ee8cee1355aea4dc719a8 --- provider_base/services/webapp.json | 3 +-- puppet/modules/site_nickserver/manifests/init.pp | 10 +++++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 392375ff..ba140baf 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -36,8 +36,7 @@ }, "nickserver": { "domain": "= 'nicknym.' + domain.full_suffix", - "port": 6425, - "couchdb_user": "= global.services[:couchdb].couch.users[:admin]" + "port": 6425 }, "dns": { "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]" diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 81482a55..bedef74d 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp 
@@ -20,14 +20,18 @@ class site_nickserver { # $nickserver = hiera('nickserver') + $nickserver_domain = $nickserver['domain'] + + $couchdb = hiera('couch') + $couchdb_users = $couchdb['users'] + $couchdb_user = $couchdb_users['nickserver']['username'] + $couchdb_password = $couchdb_users['nickserver']['password'] + # the port that public connects to (should be 6425) $nickserver_port = $nickserver['port'] # the port that nickserver is actually running on $nickserver_local_port = '64250' - $nickserver_domain = $nickserver['domain'] - $couchdb_user = $nickserver['couchdb_user']['username'] - $couchdb_password = $nickserver['couchdb_user']['password'] # couchdb is available on localhost via haproxy, which is bound to 4096. $couchdb_host = 'localhost' # See site_webapp/templates/haproxy_couchdb.cfg.erg -- cgit v1.2.3 From 0ee2115516eb8b79ad6ff8711b860d9da60e0f2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 11:03:20 -0500 Subject: remove duplicate couchdb design document json files Change-Id: I5b3d073aec0522cf464ff41905be1ee326f13197 --- .../site_couchdb/files/designs/customers.json | 18 -------- .../site_couchdb/files/designs/identities.json | 28 ------------ .../site_couchdb/files/designs/sessions.json | 8 ---- .../site_couchdb/files/designs/tickets.json | 50 ---------------------- .../modules/site_couchdb/files/designs/tokens.json | 14 ------ .../modules/site_couchdb/files/designs/users.json | 26 ----------- 6 files changed, 144 deletions(-) delete mode 100644 puppet/modules/site_couchdb/files/designs/customers.json delete mode 100644 puppet/modules/site_couchdb/files/designs/identities.json delete mode 100644 puppet/modules/site_couchdb/files/designs/sessions.json delete mode 100644 puppet/modules/site_couchdb/files/designs/tickets.json delete mode 100644 puppet/modules/site_couchdb/files/designs/tokens.json delete mode 100644 puppet/modules/site_couchdb/files/designs/users.json 
diff --git a/puppet/modules/site_couchdb/files/designs/customers.json b/puppet/modules/site_couchdb/files/designs/customers.json deleted file mode 100644 index 1b4bbddd..00000000 --- a/puppet/modules/site_couchdb/files/designs/customers.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "_id": "_design/Customer", - "language": "javascript", - "views": { - "by_user_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_braintree_customer_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['braintree_customer_id'] != null)) {\n emit(doc['braintree_customer_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Customer') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "688c401ec0230b75625c176a88fc4a02" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/identities.json b/puppet/modules/site_couchdb/files/designs/identities.json deleted file mode 100644 index 8cf8c39b..00000000 --- a/puppet/modules/site_couchdb/files/designs/identities.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "_id": "_design/Identity", - "language": "javascript", - "views": { - "by_user_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_address_and_destination": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_address": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "pgp_key_by_email": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" - }, - "disabled": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/sessions.json b/puppet/modules/site_couchdb/files/designs/sessions.json deleted file mode 100644 index 70202780..00000000 --- a/puppet/modules/site_couchdb/files/designs/sessions.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "views": { - "by_expires": { - "reduce": "_sum", - "map": "function(doc) {\n if(typeof doc.expires !== \"undefined\") {\n emit(doc.expires, 1);\n }\n}\n" - } - } -} diff --git a/puppet/modules/site_couchdb/files/designs/tickets.json b/puppet/modules/site_couchdb/files/designs/tickets.json deleted file mode 100644 index 2c9408b8..00000000 --- a/puppet/modules/site_couchdb/files/designs/tickets.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "_id": "_design/Ticket", - "language": "javascript", - "views": { - "by_updated_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_created_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_created_by": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_by'] != null)) {\n emit(doc['created_by'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_is_open_and_created_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['created_at'] != null)) {\n emit([doc['is_open'], doc['created_at']], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_is_open_and_updated_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_includes_post_by_and_is_open_and_created_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_is_open_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return 
sum(values); }" - }, - "by_includes_post_by_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by": { - "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_created_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tokens.json b/puppet/modules/site_couchdb/files/designs/tokens.json deleted file mode 100644 index b9025f15..00000000 --- a/puppet/modules/site_couchdb/files/designs/tokens.json +++ /dev/null 
@@ -1,14 +0,0 @@ -{ - "_id": "_design/Token", - "language": "javascript", - "views": { - "by_last_seen_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Token') && (doc['last_seen_at'] != null)) {\n emit(doc['last_seen_at'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Token') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "541dd924551c42a2317b345effbe65cc" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users.json b/puppet/modules/site_couchdb/files/designs/users.json deleted file mode 100644 index c500822b..00000000 --- a/puppet/modules/site_couchdb/files/designs/users.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "_id": "_design/User", - "language": "javascript", - "views": { - "by_login": { - "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['login'] != null)) {\n emit(doc['login'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" - }, - "by_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_login_or_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_created_at": { - "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", - "reduce": "_sum" - } - }, - "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" -} \ No newline at end of file -- cgit v1.2.3 From a241d230f01ac2c89405f4ef12f5d27bdedf1543 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 28 Nov 2013 11:52:16 -0500 Subject: remove nickserver admin user, and fix nickserver couchdb hiera variables Change-Id: I5bdb6b946becdc95cadc92651c06e66b826e2698 --- provider_base/services/webapp.json | 2 +- puppet/modules/site_nickserver/manifests/init.pp | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ba140baf..ca7e7309 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -2,7 +2,6 @@ "webapp": { "admins": [], "modules": ["user", "billing", "help"], - "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "customization_dir": "= file_path 'webapp'", "client_certificates": "= global.provider.ca.client_certificates", @@ -36,6 +35,7 @@ }, "nickserver": { "domain": "= 'nicknym.' + domain.full_suffix", + "couchdb_nickserver_user": "= global.services[:couchdb].couch.users[:nickserver]", "port": 6425 }, "dns": { diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index bedef74d..e1b911c1 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -21,11 +21,8 @@ class site_nickserver { $nickserver = hiera('nickserver') $nickserver_domain = $nickserver['domain'] - - $couchdb = hiera('couch') - $couchdb_users = $couchdb['users'] - $couchdb_user = $couchdb_users['nickserver']['username'] - $couchdb_password = $couchdb_users['nickserver']['password'] + $couchdb_user = $nickserver['couchdb_nickserver_user']['username'] + $couchdb_password = $nickserver['couchdb_nickserver_user']['password'] # the port that public connects to (should be 6425) $nickserver_port = $nickserver['port'] -- cgit v1.2.3 From 408621e4b57b9df1d67fa32eba8d15b83b8d1fd4 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 28 Nov 2013 11:52:31 -0500 Subject: remove leap_mx admin user and fix leap_mx couchdb hiera variables Change-Id: I052576279d8a47313cd99412fdd7b715daa73374 --- provider_base/services/mx.json | 2 +- puppet/modules/leap_mx/manifests/init.pp | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 7b0aa57b..9d0ee532 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -5,7 +5,7 @@ "haproxy": { "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" }, - "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", + "couchdb_leap_mx_user": "= global.services[:couchdb].couch.users[:leap_mx]", "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 0d05a834..d1625f5a 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -1,9 +1,8 @@ class leap_mx { - $couchdb = hiera('couch') - $couchdb_users = $couchdb['users'] - $couchdb_user = $couchdb_users['leap_mx']['username'] - $couchdb_password = $couchdb_users['leap_mx']['password'] + $mx = hiera('mx') + $couchdb_user = $mx['couchdb_leap_mx_user']['username'] + $couchdb_password = $mx['couchdb_leap_mx_password']['password'] $couchdb_port = '4096' -- cgit v1.2.3 From 76c3048a15719bc1dd15287fd3406e94d40684ab Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 12:00:50 -0500 Subject: fix soledad couchdb hiera variables Change-Id: I0882fc993b407eddc40c03838050d42c0443bd3d --- provider_base/services/soledad.json | 1 + puppet/modules/leap_mx/manifests/init.pp | 6 +++--- puppet/modules/soledad/manifests/server.pp | 7 +++---- 3 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index dc12454b..9c8567b8 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json @@ -3,5 +3,6 @@ "port": 2323, "require_couchdb": "=> assert %(services.include? 'couchdb')" }, + "couchdb_soledad_user": "= global.services[:couchdb].couch.users[:soledad]", "service_type": "public_service" } diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index d1625f5a..e0c3660b 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -1,8 +1,8 @@ class leap_mx { - $mx = hiera('mx') - $couchdb_user = $mx['couchdb_leap_mx_user']['username'] - $couchdb_password = $mx['couchdb_leap_mx_password']['password'] + $leap_mx = hiera('couchdb_leap_mx_user') + $couchdb_user = $leap_mx['username'] + $couchdb_password = $leap_mx['password'] $couchdb_port = '4096' diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 339030fc..d4991fe6 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -3,10 +3,9 @@ class soledad::server { include soledad include site_apt::preferences::twisted - $couchdb = hiera('couch') - $couchdb_users = $couchdb['users'] - $couchdb_user = $couchdb_users['soledad']['username'] - $couchdb_password = $couchdb_users['soledad']['password'] + $soledad = hiera('soledad') + $couchdb_user = $soledad['couchdb_soledad_user']['username'] + $couchdb_password = $soledad['couchdb_soledad_password']['password'] $couchdb_host = 'localhost' $couchdb_port = '5984' -- cgit v1.2.3 From 81ff8e2b6aaebae35098357146958a8011af85fe Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 28 Nov 2013 11:56:38 -0500 Subject: fix cwd in webapp cronjobs Change-Id: I2e189bf5e209c731077539a57f9b334ac66cd25b --- puppet/modules/site_webapp/manifests/cron.pp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp index be997103..811ad11d 100644 --- a/puppet/modules/site_webapp/manifests/cron.pp +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -3,15 +3,13 @@ class site_webapp::cron { # cron tasks that need to be performed to cleanup the database cron { 'remove_expired_sessions': - command => 'bundle exec rake cleanup:sessions', - cwd => '/srv/leap/webapp', + command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', environment => 'RAILS_ENV=production', hour => 2, minute => 30; 'remove_expired_tokens': - command => 'bundle exec rake cleanup:tokens', - cwd => '/srv/leap/webapp', + command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', environment => 'RAILS_ENV=production', hour => 3, minute => 0; -- cgit v1.2.3 From b62056da276abb8eb6ef6d6c883c5d20da2017d8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 12:25:36 -0500 Subject: fix soledad couchdb hiera variables, part ii Change-Id: Ie0028056767358c4fe6796edd5ba4435e86a0cb3 --- provider_base/services/soledad.json | 4 ++-- puppet/modules/soledad/manifests/server.pp | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index 9c8567b8..fc349ce1 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json 
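Review bot: Both new `command` strings resolve `bundle` through cron's minimal default PATH, whereas the other webapp manifests in this series call it by absolute path (the `compile_assets` exec uses `/usr/bin/bundle exec rake assets:precompile`); use `command => 'cd /srv/leap/webapp && /usr/bin/bundle exec rake cleanup:sessions'` and the same for `cleanup:tokens`. Neither cron entry carries a `user` attribute, so Puppet's default applies and both rake tasks run as root; if the cleanup tasks only need the webapp's own CouchDB credentials, add `user => 'leap-webapp'` to each entry. The `cd ... &&` form is correct since the `cron` type has no `cwd` attribute, and a one-line comment saying so would explain the change to the next reader.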
@@ -1,8 +1,8 @@ { "soledad": { "port": 2323, - "require_couchdb": "=> assert %(services.include? 'couchdb')" + "require_couchdb": "=> assert %(services.include? 'couchdb')", + "couchdb_soledad_user": "= global.services[:couchdb].couch.users[:soledad]" }, - "couchdb_soledad_user": "= global.services[:couchdb].couch.users[:soledad]", "service_type": "public_service" } diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index d4991fe6..572cad44 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -5,12 +5,11 @@ class soledad::server { $soledad = hiera('soledad') $couchdb_user = $soledad['couchdb_soledad_user']['username'] - $couchdb_password = $soledad['couchdb_soledad_password']['password'] + $couchdb_password = $soledad['couchdb_soledad_user']['password'] $couchdb_host = 'localhost' $couchdb_port = '5984' - $soledad = hiera('soledad') $soledad_port = $soledad['port'] include site_config::x509::cert -- cgit v1.2.3 From 79c97caa49ca43585fa638f1aa32cacbd94d06f0 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Thu, 5 Dec 2013 09:19:28 +0100 Subject: updated sshd submodule, see #4423 --- puppet/modules/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/sshd b/puppet/modules/sshd index bd2e283a..1eabfe1b 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit bd2e283ab59430a7b3194804f1c8da7a9b58f8ff +Subproject commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6 -- cgit v1.2.3 From b3542ab1f8a80e5674bbf367f3345a71f30cd0db Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 25 Nov 2013 00:42:46 -0800 Subject: initial test framework --- bin/run_tests | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/dummy.rb | 44 +++++++++++++++++ 2 files changed, 191 insertions(+) create mode 100755 bin/run_tests create mode 100644 tests/dummy.rb 
diff --git a/bin/run_tests b/bin/run_tests new file mode 100755 index 00000000..19a58784 --- /dev/null +++ b/bin/run_tests 
@@ -0,0 +1,147 @@ +#!/usr/bin/ruby + +require 'minitest/unit' +require 'yaml' + +## +## CUSTOM TEST CLASSES +## + +class SkipTest < Exception +end + +# +# Our custom unit test class. All tests should be subclasses of this. +# +class LeapTest < MiniTest::Unit::TestCase + class Pass < MiniTest::Assertion + end + + # + # The default pass just does an `assert true`. In our case, we want to make the passes more explicit. + # + def pass + raise LeapTest::Pass + end + + # + # Always runs tests in alphanumeric order + # + def self.test_order + :alpha + end +end + +# +# Custom test runner in order to modify the output. +# +class LeapRunner < MiniTest::Unit + + attr_accessor :passes + + def initialize + @passes = 0 + super + end + + # + # call stack: + # MiniTest::Unit.new.run + # MiniTest::Unit.runner + # LeapTest._run + # + def _run args = [] + suites = LeapTest.send "test_suites" + output.sync = true + results = _run_suites suites, :test + @test_count = results.inject(0) { |sum, (tc, _)| sum + tc } + @assertion_count = results.inject(0) { |sum, (_, ac)| sum + ac } + report.each_with_index do |msg, i| + puts "%s" % msg + end + status + # return failures + errors if @test_count > 0 # or return nil... + rescue Interrupt + abort 'Interrupted' + end + + # + # override puke to change what prints out. 
+ # + def puke(klass, meth, e) + e = case e + when MiniTest::Skip then + @skips += 1 + #if @verbose + report_line("SKIP", klass, meth, e, e.message) + #end + when LeapTest::Pass then + @passes += 1 + report_line("PASS", klass, meth) + when MiniTest::Assertion then + @failures += 1 + report_line("FAIL", klass, meth, e, e.message) + else + @errors += 1 + bt = MiniTest::filter_backtrace(e.backtrace).join "\n" + report_line("ERROR", klass, meth, e, "#{e.class}: #{e.message}\n#{bt}") + end + @report << e + return "" # disable the marching ants + end + + # + # override default status slightly + # + def status(io = self.output) + format = "%d tests, %d assertions, %d passes, %d failures, %d errors, %d skips" + io.puts format % [test_count, assertion_count, passes, failures, errors, skips] + end + + private + + # + # returns a string for a PASS, SKIP, or FAIL error + # + def report_line(prefix, klass, meth, e=nil, message=nil) + if e && message + #indent = "\n" + (" " * (prefix.length+4)) + indent = "\n " + msg_txt = indent + message.split("\n").join(indent) + "#{prefix}: #{readable(klass.name)} > #{readable(meth)} [#{File.basename(location(e))}]:#{msg_txt}\n" + else + "#{prefix}: #{readable(klass.name)} > #{readable(meth)}\n" + end + end + + # + # Converts snake_case and CamelCase to something more pleasant for humans to read. + # + def readable(str) + str.gsub(/([A-Z]+)([A-Z][a-z])/, '\1 \2'). + gsub(/([a-z])([A-Z])/, '\1 \2'). + gsub(/_/, ' '). + sub(/^test /i, ''). + downcase + end +end + +## +## RUN THE TESTS +## + +if File.exists?('/etc/leap/hiera.yaml') + $node = YAML.load_file('/etc/leap/hiera.yaml') +else + $node = {"services" => [], "dummy" => true} +end + +Dir[File.expand_path('../../tests/*.rb', __FILE__)].each do |test_file| + begin + require test_file + rescue SkipTest + end +end + +MiniTest::Unit.runner = LeapRunner.new +MiniTest::Unit.new.run diff --git a/tests/dummy.rb b/tests/dummy.rb new file mode 100644 index 00000000..e7964a6c --- /dev/null 
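Review bot: `File.exists?` in the hiera check near the end of the file is the deprecated alias; use `if File.exist?('/etc/leap/hiera.yaml')`. `$node` then holds the node's entire hiera document, which on this platform carries service credentials (the `couchdb_webapp_user` password is threaded through `webapp.json` earlier in this series), and `puke` prints `e.message` plus a filtered backtrace for every ERROR, so any test that interpolates `$node` values into an assertion message or exception would write those secrets to the console or log. A comment on the `$node` assignment along the lines of `# NOTE: $node is the node's full hiera data, including secrets -- never put its values in failure messages` would make that constraint visible to test authors.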
+++ b/tests/dummy.rb @@ -0,0 +1,44 @@ +# only run in the dummy case where there is no hiera.yaml file. +raise SkipTest unless $node["dummy"] + +class Robot + def can_shoot_lasers? + "OHAI!" + end + + def can_fly? + "YES!" + end +end + +class TestDummy < LeapTest + def setup + @robot = Robot.new + end + + def test_lasers + assert_equal "OHAI!", @robot.can_shoot_lasers? + pass + end + + def test_fly + refute_match /^no/i, @robot.can_fly? + pass + end + + def test_blah + assert false + pass + end + + def test_that_will_be_skipped + skip "test this later" + pass + end + + def test_err + 12/0 + pass + end + +end -- cgit v1.2.3 From e23dc7849d1118ed2dfe7f37a6109ffbeefa959c Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 6 Dec 2013 14:59:54 -0800 Subject: added test dependencies and test halting. --- bin/run_tests | 119 ++++++++++++++++++++++++++++++++++++++++++++++++------- tests/network.rb | 12 ++++++ tests/webapp.rb | 13 ++++++ 3 files changed, 129 insertions(+), 15 deletions(-) create mode 100644 tests/network.rb create mode 100644 tests/webapp.rb diff --git a/bin/run_tests b/bin/run_tests index 19a58784..91c742c5 100755 --- a/bin/run_tests +++ b/bin/run_tests 
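Review bot: `refute_match /^no/i, @robot.can_fly?` in `test_fly` passes a regex literal as an unparenthesized first argument, which Ruby parses with an "ambiguous first argument" warning under `-w`; write it as `refute_match(/^no/i, @robot.can_fly?)`. The file also relies on `$node` having been assigned by `bin/run_tests` before the `require`, which the top-of-file `raise SkipTest unless $node["dummy"]` would otherwise turn into a NoMethodError on nil; a comment such as `# $node is populated by bin/run_tests before this file is required` would document that contract.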
@@ -1,15 +1,40 @@ #!/usr/bin/ruby +# +# this script will run the unit tests in ../tests/*.rb. +# +# Tests for the platform differ from traditional ruby unit tests in a few ways: +# +# (1) at the end of every test function, you should call 'pass()' +# (2) you can specify test dependencies by calling depends_on("TestFirst") in the test class definition. +# (3) test functions are always run in alphabetical order. +# (4) any halt or error will stop the testing unless --continue is specified. +# + require 'minitest/unit' require 'yaml' +require 'tsort' ## -## CUSTOM TEST CLASSES +## EXCEPTIONS ## +# this class is raised if a test file wants to be skipped entirely. class SkipTest < Exception end +# raised if --no-continue and there is an error +class TestError < Exception +end + +# raised if --no-continue and there is a failure +class TestFailure < Exception +end + +## +## CUSTOM UNIT TEST CLASS +## + # # Our custom unit test class. All tests should be subclasses of this. # @@ -17,6 +42,17 @@ class LeapTest < MiniTest::Unit::TestCase class Pass < MiniTest::Assertion end + # + # Test class dependencies + # + def self.depends_on(*class_names) + @dependencies ||= [] + @dependencies += class_names + end + def self.dependencies + @dependencies || [] + end + # # The default pass just does an `assert true`. In our case, we want to make the passes more explicit. # @@ -25,7 +61,7 @@ class LeapTest < MiniTest::Unit::TestCase end # - # Always runs tests in alphanumeric order + # Always runs test methods within a test class in alphanumeric order # def self.test_order :alpha 
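Review bot: `depends_on` (hunk @@ -17,6 +42,17 @@) is documented only as "Test class dependencies", which leaves open whether a failing dependency suppresses the classes that depend on it; from the runner added in this commit it appears to influence run order only, and with --continue a dependent class still runs after its dependency failed. I would say so on the method: `# Declares test classes that must run before this one. Only affects ordering; a failed or skipped dependency does not skip this class.`. Item (1) of the new header comment could likewise state why `pass()` is mandatory, since the runner counts a pass only when `LeapTest::Pass` is raised and a method that simply returns is not counted: `# (1) ... pass() raises LeapTest::Pass so the runner can count the test; a method that returns without it is not counted as passed.`.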
@@ -53,40 +89,50 @@ class LeapRunner < MiniTest::Unit def _run args = [] suites = LeapTest.send "test_suites" output.sync = true - results = _run_suites suites, :test + suites = TestDependencyGraph.new(suites).sorted + results = _run_suites(suites, :test) @test_count = results.inject(0) { |sum, (tc, _)| sum + tc } @assertion_count = results.inject(0) { |sum, (_, ac)| sum + ac } - report.each_with_index do |msg, i| - puts "%s" % msg - end + report.each {|msg| output.puts msg} status - # return failures + errors if @test_count > 0 # or return nil... rescue Interrupt - abort 'Interrupted' + report.each {|msg| output.puts msg} + abort 'Tests halted on interrupt.' + rescue TestFailure + report.each {|msg| output.puts msg} + abort 'Tests halted on failure (because of --no-continue).' + rescue TestError + report.each {|msg| output.puts msg} + abort 'Tests halted on error (because of --no-continue).' end # # override puke to change what prints out. # def puke(klass, meth, e) - e = case e + case e when MiniTest::Skip then @skips += 1 #if @verbose - report_line("SKIP", klass, meth, e, e.message) + @report << report_line("SKIP", klass, meth, e, e.message) #end when LeapTest::Pass then @passes += 1 - report_line("PASS", klass, meth) + @report << report_line("PASS", klass, meth) when MiniTest::Assertion then @failures += 1 - report_line("FAIL", klass, meth, e, e.message) + @report << report_line("FAIL", klass, meth, e, e.message) + if $halt_on_failure + raise TestFailure.new + end else @errors += 1 bt = MiniTest::filter_backtrace(e.backtrace).join "\n" - report_line("ERROR", klass, meth, e, "#{e.class}: #{e.message}\n#{bt}") + @report << report_line("ERROR", klass, meth, e, "#{e.class}: #{e.message}\n#{bt}") + if $halt_on_failure + raise TestError.new + end end - @report << e return "" # disable the marching ants end 
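Review bot: The two new `abort` messages in `_run` tell the user halting happened "because of --no-continue", but the option parser added in this commit defines only `--continue`, and halting is the default, so the hint names a flag that does not exist. Suggest `abort 'Tests halted on failure (pass --continue to keep going).'` and the same wording for the error branch. Separately, `$halt_on_failure` also drives the ERROR branch of `puke`; either rename it (e.g. `$halt_on_failure_or_error`) or add a one-line comment where it is set saying it covers both, so nobody later "fixes" the error branch to ignore it.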
@@ -126,16 +172,49 @@ class LeapRunner < MiniTest::Unit end end +## +## Dependency resolution +## Use a topographical sort to manage test dependencies +## + +class TestDependencyGraph + include TSort + + def initialize(test_classes) + @dependencies = {} # each key is a test class name, and the values + # are arrays of test class names that the key depends on. + test_classes.each do |test_class| + @dependencies[test_class.name] = test_class.dependencies + end + end + + def tsort_each_node(&block) + @dependencies.each_key(&block) + end + + def tsort_each_child(test_class_name, &block) + @dependencies[test_class_name].each(&block) + end + + def sorted + self.tsort.collect {|class_name| + Kernel.const_get(class_name) + } + end +end + ## ## RUN THE TESTS ## +# load node data from hiera file if File.exists?('/etc/leap/hiera.yaml') $node = YAML.load_file('/etc/leap/hiera.yaml') else - $node = {"services" => [], "dummy" => true} + $node = {"services" => ['webapp'], "dummy" => true} end +# load all test classes Dir[File.expand_path('../../tests/*.rb', __FILE__)].each do |test_file| begin require test_file @@ -143,5 +222,15 @@ Dir[File.expand_path('../../tests/*.rb', __FILE__)].each do |test_file| end end +# parse command line options +$halt_on_failure = true +loop do + case ARGV[0] + when '--continue' then ARGV.shift; $halt_on_failure = false + else break + end +end + +# run some tests already MiniTest::Unit.runner = LeapRunner.new MiniTest::Unit.new.run diff --git a/tests/network.rb b/tests/network.rb new file mode 100644 index 00000000..115d356a --- /dev/null +++ b/tests/network.rb @@ -0,0 +1,12 @@ +require File.dirname(__FILE__) + '/webapp' + +class TestNetwork < LeapTest + + def setup + end + + def test_test + pass + end + +end diff --git a/tests/webapp.rb b/tests/webapp.rb new file mode 100644 index 00000000..1762de9e --- /dev/null +++ b/tests/webapp.rb 
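Review bot: `tsort_each_child` in `TestDependencyGraph` does `@dependencies[test_class_name].each`, but TSort also calls it for the children it encounters, so a `depends_on` naming a class that was never defined — for instance because its file raised SkipTest, as the service-gated files in this series do — evaluates `nil.each` and the whole run dies with NoMethodError before `Kernel.const_get` is even reached. Treat unknown names as absent (or raise a clear error naming the missing dependency, if you prefer that) and drop them in `sorted`, as sketched below. The option loop further down silently ignores any argument it does not recognise, which hides typos such as `--continu`; for arguments beginning with `--` an `else abort "unknown option #{ARGV[0]}"` would be safer.
```ruby
  def tsort_each_child(test_class_name, &block)
    # a dependency may name a class whose file raised SkipTest and was never loaded
    (@dependencies[test_class_name] || []).each(&block)
  end

  def sorted
    self.tsort.select {|class_name| @dependencies.key?(class_name) }.
      collect {|class_name| Kernel.const_get(class_name) }
  end
```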
@@ -0,0 +1,13 @@ +raise SkipTest unless $node["services"].include?("webapp") + +class TestAWebapp < LeapTest + depends_on "TestNetwork" + + def setup + end + + def test_test + assert false, 'hey, stop here' + end + +end -- cgit v1.2.3 From 68328b6e15a38a74261ee46b06091b8e63f85499 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 9 Dec 2013 23:06:19 -0800 Subject: added initial white-box tests for couchdb and webapp nodes --- bin/run_tests | 101 ++++++++++++++++++++++++++++++++++++++------- tests/README.md | 12 ++++++ tests/dummy.rb | 44 -------------------- tests/network.rb | 12 ------ tests/webapp.rb | 13 ------ tests/white-box/couchdb.rb | 54 ++++++++++++++++++++++++ tests/white-box/dummy.rb | 44 ++++++++++++++++++++ tests/white-box/network.rb | 13 ++++++ tests/white-box/webapp.rb | 53 ++++++++++++++++++++++++ 9 files changed, 262 insertions(+), 84 deletions(-) create mode 100644 tests/README.md delete mode 100644 tests/dummy.rb delete mode 100644 tests/network.rb delete mode 100644 tests/webapp.rb create mode 100644 tests/white-box/couchdb.rb create mode 100644 tests/white-box/dummy.rb create mode 100644 tests/white-box/network.rb create mode 100644 tests/white-box/webapp.rb diff --git a/bin/run_tests b/bin/run_tests index 91c742c5..8c5fb492 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -14,6 +14,7 @@ require 'minitest/unit' require 'yaml' require 'tsort' +require 'net/http' ## ## EXCEPTIONS 
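Review bot: `raise SkipTest` at the top of tests/webapp.rb runs inside `require`, so when "webapp" is not among the node's services the exception propagates out of every file that requires this one — tests/network.rb in this same commit does `require File.dirname(__FILE__) + '/webapp'`, so TestNetwork would never be defined either, although it has no service condition of its own. The skip only behaves as intended right now because the dummy `$node` lists "webapp". Either drop the cross-file require (the `depends_on` mechanism already orders the classes) or move the service check into the class, e.g. a `setup` that calls `skip "webapp not enabled on this node"` unless the service is present.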
@@ -61,11 +62,84 @@ class LeapTest < MiniTest::Unit::TestCase end # + # the default fail() is part of the kernel and it just throws a runtime exception. for tests, + # we want the same behavior as assert(false) + # + def fail(msg=nil) + assert(false, msg) + end + # Always runs test methods within a test class in alphanumeric order # def self.test_order :alpha end + + # + # attempts a http GET on the url, yields |body, response, error| + # + def get(url, params=nil) + uri = URI(url) + if params + uri.query = URI.encode_www_form(params) + end + response = Net::HTTP.get_response(uri) + if response.is_a?(Net::HTTPSuccess) + yield response.body, response, nil + else + yield nil, response, nil + end + rescue => exc + yield nil, nil, exc + end + + def assert_get(url, params=nil) + get(url, params) do |body, response, error| + if body + yield body + elsif response + fail "Expected a 200 status code from #{url}, but got #{response.code} instead." + else + fail "Expected a response from #{url}, but got \"#{error}\" instead." + end + end + end + + # + # Matches the regexp in the file, and returns the first matched string (or fails if no match). + # + def file_match(filename, regexp) + if match = File.read(filename).match(regexp) + match.captures.first + else + fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." + end + end + + # + # Matches the regexp in the file, and returns array of matched strings (or fails if no match). + # + def file_matches(filename, regexp) + if match = File.read(filename).match(regexp) + match.captures + else + fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." + end + end + + # + # checks to make sure the given property path exists in $node (e.g. hiera.yaml) + # and returns the value + # + def assert_property(property) + latest = $node + property.split('.').each do |segment| + latest = latest[segment] + fail "Required node property `#{property}` is missing." if latest.nil? + end + return latest + end + end # 
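Review bot: `assert_get` interpolates the raw `url` into both of its failure messages, and the callers added later in this series build URLs of the form `http://admin:<password>@localhost:…`, so any failed request prints the couchdb admin password into the test output. Strip the userinfo before reporting, e.g. `shown = URI(url).tap {|u| u.userinfo = nil }.to_s`, and use `shown` in the two `fail` strings. Also, as far as I can tell `Net::HTTP.get_response(uri)` does not turn a URL's `user:pass@` part into an Authorization header, so if those requests are expected to authenticate, `get` needs to build the request itself; a sketch follows. Passing credentials as separate arguments (or reading them from the URI inside `get`) would also keep passwords containing `@`, `:` or `/` from corrupting the URL.
```ruby
  def get(url, params=nil)
    uri = URI(url)
    if params
      uri.query = URI.encode_www_form(params)
    end
    request = Net::HTTP::Get.new(uri.request_uri)
    request.basic_auth(uri.user, uri.password) if uri.user
    response = Net::HTTP.start(uri.host, uri.port) {|http| http.request(request) }
    # … unchanged: yield body/response/error and the rescue clause …
```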
@@ -93,16 +167,12 @@ class LeapRunner < MiniTest::Unit results = _run_suites(suites, :test) @test_count = results.inject(0) { |sum, (tc, _)| sum + tc } @assertion_count = results.inject(0) { |sum, (_, ac)| sum + ac } - report.each {|msg| output.puts msg} status rescue Interrupt - report.each {|msg| output.puts msg} abort 'Tests halted on interrupt.' rescue TestFailure - report.each {|msg| output.puts msg} abort 'Tests halted on failure (because of --no-continue).' rescue TestError - report.each {|msg| output.puts msg} abort 'Tests halted on error (because of --no-continue).' end @@ -114,21 +184,21 @@ class LeapRunner < MiniTest::Unit when MiniTest::Skip then @skips += 1 #if @verbose - @report << report_line("SKIP", klass, meth, e, e.message) + report_line("SKIP", klass, meth, e, e.message) #end when LeapTest::Pass then @passes += 1 @report << report_line("PASS", klass, meth) when MiniTest::Assertion then @failures += 1 - @report << report_line("FAIL", klass, meth, e, e.message) + report_line("FAIL", klass, meth, e, e.message) if $halt_on_failure raise TestFailure.new end else @errors += 1 bt = MiniTest::filter_backtrace(e.backtrace).join "\n" - @report << report_line("ERROR", klass, meth, e, "#{e.class}: #{e.message}\n#{bt}") + report_line("ERROR", klass, meth, e, "#{e.class}: #{e.message}\n#{bt}") if $halt_on_failure raise TestError.new end @@ -141,7 +211,7 @@ class LeapRunner < MiniTest::Unit # def status(io = self.output) format = "%d tests, %d assertions, %d passes, %d failures, %d errors, %d skips" - io.puts format % [test_count, assertion_count, passes, failures, errors, skips] + output.puts format % [test_count, assertion_count, passes, failures, errors, skips] end private 
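Review bot: After this change FAIL, SKIP and ERROR lines are printed directly by `report_line`, but the PASS branch of `puke` still does `@report << report_line("PASS", klass, meth)` while the `report.each {…}` printing in `_run` is removed, so `@report` now accumulates values nobody shows (and, with `report_line` ending in `sleep`, they are integers rather than strings). Make the PASS branch match the others: `report_line("PASS", klass, meth)`. In `status` the `io` parameter is now ignored in favour of `output`; either keep `io.puts` or drop the parameter so the signature does not promise something it no longer honours.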
@@ -151,13 +221,14 @@ class LeapRunner < MiniTest::Unit # def report_line(prefix, klass, meth, e=nil, message=nil) if e && message - #indent = "\n" + (" " * (prefix.length+4)) indent = "\n " msg_txt = indent + message.split("\n").join(indent) - "#{prefix}: #{readable(klass.name)} > #{readable(meth)} [#{File.basename(location(e))}]:#{msg_txt}\n" + output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)} [#{File.basename(location(e))}]:#{msg_txt}" else - "#{prefix}: #{readable(klass.name)} > #{readable(meth)}\n" + output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}" end + # I don't understand at all why, but adding a very tiny sleep here will + sleep(0.0001) # keep lines from being joined together by the logger. output.flush doesn't. end # @@ -167,8 +238,8 @@ class LeapRunner < MiniTest::Unit str.gsub(/([A-Z]+)([A-Z][a-z])/, '\1 \2'). gsub(/([a-z])([A-Z])/, '\1 \2'). gsub(/_/, ' '). - sub(/^test /i, ''). - downcase + sub(/^test (\d* )?/i, ''). + downcase.capitalize end end @@ -211,11 +282,11 @@ end if File.exists?('/etc/leap/hiera.yaml') $node = YAML.load_file('/etc/leap/hiera.yaml') else - $node = {"services" => ['webapp'], "dummy" => true} + $node = {"services" => [], "dummy" => true} end # load all test classes -Dir[File.expand_path('../../tests/*.rb', __FILE__)].each do |test_file| +Dir[File.expand_path('../../tests/white-box/*.rb', __FILE__)].each do |test_file| begin require test_file rescue SkipTest diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 00000000..debbf700 --- /dev/null +++ b/tests/README.md 
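Review bot: The `sleep(0.0001)` added to `report_line` is a workaround for a symptom whose cause the comment itself says is unknown, and nothing records where the joined lines were observed, so the next reader cannot tell whether it is still needed. Mark it so it gets revisited rather than copied: `# FIXME: work-around for report lines being run together, seen when <environment>; output.sync is already true in _run, so plain stdout buffering is not the cause — reproduce and remove.`. Whether an external logger's line handling is at fault is not visible from this file, so I would not guess at a fix beyond the marker.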
@@ -0,0 +1,12 @@ +This directory contains to kinds of tests: + +White Box Tests +================================ + +These tests are run on the server as superuser. They are for troubleshooting any problems with the internal setup of the server. + +Black Box Tests +================================ + +These test are run the user's local machine. They are for troubleshooting any external problems with the service exposed by the server. + diff --git a/tests/dummy.rb b/tests/dummy.rb deleted file mode 100644 index e7964a6c..00000000 --- a/tests/dummy.rb +++ /dev/null @@ -1,44 +0,0 @@ -# only run in the dummy case where there is no hiera.yaml file. -raise SkipTest unless $node["dummy"] - -class Robot - def can_shoot_lasers? - "OHAI!" - end - - def can_fly? - "YES!" - end -end - -class TestDummy < LeapTest - def setup - @robot = Robot.new - end - - def test_lasers - assert_equal "OHAI!", @robot.can_shoot_lasers? - pass - end - - def test_fly - refute_match /^no/i, @robot.can_fly? - pass - end - - def test_blah - assert false - pass - end - - def test_that_will_be_skipped - skip "test this later" - pass - end - - def test_err - 12/0 - pass - end - -end diff --git a/tests/network.rb b/tests/network.rb deleted file mode 100644 index 115d356a..00000000 --- a/tests/network.rb +++ /dev/null @@ -1,12 +0,0 @@ -require File.dirname(__FILE__) + '/webapp' - -class TestNetwork < LeapTest - - def setup - end - - def test_test - pass - end - -end diff --git a/tests/webapp.rb b/tests/webapp.rb deleted file mode 100644 index 1762de9e..00000000 --- a/tests/webapp.rb +++ /dev/null @@ -1,13 +0,0 @@ -raise SkipTest unless $node["services"].include?("webapp") - -class TestAWebapp < LeapTest - depends_on "TestNetwork" - - def setup - end - - def test_test - assert false, 'hey, stop here' - end - -end diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb new file mode 100644 index 00000000..0fc4d3b2 --- /dev/null +++ b/tests/white-box/couchdb.rb 
@@ -0,0 +1,54 @@ +raise SkipTest unless $node["services"].include?("couchdb") + +require 'json' + +class TestCouchdb < LeapTest + + def setup + end + + # + # check to make sure we can get welcome response from local couchdb + # + def test_01_is_running + assert_get(couchdb_url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Could not get welcome message from #{couchdb_url}. Probably couchdb is not running." + end + pass + end + + # + # compare the configured nodes to the nodes that are actually listed in bigcouch + # + def test_02_nodes_are_in_replication_database + url = couchdb_admin_url("/nodes/_all_docs") + neighbors = assert_property('couch.bigcouch.neighbors') + neighbors << assert_property('domain.full') + neighbors.sort! + assert_get(url) do |body| + response = JSON.parse(body) + nodes_in_db = response['rows'].collect{|row| row['id'].sub(/^bigcouch@/, '')}.sort + assert_equal neighbors, nodes_in_db, "The couchdb replication node list is wrong (/nodes/_all_docs)" + end + pass + end + + private + + def couchdb_url(path="", port=nil) + @port ||= begin + assert_property 'couch.port' + $node['couch']['port'] + end + @password ||= begin + assert_property 'couch.users.admin.password' + $node['couch']['users']['admin']['password'] + end + "http://admin:#{@password}@localhost:#{port || @port}#{path}" + end + + def couchdb_admin_url(path="") + couchdb_url(path, "5986") # admin port is hardcoded for now. + end + +end diff --git a/tests/white-box/dummy.rb b/tests/white-box/dummy.rb new file mode 100644 index 00000000..dd343769 --- /dev/null +++ b/tests/white-box/dummy.rb 
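Review bot: `test_01_is_running` puts `couchdb_url` into its assertion message, and `couchdb_url` embeds the admin password (`http://admin:#{@password}@localhost:…`), so a failing test prints the couchdb admin credential to the test output and to whatever captures it; report a credential-free form such as `http://localhost:#{@port}` in messages and keep the password only in the request. In `test_02_nodes_are_in_replication_database`, `assert_property('couch.bigcouch.neighbors')` returns the array stored in `$node` itself, and `neighbors << …` followed by `neighbors.sort!` mutate the node configuration in place for every later test; build a fresh array instead, e.g. `neighbors = (assert_property('couch.bigcouch.neighbors') + [assert_property('domain.full')]).sort`. A password containing `@`, `:` or `/` would also break the URL as constructed unless escaped, one more reason to hand credentials to the HTTP helper separately.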
@@ -0,0 +1,44 @@ +# only run in the dummy case where there is no hiera.yaml file. +raise SkipTest unless $node["dummy"] + +class Robot + def can_shoot_lasers? + "OHAI!" + end + + def can_fly? + "YES!" + end +end + +class TestDummy < LeapTest + def setup + @robot = Robot.new + end + + def test_lasers + assert_equal "OHAI!", @robot.can_shoot_lasers? + pass + end + + def test_fly + refute_match /^no/i, @robot.can_fly? + pass + end + + def test_blah + fail "blah" #assert false + pass + end + + def test_01_will_be_skipped + skip "test this later" + pass + end + + def test_err + 12/0 + pass + end + +end diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb new file mode 100644 index 00000000..9680cb5f --- /dev/null +++ b/tests/white-box/network.rb @@ -0,0 +1,13 @@ +class TestNetwork < LeapTest + + def setup + end + + # + # TODO: write an actual test to confirm the network is up and working. + # + def test_working + pass + end + +end diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb new file mode 100644 index 00000000..65f3217b --- /dev/null +++ b/tests/white-box/webapp.rb 
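Review bot: `refute_match /^no/i, @robot.can_fly?` in tests/white-box/dummy.rb is the form Ruby warns about under `-w` ("ambiguous first argument"), because a bare `/` after a method name can parse as division; write `refute_match(/^no/i, @robot.can_fly?)`. The `assert_match /"couchdb":"Welcome"/, body, …` calls elsewhere in this commit have the same shape. Since this dummy file is what people will copy when writing new white-box tests, it is worth getting the idiom right here.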
@@ -0,0 +1,53 @@ +raise SkipTest unless $node["services"].include?("webapp") + +class TestWebapp < LeapTest + depends_on "TestNetwork" + + HAPROXY_CONFIG = '/etc/haproxy/haproxy.cfg' + + def setup + end + + # + # example properties: + # + # stunnel: + # couch_client: + # couch1_5984: + # accept_port: 4000 + # connect: couch1.bitmask.i + # connect_port: 15984 + # + def test_01_stunnel_is_working + assert_property('stunnel.couch_client') + $node['stunnel']['couch_client'].values.each do |stunnel_conf| + assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' + local_stunnel_url = "http://localhost:#{port}" + assert_get(local_stunnel_url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{local_stunnel_url} should return couchdb welcome message." + end + end + pass + end + + # + # example properties: + # + # haproxy: + # servers: + # couch1: + # backup: false + # host: localhost + # port: 4000 + # weight: 10 + # + def test_02_haproxy_is_working + port = file_match(HAPROXY_CONFIG, /^ bind localhost:(\d+)$/) + url = "http://localhost:#{port}" + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass + end + +end -- cgit v1.2.3 From 12d489e5fd3cfc8b7f9d9132ba015cfe2dc46cf8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Dec 2013 10:48:05 -0500 Subject: update couchdb::add_user to use couchdb::document (#4624) Change-Id: Ie7810d7e851f5023bc8970cccc888eccb8661856 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index e4906614..d38d80cc 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit e49066146ffeb91ce7c8e2100cdc4eca0ceb3a9b +Subproject commit d38d80ccb19947984ea9d4ecc8d826144c33dff4 -- cgit v1.2.3 From ea37ddb5b324686fe2e3489119e4000a50d9a138 Mon Sep 17 00:00:00 2001 
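Review bot: `assert port = stunnel_conf['accept_port'], '…'` in `test_01_stunnel_is_working` hides an assignment inside the assertion, which reads like a comparison and invites a later "fix" to `==`; split it into `port = stunnel_conf['accept_port']` followed by `assert port, 'Field `accept_port` must be present in `stunnel` property.'`. In `test_02_haproxy_is_working`, `file_match` performs a single `String#match`, so only the first `bind localhost:(\d+)` line is exercised and the pattern is tied to exactly one leading space; if the intent is to check every listener, `File.read(HAPROXY_CONFIG).scan(/^\s*bind\s+localhost:(\d+)$/)` and a loop over the results would cover them all.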
From: Micah Anderson Date: Tue, 3 Dec 2013 12:39:03 -0500 Subject: restore missing couchdb_host variable for leap_mx Change-Id: I5b21471ab5de55b627a200b256168122f49c1e28 --- puppet/modules/leap_mx/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index e0c3660b..b59eac01 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -4,6 +4,7 @@ class leap_mx { $couchdb_user = $leap_mx['username'] $couchdb_password = $leap_mx['password'] + $couchdb_host = 'localhost' $couchdb_port = '4096' include soledad::common -- cgit v1.2.3 From b947a35003613ebc03d1d3e880d1d5aeeb2d6dea Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Dec 2013 11:02:30 -0500 Subject: replace couch-doc-update with one that uses MultiJson instead, this could prevent the outdated json errors (#4622) Change-Id: Ibd929045a28eef1e9262fad8953df8fd150c1966 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d38d80cc..7ac2149c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d38d80ccb19947984ea9d4ecc8d826144c33dff4 +Subproject commit 7ac2149cdc9f9ca0ce00f70c4e7ac48c896889ec -- cgit v1.2.3 From 006a2fec91304f1814deb3c3887b72aa0872a600 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 11:44:50 -0500 Subject: fix name of customers couchdb database (#4787) Change-Id: I704a1d46069f975711323ff8e6a634d06c267157 --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f206fddb..b0ebca4d 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp 
@@ -4,7 +4,7 @@ class site_couchdb::create_dbs { ### customer database ### r/w: webapp, - couchdb::create_db { 'customer': + couchdb::create_db { 'customers': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 67eb795b40a3294f86b7ec6c4b1c3e2541635841 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Dec 2013 18:05:01 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7ac2149c..090f014c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7ac2149cdc9f9ca0ce00f70c4e7ac48c896889ec +Subproject commit 090f014c63ae3e36662cacf9a0bdd2d51cd0e6e6 -- cgit v1.2.3 From 51f17512d031e937ebbb8f6568c7cffc287b65d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:57:20 -0500 Subject: rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate class for smtp vs. smtpd tls configurations Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3 --- .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 53 +++++++++++++++ puppet/modules/site_postfix/manifests/mx/tls.pp | 78 ---------------------- 2 files changed, 53 insertions(+), 78 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp delete mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp new file mode 100644 index 00000000..5714218c --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp 
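Review bot: Changing the resource title from 'customer' to 'customers' only affects what Puppet creates from now on; nodes deployed with the previous revision keep a `customer` database that remains readable and writable by `$site_couchdb::couchdb_webapp_user`, and nothing in this change removes it. If that database was ever populated, add a one-off cleanup or at least an upgrade note for operators, so stale customer data does not linger under the same access rights. The enclosing `site_couchdb::create_dbs` class continues outside the hunk.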
@@ -0,0 +1,53 @@ +class site_postfix::mx::smtpd_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + + postfix::config { + 'smtpd_use_tls': value => 'yes'; + 'smtpd_tls_CAfile': value => $ca_path; + 'smtpd_tls_cert_file': value => $cert_path; + 'smtpd_tls_key_file': value => $key_path; + 'smtpd_tls_ask_ccert': value => 'yes'; + 'smtpd_tls_security_level': + value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + + exec { 'certtool-postfix-gendh': + command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', + user => root, + group => root, + creates => '/etc/postfix/smtpd_tls_dh_param.pem', + require => [ Package['gnutls-bin'], Package['postfix'] ] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/smtpd_tls_dh_param.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] + } +} diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp deleted file mode 100644 index 08978efd..00000000 
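Review bot: The inbound TLS block in `site_postfix::mx::smtpd_tls` sets no protocol or cipher restrictions, whereas the client-side settings removed from tls.pp in this same commit exclude SSLv2/SSLv3 and aNULL/MD5/DES (`smtp_tls_protocols`, `smtp_tls_exclude_ciphers`); with `smtpd_tls_security_level = may`, the server-side equivalents are `'smtpd_tls_protocols': value => '!SSLv2, !SSLv3';` and `'smtpd_tls_exclude_ciphers': value => 'aNULL, MD5, DES';` inside the `postfix::config` block. The comment above the `exec` still says the file is called dh_1024.pem, but what is generated here is /etc/postfix/smtpd_tls_dh_param.pem, so the comment should name that file (the point that Postfix does not care about the prime size can stay). Mode 0600 on the DH parameter file is harmless but not required — DH parameters are public — and a short comment saying so would stop someone from treating the file as secret material.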
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ /dev/null 
@@ -1,78 +0,0 @@ -class site_postfix::mx::tls { - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - - postfix::config { - 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $ca_path; - 'smtpd_tls_cert_file': value => $cert_path; - 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_ask_ccert': value => 'yes'; - 'smtpd_tls_security_level': - value => 'may'; - 'smtpd_tls_eecdh_grade': - value => 'ultra' - } - - # Setup DH parameters - # Instead of using the dh parameters that are created by leap cli, it is more - # secure to generate new parameter files that will only be used for postfix, - # for each machine - - include site_config::packages::gnutls - - # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh - # parameters Neither Postfix nor OpenSSL actually care about the size of the - # prime in "smtpd_tls_dh1024_param_file". 
You can make it 2048 bits - - exec { 'certtool-postfix-gendh': - command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', - user => root, - group => root, - creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => [ Package['gnutls-bin'], Package['postfix'] ] - } - - # Make sure the dh params file has correct ownership and mode - file { - '/etc/postfix/smtpd_tls_dh_param.pem': - owner => root, - group => root, - mode => '0600', - require => Exec['certtool-postfix-gendh']; - } - - postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/smtpd_tls_dh_param.pem', - require => File['/etc/postfix/smtpd_tls_dh_param.pem'] - } - -} - # smtp TLS - postfix::config { - 'smtp_use_tls': value => 'yes'; - 'smtp_tls_CApath': value => '/etc/ssl/certs/'; - 'smtp_tls_CAfile': value => $ca_path; - 'smtp_tls_cert_file': value => $cert_path; - 'smtp_tls_key_file': value => $key_path; - 'smtp_tls_ask_ccert': value => 'yes'; - 'smtp_tls_loglevel': value => '1'; - 'smtp_tls_exclude_ciphers': - value => 'aNULL, MD5, DES'; - # upstream default is md5 (since 2.5 and older used it), we force sha1 - 'smtp_tls_fingerprint_digest': - value => 'sha1'; - 'smtp_tls_session_cache_database': - value => 'btree:${queue_directory}/smtp_cache'; - 'smtp_tls_security_level': - value => 'may'; - # see issue #4011 - 'smtp_tls_protocols': - value => '!SSLv2, !SSLv3'; - } - - -- cgit v1.2.3 From 86a2d30985cb118fdb158cc605237ae9445b6123 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 17 Dec 2013 12:58:22 -0500 Subject: add a smtp_tls class and include that on both mx servers and satellites Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/satellite.pp | 3 +++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 59d3030d..441252f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,7 +32,8 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::mx::checks - include site_postfix::mx::tls + include site_postfix::mx::smtp_tls + include site_postfix::mx::smtpd_tls include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp new file mode 100644 index 00000000..4b9c2fd9 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp 
@@ -0,0 +1,29 @@ +class site_postfix::mx::smtp_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; + } +} diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index de20b667..7be51b22 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -3,9 +3,12 @@ class site_postfix::satellite { $root_mail_recipient = hiera ('contacts') $mail = hiera ('mail') $relayhost = $mail['smarthost'] + $cert_name = hiera('name') class { '::postfix::satellite': relayhost => $relayhost, root_mail_recipient => $root_mail_recipient } + + include site_postfix::mx::smtp_tls } -- cgit v1.2.3 From 5708e04af02ec7332be84dfb63200008c35b9af4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 13:06:17 -0500 Subject: set x509 use to true for all nodes, we need a cert for relaying using TLS (#1910) Change-Id: I347178f2a172e4be6af8c0c76d801b3c769235cd --- provider_base/common.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
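Review bot: `$cert_name = hiera('name')` added to `site_postfix::satellite` is not read by the class it accompanies: `site_postfix::mx::smtp_tls` derives its paths from `$site_config::params::cert_name`, so the satellite-local variable is dead unless something outside this diff references `$site_postfix::satellite::cert_name`; either drop it or turn `smtp_tls` into a parameterised class that takes the name. Including a class from the `mx` namespace on satellites also blurs the role boundary; a `site_postfix::smtp_tls` shared by both would make the common use explicit. `smtp_tls_fingerprint_digest = sha1` only matters at the `fingerprint` security level, which this class does not use, so the "we force sha1" comment reads as a hardening step when it is inert here.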
diff --git a/provider_base/common.json b/provider_base/common.json index 5be0dd70..07a45972 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -25,7 +25,7 @@ }, "hosts": "=> hosts_file", "x509": { - "use": false, + "use": true, "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil", "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert" -- cgit v1.2.3 From 411b7ebb8bce00a81002d1abb9f7c488571ddb47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:57:20 -0500 Subject: rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate class for smtp vs. smtpd tls configurations Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3 --- .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 53 +++++++++++++++ puppet/modules/site_postfix/manifests/mx/tls.pp | 78 ---------------------- 2 files changed, 53 insertions(+), 78 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp delete mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp new file mode 100644 index 00000000..5714218c --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp 
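Review bot: Setting `x509.use` to true makes the `cert` and `key` entries resolve on every node, so a provider whose non-MX nodes were never issued a certificate now fails at compile time with the `Run \`leap cert update\`` message in the `key` line instead of deploying. That is the right behaviour for a relay that needs a client certificate, but it turns a previously optional step into a required one and should be called out for operators (changelog or upgrade note). The node private key will also be placed on every node class rather than only the ones that terminate TLS; that is implied by the subject's rationale, but worth stating in the description.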
@@ -0,0 +1,53 @@
+class site_postfix::mx::smtpd_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+
+ postfix::config {
+ 'smtpd_use_tls': value => 'yes';
+ 'smtpd_tls_CAfile': value => $ca_path;
+ 'smtpd_tls_cert_file': value => $cert_path;
+ 'smtpd_tls_key_file': value => $key_path;
+ 'smtpd_tls_ask_ccert': value => 'yes';
+ 'smtpd_tls_security_level':
+ value => 'may';
+ 'smtpd_tls_eecdh_grade':
+ value => 'ultra'
+ }
+
+ # Setup DH parameters
+ # Instead of using the dh parameters that are created by leap cli, it is more
+ # secure to generate new parameter files that will only be used for postfix,
+ # for each machine
+
+ include site_config::packages::gnutls
+
+ # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+ # parameters Neither Postfix nor OpenSSL actually care about the size of the
+ # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits
+
+ exec { 'certtool-postfix-gendh':
+ command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem',
+ user => root,
+ group => root,
+ creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => [ Package['gnutls-bin'], Package['postfix'] ]
+ }
+
+ # Make sure the dh params file has correct ownership and mode
+ file {
+ '/etc/postfix/smtpd_tls_dh_param.pem':
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Exec['certtool-postfix-gendh'];
+ }
+
+ postfix::config { 'smtpd_tls_dh1024_param_file':
+ value => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => File['/etc/postfix/smtpd_tls_dh_param.pem']
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
deleted file mode 100644
index 08978efd..00000000
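Review bot: The comment above `exec { 'certtool-postfix-gendh' … }` says the file is called `dh_1024.pem`, but the file generated and referenced here is `/etc/postfix/smtpd_tls_dh_param.pem`; only the Postfix parameter name carries `1024`. Suggest replacing that comment with `# The parameter is named smtpd_tls_dh1024_param_file for historical reasons; neither Postfix nor OpenSSL care about the prime size, so 2048-bit parameters are generated here.` Because the exec is guarded by `creates`, parameters are generated once per machine and never rotated; if rotation is ever wanted the file has to be removed by hand, which the comment could also state. `Package['postfix']` is presumably declared by the postfix module rather than this class, so the `require` depends on that module being in the catalog.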
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ /dev/null 
@@ -1,78 +0,0 @@ -class site_postfix::mx::tls { - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - - postfix::config { - 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $ca_path; - 'smtpd_tls_cert_file': value => $cert_path; - 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_ask_ccert': value => 'yes'; - 'smtpd_tls_security_level': - value => 'may'; - 'smtpd_tls_eecdh_grade': - value => 'ultra' - } - - # Setup DH parameters - # Instead of using the dh parameters that are created by leap cli, it is more - # secure to generate new parameter files that will only be used for postfix, - # for each machine - - include site_config::packages::gnutls - - # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh - # parameters Neither Postfix nor OpenSSL actually care about the size of the - # prime in "smtpd_tls_dh1024_param_file". 
You can make it 2048 bits - - exec { 'certtool-postfix-gendh': - command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', - user => root, - group => root, - creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => [ Package['gnutls-bin'], Package['postfix'] ] - } - - # Make sure the dh params file has correct ownership and mode - file { - '/etc/postfix/smtpd_tls_dh_param.pem': - owner => root, - group => root, - mode => '0600', - require => Exec['certtool-postfix-gendh']; - } - - postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/smtpd_tls_dh_param.pem', - require => File['/etc/postfix/smtpd_tls_dh_param.pem'] - } - -} - # smtp TLS - postfix::config { - 'smtp_use_tls': value => 'yes'; - 'smtp_tls_CApath': value => '/etc/ssl/certs/'; - 'smtp_tls_CAfile': value => $ca_path; - 'smtp_tls_cert_file': value => $cert_path; - 'smtp_tls_key_file': value => $key_path; - 'smtp_tls_ask_ccert': value => 'yes'; - 'smtp_tls_loglevel': value => '1'; - 'smtp_tls_exclude_ciphers': - value => 'aNULL, MD5, DES'; - # upstream default is md5 (since 2.5 and older used it), we force sha1 - 'smtp_tls_fingerprint_digest': - value => 'sha1'; - 'smtp_tls_session_cache_database': - value => 'btree:${queue_directory}/smtp_cache'; - 'smtp_tls_security_level': - value => 'may'; - # see issue #4011 - 'smtp_tls_protocols': - value => '!SSLv2, !SSLv3'; - } - - -- cgit v1.2.3 From 9531b13447ff204a00a138a137818054603fe1c9 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 17 Dec 2013 12:58:22 -0500 Subject: add a smtp_tls class and include that on both mx servers and satellites Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/satellite.pp | 3 +++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 59d3030d..441252f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,7 +32,8 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::mx::checks - include site_postfix::mx::tls + include site_postfix::mx::smtp_tls + include site_postfix::mx::smtpd_tls include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp new file mode 100644 index 00000000..4b9c2fd9 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp 
@@ -0,0 +1,29 @@
+class site_postfix::mx::smtp_tls {
+
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ # smtp TLS
+ postfix::config {
+ 'smtp_use_tls': value => 'yes';
+ 'smtp_tls_CApath': value => '/etc/ssl/certs/';
+ 'smtp_tls_CAfile': value => $ca_path;
+ 'smtp_tls_cert_file': value => $cert_path;
+ 'smtp_tls_key_file': value => $key_path;
+ 'smtp_tls_loglevel': value => '1';
+ 'smtp_tls_exclude_ciphers':
+ value => 'aNULL, MD5, DES';
+ # upstream default is md5 (since 2.5 and older used it), we force sha1
+ 'smtp_tls_fingerprint_digest':
+ value => 'sha1';
+ 'smtp_tls_session_cache_database':
+ value => 'btree:${queue_directory}/smtp_cache';
+ 'smtp_tls_security_level':
+ value => 'may';
+ # see issue #4011
+ 'smtp_tls_protocols':
+ value => '!SSLv2, !SSLv3';
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index de20b667..7be51b22 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -3,9 +3,12 @@ class site_postfix::satellite { $root_mail_recipient = hiera ('contacts') $mail = hiera ('mail') $relayhost = $mail['smarthost'] + $cert_name = hiera('name') class { '::postfix::satellite': relayhost => $relayhost, root_mail_recipient => $root_mail_recipient } + + include site_postfix::mx::smtp_tls }
-- cgit v1.2.3
From e8af63fedc1738c0afbb9cee2a2339719d62b38f Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 17 Dec 2013 13:06:17 -0500
Subject: set x509 use to true for all nodes, we need a cert for relaying using TLS (#1910)
Change-Id: I347178f2a172e4be6af8c0c76d801b3c769235cd
---
 provider_base/common.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provider_base/common.json b/provider_base/common.json index 5be0dd70..07a45972 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -25,7 +25,7 @@ }, "hosts": "=> hosts_file", "x509": { - "use": false, + "use": true, "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil", "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert" -- cgit v1.2.3 From 88af29f3aba662aab4ca5ac3122d43139fb97004 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 15:43:58 -0500 Subject: Fix for openvpn/unbound not starting at boot (#4506) This change sets the sysctl net.ipv4.ip_nonlocal_bind to allow applications to bind to an address, even when the link is down. This is necessary because applications like unbound and openvpn fail to start on boot in some situations because interfaces are not fully up (due to a combination of non-deterministic booting because of the likely potential setting of allow-hotplug in the interfaces file and the LSB boot dependency on $network not being sufficient. The only down-side to setting this is a daemon could bind to an incorrect ip and we wouldn't get an error, but this would be a configuration mistake, rather than a fatal condition. Change-Id: I5c03083e8c20bb25afad85a1230f4555808d341c --- .gitmodules | 3 +++ puppet/modules/site_config/manifests/default.pp | 4 +++- puppet/modules/site_config/manifests/sysctl.pp | 8 ++++++++ puppet/modules/sysctl | 1 + 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/sysctl.pp create mode 160000 puppet/modules/sysctl diff --git a/.gitmodules b/.gitmodules index 0b339593..cc8afdb5 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -85,3 +85,6 @@ [submodule "puppet/modules/backupninja"] path = puppet/modules/backupninja url = https://leap.se/git/puppet_backupninja +[submodule "puppet/modules/sysctl"] + path = puppet/modules/sysctl + url = https://leap.se/git/puppet_sysctl diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 33d3df05..d85d9c8f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,7 +12,6 @@ class site_config::default { include site_config::slow - include concat::setup # default class, used by all hosts @@ -22,6 +21,9 @@ class site_config::default { # configure apt include site_apt + # configure sysctl parameters + include site_config::sysctl + # configure ssh and include ssh-keys include site_config::sshd diff --git a/puppet/modules/site_config/manifests/sysctl.pp b/puppet/modules/site_config/manifests/sysctl.pp new file mode 100644 index 00000000..99f75123 --- /dev/null +++ b/puppet/modules/site_config/manifests/sysctl.pp @@ -0,0 +1,8 @@ +class site_config::sysctl { + + sysctl::config { + 'net.ipv4.ip_nonlocal_bind': + value => 1, + comment => 'Allow applications to bind to an address when link is down (see https://leap.se/code/issues/4506)' + } +} diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl new file mode 160000 index 00000000..975852b7 --- /dev/null +++ b/puppet/modules/sysctl @@ -0,0 +1 @@ +Subproject commit 975852b7acc1125b4cd9d4d490b9abd8d31217e6 -- cgit v1.2.3 From e0c07465d14d701da16e47b9c2e3938c80088c4d Mon Sep 17 00:00:00 2001 
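Review bot: The first `default.pp` hunk drops `include concat::setup`, which neither the subject nor the description of this commit mentions; if concat fragments are still used elsewhere in the site modules, removing its setup class changes behaviour unrelated to #4506, so it should either be its own commit or get a sentence explaining why it is safe. On the sysctl side, `net.ipv4.ip_nonlocal_bind = 1` is host-wide: any daemon may now bind an address the machine does not own, which the description already accepts as a trade-off. A comment in `site_config::sysctl` naming the services that depend on it (unbound, openvpn per the description) would help whoever later asks whether the setting can be reverted, e.g. `# needed so unbound/openvpn can start before their interfaces are fully up (#4506)`.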
From: varac Date: Thu, 19 Dec 2013 12:50:17 +0100 Subject: Deploy /etc/leap/couchdb_scripts_defaults.conf so we can exclude some DBs, i.e. sessions + tokens (#4794) --- .../modules/site_couchdb/files/couchdb_scripts_defaults.conf | 4 ++++ puppet/modules/site_couchdb/manifests/backup.pp | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf diff --git a/puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf b/puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf new file mode 100644 index 00000000..1565e1a1 --- /dev/null +++ b/puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf @@ -0,0 +1,4 @@ +# space separated list of excluded DBs for dumping +# sourced by couchdb_dumpall.sh +EXCLUDE_DBS='sessions tokens' + diff --git a/puppet/modules/site_couchdb/manifests/backup.pp b/puppet/modules/site_couchdb/manifests/backup.pp index ef505693..8b5aa6ea 100644 --- a/puppet/modules/site_couchdb/manifests/backup.pp +++ b/puppet/modules/site_couchdb/manifests/backup.pp @@ -9,4 +9,15 @@ class site_couchdb::backup { backupninja::sh { 'couchdb_backup': command_string => "cd /srv/leap/couchdb/scripts \n./couchdb_dumpall.sh" } + + # Deploy /etc/leap/couchdb_scripts_defaults.conf so we can exclude + # some databases + + file { '/etc/leap/couchdb_scripts_defaults.conf': + source => 'puppet:///modules/site_couchdb/couchdb_scripts_defaults.conf', + mode => '0644', + owner => 'root', + group => 'root', + } + } -- cgit v1.2.3 From 66ad58f2bc3b285bd17d5e61a21afece11d2c293 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 19 Dec 2013 14:22:43 -0500 Subject: Fix the location of the smtp/smtpd_tls_session_cache_database (#4813) Change-Id: I959fa40ff508bbeaf7baa0b6ba90c10c9e6b0ef7 --- puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 2 +- puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
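Review bot: `couchdb_scripts_defaults.conf` is sourced by `couchdb_dumpall.sh`, so whatever is in it runs as shell with the backup's privileges; the `0644` root-owned `file` resource keeps it writable by root only, which is the property that matters and deserves a comment such as `# sourced by couchdb_dumpall.sh, so it must stay root-owned and non-writable by others`. The resource has no relationship to `/etc/leap`, so it relies on that directory being managed earlier in the catalog; if it is, `require => File['/etc/leap']` makes the dependency explicit. The file content itself is a plain shell assignment, so a note in the .conf that the value must remain a quoted, space-separated word list would help future edits.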
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index 4b9c2fd9..3cc7ea72 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -19,7 +19,7 @@ class site_postfix::mx::smtp_tls { 'smtp_tls_fingerprint_digest': value => 'sha1'; 'smtp_tls_session_cache_database': - value => 'btree:${queue_directory}/smtp_cache'; + value => 'btree:${data_directory}/smtp_cache'; 'smtp_tls_security_level': value => 'may'; # see issue #4011 diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 5714218c..0809c75f 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -15,7 +15,9 @@ class site_postfix::mx::smtpd_tls { 'smtpd_tls_security_level': value => 'may'; 'smtpd_tls_eecdh_grade': - value => 'ultra' + value => 'ultra'; + 'smtpd_tls_session_cache_database': + value => 'btree:${data_directory}/smtpd_scache'; } # Setup DH parameters -- cgit v1.2.3 From 5f7f2cd3a61aafb1afc81b74b3ef03afe3a64221 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 19 Dec 2013 16:03:45 -0500 Subject: Set mynetworks to include any mx server in the provider to allow them to Helo as the domain (#4495) Change-Id: I6c8ac28faceb8b0c6129a606ede04837efd3d261 --- provider_base/services/mx.json | 1 + puppet/modules/site_postfix/manifests/mx.pp | 3 +++ 2 files changed, 4 insertions(+) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 9d0ee532..d57c3168 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json 
@@ -6,6 +6,7 @@ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" }, "couchdb_leap_mx_user": "= global.services[:couchdb].couch.users[:leap_mx]", + "mx_nodes": "= nodes['services' => 'mx']['environment' => '!local'].field('ip_address')", "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 441252f2..de89c26e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -4,6 +4,7 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') + $mynetworks = join(hiera('mx_nodes'), ' ') $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' @@ -14,6 +15,8 @@ class site_postfix::mx { include site_config::x509::client_ca::key postfix::config { + 'mynetworks': + value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}"; 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'myhostname': -- cgit v1.2.3 From ecb537042e73934d508377280254dc18f8180a41 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 20 Dec 2013 15:48:21 +0100 Subject: Adopt tapicero config file to tapicero > 0.2.0 In order to reuse the couch changes observer for key uploads I extracted it from tapicero and made the configuration more generic. This results in some changes to the config file format. When deploying tapicero >= 0.2.0 this config file format should be used instead. Also set log_level to debug by default. We can reduce this later but it might be useful for now. --- .../modules/tapicero/templates/tapicero.yaml.erb | 48 +++++++++++----------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 098f95bd..cfc02c5c 100644 
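Review bot: `'mynetworks'` now trusts `[fe80::]/64` in addition to every address returned by `mx_nodes`; if the smtpd restrictions (outside this hunk) use `permit_mynetworks`, that list is relay permission, and `[fe80::]/64` is the entire IPv6 link-local range, i.e. every host on the same L2 segment rather than only this machine. If the link-local entry is only there to mirror Postfix's computed default, a comment saying so would prevent it being read as intentional trust; otherwise drop it and keep the explicit per-node list. `hiera('mx_nodes')` has no default, so an mx node whose hiera lacks the key fails to compile, which is acceptable only if `mx.json` is always applied to them, as the first hunk suggests.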
--- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -2,34 +2,15 @@ # Default configuration options for Tapicero # -# database to observe for changes: -users_db_name: "users" - -# prefix for per user databases: -db_prefix: "user-" - # couch connection configuration -couch_connection: +connection: protocol: "http" host: "localhost" port: <%= @couchdb_port %> username: <%= @couchdb_admin_user %> password: <%= @couchdb_admin_password %> - -# security settings to be used for the per user databases -security: - admins: - names: - # We explicitly allow the admin user to access per user databases, even - # though admin access ignores per database security we just do this to be - # explicit about this - - <%= @couchdb_admin_user %> - roles: [] - readers: - names: - - <%= @couchdb_soledad_user %> - - <%= @couchdb_leap_mx_user %> - roles: [] + prefix : "" + suffix : "" # file to store the last processed user record in so we can resume after # a restart: @@ -37,4 +18,25 @@ seq_file: "/var/lib/leap/tapicero/tapicero.seq" # Configure log_file like this if you want to log to a file instead of syslog: # log_file: "/var/leap/log/tapicero.log" -log_level: info +log_level: debug + +# tapicero specific options +options: + # prefix for per user databases: + db_prefix: "user-" + + # security settings to be used for the per user databases + security: + admins: + names: + # We explicitly allow the admin user to access per user databases, even + # though admin access ignores per database security we just do this to be + # explicit about this + - <%= @couchdb_admin_user %> + roles: [] + readers: + names: + - <%= @couchdb_soledad_user %> + - <%= @couchdb_leap_mx_user %> + roles: [] + -- cgit v1.2.3 From bf385beb22b7a17899604c21b764d84de55b23a8 Mon Sep 17 00:00:00 2001 
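Review bot: `log_level: debug` becomes the shipped default in a template that also carries the CouchDB admin credentials under `connection:`; depending on what tapicero logs at debug level, request details could end up in syslog on every deployment. Since the description calls the debug default temporary, driving it from a template variable that defaults to `info` would avoid editing the template again later and keep verbose logging an explicit per-node choice. The new `prefix : ""` and `suffix : ""` keys have a space before the colon, unlike the rest of the file.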
From: elijah Date: Tue, 24 Dec 2013 00:53:14 -0800 Subject: move nickserver config to /etc/nickserver.yml (fixes #4843) --- puppet/modules/site_nickserver/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index e1b911c1..eaf90d55 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -95,7 +95,7 @@ class site_nickserver { # NICKSERVER CONFIG # - file { '/etc/leap/nickserver.yml': + file { '/etc/nickserver.yml': content => template('site_nickserver/nickserver.yml.erb'), owner => nickserver, group => nickserver, -- cgit v1.2.3 From 34678e895a5a40da6f444199983fee3f8ce518ee Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 27 Dec 2013 02:43:24 -0800 Subject: added some network tests for stunnel --- bin/run_tests | 87 ++++++++++++++++++++++++++++++++++++++++++++-- tests/white-box/dummy.rb | 24 ++++++++++--- tests/white-box/network.rb | 23 ++++++++++-- tests/white-box/webapp.rb | 8 +++-- 4 files changed, 131 insertions(+), 11 deletions(-) diff --git a/bin/run_tests b/bin/run_tests index 8c5fb492..89fbdb24 100755 --- a/bin/run_tests +++ b/bin/run_tests 
@@ -93,18 +93,99 @@ class LeapTest < MiniTest::Unit::TestCase yield nil, nil, exc end - def assert_get(url, params=nil) + def assert_get(url, params=nil, options=nil) + options ||= {} get(url, params) do |body, response, error| if body yield body elsif response - fail "Expected a 200 status code from #{url}, but got #{response.code} instead." + fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", options[:error_msg]].compact.join("\n") else - fail "Expected a response from #{url}, but got \"#{error}\" instead." + fail ["Expected a response from #{url}, but got \"#{error}\" instead.", options[:error_msg]].compact.join("\n") end end end + # + # test if a socket can be connected to + # + + # + # tcp connection helper with timeout + # + def try_tcp_connect(host, port, timeout = 5) + addr = Socket.getaddrinfo(host, nil) + sockaddr = Socket.pack_sockaddr_in(port, addr[0][3]) + + Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket| + socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) + begin + socket.connect_nonblock(sockaddr) + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Connection timeout" + else + socket.connect_nonblock(sockaddr) + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Connection timeout" + else + socket.connect_nonblock(sockaddr) + end + end + return socket + end + end + + def try_tcp_write(socket, timeout = 5) + begin + socket.write_nonblock("\0") + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Write timeout" + else + retry + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Write timeout" + else + retry + end + end + end + + def try_tcp_read(socket, timeout = 5) + begin + socket.read_nonblock(1) + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Read timeout" + else + retry + end + rescue 
IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Read timeout" + else + retry + end + end + end + + def assert_tcp_socket(host, port, msg=nil) + begin + socket = try_tcp_connect(host, port, 1) + #try_tcp_write(socket,1) + #try_tcp_read(socket,1) + rescue StandardError => exc + fail ["Failed to open socket #{host}:#{port}", exc].join("\n") + ensure + socket.close if socket + end + end + # # Matches the regexp in the file, and returns the first matched string (or fails if no match). # diff --git a/tests/white-box/dummy.rb b/tests/white-box/dummy.rb index dd343769..6ca49754 100644 --- a/tests/white-box/dummy.rb +++ b/tests/white-box/dummy.rb @@ -26,8 +26,8 @@ class TestDummy < LeapTest pass end - def test_blah - fail "blah" #assert false + def test_fail + fail "fail" pass end @@ -36,8 +36,24 @@ class TestDummy < LeapTest pass end - def test_err - 12/0 + def test_socket_failure + assert_tcp_socket('localhost', 900000) + pass + end + + def test_socket_success + fork { + Socket.tcp_server_loop('localhost', 12345) do |sock, client_addrinfo| + begin + sock.write('hi') + ensure + sock.close + exit + end + end + } + sleep 0.2 + assert_tcp_socket('localhost', 12345) pass end diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 9680cb5f..8ca56ffd 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb 
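Review bot: In `try_tcp_connect` the second `socket.connect_nonblock(sockaddr)` after a successful `IO.select` is not wrapped in `rescue Errno::EISCONN`, which is what MRI raises when the non-blocking connect has completed; any connect that does not finish synchronously (i.e. almost anything not on loopback) therefore surfaces as "Failed to open socket" in `assert_tcp_socket`. The socket created in the `tap` block is also never closed when connect raises or times out, since `assert_tcp_socket` only closes what was returned, and `try_tcp_write`/`try_tcp_read` are dead code while their calls are commented out. A rewrite that handles EISCONN and closes on failure is sketched below; `connect_nonblock` does not raise `IO::WaitReadable`, so that branch can go, though keeping it is harmless. The enclosing `LeapTest` class continues outside the hunk.
```ruby
def try_tcp_connect(host, port, timeout = 5)
  addr = Socket.getaddrinfo(host, nil)
  sockaddr = Socket.pack_sockaddr_in(port, addr[0][3])
  socket = Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0)
  socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
  begin
    socket.connect_nonblock(sockaddr)
  rescue IO::WaitWritable
    raise "Connection timeout" if IO.select(nil, [socket], nil, timeout).nil?
    begin
      socket.connect_nonblock(sockaddr) # finishes the connect started above
    rescue Errno::EISCONN
      # already connected: the normal outcome after a successful select
    end
  end
  socket
rescue StandardError
  socket.close if socket
  raise
end
# … unchanged: try_tcp_write, try_tcp_read, assert_tcp_socket …
```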
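Review bot: `test_socket_success` ends the forked child with `exit`, which runs the parent's `at_exit` handlers in the child too; if the test runner is installed via `at_exit` (set up outside this hunk), the child may re-run or re-report the suite, so `exit!` is the safer way to leave a forked helper. The hard-coded port 12345 collides with anything else listening there, and `sleep 0.2` is a race between the fork and `assert_tcp_socket`; binding an ephemeral port in the parent before forking, and retrying the connect briefly, would remove both. `test_socket_failure` relies on 900000 being an invalid port, which is fine but worth a one-line comment.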
@@ -1,12 +1,31 @@ +require 'socket' + +raise SkipTest if $node["dummy"] + class TestNetwork < LeapTest def setup end # - # TODO: write an actual test to confirm the network is up and working. + # example properties: + # + # stunnel: + # couch_client: + # couch1_5984: + # accept_port: 4000 + # connect: couch1.bitmask.i + # connect_port: 15984 # - def test_working + def test_01_stunnel_is_running + if $node['stunnel'] + $node['stunnel'].values.each do |stunnel_type| + stunnel_type.values.each do |stunnel_conf| + assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' + assert_tcp_socket('localhost', port) + end + end + end pass end diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 65f3217b..aaad4426 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -1,5 +1,7 @@ raise SkipTest unless $node["services"].include?("webapp") +require 'socket' + class TestWebapp < LeapTest depends_on "TestNetwork" @@ -18,12 +20,14 @@ class TestWebapp < LeapTest # connect: couch1.bitmask.i # connect_port: 15984 # - def test_01_stunnel_is_working + def test_01_can_contact_couchdb assert_property('stunnel.couch_client') $node['stunnel']['couch_client'].values.each do |stunnel_conf| assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' local_stunnel_url = "http://localhost:#{port}" - assert_get(local_stunnel_url) do |body| + remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last + msg = "(stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address] + assert_get(local_stunnel_url, nil, error_msg: msg) do |body| assert_match /"couchdb":"Welcome"/, body, "Request to #{local_stunnel_url} should return couchdb welcome message." end end -- cgit v1.2.3 From f1ba024e9c529b5f9ac988d6600931f914ec1d31 Mon Sep 17 00:00:00 2001 
From: elijah Date: Fri, 27 Dec 2013 10:32:10 -0800 Subject: improved stunnel test --- tests/white-box/network.rb | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 8ca56ffd..02eb80ca 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -11,18 +11,30 @@ class TestNetwork < LeapTest # example properties: # # stunnel: - # couch_client: - # couch1_5984: - # accept_port: 4000 - # connect: couch1.bitmask.i - # connect_port: 15984 + # ednp_clients: + # elk_9002: + # accept_port: 4003 + # connect: elk.dev.bitmask.i + # connect_port: 19002 + # couch_server: + # accept: 15984 + # connect: "127.0.0.1:5984" # def test_01_stunnel_is_running if $node['stunnel'] - $node['stunnel'].values.each do |stunnel_type| - stunnel_type.values.each do |stunnel_conf| - assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' - assert_tcp_socket('localhost', port) + $node['stunnel'].each do |stunnel_type, stunnel_configs| + if stunnel_type =~ /_clients?$/ + stunnel_configs.values.each do |stunnel_conf| + assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' + assert_tcp_socket('localhost', port) + end + elsif stunnel_type =~ /_server$/ + assert accept = stunnel_configs['accept'], "Field `accept` must be present in property `stunnel.#{stunnel_type}`" + assert_tcp_socket('localhost', accept) + assert connect = stunnel_configs['connect'], "Field `connect` must be present in property `stunnel.#{stunnel_type}`" + assert_tcp_socket(*connect.split(':')) + else + skip "Unknown stunnel type `#{stunnel_type}`" end end end -- cgit v1.2.3 From 0a56b656f8fbfd38ee1a9babdb93fbed39c4a973 Mon Sep 17 00:00:00 2001 
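Review bot: `skip "Unknown stunnel type …"` inside the `each` raises MiniTest's skip exception, so the first unrecognised key under `stunnel` abandons the whole test, including `_clients`/`_server` entries that have not been checked yet, and the method reports as skipped rather than passed. Collecting unknown types in an array and reporting them once after the loop keeps the remaining sockets asserted. `assert_tcp_socket(*connect.split(':'))` also assumes `connect` is `host:port` with exactly one colon; an IPv6 literal would split wrongly, so either state the expected format in the example comment or split on the last colon with `connect.rpartition(':').values_at(0, 2)`.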
From: elijah Date: Fri, 27 Dec 2013 12:27:53 -0800 Subject: improve couchdb test --- bin/run_tests | 20 +++++++++++++++++--- tests/white-box/couchdb.rb | 24 +++++++++++++++++++++--- tests/white-box/dummy.rb | 11 +++++++++++ 3 files changed, 49 insertions(+), 6 deletions(-) diff --git a/bin/run_tests b/bin/run_tests index 89fbdb24..86a72f26 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -43,6 +43,11 @@ class LeapTest < MiniTest::Unit::TestCase class Pass < MiniTest::Assertion end + def initialize(name) + super(name) + io # << calling this will suppress the marching ants + end + # # Test class dependencies # @@ -69,6 +74,11 @@ class LeapTest < MiniTest::Unit::TestCase assert(false, msg) end + def warn(*msg) + method_name = caller.first.split('`').last.gsub(/(block in |')/,'') + MiniTest::Unit.runner.report_line("WARN", self.class, method_name, nil, msg.join("\n")) + end + # Always runs test methods within a test class in alphanumeric order # def self.test_order @@ -295,16 +305,18 @@ class LeapRunner < MiniTest::Unit output.puts format % [test_count, assertion_count, passes, failures, errors, skips] end - private - # # returns a string for a PASS, SKIP, or FAIL error # def report_line(prefix, klass, meth, e=nil, message=nil) - if e && message + if message indent = "\n " msg_txt = indent + message.split("\n").join(indent) + end + if e && message output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)} [#{File.basename(location(e))}]:#{msg_txt}" + elsif message + output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}:#{msg_txt}" else output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}" end @@ -312,6 +324,8 @@ class LeapRunner < MiniTest::Unit sleep(0.0001) # keep lines from being joined together by the logger. output.flush doesn't. end + private + # # Converts snake_case and CamelCase to something more pleasant for humans to read. # 
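Review bot: `warn(*msg)` shadows `Kernel#warn` for every `LeapTest` instance, so any helper inside the class that calls `warn` for an ordinary Ruby warning now produces a WARN report line instead of stderr; if that is intended, a comment on the method saying so would prevent surprise. The method name is recovered by string-splitting `caller.first` on backticks, which depends on MRI's backtrace text and the `block in` prefix; `caller_locations(1, 1).first.label` gives the same information structurally if the Ruby version in use supports it. `report_line` moving out of `private` is needed for that call, so a comment on it noting that `LeapTest#warn` depends on it being public would stop someone moving it back.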
diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index 0fc4d3b2..6ffc6a4f 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -21,7 +21,7 @@ class TestCouchdb < LeapTest # compare the configured nodes to the nodes that are actually listed in bigcouch # def test_02_nodes_are_in_replication_database - url = couchdb_admin_url("/nodes/_all_docs") + url = couchdb_backend_url("/nodes/_all_docs") neighbors = assert_property('couch.bigcouch.neighbors') neighbors << assert_property('domain.full') neighbors.sort! @@ -33,6 +33,24 @@ class TestCouchdb < LeapTest pass end + def test_03_replica_membership + url = couchdb_url("/_membership") + assert_get(url) do |body| + response = JSON.parse(body) + nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes'] + nodes_available_but_not_configured = response['cluster_nodes'] - response['all_nodes'] + if nodes_configured_but_not_available.any? + warn "These nodes are configured but not available:", nodes_configured_but_not_available + end + if nodes_available_but_not_configured.any? + warn "These nodes are available but not configured:", nodes_available_but_not_configured + end + if response['cluster_nodes'] == response['all_nodes'] + pass + end + end + end + private def couchdb_url(path="", port=nil) @@ -47,8 +65,8 @@ class TestCouchdb < LeapTest "http://admin:#{@password}@localhost:#{port || @port}#{path}" end - def couchdb_admin_url(path="") - couchdb_url(path, "5986") # admin port is hardcoded for now. + def couchdb_backend_url(path="") + couchdb_url(path, "5986") # TODO: admin port is hardcoded for now but should be configurable. end end diff --git a/tests/white-box/dummy.rb b/tests/white-box/dummy.rb index 6ca49754..a3e8ad68 100644 --- a/tests/white-box/dummy.rb +++ b/tests/white-box/dummy.rb 
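Review bot: When the two node sets differ, `test_03_replica_membership` warns and then returns without calling `pass` or `fail`, so how it is reported depends on what `LeapRunner` does with a test that raises neither, which is outside the hunk; making the outcome explicit (`fail` or a deliberate `pass` after the warnings) would avoid that ambiguity. The URL built by `couchdb_url` embeds `admin:#{@password}@`, and `assert_get`'s failure messages interpolate the URL, so a failing membership or nodes check prints the admin password into the test report unless the reporter masks it.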
@@ -41,6 +41,17 @@ class TestDummy < LeapTest pass end + def test_warn + block_test do + warn "not everything", "is a success or failure" + end + end + + # used to test extracting the proper caller even when in a block + def block_test + yield + end + def test_socket_success fork { Socket.tcp_server_loop('localhost', 12345) do |sock, client_addrinfo| -- cgit v1.2.3 From d86e34564cda2d28fd42d10e584184af7e8b7553 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 27 Dec 2013 15:00:10 -0800 Subject: more couchdb tests --- tests/white-box/couchdb.rb | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index 6ffc6a4f..3abddefc 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -33,12 +33,18 @@ class TestCouchdb < LeapTest pass end + # + # all configured nodes are in 'cluster_nodes' + # all nodes online and communicating are in 'all_nodes' + # + # this seems backward to me, so it might be the other way around. + # def test_03_replica_membership url = couchdb_url("/_membership") assert_get(url) do |body| response = JSON.parse(body) nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes'] - nodes_available_but_not_configured = response['cluster_nodes'] - response['all_nodes'] + nodes_available_but_not_configured = response['all_nodes'] - response['cluster_nodes'] if nodes_configured_but_not_available.any? warn "These nodes are configured but not available:", nodes_configured_but_not_available end 
@@ -51,6 +57,29 @@ class TestCouchdb < LeapTest end end + def test_04_acl_users_exist + acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp'] + url = couchdb_backend_url("/_users/_all_docs") + assert_get(url) do |body| + response = JSON.parse(body) + assert_equal 6, response['total_rows'] + actual_users = response['rows'].map{|row| row['id'].sub(/^org.couchdb.user:/, '') } + assert_equal acl_users, actual_users + end + pass + end + + def test_05_databases_exist + dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"] + dbs_that_should_exist.each do |db_name| + assert_get(couchdb_url("/"+db_name)) do |body| + assert response = JSON.parse(body) + assert_equal db_name, response['db_name'] + end + end + pass + end + private def couchdb_url(path="", port=nil) -- cgit v1.2.3 From 71f2d1b0b7db6bb35dd6bd9220795aed3174d90b Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 27 Dec 2013 16:47:57 -0800 Subject: added more network tests and pgrep test helper --- bin/run_tests | 19 ++++++++++++++++++- tests/white-box/couchdb.rb | 9 +++++---- tests/white-box/network.rb | 20 ++++++++++++++++++-- 3 files changed, 41 insertions(+), 7 deletions(-) diff --git a/bin/run_tests b/bin/run_tests index 86a72f26..f4778988 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -107,7 +107,7 @@ class LeapTest < MiniTest::Unit::TestCase options ||= {} get(url, params) do |body, response, error| if body - yield body + yield body if block_given? elsif response fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", options[:error_msg]].compact.join("\n") else 
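Review bot: `assert_equal 6, response['total_rows']` hard-codes a count that is already implied by `acl_users`, so the two assertions drift apart the moment a user is added to one and not the other; derive it, `assert_equal acl_users.length, response['total_rows']`, or drop it because the list comparison that follows is stricter. That full-list comparison also fails when an unexpected account exists in `_users`, which makes this test a useful check that no extra admin-capable user was created, and that intent deserves a comment such as `# also fails if an unexpected user exists in _users`.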
@@ -231,6 +231,22 @@ class LeapTest < MiniTest::Unit::TestCase return latest end + # + # works like pgrep command line + # return an array of hashes like so [{:pid => "1234", :process => "ls"}] + # + def pgrep(match) + output = `pgrep --full --list-name '#{match}'` + output.each_line.map{|line| + pid = line.split(' ')[0] + process = line.gsub(/(#{pid} |\n)/, '') + if process =~ /pgrep --full --list-name/ + nil + else + {:pid => pid, :process => process} + end + }.compact + end end # @@ -310,6 +326,7 @@ class LeapRunner < MiniTest::Unit # def report_line(prefix, klass, meth, e=nil, message=nil) if message + message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:password@") indent = "\n " msg_txt = indent + message.split("\n").join(indent) end diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index 3abddefc..c83e5714 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -3,6 +3,7 @@ raise SkipTest unless $node["services"].include?("couchdb") require 'json' class TestCouchdb < LeapTest + depends_on "TestNetwork" def setup end @@ -10,7 +11,7 @@ class TestCouchdb < LeapTest # # check to make sure we can get welcome response from local couchdb # - def test_01_is_running + def test_01_couch_is_running assert_get(couchdb_url) do |body| assert_match /"couchdb":"Welcome"/, body, "Could not get welcome message from #{couchdb_url}. Probably couchdb is not running." end @@ -39,7 +40,7 @@ class TestCouchdb < LeapTest # # this seems backward to me, so it might be the other way around. # - def test_03_replica_membership + def test_03_replica_membership_is_kosher url = couchdb_url("/_membership") assert_get(url) do |body| response = JSON.parse(body) 
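Review bot: `pgrep` builds a shell command by interpolating `match` inside single quotes, so a pattern containing `'` breaks the quoting and whatever follows is executed by the shell; the patterns come from the test files today, but the helper should not depend on that. Use the list form so no shell is involved, e.g. `output = IO.popen(['pgrep', '--full', '--list-name', match], &:read)`, which also avoids spawning the intermediate `sh -c` process that the `process =~ /pgrep --full --list-name/` filter appears to exist to skip. That filter would also silently drop any unrelated process whose command line contains that text, so removing the need for it is a correctness gain as well.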
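Review bot: The password-masking regex `[a-zA-Z0-9_]+` only redacts credentials made of word characters; a password containing `-`, `.`, `%` or any other URL-safe character is left in the report unchanged, and because the substitution silently does nothing there is no signal that the leak happened. Match everything up to the `@` instead, `message = message.gsub(/(https?:\/\/[^:\/\s]+:)[^@\s]+@/, "\\1password@")`, and use `gsub` so that a message carrying several URLs is fully masked. This is only an output-layer defence; the tests still embed the admin password in `couchdb_url`, so the masking should not be the sole control.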
@@ -64,12 +65,12 @@ class TestCouchdb < LeapTest response = JSON.parse(body) assert_equal 6, response['total_rows'] actual_users = response['rows'].map{|row| row['id'].sub(/^org.couchdb.user:/, '') } - assert_equal acl_users, actual_users + assert_equal acl_users.sort, actual_users.sort end pass end - def test_05_databases_exist + def test_05_required_databases_exist dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"] dbs_that_should_exist.each do |db_name| assert_get(couchdb_url("/"+db_name)) do |body| diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 02eb80ca..53df80dc 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -7,6 +7,11 @@ class TestNetwork < LeapTest def setup end + def test_01_can_connect_to_internet + assert_get('http://www.google.com/images/srpr/logo11w.png') + pass + end + # # example properties: # 
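Review bot: `test_01_can_connect_to_internet` fetches a resource from google.com over plain HTTP, so every test run on a privacy-oriented provider's nodes reports activity to a third party, and a captive portal or transparent proxy that answers 200 to any HTTP request makes the check pass without real connectivity. Point it at an endpoint the provider controls, or at least at an HTTPS URL, and add a comment stating why the target was chosen, e.g. `# probes outbound connectivity; keep this a provider-controlled host to avoid leaking test activity`. Whether `assert_get` validates TLS certificates is not visible here and should be confirmed before relying on HTTPS for this.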
@@ -20,15 +25,24 @@ class TestNetwork < LeapTest # accept: 15984 # connect: "127.0.0.1:5984" # - def test_01_stunnel_is_running + def test_02_stunnel_is_running if $node['stunnel'] + good_stunnel_pids = [] $node['stunnel'].each do |stunnel_type, stunnel_configs| if stunnel_type =~ /_clients?$/ - stunnel_configs.values.each do |stunnel_conf| + stunnel_configs.each do |stunnel_name, stunnel_conf| + config_file_name = "/etc/stunnel/#{stunnel_name}.conf" + processes = pgrep(config_file_name) + assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`" + good_stunnel_pids += processes.map{|ps| ps[:pid]} assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' assert_tcp_socket('localhost', port) end elsif stunnel_type =~ /_server$/ + config_file_name = "/etc/stunnel/#{stunnel_type}.conf" + processes = pgrep(config_file_name) + assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`" + good_stunnel_pids += processes.map{|ps| ps[:pid]} assert accept = stunnel_configs['accept'], "Field `accept` must be present in property `stunnel.#{stunnel_type}`" assert_tcp_socket('localhost', accept) assert connect = stunnel_configs['connect'], "Field `connect` must be present in property `stunnel.#{stunnel_type}`" @@ -37,6 +51,8 @@ class TestNetwork < LeapTest skip "Unknown stunnel type `#{stunnel_type}`" end end + all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq + assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel" end pass end -- cgit v1.2.3 From 353475da8d535f2904e68977c3dafa6bb3bb483a Mon Sep 17 00:00:00 2001 
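Review bot: `assert_equal 6, processes.length` pins the number of stunnel processes per config file to a magic value in both the client and the server branch; that count depends on the stunnel version and how many workers it forks, so an unrelated stunnel upgrade turns this into a false failure, and the reason for six is not recorded anywhere. Either derive the expected count from the configuration that site_stunnel writes, or assert `processes.any?` and explain the bound in a comment such as `# stunnel forks worker processes; the exact count is version dependent`. The check added in the following hunk that no unconfigured stunnel pids exist is the valuable part and does not depend on the count, so loosening the number does not weaken it.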
From: elijah Date: Mon, 30 Dec 2013 18:04:30 -0800 Subject: tests -- added tests to check that the right processes are running --- bin/run_tests | 4 ++++ tests/white-box/couchdb.rb | 9 ++++++++- tests/white-box/openvpn.rb | 16 ++++++++++++++++ tests/white-box/webapp.rb | 6 ++++++ 4 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 tests/white-box/openvpn.rb diff --git a/bin/run_tests b/bin/run_tests index f4778988..a44fcdcf 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -249,6 +249,10 @@ class LeapTest < MiniTest::Unit::TestCase end end +def assert_running(process) + assert pgrep(process).any?, "No running process for #{process}" +end + # # Custom test runner in order to modify the output. # diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index c83e5714..93551367 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -8,10 +8,17 @@ class TestCouchdb < LeapTest def setup end + def test_00_daemons_running + assert_running 'tapicero' + assert_running 'bin/beam' + assert_running 'bin/epmd' + pass + end + # # check to make sure we can get welcome response from local couchdb # - def test_01_couch_is_running + def test_01_couch_is_working assert_get(couchdb_url) do |body| assert_match /"couchdb":"Welcome"/, body, "Could not get welcome message from #{couchdb_url}. Probably couchdb is not running." end diff --git a/tests/white-box/openvpn.rb b/tests/white-box/openvpn.rb new file mode 100644 index 00000000..2b1276f4 --- /dev/null +++ b/tests/white-box/openvpn.rb @@ -0,0 +1,16 @@ +raise SkipTest unless $node["services"].include?("openvpn") + +class TestOpenvpn < LeapTest + depends_on "TestNetwork" + + def setup + end + + def test_01_daemons_running + assert_running '/usr/sbin/openvpn .* /etc/openvpn/tcp_config.conf' + assert_running '/usr/sbin/openvpn .* /etc/openvpn/udp_config.conf' + assert_running '/usr/sbin/unbound' + pass + end + +end 
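Review bot: `assert_running` is defined after the `end` that closes `class LeapTest`, so it becomes a private method on `Object` rather than a member of the test base class; it still works only because `assert` and `pgrep` resolve through the test instance at call time. Move it inside the class next to `pgrep`, indented as a method, so readers of `LeapTest` can find it and it is not injected into every object, and document the contract with `# asserts that at least one process matches the pgrep --full pattern`. Note that the helper only checks existence, not that the process runs as the expected user or listens where it should.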
diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index aaad4426..09e92797 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -54,4 +54,10 @@ class TestWebapp < LeapTest pass end + def test_03_daemons_running + assert_running '/usr/sbin/apache2' + assert_running '/usr/bin/nickserver' + pass + end + end -- cgit v1.2.3 From c07e0f2f5ddd17c7d7bdb6a1afc4748b401f14ae Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 31 Dec 2013 17:09:22 +0100 Subject: add design docs for new soledad version to shared db --- puppet/modules/site_couchdb/files/designs/shared/docs.json | 12 ++++++++++++ puppet/modules/site_couchdb/files/designs/shared/syncs.json | 11 +++++++++++ .../site_couchdb/files/designs/shared/transactions.json | 12 ++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/designs/shared/docs.json create mode 100644 puppet/modules/site_couchdb/files/designs/shared/syncs.json create mode 100644 puppet/modules/site_couchdb/files/designs/shared/transactions.json diff --git a/puppet/modules/site_couchdb/files/designs/shared/docs.json b/puppet/modules/site_couchdb/files/designs/shared/docs.json new file mode 100644 index 00000000..4aad02aa --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/shared/docs.json 
@@ -0,0 +1,12 @@ +{ + "views" : { + "get" : { + "map" : "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" + } + }, + "_id" : "_design/docs", + "updates" : { + "resolve_doc" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'conflicts': '',\n * }\n */\n var body = JSON.parse(req.body);\n\n // fail if no document was given\n if (!doc) {\n return [null, 'document does not exist']\n } \n\n // fail if couch revisions do not match\n if (body['couch_rev'] != null\n && doc['_rev'] != body['couch_rev']) {\n return [null, 'revision conflict']\n }\n\n // fail if conflicts were not sent\n if (body['conflicts'] == null)\n return [null, 'missing conflicts']\n\n // save conflicts as attachment if they were sent\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n }\n // or delete attachment if there are no conflicts\n else if (doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts;\n\n return [doc, 'ok'];\n}\n", + "put" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'u1db_rev': '',\n * 'content': '',\n * 'trans_id': ''\n * 'conflicts': '',\n * 'update_conflicts': \n * }\n */\n var body = JSON.parse(req.body);\n\n // create a new document document\n if (!doc) {\n doc = {}\n doc['_id'] = req['id'];\n }\n // or fail if couch revisions do not match\n else if (doc['_rev'] != body['couch_rev']) {\n 
// of fail if revisions do not match\n return [null, 'revision conflict']\n }\n\n // store u1db rev\n doc.u1db_rev = body['u1db_rev'];\n\n // save content as attachment\n if (body['content'] != null) {\n // save u1db content as attachment\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_content = {\n content_type: \"application/octet-stream\",\n data: body['content'] // should be base64 encoded\n };\n }\n // or delete the attachment if document is tombstone\n else if (doc._attachments &&\n doc._attachments.u1db_content)\n delete doc._attachments.u1db_content;\n\n // store the transaction id\n if (!doc.u1db_transactions)\n doc.u1db_transactions = [];\n var d = new Date();\n doc.u1db_transactions.push([d.getTime(), body['trans_id']]);\n\n // save conflicts as attachment if they were sent\n if (body['update_conflicts'])\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n } else {\n if(doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts\n }\n\n return [doc, 'ok'];\n}\n" + } +} diff --git a/puppet/modules/site_couchdb/files/designs/shared/syncs.json b/puppet/modules/site_couchdb/files/designs/shared/syncs.json new file mode 100644 index 00000000..0df5ff74 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/shared/syncs.json 
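Review bot: Both update handlers call `JSON.parse(req.body)` and then read fields without checking their types, so a body that is not JSON, or whose `content`/`conflicts` is not a string, fails inside the query server and reaches the client as a generic error instead of a clear `[null, 'invalid body']` response from the handler itself. The `put` handler records each transaction as `[d.getTime(), body['trans_id']]`, and the transactions design document on this page orders the log by that timestamp, so generation numbering depends on the wall clock of whichever node runs the handler; on a multi-node bigcouch cluster that presumably relies on the nodes' clocks agreeing and deserves a comment on that line, e.g. `// transaction order depends on node clock agreement; see the transactions design doc`. For a new document `put` performs no revision check at all while `resolve_doc` rejects a missing document, which looks intended but should be stated in the header comment.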
@@ -0,0 +1,11 @@ +{ + "views" : { + "log" : { + "map" : "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" + } + }, + "_id" : "_design/syncs", + "updates" : { + "put" : "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" + } +} diff --git a/puppet/modules/site_couchdb/files/designs/shared/transactions.json b/puppet/modules/site_couchdb/files/designs/shared/transactions.json new file mode 100644 index 00000000..8fcb84d1 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/shared/transactions.json 
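Review bot: `body = JSON.parse(req.body);` in the `put` update handler is assigned without `var`, so it creates or overwrites a global in the query server's JavaScript context and is a ReferenceError under strict mode; it should be `var body = JSON.parse(req.body);`. The handler also assumes `doc['syncs']` is an array for an existing document, so a `u1db_sync_log` document written by another path without that field throws at `.filter`; guarding with `doc['syncs'] = doc['syncs'] || [];` keeps the handler total.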
@@ -0,0 +1,12 @@ +{ + "lists" : { + "generation" : "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n", + "whats_changed" : "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n", + "trans_id_for_gen" : "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n" + }, + "views" : { + "log" : { + "map" : "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" + } + } +} -- cgit v1.2.3 From fefab2386f0fbd9f218dc0b361eb833875c27f56 Mon Sep 17 00:00:00 2001 
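Review bot: In `trans_id_for_gen` the only bound check is `if (gen <= rows.length)`, so `?gen=0` or a negative value passes it and `rows[gen-1]['id']` throws a TypeError from the list function instead of returning `{}`; the check should be `if (gen >= 1 && gen <= rows.length)`. Both `whats_changed` and `trans_id_for_gen` call `parseInt` without a radix and never reject `NaN`, so a non-numeric `gen` or `old_gen` silently yields an empty or erroring response; use `parseInt(x, 10)` and return an explicit error when `isNaN` is true. These list functions are presumably reachable by any client that can read the shared database, so these input checks are the only validation the parameters get.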
From: elijah Date: Sun, 29 Dec 2013 22:16:03 -0800 Subject: added support for minimum client version checking --- provider_base/provider.json | 6 +++++- provider_base/services/webapp.json | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 11 ++++++++++- puppet/modules/site_webapp/templates/config.yml.erb | 1 + 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index 5b335e8a..8864e24d 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -50,5 +50,9 @@ "unlimited_prefix": "UNLIMITED" } }, - "hiera_sync_destination": "/etc/leap" + "hiera_sync_destination": "/etc/leap", + "client_version": { + "min": "0.5", + "max": null + } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ca7e7309..08c7c5b0 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -14,7 +14,8 @@ "git": { "source": "https://leap.se/git/leap_web", "revision": "origin/master" - } + }, + "client_version": "= global.provider.client_version" }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ae644287..f8216aa4 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -80,11 +80,20 @@ class site_webapp { } file { - '/srv/leap/webapp/public/provider.json': + '/srv/leap/webapp/config/provider': + ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + '/srv/leap/webapp/config/provider/provider.json': content => $provider, require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; + # old provider.json location. this can be removed after everyone upgrades. + '/srv/leap/webapp/public/provider.json': + ensure => absent; + '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 6b45abc2..98f8564e 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -14,3 +14,4 @@ production: allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" + minimum_client_version: "<%= @webapp['client_version']['min'] %>" -- cgit v1.2.3 From 43c7680458664c12b788e490ce4f194a3313265c Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 3 Jan 2014 14:52:50 +0100 Subject: reduce tapicero log level. Debug is becoming quite verbose with the backtraces. Info should suffice as a default. --- puppet/modules/tapicero/templates/tapicero.yaml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index cfc02c5c..8e19b22f 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb 
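Review bot: `provider.json` now declares both `client_version.min` and `client_version.max`, but the template only writes `minimum_client_version`, so the `max` value is silently ignored by the webapp configuration; either add `maximum_client_version: "<%= @webapp['client_version']['max'] %>"` or document in provider.json that only `min` is enforced. If the key is added, note that a `null` max renders as the string `""` here, so the template should emit nothing for a nil value. The enclosing `production:` block starts outside the hunk.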
@@ -18,7 +18,7 @@ seq_file: "/var/lib/leap/tapicero/tapicero.seq" # Configure log_file like this if you want to log to a file instead of syslog: # log_file: "/var/leap/log/tapicero.log" -log_level: debug +log_level: info # tapicero specific options options: -- cgit v1.2.3 From 73e987b58646ba3fbedc2d4242ba904037c12d98 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 4 Jan 2014 17:59:53 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 090f014c..bab9edcb 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 090f014c63ae3e36662cacf9a0bdd2d51cd0e6e6 +Subproject commit bab9edcb8a081fc32570c3462c8ec7b3c6ce029d -- cgit v1.2.3 From ec080f77f5f4d12d4a67b604a20113a79d22c28a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 6 Jan 2014 17:25:15 +0100 Subject: install ntp on all platform nodes (Feature #4913) --- puppet/modules/site_config/manifests/packages/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 3e1d4a67..9d416043 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -3,7 +3,7 @@ class site_config::packages::base { include site_config::params # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: + package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: ensure => installed, } -- cgit v1.2.3 From f4eca7fba63c5e0cfe695812c11fae10778fd349 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Jan 2014 18:06:34 +0100 Subject: restrict bigcouch chttp proc to localhost --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index ad0c996a..fd7e67a1 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -42,11 +42,12 @@ class site_couchdb { $ednp_port = $bigcouch_config['ednp_port'] class { 'couchdb': - bigcouch => true, - admin_pw => $couchdb_admin_pw, - admin_salt => $couchdb_admin_salt, - bigcouch_cookie => $bigcouch_cookie, - ednp_port => $ednp_port + bigcouch => true, + admin_pw => $couchdb_admin_pw, + admin_salt => $couchdb_admin_salt, + bigcouch_cookie => $bigcouch_cookie, + ednp_port => $ednp_port, + chttpd_bind_address => '127.0.0.1' } class { 'couchdb::bigcouch::package::cloudant': } -- cgit v1.2.3 From e94ae94dd01cd256f89fb079cfca75a487dceed5 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 8 Jan 2014 17:26:59 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index bab9edcb..a6be3cc3 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit bab9edcb8a081fc32570c3462c8ec7b3c6ce029d +Subproject commit a6be3cc3ec8494c5e57bad3351493239bc16b756 -- cgit v1.2.3 From fe1561855cd7be38190d54913f84bae5ab3c9a4a Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 8 Jan 2014 14:21:38 -0800 Subject: fix webapp couchdb.yml to be couchdb.yml not couchdb.yml.webapp --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 7f6ebbc6..ff743fba 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
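Review bot: Binding `chttpd_bind_address` to `127.0.0.1` takes the clustered HTTP port off the network, but the tests on this page still reach the node-local port `5986`, and the Erlang distribution port `ednp_port` is configured in the same resource; nothing in the hunk shows whether those are bound to localhost or only filtered by shorewall. A comment stating the intended exposure model, e.g. `# chttpd is localhost-only; remote access goes through stunnel (site_couchdb::stunnel)`, would make the invariant reviewable, and the same restriction should be confirmed for the backend httpd port in the couchdb module.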
@@ -14,7 +14,7 @@ class site_webapp::couchdb { include x509::variables file { - '/srv/leap/webapp/config/couchdb.yml.webapp': + '/srv/leap/webapp/config/couchdb.yml': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, -- cgit v1.2.3 From 7fbad48e98cb49367041b22f7c94a8d0e001db33 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 7 Jan 2014 12:02:05 +0100 Subject: fix function issues in webapp design documents This change is a result of https://github.com/leapcode/leap_web/pull/133. Both should be deployed at the same time to prevent conflicts. --- .../site_couchdb/files/designs/identities/Identity.json | 4 ++-- puppet/modules/site_couchdb/files/designs/users/User.json | 10 +--------- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json index 8cf8c39b..2ac092ab 100644 --- a/puppet/modules/site_couchdb/files/designs/identities/Identity.json +++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json @@ -15,7 +15,7 @@ "reduce": "_sum" }, "pgp_key_by_email": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.keys === \"object\") {\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n }\n" }, "disabled": { "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" @@ -24,5 +24,5 @@ "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" } }, - "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" + "couchrest-hash": "e9004d70e26770c621a9667536429a68" } \ No newline at end of file 
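Review bot: Renaming the resource title from `couchdb.yml.webapp` to `couchdb.yml` stops Puppet from managing the old path but does not remove it, so nodes that already ran the previous manifest keep a stale `/srv/leap/webapp/config/couchdb.yml.webapp` containing whatever the template rendered. Add `'/srv/leap/webapp/config/couchdb.yml.webapp': ensure => absent;` to this `file` block, as the provider.json move earlier on this page does for its old location. The mode of the new file is outside the hunk; since the template presumably holds database credentials, it should be readable only by `leap-webapp`.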
diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json index c500822b..c99666cb 100644 --- a/puppet/modules/site_couchdb/files/designs/users/User.json +++ b/puppet/modules/site_couchdb/files/designs/users/User.json @@ -9,18 +9,10 @@ "all": { "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" }, - "by_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_login_or_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, "by_created_at": { "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", "reduce": "_sum" } }, - "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" + "couchrest-hash": "3bdbcd85b928ad911e0c89a8924e015c" } \ No newline at end of file -- cgit v1.2.3 From dfc1368452a6474cb4582aff0f3505a2b8b4842c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 13 Jan 2014 12:42:06 +0100 Subject: load_design_documents.sh fails (Bug #4945) --- puppet/modules/site_couchdb/manifests/designs.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp index 2d0a8326..83d6c8cd 100644 --- a/puppet/modules/site_couchdb/manifests/designs.pp +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -7,6 +7,7 @@ class site_couchdb::designs { ensure => directory, source => 'puppet:///modules/site_couchdb/designs', recurse => true, + purge => true, mode => '0755' } -- cgit v1.2.3 
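Review bot: `purge => true` combined with `recurse => true` deletes every file under the designs directory that the module does not ship, which cleans stale files on disk but does nothing for design documents already loaded into CouchDB, such as the `by_alias` views removed in the previous commit; if the load script only PUTs the files it finds, those views stay in the `users` database. A comment such as `# purge stale design files so the loader does not re-upload removed views; documents already in couch are not deleted here` would record that limit, and a cleanup step for the database side would close it.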
From 0e07e1b20acb844a6c610166c9918a92a093df73 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 20 Jan 2014 15:05:19 +0100 Subject: configure leap_platform to install our leap bigcouch package (Feature #4971) --- puppet/modules/site_couchdb/manifests/init.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index ad0c996a..e1414b34 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -49,10 +49,8 @@ class site_couchdb { ednp_port => $ednp_port } - class { 'couchdb::bigcouch::package::cloudant': } Class['site_config::default'] - -> Class['couchdb::bigcouch::package::cloudant'] -> Service['couchdb'] -> Class['site_couchdb::stunnel'] -> File['/root/.netrc'] -- cgit v1.2.3 From e91d7e016244da48be0a9ea23d3bb43bb3b8e93d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 21 Jan 2014 14:41:04 +0100 Subject: properly purge cloudant repository leftovers (#4971) --- .../modules/site_apt/files/keys/cloudant-key.asc | 52 ---------------------- puppet/modules/site_couchdb/manifests/init.pp | 7 +++ 2 files changed, 7 insertions(+), 52 deletions(-) delete mode 100644 puppet/modules/site_apt/files/keys/cloudant-key.asc diff --git a/puppet/modules/site_apt/files/keys/cloudant-key.asc b/puppet/modules/site_apt/files/keys/cloudant-key.asc deleted file mode 100644 index 99716a3c..00000000 --- a/puppet/modules/site_apt/files/keys/cloudant-key.asc +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) - -mQINBFE7fhIBEACrDREcODnhdugNozMeBawOm2irpNCP54yMljST/DOXx1uo3gQw -HnVcQ4lL7lXhbfL6Tp0WhrNYTWbbWHO0DaQbW0GQMHa2BGG0Xm0HPrjr3j55tAcM -NPr0ArDuplq4Py2pwviZiEtQkkn+biH9oV+N3jNO+8+zVHLVU7pHaX6Yd7HAxFM8 -XX+7SeVtplZ7nvSxUREiMNxQb9o0kYNRPS+b0UjiIXHrFO9afl7lTdg/I8AhKWa0 -3jJoY/IRvVopJblISQNGFipR11Lpu5sOHghgz4V8mk/in7JLMmoqSl5DP5VhRII8 -OyADBjaUJD2mkv5cGaevqpB4AId78X9+Y62gFJrGkIHY9uBxIUkRe+leYI4Zz4Bm -D9qBIbEY/kKkblTlC1G7u3qbGQcsbCRVIOnhruCih7vifcP40YwGUk5NmDA5AE78 -OovCGYGp4zMepDTSJxGT3sJOTEbzN09so6C7fQWBeQiiG5Uepp1q+VnaGpT1L4rc -Y6yRbu9dOFj6WzY4W5HtnbalzTIEYy+SIGZqRkJt6jREYLiFfyrpSFIgGoJAs0yx -9M0McXfeOod69TPufB1PeppnBwFcTmYNYxakusQxAebRDPEBZqoEgl0gMmxWbAdI -nxGMWWnSsN/Dj0dXRf1MG/5akOhX2zQcUzBOE2m/Xr5kjDPYFtFxVJDGzQARAQAB -tDNDbG91ZGFudCBQYWNrYWdlIFNpZ25pbmcgS2V5IDxzdXBwb3J0QGNsb3VkYW50 -LmNvbT6JAj4EEwECACgFAlE7fhICGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB -Ah4BAheAAAoJEFngH70Vvo4mciIP/AlqHA/LDtSYfrFwdXifY2ImCMyzYvH40Ko2 -DHCw2qDjvK5UXn1iWuzXidT7DrxOfYoZpzySRP7VGyHxa3VPhOtzLDZSvTpk9ELo -2x2IczUwLC17M0Iis4CpqlxSFIBYGX78pMzvsEyC4TFqUDfXRlye3apjD0iwK0hE -kdP1+TPdJjhWImJm+3TLu45zTw3Ph5dnf5pLQPNhKfBSdku+vRrd35N5hHso9S1y -Z3NrxcQlWnXuqkLIA14gM7qbBFD+el9Y+tZ7ERGYg3s5uNDQRTb0QC8zg/um2+zW -4hHmuRcWY3n8IgHcYUruC1VyrrsFIWWMyLv7SZkAAoSY+jKyESDfYpJQ8jtZ4EF9 -2/gYm4FgZR8j4gWkzHSLGVt/4EIykJZb0yIg/QEovmmHqpy8xYri3goMSl4h7tfF -TOCZLTzTyQ7xONdyEsrvQPhmdtXEgvSo5S7ZU9kkx32OjCoshLLjhtqAipBgEXqb -hElFo1oSyOVoGc7UNh7KNBjWfeP8dNdCbIbIYPMeM0/CVjD60kW5ZEVDuYglT+Rz -enJJvS4Hs+fq8cFNxMB+l64qE7iS+I6RP2bPeQM2aBa2UZNWxUIbXF7bb3zLrCGn -GT8GF1AFRoW3GiDzB7QnLVp8BhIaqFUzbDim+5mFFG8wguxHTiz4snDdQXq2Es6V -UETFsNsluQINBFE7fhIBEADIyLHyBh8AKJKQHksFAPHOyA48ocxgQDpQnqYlQcAK -D8eUbRXciIz4ePBmvjaQmz8wJgWULc04u4i9jK8Jd/Ks+VhEz3AjRBfjvkBaVMog -FMPKaoDn9LVMBSZJ3fcC1DVck1oO8LnFIdktt0zhvzG+pV5b/UTRsVZmwNh1p2dM -4cJswxlksJXYnI9tFA74qiomDCPYM0zpv7TEjX23PZTLqTSHP5aWctx+MIEtdoqp 
-EsEDL6npvYBRz/tuL41cUWs7CItH131Hyuizo4vGrxgWPnoXIxLmLOOZCMk/kbx0 -XCSvengqYwNgAOlIjewtTw+WJm1gtNQQeKmaXBX7njf2Wz7LI/0KVxttEpKT5/5y -embOGn7My9i7zOc1frMCDivIOTQDBZTzR9o7/6wUJ69DIoFLMlO8UcCK3R7o5VUI -ezx+XYsOAD7D2vKoiD8Se65Vnax2rfFlLP7OQqdem5l2lkHpJzP3lA8qmA2MfJ7V -jsk7eDSyJQjG5c6KBoaFlYGhp/E2kR82cAKVaFIbW3euMM4XK6Mgzy3+DVKfk8mu -AEuHub7plfxM+65yjLNAK6l6IKtY1HfM7F4GFyNSd3mNNcWN7ceIHh8Ur4DeD2Tp -7r3XcWd6/czLYNsw2BAHeVUxnMTCeGN99UZTtHgVq9IJMOCDOPwMSzHFfZ6sNaYL -qQARAQABiQIlBBgBAgAPBQJRO34SAhsMBQkB4TOAAAoJEFngH70Vvo4mpokP/jJJ -2mXdhMVqZCtZhwphJfdxg8nBERzrd6ebXxKbTq1MmSN/fDwLknPabFHUpzk1ADCf -6mh2o0HB+67yMzo1UVtyfPOaHgCE/pWer5ultJM8gOdpBfSWL8jRwU8ZQ4fDu3z8 -AC6zTNq7znOVLEzZPy8U7q5Rt5/6QdQYoTLe6DwlLmkflzWP5VWi/mTGvtu/t5OV -tGZkzBYQ5QAXRXXkKswqkJpQFuW6d1vlYm9+x/+Q1+2kGT+CKbRAkqkf77qVcyJR -1M2JQSs4ko+rLMZzr01sYA+EBD17nxqV8vUdYebNc9Qnk8Aphid1zarUbySgAdnJ -5SLAjLe/6N6IEE9F3uKsPEs87gJrnwrYHRrmu0wAPwA0cMmtgD4Bz7Iiz4CLYPFW -rHpQCA313K+rS/LLfLBL66wIRKcPuYIFR9N03jX9eGR6qtk0b5Zb3YjWOo4V9Q1r -o+g6IB0Us5vH6ISuokq7Bv+8cXhEMVoctL9A8xWN1KDkweZ+7dNWCGV8lUWKy3Hw -ig6hENH6H7J57U8H2v2aZTeUo6e7VDP9gddNKPSEEeoBKfVnWYGoG8mVPQ2PzTgZ -ZO2vwp4c3Ix/kIV3xe+/Opcq1lxYhD7HSre1MB7HOeFmis6tBBjMJPaatZVfzj1v -6Uhz5oUCwcPol8rsp69DvGVUPSHfDwBxurDX71oG -=lEm7 ------END PGP PUBLIC KEY BLOCK----- diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e1414b34..4cd7ce03 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -49,8 +49,15 @@ class site_couchdb { ednp_port => $ednp_port } + # ensure that we don't have leftovers from previous installations + # where we installed the cloudant bigcouch package + # https://leap.se/code/issues/4971 + class { 'couchdb::bigcouch::package::cloudant': + ensure => absent + } Class['site_config::default'] + -> Class['couchdb::bigcouch::package::cloudant'] -> Service['couchdb'] -> Class['site_couchdb::stunnel'] -> File['/root/.netrc'] -- cgit v1.2.3 
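Review bot: Declaring `couchdb::bigcouch::package::cloudant` with `ensure => absent` covers the package, but the Cloudant signing key was only deleted from this repository; on nodes where it was already imported, the key remains in the apt keyring unless that class also removes it and the corresponding sources entry, which is not visible from this hunk. Confirm the class does that, or add an explicit removal of the key and source, and say so in the comment, e.g. `# also removes the cloudant apt source and signing key; a leftover trusted key would accept packages from that repo if it were ever re-added`.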
From 77c5574d77267b3a92cfe35cb285c3b9eb47de32 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 21 Jan 2014 16:28:44 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index bab9edcb..32dba50b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit bab9edcb8a081fc32570c3462c8ec7b3c6ce029d +Subproject commit 32dba50beb0c24b9b883e495149b353aa70506c6 -- cgit v1.2.3 From e7fe6d504565b7e0234681ed500059a54739f2e3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 Jan 2014 16:47:59 +0100 Subject: anonymize webapp ips (Bug #4896) --- puppet/modules/site_apache/manifests/module/removeip.pp | 5 +++++ puppet/modules/site_webapp/manifests/apache.pp | 1 + 2 files changed, 6 insertions(+) create mode 100644 puppet/modules/site_apache/manifests/module/removeip.pp diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp new file mode 100644 index 00000000..f106167a --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/removeip.pp @@ -0,0 +1,5 @@ +class site_apache::module::removeip ( $ensure = present ) +{ + package { 'libapache2-mod-removeip': ensure => $ensure } + apache::module { 'removeip': ensure => $ensure } +} diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 581922cb..d327877a 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -22,6 +22,7 @@ class site_webapp::apache { include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires + include site_apache::module::removeip class { 'passenger': use_munin => false } -- cgit v1.2.3 From c356125d06b8c19146f8bd6f34e31da38bfd7cc2 Mon Sep 17 00:00:00 2001 
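Review bot: mod_removeip rewrites the client address on every request, so anything in the webapp vhost that keys on `REMOTE_ADDR` — `Require ip`/`Allow from` rules, rate limiting, or fail2ban-style log analysis — stops distinguishing clients once this module is loaded, and nothing here records that trade-off. Add a comment on the include, e.g. `# anonymizes client IPs in logs and REMOTE_ADDR; IP-based access rules in this vhost will no longer work`, and check whether any existing access control in the vhost relies on the address. Whether the module's replacement address is configured or left at its default is not visible in this hunk.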
From: varac Date: Fri, 24 Jan 2014 17:36:04 +0100 Subject: swiss privacy foundation changed their nameserver IPs: http://www.privacyfoundation.ch/de/service/server.html --- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b307f18b..05990c67 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,7 +8,7 @@ class site_config::resolvconf { nameservers => [ '127.0.0.1 # local caching-only, unbound', '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', - '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + '77.109.138.45 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' ] } } -- cgit v1.2.3 From 96bf170f0659dd91fa0a0377e8da476c2603765d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 29 Jan 2014 17:26:02 +0100 Subject: add a .mailmap so authors show up with a unified name/email combination --- .mailmap | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .mailmap diff --git a/.mailmap b/.mailmap new file mode 100644 index 00000000..aee70b0a --- /dev/null +++ b/.mailmap @@ -0,0 +1,8 @@ +Varac +Micah Anderson Micah Anderson +Micah Anderson micah +Kwadronaut +Elijah elijah +Elijah elijah +Leap Admins root + -- cgit v1.2.3 From d8112f6c897579cbb8bbe1230ca5d0eff6746def Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 30 Jan 2014 17:19:50 +0100 Subject: updated submodule rubygems, change gem source to use https instead of http (Feature #3827) --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index 1e5ed3db..7e0240ac 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems 
@@ -1 +1 @@ -Subproject commit 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a8 +Subproject commit 7e0240acce5a338e7cc2b55f1f8ba749634c5da4 -- cgit v1.2.3 From d91494c57bc5929853c5ad0bb99212c98b7c3c95 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Feb 2014 16:19:54 +0100 Subject: added submodule check_mk from https://git.codecoop.org/varacanero/puppet_check_mk.git --- .gitmodules | 3 +++ puppet/modules/check_mk | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/check_mk diff --git a/.gitmodules b/.gitmodules index cc8afdb5..13b43e88 100644 --- a/.gitmodules +++ b/.gitmodules @@ -88,3 +88,6 @@ [submodule "puppet/modules/sysctl"] path = puppet/modules/sysctl url = https://leap.se/git/puppet_sysctl +[submodule "puppet/modules/check_mk"] + path = puppet/modules/check_mk + url = https://git.codecoop.org/varacanero/puppet_check_mk.git diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk new file mode 160000 index 00000000..4cd47d03 --- /dev/null +++ b/puppet/modules/check_mk @@ -0,0 +1 @@ +Subproject commit 4cd47d03c68d8530dcbff37c5bc1cf6a8006d767 -- cgit v1.2.3 From dde7b18cc0ad265aa7f7b8ccf4fedd9f0542fc74 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 16:44:23 +0100 Subject: site_nagios::client: install check_mk agent --- puppet/modules/site_nagios/manifests/client.pp | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/client.pp diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp new file mode 100644 index 00000000..ea6062a0 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -0,0 +1,5 @@ +class site_nagios::client { + package { [ 'check-mk-agent', 'check-mk-agent-logwatch' ]: + ensure => installed, + } +} -- cgit v1.2.3 From 6156db5b5b817d35cfba185923ce2f5e65a0108a Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 5 Feb 2014 17:00:58 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 4cd47d03..b449ad81 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 4cd47d03c68d8530dcbff37c5bc1cf6a8006d767 +Subproject commit b449ad813d8c9672d23393ca30bbfd3dc1dd7fe3 -- cgit v1.2.3 From e93ca6ae1ebb794fb72ade75ef2e5b27b86619c8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:14:44 +0100 Subject: include site_nagios::client by default --- puppet/modules/site_config/manifests/default.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d85d9c8f..a09a30d2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -86,4 +86,6 @@ class site_config::default { if defined( '::site_custom') { include ::site_custom } + + include site_nagios::client } -- cgit v1.2.3 From db04294845924edb70a6f181f67a49a80cf3a09e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:17:00 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index b449ad81..e291b2c0 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit b449ad813d8c9672d23393ca30bbfd3dc1dd7fe3 +Subproject commit e291b2c07667ebfd73058cd2cab618d497f25f69 -- cgit v1.2.3 From dbca8237f915e2a4d3802d90dcb10aece50a4cc4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:24:49 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index e291b2c0..cd99b5b9 160000 
--- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit e291b2c07667ebfd73058cd2cab618d497f25f69 +Subproject commit cd99b5b90f8096e0c444aa923692342881346998 -- cgit v1.2.3 From 3d22399b2da5fe010ab15de5c641b67f45dc1982 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:29:01 +0100 Subject: use check_mk::agent to install check-mk-agent --- puppet/modules/site_nagios/manifests/client.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp index ea6062a0..82063dc3 100644 --- a/puppet/modules/site_nagios/manifests/client.pp +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -1,5 +1,9 @@ class site_nagios::client { - package { [ 'check-mk-agent', 'check-mk-agent-logwatch' ]: - ensure => installed, + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false } } -- cgit v1.2.3 From 166bf4a33123afe5b17db68c22712408ebfb26ad Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 14:00:42 +0100 Subject: added site_nagios::server::check_mk --- .../site_nagios/manifests/server/check_mk.pp | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server/check_mk.pp diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp new file mode 100644 index 00000000..c6676d76 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp 
@@ -0,0 +1,24 @@ +class site_nagios::server::check_mk { + + # override paths to use the system check_mk rather than OMD + class { 'check_mk::config': + site => '', + etc_dir => '/etc', + bin_dir => '/usr/bin', + host_groups => undef + } + + file { + '/etc/nagios/check_mk': + ensure => directory, + owner => root, + group => root, + mode => '0755'; + + '/etc/nagios/check_mk/.ssh': + ensure => directory, + owner => root, + group => root, + mode => '0755'; + } +} -- cgit v1.2.3 From f7d12c8b3c31891635f188a37844e33288429a9f Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 14:05:38 +0100 Subject: added site_nagios::server::apache --- puppet/modules/site_nagios/manifests/server.pp | 1 + puppet/modules/site_nagios/manifests/server/apache.pp | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server/apache.pp diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..3cb58f9a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -37,5 +37,6 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) + include site_nagios::apache include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp new file mode 100644 index 00000000..8dbc7e9b --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/apache.pp @@ -0,0 +1,7 @@ +class site_nagios::server::apache { + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + +} -- cgit v1.2.3 From 36e5202181452c385b52e183e50166dec6c456d9 Mon Sep 17 00:00:00 2001 
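Review bot: `/etc/nagios/check_mk/.ssh` is created with `mode => '0755'` and `owner => root`, which is a permissive mode for a directory that, judging by its name, is meant to hold SSH key material; `0700` is the conventional mode for a `.ssh` directory and avoids relying solely on per-file permissions. If the directory is only a placeholder for a key deployed elsewhere, a comment above the file block should say so. The comment explaining `site => ''` and `etc_dir => '/etc'` is helpful; `host_groups => undef` deserves the same one-line explanation.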
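Review bot: `include site_nagios::apache` does not match the class this commit creates, `site_nagios::server::apache` (server/apache.pp), so catalog compilation on the monitor node will fail with an unknown-class error until the line reads `include site_nagios::server::apache`. The enclosing `class site_nagios::server` starts outside the hunk.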
From: varac Date: Thu, 6 Feb 2014 15:36:12 +0100 Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) --- provider_base/services/monitor.json | 9 +++ puppet/modules/site_apache/manifests/common.pp | 26 ++++++++ .../site_apache/templates/vhosts.d/common.conf.erb | 72 ++++++++++++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 67 -------------------- puppet/modules/site_nagios/manifests/server.pp | 22 +++++-- puppet/modules/site_webapp/manifests/apache.pp | 18 +----- 6 files changed, 126 insertions(+), 88 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common.pp create mode 100644 puppet/modules/site_apache/templates/vhosts.d/common.conf.erb delete mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index c3e2b954..142a4b5e 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -2,5 +2,14 @@ "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp new file mode 100644 index 00000000..72f24838 --- /dev/null +++ b/puppet/modules/site_apache/manifests/common.pp 
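Review bot: The new `x509` block hands monitor nodes `client_ca_key` — the client CA private key — alongside the commercial cert and key, yet nothing on the monitor side in this commit consumes it: common.pp and common.conf.erb only reference the commercial cert, key and CA. Copying a signing key to a host that does not sign anything widens the impact of a compromised monitor node for no visible benefit; unless a consumer exists outside this diff, drop `"client_ca_key"` (and `"client_ca_cert"`/`"ca_cert"` if likewise unused) from monitor.json, or add a comment naming the service that needs it.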
@@ -0,0 +1,26 @@ +class site_apache::common { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + include site_apache::module::rewrite + + class { '::apache': no_default_site => true, ssl => true } + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } + +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb new file mode 100644 index 00000000..30f0a6b1 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
@@ -0,0 +1,72 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain_name %> + ServerAlias <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + +<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 
'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + + +<% if (defined? @services) and (@services.include? 'monitor') -%> + + <% if (defined? @services) and (@services.include? 'webapp') -%> + PassengerEnabled off + <% end -%> + AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" + +<% end -%> + + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb deleted file mode 100644 index a001552a..00000000 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ /dev/null 
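Review bot: `Header set X-Frame-Options: "ALLOW"` in the monitor block is not a valid X-Frame-Options directive: the header name carries a stray colon and `ALLOW` is not a defined value (only `DENY`, `SAMEORIGIN` and `ALLOW-FROM` are), so browsers ignore it and the Nagios UI is left with no framing protection rather than a deliberate exception. If the intent described in the comment is to let Nagios frame its own pages, `Header set X-Frame-Options "SAMEORIGIN"` achieves that while still blocking third-party framing. Separately, the SSL block carried over from leap_webapp.conf.erb keeps `SSLProtocol -all +SSLv3 +TLSv1`; since this template is now shared by the webapp and monitor vhosts, `SSLProtocol -all +TLSv1` (or newer) drops SSLv3 for both in one place.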
@@ -1,67 +0,0 @@ - - ServerName <%= domain %> - ServerAlias www.<%= domain %> - RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] - - - - ServerName <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> - - SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - SSLHonorCipherOrder on - - SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - - RequestHeader set X_FORWARDED_PROTO 'https' - - -<% if @webapp['secure'] -%> - Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" -<% end -%> - Header always unset X-Powered-By - Header always unset X-Runtime - - - DocumentRoot /srv/leap/webapp/public - - RewriteEngine On - # Check for maintenance file and redirect all requests - RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f - RewriteCond %{SCRIPT_FILENAME} !maintenance.html - RewriteCond %{REQUEST_URI} !/images/maintenance.jpg - RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] - - # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt - AllowEncodedSlashes on - PassengerAllowEncodedSlashes on - PassengerFriendlyErrorPages off - SetEnv TMPDIR /var/tmp - - # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) - - Header unset ETag - FileETag None - ExpiresActive On - ExpiresDefault "access plus 1 year" - - - <% if (defined? @services) and (@services.include? 
'monitor') -%> - - PassengerEnabled off - AllowOverride all - # Nagios won't work with setting this option to "DENY", - # as set in conf.d/security (#4169). Therefor we allow - # it here, only for nagios. - Header set X-Frame-Options: "ALLOW" - - <% end -%> - - diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..9f66c8ea 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -11,18 +11,32 @@ class site_nagios::server inherits nagios::base { include nagios::defaults include nagios::base - #Class ['nagios'] -> Class ['nagios::defaults'] - class {'nagios::apache': + class {'nagios': + # don't manage apache class from nagios, cause we already include + # it in site_apache::common + httpd => 'absent', allow_external_cmd => true, stored_config => false, - #before => Class ['nagios::defaults'] } + # - [monitor2] err: /Stage[main]/Site_nagios::Server/Apache::Config::Global[nagios3.conf]/Apache::Config::File[nagios3.conf]/File[apache_nagios3.conf]/ensure: change from absent to link failed: Cannot create a symlink without a target at /srv/leap/puppet/modules/apache/manifests/config/file.pp:32 + #apache::config::global { 'nagios3.conf': + # ensure => link, + # target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + #} + + file { '/etc/apache2/conf.d/nagios3.conf': + ensure => link, + target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + notify => Service['apache'] + } + + include site_apache::common include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, - content => "nagiosadmin:$nagiosadmin_pw", + content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640', } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d327877a..21243d34 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp 
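Review bot: `content => "nagiosadmin:${nagiosadmin_pw}"` writes `$nagiosadmin_pw` into the htpasswd file verbatim; if that variable is the raw value of `= secret :nagios_admin_password` as monitor.json suggests, the file holds an unhashed password, and on Unix Apache's file backend does not accept plaintext htpasswd entries — so either the login fails or the secret is stored in the clear. Confirm which, and hash the value before writing it. The commented-out `apache::config::global` block with the pasted error line should become a one-line comment explaining why a plain `file` resource manages `/etc/apache2/conf.d/nagios3.conf`, e.g. `# apache::config::global cannot create this symlink (see #5096 error), so manage the link directly`. The enclosing `class site_nagios::server` starts outside the hunk.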
+++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -7,30 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] - - class { '::apache': no_default_site => true, ssl => true } - + include site_apache::common include site_apache::module::headers - include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip class { 'passenger': use_munin => false } - apache::vhost::file { - 'leap_webapp': - content => template('site_apache/vhosts.d/leap_webapp.conf.erb') - } - apache::vhost::file { 'api': content => template('site_apache/vhosts.d/api.conf.erb') -- cgit v1.2.3 From f2580e5f504aaa2b763e838fc50705355990e98e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 18:58:35 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index cd99b5b9..382cb6d2 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit cd99b5b90f8096e0c444aa923692342881346998 +Subproject commit 382cb6d2ab5fe05b9db7e4178cd16b71685bef59 -- cgit v1.2.3 From 102a22ff35c8cf844a3eabeb213a508e658e47c2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 23:46:04 +0100 Subject: add a comment why we use a custom way to populate authorized_keys --- puppet/modules/site_sshd/manifests/authorized_keys.pp | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index c18f691c..f36fe20f 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,4 +1,7 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { + # We use a custom define here to deploy the authorized_keys file + # cause puppet doesn't allow purgin before populating this file + # (see https://tickets.puppetlabs.com/browse/PUP-1174) # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} -- cgit v1.2.3 From b14ceb03bf9bfc77f43f1848400c868a2ab2208f Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 6 Feb 2014 23:38:00 -0800 Subject: added support for monitor ssh keys (requires latest leap_cli) --- platform.rb | 10 ++++++++-- provider_base/services/monitor.json | 6 ++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 60b0d9a5..62fb0215 100644 --- a/platform.rb +++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "0.2.4" - self.compatible_cli = "1.2.4".."1.99" + self.version = "0.3.0" + self.compatible_cli = "1.3.0".."1.99" # # the facter facts that should be gathered @@ -43,6 +43,8 @@ Leap::Platform.define do :user_pgp => 'users/#{arg}/#{arg}_pgp.pub', :known_hosts => 'files/ssh/known_hosts', :authorized_keys => 'files/ssh/authorized_keys', + :monitor_pub_key => 'files/ssh/monitor_ssh.pub', + :monitor_priv_key => 'files/ssh/monitor_ssh', :ca_key => 'files/ca/ca.key', :ca_cert => 'files/ca/ca.crt', :client_ca_key => 'files/ca/client_ca.key', @@ -73,5 +75,9 @@ Leap::Platform.define do self.node_files = [ :node_config, :hiera, :node_x509_cert, :node_x509_key, :node_ssh_pub_key ] + + self.monitor_username = 'monitor' + + self.reserved_usernames = ['monitor'] end 
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index c3e2b954..b6886603 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -2,5 +2,11 @@ "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + }, + "ssh": { + "monitor": { + "username": "= Leap::Platform.monitor_username", + "private_key": "= file(:monitor_priv_key)" + } } } -- cgit v1.2.3 From b9fa9cfc83d552faafe41ebba183fb06f45f6ca5 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 7 Feb 2014 00:01:42 -0800 Subject: monitor nodes get all nodes listed in /etc/hosts --- platform.rb | 2 +- provider_base/services/monitor.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/platform.rb b/platform.rb index 62fb0215..ee87789a 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.3.0" - self.compatible_cli = "1.3.0".."1.99" + self.compatible_cli = "1.3.1".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index b6886603..cf117869 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -3,6 +3,7 @@ "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" }, + "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])", "ssh": { "monitor": { "username": "= Leap::Platform.monitor_username", -- cgit v1.2.3 From 0ca517eabf4b4e2c0dd81c9941e5e503fb2469e1 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 14:40:37 +0100 Subject: platform version -> 0.5rc2 --- platform.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 60b0d9a5..7d84c3fb 100644 --- a/platform.rb 
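Review bot: `"private_key": "= file(:monitor_priv_key)"` embeds the monitor SSH private key in the node's generated configuration, so the key lives wherever that JSON/hiera data is rendered on the node, not only in the final key file; confirm that the rendered hiera file on the monitor node is root-only (0600), otherwise the key that authenticates to every other node is readable by any local user. A comment next to the entry, such as `# private half of the monitor key; the public half is pushed to all nodes' authorized_keys`, would make the sensitivity explicit.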
+++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "0.2.4" - self.compatible_cli = "1.2.4".."1.99" + self.version = "0.5rc2" + self.compatible_cli = "1.3.1".."1.99" # # the facter facts that should be gathered -- cgit v1.2.3 From f544b5d5fa6d7ad941332bbc787fc97e78a658b6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 15:41:09 +0100 Subject: added custom $datasource_programs check_mk variable to call the agent via ssh --- puppet/modules/site_check_mk/files/use_ssh.mk | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/use_ssh.mk diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk new file mode 100644 index 00000000..dbdcd4b5 --- /dev/null +++ b/puppet/modules/site_check_mk/files/use_ssh.mk @@ -0,0 +1,5 @@ +# http://mathias-kettner.de/checkmk_datasource_programs.html +datasource_programs = [ + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), +] + -- cgit v1.2.3 From d400d271e616f669cc6383a5893dd992a0efada2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 15:42:12 +0100 Subject: deploy check_mk pubkey on clients --- puppet/modules/site_nagios/manifests/client.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp index 82063dc3..cb72db54 100644 --- a/puppet/modules/site_nagios/manifests/client.pp +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -1,4 +1,9 @@ class site_nagios::client { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + class { 'check_mk::agent': agent_package_name => 'check-mk-agent', agent_logwatch_package_name => 'check-mk-agent-logwatch', 
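Review bot: The datasource command `ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent` runs from the check scheduler with no `-o BatchMode=yes`, so a missing or changed host key in the nagios user's known_hosts turns into an interactive prompt that hangs the check instead of failing fast; add `-o BatchMode=yes` so host-key problems surface as check errors. The line logs in as root on every host, so the client-side protection rests entirely on the forced command in the monitored node's authorized_keys — worth stating here, e.g. `# root login is confined by command="check_mk_agent" in each node's authorized_keys (site_nagios::client)`.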
@@ -6,4 +11,12 @@ class site_nagios::client { homedir => '/etc/nagios/check_mk', register_agent => false } + + file { '/root/.ssh/authorized_keys2': + owner => 'root', + group => 'root', + mode => '0600', + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ${type} ${pubkey} monitor" + } + } -- cgit v1.2.3 From 65281c7d46a0ebbb7c70eddaef9802ddb1885c65 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 15:42:46 +0100 Subject: deploy check_mk on monitoring server --- puppet/modules/site_nagios/manifests/server.pp | 3 +- .../site_nagios/manifests/server/check_mk.pp | 48 +++++++++++++++------- 2 files changed, 35 insertions(+), 16 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 6ade7d06..59a3bbb0 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -51,6 +51,7 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) - include site_nagios::apache + include site_nagios::server::apache + include site_nagios::server::check_mk include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index c6676d76..75bd4538 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp 
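Review bot: The key is written to `/root/.ssh/authorized_keys2`, which only works while sshd's `AuthorizedKeysFile` still includes the legacy `authorized_keys2` name; if site_sshd or a distro default sets that option explicitly, the file is silently ignored and the monitor cannot reach the agent. Either route the entry through the existing `site_sshd::authorized_keys` define or document the dependency above the resource, e.g. `# authorized_keys2 keeps this entry out of the purged authorized_keys file; sshd must still read .ssh/authorized_keys2`. Consider adding `from="<monitor-ip>"` to the option list so the forced-command key is usable only from the monitor node, and guard `$pubkey`/`$type` against being empty, since an unset hiera value yields a malformed line rather than a failure.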
@@ -1,24 +1,42 @@ class site_nagios::server::check_mk { + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + $seckey = $ssh_hash['monitor']['private_key'] + $all_hosts = '"localhost", "plain1"' + + package { 'check-mk-server': + ensure => installed, + } + # override paths to use the system check_mk rather than OMD class { 'check_mk::config': - site => '', - etc_dir => '/etc', - bin_dir => '/usr/bin', - host_groups => undef + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + require => Package['check-mk-server'] } file { - '/etc/nagios/check_mk': - ensure => directory, - owner => root, - group => root, - mode => '0755'; - - '/etc/nagios/check_mk/.ssh': - ensure => directory, - owner => root, - group => root, - mode => '0755'; + '/etc/check_mk/conf.d/use_ssh.mk': + source => 'puppet:///modules/site_check_mk/use_ssh.mk', + notify => Exec['check_mk-refresh']; + '/etc/check_mk/all_hosts_static': + content => $all_hosts, + notify => Exec['check_mk-refresh']; + '/etc/check_mk/.ssh': + ensure => directory; + '/etc/check_mk/.ssh/id_rsa': + content => $seckey, + owner => 'nagios', + mode => '0600'; + '/etc/check_mk/.ssh/id_rsa.pub': + content => "${type} ${pubkey} monitor", + owner => 'nagios', + mode => '0644'; } + } -- cgit v1.2.3 From b733f9b49b48f700673d4a4a98832a6c00a39dbf Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:29:46 +0100 Subject: updated LEAP archive signing key 0x1E34A1828E207901 --- puppet/modules/site_apt/files/keys/leap_key.asc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc index b69251f0..b6b5077b 100644 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ b/puppet/modules/site_apt/files/keys/leap_key.asc 
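Review bot: `$all_hosts = '"localhost", "plain1"'` hardcodes a host name that looks like a test node and writes it to `/etc/check_mk/all_hosts_static`, so the monitor will try to ssh to `plain1` on every deployment and real nodes are missed; the list should be derived from the hiera `nagios` hosts data that `site_nagios::server` already uses, or at minimum be marked `# TODO: temporary stub, replace with $hosts`. `/etc/check_mk/.ssh` has no `owner`/`mode`, so it is created as root 0755 while the key inside is `owner => 'nagios'`; `owner => 'nagios', mode => '0700'` on the directory keeps the usual `.ssh` layout. The `notify => Exec['check_mk-refresh']` references assume that exec is declared by the check_mk module — confirm, since a dangling reference fails the catalog.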
@@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) +Version: GnuPG v1.4.14 (GNU/Linux) mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ @@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC +UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK +rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 +a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs +XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X +8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt +MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ +9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s +KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 +lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ +HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW +6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR +Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT @@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== -=4STg +=Om8x -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 
From cac0061fe20ab42c9efee4dd80ec6a940c03c54e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:32:19 +0100 Subject: added local check_mk dir /etc/nagios3/local to nagios.cfg --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 753d1610..61d9f2da 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -25,6 +25,9 @@ log_file=/var/log/nagios3/nagios.log # Puppet-managed configuration files cfg_dir=/etc/nagios3/conf.d +# check-mk managed configuration files +cfg_dir=/etc/nagios3/local + # Debian also defaults to using the check commands defined by the debian # nagios-plugins package cfg_dir=/etc/nagios-plugins/config -- cgit v1.2.3 From 313b91b77cf4496d7cc31c46ef1e8e69ed53610c Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 8 Feb 2014 00:04:23 +0100 Subject: restricted check_mk ssh login a bit more --- puppet/modules/site_nagios/manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp index cb72db54..ff569142 100644 --- a/puppet/modules/site_nagios/manifests/client.pp +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -16,7 +16,7 @@ class site_nagios::client { owner => 'root', group => 'root', mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ${type} ${pubkey} monitor" + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" } } -- cgit v1.2.3 From f2f019d402345d6133cdfb6274d4b78d44e08ec9 Mon Sep 17 00:00:00 2001 
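Review bot: The option list now ends with a trailing comma before the key type (`no-user-rc, ${type}`); OpenSSH's option parser appears to tolerate an empty trailing option, but it is fragile and reads like a typo — drop the comma so the line is `...,no-pty,no-user-rc ${type} ${pubkey} monitor`. With `no-pty` and `no-user-rc` added, the remaining hardening gap is the source address: a `from="<monitor-ip>"` restriction would bind this root key to the monitor node. The enclosing `file` resource and class start outside the hunk.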
From: varac Date: Sat, 8 Feb 2014 13:59:37 +0100 Subject: reload nagios after check_mk --- puppet/modules/site_nagios/manifests/server/check_mk.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index 75bd4538..02cb8407 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -20,6 +20,8 @@ class site_nagios::server::check_mk { require => Package['check-mk-server'] } + Exec['check_mk-reload'] -> Service['nagios'] + file { '/etc/check_mk/conf.d/use_ssh.mk': source => 'puppet:///modules/site_check_mk/use_ssh.mk', -- cgit v1.2.3 From 6720bdba0c67893de713eee7f753fb582d06aa61 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 8 Feb 2014 14:00:10 +0100 Subject: disable purging of /etc/nagios3 and /etc/nagios3/conf.d --- puppet/modules/site_nagios/manifests/server/purge.pp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 39735cd3..18993586 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp 
@@ -1,7 +1,17 @@ -class site_nagios::server::purge { - exec {'purge_conf.d': - command => '/bin/rm -rf /etc/nagios3/conf.d/*', - onlyif => 'test -e /etc/nagios3/conf.d' +class site_nagios::server::purge inherits nagios::base { + # we don't want to get /etc/nagios3 and /etc/nagios3/conf.d + # purged, cause the check-mk-config-nagios3 package + # places its templates in /etc/nagios3/conf.d/check_mk, + # and check_mk -O updated it's nagios config in /etc/nagios3/conf.d/check_mk + File['nagios_cfgdir'] { + purge => false + } + File['nagios_confd'] { + purge => false } + exec {'purge_conf.d': + command => '/bin/rm -f /etc/nagios3/conf.d/nagios_*', + onlyif => 'find /etc/nagios3/conf.d/ | grep -q "/etc/nagios3/conf.d/nagios_"' + } } -- cgit v1.2.3 From 665db30f37838bcebbfdc368f65ed369282c31b8 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 9 Feb 2014 17:04:58 -0800 Subject: deploy a valid /etc/ssh/ssh_known_hosts for all nodes (requires new leap_cli) --- platform.rb | 4 ++-- provider_base/common.json | 1 - provider_base/services/monitor.json | 2 +- puppet/modules/site_sshd/manifests/init.pp | 9 +++++++++ puppet/modules/site_sshd/manifests/known_hosts.pp | 11 +++++++++++ puppet/modules/site_sshd/templates/ssh_known_hosts.erb | 5 +++++ 6 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 puppet/modules/site_sshd/manifests/known_hosts.pp create mode 100644 puppet/modules/site_sshd/templates/ssh_known_hosts.erb diff --git a/platform.rb b/platform.rb index ee87789a..54590f4b 100644 --- a/platform.rb +++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "0.3.0" - self.compatible_cli = "1.3.1".."1.99" + self.version = "0.4.0" + self.compatible_cli = "1.4.0".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/common.json b/provider_base/common.json index 07a45972..07a58bba 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
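Review bot: The `onlyif` command starts with a bare `find`, and Puppet's exec type rejects an unqualified command when no `path` attribute is given, so this resource fails validation on the node; `onlyif => '/usr/bin/find /etc/nagios3/conf.d/ | grep -q "/etc/nagios3/conf.d/nagios_"'` (qualified like the `/bin/rm` in `command`) or a `path` attribute fixes it. Both the `nagios_*` glob and the pipe in `onlyif` depend on a shell; the default provider appears to hand strings with metacharacters to /bin/sh, but `provider => shell` makes that dependency explicit. The class now `inherits nagios::base` to override File['nagios_cfgdir'] and File['nagios_confd']; those resource definitions are outside this hunk, so whether `purge => false` alone is enough cannot be checked here.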
@@ -16,7 +16,6 @@ }, "ssh": { "authorized_keys": "= authorized_keys", - "known_hosts": "=> known_hosts_file", "port": 22, "mosh": { "ports": "60000:61000", diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index cf117869..53e6b1f1 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -1,7 +1,7 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", - "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" }, "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])", "ssh": { diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 90dd2d0e..d2b13822 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') + $hosts = hiera_hash('hosts') ## ## SETUP AUTHORIZED KEYS @@ -11,6 +12,14 @@ class site_sshd { keys => $authorized_keys } + ## + ## SETUP KNOWN HOSTS + ## + + class { 'site_sshd::known_hosts': + hosts => $hosts + } + ## ## OPTIONAL MOSH SUPPORT ## diff --git a/puppet/modules/site_sshd/manifests/known_hosts.pp b/puppet/modules/site_sshd/manifests/known_hosts.pp new file mode 100644 index 00000000..290ffd0b --- /dev/null +++ b/puppet/modules/site_sshd/manifests/known_hosts.pp @@ -0,0 +1,11 @@ +class site_sshd::known_hosts ($hosts) { + # these owner and permissions seem odd to me, but it is what is defined + # in modules/sshd/manifests/client/base.pp, so we are going to stick with it. + file { '/etc/ssh/ssh_known_hosts': + ensure => present, + owner => root, + group => 0, + mode => '0644', + content => template('site_sshd/ssh_known_hosts.erb'); + } +} 
diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb new file mode 100644 index 00000000..c5a71378 --- /dev/null +++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb @@ -0,0 +1,5 @@ +# This file is generated by Puppet + +<% hosts.sort.each do |name, hash| -%> +<%=name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% end -%> -- cgit v1.2.3 From 8054778e83fbc1f5a34dcaee4b364b8ded44dbab Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Feb 2014 14:44:01 +0100 Subject: use default value for hiera lookup (#5118) --- puppet/modules/site_sshd/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d2b13822..d2de41c8 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,6 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') - $hosts = hiera_hash('hosts') + $hosts = hiera('hosts', '') ## ## SETUP AUTHORIZED KEYS -- cgit v1.2.3 From df342b1d4a12ea14aaaede6d876cca16028ba9a2 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Feb 2014 18:33:05 +0100 Subject: add all nodes to check_mk main.mk config --- puppet/modules/site_nagios/manifests/server/check_mk.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index 02cb8407..5e0795c1 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp 
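Review bot: The template emits one line per host unconditionally, so a host whose hash lacks `host_pub_key` (or `domain_internal` / `ip_address`) produces a line such as `name,,, ` with empty name fields and no key; ssh skips lines it cannot parse, which means that host silently ends up with no pinned key instead of failing loudly. Guarding the line with `<% if hash['host_pub_key'] -%>` … `<% end -%>` and building the name list from only the present fields, `<%= [name, hash['domain_full'], hash['domain_internal'], hash['ip_address']].compact.join(',') %> <%= hash['host_pub_key'] %>`, keeps the generated file well-formed. A later commit in this series adds the key guard but still writes the empty name fields.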
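Review bot: The new default `''` is a string, but the template iterates the value with `hosts.sort.each`, so on a node with no `hosts` entry the hiera lookup now succeeds and the catalog fails one step later inside template(), with a less useful error than the original hiera_hash failure gave. An empty hash, `$hosts = hiera('hosts', {})`, gives the no-hosts case a well-formed outcome: an empty ssh_known_hosts. Whether leap_cli ever omits `hosts` is not visible from this diff.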
@@ -4,7 +4,10 @@ class site_nagios::server::check_mk { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $all_hosts = '"localhost", "plain1"' + + $nagios_hiera = hiera_hash('nagios') + $hosts = $nagios_hiera['hosts'] + $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") package { 'check-mk-server': ensure => installed, -- cgit v1.2.3 From 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 15:36:12 +0100 Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) --- provider_base/services/monitor.json | 9 +++ puppet/modules/site_apache/manifests/common.pp | 26 ++++++++ .../site_apache/templates/vhosts.d/common.conf.erb | 72 ++++++++++++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 67 -------------------- puppet/modules/site_nagios/manifests/server.pp | 16 +++-- puppet/modules/site_webapp/manifests/apache.pp | 18 +----- 6 files changed, 120 insertions(+), 88 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common.pp create mode 100644 puppet/modules/site_apache/templates/vhosts.d/common.conf.erb delete mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index c3e2b954..142a4b5e 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json 
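Review bot: `$all_hosts` is now derived from the `nagios.hosts` hiera hash, which provider_base/services/monitor.json in the earlier known_hosts commit builds with `nodes_like_me[:services => '!monitor']`, so the monitor node itself drops out of the generated list, whereas the removed hard-coded value included `"localhost"`. If self-monitoring is still wanted, localhost has to be added back explicitly, e.g. in the inline template. The template also leaves a trailing `", "` after the last host, which only works if whatever reads /etc/check_mk/all_hosts_static wraps the value in a list literal; `inline_template("<%= @hosts.keys.sort.map { |k| '\"' + k + '\"' }.join(', ') %>")` avoids depending on that.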
@@ -2,5 +2,14 @@ "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp new file mode 100644 index 00000000..72f24838 --- /dev/null +++ b/puppet/modules/site_apache/manifests/common.pp @@ -0,0 +1,26 @@ +class site_apache::common { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + include site_apache::module::rewrite + + class { '::apache': no_default_site => true, ssl => true } + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } + +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb new file mode 100644 index 00000000..30f0a6b1 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
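Review bot: The x509 block hands the monitor node `client_ca_key`, the private key of the client CA, but nothing in this commit consumes it: site_apache::common includes only the commercial cert, key and CA classes, and common.conf.erb references only those paths. Deploying a CA signing key to a node that does not issue certificates widens the set of hosts whose compromise exposes it, so unless a consumer outside this diff needs it on the monitor node, `client_ca_key` should be dropped from monitor.json (and `client_ca_cert` / `ca_cert` reviewed the same way). A short comment in the manifest naming what each deployed file is for would make this kind of check routine.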
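Review bot: site_apache::common renders common.conf.erb, whose `Header` and `RequestHeader` directives require mod_headers, but the class includes only `site_apache::module::rewrite`; the template works today only because both callers, site_nagios::server and site_webapp::apache, include `site_apache::module::headers` themselves. Adding `include site_apache::module::headers` next to the rewrite include keeps the class self-contained and lets a third caller use it safely. The leading comment could also name the two current consumers, since "common" does not say which vhosts depend on this class.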
@@ -0,0 +1,72 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain_name %> + ServerAlias <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + +<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 
'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + + +<% if (defined? @services) and (@services.include? 'monitor') -%> + + <% if (defined? @services) and (@services.include? 'webapp') -%> + PassengerEnabled off + <% end -%> + AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" + +<% end -%> + + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb deleted file mode 100644 index a001552a..00000000 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ /dev/null 
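Review bot: `SSLProtocol -all +SSLv3 +TLSv1` keeps SSLv3 enabled and leaves TLS 1.1 and 1.2 off, and `HIGH:MEDIUM` admits RC4 suites on the OpenSSL of that era; for a new shared vhost template `SSLProtocol all -SSLv2 -SSLv3` with `!RC4` appended to the cipher string is the defensive choice. In the monitor section, `Header set X-Frame-Options: "ALLOW"` uses a value the header does not define, so browsers ignore it and the vhost ends up with no framing protection at all; since the aim is to let nagios frame its own pages, `Header set X-Frame-Options "SAMEORIGIN"` achieves that while still blocking cross-site framing. Both lines are carried over from the deleted leap_webapp.conf.erb, so neither problem is introduced by this commit, but the move is the natural point to fix them.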
@@ -1,67 +0,0 @@ - - ServerName <%= domain %> - ServerAlias www.<%= domain %> - RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] - - - - ServerName <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> - - SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - SSLHonorCipherOrder on - - SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - - RequestHeader set X_FORWARDED_PROTO 'https' - - -<% if @webapp['secure'] -%> - Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" -<% end -%> - Header always unset X-Powered-By - Header always unset X-Runtime - - - DocumentRoot /srv/leap/webapp/public - - RewriteEngine On - # Check for maintenance file and redirect all requests - RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f - RewriteCond %{SCRIPT_FILENAME} !maintenance.html - RewriteCond %{REQUEST_URI} !/images/maintenance.jpg - RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] - - # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt - AllowEncodedSlashes on - PassengerAllowEncodedSlashes on - PassengerFriendlyErrorPages off - SetEnv TMPDIR /var/tmp - - # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) - - Header unset ETag - FileETag None - ExpiresActive On - ExpiresDefault "access plus 1 year" - - - <% if (defined? @services) and (@services.include? 
'monitor') -%> - - PassengerEnabled off - AllowOverride all - # Nagios won't work with setting this option to "DENY", - # as set in conf.d/security (#4169). Therefor we allow - # it here, only for nagios. - Header set X-Frame-Options: "ALLOW" - - <% end -%> - - diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..b1e8a8cb 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -11,18 +11,26 @@ class site_nagios::server inherits nagios::base { include nagios::defaults include nagios::base - #Class ['nagios'] -> Class ['nagios::defaults'] - class {'nagios::apache': + class {'nagios': + # don't manage apache class from nagios, cause we already include + # it in site_apache::common + httpd => 'absent', allow_external_cmd => true, stored_config => false, - #before => Class ['nagios::defaults'] } + file { '/etc/apache2/conf.d/nagios3.conf': + ensure => link, + target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + notify => Service['apache'] + } + + include site_apache::common include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, - content => "nagiosadmin:$nagiosadmin_pw", + content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640', } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d327877a..21243d34 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
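Review bot: `/etc/apache2/conf.d/nagios3.conf` is made a symlink into `/usr/share/doc/nagios3-common/examples/`, and files under /usr/share/doc are documentation that minimal installs commonly strip or exclude, which would leave apache with a dangling include; the package's copy of that config under /etc/nagios3 would be the conventional target (confirm against the installed package). For the htpasswd file, `content => "nagiosadmin:${nagiosadmin_pw}"` only works if `$nagiosadmin_pw` already is a password hash, because Apache on Linux does not accept plain-text htpasswd entries; if hiera hands over the raw secret it needs hashing in the manifest, and a comment stating which form is expected would help either way.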
@@ -7,30 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] - - class { '::apache': no_default_site => true, ssl => true } - + include site_apache::common include site_apache::module::headers - include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip class { 'passenger': use_munin => false } - apache::vhost::file { - 'leap_webapp': - content => template('site_apache/vhosts.d/leap_webapp.conf.erb') - } - apache::vhost::file { 'api': content => template('site_apache/vhosts.d/api.conf.erb') -- cgit v1.2.3 From 0b3e87cd6916d4ca4404fd2b375d21468d17f343 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 10 Feb 2014 15:43:39 -0800 Subject: turn off StrictHostKeyChecking for vagrant ssh clients --- puppet/modules/site_sshd/manifests/init.pp | 15 +++++++++++--- puppet/modules/site_sshd/manifests/known_hosts.pp | 11 ----------- puppet/modules/site_sshd/templates/ssh_config.erb | 23 ++++++++++++++++++++++ .../site_sshd/templates/ssh_known_hosts.erb | 6 ++++-- 4 files changed, 39 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_sshd/manifests/known_hosts.pp create mode 100644 puppet/modules/site_sshd/templates/ssh_config.erb diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d2b13822..2bcde603 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
@@ -13,11 +13,20 @@ class site_sshd { } ## - ## SETUP KNOWN HOSTS + ## SETUP KNOWN HOSTS and SSH_CONFIG ## - class { 'site_sshd::known_hosts': - hosts => $hosts + file { + '/etc/ssh/ssh_known_hosts': + owner => root, + group => root, + mode => '0644', + content => template('site_sshd/ssh_known_hosts.erb'); + '/etc/ssh/ssh_config': + owner => root, + group => root, + mode => '0644', + content => template('site_sshd/ssh_config.erb'); } ## diff --git a/puppet/modules/site_sshd/manifests/known_hosts.pp b/puppet/modules/site_sshd/manifests/known_hosts.pp deleted file mode 100644 index 290ffd0b..00000000 --- a/puppet/modules/site_sshd/manifests/known_hosts.pp +++ /dev/null @@ -1,11 +0,0 @@ -class site_sshd::known_hosts ($hosts) { - # these owner and permissions seem odd to me, but it is what is defined - # in modules/sshd/manifests/client/base.pp, so we are going to stick with it. - file { '/etc/ssh/ssh_known_hosts': - ensure => present, - owner => root, - group => 0, - mode => '0644', - content => template('site_sshd/ssh_known_hosts.erb'); - } -} diff --git a/puppet/modules/site_sshd/templates/ssh_config.erb b/puppet/modules/site_sshd/templates/ssh_config.erb new file mode 100644 index 00000000..7e967413 --- /dev/null +++ b/puppet/modules/site_sshd/templates/ssh_config.erb 
@@ -0,0 +1,23 @@ +# This file is generated by Puppet +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +Host * + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no +<% if scope.lookupvar('::site_config::params::environment') == 'local' -%> + # + # Vagrant nodes should have strict host key checking + # turned off. The problem is that the host key for a vagrant + # node is specific to the particular instance of the vagrant + # node you have running locally. For this reason, we can't + # track the host keys, or your host key for vpn1 would conflict + # with my host key for vpn1. + # + StrictHostKeyChecking no +<% end -%> + diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb index c5a71378..002ab732 100644 --- a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb +++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb @@ -1,5 +1,7 @@ # This file is generated by Puppet -<% hosts.sort.each do |name, hash| -%> -<%=name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% @hosts.sort.each do |name, hash| -%> +<% if hash['host_pub_key'] -%> +<%= name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% end -%> <% end -%> -- cgit v1.2.3 From 27cd293b4ed3f3632044e914375a45a5345e8cee Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Feb 2014 14:00:45 +0100 Subject: use instead of , because we cannot use public ips in DC --- puppet/modules/site_check_mk/files/use_ssh.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk index dbdcd4b5..a10e67a3 100644 
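Review bot: `StrictHostKeyChecking no` is placed under `Host *`, so on a local-environment node it disables host-key verification for every ssh destination, not only for the vagrant peers the comment describes. Scoping it to a `Host` block that matches the vagrant nodes' names or address range (whatever pattern the local environment uses; it is not visible here) keeps verification for everything else. The comment explains the why well; a one-line note that the relaxation is limited to `environment == 'local'` would make the security trade-off explicit to someone reading the rendered file without the template.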
--- a/puppet/modules/site_check_mk/files/use_ssh.mk +++ b/puppet/modules/site_check_mk/files/use_ssh.mk @@ -1,5 +1,5 @@ # http://mathias-kettner.de/checkmk_datasource_programs.html datasource_programs = [ - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), ] -- cgit v1.2.3 From 9a13819dbe7c8e8a51f802356e6fbebe32a7a11f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Feb 2014 17:39:12 +0100 Subject: use use_ssh.mk as template, include ssh port --- puppet/modules/site_check_mk/files/use_ssh.mk | 5 ----- puppet/modules/site_check_mk/templates/use_ssh.mk | 5 +++++ puppet/modules/site_nagios/manifests/server/check_mk.pp | 5 +++-- 3 files changed, 8 insertions(+), 7 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/use_ssh.mk create mode 100644 puppet/modules/site_check_mk/templates/use_ssh.mk diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk deleted file mode 100644 index a10e67a3..00000000 --- a/puppet/modules/site_check_mk/files/use_ssh.mk +++ /dev/null @@ -1,5 +0,0 @@ -# http://mathias-kettner.de/checkmk_datasource_programs.html -datasource_programs = [ - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), -] - diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk new file mode 100644 index 00000000..4c5523db --- /dev/null +++ b/puppet/modules/site_check_mk/templates/use_ssh.mk @@ -0,0 +1,5 @@ +# http://mathias-kettner.de/checkmk_datasource_programs.html +datasource_programs = [ + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%= @ssh_port %> check_mk_agent", ALL_HOSTS ), +] + diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index 5e0795c1..f0fd3a76 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp 
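Review bot: The datasource command `ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%= @ssh_port %> check_mk_agent` has no `-o BatchMode=yes`, so a target whose key is missing from or differs in the deployed ssh_known_hosts makes ssh stop at an interactive prompt and the check_mk run hang rather than fail with an error. Adding `-o BatchMode=yes` (and a `-o ConnectTimeout=` value if a slow host should not block the whole run) turns that into a reported failure that nagios can surface. The host placeholder between the port and `check_mk_agent` does not survive in this rendering of the diff, so which address form is used cannot be checked here.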
+++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -4,6 +4,7 @@ class site_nagios::server::check_mk { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] + $ssh_port = $ssh_hash['port'] $nagios_hiera = hiera_hash('nagios') $hosts = $nagios_hiera['hosts'] @@ -27,8 +28,8 @@ class site_nagios::server::check_mk { file { '/etc/check_mk/conf.d/use_ssh.mk': - source => 'puppet:///modules/site_check_mk/use_ssh.mk', - notify => Exec['check_mk-refresh']; + content => template('site_check_mk/use_ssh.mk'), + notify => Exec['check_mk-refresh']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh']; -- cgit v1.2.3 From 142eee6d9162c762c35fb79312ec572ce274b6d0 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Feb 2014 17:39:37 +0100 Subject: properly purge nagios3/conf.d dir --- puppet/modules/site_nagios/manifests/server/purge.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 18993586..1c12cfb0 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -10,8 +10,9 @@ class site_nagios::server::purge inherits nagios::base { purge => false } + # only purge find in the /etc/nagios3/conf.d/ dir, not in any subdir exec {'purge_conf.d': - command => '/bin/rm -f /etc/nagios3/conf.d/nagios_*', - onlyif => 'find /etc/nagios3/conf.d/ | grep -q "/etc/nagios3/conf.d/nagios_"' + command => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f -exec rm {} \;', + onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"' } } -- cgit v1.2.3 From 3516ef17f41b80409a50cffe5b81a7777e6742cb Mon Sep 17 00:00:00 2001 
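Review bot: The new `command` deletes every regular file directly in /etc/nagios3/conf.d/, where the previous version removed only `nagios_*`; if the distribution's own files in that directory are not meant to go, a `-name 'nagios_*'` filter should stay, and if they are, the comment should say so. Inside `-exec`, `rm` is resolved through whatever PATH the puppet run inherited, so `-exec /bin/rm {} \;` or find's own `-delete` is more robust (and `-delete` avoids one process per file). The `onlyif` grep pattern matches any path find can print, so `| grep -q .` states the actual condition; the comment above also has a typo, `only purge find in` for `only purge files in`.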
From: varac Date: Tue, 11 Feb 2014 18:17:36 +0100 Subject: changed submodule url for check_mk module to https://leap.se/git/puppet_check_mk --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index 13b43e88..7005b770 100644 --- a/.gitmodules +++ b/.gitmodules @@ -90,4 +90,4 @@ url = https://leap.se/git/puppet_sysctl [submodule "puppet/modules/check_mk"] path = puppet/modules/check_mk - url = https://git.codecoop.org/varacanero/puppet_check_mk.git + url = https://leap.se/git/puppet_check_mk -- cgit v1.2.3 From 902d1dbcbd0761f0dea9c2af1b04d69673d65a9e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 12:38:36 +0100 Subject: added puppet/bin/apply_on_node.sh to debug puppet on node this is useful for debugging puppet with higher verbosit or debug output. i put it into puppet/bin/ because puppet/ will get synced to a node. --- puppet/bin/apply_on_node.sh | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100755 puppet/bin/apply_on_node.sh diff --git a/puppet/bin/apply_on_node.sh b/puppet/bin/apply_on_node.sh new file mode 100755 index 00000000..09e5b035 --- /dev/null +++ b/puppet/bin/apply_on_node.sh 
@@ -0,0 +1,30 @@ +#!/bin/sh + +# Script to use on a node for debugging +# Usage: ./apply_on_node.sh +# +# Example: ./apply_on_node.sh --debug --verbose + +ROOTDIR='/srv/leap' +PLATFORM="$ROOTDIR" +MODULEPATH="$PLATFORM/puppet/modules" +LOG=/var/log/leap.log + +# example tags to use +#TAGS='--tags=leap_base,leap_service,leap_slow' +#TAGS='--tags=leap_base,leap_slow' +#TAGS='--tags=leap_base,leap_service' + +####### +# Setup +####### + +puppet apply -v --confdir $PLATFORM/puppet --libdir $PLATFORM/puppet/lib --modulepath=$MODULEPATH $PLATFORM/puppet/manifests/setup.pp $TAGS $@ |tee $LOG 2>&1 + +######### +# site.pp +######### + +puppet apply -v --confdir $PLATFORM/puppet --libdir $PLATFORM/puppet/lib --modulepath=$MODULEPATH $PLATFORM/puppet/manifests/site.pp $TAGS $@ |tee $LOG 2>&1 + + -- cgit v1.2.3 From 15ddd997572a4845f5a16f1af16c5ce5b7ac4c11 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:29:46 +0100 Subject: updated LEAP archive signing key 0x1E34A1828E207901 --- puppet/modules/site_apt/files/keys/leap_key.asc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc index b69251f0..b6b5077b 100644 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ b/puppet/modules/site_apt/files/keys/leap_key.asc @@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) +Version: GnuPG v1.4.14 (GNU/Linux) mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ 
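Review bot: `$@` is unquoted in both `puppet apply` lines, so an argument containing whitespace is split before it reaches puppet; the redirection order `|tee $LOG 2>&1` also sends only puppet's stdout through tee, because `2>&1` applies to tee, and the second run's `tee $LOG` truncates the log written by the first. Ending both lines with `"$@" 2>&1 | tee -a "$LOG"` fixes all three. Since there is no exit-status check between the two runs, a failing setup.pp still proceeds to site.pp; a one-line comment stating that this is intended for debugging only would set expectations.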
@@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC +UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK +rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 +a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs +XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X +8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt +MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ +9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s +KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 +lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ +HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW +6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR +Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT @@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== -=4STg +=Om8x -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From 251c250fe5cf44c99a74d4359cb29b0bf165f3af Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 7 Feb 2014 21:29:46 +0100 Subject: updated LEAP archive signing key 0x1E34A1828E207901 --- puppet/modules/site_apt/files/keys/leap_key.asc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc index b69251f0..b6b5077b 100644 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ b/puppet/modules/site_apt/files/keys/leap_key.asc @@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) +Version: GnuPG v1.4.14 (GNU/Linux) mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ 
@@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC +UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK +rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 +a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs +XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X +8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt +MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ +9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s +KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 +lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ +HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW +6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR +Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT @@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== -=4STg +=Om8x -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From efc3e3eaa0788271cf61155d7e9be4d46e6e9d47 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 12 Feb 2014 16:26:59 +0100 Subject: moved check_mk server and client class to site_check_mk module --- puppet/modules/site_check_mk/manifests/client.pp | 24 +++++++++++ puppet/modules/site_check_mk/manifests/server.pp | 48 ++++++++++++++++++++++ puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_nagios/manifests/client.pp | 22 ---------- puppet/modules/site_nagios/manifests/init.pp | 2 +- puppet/modules/site_nagios/manifests/server.pp | 2 +- .../site_nagios/manifests/server/check_mk.pp | 48 ---------------------- 7 files changed, 75 insertions(+), 73 deletions(-) create mode 100644 puppet/modules/site_check_mk/manifests/client.pp create mode 100644 puppet/modules/site_check_mk/manifests/server.pp delete mode 100644 puppet/modules/site_nagios/manifests/client.pp delete mode 100644 puppet/modules/site_nagios/manifests/server/check_mk.pp diff --git a/puppet/modules/site_check_mk/manifests/client.pp b/puppet/modules/site_check_mk/manifests/client.pp new file mode 100644 index 00000000..ae269168 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/client.pp @@ -0,0 +1,24 @@ +class site_check_mk::client { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + + include site_apt::preferences::check_mk + + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false + } + + file { '/root/.ssh/authorized_keys2': + owner => 'root', + group => 'root', + mode => '0600', + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" + } + +} diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp new file mode 100644 index 00000000..625fc688 
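Review bot: The restricted monitor key is written to `/root/.ssh/authorized_keys2`, which sshd consults only when `AuthorizedKeysFile` lists that name; if the sshd_config managed by site_sshd names only `authorized_keys`, this entry is never read and the check_mk ssh method fails at login, so confirm the managed sshd_config or place the entry in the file site_sshd already manages. The file resource also does not declare `/root/.ssh` itself; if nothing else manages that directory, a `file { '/root/.ssh': ensure => directory, mode => '0700' }` (or a `require` on whatever creates it) makes the dependency explicit. The forced-command options (`command=...`, `no-pty`, `no-port-forwarding`, ...) are the right shape for a single-purpose monitoring key.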
--- /dev/null +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -0,0 +1,48 @@ +class site_check_mk::server { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + $seckey = $ssh_hash['monitor']['private_key'] + $ssh_port = $ssh_hash['port'] + + $nagios_hiera = hiera_hash('nagios') + $hosts = $nagios_hiera['hosts'] + $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") + + package { 'check-mk-server': + ensure => installed, + } + + # override paths to use the system check_mk rather than OMD + class { 'check_mk::config': + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + require => Package['check-mk-server'] + } + + Exec['check_mk-reload'] -> Service['nagios'] + + file { + '/etc/check_mk/conf.d/use_ssh.mk': + content => template('site_check_mk/use_ssh.mk'), + notify => Exec['check_mk-refresh']; + '/etc/check_mk/all_hosts_static': + content => $all_hosts, + notify => Exec['check_mk-refresh']; + '/etc/check_mk/.ssh': + ensure => directory; + '/etc/check_mk/.ssh/id_rsa': + content => $seckey, + owner => 'nagios', + mode => '0600'; + '/etc/check_mk/.ssh/id_rsa.pub': + content => "${type} ${pubkey} monitor", + owner => 'nagios', + mode => '0644'; + } + include check_mk::agent::local_checks +} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index a09a30d2..25f9b3f8 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -87,5 +87,5 @@ class site_config::default { include ::site_custom } - include site_nagios::client + include site_check_mk::client } diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp deleted file mode 100644 index ff569142..00000000 
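Review bot: The monitor's SSH private key is deployed through `content => $seckey` on `/etc/check_mk/.ssh/id_rsa`, so Puppet includes the key material in its change diff in agent logs and reports whenever the content changes; add `show_diff => false` to that resource so the key does not end up in logs or reports. `$ssh_port` is assigned from `$ssh_hash['port']` but never used in the class. `/etc/check_mk/.ssh` is declared only as `ensure => directory` with no owner or mode, so it is created root-owned with the agent's umask; `owner => 'nagios', mode => '0700'` would keep the key directory consistent with the 0600 key inside it.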
--- a/puppet/modules/site_nagios/manifests/client.pp +++ /dev/null @@ -1,22 +0,0 @@ -class site_nagios::client { - - $ssh_hash = hiera('ssh') - $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] - $type = $ssh_hash['authorized_keys']['monitor']['type'] - - class { 'check_mk::agent': - agent_package_name => 'check-mk-agent', - agent_logwatch_package_name => 'check-mk-agent-logwatch', - method => 'ssh', - homedir => '/etc/nagios/check_mk', - register_agent => false - } - - file { '/root/.ssh/authorized_keys2': - owner => 'root', - group => 'root', - mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" - } - -} diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index c3cfa02e..eb08cdcb 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,6 +1,6 @@ class site_nagios { tag 'leap_service' Class['site_config::default'] -> Class['site_nagios'] - + include site_nagios::server } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index d740d8b7..b1795826 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -46,6 +46,6 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) include site_nagios::server::apache - include site_nagios::server::check_mk + include site_check_mk::server include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp deleted file mode 100644 index f0fd3a76..00000000 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ /dev/null 
@@ -1,48 +0,0 @@ -class site_nagios::server::check_mk { - - $ssh_hash = hiera('ssh') - $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] - $type = $ssh_hash['authorized_keys']['monitor']['type'] - $seckey = $ssh_hash['monitor']['private_key'] - $ssh_port = $ssh_hash['port'] - - $nagios_hiera = hiera_hash('nagios') - $hosts = $nagios_hiera['hosts'] - $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") - - package { 'check-mk-server': - ensure => installed, - } - - # override paths to use the system check_mk rather than OMD - class { 'check_mk::config': - site => '', - etc_dir => '/etc', - nagios_subdir => 'nagios3', - bin_dir => '/usr/bin', - host_groups => undef, - require => Package['check-mk-server'] - } - - Exec['check_mk-reload'] -> Service['nagios'] - - file { - '/etc/check_mk/conf.d/use_ssh.mk': - content => template('site_check_mk/use_ssh.mk'), - notify => Exec['check_mk-refresh']; - '/etc/check_mk/all_hosts_static': - content => $all_hosts, - notify => Exec['check_mk-refresh']; - '/etc/check_mk/.ssh': - ensure => directory; - '/etc/check_mk/.ssh/id_rsa': - content => $seckey, - owner => 'nagios', - mode => '0600'; - '/etc/check_mk/.ssh/id_rsa.pub': - content => "${type} ${pubkey} monitor", - owner => 'nagios', - mode => '0644'; - } - -} -- cgit v1.2.3 From cafa3fc37229ad9fa8e78c1a06ef6e5444ba3ebb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 16:36:57 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 382cb6d2..f9e49426 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 382cb6d2ab5fe05b9db7e4178cd16b71685bef59 +Subproject commit f9e494265f6c7b83ab9ef418e40cc7aac5589563 -- cgit v1.2.3 From 6d1a379f59612b79ddfbc10cac79cb5dfdafae58 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 12 Feb 2014 16:51:46 +0100 Subject: added apt::preferences file for check-mk-\* to install from backports --- puppet/modules/site_apt/manifests/preferences/check_mk.pp | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/check_mk.pp diff --git a/puppet/modules/site_apt/manifests/preferences/check_mk.pp b/puppet/modules/site_apt/manifests/preferences/check_mk.pp new file mode 100644 index 00000000..580e0d3f --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/check_mk.pp @@ -0,0 +1,9 @@ +class site_apt::preferences::check_mk { + + apt::preferences_snippet { 'check-mk': + package => 'check-mk-*', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + +} -- cgit v1.2.3 From 7bfc884008d26cc7dca3b10e0aeef9073f55e5d3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 17:01:00 +0100 Subject: include monitor node into hosts hash so check-mk-agent can run on monitor host itself via ssh to localhost (requires latest leap_cli) --- provider_base/services/monitor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index 5656fe80..7ad0d637 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -3,7 +3,7 @@ "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" }, - "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])", + "hosts": "= hosts_file(nodes_like_me)", "ssh": { "monitor": { "username": "= Leap::Platform.monitor_username", -- cgit v1.2.3 From 060124b047ac44f9f54573a389fea6c5b6ab18ea Mon Sep 17 00:00:00 2001 
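Review bot: `site_check_mk::server` (server.pp in the earlier commit) installs `check-mk-server` without including this preferences class, so the server package appears to be pinned to backports only because the monitor node also picks up `site_check_mk::client` through `site_config::default`; an explicit `include site_apt::preferences::check_mk` in the server class would make that dependency visible rather than incidental. The `check-mk-*` glob at priority 999 prefers backports for every check-mk package but will not downgrade an already installed newer version, which matches the intent in the subject. In `monitor.json`, `hosts_file(nodes_like_me)` now feeds the monitor node itself into the hosts file, so the agent is also reached over ssh on the monitor host as described.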
From: varac Date: Wed, 12 Feb 2014 18:14:19 +0100 Subject: renamed site_check_mk::client to site_check_mk::agent --- puppet/modules/site_check_mk/manifests/agent.pp | 24 ++++++++++++++++++++++++ puppet/modules/site_check_mk/manifests/client.pp | 24 ------------------------ puppet/modules/site_config/manifests/default.pp | 2 +- 3 files changed, 25 insertions(+), 25 deletions(-) create mode 100644 puppet/modules/site_check_mk/manifests/agent.pp delete mode 100644 puppet/modules/site_check_mk/manifests/client.pp diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp new file mode 100644 index 00000000..bb0cb167 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -0,0 +1,24 @@ +class site_check_mk::agent { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + + include site_apt::preferences::check_mk + + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false + } + + file { '/root/.ssh/authorized_keys2': + owner => 'root', + group => 'root', + mode => '0600', + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" + } + +} diff --git a/puppet/modules/site_check_mk/manifests/client.pp b/puppet/modules/site_check_mk/manifests/client.pp deleted file mode 100644 index ae269168..00000000 --- a/puppet/modules/site_check_mk/manifests/client.pp +++ /dev/null 
@@ -1,24 +0,0 @@ -class site_check_mk::client { - - $ssh_hash = hiera('ssh') - $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] - $type = $ssh_hash['authorized_keys']['monitor']['type'] - - include site_apt::preferences::check_mk - - class { 'check_mk::agent': - agent_package_name => 'check-mk-agent', - agent_logwatch_package_name => 'check-mk-agent-logwatch', - method => 'ssh', - homedir => '/etc/nagios/check_mk', - register_agent => false - } - - file { '/root/.ssh/authorized_keys2': - owner => 'root', - group => 'root', - mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" - } - -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 25f9b3f8..53cc60f6 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -87,5 +87,5 @@ class site_config::default { include ::site_custom } - include site_check_mk::client + include site_check_mk::agent } -- cgit v1.2.3 From 9431d1c9da024f98f5c6eb7cf2eff68b2e3a1926 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 18:43:47 +0100 Subject: include monitor node also into nagios hash so check-mk-agent can run on monitor host itself via ssh to localhost (requires latest leap_cli) --- provider_base/services/monitor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index 7ad0d637..82c18745 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json 
@@ -1,7 +1,7 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", - "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" }, "hosts": "= hosts_file(nodes_like_me)", "ssh": { -- cgit v1.2.3 From 1c8c4f6f3b68ba1da13e6b6374c6c55fe8214789 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 18:45:17 +0100 Subject: execute nagios plugins locally with mrpe --- puppet/modules/site_check_mk/manifests/agent.pp | 1 + puppet/modules/site_check_mk/manifests/agent/mrpe.pp | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 puppet/modules/site_check_mk/manifests/agent/mrpe.pp diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index bb0cb167..ac5a7ebd 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -21,4 +21,5 @@ class site_check_mk::agent { content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" } + include site_check_mk::agent::mrpe } diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp new file mode 100644 index 00000000..37df7f74 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp @@ -0,0 +1,17 @@ +class site_check_mk::agent::mrpe { + # check_mk can use standard nagios plugins using + # a wrapper called mrpe + # see http://mathias-kettner.de/checkmk_mrpe.html + + package { 'nagios-plugins-basic': + ensure => latest, + } + + file { '/etc/check_mk/mrpe.cfg': + ensure => present + } -> + file_line { 'Apt': + line => 'APT /usr/lib/nagios/plugins/check_apt', + path => '/etc/check_mk/mrpe.cfg', + } +} -- cgit v1.2.3 
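Review bot: `package { 'nagios-plugins-basic': ensure => latest }` in mrpe.pp upgrades the plugin package on any Puppet run where apt offers a newer version, so node changes happen outside a deploy; `ensure => installed` is the usual choice unless continuous upgrades are intended here. `/etc/check_mk/mrpe.cfg` is declared with `ensure => present` but no `owner`, `group` or `mode`, so it gets whatever the agent's umask produces; the file is read by the agent running as root, and `owner => 'root', mode => '0644'` would pin that down. Note that the `file_line` approach only ever adds entries, so a check removed from a manifest stays in mrpe.cfg on already-deployed nodes.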
From 12cea40d5dffe5aa6e269c05773ed49d9f00a9ea Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Feb 2014 00:10:09 +0100 Subject: added site_check_mk::agent::couchdb and site_check_mk::agent::soledad for local checks --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 17 +++++++++++++++++ puppet/modules/site_check_mk/manifests/agent/soledad.pp | 10 ++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 2 ++ puppet/modules/soledad/manifests/init.pp | 2 ++ 4 files changed, 31 insertions(+) create mode 100644 puppet/modules/site_check_mk/manifests/agent/couchdb.pp create mode 100644 puppet/modules/site_check_mk/manifests/agent/soledad.pp diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp new file mode 100644 index 00000000..5b50e5a9 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -0,0 +1,17 @@ +class site_check_mk::agent::couchdb { + + # local custom checks + file { '/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh': + ensure => link, + target => '/srv/leap/couchdb/scripts/tests/check_bigcouch_errors.sh', + require => Vcsrepo['/srv/leap/couchdb/scripts'] + } + + # local nagios plugin checks via mrpe + file_line { + 'Tapicero_Procs': + line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp new file mode 100644 index 00000000..d75ae732 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp @@ -0,0 +1,10 @@ +class site_check_mk::agent::soledad { + + # local nagios plugin checks via mrpe + file_line { + 'Soledad_Procs': + line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad', + path => '/etc/check_mk/mrpe.cfg'; + } + +} 
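Review bot: The local check `/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh` is a symlink into the `/srv/leap/couchdb/scripts` vcsrepo checkout, and since the agent is invoked through the forced command in root's authorized_keys (agent.pp), that script runs as root on every poll; whoever can change that repository or write to the checkout directory therefore controls code executed as root on the couchdb node. Pinning the vcsrepo to a fixed revision or tag and keeping the checkout root-owned and not writable by the couchdb service user would bound that, if not already the case (the vcsrepo declaration is not in this diff). Both `file_line` resources (`Tapicero_Procs` here and `Soledad_Procs` in soledad.pp) write to `/etc/check_mk/mrpe.cfg` without `require => File['/etc/check_mk/mrpe.cfg']`, so if either class is evaluated before `site_check_mk::agent::mrpe` creates the file, `file_line` can fail on a missing path; add that `require` to both.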
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 137b661f..a9512577 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -107,4 +107,6 @@ class site_couchdb { } if $couchdb_backup { include site_couchdb::backup } + + include site_check_mk::agent::couchdb } diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp index 7d44c8b4..35adc28e 100644 --- a/puppet/modules/soledad/manifests/init.pp +++ b/puppet/modules/soledad/manifests/init.pp @@ -27,4 +27,6 @@ class soledad { require => User['soledad']; } + include site_check_mk::agent::soledad + } -- cgit v1.2.3 From c1d1d9d7cf6fefd1203cc09a66c2e0230b930b5e Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Feb 2014 14:44:01 +0100 Subject: use default value for hiera lookup (#5118) --- puppet/modules/site_sshd/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 2bcde603..d9bc1d51 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,6 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') - $hosts = hiera_hash('hosts') + $hosts = hiera('hosts', '') ## ## SETUP AUTHORIZED KEYS -- cgit v1.2.3 From d0eea33d88a6ffcbe01544678372d80e8c8de51f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Feb 2014 17:38:02 +0100 Subject: Include check_mk monitor pubkey in /root/.ssh/authorized_keys instead of creating a /root/.ssh/authorized_keys2 see https://review.leap.se/r/148/#comment153 --- puppet/modules/site_check_mk/manifests/agent.pp | 7 ------- puppet/modules/site_sshd/templates/authorized_keys.erb | 4 ++++ 2 files changed, 4 insertions(+), 7 deletions(-) 
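Review bot: `hiera('hosts', '')` in site_sshd now yields the empty string when the `hosts` key is absent, whereas the previous `hiera_hash('hosts')` always produced a hash; if the code after this hunk iterates `$hosts` or passes it to `create_resources`, an empty string rather than `{}` will raise at catalog compile time in exactly the case the default is meant to cover. `$hosts = hiera('hosts', {})` keeps the type stable. The part of `site_sshd` that consumes `$hosts` is outside this hunk, so this is inferred from the lookup rather than from visible usage.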
diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index ac5a7ebd..75188c7b 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -14,12 +14,5 @@ class site_check_mk::agent { register_agent => false } - file { '/root/.ssh/authorized_keys2': - owner => 'root', - group => 'root', - mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" - } - include site_check_mk::agent::mrpe } diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb index 3c65e8ab..69f4d8e6 100644 --- a/puppet/modules/site_sshd/templates/authorized_keys.erb +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -2,5 +2,9 @@ # all manually added keys will be overridden <% keys.sort.each do |user, hash| -%> +<% if user == 'monitor' -%> +command="/usr/bin/check_mk_agent",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, <%=hash['type']-%> <%=hash['key']%> <%=user%> +<% else -%> <%=hash['type']-%> <%=hash['key']%> <%=user%> +<% end -%> <% end -%> -- cgit v1.2.3 From 2436fddb4a63075f74f295bacd23128c766beb4c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 17 Feb 2014 13:50:42 +0100 Subject: Remove adding of hosts from site_nagios::server (Feature #5132) because now, check_mk will add the hosts --- puppet/modules/site_check_mk/manifests/server.pp | 2 +- puppet/modules/site_nagios/manifests/add_host.pp | 32 ---------------------- .../site_nagios/manifests/add_host_services.pp | 26 ++++++++++++++++++ puppet/modules/site_nagios/manifests/server.pp | 2 +- 4 files changed, 28 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_nagios/manifests/add_host.pp create mode 100644 puppet/modules/site_nagios/manifests/add_host_services.pp 
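Review bot: Removing the `file { '/root/.ssh/authorized_keys2': ... }` resource stops Puppet managing that file but does not delete it on nodes already deployed, so those hosts keep a second, now unmanaged, copy of the monitor key entry that is never rotated or revoked when `ssh.authorized_keys.monitor` changes. A transitional `file { '/root/.ssh/authorized_keys2': ensure => absent }` in `site_check_mk::agent` cleans it up. With the resource gone, `$ssh_hash`, `$pubkey` and `$type` at the top of the class (outside this hunk) appear to be unused now. In the template, the forced command is keyed on the literal user name `'monitor'`, so any other entry under `ssh.authorized_keys` stays unrestricted; a comment in the template stating that convention would help the next reader.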
diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 625fc688..e77862e5 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -8,7 +8,7 @@ class site_check_mk::server { $nagios_hiera = hiera_hash('nagios') $hosts = $nagios_hiera['hosts'] - $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') package { 'check-mk-server': ensure => installed, diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp deleted file mode 100644 index 94352de4..00000000 --- a/puppet/modules/site_nagios/manifests/add_host.pp +++ /dev/null @@ -1,32 +0,0 @@ -define site_nagios::add_host ( - $domain_internal, - $ip_address, - $services, - $openvpn_gateway_address='' ) { - - $nagios_hostname = $domain_internal - - # Add Nagios host - nagios_host { $nagios_hostname: - address => $ip_address, - use => 'generic-host', - } - - # Add Nagios service - - # First, we need to turn the serice array into hash, using a "hash template" - # see https://github.com/ashak/puppet-resource-looping - $nagios_service_hashpart = { - 'hostname' => $nagios_hostname, - 'ip_address' => $ip_address, - 'openvpn_gw' => $openvpn_gateway_address, - } - $dynamic_parameters = { - 'service' => '%s' - } - $nagios_servicename = "${nagios_hostname}_%s" - - $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) - - create_resources ( site_nagios::add_service, $nagios_service_hash ) -} diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp new file mode 100644 index 00000000..2d615ff1 --- /dev/null 
+++ b/puppet/modules/site_nagios/manifests/add_host_services.pp @@ -0,0 +1,26 @@ +define site_nagios::add_host_services ( + $domain_internal, + $ip_address, + $services, + $openvpn_gateway_address='' ) { + + $nagios_hostname = $domain_internal + + # Add Nagios service + + # First, we need to turn the serice array into hash, using a "hash template" + # see https://github.com/ashak/puppet-resource-looping + $nagios_service_hashpart = { + 'hostname' => $nagios_hostname, + 'ip_address' => $ip_address, + 'openvpn_gw' => $openvpn_gateway_address, + } + $dynamic_parameters = { + 'service' => '%s' + } + $nagios_servicename = "${nagios_hostname}_%s" + + $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) + + create_resources ( site_nagios::add_service, $nagios_service_hash ) +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index b1795826..ca38d7fc 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -43,7 +43,7 @@ class site_nagios::server inherits nagios::base { group => 'nagios', } - create_resources ( site_nagios::add_host, $hosts ) + create_resources ( site_nagios::add_host_services, $hosts ) include site_nagios::server::apache include site_check_mk::server -- cgit v1.2.3 From 91bee3e81439cca0536856094edc7ceee7da60ff Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Feb 2014 08:32:14 +0100 Subject: set up logwatch.d directory, added for soledad logwatch config --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 4 ++++ puppet/modules/site_check_mk/manifests/agent/soledad.pp | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg 
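Review bot: The comment `# First, we need to turn the serice array into hash` carries the typo over from the deleted `add_host.pp`; since this is a new file it is worth fixing to `# First, we need to turn the service array into a hash`. A one-line header comment stating that host objects now come from check_mk (`all_hosts_static` in server.pp) and that this define only declares per-host nagios services would explain why there is no `nagios_host` here any more. In the server.pp hunk, `$hosts` now also contains the monitor node itself (monitor.json), so services are created for the monitor host too, which is intended per the earlier commits but worth noting in the define.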
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg new file mode 100644 index 00000000..54b782d3 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg @@ -0,0 +1,4 @@ +/var/log/soledad.log + C WSGI application error + C error + diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp index d75ae732..cbae81fe 100644 --- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp +++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp @@ -1,5 +1,9 @@ class site_check_mk::agent::soledad { + file { '/etc/check_mk/logwatch.d/soledad.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/soledad.cfg', + } + # local nagios plugin checks via mrpe file_line { 'Soledad_Procs': -- cgit v1.2.3 From 6007c2e5b8556460471d4cae9206a950dd184fec Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Feb 2014 15:14:04 +0100 Subject: added mk_logwatch.1.2.4 (#5135) --- .../files/agent/plugins/mk_logwatch.1.2.4 | 374 +++++++++++++++++++++ puppet/modules/site_check_mk/manifests/agent.pp | 1 + .../site_check_mk/manifests/agent/logwatch.pp | 11 + 3 files changed, 386 insertions(+) create mode 100755 puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 create mode 100644 puppet/modules/site_check_mk/manifests/agent/logwatch.pp diff --git a/puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 b/puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 new file mode 100755 index 00000000..3dbca322 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 
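Review bot: The subject says the `logwatch.d` directory is set up, but the hunk only places `/etc/check_mk/logwatch.d/soledad.cfg`; unless `/etc/check_mk/logwatch.d` already exists on the node, the file resource fails, so a `file { '/etc/check_mk/logwatch.d': ensure => directory }` (ideally in `site_check_mk::agent`, where every agent node gets it) is needed. The config file resource sets no `owner`/`mode`; root-owned `0644` is appropriate for a file read by the root-run agent. In `soledad.cfg`, the pattern `C error` is unanchored and case-sensitive, so it raises a critical for any line containing that substring, including lines already matched by `WSGI application error`; a narrower pattern, or an `I` line for known-noisy messages, may be wanted once real logs are seen.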
@@ -0,0 +1,374 @@ +#!/usr/bin/python +# -*- encoding: utf-8; py-indent-offset: 4 -*- +# +------------------------------------------------------------------+ +# | ____ _ _ __ __ _ __ | +# | / ___| |__ ___ ___| | __ | \/ | |/ / | +# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / | +# | | |___| | | | __/ (__| < | | | | . \ | +# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ | +# | | +# | Copyright Mathias Kettner 2010 mk@mathias-kettner.de | +# +------------------------------------------------------------------+ +# +# This file is part of Check_MK. +# The official homepage is at http://mathias-kettner.de/check_mk. +# +# check_mk is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation in version 2. check_mk is distributed +# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with- +# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more de- +# ails. You should have received a copy of the GNU General Public +# License along with GNU Make; see the file COPYING. If not, write +# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +# Boston, MA 02110-1301 USA. + +# Call with -d for debug mode: colored output, no saving of status + +import sys, os, re, time +import glob + +if '-d' in sys.argv[1:] or '--debug' in sys.argv[1:]: + tty_red = '\033[1;31m' + tty_green = '\033[1;32m' + tty_yellow = '\033[1;33m' + tty_blue = '\033[1;34m' + tty_normal = '\033[0m' + debug = True +else: + tty_red = '' + tty_green = '' + tty_yellow = '' + tty_blue = '' + tty_normal = '' + debug = False + +# The configuration file and status file are searched +# in the directory named by the environment variable +# LOGWATCH_DIR. If that is not set, MK_CONFDIR is used. +# If that is not set either, the current directory ist +# used. 
+logwatch_dir = os.getenv("LOGWATCH_DIR") +if not logwatch_dir: + logwatch_dir = os.getenv("MK_CONFDIR") + if not logwatch_dir: + logwatch_dir = "." + +print "<<>>" + +config_filename = logwatch_dir + "/logwatch.cfg" +status_filename = logwatch_dir + "/logwatch.state" +config_dir = logwatch_dir + "/logwatch.d/*.cfg" + +def is_not_comment(line): + if line.lstrip().startswith('#') or \ + line.strip() == '': + return False + return True + +def parse_filenames(line): + return line.split() + +def parse_pattern(level, pattern): + if level not in [ 'C', 'W', 'I', 'O' ]: + raise(Exception("Invalid pattern line '%s'" % line)) + try: + compiled = re.compile(pattern) + except: + raise(Exception("Invalid regular expression in line '%s'" % line)) + return (level, compiled) + +def read_config(): + config_lines = [ line.rstrip() for line in filter(is_not_comment, file(config_filename).readlines()) ] + # Add config from a logwatch.d folder + for config_file in glob.glob(config_dir): + config_lines += [ line.rstrip() for line in filter(is_not_comment, file(config_file).readlines()) ] + + have_filenames = False + config = [] + + for line in config_lines: + rewrite = False + if line[0].isspace(): # pattern line + if not have_filenames: + raise Exception("Missing logfile names") + level, pattern = line.split(None, 1) + if level == 'A': + cont_list.append(parse_cont_pattern(pattern)) + elif level == 'R': + rewrite_list.append(pattern) + else: + level, compiled = parse_pattern(level, pattern) + cont_list = [] # List of continuation patterns + rewrite_list = [] # List of rewrite patterns + patterns.append((level, compiled, cont_list, rewrite_list)) + else: # filename line + patterns = [] + config.append((parse_filenames(line), patterns)) + have_filenames = True + return config + +def parse_cont_pattern(pattern): + try: + return int(pattern) + except: + try: + return re.compile(pattern) + except: + if debug: + raise + raise Exception("Invalid regular expression in line '%s'" % pattern) + 
+# structure of statusfile +# # LOGFILE OFFSET INODE +# /var/log/messages|7767698|32455445 +# /var/test/x12134.log|12345|32444355 +def read_status(): + if debug: + return {} + + status = {} + for line in file(status_filename): + # TODO: Remove variants with spaces. rsplit is + # not portable. split fails if logfilename contains + # spaces + inode = -1 + try: + parts = line.split('|') + filename = parts[0] + offset = parts[1] + if len(parts) >= 3: + inode = parts[2] + + except: + try: + filename, offset = line.rsplit(None, 1) + except: + filename, offset = line.split(None, 1) + status[filename] = int(offset), int(inode) + return status + +def save_status(status): + f = file(status_filename, "w") + for filename, (offset, inode) in status.items(): + f.write("%s|%d|%d\n" % (filename, offset, inode)) + +pushed_back_line = None +def next_line(f): + global pushed_back_line + if pushed_back_line != None: + line = pushed_back_line + pushed_back_line = None + return line + else: + try: + line = f.next() + return line + except: + return None + + +def process_logfile(logfile, patterns): + global pushed_back_line + + # Look at which file offset we have finished scanning + # the logfile last time. If we have never seen this file + # before, we set the offset to -1 + offset, prev_inode = status.get(logfile, (-1, -1)) + try: + fl = os.open(logfile, os.O_RDONLY) + inode = os.fstat(fl)[1] # 1 = st_ino + except: + if debug: + raise + print "[[[%s:cannotopen]]]" % logfile + return + + print "[[[%s]]]" % logfile + + # Seek to the current end in order to determine file size + current_end = os.lseek(fl, 0, 2) # os.SEEK_END not available in Python 2.4 + status[logfile] = current_end, inode + + # If we have never seen this file before, we just set the + # current pointer to the file end. We do not want to make + # a fuss about ancient log messages... 
+ if offset == -1: + if not debug: + return + else: + offset = 0 + + + # If the inode of the logfile has changed it has appearently + # been started from new (logfile rotation). At least we must + # assume that. In some rare cases (restore of a backup, etc) + # we are wrong and resend old log messages + if prev_inode >= 0 and inode != prev_inode: + offset = 0 + + # Our previously stored offset is the current end -> + # no new lines in this file + if offset == current_end: + return # nothing new + + # If our offset is beyond the current end, the logfile has been + # truncated or wrapped while keeping the same inode. We assume + # that it contains all new data in that case and restart from + # offset 0. + if offset > current_end: + offset = 0 + + # now seek to offset where interesting data begins + os.lseek(fl, offset, 0) # os.SEEK_SET not available in Python 2.4 + f = os.fdopen(fl) + worst = -1 + outputtxt = "" + lines_parsed = 0 + start_time = time.time() + + while True: + line = next_line(f) + if line == None: + break # End of file + + lines_parsed += 1 + # Check if maximum number of new log messages is exceeded + if opt_maxlines != None and lines_parsed > opt_maxlines: + outputtxt += "%s Maximum number (%d) of new log messages exceeded.\n" % ( + opt_overflow, opt_maxlines) + worst = max(worst, opt_overflow_level) + os.lseek(fl, 0, 2) # Seek to end of file, skip all other messages + break + + # Check if maximum processing time (per file) is exceeded. Check only + # every 100'th line in order to save system calls + if opt_maxtime != None and lines_parsed % 100 == 10 \ + and time.time() - start_time > opt_maxtime: + outputtxt += "%s Maximum parsing time (%.1f sec) of this log file exceeded.\n" % ( + opt_overflow, opt_maxtime) + worst = max(worst, opt_overflow_level) + os.lseek(fl, 0, 2) # Seek to end of file, skip all other messages + break + + level = "." 
+ for lev, pattern, cont_patterns, replacements in patterns: + matches = pattern.search(line[:-1]) + if matches: + level = lev + levelint = {'C': 2, 'W': 1, 'O': 0, 'I': -1, '.': -1}[lev] + worst = max(levelint, worst) + + # Check for continuation lines + for cont_pattern in cont_patterns: + if type(cont_pattern) == int: # add that many lines + for x in range(cont_pattern): + cont_line = next_line(f) + if cont_line == None: # end of file + break + line = line[:-1] + "\1" + cont_line + + else: # pattern is regex + while True: + cont_line = next_line(f) + if cont_line == None: # end of file + break + elif cont_pattern.search(cont_line[:-1]): + line = line[:-1] + "\1" + cont_line + else: + pushed_back_line = cont_line # sorry for stealing this line + break + + # Replacement + for replace in replacements: + line = replace.replace('\\0', line) + "\n" + for nr, group in enumerate(matches.groups()): + line = line.replace('\\%d' % (nr+1), group) + + break # matching rule found and executed + + color = {'C': tty_red, 'W': tty_yellow, 'O': tty_green, 'I': tty_blue, '.': ''}[level] + if debug: + line = line.replace("\1", "\nCONT:") + if level == "I": + level = "." + if opt_nocontext and level == '.': + continue + outputtxt += "%s%s %s%s\n" % (color, level, line[:-1], tty_normal) + + new_offset = os.lseek(fl, 0, 1) # os.SEEK_CUR not available in Python 2.4 + status[logfile] = new_offset, inode + + # output all lines if at least one warning, error or ok has been found + if worst > -1: + sys.stdout.write(outputtxt) + sys.stdout.flush() + +try: + config = read_config() +except Exception, e: + if debug: + raise + print "CANNOT READ CONFIG FILE: %s" % e + sys.exit(1) + +# Simply ignore errors in the status file. In case of a corrupted status file we simply begin +# with an empty status. That keeps the monitoring up and running - even if we might loose a +# message in the extreme case of a corrupted status file. 
+try: + status = read_status() +except Exception, e: + status = {} + + +# The filename line may contain options like 'maxlines=100' or 'maxtime=10' +for filenames, patterns in config: + # Initialize options with default values + opt_maxlines = None + opt_maxtime = None + opt_regex = None + opt_overflow = 'C' + opt_overflow_level = 2 + opt_nocontext = False + try: + options = [ o.split('=', 1) for o in filenames if '=' in o ] + for key, value in options: + if key == 'maxlines': + opt_maxlines = int(value) + elif key == 'maxtime': + opt_maxtime = float(value) + elif key == 'overflow': + if value not in [ 'C', 'I', 'W', 'O' ]: + raise Exception("Invalid value %s for overflow. Allowed are C, I, O and W" % value) + opt_overflow = value + opt_overflow_level = {'C':2, 'W':1, 'O':0, 'I':0}[value] + elif key == 'regex': + opt_regex = re.compile(value) + elif key == 'iregex': + opt_regex = re.compile(value, re.I) + elif key == 'nocontext': + opt_nocontext = True + else: + raise Exception("Invalid option %s" % key) + except Exception, e: + if debug: + raise + print "INVALID CONFIGURATION: %s" % e + sys.exit(1) + + + for glob in filenames: + if '=' in glob: + continue + logfiles = [ l.strip() for l in os.popen("ls %s 2>/dev/null" % glob).readlines() ] + if opt_regex: + logfiles = [ f for f in logfiles if opt_regex.search(f) ] + if len(logfiles) == 0: + print '[[[%s:missing]]]' % glob + else: + for logfile in logfiles: + process_logfile(logfile, patterns) + +if not debug: + save_status(status) diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index 75188c7b..a29923c1 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -15,4 +15,5 @@ class site_check_mk::agent { } include site_check_mk::agent::mrpe + include site_check_mk::agent::logwatch } 
diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
new file mode 100644
index 00000000..763b01a7
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
@@ -0,0 +1,11 @@
+class site_check_mk::agent::logwatch {
+ # Deploy mk_logwatch 1.2.4 so we can split the config
+ # into multiple config files in /etc/check_mk/logwatch.d
+ # see https://leap.se/code/issues/5135
+
+ file { '/usr/lib/check_mk_agent/plugins/mk_logwatch':
+ source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4',
+ mode => '0755'
+ }
+
+}
-- 
cgit v1.2.3

From 20e1830ab70c2f63d240f909ab5622476b095ec9 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 19 Feb 2014 15:39:51 +0100
Subject: add site_check_mk::agent::tapicero, site_check_mk::agent::couchdb

---
 .../modules/site_check_mk/files/agent/logwatch/couchdb.cfg | 9 +++++++++
 puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 12 +++++-------
 puppet/modules/site_check_mk/manifests/agent/tapicero.pp | 10 ++++++++++
 puppet/modules/site_couchdb/manifests/init.pp | 1 +
 4 files changed, 25 insertions(+), 7 deletions(-)
 create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg
 create mode 100644 puppet/modules/site_check_mk/manifests/agent/tapicero.pp
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg
new file mode 100644
index 00000000..0911d09a
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg
@@ -0,0 +1,9 @@
+/opt/bigcouch/var/log/bigcouch.log
+ C Uncaught error in HTTP request: {exit,
+ C Uncaught error in HTTP request: {exit,normal}
+ C Uncaught error in HTTP request: {error,
+ C Response abnormally terminated: {nodedown,
+ C rexi_DOWN,noproc
+ C rexi_DOWN,noconnection
+ C error
+ W Shutting down group server
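Review bot: The `file` resource for `/usr/lib/check_mk_agent/plugins/mk_logwatch` replaces a file under a directory that presumably belongs to the check_mk agent package, yet it declares no `require` on that package, so on a fresh host Puppet may try to write the plugin before the package has created the directory, and a later package upgrade can silently put the packaged plugin back. Adding `require => Package['check_mk-agent-logwatch'],` (the package resource the later logwatch.cfg hunk already depends on) fixes the ordering; the overwrite-on-upgrade risk deserves a comment next to the resource since nothing would alert on it. The resource also pins `mode` but not `owner`/`group`, which are worth setting explicitly for an executable the agent runs.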
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 5b50e5a9..c954292a 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -1,5 +1,10 @@ class site_check_mk::agent::couchdb { + file { '/etc/check_mk/logwatch.d/couchdb.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/couchdb.cfg', + } + + # local custom checks file { '/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh': ensure => link, @@ -7,11 +12,4 @@ class site_check_mk::agent::couchdb { require => Vcsrepo['/srv/leap/couchdb/scripts'] } - # local nagios plugin checks via mrpe - file_line { - 'Tapicero_Procs': - line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', - path => '/etc/check_mk/mrpe.cfg'; - } - } diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp new file mode 100644 index 00000000..2379881c --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -0,0 +1,10 @@ +class site_check_mk::agent::tapicero { + + # local nagios plugin checks via mrpe + file_line { + 'Tapicero_Procs': + line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index a9512577..e4c0211b 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -109,4 +109,5 @@ class site_couchdb { if $couchdb_backup { include site_couchdb::backup } include site_check_mk::agent::couchdb + include site_check_mk::agent::tapicero } -- cgit v1.2.3 From 9d19be450d84e1fd281cbfc0f795ca411a2f5879 Mon Sep 17 00:00:00 2001 
From: varac
Date: Wed, 19 Feb 2014 15:51:09 +0100
Subject: set up logwatch.d directory

---
 puppet/modules/site_check_mk/manifests/agent/logwatch.pp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
index 763b01a7..67db5a12 100644
--- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
@@ -8,4 +8,8 @@ class site_check_mk::agent::logwatch {
 mode => '0755'
 }
+ file { '/etc/check_mk/logwatch.d':
+ ensure => directory
+ }
+
 }
-- 
cgit v1.2.3

From 867fce7a855ceef8891b5f9bea1f71c6663cd403 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 20 Feb 2014 00:05:17 +0100
Subject: include site_check_mk::agent::soledad from soledad::server and not from soledad class (Feature #5149) cause leap_mk includes the soledad class

---
 puppet/modules/soledad/manifests/init.pp | 3 ---
 puppet/modules/soledad/manifests/server.pp | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
index 35adc28e..7cf0b729 100644
--- a/puppet/modules/soledad/manifests/init.pp
+++ b/puppet/modules/soledad/manifests/init.pp
@@ -26,7 +26,4 @@ class soledad {
 group => 'soledad',
 require => User['soledad'];
 }
-
- include site_check_mk::agent::soledad
-
 }
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 572cad44..1137080f 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -59,4 +59,5 @@ class soledad::server {
 }
 include site_shorewall::soledad
+ include site_check_mk::agent::soledad
 }
-- 
cgit v1.2.3

From 6bb879a46c754958d07b530cf62d69a01537ccba Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 20 Feb 2014 00:31:39 +0100
Subject: added tapicero logwatch check

---
 puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg | 5 +++++
 puppet/modules/site_check_mk/manifests/agent/tapicero.pp | 4 ++++
 2 files changed, 9 insertions(+)
 create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
new file mode 100644
index 00000000..9402de9b
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
@@ -0,0 +1,5 @@
+/var/log/syslog
+ C tapicero.*RestClient::InternalServerError:
+ C tapicero.*RestClient::PreconditionFailed:
+ C tapicero.*failed
+ W tapicero.*Couch stream ended unexpectedly.
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
index 2379881c..088900f4 100644
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
@@ -1,5 +1,9 @@
 class site_check_mk::agent::tapicero {
+ file { '/etc/check_mk/logwatch.d/tapicero.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
+ }
+
 # local nagios plugin checks via mrpe
 file_line {
 'Tapicero_Procs':
-- 
cgit v1.2.3

From c0d0a5a0af891c360dded0c508591cf50899bc66 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 20 Feb 2014 17:07:48 +0100
Subject: now using concanated check_mk logwatch files where needed (#5155)

---
 .../files/agent/logwatch/logwatch.cfg | 31 ++++++++++++++++++++++
 .../site_check_mk/files/agent/logwatch/syslog.cfg | 5 ++++
 .../files/agent/logwatch/tapicero.cfg | 1 -
 .../site_check_mk/manifests/agent/logwatch.pp | 21 ++++++++++++++-
 .../manifests/agent/logwatch/syslog.pp | 13 +++++++++
 .../site_check_mk/manifests/agent/tapicero.pp | 6 +++--
 6 files changed, 73 insertions(+), 4 deletions(-)
 create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg
 create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg
 create mode 100644 puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg
new file mode 100644
index 00000000..c4acae40
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg
@@ -0,0 +1,31 @@
+# This file is managed by Puppet. DO NOT EDIT.
+
+# logwatch.cfg
+# This file configures mk_logwatch. Define your logfiles
+# and patterns to be looked for here.
+
+# Name one or more logfiles
+/var/log/messages
+# Patterns are indented with one space are prefixed with:
+# C: Critical messages
+# W: Warning messages
+# I: ignore these lines (OK)
+# The first match decided. Lines that do not match any pattern
+# are ignored
+ C Fail event detected on md device
+ I mdadm.*: Rebuild.*event detected
+ W mdadm\[
+ W ata.*hard resetting link
+ W ata.*soft reset failed (.*FIS failed)
+ W device-mapper: thin:.*reached low water mark
+ C device-mapper: thin:.*no free space
+
+/var/log/auth.log
+ W sshd.*Corrupted MAC on input
+
+/var/log/kern.log
+ C panic
+ C Oops
+ W generic protection rip
+ W .*Unrecovered read error - auto reallocate failed
+
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg
new file mode 100644
index 00000000..3703b5e1
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg
@@ -0,0 +1,5 @@
+/var/log/syslog
+ C panic
+ C Oops
+ W generic protection rip
+ W .*Unrecovered read error - auto reallocate failed
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
index 9402de9b..4e3808eb 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
@@ -1,4 +1,3 @@
-/var/log/syslog
 C tapicero.*RestClient::InternalServerError:
 C tapicero.*RestClient::PreconditionFailed:
 C tapicero.*failed
diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
index 67db5a12..38514af2 100644
--- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp
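Review bot: With the `/var/log/syslog` header removed, tapicero.cfg is no longer a valid standalone mk_logwatch config (the plugin's `read_config` raises `Missing logfile names` for a pattern line with no preceding filename line), but nothing in the file says it is only a fragment that gets concatenated into `logwatch.d/syslog.cfg`. Since the plugin's `is_not_comment` skips `#` lines, a leading comment is safe and would prevent someone from deploying it as a `file` again: `# concat fragment for /etc/check_mk/logwatch.d/syslog.cfg (see site_check_mk::agent::logwatch::syslog) - not a standalone config`. The same holds for syslog.cfg, whose header line is what the fragments rely on.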
@@ -8,8 +8,27 @@ class site_check_mk::agent::logwatch {
 mode => '0755'
 }
+ # only config files that watch a distinct logfile should go in logwatch.d/
 file { '/etc/check_mk/logwatch.d':
- ensure => directory
+ ensure => directory,
+ recurse => true,
+ purge => true,
 }
+ # service that share a common logfile (i.e. /var/log/syslog) need to get
+ # concanated in one file, otherwise the last file sourced will override
+ # the config before
+ # see mk_logwatch: "logwatch.cfg overwrites config files in logwatch.d",
+ # https://leap.se/code/issues/5155
+
+ # first, we need to deploy a custom logwatch.cfg that doesn't include
+ # a section about /var/log/syslog
+
+ file { '/etc/check_mk/logwatch.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/logwatch.cfg',
+ require => Package['check_mk-agent-logwatch']
+ }
+
+ include concat::setup
+ include site_check_mk::agent::logwatch::syslog
 }
diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp
new file mode 100644
index 00000000..ac3dda64
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp
@@ -0,0 +1,13 @@
+class site_check_mk::agent::logwatch::syslog {
+
+ concat { '/etc/check_mk/logwatch.d/syslog.cfg':
+ warn => true
+ }
+
+ concat::fragment { 'syslog_header':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '01';
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
index 088900f4..dc785e52 100644
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
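Review bot: `recurse => true, purge => true` on `/etc/check_mk/logwatch.d` deletes every file in that directory that is not declared in the catalog, which is the right way to make the directory authoritative, but the comment above it only says which files belong there and not that unmanaged files are removed, nor that the `concat` target `syslog.cfg` survives only because concat declares it as a managed file. A comment such as `# purge removes any cfg not declared in the catalog; concat targets (syslog.cfg) count as managed` would keep someone from dropping a file in by hand and losing it on the next run. The new `/etc/check_mk/logwatch.cfg` resource is also the only one in this class that requires `Package['check_mk-agent-logwatch']`; the mk_logwatch plugin resource earlier in the class, outside this hunk, needs the same ordering. The class continues outside the hunk.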
@@ -1,7 +1,9 @@ class site_check_mk::agent::tapicero {
- file { '/etc/check_mk/logwatch.d/tapicero.cfg':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
+ concat::fragment { 'syslog_tapicero':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '02';
 }
 # local nagios plugin checks via mrpe
-- 
cgit v1.2.3

From ddc190489964008ffa085685e06b93a9e86c058b Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 25 Feb 2014 17:43:29 -0800
Subject: added a checkmk mode to the script `run_tests` (run with `run_tests --checkmk`. you can symlink `/srv/leap/bin/run_tests` script to anywhere if needed)

---
 bin/run_tests | 58 ++++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 44 insertions(+), 14 deletions(-)
diff --git a/bin/run_tests b/bin/run_tests
index a44fcdcf..ee517ae5 100755
--- a/bin/run_tests
+++ b/bin/run_tests
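Review bot: The new `concat::fragment` targets `/etc/check_mk/logwatch.d/syslog.cfg`, but this class neither includes `site_check_mk::agent::logwatch::syslog` nor declares any dependency on it, so the fragment is only valid when that class happens to reach the catalog through `site_check_mk::agent::logwatch`; a node that includes `site_check_mk::agent::tapicero` on its own would presumably fail with an unknown concat target. Adding `include site_check_mk::agent::logwatch::syslog` as the first statement of the class makes the dependency explicit and harmless to repeat. The class body continues outside the hunk.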
@@ -318,35 +318,57 @@ class LeapRunner < MiniTest::Unit end # - # override default status slightly + # override default status summary # def status(io = self.output) - format = "%d tests, %d assertions, %d passes, %d failures, %d errors, %d skips" - output.puts format % [test_count, assertion_count, passes, failures, errors, skips] + if $output_format == :human + format = "%d tests, %d assertions, %d passes, %d failures, %d errors, %d skips" + output.puts format % [test_count, assertion_count, passes, failures, errors, skips] + end end # # returns a string for a PASS, SKIP, or FAIL error # def report_line(prefix, klass, meth, e=nil, message=nil) + msg_txt = nil if message message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:password@") - indent = "\n " - msg_txt = indent + message.split("\n").join(indent) + if $output_format == :human + indent = "\n " + msg_txt = indent + message.split("\n").join(indent) + else + msg_txt = message.gsub("\n", ' ') + end end - if e && message - output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)} [#{File.basename(location(e))}]:#{msg_txt}" - elsif message - output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}:#{msg_txt}" - else - output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}" + + if $output_format == :human + if e && msg_txt + output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)} [#{File.basename(location(e))}]:#{msg_txt}" + elsif msg_txt + output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}:#{msg_txt}" + else + output.puts "#{prefix}: #{readable(klass.name)} > #{readable(meth)}" + end + # I don't understand at all why, but adding a very tiny sleep here will + sleep(0.0001) # keep lines from being joined together by the logger. output.flush doesn't. 
+ elsif $output_format == :checkmk + code = CHECKMK_CODES[prefix] + msg_txt ||= "Success" if prefix == "PASS" + if e && msg_txt + output.puts "#{code} #{klass.name}/#{machine_readable(meth)} - [#{File.basename(location(e))}]:#{msg_txt}" + elsif msg_txt + output.puts "#{code} #{klass.name}/#{machine_readable(meth)} - #{msg_txt}" + else + output.puts "#{code} #{klass.name}/#{machine_readable(meth)} - no message" + end end - # I don't understand at all why, but adding a very tiny sleep here will - sleep(0.0001) # keep lines from being joined together by the logger. output.flush doesn't. end private + CHECKMK_CODES = {"PASS" => 0, "SKIP" => 1, "FAIL" => 2, "ERROR" => 3} + # # Converts snake_case and CamelCase to something more pleasant for humans to read. # @@ -357,6 +379,11 @@ class LeapRunner < MiniTest::Unit sub(/^test (\d* )?/i, ''). downcase.capitalize end + + def machine_readable(str) + str.sub(/^test_(\d+_)?/i, '') + end + end ## @@ -402,7 +429,8 @@ else end # load all test classes -Dir[File.expand_path('../../tests/white-box/*.rb', __FILE__)].each do |test_file| +this_file = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ +Dir[File.expand_path('../../tests/white-box/*.rb', this_file)].each do |test_file| begin require test_file rescue SkipTest @@ -411,9 +439,11 @@ end # parse command line options $halt_on_failure = true +$output_format = :human loop do case ARGV[0] when '--continue' then ARGV.shift; $halt_on_failure = false + when '--checkmk' then ARGV.shift; $output_format = :checkmk; $halt_on_failure = false else break end end -- cgit v1.2.3 From 2c2091cbfbe7a65234e985b3d004b4c3ec73c560 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:00:17 +0100 Subject: create 'messages' db to store messages to the clients such as payment reminders reviewed by azul --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 8 ++++++++ 1 file changed, 8 insertions(+) 
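Review bot: `code = CHECKMK_CODES[prefix]` yields nil for any prefix not in the hash, so an unexpected prefix would emit a line with an empty status field that check_mk cannot parse; `code = CHECKMK_CODES.fetch(prefix, 3)` maps anything unknown to UNKNOWN instead. The credential redaction a few lines above now also feeds the checkmk output, yet it rewrites only the first match and only `http://`, so a message with two URLs or an `https://` URL still carries the password into the monitoring system; `message = message.gsub(%r{(https?://[a-z_]+:)[a-zA-Z0-9_]+@}, '\1password@')` covers both cases while keeping the scheme. report_line's enclosing class continues outside the hunk.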
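Review bot: `File.readlink(__FILE__)` resolves a single symlink level and returns the target exactly as stored, which may be a path relative to the link's own directory; `File.expand_path('../../tests/white-box/*.rb', this_file)` would then be resolved against the process's working directory, and a chain of symlinks is not followed at all. `this_file = File.realpath(__FILE__)` handles both the relative target and the chain in one call and also works when the script is not a symlink.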
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index b0ebca4d..41500d3a 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -59,4 +59,12 @@ class site_couchdb::create_dbs {
 members => "{ \"names\": [], \"roles\": [\"users\"] }",
 require => Couchdb::Query::Setup['localhost']
 }
+
+ ## messages db
+ ## store messages to the clients such as payment reminders
+ ## r/w: webapp
+ couchdb::create_db { 'messages':
+ members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }",
+ require => Couchdb::Query::Setup['localhost']
+ }
 }
-- 
cgit v1.2.3

From face1d929175b94e26ca11858e3b055873fdde92 Mon Sep 17 00:00:00 2001
From: Azul
Date: Wed, 26 Feb 2014 14:55:47 +0100
Subject: update design docs, include messages (#5188)

---
 .../site_couchdb/files/designs/messages/Message.json | 18 ++++++++++++++++++
 .../modules/site_couchdb/files/designs/users/User.json | 6 +++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_couchdb/files/designs/messages/Message.json
diff --git a/puppet/modules/site_couchdb/files/designs/messages/Message.json b/puppet/modules/site_couchdb/files/designs/messages/Message.json
new file mode 100644
index 00000000..7bcd74c7
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/designs/messages/Message.json
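Review bot: The `members` value for the `messages` database is a JSON security object assembled by string interpolation, and `$site_couchdb::couchdb_webapp_user` is interpolated without braces; if that user name ever contained a double quote or backslash the document would be malformed and the request would presumably be rejected, leaving the database without the intended `members` restriction. Writing it as `\"${site_couchdb::couchdb_webapp_user}\"` is the usual Puppet form for a qualified variable inside a string, and a short comment stating that the value must be a plain identifier documents the assumption the interpolation relies on. The class continues outside the hunk.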
@@ -0,0 +1,18 @@ +{ + "_id": "_design/Message", + "language": "javascript", + "views": { + "by_user_ids_to_show_and_created_at": { + "map": "// not using at moment\n// call with something like Message.by_user_ids_to_show_and_created_at.startkey([user_id, start_date]).endkey([user_id,end_date])\nfunction (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit([userId, doc.created_at], 1);\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_user_ids_to_show": { + "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Message') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "0967e7cc5bb1e61edc1c085f6f0cecbf" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json index c99666cb..4089ad97 100644 --- a/puppet/modules/site_couchdb/files/designs/users/User.json +++ b/puppet/modules/site_couchdb/files/designs/users/User.json 
@@ -9,10 +9,14 @@ "all": { "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" }, + "by_created_at_and_one_month_warning_not_sent": { + "map": "function (doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null) && (doc['one_month_warning_sent'] == null)) {\n emit(doc['created_at'], 1);\n } \n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, "by_created_at": { "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", "reduce": "_sum" } }, - "couchrest-hash": "3bdbcd85b928ad911e0c89a8924e015c" + "couchrest-hash": "61840ab3ec0f94ef8bbd6dd208db3b70" } \ No newline at end of file -- cgit v1.2.3 From e724a32316e9d183ec437a5dc2687ca547efdc75 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 26 Feb 2014 12:45:45 -0800 Subject: run_tests: added command line options --list-tests and --test (see --help) --- bin/run_tests | 125 ++++++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 100 insertions(+), 25 deletions(-) diff --git a/bin/run_tests b/bin/run_tests index ee517ae5..2336eba8 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -59,6 +59,20 @@ class LeapTest < MiniTest::Unit::TestCase @dependencies || [] end + # + # returns all the test classes, sorted in dependency order. + # + def self.test_classes + classes = ObjectSpace.each_object(Class).select {|test_class| + test_class.ancestors.include?(self) + } + return TestDependencyGraph.new(classes).sorted + end + + def self.tests + self.instance_methods.grep(/^test_/).sort + end + # # The default pass just does an `assert true`. In our case, we want to make the passes more explicit. # 
@@ -272,9 +286,16 @@ class LeapRunner < MiniTest::Unit # LeapTest._run # def _run args = [] - suites = LeapTest.send "test_suites" + if $pinned_test_class + suites = [$pinned_test_class] + if $pinned_test_method + options.merge!(:filter => $pinned_test_method.to_s) + end + else + suites = LeapTest.send "test_suites" + suites = TestDependencyGraph.new(suites).sorted + end output.sync = true - suites = TestDependencyGraph.new(suites).sorted results = _run_suites(suites, :test) @test_count = results.inject(0) { |sum, (tc, _)| sum + tc } @assertion_count = results.inject(0) { |sum, (_, ac)| sum + ac } 
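Review bot: When `$pinned_test_class` is set, the new branch of `_run` bypasses `TestDependencyGraph` entirely, so whatever `dependencies` the pinned class declares (the `@dependencies || []` accessor is visible in the previous hunk) are neither ordered nor executed, and `--test` can give a different result from a full run. Either pass the pinned class through the graph so its declared dependencies are pulled in, if `TestDependencyGraph` supports that, or state in the `--test` help text that dependencies are skipped. `options.merge!(:filter => $pinned_test_method.to_s)` hands MiniTest a plain String, which it compares with `===`, i.e. exact method-name equality rather than the `/regex/` form; a one-line comment saying this is deliberate would save the next reader a trip into MiniTest.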
@@ -418,36 +439,90 @@ class TestDependencyGraph end ## -## RUN THE TESTS +## COMMAND LINE ACTIONS ## -# load node data from hiera file -if File.exists?('/etc/leap/hiera.yaml') - $node = YAML.load_file('/etc/leap/hiera.yaml') -else - $node = {"services" => [], "dummy" => true} +def die(test, msg) + if $output_format == :human + puts "ERROR in test `#{test}`: #{msg}" + elsif $output_format == :checkmk + puts "3 #{test} - #{msg}" + end + exit(1) +end + +def print_help + puts ["USAGE: run_tests [OPTIONS]", + " --continue Don't halt on an error, but continue to the next test.", + " --checkmk Print test results in checkmk format (must come before --test).", + " --test TEST Run only the test with name TEST.", + " --list-tests Prints the names of all available tests and exit."].join("\n") + exit(0) end -# load all test classes -this_file = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ -Dir[File.expand_path('../../tests/white-box/*.rb', this_file)].each do |test_file| - begin - require test_file - rescue SkipTest +def list_tests + LeapTest.test_classes.each do |test_class| + test_class.tests.each do |test| + puts test_class.name + "/" + test.to_s.sub(/^test_(\d+_)?/, '') + end end + exit(0) end -# parse command line options -$halt_on_failure = true -$output_format = :human -loop do - case ARGV[0] - when '--continue' then ARGV.shift; $halt_on_failure = false - when '--checkmk' then ARGV.shift; $output_format = :checkmk; $halt_on_failure = false - else break +def pin_test_name(name) + test_class, test_name = name.split('/') + $pinned_test_class = LeapTest.test_classes.detect{|c| c.name == test_class} + unless $pinned_test_class + die name, "there is no test class `#{test_class}`" + end + if test_name + $pinned_test_method = $pinned_test_class.tests.detect{|m| m.to_s =~ /^test_(\d+_)?#{test_name}$/} + unless $pinned_test_method + die name, "there is no test `#{test_name}` in class `#{test_class}`" + end + end +end + +def run_tests + MiniTest::Unit.runner = 
LeapRunner.new + MiniTest::Unit.new.run +end + +## +## MAIN +## + +def main + # load node data from hiera file + if File.exists?('/etc/leap/hiera.yaml') + $node = YAML.load_file('/etc/leap/hiera.yaml') + else + $node = {"services" => [], "dummy" => true} + end + + # load all test classes + this_file = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ + Dir[File.expand_path('../../tests/white-box/*.rb', this_file)].each do |test_file| + begin + require test_file + rescue SkipTest + end + end + + # parse command line options + $halt_on_failure = true + $output_format = :human + loop do + case ARGV[0] + when '--continue' then ARGV.shift; $halt_on_failure = false; + when '--checkmk' then ARGV.shift; $output_format = :checkmk; $halt_on_failure = false + when '--help' then print_help + when '--test' then ARGV.shift; pin_test_name(ARGV.shift) + when '--list-tests' then list_tests + else break + end end + run_tests end -# run some tests already -MiniTest::Unit.runner = LeapRunner.new -MiniTest::Unit.new.run +main() \ No newline at end of file -- cgit v1.2.3 From 22fe74edaecbf8e9c76e74e7e74ce8a1cb8a629a Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 27 Feb 2014 09:04:53 -0800 Subject: fixed horrible bug that caused all environments to use the same couchdb soledad password. --- provider_base/services/soledad.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index fc349ce1..ed6fbc9f 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json 
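Review bot: `pin_test_name` interpolates the command-line value straight into a regex, `/^test_(\d+_)?#{test_name}$/`, so a name containing `.`, `+` or parentheses matches the wrong method or raises `RegexpError`; use `#{Regexp.escape(test_name)}` instead. The same function calls `name.split('/')` without checking that `--test` had an argument, so a trailing `--test` passes `nil` from `ARGV.shift` and fails with `NoMethodError` rather than the intended `die` message; guard it with `die '--test', 'missing TEST argument' if name.nil?`. `die` and `print_help` are new top-level methods without comments; a line on `die` noting that it honors `$output_format` so checkmk receives a parseable `3 ...` status line, and a comment in `main` explaining that `--checkmk` must precede `--test` for that reason, would make the ordering rule in the help text self-explanatory.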
@@ -2,7 +2,11 @@ "soledad": { "port": 2323, "require_couchdb": "=> assert %(services.include? 'couchdb')", - "couchdb_soledad_user": "= global.services[:couchdb].couch.users[:soledad]" + "couchdb_soledad_user": { + "username": "= global.services[:couchdb].couch.users[:soledad].username", + "password": "= secret :couch_soledad_password", + "salt": "= hex_secret :couch_soledad_password_salt, 128" + } }, "service_type": "public_service" } -- cgit v1.2.3 From 488022986a54f6031d4547701031c7b0017e729c Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 27 Feb 2014 09:04:53 -0800 Subject: fixed horrible bug that caused all environments to use the same couchdb soledad password. --- provider_base/services/soledad.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index fc349ce1..ed6fbc9f 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json @@ -2,7 +2,11 @@ "soledad": { "port": 2323, "require_couchdb": "=> assert %(services.include? 'couchdb')", - "couchdb_soledad_user": "= global.services[:couchdb].couch.users[:soledad]" + "couchdb_soledad_user": { + "username": "= global.services[:couchdb].couch.users[:soledad].username", + "password": "= secret :couch_soledad_password", + "salt": "= hex_secret :couch_soledad_password_salt, 128" + } }, "service_type": "public_service" } -- cgit v1.2.3 From f8e01ef3c5cc725a685f03869d8d821176181baa Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 25 Feb 2014 12:04:39 -0800 Subject: new monitor hosts rule: local environment monitors just see local machines, other monitors see the nodes from all environments (except local) --- provider_base/services/monitor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index 82c18745..03f6c6d1 100644 --- a/provider_base/services/monitor.json 
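Review bot: `couchdb_soledad_user.password` is now generated from `secret :couch_soledad_password`, but nothing in this hunk ties that secret to the password the couchdb service provisions for `couch.users[:soledad]`; if the couchdb side still derives its password from a different secret name, soledad will authenticate with a value couchdb never learned. Please confirm the couchdb users definition references the same `:couch_soledad_password` secret, and add a short note next to the `username` line pointing to where the matching password is set. The identical hunk appears twice on this page because the commit is listed twice; the note applies to both.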
+++ b/provider_base/services/monitor.json @@ -1,9 +1,9 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", - "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')" }, - "hosts": "= hosts_file(nodes_like_me)", + "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])", "ssh": { "monitor": { "username": "= Leap::Platform.monitor_username", -- cgit v1.2.3 From 2b875d23a3d2a53c9276dfee1a71085967dec4c0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Feb 2014 13:45:50 +0100 Subject: One monitor node for non-local environments and one for local environment (Feature #2981), wip also, use the configured ssh port for every node --- puppet/modules/site_check_mk/manifests/server.pp | 5 +++-- puppet/modules/site_check_mk/templates/use_ssh.mk | 5 +++-- puppet/modules/site_nagios/manifests/add_host_services.pp | 2 ++ puppet/modules/site_nagios/manifests/server.pp | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index e77862e5..4bbeb850 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp 
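Review bot: The node selection `self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']` is spelled out twice in this hunk, once inside `pick_fields(...)` and once across the two `hosts_file(...)` calls, so the `'!local'` rule has to be kept in sync by hand. If the macro language allows it, compute the set once and reference it from both keys; otherwise a comment above `nagios.hosts` stating the rule and naming the second occurrence would do. The field list now includes `ssh.port`, which the check_mk template in a later commit on this page reads as `config['ssh_port']`, so the flattening of dotted names to underscores is an assumption worth stating next to `pick_fields`.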
@@ -4,10 +4,11 @@ class site_check_mk::server { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $ssh_port = $ssh_hash['port'] $nagios_hiera = hiera_hash('nagios') - $hosts = $nagios_hiera['hosts'] + $nagios_hosts = $nagios_hiera['hosts'] + + $hosts = hiera_hash('hosts') $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') package { 'check-mk-server': diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk index 4c5523db..0bebebcf 100644 --- a/puppet/modules/site_check_mk/templates/use_ssh.mk +++ b/puppet/modules/site_check_mk/templates/use_ssh.mk @@ -1,5 +1,6 @@ # http://mathias-kettner.de/checkmk_datasource_programs.html datasource_programs = [ - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%= @ssh_port %> check_mk_agent", ALL_HOSTS ), -] +<% nagios_hosts.sort.each do |name,config| %> + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%=config['ssh_port']%> <%=config['domain_internal']%> check_mk_agent", [ "<%=config['domain_internal']%>" ], ),<%- end -%> +] diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp index 2d615ff1..279809d1 100644 --- a/puppet/modules/site_nagios/manifests/add_host_services.pp +++ b/puppet/modules/site_nagios/manifests/add_host_services.pp @@ -1,7 +1,9 @@ define site_nagios::add_host_services ( + $domain_full_suffix, $domain_internal, $ip_address, $services, + $ssh_port, $openvpn_gateway_address='' ) { $nagios_hostname = $domain_internal diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index ca38d7fc..9aae8ae8 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp 
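Review bot: `$hosts` now comes from `hiera_hash('hosts')` instead of `$nagios_hiera['hosts']`, but the `$all_hosts` template on the following line still indexes each entry with `["domain_internal"]`; whether the `hosts` hash produced by `hosts_file(...)` in `monitor.json` has that key is not visible here, so please confirm, otherwise the ALL_HOSTS list will be wrong or the template will fail. A comment above the new assignment, e.g. `# $hosts: hiera 'hosts' map (hosts_file); $nagios_hosts: nagios.hosts with ssh_port/domain fields`, would keep the two similarly named variables apart. The enclosing class body continues beyond the hunk.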
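Review bot: The new loop reads `nagios_hosts` as a bare name in `<% nagios_hosts.sort.each do |name,config| %>`, whereas the line it replaces used the instance-variable form `@ssh_port`; bare variable access in Puppet ERB templates is deprecated in Puppet 3 and removed in later releases, so write `@nagios_hosts`. `config['ssh_port']` and `config['domain_internal']` presumably are the flattened keys from `pick_fields('domain.internal', ..., 'ssh.port')` in `monitor.json`; a comment naming that source would make the contract explicit. The generated ssh command runs non-interactively as root with no host-key options, which is not new in this change, but a comment stating that the targets' host keys are expected to be pre-provisioned in the monitor's known_hosts would document the assumption.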
@@ -7,7 +7,7 @@ class site_nagios::server inherits nagios::base { $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $hosts = $nagios_hiera['hosts'] + $nagios_hosts = $nagios_hiera['hosts'] include nagios::defaults include nagios::base @@ -43,7 +43,7 @@ class site_nagios::server inherits nagios::base { group => 'nagios', } - create_resources ( site_nagios::add_host_services, $hosts ) + create_resources ( site_nagios::add_host_services, $nagios_hosts ) include site_nagios::server::apache include site_check_mk::server -- cgit v1.2.3 From 5372bba5dd503cb4fe9620bc342992c94863c8e6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 12:35:51 +0100 Subject: monitor connection attempts from disallowed bigcouch node --- puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg index 0911d09a..ee64b3c0 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg @@ -6,4 +6,5 @@ C rexi_DOWN,noproc C rexi_DOWN,noconnection C error + C Connection attempt from disallowed node W Shutting down group server -- cgit v1.2.3 From a81ce0750dbd5b000739e28279639e382ce347a2 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 12:36:36 +0100 Subject: don't use syslog for nagios log, cause it will clutter logwatch with false-positive warnings --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 61d9f2da..9bd3da28 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg 
@@ -251,7 +251,7 @@ log_archive_path=/var/log/nagios3/archives # If you want messages logged to the syslog facility, as well as the # Nagios log file set this option to 1. If not, set it to 0. -use_syslog=1 +use_syslog=0 -- cgit v1.2.3 From 59b09ce45333778619baca2bd4e34e5beba63584 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 13:55:15 +0100 Subject: we use logwatch now to check for bigcouch errors --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 9 --------- 1 file changed, 9 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index c954292a..cc166d42 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -3,13 +3,4 @@ class site_check_mk::agent::couchdb { file { '/etc/check_mk/logwatch.d/couchdb.cfg': source => 'puppet:///modules/site_check_mk/agent/logwatch/couchdb.cfg', } - - - # local custom checks - file { '/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh': - ensure => link, - target => '/srv/leap/couchdb/scripts/tests/check_bigcouch_errors.sh', - require => Vcsrepo['/srv/leap/couchdb/scripts'] - } - } -- cgit v1.2.3 From 299c059c239936901c4b234f78e89d99ce94e19c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 13:58:52 +0100 Subject: renamed logwatch/couchdb.cfg to logwatch/bigcouch.cfg --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 10 ++++++++++ puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg | 10 ---------- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 5 +++-- 3 files changed, 13 insertions(+), 12 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg new file mode 100644 index 00000000..ee64b3c0 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -0,0 +1,10 @@ +/opt/bigcouch/var/log/bigcouch.log + C Uncaught error in HTTP request: {exit, + C Uncaught error in HTTP request: {exit,normal} + C Uncaught error in HTTP request: {error, + C Response abnormally terminated: {nodedown, + C rexi_DOWN,noproc + C rexi_DOWN,noconnection + C error + C Connection attempt from disallowed node + W Shutting down group server diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg deleted file mode 100644 index ee64b3c0..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg +++ /dev/null @@ -1,10 +0,0 @@ -/opt/bigcouch/var/log/bigcouch.log - C Uncaught error in HTTP request: {exit, - C Uncaught error in HTTP request: {exit,normal} - C Uncaught error in HTTP request: {error, - C Response abnormally terminated: {nodedown, - C rexi_DOWN,noproc - C rexi_DOWN,noconnection - C error - C Connection attempt from disallowed node - W Shutting down group server diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index cc166d42..f2d286ca 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -1,6 +1,7 @@ class site_check_mk::agent::couchdb { - file { '/etc/check_mk/logwatch.d/couchdb.cfg': - source => 'puppet:///modules/site_check_mk/agent/logwatch/couchdb.cfg', + file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', } + } -- cgit v1.2.3 From 3df2e8761ce6c54f6914d24e7acd24634d43c44d Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 25 Feb 2014 14:00:47 +0100 Subject: added some error checking to logwatch/syslog.cfg --- puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg index 3703b5e1..52c479ef 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg @@ -1,5 +1,8 @@ /var/log/syslog C panic C Oops + I Error: Driver 'pcspkr' is already registered, aborting... + C Error + C error W generic protection rip W .*Unrecovered read error - auto reallocate failed -- cgit v1.2.3 From ee83c7227f64bab9a36ecbfd86049bc3153b3760 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 14:03:28 +0100 Subject: moved logwatch/tapicero.cfg to logwatch/syslog/tapicero.cfg --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 4 ++++ puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg | 4 ---- puppet/modules/site_check_mk/manifests/agent/tapicero.pp | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg new file mode 100644 index 00000000..4e3808eb --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -0,0 +1,4 @@ + C tapicero.*RestClient::InternalServerError: + C tapicero.*RestClient::PreconditionFailed: + C tapicero.*failed + W tapicero.*Couch stream ended unexpectedly. 
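Review bot: The new `C Error` and `C error` patterns match any syslog line containing that word, and since check_mk logwatch takes the first matching pattern in the file, they shadow the more specific `W .*Unrecovered read error - auto reallocate failed` line below them, which will now be reported as critical instead of warning. Either move the broad patterns to the end of the file or narrow them to the messages you actually want to catch, and keep the `I Error: Driver 'pcspkr' ...` ignore line above them as it is now, because it relies on the same first-match order. These patterns are regular expressions, so the `...` in the pcspkr line matches any three characters; harmless here, but a comment at the top of the file saying the patterns are regexes and order-sensitive would prevent surprises.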
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg deleted file mode 100644 index 4e3808eb..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg +++ /dev/null @@ -1,4 +0,0 @@ - C tapicero.*RestClient::InternalServerError: - C tapicero.*RestClient::PreconditionFailed: - C tapicero.*failed - W tapicero.*Couch stream ended unexpectedly. diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index dc785e52..369ed00b 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -1,7 +1,7 @@ class site_check_mk::agent::tapicero { concat::fragment { 'syslog_tapicero': - source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg', + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/tapicero.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '02'; } -- cgit v1.2.3 From 91365fb3b9b455253484fca6ffbc3dac8361e5b9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 15:11:56 +0100 Subject: check syslog for /usr/local/bin/couch-doc-update failures --- .../modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 2 ++ puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg new file mode 100644 index 00000000..5f8d5b95 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -0,0 +1,2 @@ + C /usr/local/bin/couch-doc-update.*failed + C /usr/local/bin/couch-doc-update.*ERROR 
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index f2d286ca..9456efcc 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -4,4 +4,10 @@ class site_check_mk::agent::couchdb { source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', } + concat::fragment { 'syslog_couchdb': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + } -- cgit v1.2.3 From 42512cc9428afcd7d949e373e75da4f0d9fc8086 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 16:02:53 +0100 Subject: check syslog for stunnel failures --- .../site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 3 +++ puppet/modules/site_check_mk/manifests/agent/stunnel.pp | 9 +++++++++ puppet/modules/site_stunnel/manifests/clients.pp | 2 ++ 3 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/stunnel.pp diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg new file mode 100644 index 00000000..31c229b7 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -0,0 +1,3 @@ +# check for stunnel failures + C stunnel:.*Connection refused + C stunnel:.*Connection reset by peer diff --git a/puppet/modules/site_check_mk/manifests/agent/stunnel.pp b/puppet/modules/site_check_mk/manifests/agent/stunnel.pp new file mode 100644 index 00000000..64022824 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/stunnel.pp 
@@ -0,0 +1,9 @@ +class site_check_mk::agent::stunnel { + + concat::fragment { 'syslog_stunnel': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/stunnel.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + +} diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 791fdbc5..837665a3 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -28,4 +28,6 @@ define site_stunnel::clients ( Class['Site_config::X509::Ca'] ]; } + + include site_check_mk::agent::stunnel } -- cgit v1.2.3 From 40b13221967368060773af008f791ca7a053d18d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 16:27:57 +0100 Subject: set /usr/lib/nagios/plugins/check_icmp to setuid root (Feature #5171) --- puppet/modules/site_check_mk/manifests/server.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 4bbeb850..0c98cd5a 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -44,6 +44,13 @@ class site_check_mk::server { content => "${type} ${pubkey} monitor", owner => 'nagios', mode => '0644'; + # check_icmp must be suid root or called by sudo + # see https://leap.se/code/issues/5171 + '/usr/lib/nagios/plugins/check_icmp': + mode => '4755', + require => Package['nagios-plugins-basic']; } + + include check_mk::agent::local_checks } -- cgit v1.2.3 From 0a6fbced6f2177464c000fc79a90c03171a3bcf6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 16:45:33 +0100 Subject: complete nagios monitoring for couchdb (Feature #2175) --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) 
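Review bot: The new `'/usr/lib/nagios/plugins/check_icmp'` resource sets `mode => '4755'` without pinning `owner`, so the setuid bit grants whatever account owns the file rather than necessarily root; add `owner => 'root'` beside the mode so a future ownership change cannot turn this into a setuid binary for another account. With `4755` every local user can execute the setuid plugin; if only the monitoring account needs it, `mode => '4754'` together with `group => 'nagios'` narrows that, though please verify which group the checks actually run as. The existing comment could also say that `require => Package['nagios-plugins-basic']` is what guarantees the file exists before the mode is applied, and that a package upgrade may reset the mode until the next puppet run.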
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 9456efcc..97e4a777 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -1,13 +1,25 @@ class site_check_mk::agent::couchdb { + # watch logs file { '/etc/check_mk/logwatch.d/bigcouch.cfg': source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', } - concat::fragment { 'syslog_couchdb': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '02'; } + + # check bigcouch processes + file_line { + 'Bigcouch_epmd_procs': + line => 'Bigcouch_epmd_procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd', + path => '/etc/check_mk/mrpe.cfg'; + 'Bigcouch_beam_procs': + line => 'Bigcouch_beam_procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam', + path => '/etc/check_mk/mrpe.cfg'; + } + + } -- cgit v1.2.3 From 5cc2e0d7a10c088d024bf0e5e4538b31a7d2844c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 17:19:36 +0100 Subject: nagios monitoring of haproxy nodes (Feature #2657) --- puppet/modules/site_check_mk/manifests/agent/haproxy.pp | 12 ++++++++++++ .../manifests/agent/package/nagios_plugins_contrib.pp | 5 +++++ puppet/modules/site_haproxy/files/haproxy-stats.cfg | 6 ++++++ puppet/modules/site_haproxy/manifests/init.pp | 7 +++++++ 4 files changed, 30 insertions(+) create mode 100644 puppet/modules/site_check_mk/manifests/agent/haproxy.pp create mode 100644 puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp create mode 100644 puppet/modules/site_haproxy/files/haproxy-stats.cfg diff --git a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp new file mode 100644 index 00000000..e7986db1 
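Review bot: Both new `file_line` resources hard-code the Erlang runtime path in `-a /opt/bigcouch/erts-5.9.1/bin/epmd` and `.../beam`; the next bigcouch release moves that directory and `check_procs` will then find zero matching processes, i.e. a critical alert for a non-problem. Hoist the version into one variable at the top of the class and document it: `# erts version is tied to the installed bigcouch package; update on upgrade`. `file_line` only appends when the exact line is absent, so editing `line` later leaves the old entry in `/etc/check_mk/mrpe.cfg` and check_mk will see two checks; adding `match => '^Bigcouch_epmd_procs '` (and the equivalent for beam) makes the resource replace rather than accumulate, and the same applies to the `haproxy` `file_line` in the next commit on this page.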
--- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp @@ -0,0 +1,12 @@ +class site_check_mk::agent::haproxy { + + include site_check_mk::agent::package::nagios_plugins_contrib + + # local nagios plugin checks via mrpe + file_line { + 'haproxy': + line => 'Haproxy /usr/lib/nagios/plugins/check_haproxy -u "http://localhost:8000/haproxy;csv"', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp b/puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp new file mode 100644 index 00000000..95a60d17 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp @@ -0,0 +1,5 @@ +class site_check_mk::agent::package::nagios_plugins_contrib { + package { 'nagios-plugins-contrib': + ensure => installed, + } +} diff --git a/puppet/modules/site_haproxy/files/haproxy-stats.cfg b/puppet/modules/site_haproxy/files/haproxy-stats.cfg new file mode 100644 index 00000000..e6335ba2 --- /dev/null +++ b/puppet/modules/site_haproxy/files/haproxy-stats.cfg @@ -0,0 +1,6 @@ +# provide access to stats for the nagios plugin +listen stats 127.0.0.1:8000 + mode http + stats enable + stats uri /haproxy + diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 602e26be..1a681373 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -22,4 +22,11 @@ class site_haproxy { } } + # monitor haproxy + concat::fragment { 'stats': + target => '/etc/haproxy/haproxy.cfg', + order => '90', + source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg'; + } + include site_check_mk::agent::haproxy } -- cgit v1.2.3 From 835d1f9699507e9e40cae32ffc90940e26bed3ee Mon Sep 17 00:00:00 2001 
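Review bot: The new `listen stats 127.0.0.1:8000` section enables the statistics page with `stats enable` / `stats uri /haproxy` but no `stats auth`, so any local process, not only the nagios plugin, can read backend names, addresses and health state from the loopback socket. Binding to 127.0.0.1 is the right first step; if the plugin supports HTTP basic auth, add `stats auth` with a credential managed by puppet, and otherwise extend the comment to say the endpoint is intentionally unauthenticated and loopback-only so the decision is visible. The comment should also note that `check_haproxy` in `site_check_mk::agent::haproxy` depends on this exact port and uri, since changing either here silently breaks the check.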
From: varac Date: Tue, 25 Feb 2014 17:58:48 +0100 Subject: nagios: check open files for bigcouch process (Feature #4965) --- .../agent/nagios_plugins/check_unix_open_fds.pl | 322 +++++++++++++++++++++ puppet/modules/site_check_mk/manifests/agent.pp | 4 + .../site_check_mk/manifests/agent/couchdb.pp | 11 + .../manifests/agent/package/perl_plugin.pp | 5 + 4 files changed, 342 insertions(+) create mode 100755 puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl create mode 100644 puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp diff --git a/puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl b/puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl new file mode 100755 index 00000000..06163d49 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl 
@@ -0,0 +1,322 @@ +#!/usr/bin/perl -w + +# check_unix_open_fds Nagios Plugin +# +# TComm - Carlos Peris Pla +# +# This nagios plugin is free software, and comes with ABSOLUTELY +# NO WARRANTY. It may be used, redistributed and/or modified under +# the terms of the GNU General Public Licence (see +# http://www.fsf.org/licensing/licenses/gpl.txt). + + +# MODULE DECLARATION + +use strict; +use Nagios::Plugin; + + +# FUNCTION DECLARATION + +sub CreateNagiosManager (); +sub CheckArguments (); +sub PerformCheck (); + + +# CONSTANT DEFINITION + +use constant NAME => 'check_unix_open_fds'; +use constant VERSION => '0.1b'; +use constant USAGE => "Usage:\ncheck_unix_open_fds -w -c \n". + "\t\t[-V ]\n"; +use constant BLURB => "This plugin checks, in UNIX systems with the command lsof installed and with its SUID bit activated, the number\n". + "of file descriptors opened by an application and its processes.\n"; +use constant LICENSE => "This nagios plugin is free software, and comes with ABSOLUTELY\n". + "no WARRANTY. It may be used, redistributed and/or modified under\n". + "the terms of the GNU General Public Licence\n". + "(see http://www.fsf.org/licensing/licenses/gpl.txt).\n"; +use constant EXAMPLE => "\n\n". + "Example:\n". + "\n". + "check_unix_open_fds -a /usr/local/nagios/bin/ndo2db -w 20,75 -c 25,85\n". + "\n". + "It returns CRITICAL if number of file descriptors opened by ndo2db is higher than 85,\n". + "if not it returns WARNING if number of file descriptors opened by ndo2db is higher \n". + "than 75, if not it returns CRITICAL if number of file descriptors opened by any process\n". + "of ndo2db is higher than 25, if not it returns WARNING if number of file descriptors \n". + "opened by any process of ndo2db is higher than 20.\n". 
+ "In other cases it returns OK if check has been performed succesfully.\n\n"; + + +# VARIABLE DEFINITION + +my $Nagios; +my $Error; +my $PluginResult; +my $PluginOutput; +my @WVRange; +my @CVRange; + + +# MAIN FUNCTION + +# Get command line arguments +$Nagios = &CreateNagiosManager(USAGE, VERSION, BLURB, LICENSE, NAME, EXAMPLE); +eval {$Nagios->getopts}; + +if (!$@) { + # Command line parsed + if (&CheckArguments($Nagios, \$Error, \@WVRange, \@CVRange)) { + # Argument checking passed + $PluginResult = &PerformCheck($Nagios, \$PluginOutput, \@WVRange, \@CVRange) + } + else { + # Error checking arguments + $PluginOutput = $Error; + $PluginResult = UNKNOWN; + } + $Nagios->nagios_exit($PluginResult,$PluginOutput); +} +else { + # Error parsing command line + $Nagios->nagios_exit(UNKNOWN,$@); +} + + + +# FUNCTION DEFINITIONS + +# Creates and configures a Nagios plugin object +# Input: strings (usage, version, blurb, license, name and example) to configure argument parsing functionality +# Return value: reference to a Nagios plugin object + +sub CreateNagiosManager() { + # Create GetOpt object + my $Nagios = Nagios::Plugin->new(usage => $_[0], version => $_[1], blurb => $_[2], license => $_[3], plugin => $_[4], extra => $_[5]); + + # Add argument units + $Nagios->add_arg(spec => 'application|a=s', + help => 'Application path for which you want to check the number of open file descriptors', + required => 1); + + # Add argument warning + $Nagios->add_arg(spec => 'warning|w=s', + help => "Warning thresholds. Format: ", + required => 1); + # Add argument critical + $Nagios->add_arg(spec => 'critical|c=s', + help => "Critical thresholds. 
Format: ", + required => 1); + + # Return value + return $Nagios; +} + + +# Checks argument values and sets some default values +# Input: Nagios Plugin object +# Output: reference to Error description string, Memory Unit, Swap Unit, reference to WVRange ($_[4]), reference to CVRange ($_[5]) +# Return value: True if arguments ok, false if not + +sub CheckArguments() { + my ($Nagios, $Error, $WVRange, $CVRange) = @_; + my $commas; + my $units; + my $i; + my $firstpos; + my $secondpos; + + # Check Warning thresholds list + $commas = $Nagios->opts->warning =~ tr/,//; + if ($commas !=1){ + ${$Error} = "Invalid Warning list format. One comma is expected."; + return 0; + } + else{ + $i=0; + $firstpos=0; + my $warning=$Nagios->opts->warning; + while ($warning =~ /[,]/g) { + $secondpos=pos $warning; + if ($secondpos - $firstpos==1){ + @{$WVRange}[$i] = "~:"; + } + else{ + @{$WVRange}[$i] = substr $Nagios->opts->warning, $firstpos, ($secondpos-$firstpos-1); + } + $firstpos=$secondpos; + $i++ + } + if (length($Nagios->opts->warning) - $firstpos==0){#La coma es el ultimo elemento del string + @{$WVRange}[$i] = "~:"; + } + else{ + @{$WVRange}[$i] = substr $Nagios->opts->warning, $firstpos, (length($Nagios->opts->warning)-$firstpos); + } + + if (@{$WVRange}[0] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/){ + ${$Error} = "Invalid Process Warning threshold in ${$WVRange[0]}"; + return 0; + }if (@{$WVRange}[1] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/){ + ${$Error} = "Invalid Application Warning threshold in ${$WVRange[1]}"; + return 0; + } + } + + # Check Critical thresholds list + $commas = $Nagios->opts->critical =~ tr/,//; + if ($commas !=1){ + ${$Error} = "Invalid Critical list format. 
One comma is expected."; + return 0; + } + else{ + $i=0; + $firstpos=0; + my $critical=$Nagios->opts->critical; + while ($critical =~ /[,]/g) { + $secondpos=pos $critical ; + if ($secondpos - $firstpos==1){ + @{$CVRange}[$i] = "~:"; + } + else{ + @{$CVRange}[$i] =substr $Nagios->opts->critical, $firstpos, ($secondpos-$firstpos-1); + } + $firstpos=$secondpos; + $i++ + } + if (length($Nagios->opts->critical) - $firstpos==0){#La coma es el ultimo elemento del string + @{$CVRange}[$i] = "~:"; + } + else{ + @{$CVRange}[$i] = substr $Nagios->opts->critical, $firstpos, (length($Nagios->opts->critical)-$firstpos); + } + + if (@{$CVRange}[0] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/) { + ${$Error} = "Invalid Process Critical threshold in @{$CVRange}[0]"; + return 0; + } + if (@{$CVRange}[1] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/) { + ${$Error} = "Invalid Application Critical threshold in @{$CVRange}[1]"; + return 0; + } + } + + return 1; +} + + +# Performs whole check: +# Input: Nagios Plugin object, reference to Plugin output string, Application, referece to WVRange, reference to CVRange +# Output: Plugin output string +# Return value: Plugin return value + +sub PerformCheck() { + my ($Nagios, $PluginOutput, $WVRange, $CVRange) = @_; + my $Application; + my @AppNameSplitted; + my $ApplicationName; + my $PsCommand; + my $PsResult; + my @PsResultLines; + my $ProcLine; + my $ProcPid; + my $LsofCommand; + my $LsofResult; + my $ProcCount = 0; + my $FDCount = 0; + my $ProcFDAvg = 0; + my $PerProcMaxFD = 0; + my $ProcOKFlag = 0; + my $ProcWarningFlag = 0; + my $ProcCriticalFlag = 0; + my $OKFlag = 0; + my $WarningFlag = 0; + my $CriticalFlag = 0; + my $LastWarningProcFDs = 0; + my $LastWarningProc = -1; + my $LastCriticalProcFDs = 0; + my $LastCriticalProc = -1; + my $ProcPluginReturnValue = UNKNOWN; + my $AppPluginReturnValue = UNKNOWN; + my $PluginReturnValue = UNKNOWN; + my $PerformanceData = ""; + my $PerfdataUnit = "FDs"; + + $Application = $Nagios->opts->application; + $PsCommand = "ps -eaf 
| grep $Application"; + $PsResult = `$PsCommand`; + @AppNameSplitted = split(/\//, $Application); + $ApplicationName = $AppNameSplitted[$#AppNameSplitted]; + @PsResultLines = split(/\n/, $PsResult); + if ( $#PsResultLines > 1 ) { + foreach my $Proc (split(/\n/, $PsResult)) { + if ($Proc !~ /check_unix_open_fds/ && $Proc !~ / grep /) { + $ProcCount += 1; + $ProcPid = (split(/\s+/, $Proc))[1]; + $LsofCommand = "lsof -p $ProcPid | wc -l"; + $LsofResult = `$LsofCommand`; + $LsofResult = ($LsofResult > 0 ) ? ($LsofResult - 1) : 0; + $FDCount += $LsofResult; + if ($LsofResult >= $PerProcMaxFD) { $PerProcMaxFD = $LsofResult; } + $ProcPluginReturnValue = $Nagios->check_threshold(check => $LsofResult,warning => @{$WVRange}[0],critical => @{$CVRange}[0]); + if ($ProcPluginReturnValue eq OK) { + $ProcOKFlag = 1; + } + elsif ($ProcPluginReturnValue eq WARNING) { + $ProcWarningFlag = 1; + if ($LsofResult >= $LastWarningProcFDs) { + $LastWarningProcFDs = $LsofResult; + $LastWarningProc = $ProcPid; + } + } + #if ($LsofResult >= $PCT) { + elsif ($ProcPluginReturnValue eq CRITICAL) { + $ProcCriticalFlag = 1; + if ($LsofResult >= $LastCriticalProcFDs) { + $LastCriticalProcFDs = $LsofResult; + $LastCriticalProc = $ProcPid; + } + } + } + } + if ($ProcCount) { $ProcFDAvg = int($FDCount / $ProcCount); } + $AppPluginReturnValue = $Nagios->check_threshold(check => $FDCount,warning => @{$WVRange}[1],critical => @{$CVRange}[1]); + #if ($FDCount >= $TWT) { + if ($AppPluginReturnValue eq OK) { $OKFlag = 1; } + elsif ($AppPluginReturnValue eq WARNING) { $WarningFlag = 1; } + elsif ($AppPluginReturnValue eq CRITICAL) { $CriticalFlag = 1; } + + # PluginReturnValue and PluginOutput + if ($CriticalFlag) { + $PluginReturnValue = CRITICAL; + ${$PluginOutput} .= "$ApplicationName handling $FDCount files (critical threshold set to @{$CVRange}[1])"; + } + elsif ($WarningFlag) { + $PluginReturnValue = WARNING; + ${$PluginOutput} .= "$ApplicationName handling $FDCount files (warning threshold set to 
@{$WVRange}[1])"; + } + elsif ($ProcCriticalFlag) { + $PluginReturnValue = CRITICAL; + ${$PluginOutput} .= "Process ID $LastCriticalProc handling $LastCriticalProcFDs files (critical threshold set to @{$CVRange}[0])"; + } + elsif ($ProcWarningFlag) { + $PluginReturnValue = WARNING; + ${$PluginOutput} .= "Process ID $LastWarningProc handling $LastWarningProcFDs files (warning threshold set to @{$WVRange}[0])"; + } + elsif ($OKFlag && $ProcOKFlag) { + $PluginReturnValue = OK; + ${$PluginOutput} .= "$ApplicationName handling $FDCount files"; + } + } + else { + ${$PluginOutput} .= "No existe la aplicacion $ApplicationName"; + } + + + $PerformanceData .= "ProcCount=$ProcCount$PerfdataUnit FDCount=$FDCount$PerfdataUnit ProcFDAvg=$ProcFDAvg$PerfdataUnit PerProcMaxFD=$PerProcMaxFD$PerfdataUnit"; + + # Output with performance data: + ${$PluginOutput} .= " | $PerformanceData"; + + return $PluginReturnValue; +} diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index a29923c1..efb05b37 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -14,6 +14,10 @@ class site_check_mk::agent { register_agent => false } + file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: + ensure => directory, + } + include site_check_mk::agent::mrpe include site_check_mk::agent::logwatch } diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 97e4a777..01e2b886 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp 
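Review bot: The `file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: ensure => directory }` resource in agent.pp sets no `owner`, `group` or `mode`, so if either directory already exists with other ownership Puppet leaves it as is; the plugin file placed in that tree by the couchdb.pp hunk of the next commit has `mode => '0755'` but likewise no owner. Since the mrpe line in that same commit executes `/srv/leap/nagios/plugins/check_unix_open_fds.pl` from the agent, the write side of both resources should be pinned: `owner => 'root', group => 'root', mode => '0755',`.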
@@ -21,5 +21,16 @@ class site_check_mk::agent::couchdb { path => '/etc/check_mk/mrpe.cfg'; } + # check open files for bigcouch proc + include site_check_mk::agent::package::perl_plugin + file { '/srv/leap/nagios/plugins/check_unix_open_fds.pl': + source => 'puppet:///modules/site_check_mk/agent/nagios_plugins/check_unix_open_fds.pl', + mode => '0755' + } + file_line { + 'Bigcouch_open_files': + line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 750,750 -c 1000,1000', + path => '/etc/check_mk/mrpe.cfg'; + } } diff --git a/puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp b/puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp new file mode 100644 index 00000000..4feda375 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp @@ -0,0 +1,5 @@ +class site_check_mk::agent::package::perl_plugin { + package { 'libnagios-plugin-perl': + ensure => installed, + } +} -- cgit v1.2.3 From 0daa46300cddc6c56e07b42c131852e839235a7f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 14:02:39 +0100 Subject: ignore logwatch pattern for tapicero: 412 Precondition Failed while creating user db (Bug #5168) --- .../modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 4e3808eb..9983d27c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg 
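Review bot: The mrpe line passes `-a beam` to the plugin, and in the plugin body shown above that value is interpolated verbatim into `ps -eaf | grep $Application` with no anchoring or word boundary, so every process whose full `ps` line contains "beam" is counted and gets `lsof -p` run against it, not only bigcouch; the `750,750`/`1000,1000` thresholds then depend on whatever else is running on the host. A more specific string, such as the full path of the bigcouch `beam` binary (`-a <path-to-bigcouch-beam>`, placeholder), narrows the match, and the plugin itself would be more robust reading `ps -eo pid,args` and matching in Perl rather than building the pipeline as a shell string. The plugin's enclosing hunk begins before this chunk, so its header and the `$PsCommand` line cannot be reviewed in context here.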
@@ -1,4 +1,7 @@ C tapicero.*RestClient::InternalServerError: - C tapicero.*RestClient::PreconditionFailed: +# possible race condition between multiple tapicero +# instances, so we ignore it +# see https://leap.se/code/issues/5168 + I tapicero.*RestClient::PreconditionFailed: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From 877e6daa7e281c27114759482879e6f8c6903283 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 14:08:48 +0100 Subject: ignore logwatch pattern 'sunnel: SSL_shutdown: Connection reset by peer' --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index 31c229b7..cf7ebca8 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -1,3 +1,5 @@ # check for stunnel failures C stunnel:.*Connection refused - C stunnel:.*Connection reset by peer +# this is a temporary failure and happens very often, so we +# ignore it + I stunnel:.*Connection reset by peer -- cgit v1.2.3 From 5b15447055de66f30bc7f036a588dec4638b9a7d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 14:52:04 +0100 Subject: check syslog for webapp errors --- .../modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg | 2 ++ puppet/modules/site_check_mk/manifests/agent/webapp.pp | 9 +++++++++ puppet/modules/site_webapp/manifests/init.pp | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/webapp.pp 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg new file mode 100644 index 00000000..14fcf34a --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg @@ -0,0 +1,2 @@ +# check for webapp errors + C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."} diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp new file mode 100644 index 00000000..dc2baf19 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -0,0 +1,9 @@ +class site_check_mk::agent::webapp { + + concat::fragment { 'syslog_webapp': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/webapp.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f8216aa4..d02a7261 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -157,5 +157,5 @@ class site_webapp { } include site_shorewall::webapp - + include site_check_mk::agent::webapp } -- cgit v1.2.3 From fa75c9406b1c4cfeccca046ba01d108b681e53fe Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:20:34 +0100 Subject: ignore RoutingErrors that rails throw when it can't handle a url (#5173) --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg index 14fcf34a..00f9c7fd 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg 
@@ -1,2 +1,5 @@ # check for webapp errors C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."} +# ignore RoutingErrors that rails throw when it can't handle a url +# see https://leap.se/code/issues/5173 + I webapp.*ActionController::RoutingError -- cgit v1.2.3 From fdb0e27d6df35b511e4883becf3bc2afb945550b Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:30:54 +0100 Subject: check syslog for 'Undefined' logpattern --- puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg index 52c479ef..f3505c1c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg @@ -1,4 +1,5 @@ /var/log/syslog +# some general patterns C panic C Oops I Error: Driver 'pcspkr' is already registered, aborting... @@ -6,3 +7,6 @@ C error W generic protection rip W .*Unrecovered read error - auto reallocate failed +# 401 Unauthorized error logged by webapp and possible other +# applications + C Unauthorized -- cgit v1.2.3 From 66cc1345c3af4e814d98c8e4b90d90158ac9d399 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:53:12 +0100 Subject: ignore valid log patterns from bigcouch.log --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index ee64b3c0..a1eb1312 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg 
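Review bot: Classifying `ActionController::RoutingError` as `I` drops those lines from logwatch entirely, and in webapp.cfg they are the only record of requests for paths the application does not serve, which is the same signal a probe of the webapp leaves behind. If the goal is only to stop paging on them, `O webapp.*ActionController::RoutingError` keeps them in the logwatch service output at OK state without raising an alert. Because logwatch applies the first matching pattern, this line also has to stay above any broader `C webapp.*` pattern added later in the file.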
@@ -8,3 +8,8 @@ C error C Connection attempt from disallowed node W Shutting down group server +# ignore requests that are fine + I undefined - -.*200$ + I undefined - -.*201$ + I 127.0.0.1 undefined.* ok + I 127.0.0.1 localhost:5984 .* ok -- cgit v1.2.3 From 8882880d5959f14a7edb94ca95ebcdd15cbc3f51 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 13:27:00 +0100 Subject: provide nagios_test_pw in hiera files --- provider_base/services/couchdb.json | 3 +++ provider_base/services/webapp.json | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 0cb044ef..5f1b5381 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -48,6 +48,9 @@ "password": "= secret :couch_webapp_password", "salt": "= hex_secret :couch_webapp_password_salt, 128" } + }, + "webapp": { + "nagios_test_pw": "= secret :nagios_test_password" } } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 08c7c5b0..b1f03f06 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -15,7 +15,8 @@ "source": "https://leap.se/git/leap_web", "revision": "origin/master" }, - "client_version": "= global.provider.client_version" + "client_version": "= global.provider.client_version", + "nagios_test_pw": "= secret :nagios_test_password" }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" -- cgit v1.2.3 From 2887bbbac9f350c0912e3b2bf8fd643994eaee84 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 16:41:05 +0100 Subject: include "127.0.1.1 @domain_public @api['domain']" in /etc/hosts for nagios webapp log check --- puppet/modules/site_config/manifests/hosts.pp | 1 + puppet/modules/site_config/templates/hosts | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index a3ce0c1f..e5d4dd70 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,6 +3,7 @@ class site_config::hosts() { $hostname = hiera('name') $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] + $api = hiera('api', '') file { '/etc/hostname': ensure => present, diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c0a2740f..bfcabaa5 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,7 +1,8 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> +127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <% if (defined? @services) and (@services.include? 'webapp') -%><%= @domain_public %> <%= @api['domain'] %><% end -%> + <%- if @hosts then -%> <% @hosts.keys.sort.each do |name| -%> -- cgit v1.2.3 From 66f44f61c0279cac22f121f14376b99f57fe20aa Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 18:01:10 +0100 Subject: include nagios_test user credentials in webapp hiera files --- provider_base/services/webapp.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index b1f03f06..d6a1e198 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
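Review bot: `$api = hiera('api', '')` in hosts.pp defaults to a string, while the hosts template indexes it as a hash (`@api['domain']`); on a node without an `api` key that expression becomes Ruby's `String#[]` and silently yields nothing instead of an error. The `@services.include? 'webapp'` guard presumably keeps non-webapp nodes from reaching it, but `services` is not set in this class, so the template relies on a variable from an outer scope. `$api = hiera('api', {})` keeps the type consistent, and the template could test `@api['domain']` before emitting it so a webapp node with an incomplete `api` entry does not get a 127.0.1.1 line missing the API name.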
@@ -16,7 +16,10 @@ "revision": "origin/master" }, "client_version": "= global.provider.client_version", - "nagios_test_pw": "= secret :nagios_test_password" + "nagios_test_user": { + "username": "nagios_test", + "password": "= secret :nagios_test_password" + } }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" -- cgit v1.2.3 From 2209afd630a75335e26516c6d9fa1c796bca8a49 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 18:01:34 +0100 Subject: check webapp login (Feature #5172) --- puppet/modules/site_check_mk/manifests/agent/webapp.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index dc2baf19..48fa0828 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -1,5 +1,14 @@ class site_check_mk::agent::webapp { + # check webapp login + package { 'python-srp': ensure => installed } + file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': + ensure => link, + target => '/srv/leap/webapp/test/nagios/webapp_login.py' + } + + + # check syslog concat::fragment { 'syslog_webapp': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/webapp.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', -- cgit v1.2.3 From d2b3a5827bfec4e505484e84ece024a768d20cfa Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 27 Feb 2014 11:57:54 -0800 Subject: fixed more places where passwords were set to the wrong environment. --- provider_base/services/mx.json | 6 +++++- provider_base/services/webapp.json | 12 ++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index d57c3168..7e3f20ba 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json 
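Review bot: `nagios_test_pw` is replaced here by a `nagios_test_user` object in webapp.json, but the `webapp.nagios_test_pw` key added to couchdb.json two commits earlier is not updated, so the two service files now expose the same secret under different key names. Unless a consumer still reads the old name, couchdb.json should use the same `nagios_test_user` structure (or drop the key) to keep one spelling of this credential across hiera.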
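Review bot: `/usr/lib/check_mk_agent/local/nagios-webapp_login.py` is installed as a symlink to `/srv/leap/webapp/test/nagios/webapp_login.py`, so a script maintained inside the webapp deployment tree is executed by the check_mk agent, which commonly runs as root under xinetd. Anyone able to write to `/srv/leap/webapp` — the deploy user, if that is not root — can then change what runs with the agent's privileges, and Puppet does not manage the content or ownership of that target. Copying the file into place with `owner => 'root', group => 'root', mode => '0755'` (or at minimum managing the target's ownership) keeps the trust boundary at the agent directory.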
@@ -5,7 +5,11 @@ "haproxy": { "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" }, - "couchdb_leap_mx_user": "= global.services[:couchdb].couch.users[:leap_mx]", + "couchdb_leap_mx_user": { + "username": "= global.services[:couchdb].couch.users[:leap_mx].username", + "password": "= secret :couch_leap_mx_password", + "salt": "= hex_secret :couch_leap_mx_password_salt, 128" + }, "mx_nodes": "= nodes['services' => 'mx']['environment' => '!local'].field('ip_address')", "x509": { "use": true, diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 08c7c5b0..8974f851 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -2,7 +2,11 @@ "webapp": { "admins": [], "modules": ["user", "billing", "help"], - "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", + "couchdb_webapp_user": { + "username": "= global.services[:couchdb].couch.users[:webapp].username", + "password": "= secret :couch_webapp_password", + "salt": "= hex_secret :couch_webapp_password_salt, 128" + }, "customization_dir": "= file_path 'webapp'", "client_certificates": "= global.provider.ca.client_certificates", "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", @@ -36,7 +40,11 @@ }, "nickserver": { "domain": "= 'nicknym.' + domain.full_suffix", - "couchdb_nickserver_user": "= global.services[:couchdb].couch.users[:nickserver]", + "couchdb_nickserver_user": { + "username": "= global.services[:couchdb].couch.users[:nickserver].username", + "password": "= secret :couch_nickserver_password", + "salt": "= hex_secret :couch_nickserver_password_salt, 128" + }, "port": 6425 }, "dns": { -- cgit v1.2.3 From e8cd9ab2d4480aa7c16d15f5db664fa650d4c655 Mon Sep 17 00:00:00 2001 
From: elijah Date: Thu, 27 Feb 2014 11:57:54 -0800 Subject: fixed more places where passwords were set to the wrong environment. --- provider_base/services/mx.json | 6 +++++- provider_base/services/webapp.json | 12 ++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index d57c3168..7e3f20ba 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -5,7 +5,11 @@ "haproxy": { "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" }, - "couchdb_leap_mx_user": "= global.services[:couchdb].couch.users[:leap_mx]", + "couchdb_leap_mx_user": { + "username": "= global.services[:couchdb].couch.users[:leap_mx].username", + "password": "= secret :couch_leap_mx_password", + "salt": "= hex_secret :couch_leap_mx_password_salt, 128" + }, "mx_nodes": "= nodes['services' => 'mx']['environment' => '!local'].field('ip_address')", "x509": { "use": true, diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 08c7c5b0..8974f851 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -2,7 +2,11 @@ "webapp": { "admins": [], "modules": ["user", "billing", "help"], - "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", + "couchdb_webapp_user": { + "username": "= global.services[:couchdb].couch.users[:webapp].username", + "password": "= secret :couch_webapp_password", + "salt": "= hex_secret :couch_webapp_password_salt, 128" + }, "customization_dir": "= file_path 'webapp'", "client_certificates": "= global.provider.ca.client_certificates", "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", 
@@ -36,7 +40,11 @@ }, "nickserver": { "domain": "= 'nicknym.' + domain.full_suffix", - "couchdb_nickserver_user": "= global.services[:couchdb].couch.users[:nickserver]", + "couchdb_nickserver_user": { + "username": "= global.services[:couchdb].couch.users[:nickserver].username", + "password": "= secret :couch_nickserver_password", + "salt": "= hex_secret :couch_nickserver_password_salt, 128" + }, "port": 6425 }, "dns": { -- cgit v1.2.3 From 2630c998af6e4d03c3bcc3f4566093aed533dd0c Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 22:57:23 +0100 Subject: leap_mx: watch /var/mail/vmail/Maildir instead of /var/mail/vmai (Feature #5223) --- puppet/modules/leap_mx/templates/mx.conf.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb index bf1e6421..e05bc150 100644 --- a/puppet/modules/leap_mx/templates/mx.conf.erb +++ b/puppet/modules/leap_mx/templates/mx.conf.erb @@ -1,5 +1,5 @@ [mail1] -path=/var/mail/vmail +path=/var/mail/vmail/Maildir recursive=True [couchdb] @@ -12,4 +12,4 @@ port=<%= @couchdb_port %> port=4242 [check recipient] -port=2244 \ No newline at end of file +port=2244 -- cgit v1.2.3 From 89c5fd126f73dff0bd4258ec51ad03f523d64ade Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 00:40:07 +0100 Subject: install more needed packages for webapp login check --- puppet/modules/site_check_mk/manifests/agent/webapp.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index 48fa0828..932d6bb9 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp 
@@ -1,7 +1,9 @@ class site_check_mk::agent::webapp { # check webapp login - package { 'python-srp': ensure => installed } + package { [ 'python-srp', 'python-requests', 'python-yaml' ]: + ensure => installed + } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': ensure => link, target => '/srv/leap/webapp/test/nagios/webapp_login.py' -- cgit v1.2.3 From 08f0fa4c8b1853db04835f407350c052ccfdb3d8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 00:41:44 +0100 Subject: don't displa ycontext for errors in bigcouch.log (reported too many context lines), ignore patterns first --- .../modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index a1eb1312..92c5eb5a 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -1,4 +1,9 @@ -/opt/bigcouch/var/log/bigcouch.log +/opt/bigcouch/var/log/bigcouch.log nocontext=1 +# ignore requests that are fine + I undefined - -.*200$ + I undefined - -.*201$ + I 127.0.0.1 undefined.* ok + I 127.0.0.1 localhost:5984 .* ok C Uncaught error in HTTP request: {exit, C Uncaught error in HTTP request: {exit,normal} C Uncaught error in HTTP request: {error, @@ -8,8 +13,3 @@ C error C Connection attempt from disallowed node W Shutting down group server -# ignore requests that are fine - I undefined - -.*200$ - I undefined - -.*201$ - I 127.0.0.1 undefined.* ok - I 127.0.0.1 localhost:5984 .* ok -- cgit v1.2.3 From f802fcdc7396d8a3b804be6480adb8611638f2c0 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 28 Feb 2014 01:18:33 +0100 Subject: Make leap_cli tests accessible for check_mk (Feature #5148) --- .../files/agent/local_checks/all_hosts/run_node_tests.sh | 5 +++++ puppet/modules/site_check_mk/manifests/agent.pp | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh b/puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh new file mode 100644 index 00000000..1dd0afc9 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh @@ -0,0 +1,5 @@ +#!/bin/sh +# +# runs node tests + +/srv/leap/bin/run_tests --checkmk diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index efb05b37..b752182e 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -18,6 +18,11 @@ class site_check_mk::agent { ensure => directory, } + file { '/usr/lib/check_mk_agent/local/run_node_tests.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', + mode => '0755' + } + include site_check_mk::agent::mrpe include site_check_mk::agent::logwatch } -- cgit v1.2.3 From c7af5055fd9f255357a8dcd6e318c7a15a3b709c Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 21:53:12 +0100 Subject: check leap_mx queue --- .../files/agent/local_checks/mx/check_leap_mx.sh | 33 ++++++++++++++++++++++ puppet/modules/site_check_mk/manifests/agent/mx.pp | 8 ++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 42 insertions(+) create mode 100755 puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh create mode 100644 puppet/modules/site_check_mk/manifests/agent/mx.pp 
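Review bot: `run_node_tests.sh` invokes `/srv/leap/bin/run_tests --checkmk` unconditionally; if that file is missing or not executable the shell error goes to stderr and nothing reaches stdout, so the check silently vanishes from the agent output instead of reporting a failure. A guard that emits a local-check line makes the condition visible: `[ -x /srv/leap/bin/run_tests ] || { echo "3 run_node_tests - /srv/leap/bin/run_tests not found or not executable"; exit 0; }`.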
diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh new file mode 100755 index 00000000..2958d2ed --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh @@ -0,0 +1,33 @@ +#!/bin/bash + + +WARN=1 +CRIT=5 + +# in minutes +MAXAGE=10 + +STATUS[0]='OK' +STATUS[1]='Warning' +STATUS[2]='Critical' +CHECKNAME='Leap_MX_Queue' + +WATCHDIR='/var/mail/vmail/Maildir/new/' + + +total=`find $WATCHDIR -type f -mmin +$MAXAGE | wc -l` + +if [ $total -lt $WARN ] +then + exitcode=0 +else + if [ $total -le $CRIT ] + then + exitcode=1 + else + exitcode=2 + fi +fi + +echo "$exitcode $CHECKNAME stale_files=$total ${STATUS[exitcode]}: $total stale files (>=$MAXAGE min) in $WATCHDIR." + diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp new file mode 100644 index 00000000..c4d3ea13 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -0,0 +1,8 @@ +class site_check_mk::agent::mx { + + file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', + mode => '0755' + } + +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index cdb84b54..3949c787 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -15,4 +15,5 @@ class site_mx { include site_shorewall::service::smtp include site_mx::couchdb include leap_mx + include site_check_mk::agent::mx } -- cgit v1.2.3 From 34b7c8ebb3462fea880c848d960261cabd4a6a9f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 22:56:16 +0100 Subject: check soledad.log for 'Timing out client:' --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
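Review bot: `check_leap_mx.sh` reports OK when `$WATCHDIR` does not exist or is unreadable: `find` fails on stderr, `wc -l` yields 0, and the check passes, which is the wrong direction for a queue monitor since a missing Maildir means nothing is being delivered there. Guard it before the `find`: `[ -d "$WATCHDIR" ] || { echo "3 $CHECKNAME - $WATCHDIR does not exist"; exit 0; }`. Also, `-mmin +$MAXAGE` selects files older than, not at least, `$MAXAGE` minutes, so the `(>=$MAXAGE min)` text in the output is off by one minute; either use `-mmin +$((MAXAGE-1))` or change the text to `>`.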
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg index 54b782d3..0f4c9469 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg @@ -1,4 +1,4 @@ /var/log/soledad.log C WSGI application error C error - + W Timing out client: -- cgit v1.2.3 From efb262a0337493b7a7954ccdd72119d8519370af Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 23:05:52 +0100 Subject: check leap_mx (Feature #5175) --- .../modules/site_check_mk/files/agent/logwatch/leap_mx.cfg | 4 ++++ puppet/modules/site_check_mk/manifests/agent/mx.pp | 14 ++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg new file mode 100644 index 00000000..c71c5392 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg @@ -0,0 +1,4 @@ +/var/log/leap_mx.log + W Don't know how to deliver mail + W No public key, stopping the processing chain + diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index c4d3ea13..2dd50400 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp 
@@ -1,5 +1,19 @@ class site_check_mk::agent::mx { + # watch logs + file { '/etc/check_mk/logwatch.d/leap_mx.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/leap_mx.cfg', + } + + # local nagios plugin checks via mrpe + file_line { + 'Leap_MX_Procs': + line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx', + path => '/etc/check_mk/mrpe.cfg'; + } + + + # check stale files in queue dir file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', mode => '0755' -- cgit v1.2.3 From 5dd248238cdf5ab27232ecf426aada05503d2b10 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:17:02 +0100 Subject: check syslog for bigcouch restarts --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 92c5eb5a..3f6cc413 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -13,3 +13,4 @@ C error C Connection attempt from disallowed node W Shutting down group server + W Apache CouchDB has started -- cgit v1.2.3 From 8811b41222a98037eaae9bb0de1835c3c0282178 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:18:41 +0100 Subject: check soledad.log also for Upper case pattern 'Error' --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg index 0f4c9469..623d1e46 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg 
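Review bot: `check_procs -w 1:1 -c 1:1 -a leap_mx` matches `leap_mx` as a substring of any process's argument list, so anything else carrying that string — an operator's `less /var/log/leap_mx.log`, or a second copy started by hand — pushes the count to 2 and flips the check to critical, while the daemon itself is only counted if the string appears in its own arguments. If the daemon's executable name is known, scope the match with `-C <leap_mx-executable-name>` (placeholder) alongside `-a`, or use `--ereg-argument-array` with an anchored expression, so only the intended process is counted.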
@@ -1,4 +1,5 @@ /var/log/soledad.log C WSGI application error + C Error C error W Timing out client: -- cgit v1.2.3 From ba6edc92bc27f219401b5610d2f99d679fbc865f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:19:32 +0100 Subject: check syslog for bigcouch error "epmd: got partial packet only on file descriptor" --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index 5f8d5b95..c92b5af7 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,2 +1,4 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR + W epmd: got partial packet only on file descriptor + -- cgit v1.2.3 From 0152667c246e1f835021ad13f3df00a6c08eb5c0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:20:56 +0100 Subject: ignore stunnel pattern "Peer suddenly disconnected" (#5218) --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index cf7ebca8..a4e428b4 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -3,3 +3,4 @@ # this is a temporary failure and happens very often, so we # ignore it I stunnel:.*Connection reset by peer + I stunnel:.*Peer suddenly disconnected -- cgit v1.2.3 From 984939c4a74b71ce67db27a035ca5017f82c416f Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 3 Mar 2014 17:32:42 +0100 Subject: move generic syslog patterns to the end of syslog.cfg so we can ignore patterns first --- puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg | 12 ------------ .../site_check_mk/files/agent/logwatch/syslog_header.cfg | 1 + .../site_check_mk/files/agent/logwatch/syslog_tail.cfg | 11 +++++++++++ .../modules/site_check_mk/manifests/agent/logwatch/syslog.pp | 7 ++++++- 4 files changed, 18 insertions(+), 13 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg deleted file mode 100644 index f3505c1c..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg +++ /dev/null @@ -1,12 +0,0 @@ -/var/log/syslog -# some general patterns - C panic - C Oops - I Error: Driver 'pcspkr' is already registered, aborting... - C Error - C error - W generic protection rip - W .*Unrecovered read error - auto reallocate failed -# 401 Unauthorized error logged by webapp and possible other -# applications - C Unauthorized diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg new file mode 100644 index 00000000..f60d752b --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg @@ -0,0 +1 @@ +/var/log/syslog diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg new file mode 100644 index 00000000..450b9e90 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg 
@@ -0,0 +1,11 @@ +# some general patterns + C panic + C Oops + I Error: Driver 'pcspkr' is already registered, aborting... + C Error + C error + W generic protection rip + W .*Unrecovered read error - auto reallocate failed +# 401 Unauthorized error logged by webapp and possible other +# applications + C Unauthorized diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp index ac3dda64..c927780d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp @@ -5,9 +5,14 @@ class site_check_mk::agent::logwatch::syslog { } concat::fragment { 'syslog_header': - source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog.cfg', + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_header.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '01'; } + concat::fragment { 'syslog_tail': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_tail.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '99'; + } } -- cgit v1.2.3 From 851aaacb3ba3e746dd966e9477b7a3a289b0bf61 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 23:17:56 +0100 Subject: ignore "Uncaught error in HTTP request: {exit, normal}" error (#5226) --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 3f6cc413..96bf190c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg 
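Review bot: The new `syslog_tail` fragment encodes an ordering contract that the manifest does not state: the generic `C Error`/`C error` patterns moved into `syslog_tail.cfg` only take effect after the service-specific `I ...` rules because mk_logwatch applies the first matching pattern, so every per-service fragment must sort between `01` and `99`. A comment on the fragment would make this survive future edits, e.g. `# order 99: generic catch-all patterns must stay last, after all service-specific ignore rules (first match wins)`. Fragments that omit `order` presumably get concat's default and still land between header and tail, but that is worth confirming against the other `site_check_mk::agent::logwatch::*` classes, which are outside this hunk.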
@@ -4,8 +4,11 @@ I undefined - -.*201$ I 127.0.0.1 undefined.* ok I 127.0.0.1 localhost:5984 .* ok - C Uncaught error in HTTP request: {exit, - C Uncaught error in HTTP request: {exit,normal} + # ignore "Uncaught error in HTTP request: {exit, normal}" error + # it's suppressed in later versions of bigcouch anhow + # see https://leap.se/code/issues/5226 + I Uncaught error in HTTP request: {exit,normal} + I Uncaught error in HTTP request: {exit, C Uncaught error in HTTP request: {error, C Response abnormally terminated: {nodedown, C rexi_DOWN,noproc -- cgit v1.2.3 From 236d996a76b42fdf1adbc519813e2318571cbf08 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 00:37:46 +0100 Subject: ignore 'epmd: got partial packet only on file descriptor' (#5244) --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index c92b5af7..a5438e61 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,4 +1,7 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR - W epmd: got partial packet only on file descriptor +# on one-node bigcouch setups, we'll get this msg +# a lot, so we ignore it here until we fix +# https://leap.se/code/issues/5244 + I epmd: got partial packet only on file descriptor -- cgit v1.2.3 From 3ffaf0bc613228f9639f50c6ace966778af52111 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 01:02:34 +0100 Subject: ignore stunnel 'Connection refused' errors that happen too often until we fix #5218 --- .../site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
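Review bot: The second new ignore rule, `I Uncaught error in HTTP request: {exit,`, is an unanchored prefix match and therefore silences every `{exit,<reason>}` termination, not only the `{exit, normal}` case that the preceding comment and the commit subject describe; with first-match semantics any other exit reason is now dropped before the remaining `C` rules are consulted. If the broader rule exists only to catch the spaced variant `{exit, normal}`, a single pattern such as `I Uncaught error in HTTP request: {exit, ?normal}` keeps the other exit reasons visible (the file already uses regex syntax, e.g. `.*201$`). Should the broader ignore be intentional, the comment above it should say so.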
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index a4e428b4..865c9b9b 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -1,6 +1,9 @@ # check for stunnel failures - C stunnel:.*Connection refused -# this is a temporary failure and happens very often, so we -# ignore it +# +# those are temporary failure and happen very often, so we +# ignore them until we tuned stunnel timeouts/logging, +# see https://leap.se/code/issues/5218 I stunnel:.*Connection reset by peer I stunnel:.*Peer suddenly disconnected + I stunnel:.*Connection refused + -- cgit v1.2.3 From f6c633699adbce362b3101ea3b140083e8698f3a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 13:43:47 +0100 Subject: watch syslog for stunnel issues on couch nodes --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 87c35f05..91f1e3aa 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -107,4 +107,6 @@ class site_couchdb::stunnel { } create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) + + include site_check_mk::agent::stunnel } -- cgit v1.2.3 From 02a2a74058de9e541822a88e7b5872cdb5cbe45f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 13:48:06 +0100 Subject: ignore failing creation of user-dbs by tapicero, see #5168 --- .../modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 9983d27c..a39cb504 100644 
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -3,5 +3,11 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: +# until we can analyze multiline patterns with +# check_mk logwatch, we unfortunatly need ignore this +# line too, which shows up in combination with the +# above PreconditionFailed error. +# see https://leap.se/code/issues/4821#note-5 + I tapicero.*Creating database.*failed due to: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From e85bc5c99fc2d1d09a86aa7a5c8ad4038dd2de47 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 14:57:01 +0100 Subject: ignore bigcouch 'Shutting down group server' error (#5246) --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 96bf190c..28f333b0 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -4,6 +4,8 @@ I undefined - -.*201$ I 127.0.0.1 undefined.* ok I 127.0.0.1 localhost:5984 .* ok + # https://leap.se/code/issues/5246 + I Shutting down group server # ignore "Uncaught error in HTTP request: {exit, normal}" error # it's suppressed in later versions of bigcouch anhow # see https://leap.se/code/issues/5226 @@ -15,5 +17,4 @@ C rexi_DOWN,noconnection C error C Connection attempt from disallowed node - W Shutting down group server W Apache CouchDB has started -- cgit v1.2.3 From 32217e18179687cd4adde350379c57c7f96ca59f Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 4 Mar 2014 15:16:39 +0100 Subject: fix check_mk resource dependencies (Bug #5145) --- .../modules/site_check_mk/manifests/agent/logwatch.pp | 6 ++++-- puppet/modules/site_check_mk/manifests/agent/mrpe.pp | 3 ++- puppet/modules/site_check_mk/manifests/server.pp | 19 +++++++++++++------ 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp index 38514af2..4c249e6f 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -4,8 +4,9 @@ class site_check_mk::agent::logwatch { # see https://leap.se/code/issues/5135 file { '/usr/lib/check_mk_agent/plugins/mk_logwatch': - source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', - mode => '0755' + source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', + mode => '0755', + require => Package['check-mk-agent'] } # only config files that watch a distinct logfile should go in logwatch.d/ @@ -13,6 +14,7 @@ class site_check_mk::agent::logwatch { ensure => directory, recurse => true, purge => true, + require => Package['check-mk-server'] } # service that share a common logfile (i.e. /var/log/syslog) need to get diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp index 37df7f74..7222e4e1 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp @@ -8,7 +8,8 @@ class site_check_mk::agent::mrpe { } file { '/etc/check_mk/mrpe.cfg': - ensure => present + ensure => present, + require => Package['check-mk-server'] } -> file_line { 'Apt': line => 'APT /usr/lib/nagios/plugins/check_apt', diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 0c98cd5a..d1bc5930 100644 
--- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -25,25 +25,32 @@ class site_check_mk::server { require => Package['check-mk-server'] } - Exec['check_mk-reload'] -> Service['nagios'] + Exec['check_mk-reload'] -> + Exec['check_mk-refresh-inventory-daily'] -> + Service['nagios'] file { '/etc/check_mk/conf.d/use_ssh.mk': content => template('site_check_mk/use_ssh.mk'), - notify => Exec['check_mk-refresh']; + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, - notify => Exec['check_mk-refresh']; + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/.ssh': - ensure => directory; + ensure => directory, + require => Package['check-mk-server']; '/etc/check_mk/.ssh/id_rsa': content => $seckey, owner => 'nagios', - mode => '0600'; + mode => '0600', + require => Package['check-mk-server']; '/etc/check_mk/.ssh/id_rsa.pub': content => "${type} ${pubkey} monitor", owner => 'nagios', - mode => '0644'; + mode => '0644', + require => Package['check-mk-server']; # check_icmp must be suid root or called by sudo # see https://leap.se/code/issues/5171 '/usr/lib/nagios/plugins/check_icmp': -- cgit v1.2.3 From e603adab7cd31177e133487ba817300ce68a1e5c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 15:49:58 +0100 Subject: fix duplicate declarations in /etc/nagios3/conf.d/ on first deploy (Bug #5129) --- puppet/modules/site_nagios/manifests/server.pp | 4 +--- puppet/modules/site_nagios/manifests/server/purge.pp | 5 +++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 9aae8ae8..7106c36a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp 
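Review bot: The `'/etc/check_mk/.ssh'` directory that holds the `id_rsa` private key is declared with only `ensure => directory` plus the added `require`, so it is created with whatever the agent's defaults yield (typically root-owned, 0755), while the key inside is `owner => 'nagios', mode => '0600'`. Giving the directory the same owner and a restrictive mode, `owner => 'nagios', mode => '0700',`, is the conventional hardening for a directory holding a private key and avoids a world-listable directory next to it. The `id_rsa` and `id_rsa.pub` resources also omit `group`; setting it explicitly (e.g. `group => 'nagios'`) keeps ownership deterministic across package upgrades. The enclosing `file { ... }` block continues past the end of the hunk.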
@@ -1,9 +1,7 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) - class { 'site_nagios::server::purge': - stage => setup - } + class { 'site_nagios::server::purge': } $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 1c12cfb0..6815a703 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -10,9 +10,10 @@ class site_nagios::server::purge inherits nagios::base { purge => false } - # only purge find in the /etc/nagios3/conf.d/ dir, not in any subdir + # only purge files in the /etc/nagios3/conf.d/ dir, not in any subdir exec {'purge_conf.d': command => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f -exec rm {} \;', - onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"' + onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"', + require => Package['nagios'] } } -- cgit v1.2.3 From 8c43ea97e565cc7a76ea15964249a9fb6edccbfb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 16:37:24 +0100 Subject: don't use storedconfigs for check_mk, requires current check_mk module (#5253) --- puppet/modules/site_check_mk/manifests/server.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index d1bc5930..e544ef0d 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp 
@@ -17,12 +17,13 @@ class site_check_mk::server { # override paths to use the system check_mk rather than OMD class { 'check_mk::config': - site => '', - etc_dir => '/etc', - nagios_subdir => 'nagios3', - bin_dir => '/usr/bin', - host_groups => undef, - require => Package['check-mk-server'] + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + use_storedconfigs => false, + require => Package['check-mk-server'] } Exec['check_mk-reload'] -> -- cgit v1.2.3 From c1dca55e9a9a6827ffcce120523e7a27e113f3c7 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 16:45:18 +0100 Subject: use curly brackets for variables in check_leap_mx.sh output, see https://review.leap.se/r/160/#comment156 --- .../modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh index 2958d2ed..b8687c9a 100755 --- a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh @@ -29,5 +29,5 @@ else fi fi -echo "$exitcode $CHECKNAME stale_files=$total ${STATUS[exitcode]}: $total stale files (>=$MAXAGE min) in $WATCHDIR." +echo "${exitcode} ${CHECKNAME} stale_files=${total} ${STATUS[exitcode]}: ${total} stale files (>=${MAXAGE} min) in ${WATCHDIR}." -- cgit v1.2.3 From 313d4c2d3b2cccf6894d7cf5c01f6c63ac4e5f65 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 18:21:29 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index f9e49426..5c11597a 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk 
@@ -1 +1 @@ -Subproject commit f9e494265f6c7b83ab9ef418e40cc7aac5589563 +Subproject commit 5c11597a055858b5ddc1ce8f7f8db249f5f1b336 -- cgit v1.2.3 From 3b7c8e273a0e75e58c736b2eacf89b4c7b9d81e5 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 18:56:10 +0100 Subject: remove trailing whitespaces from logwatch config files --- puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg | 2 +- puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 2 +- puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 4 ++-- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg index c4acae40..4f16d1bd 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg @@ -8,7 +8,7 @@ /var/log/messages # Patterns are indented with one space are prefixed with: # C: Critical messages -# W: Warning messages +# W: Warning messages # I: ignore these lines (OK) # The first match decided. Lines that do not match any pattern # are ignored diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index a5438e61..f546135a 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,7 +1,7 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR # on one-node bigcouch setups, we'll get this msg -# a lot, so we ignore it here until we fix +# a lot, so we ignore it here until we fix # https://leap.se/code/issues/5244 I epmd: got partial packet only on file descriptor 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index 865c9b9b..eb3131f2 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -1,7 +1,7 @@ # check for stunnel failures # -# those are temporary failure and happen very often, so we -# ignore them until we tuned stunnel timeouts/logging, +# these are temporary failures and happen very often, so we +# ignore them until we tuned stunnel timeouts/logging, # see https://leap.se/code/issues/5218 I stunnel:.*Connection reset by peer I stunnel:.*Peer suddenly disconnected diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index a39cb504..7f43a18c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -3,7 +3,7 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: -# until we can analyze multiline patterns with +# until we can analyze multiline patterns with # check_mk logwatch, we unfortunatly need ignore this # line too, which shows up in combination with the # above PreconditionFailed error. -- cgit v1.2.3 From 8bf1fa304a047fd74538345d1ffa5c2c4312dd55 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Mar 2014 16:08:41 +0100 Subject: use the right package dependencies for site_check_mk::agent class and subclasses --- puppet/modules/site_check_mk/manifests/agent/logwatch.pp | 4 ++-- puppet/modules/site_check_mk/manifests/agent/mrpe.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp index 4c249e6f..423cace2 100644 
--- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -6,7 +6,7 @@ class site_check_mk::agent::logwatch { file { '/usr/lib/check_mk_agent/plugins/mk_logwatch': source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', mode => '0755', - require => Package['check-mk-agent'] + require => Package['check-mk-agent-logwatch'] } # only config files that watch a distinct logfile should go in logwatch.d/ @@ -14,7 +14,7 @@ class site_check_mk::agent::logwatch { ensure => directory, recurse => true, purge => true, - require => Package['check-mk-server'] + require => Package['check-mk-agent-logwatch'] } # service that share a common logfile (i.e. /var/log/syslog) need to get diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp index 7222e4e1..6921574f 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp @@ -9,7 +9,7 @@ class site_check_mk::agent::mrpe { file { '/etc/check_mk/mrpe.cfg': ensure => present, - require => Package['check-mk-server'] + require => Package['check-mk-agent'] } -> file_line { 'Apt': line => 'APT /usr/lib/nagios/plugins/check_apt', -- cgit v1.2.3 From a9f757f169611ce9ab65a6e0053e88fd744bfb7b Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Mar 2014 16:27:54 +0100 Subject: updated submodule rubygems (#3827) --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index 1e5ed3db..ef820cfe 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems @@ -1 +1 @@ -Subproject commit 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a8 +Subproject commit ef820cfec3321d17be99ef814318adb4e3cc1e91 -- cgit v1.2.3 From c209a38a687f57cc9728492928fc9ae1ea53a723 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 5 Mar 2014 16:27:54 +0100 Subject: updated submodule rubygems (#3827) --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index 7e0240ac..ef820cfe 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems @@ -1 +1 @@ -Subproject commit 7e0240acce5a338e7cc2b55f1f8ba749634c5da4 +Subproject commit ef820cfec3321d17be99ef814318adb4e3cc1e91 -- cgit v1.2.3 From 7c4ab59e744e051c45f9e3204fcbb25eba24e156 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 8 Mar 2014 23:14:18 -0800 Subject: allow for (optional) configured node order when running tests. requires latest leap_cli to work, but won't break with older leap_cli --- tests/order.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 tests/order.rb diff --git a/tests/order.rb b/tests/order.rb new file mode 100644 index 00000000..ffa6ae4e --- /dev/null +++ b/tests/order.rb @@ -0,0 +1,15 @@ +class LeapCli::Config::Node + # + # returns a list of node names that should be tested before this node. + # make sure to not return ourselves (please no dependency loops!). + # + def test_dependencies + dependents = LeapCli::Config::ObjectList.new + unless services.include?('couchdb') + if services.include?('webapp') || services.include?('mx') || services.include?('soledad') + dependents.merge! nodes_like_me[:services => 'couchdb'] + end + end + dependents.keys.delete_if {|name| self.name == name} + end +end \ No newline at end of file -- cgit v1.2.3 From 8d6b36eff5fcdd39bf1065eb481a0f98a6135696 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 12 Mar 2014 03:20:54 +0200 Subject: DirPortFrontPage serves a static webpage only when Tor node is exit. See leap.se/code/issues/5241 --- puppet/modules/site_tor/manifests/init.pp | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
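Review bot: `test_dependencies` nests an `unless services.include?('couchdb')` around an `if services.include?('webapp') || services.include?('mx') || services.include?('soledad')` chain, which reads more clearly as a single positive guard such as `if !services.include?('couchdb') && (services & %w[webapp mx soledad]).any?` (assuming `services` is a plain Array, as the `include?` calls suggest). The `delete_if` on the last line can only remove this node when it is itself a couchdb node, which the outer guard already excludes, so it is belt-and-braces; fine to keep, but the comment above should say it is defensive rather than necessary. The file is also committed without a trailing newline.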
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index b6e73a23..28bc5240 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -19,12 +19,17 @@ class site_tor { my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } - tor::daemon::directory { $::hostname: port => 80 } - - include site_shorewall::tor - - if ( $tor_type != 'exit' ) { + if ( $tor_type == 'exit'){ + tor::daemon::directory { $::hostname: port => 80 } + } + else { + tor::daemon::directory { $::hostname: + port => 80, + port_front_page => ''; + } include site_tor::disable_exit } + include site_shorewall::tor + } -- cgit v1.2.3 From 507391adf853ea39daac4772143fc5aa4abef47b Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 12 Mar 2014 04:16:17 +0200 Subject: Indentation fix. --- puppet/modules/site_tor/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 28bc5240..02368a0e 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -24,7 +24,7 @@ class site_tor { } else { tor::daemon::directory { $::hostname: - port => 80, + port => 80, port_front_page => ''; } include site_tor::disable_exit -- cgit v1.2.3 From 0b3cba122d0393540ca1625e56047ac67f457314 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Mar 2014 23:49:32 +0100 Subject: check if soledad is working (Feature #5239) --- puppet/modules/site_check_mk/manifests/agent/webapp.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index 932d6bb9..cb160d83 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp 
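Review bot: Both branches of the new `if ( $tor_type == 'exit')` declare `tor::daemon::directory { $::hostname: ... }` with `port => 80` and differ only in `port_front_page`, so the resource is duplicated and the `include site_shorewall::tor` that used to sit next to it had to be moved below the conditional. Selecting the front-page value once and declaring the directory a single time keeps one resource and one exit/non-exit decision; passing `undef` falls back to the define's default, which the pre-change code relied on for the static page. The `if ( $tor_type == 'exit'){` line is also missing a space before the brace (the follow-up indentation commit on this page only fixes the `port` line). The class header sits above the hunk.
```puppet
# exit relays serve the module's default DirPortFrontPage; other relays get none
$front_page = $tor_type ? {
  'exit'  => undef,
  default => '',
}
tor::daemon::directory { $::hostname:
  port            => 80,
  port_front_page => $front_page;
}
if ( $tor_type != 'exit' ) {
  include site_tor::disable_exit
}
# … unchanged: include site_shorewall::tor …
```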
@@ -1,13 +1,17 @@ class site_check_mk::agent::webapp { - # check webapp login - package { [ 'python-srp', 'python-requests', 'python-yaml' ]: + # check webapp login + soledad sync + package { [ 'python-srp', 'python-requests', 'python-yaml', 'python-u1db' ]: ensure => installed } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': ensure => link, target => '/srv/leap/webapp/test/nagios/webapp_login.py' } + file { '/usr/lib/check_mk_agent/local/soledad_sync.py': + ensure => link, + target => '/srv/leap/webapp/test/nagios/soledad_sync.py' + } # check syslog -- cgit v1.2.3 From 42cd675108ab480787ad821625fa6cccf599d2ce Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 20:14:26 +0100 Subject: removed trailing whitespaces in nagios.cfg --- .../site_nagios/files/configs/Debian/nagios.cfg | 84 +++++++++++----------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 9bd3da28..0bc69bc1 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -1,6 +1,6 @@ ############################################################################## # -# NAGIOS.CFG - Sample Main Config File for Nagios +# NAGIOS.CFG - Sample Main Config File for Nagios # # ############################################################################## @@ -8,7 +8,7 @@ # LOG FILE # This is the main log file where service and host events are logged -# for historical purposes. This should be the first option specified +# for historical purposes. This should be the first option specified # in the config file!!! log_file=/var/log/nagios3/nagios.log 
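Review bot: The new `soledad_sync.py` symlink, like the existing `nagios-webapp_login.py` one, points into `/srv/leap/webapp/test/nagios/`, so the check_mk agent, which typically runs local checks as root, executes a script whose contents are controlled by the webapp deployment rather than by this module. A short comment stating that trust assumption, e.g. `# local checks are symlinks into the webapp checkout and run with the agent's privileges; the checkout must stay writable by root only`, would make the boundary explicit for whoever hardens the node later. Nothing in this hunk orders the link after the resource that deploys `/srv/leap/webapp`, so on a fresh node the link may dangle until the webapp is deployed; a `require` on that class (not visible here) would pin it. The class body continues past the end of the hunk (`# check syslog`).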
@@ -36,7 +36,7 @@ cfg_dir=/etc/nagios-plugins/config # OBJECT CACHE FILE # This option determines where object definitions are cached when -# Nagios starts/restarts. The CGIs read object definitions from +# Nagios starts/restarts. The CGIs read object definitions from # this cache file (rather than looking at the object config files # directly) in order to prevent inconsistencies that can occur # when the config files are modified after Nagios starts. @@ -52,7 +52,7 @@ object_cache_file=/var/cache/nagios3/objects.cache # file. You can then start Nagios with the -u option to have it read # object definitions from this precached file, rather than the standard # object configuration files (see the cfg_file and cfg_dir options above). -# Using a precached object file can speed up the time needed to (re)start +# Using a precached object file can speed up the time needed to (re)start # the Nagios process if you've got a large and/or complex configuration. # Read the documentation section on optimizing Nagios to find our more # about how this feature works. @@ -86,7 +86,7 @@ status_file=/var/cache/nagios3/status.dat # STATUS FILE UPDATE INTERVAL # This option determines the frequency (in seconds) that -# Nagios will periodically dump program, host, and +# Nagios will periodically dump program, host, and # service status data. status_update_interval=10 @@ -94,7 +94,7 @@ status_update_interval=10 # NAGIOS USER -# This determines the effective user that Nagios should run as. +# This determines the effective user that Nagios should run as. # You can either supply a username or a UID. nagios_user=nagios @@ -102,7 +102,7 @@ nagios_user=nagios # NAGIOS GROUP -# This determines the effective group that Nagios should run as. +# This determines the effective group that Nagios should run as. # You can either supply a group name or a GID. nagios_group=nagios 
@@ -128,7 +128,7 @@ check_external_commands=1 # Nagios to check for external commands every minute. If you specify a # number followed by an "s" (i.e. 15s), this will be interpreted to mean # actual seconds rather than a multiple of the interval_length variable. -# Note: In addition to reading the external command file at regularly +# Note: In addition to reading the external command file at regularly # scheduled intervals, Nagios will also check for external commands after # event handlers are executed. # NOTE: Setting this value to -1 causes Nagios to check the external @@ -143,7 +143,7 @@ command_check_interval=-1 # This is the file that Nagios checks for external command requests. # It is also where the command CGI will write commands that are submitted # by users, so it must be writeable by the user that the web server -# is running as (usually 'nobody'). Permissions should be set at the +# is running as (usually 'nobody'). Permissions should be set at the # directory level instead of on the file, as the file is deleted every # time its contents are processed. # Debian Users: In case you didn't read README.Debian yet, _NOW_ is the @@ -155,9 +155,9 @@ command_file=/var/lib/nagios3/rw/nagios.cmd # EXTERNAL COMMAND BUFFER SLOTS # This settings is used to tweak the number of items or "slots" that -# the Nagios daemon should allocate to the buffer that holds incoming -# external commands before they are processed. As external commands -# are processed by the daemon, they are removed from the buffer. +# the Nagios daemon should allocate to the buffer that holds incoming +# external commands before they are processed. As external commands +# are processed by the daemon, they are removed from the buffer. external_command_buffer_slots=4096 
@@ -240,7 +240,7 @@ log_rotation_method=d # LOG ARCHIVE PATH -# This is the directory where archived (rotated) log files should be +# This is the directory where archived (rotated) log files should be # placed (assuming you've chosen to do log rotation). log_archive_path=/var/log/nagios3/archives @@ -403,7 +403,7 @@ max_host_check_spread=30 # MAXIMUM CONCURRENT SERVICE CHECKS -# This option allows you to specify the maximum number of +# This option allows you to specify the maximum number of # service checks that can be run in parallel at any given time. # Specifying a value of 1 for this variable essentially prevents # any service checks from being parallelized. A value of 0 @@ -425,7 +425,7 @@ check_result_reaper_frequency=10 # MAX CHECK RESULT REAPER TIME # This is the max amount of time (in seconds) that a single -# check result reaper event will be allowed to run before +# check result reaper event will be allowed to run before # returning control back to Nagios so it can perform other # duties. @@ -439,7 +439,7 @@ max_check_result_reaper_time=30 # service checks that have not yet been processed. # # Note: Make sure that only one instance of Nagios has access -# to this directory! +# to this directory! check_result_path=/var/lib/nagios3/spool/checkresults @@ -448,7 +448,7 @@ check_result_path=/var/lib/nagios3/spool/checkresults # MAX CHECK RESULT FILE AGE # This option determines the maximum age (in seconds) which check -# result files are considered to be valid. Files older than this +# result files are considered to be valid. Files older than this # threshold will be mercilessly deleted without further processing. max_check_result_file_age=3600 
@@ -510,14 +510,14 @@ enable_predictive_service_dependency_checks=1 # SOFT STATE DEPENDENCIES -# This option determines whether or not Nagios will use soft state -# information when checking host and service dependencies. Normally -# Nagios will only use the latest hard host or service state when +# This option determines whether or not Nagios will use soft state +# information when checking host and service dependencies. Normally +# Nagios will only use the latest hard host or service state when # checking dependencies. If you want it to use the latest state (regardless -# of whether its a soft or hard state type), enable this option. +# of whether its a soft or hard state type), enable this option. # Values: -# 0 = Don't use soft state dependencies (default) -# 1 = Use soft state dependencies +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies soft_state_dependencies=0 @@ -535,7 +535,7 @@ soft_state_dependencies=0 # This option determines whether or not Nagios will attempt to # automatically reschedule active host and service checks to # "smooth" them out over time. This can help balance the load on -# the monitoring server. +# the monitoring server. # WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE # PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY @@ -598,7 +598,7 @@ perfdata_timeout=5 # This setting determines whether or not Nagios will save state # information for services and hosts before it shuts down. Upon # startup Nagios will reload all saved service and host state -# information before starting to monitor. This is useful for +# information before starting to monitor. This is useful for # maintaining long-term data on state statistics, etc, but will # slow Nagios down a bit when it (re)starts. Since its only # a one-time penalty, I think its well worth the additional 
@@ -610,7 +610,7 @@ retain_state_information=1 # STATE RETENTION FILE # This is the file that Nagios should use to store host and -# service state information before it shuts down. The state +# service state information before it shuts down. The state # information in this file is also read immediately prior to # starting to monitor the network when Nagios is restarted. # This file is used only if the preserve_state_information @@ -633,7 +633,7 @@ retention_update_interval=60 # USE RETAINED PROGRAM STATE -# This setting determines whether or not Nagios will set +# This setting determines whether or not Nagios will set # program status variables based on the values saved in the # retention file. If you want to use retained program status # information, set this value to 1. If not, set this value @@ -660,7 +660,7 @@ use_retained_scheduling_info=1 # program restarts. # # The values of the masks are bitwise ANDs of values specified -# by the "MODATTR_" definitions found in include/common.h. +# by the "MODATTR_" definitions found in include/common.h. # For example, if you do not want the current enabled/disabled state # of flap detection and event handlers for hosts to be retained, you # would use a value of 24 for the host attribute mask... @@ -711,7 +711,7 @@ use_aggressive_host_checking=0 # SERVICE CHECK EXECUTION OPTION # This determines whether or not Nagios will actively execute -# service checks when it initially starts. If this option is +# service checks when it initially starts. If this option is # disabled, checks are not actively made, but Nagios can still # receive and process passive check results that come in. Unless # you're implementing redundant hosts or have a special need for 
@@ -733,7 +733,7 @@ accept_passive_service_checks=1 # HOST CHECK EXECUTION OPTION # This determines whether or not Nagios will actively execute -# host checks when it initially starts. If this option is +# host checks when it initially starts. If this option is # disabled, checks are not actively made, but Nagios can still # receive and process passive check results that come in. Unless # you're implementing redundant hosts or have a special need for @@ -790,7 +790,7 @@ process_performance_data=0 # These commands are run after every host and service check is # performed. These commands are executed only if the # enable_performance_data option (above) is set to 1. The command -# argument is the short name of a command definition that you +# argument is the short name of a command definition that you # define in your host configuration file. Read the HTML docs for # more information on performance data. @@ -870,7 +870,7 @@ obsess_over_services=0 # OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND # This is the command that is run for every service check that is # processed by Nagios. This command is executed only if the -# obsess_over_services option (above) is set to 1. The command +# obsess_over_services option (above) is set to 1. The command # argument is the short name of a command definition that you # define in your host configuration file. Read the HTML docs for # more information on implementing distributed monitoring. @@ -894,7 +894,7 @@ obsess_over_hosts=0 # OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND # This is the command that is run for every host check that is # processed by Nagios. This command is executed only if the -# obsess_over_hosts option (above) is set to 1. The command +# obsess_over_hosts option (above) is set to 1. The command # argument is the short name of a command definition that you # define in your host configuration file. Read the HTML docs for # more information on implementing distributed monitoring. 
@@ -933,9 +933,9 @@ passive_host_checks_are_soft=0 # ORPHANED HOST/SERVICE CHECK OPTIONS -# These options determine whether or not Nagios will periodically +# These options determine whether or not Nagios will periodically # check for orphaned host service checks. Since service checks are -# not rescheduled until the results of their previous execution +# not rescheduled until the results of their previous execution # instance are processed, there exists a possibility that some # checks may never get rescheduled. A similar situation exists for # host checks, although the exact scheduling details differ a bit @@ -1003,9 +1003,9 @@ additional_freshness_latency=15 # FLAP DETECTION OPTION # This option determines whether or not Nagios will try -# and detect hosts and services that are "flapping". +# and detect hosts and services that are "flapping". # Flapping occurs when a host or service changes between -# states too frequently. When Nagios detects that a +# states too frequently. When Nagios detects that a # host or service is flapping, it will temporarily suppress # notifications for that host/service until it stops # flapping. Flap detection is very experimental, so read @@ -1049,7 +1049,7 @@ date_format=iso8601 # the system configured timezone. # # NOTE: In order to display the correct timezone in the CGIs, you -# will also need to alter the Apache directives for the CGI path +# will also need to alter the Apache directives for the CGI path # to include your timezone. Example: # # @@ -1086,7 +1086,7 @@ enable_embedded_perl=1 # This option determines whether or not Nagios will process Perl plugins # and scripts with the embedded Perl interpreter if the plugins/scripts # do not explicitly indicate whether or not it is okay to do so. Read -# the HTML documentation on the embedded Perl interpreter for more +# the HTML documentation on the embedded Perl interpreter for more # information on how this option works. use_embedded_perl_implicitly=1 
@@ -1133,7 +1133,7 @@ use_regexp_matching=0 # "TRUE" REGULAR EXPRESSION MATCHING -# This option controls whether or not "true" regular expression +# This option controls whether or not "true" regular expression # matching takes place in the object config files. This option # only has an effect if regular expression matching is enabled # (see above). If this option is DISABLED, regular expression @@ -1186,7 +1186,7 @@ use_large_installation_tweaks=0 # This option determines whether or not Nagios will make all standard # macros available as environment variables when host/service checks # and system commands (event handlers, notifications, etc.) are -# executed. Enabling this option can cause performance issues in +# executed. Enabling this option can cause performance issues in # large installations, as it will consume a bit more memory and (more # importantly) consume more CPU. # Values: 1 - Enable environment variable macros (default) @@ -1227,7 +1227,7 @@ enable_environment_macros=1 # This option determines how much (if any) debugging information will # be written to the debug file. OR values together to log multiple # types of information. -# Values: +# Values: # -1 = Everything # 0 = Nothing # 1 = Functions -- cgit v1.2.3 From 75d169a2e709c891613cd9ca759469a8b951e580 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 20:19:07 +0100 Subject: Dont't archive nagios logs (#5324) --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 0bc69bc1..e46ebf62 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg 
@@ -235,7 +235,7 @@ event_broker_options=-1 # w = Weekly rotation (midnight on Saturday evening) # m = Monthly rotation (midnight last day of month) -log_rotation_method=d +log_rotation_method=n -- cgit v1.2.3 From a7ff480b5946f30445add762839118d878a775de Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 20:32:45 +0100 Subject: Dont't archive nagios logs, use logrotate for it (Feature #5324) --- puppet/modules/site_nagios/manifests/server.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 7106c36a..85443917 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -46,4 +46,13 @@ class site_nagios::server inherits nagios::base { include site_nagios::server::apache include site_check_mk::server include site_shorewall::monitor + + augeas { + 'logrotate_nagios': + context => '/files/etc/logrotate.d/nagios/rule', + changes => [ 'set file /var/log/nagios3/nagios.log', 'set rotate 7', + 'set schedule daily', 'set compress compress', + 'set missingok missingok', 'set ifempty notifempty', + 'set copytruncate copytruncate' ] + } } -- cgit v1.2.3 From cb003cfff3002e111eced280b5a664c327a4ab11 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 21:23:57 +0100 Subject: deploy automatic compaction via platform (Feature #4798) --- puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp | 8 ++++++++ puppet/modules/site_couchdb/manifests/init.pp | 6 ++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp b/puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp new file mode 100644 index 00000000..84aab4ef --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp 
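Review bot: `rotate 7` discards the compressed nagios.log after a week, whereas the `log_rotation_method=d` archiving it replaces kept every day's file under `log_archive_path`, so the host/service state changes and logged external commands that a post-incident timeline relies on now vanish quickly; consider a longer `rotate` (or `dateext` plus shipping the file off-host) before dropping the archive. `copytruncate` can also lose the lines Nagios writes between the copy and the truncate; that is the usual trade-off because nagios3 has no log-reopen signal, but it deserves a comment next to the resource, e.g. `# copytruncate: nagios3 cannot reopen its log on signal; lines logged during rotation may be lost`.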
@@ -0,0 +1,8 @@ +class site_couchdb::bigcouch::compaction { + cron { + 'compact_all_shards': + command => '/srv/leap/couchdb/scripts/bigcouch_compact_all_shards.sh >> /var/log/bigcouch/compaction.log', + hour => 3, + minute => 17; + } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e4c0211b..c67ce8c8 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -94,6 +94,7 @@ class site_couchdb { include site_couchdb::add_users include site_couchdb::designs include site_couchdb::logrotate + include site_couchdb::bigcouch::compaction include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch @@ -110,4 +111,9 @@ class site_couchdb { include site_check_mk::agent::couchdb include site_check_mk::agent::tapicero + + file { '/var/log/bigcouch': + ensure => directory + } + } -- cgit v1.2.3 From 8b207aba9c12d1e4b6320ee800de60578b9521cd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 22:02:01 +0100 Subject: catch errors when tapicero fails to create a userdb (Feature #5306) --- .../modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 7f43a18c..93ce0311 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg 
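Review bot: The `cron` resource sets no `user`, so Puppet installs it for root and `/srv/leap/couchdb/scripts/bigcouch_compact_all_shards.sh` runs as root every night; if that script only talks to the BigCouch HTTP API it needs no root privileges, and if its directory is writable by a less-privileged account this is a root escalation path, so set `user` explicitly (e.g. the couchdb service user) and ensure the script is root-owned and not group/world-writable. Only stdout is captured by `>>`, so errors go to cron mail instead of the log; `command => '... >> /var/log/bigcouch/compaction.log 2>&1'` keeps them together. `/var/log/bigcouch/compaction.log` also grows without bound and, as far as this change shows, is not covered by `site_couchdb::logrotate`, so add a rotation rule for it.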
@@ -3,11 +3,6 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: -# until we can analyze multiline patterns with -# check_mk logwatch, we unfortunatly need ignore this -# line too, which shows up in combination with the -# above PreconditionFailed error. -# see https://leap.se/code/issues/4821#note-5 - I tapicero.*Creating database.*failed due to: + C tapicero.*Creating database.*failed due to: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From 18121335c200b86a39f83a7cd240258c40a81f4e Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 14 Mar 2014 17:54:01 -0700 Subject: added support for environment specific providers (e.g. provider.production.json). requires latest leap_cli. --- platform.rb | 3 ++- provider_base/common.json | 6 +++--- .../files/service-definitions/provider.json.erb | 2 +- provider_base/provider.json | 18 +++++++++--------- provider_base/services/openvpn.json | 10 +++++----- provider_base/services/tor.json | 2 +- provider_base/services/webapp.json | 10 +++++----- provider_base/tags/development.json | 4 ++-- 8 files changed, 28 insertions(+), 27 deletions(-) diff --git a/platform.rb b/platform.rb index 54590f4b..3882ed8d 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.4.0" - self.compatible_cli = "1.4.0".."1.99" + self.compatible_cli = "1.5.0".."1.99" # # the facter facts that should be gathered @@ -26,6 +26,7 @@ Leap::Platform.define do # input config files :common_config => 'common.json', :provider_config => 'provider.json', + :provider_env_config => 'provider.#{arg}.json', :secrets_config => 'secrets.json', :node_config => 'nodes/#{arg}.json', :service_config => 'services/#{arg}.json', diff --git a/provider_base/common.json b/provider_base/common.json index 07a58bba..a4d9c5f2 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
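Review bot: Promoting `tapicero.*Creating database.*failed due to:` to `C` reopens the false alarm the `I` rule at the top of this file exists to suppress: the header comment and #5168 say the `RestClient::PreconditionFailed` race on a fresh instance is benign, and the comment being removed here says this very line accompanies that error, so unless the "failed due to:" line itself carries the exception name (and is therefore caught by the first `I` rule) every such race now pages CRITICAL. Assuming check_mk logwatch's first-match semantics, the new line is also redundant with the following `C tapicero.*failed`. If the goal is to catch only genuine creation failures, either keep the `I` for the known-benign case or narrow the pattern, e.g. `C tapicero.*Creating database.*failed due to: (?!RestClient::PreconditionFailed)` if the logwatch regex engine supports lookahead, and record the reasoning in a comment since the old one was deleted.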
@@ -3,10 +3,10 @@ "environment": null, "services": [], "tags": [], - "contacts": "= global.provider.contacts.default", + "contacts": "= provider.contacts.default", "domain": { - "full_suffix": "= global.provider.domain", - "internal_suffix": "= global.provider.domain_internal", + "full_suffix": "= provider.domain", + "internal_suffix": "= provider.domain_internal", "full": "= node.name + '.' + domain.full_suffix", "internal": "= node.name + '.' + domain.internal_suffix", "name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)" diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 5d4c63a0..97454f81 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -1,6 +1,6 @@ <%= # grab some fields from provider.json - hsh = global.provider.pick( + hsh = provider.pick( :languages, :description, :name, :enrollment_policy, :default_language, :service ) diff --git a/provider_base/provider.json b/provider_base/provider.json index 8864e24d..fa69318b 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json 
@@ -23,17 +23,17 @@ ], "default_service_level": 1, "bandwidth_limit": 102400, - "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?", - "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?", - "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", - "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", - "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", - "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" + "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?", + "allow_paid": "= provider.service.levels.select {|l| !l['rate'].nil?}.any?", + "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", + "allow_registration": "= provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", + "allow_limited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", + "allow_unlimited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" }, "ca": { - "name": "= global.provider.ca.organization + ' Root CA'", - "organization": "= global.provider.name[global.provider.default_language]", - "organizational_unit": "= 'https://' + global.provider.domain", + "name": "= provider.ca.organization + ' Root CA'", + "organization": "= provider.name[provider.default_language]", + "organizational_unit": "= 'https://' + provider.domain", "bit_size": 4096, "digest": "SHA256", "life_span": "10y", diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 5d77f946..5a87335b 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json 
@@ -14,10 +14,10 @@ "filter_dns": false, "adblock": false, "user_ips": false, - "allow_limited": "= global.provider.service.allow_limited_bandwidth", - "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth", - "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix", - "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix", - "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil" + "allow_limited": "= provider.service.allow_limited_bandwidth", + "allow_unlimited": "= provider.service.allow_unlimited_bandwidth", + "limited_prefix": "= provider.ca.client_certificates.limited_prefix", + "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix", + "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil" } } diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index 9173b8d4..ed75285c 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -1,6 +1,6 @@ { "tor": { "bandwidth_rate": 6550, - "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default" + "contacts": "= provider.contacts['tor'] || provider.contacts.default" } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index f7abdffd..29c0cbf9 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -8,10 +8,10 @@ "salt": "= hex_secret :couch_webapp_password_salt, 128" }, "customization_dir": "= file_path 'webapp'", - "client_certificates": "= global.provider.ca.client_certificates", - "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", - "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", - "allow_anonymous_certs": "= global.provider.service.allow_anonymous", + "client_certificates": "= provider.ca.client_certificates", + "allow_limited_certs": "= provider.service.allow_limited_bandwidth", + "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth", + "allow_anonymous_certs": "= provider.service.allow_anonymous", "secret_token": "= secret :webapp_secret_token", "api_version": 1, "secure": false, @@ -19,7 +19,7 @@ "source": "https://leap.se/git/leap_web", "revision": "origin/master" }, - "client_version": "= global.provider.client_version", + "client_version": "= provider.client_version", "nagios_test_user": { "username": "nagios_test", "password": "= secret :nagios_test_password" diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json index 6d4f9e25..d9c2c007 100644 --- a/provider_base/tags/development.json +++ b/provider_base/tags/development.json @@ -1,7 +1,7 @@ { "environment": "development", "domain": { - "full_suffix": "= 'dev.' + global.provider.domain", - "internal_suffix": "= 'dev.' + global.provider.domain_internal" + "full_suffix": "= 'dev.' + provider.domain", + "internal_suffix": "= 'dev.' + provider.domain_internal" } } \ No newline at end of file -- cgit v1.2.3 From cd09ed9eb9d183123652a52651a427bab558c496 Mon Sep 17 00:00:00 2001 
From: elijah Date: Tue, 18 Mar 2014 00:19:45 -0700 Subject: clean up the names of tests --- bin/run_tests | 15 +++++++++------ tests/white-box/couchdb.rb | 16 ++++++++-------- tests/white-box/network.rb | 6 +++--- tests/white-box/openvpn.rb | 6 +++--- tests/white-box/webapp.rb | 10 +++++----- 5 files changed, 28 insertions(+), 25 deletions(-) diff --git a/bin/run_tests b/bin/run_tests index 2336eba8..f4fb0157 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -394,11 +394,9 @@ class LeapRunner < MiniTest::Unit # Converts snake_case and CamelCase to something more pleasant for humans to read. # def readable(str) - str.gsub(/([A-Z]+)([A-Z][a-z])/, '\1 \2'). - gsub(/([a-z])([A-Z])/, '\1 \2'). + str. gsub(/_/, ' '). - sub(/^test (\d* )?/i, ''). - downcase.capitalize + sub(/^test (\d* )?/i, '') end def machine_readable(str) @@ -428,7 +426,12 @@ class TestDependencyGraph end def tsort_each_child(test_class_name, &block) - @dependencies[test_class_name].each(&block) + if @dependencies[test_class_name] + @dependencies[test_class_name].each(&block) + else + puts "ERROR: bad dependency, no such class `#{test_class_name}`" + exit(1) + end end def sorted @@ -476,7 +479,7 @@ def pin_test_name(name) die name, "there is no test class `#{test_class}`" end if test_name - $pinned_test_method = $pinned_test_class.tests.detect{|m| m.to_s =~ /^test_(\d+_)?#{test_name}$/} + $pinned_test_method = $pinned_test_class.tests.detect{|m| m.to_s =~ /^test_(\d+_)?#{Regexp.escape(test_name)}$/} unless $pinned_test_method die name, "there is no test `#{test_name}` in class `#{test_class}`" end diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index 93551367..9d5da94f 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb 
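Review bot: In `tsort_each_child` the new error path prints with `puts` to stdout and calls `exit(1)` from inside a TSort callback, while the rest of the script reports fatal conditions through `die` (see `die name, "there is no test class ..."` in `pin_test_name` below); routing this through the same helper, e.g. `die test_class_name, "bad dependency, no such class"` if `die` accepts an arbitrary label, or at least `$stderr.puts`, keeps the message off the test output stream and the exit status consistent. The message also cannot say which class declared the bad `depends_on`, so the operator has to grep for it; if `@dependencies` is keyed by the dependent class, including that name in the message would make it actionable.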
@@ -2,13 +2,13 @@ raise SkipTest unless $node["services"].include?("couchdb") require 'json' -class TestCouchdb < LeapTest - depends_on "TestNetwork" +class CouchDB < LeapTest + depends_on "Network" def setup end - def test_00_daemons_running + def test_00_Are_daemons_running? assert_running 'tapicero' assert_running 'bin/beam' assert_running 'bin/epmd' @@ -18,7 +18,7 @@ class TestCouchdb < LeapTest # # check to make sure we can get welcome response from local couchdb # - def test_01_couch_is_working + def test_01_Is_CouchDB_running? assert_get(couchdb_url) do |body| assert_match /"couchdb":"Welcome"/, body, "Could not get welcome message from #{couchdb_url}. Probably couchdb is not running." end @@ -28,7 +28,7 @@ class TestCouchdb < LeapTest # # compare the configured nodes to the nodes that are actually listed in bigcouch # - def test_02_nodes_are_in_replication_database + def test_02_Is_cluster_membership_ok? url = couchdb_backend_url("/nodes/_all_docs") neighbors = assert_property('couch.bigcouch.neighbors') neighbors << assert_property('domain.full') @@ -47,7 +47,7 @@ class TestCouchdb < LeapTest # # this seems backward to me, so it might be the other way around. # - def test_03_replica_membership_is_kosher + def test_03_Are_configured_nodes_online? url = couchdb_url("/_membership") assert_get(url) do |body| response = JSON.parse(body) @@ -65,7 +65,7 @@ class TestCouchdb < LeapTest end end - def test_04_acl_users_exist + def test_04_Do_ACL_users_exist? acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp'] url = couchdb_backend_url("/_users/_all_docs") assert_get(url) do |body| @@ -77,7 +77,7 @@ class TestCouchdb < LeapTest pass end - def test_05_required_databases_exist + def test_05_Do_required_databases_exist? dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"] dbs_that_should_exist.each do |db_name| assert_get(couchdb_url("/"+db_name)) do |body| 
diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 53df80dc..14de2eac 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -2,12 +2,12 @@ require 'socket' raise SkipTest if $node["dummy"] -class TestNetwork < LeapTest +class Network < LeapTest def setup end - def test_01_can_connect_to_internet + def test_01_Can_connect_to_internet? assert_get('http://www.google.com/images/srpr/logo11w.png') pass end @@ -25,7 +25,7 @@ class TestNetwork < LeapTest # accept: 15984 # connect: "127.0.0.1:5984" # - def test_02_stunnel_is_running + def test_02_Is_stunnel_running? if $node['stunnel'] good_stunnel_pids = [] $node['stunnel'].each do |stunnel_type, stunnel_configs| diff --git a/tests/white-box/openvpn.rb b/tests/white-box/openvpn.rb index 2b1276f4..5eb2bdb5 100644 --- a/tests/white-box/openvpn.rb +++ b/tests/white-box/openvpn.rb @@ -1,12 +1,12 @@ raise SkipTest unless $node["services"].include?("openvpn") -class TestOpenvpn < LeapTest - depends_on "TestNetwork" +class Openvpn < LeapTest + depends_on "Network" def setup end - def test_01_daemons_running + def test_01_Are_daemons_running? assert_running '/usr/sbin/openvpn .* /etc/openvpn/tcp_config.conf' assert_running '/usr/sbin/openvpn .* /etc/openvpn/udp_config.conf' assert_running '/usr/sbin/unbound' diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 09e92797..142ac2de 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -2,8 +2,8 @@ raise SkipTest unless $node["services"].include?("webapp") require 'socket' -class TestWebapp < LeapTest - depends_on "TestNetwork" +class Webapp < LeapTest + depends_on "Network" HAPROXY_CONFIG = '/etc/haproxy/haproxy.cfg' 
@@ -20,7 +20,7 @@ class TestWebapp < LeapTest # connect: couch1.bitmask.i # connect_port: 15984 # - def test_01_can_contact_couchdb + def test_01_Can_contact_couchdb? assert_property('stunnel.couch_client') $node['stunnel']['couch_client'].values.each do |stunnel_conf| assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' @@ -45,7 +45,7 @@ class TestWebapp < LeapTest # port: 4000 # weight: 10 # - def test_02_haproxy_is_working + def test_02_Is_haproxy_working? port = file_match(HAPROXY_CONFIG, /^ bind localhost:(\d+)$/) url = "http://localhost:#{port}" assert_get(url) do |body| @@ -54,7 +54,7 @@ class TestWebapp < LeapTest pass end - def test_03_daemons_running + def test_03_Are_daemons_running? assert_running '/usr/sbin/apache2' assert_running '/usr/bin/nickserver' pass -- cgit v1.2.3 From 222fd1568d7af9ea953a4d6179578da5994ea1fd Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 20 Mar 2014 13:10:44 -0700 Subject: allow ability to customize openvpn security stuff: tls-cipher, auth, and cipher config options. --- .../service-definitions/v1/eip-service.json.erb | 11 ++++---- provider_base/services/openvpn.json | 7 ++++- puppet/modules/site_openvpn/manifests/init.pp | 33 +++++++++++++--------- .../site_openvpn/manifests/server_config.pp | 8 +++--- 4 files changed, 35 insertions(+), 24 deletions(-) diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb index feaea25b..3b8976fd 100644 --- a/provider_base/files/service-definitions/v1/eip-service.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -27,6 +27,7 @@ hsh["version"] = 1 locations = {} gateways = [] + configuration = nil nodes_like_me[:services => 'openvpn'].each_node do |node| if node.openvpn.allow_limited && node.openvpn.allow_unlimited gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) 
@@ -36,13 +37,13 @@
 elsif node.openvpn.allow_limited
 gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
 end
+ if configuration && node.openvpn.configuration != configuration
+ log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors."
+ end
+ configuration = node.openvpn.configuration
 end
 hsh["gateways"] = gateways.compact
 hsh["locations"] = locations
- hsh["openvpn_configuration"] = {
- "tls-cipher" => "DHE-RSA-AES128-SHA",
- "auth" => "SHA1",
- "cipher" => "AES-128-CBC"
- }
+ hsh["openvpn_configuration"] = configuration
 JSON.sorted_generate hsh
 %>
\ No newline at end of file
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 5a87335b..e5b97ed9 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -18,6 +18,11 @@
 "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
 "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
 "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
- "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil"
+ "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
+ "configuration": {
+ "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+ "auth": "SHA1",
+ "cipher": "AES-128-CBC"
+ }
 }
 }
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 42146741..abcac41c 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
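Review bot: On a conflict the template only emits `log :error` and then keeps going, so `hsh["openvpn_configuration"]` ends up holding whichever node was iterated last and the published eip-service.json tells every client to use `tls-cipher`/`auth`/`cipher` values that some gateways will reject, producing TLS handshake failures that are hard to attribute back to a config mismatch. Since the message itself admits this "will result in bad errors", it should abort generation instead of logging, e.g. `raise "OpenVPN nodes in environment `#{node.environment}` have conflicting openvpn.configuration values"` (or the CLI's own fatal-error helper if one exists) so an inconsistent service definition is never written. Note also that a node whose `openvpn.configuration` is nil does not trigger the check when it comes first (the `configuration &&` guard), so the comparison only catches conflicts among nodes that all define the key.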
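Review bot: The defaults every provider now inherits — `TLS-DHE-RSA-WITH-AES-128-CBC-SHA`, `"auth": "SHA1"`, `"cipher": "AES-128-CBC"` — are the weakest commonly accepted set, and because they are now also served to clients through eip-service.json they become the fleet-wide floor rather than one node's choice; `"auth": "SHA256"` and `"cipher": "AES-256-CBC"` are supported by the same OpenVPN/OpenSSL builds and cost little, so the shipped default should move there. These strings are now provider-editable and flow unchecked into both the server config and the client service definition, and the same commit already changes the tls-cipher spelling from OpenSSL's `DHE-RSA-AES128-SHA` (removed from the erb above) to OpenVPN's `TLS-DHE-RSA-WITH-AES-128-CBC-SHA`, which shows how easy it is to get the naming scheme wrong and take every gateway down at once. Since JSON cannot carry a comment, document in the platform docs (or a sibling `configuration_doc` key if the schema allows) that `tls-cipher` takes OpenVPN's TLS-* suite names while `cipher` and `auth` take OpenSSL names, and have the CLI validate the values before deploy.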
@@ -27,22 +27,23 @@ class site_openvpn { Class['site_config::default'] -> Class['site_openvpn'] - $openvpn_config = hiera('openvpn') - $openvpn_ports = $openvpn_config['ports'] + $openvpn = hiera('openvpn') + $openvpn_ports = $openvpn['ports'] + $openvpn_config = $openvpn['configuration'] if $::ec2_instance_id { $openvpn_gateway_address = $::ipaddress } else { - $openvpn_gateway_address = $openvpn_config['gateway_address'] - if $openvpn_config['second_gateway_address'] { - $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + $openvpn_gateway_address = $openvpn['gateway_address'] + if $openvpn['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn['second_gateway_address'] } else { $openvpn_second_gateway_address = undef } } - $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] - $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix'] + $openvpn_allow_unlimited = $openvpn['allow_unlimited'] + $openvpn_unlimited_prefix = $openvpn['unlimited_prefix'] $openvpn_unlimited_tcp_network_prefix = '10.41.0' $openvpn_unlimited_tcp_netmask = '255.255.248.0' $openvpn_unlimited_tcp_cidr = '21' @@ -51,9 +52,9 @@ class site_openvpn { $openvpn_unlimited_udp_cidr = '21' if !$::ec2_instance_id { - $openvpn_allow_limited = $openvpn_config['allow_limited'] - $openvpn_limited_prefix = $openvpn_config['limited_prefix'] - $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_allow_limited = $openvpn['allow_limited'] + $openvpn_limited_prefix = $openvpn['limited_prefix'] + $openvpn_rate_limit = $openvpn['rate_limit'] $openvpn_limited_tcp_network_prefix = '10.43.0' $openvpn_limited_tcp_netmask = '255.255.248.0' $openvpn_limited_tcp_cidr = '21' 
@@ -90,7 +91,8 @@ class site_openvpn { tls_remote => "\"${openvpn_unlimited_prefix}\"", server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000' + management => '127.0.0.1 1000', + config => $openvpn_config } site_openvpn::server_config { 'udp_config': port => '1194', @@ -99,7 +101,8 @@ class site_openvpn { tls_remote => "\"${openvpn_unlimited_prefix}\"", server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", - management => '127.0.0.1 1001' + management => '127.0.0.1 1001', + config => $openvpn_config } } else { tidy { '/etc/openvpn/tcp_config.conf': } @@ -114,7 +117,8 @@ class site_openvpn { tls_remote => "\"${openvpn_limited_prefix}\"", server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1002' + management => '127.0.0.1 1002', + config => $openvpn_config } site_openvpn::server_config { 'limited_udp_config': port => '1194', @@ -123,7 +127,8 @@ class site_openvpn { tls_remote => "\"${openvpn_limited_prefix}\"", server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", - management => '127.0.0.1 1003' + management => '127.0.0.1 1003', + config => $openvpn_config } } else { tidy { '/etc/openvpn/limited_tcp_config.conf': } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index befeaef7..6246a836 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -54,7 +54,7 @@ define site_openvpn::server_config( $port, $proto, $local, $server, $push, - $management, $tls_remote = undef) { + $management, $config, $tls_remote = undef) { $openvpn_configname = $name @@ -96,15 +96,15 @@ define site_openvpn::server_config( server => $openvpn_configname; "tls-cipher ${openvpn_configname}": key => 'tls-cipher', - value => 'DHE-RSA-AES128-SHA', + value => $config['tls-cipher'], server => $openvpn_configname; "auth ${openvpn_configname}": key => 'auth', - value => 'SHA1', + value => $config['auth'], server => $openvpn_configname; "cipher ${openvpn_configname}": key => 'cipher', - value => 'AES-128-CBC', + value => $config['cipher'], server => $openvpn_configname; "dev ${openvpn_configname}": key => 'dev', -- cgit v1.2.3 From 482c3d5a77d05043f5276d4f19168d2b777d3ef0 Mon Sep 17 00:00:00 2001 
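Review bot: `$config` is accepted without validation, and `value => $config['tls-cipher']` (with the `auth` and `cipher` entries below it) evaluates to `undef` for any key missing from the hiera hash; depending on how the openvpn module renders an undef value the directive is written empty or dropped, and in the latter case OpenVPN silently falls back to its own built-in defaults, which are weaker than the settings intended here. A guard near the top of the define turns that into a failed run instead: `if $config['tls-cipher'] == undef or $config['auth'] == undef or $config['cipher'] == undef {` / `  fail("site_openvpn::server_config ${name}: config must set tls-cipher, auth and cipher")` / `}`. The define's body continues outside both hunks.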
From: elijah Date: Sun, 23 Mar 2014 16:11:32 -0700 Subject: modules/site_static: part 1 - amber --- provider_base/services/static.json | 6 ++++++ puppet/manifests/site.pp | 5 +++++ .../modules/site_config/manifests/packages/base.pp | 16 -------------- .../manifests/packages/build_essential.pp | 8 +++++++ .../site_config/manifests/packages/uninstall.pp | 20 +++++++++++++++++ puppet/modules/site_config/manifests/params.pp | 1 + puppet/modules/site_config/manifests/ruby/dev.pp | 2 ++ puppet/modules/site_static/README | 3 +++ puppet/modules/site_static/manifests/domain.pp | 9 ++++++++ puppet/modules/site_static/manifests/init.pp | 13 +++++++++++ puppet/modules/site_static/manifests/location.pp | 25 ++++++++++++++++++++++ 11 files changed, 92 insertions(+), 16 deletions(-) create mode 100644 provider_base/services/static.json create mode 100644 puppet/modules/site_config/manifests/packages/build_essential.pp create mode 100644 puppet/modules/site_config/manifests/packages/uninstall.pp create mode 100644 puppet/modules/site_static/README create mode 100644 puppet/modules/site_static/manifests/domain.pp create mode 100644 puppet/modules/site_static/manifests/init.pp create mode 100644 puppet/modules/site_static/manifests/location.pp diff --git a/provider_base/services/static.json b/provider_base/services/static.json new file mode 100644 index 00000000..d9155a84 --- /dev/null +++ b/provider_base/services/static.json @@ -0,0 +1,6 @@ +{ + "static": { + "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq" + }, + "service_type": "public_service" +} \ No newline at end of file diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index def0a642..ff8f8c6c 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -38,3 +38,8 @@ if $services =~ /\bmx\b/ { include site_mx } +if $services =~ /\bstatic\b/ { + include site_static +} + +include site_config::packages::uninstall \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 9d416043..28aa4dbb 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,7 +1,5 @@ class site_config::packages::base { - include site_config::params - # base set of packages that we want to have installed everywhere package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: ensure => installed, @@ -16,18 +14,4 @@ class site_config::packages::base { 'x11-utils', 'xterm' ]: ensure => absent; } - - if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } - - # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) - # dev_packages are needed for building gems on the webapp node - - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure - } } diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp new file mode 100644 index 00000000..c9efaafb --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -0,0 +1,8 @@ +# +# include this whenever you want to ensure build-essential package and related compilers are installed. +# +class site_config::packages::build_essential { + if $install_build_essential == undef { + $install_build_essential = true + } +} \ No newline at end of file 
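Review bot: The variable set in build_essential.pp is `$install_build_essential`, but the consumer in the next hunk (uninstall.pp) reads `$site_config::packages::build_essential::install_essential`, and uninstall.pp's header comment names a third spelling, `$::install_build_packages`; with the names mismatched the comparison is never true, `$dev_packages_ensure` is always `absent`, and nodes that include this class (ruby::dev, params for the local environment) still lose their compilers. Settle on one name, e.g. keep `$install_build_essential = true` here and change uninstall.pp to `if $site_config::packages::build_essential::install_build_essential == true {`, and fix the comment to match. The `if $install_build_essential == undef` test is also redundant once the class only ever assigns `true` — being included at all is the signal, so the body can be the single assignment.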
diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp new file mode 100644 index 00000000..2919cc96 --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp @@ -0,0 +1,20 @@ +# +# this should be included last to allow other modules to set $::install_build_packages +# +class site_config::packages::uninstall { + + if $site_config::packages::build_essential::install_essential == true { + $dev_packages_ensure = present + } else { + $dev_packages_ensure = absent + } + + # generally, dev packages are needed for installing ruby gems with native extensions. + # (nickserver, webapp, etc) + + package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $dev_packages_ensure + } + +} \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 5bdc0077..012b3ce0 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -8,6 +8,7 @@ class site_config::params { if $environment == 'local' { $interface = 'eth1' + include site_config::packages::build_essential } elsif hiera('interface','') != '' { $interface = hiera('interface') diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp index dbc77ae7..3ea6ca96 100644 --- a/puppet/modules/site_config/manifests/ruby/dev.pp +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -3,4 +3,6 @@ class site_config::ruby::dev inherits site_config::ruby { ruby_version => '1.9.3', install_dev => true } + # building gems locally probably requires build-essential and gcc: + include site_config::packages::build_essential } diff --git a/puppet/modules/site_static/README b/puppet/modules/site_static/README new file mode 100644 index 00000000..bc719782 --- /dev/null 
+++ b/puppet/modules/site_static/README @@ -0,0 +1,3 @@ +Deploy one or more static websites to a node. + +For now, it only supports `amber` based static sites. Should support plain html and jekyll in the future. diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp new file mode 100644 index 00000000..48284106 --- /dev/null +++ b/puppet/modules/site_static/manifests/domain.pp @@ -0,0 +1,9 @@ +define site_static::domain ( + $locations, + $ca_cert, + $key, + $cert, + $tls_only) { + + create_resources(site_static::location, $locations) +} diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp new file mode 100644 index 00000000..cc447cf7 --- /dev/null +++ b/puppet/modules/site_static/manifests/init.pp @@ -0,0 +1,13 @@ +class site_static { + tag 'leap_service' + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + + if (member($formats, 'amber')) { + include site_config::ruby::dev + rubygems::gem{'amber': } + } + + create_resources(site_static::domain, $domains) +} \ No newline at end of file diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp new file mode 100644 index 00000000..1ba6807e --- /dev/null +++ b/puppet/modules/site_static/manifests/location.pp @@ -0,0 +1,25 @@ +define site_static::location($path, $format, $source) { + + $file_path = "/srv/static/${name}" + + if ($format == 'amber') { + exec {"amber_build_${name}": + cwd => $file_path, + command => 'amber rebuild', + user => 'www-data', + timeout => 600, + subscribe => Vcsrepo[$file_path] + } + } + + vcsrepo { $file_path: + ensure => present, + force => true, + revision => $source['revision'], + provider => $source['type'], + source => $source['repo'], + owner => 'www-data', + group => 'www-data' + } + +} -- cgit v1.2.3 From b45d265a08884a65e7100e34067a0d8c390da8f0 Mon Sep 17 00:00:00 2001 
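Review bot: In location.pp, `$file_path = "/srv/static/${name}"` interpolates the location name from the provider config straight into a filesystem path that is then given to `vcsrepo` with `force => true` and used as the `cwd` of the `amber rebuild` exec; a name containing `/` or `..` would check a repository out, and run the build, outside `/srv/static`. The config is operator-supplied rather than end-user input, but a one-line guard keeps a typo from becoming a destructive checkout: `validate_re($name, '^[a-zA-Z0-9_-]+$', "site_static::location: invalid location name ${name}")`. Separately, `revision => $source['revision']` pins nothing if providers put a branch name there, so the README or the define's header should say a commit hash is expected for reproducible deploys.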
From: kwadronaut Date: Mon, 24 Mar 2014 08:07:18 +0100 Subject: fixes #5360 adds admin@ as reserved address + linting --- puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp index aea66f78..83e27376 100644 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -1,11 +1,13 @@ +# Defines which mail addresses shouldn't be available and where they should fwd class site_postfix::mx::reserved_aliases { postfix::mailalias { - [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', - 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', - 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', - 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', - 'ftp' ]: + [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', + 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', + 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', + 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', + 'www-data', + ]: ensure => present, recipient => 'root' } -- cgit v1.2.3 From 51f320178a58d7a05860cfd8d6129a16cd4ca9d8 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 24 Mar 2014 01:47:46 -0700 Subject: modules/site_static: part 2 - apache --- puppet/modules/site_static/manifests/domain.pp | 19 ++++ puppet/modules/site_static/manifests/init.pp | 4 + .../modules/site_static/templates/apache.conf.erb | 109 +++++++++++++++++++++ 3 files changed, 132 insertions(+) create mode 100644 puppet/modules/site_static/templates/apache.conf.erb diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 48284106..8af2230f 100644 
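Review bot: The new list keeps every previous entry and adds `admin`, but it is only roughly alphabetical (`cron` before `certmaster`, `games` before `ftp`), which undercuts the linting aim and makes future duplicates harder to spot. While the list is open, the remaining RFC 2142 well-known mailboxes not yet reserved — `info`, `marketing`, `sales`, `support` — are worth considering, given the header comment describes this as the set of addresses that should not be available. The header could also spell out the mechanism, e.g. `# Local parts reserved from users; anything sent to them is forwarded to root.`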
--- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -5,5 +5,24 @@ define site_static::domain ( $cert, $tls_only) { + $domain = $name + $base_dir = '/srv/static' + create_resources(site_static::location, $locations) + + x509::cert { $domain: content => $cert } + x509::key { $domain: content => $key } + x509::ca { "${domain}_ca": content => $ca_cert } + + class { '::apache': no_default_site => true, ssl => true } + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + include site_apache::module::rewrite + + apache::vhost::file { $domain: + content => template('site_static/apache.conf.erb') + } + } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index cc447cf7..91a4a7a9 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -10,4 +10,8 @@ class site_static { } create_resources(site_static::domain, $domains) + + include site_shorewall::defaults + include site_shorewall::service::http + include site_shorewall::service::https } \ No newline at end of file diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb new file mode 100644 index 00000000..76534911 --- /dev/null +++ b/puppet/modules/site_static/templates/apache.conf.erb 
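Review bot: `class { '::apache': no_default_site => true, ssl => true }` is declared inside `define site_static::domain`, which `create_resources(site_static::domain, $domains)` in init.pp instantiates once per configured domain; with two or more domains the second evaluation is a duplicate class declaration and catalog compilation fails. Move the resource-like declaration up into `class site_static` (next to the `create_resources` call) and keep only the `include site_apache::module::*` lines, which are safe to repeat, in the define. The define's parameter list starts outside the hunk.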
@@ -0,0 +1,109 @@ +<%- + ## + ## An apache config for static websites. + ## + def location_directory(name, location) + if location['format'] == 'amber' + File.join(@base_dir, name, 'public') + else + File.join(@base_dir, name) + end + end + document_root = '/var/www' + @locations.each do |name, location| + if location['path'] == '/' + document_root = location_directory(name, location) + end + end +-%> + + + ServerName <%= @domain %> + ServerAlias www.<%= @domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= @domain %> + ServerAlias www.<%= @domain %> + + #RewriteLog "/var/log/apache2/rewrite.log" + #RewriteLogLevel 3 + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" + Header set X-Frame-Options "deny" + + SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key + SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt + SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot <%= document_root %> + +<%- @locations.each do |name, location| -%> + ## + ## <%= name %> + ## + <%- if location['path'] == '/' -%> + # Location / + <%- else -%> + Alias <%= location['path'] %> <%= location_directory(name, location) %> + > + <%- end -%> + # remove trailing slashes + RewriteEngine On + RewriteRule ^(.+)/$ /$1 [R=301,L] + + # e.g. /de/blah => /blah/index.de.html + RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f + RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] + + # e.g. /de/foo/bar => /foo/bar.de.html + RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f + RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] + + # e.g. /de => /index.de.html + RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f + RewriteRule ^/([a-z]{2})$ /index.$1.html [L] + + # e.g. 
/de/img.png => /img.png + RewriteCond %{DOCUMENT_ROOT}/$2 -f + RewriteRule ^/([a-z]{2})/(.*) /$2 [L] + + # Simulate "DirectorySlash On" + # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) + RewriteCond %{DOCUMENT_ROOT}/$1 -d + RewriteRule ^/(.*[^/])$ /$1/ [PT] + <%- if location['path'] == '/' -%> + # end Location / + <%- else -%> + + <%- end -%> + > + ## + ## PERMISSIONS + ## + AllowOverride None + Order deny,allow + Allow from all + + ## + ## LOCALE SUPPORT (e.g. index.en.html) + ## + LanguagePriority en + ForceLanguagePriority Prefer Fallback + DirectoryIndex index + DirectorySlash Off + Options +MultiViews + + +<%- end -%> + + -- cgit v1.2.3 From 87ab435d2a00811c3d63fed40fe172d1377e6afa Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 24 Mar 2014 10:14:59 -0700 Subject: ensure platform.rb is utf8 --- platform.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/platform.rb b/platform.rb index 54590f4b..ed68e595 100644 --- a/platform.rb +++ b/platform.rb @@ -1,3 +1,4 @@ +# encoding: utf-8 # # These are variables defined by this leap_platform and used by leap_cli. # -- cgit v1.2.3 From 1ebece7b07ee721eb888873e47fa512a6a42f807 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 08:31:20 +0100 Subject: ignore openvpn TLS initialization errors (Feature #5374) --- .../site_check_mk/files/agent/logwatch/syslog/openvpn.cfg | 7 +++++++ puppet/modules/site_check_mk/manifests/agent/openvpn.pp | 10 ++++++++++ puppet/modules/site_openvpn/manifests/init.pp | 3 +++ 3 files changed, 20 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/openvpn.pp diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg new file mode 100644 index 00000000..d58e876d --- /dev/null 
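Review bot: `SSLProtocol -all +SSLv3 +TLSv1` enables SSLv3 and leaves TLS 1.1/1.2 off, and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH` admits the MEDIUM tier with no preference for forward-secret suites; a later commit on this page ("Update TLS apache vhost TLS configuration (#5137)") reworks api.conf.erb and common.conf.erb along exactly those lines, and this new template should follow that policy rather than inherit the older one. Concretely: `SSLProtocol all -SSLv2 -SSLv3`, `SSLCompression off`, and the same cipher string that commit adopts. `Header add Strict-Transport-Security: "..."` uses `add`, which emits a second header if one is already set by an enclosing scope, so `Header set` is the safer form, and the trailing colon in the header name should go unless the mod_headers version in use is known to strip it.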
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg @@ -0,0 +1,7 @@ +# ignore openvpn TLS initialization errors when clients +# suddenly hangup before properly establishing +# a tls connection + I ovpn-.*TLS Error: Unroutable control packet received from + I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) + I ovpn-.*TLS Error: TLS handshake failed + diff --git a/puppet/modules/site_check_mk/manifests/agent/openvpn.pp b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp new file mode 100644 index 00000000..919a408d --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp @@ -0,0 +1,10 @@ +class site_check_mk::agent::openvpn { + + # check syslog + concat::fragment { 'syslog_openpvn': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/openvpn.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 42146741..4c2a3967 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -213,4 +213,7 @@ class site_openvpn { target => '/etc/default/openvpn', order => 10; } + + include site_check_mk::agent::openvpn + } -- cgit v1.2.3 From c946f47448e0b902d227492c33c5f56998a82875 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 22:25:08 +0100 Subject: couch node: same packages removed on every (second ?) puppetrun (Feature #5018) --- puppet/modules/site_config/manifests/packages/base.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 9d416043..9f802771 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp 
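Review bot: Ignoring `TLS handshake failed` and its two companion lines wholesale removes a syslog signal that also appears when a client presents a wrong or revoked certificate or when a host is repeatedly probing the port; the stated reason — clients hanging up mid-handshake — is about volume, not about the event being meaningless. If check_mk's logwatch supports it, a count- or rate-based threshold on these lines keeps an alert for bursts while silencing the occasional one; if not, at least record the trade-off in the header: `# NOTE: handshake failures are also what a bad client cert produces; revisit if VPN auth monitoring is needed`. Assuming these patterns are regexes (the `.*` suggests so), the unescaped `(`, `)` and `.` in the second line still match today but should be escaped so the intent is exact.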
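Review bot: The fragment title `'syslog_openpvn'` in openvpn.pp transposes the name; it is only a resource title so nothing breaks, but it is the string that shows up in reports and duplicate-resource errors, so `concat::fragment { 'syslog_openvpn':` is worth fixing before it is copied elsewhere.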
@@ -17,10 +17,12 @@ class site_config::packages::base { ensure => absent; } - if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { - $dev_packages_ensure = present + if $::site_config::params::environment == 'local' + or $::services =~ /\bwebapp\b/ + or $::services =~ /\bcouchdb\b/ { + $dev_packages_ensure = present } else { - $dev_packages_ensure = absent + $dev_packages_ensure = absent } # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) -- cgit v1.2.3 From 1457c4a85ad3e7f2fbdc6f969b801542b3396581 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 23:42:19 +0100 Subject: Move setup.pp to a subclass (site_config::setup) (Feature #2993) --- puppet/manifests/setup.pp | 36 +----------------- puppet/manifests/site.pp | 1 + puppet/modules/site_config/manifests/default.pp | 26 ------------- puppet/modules/site_config/manifests/setup.pp | 49 +++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 61 deletions(-) create mode 100644 puppet/modules/site_config/manifests/setup.pp diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index f89b7032..4dd03203 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp 
@@ -1,39 +1,5 @@ # # this is applied before each run of site.pp # -$services = '' -Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } - -include site_config::params - -include concat::setup - -include site_config::hosts - -include site_config::initial_firewall - -include site_apt - -package { 'facter': - ensure => latest, - require => Exec['refresh_apt'] -} - -if hiera('squid_deb_proxy_client', false) { - include site_squid_deb_proxy::client -} - -# shorewall is installed/half-configured during setup.pp (Bug #3871) -# we need to include shorewall::interface{eth0} in setup.pp so -# packages can be installed during main puppetrun, even before shorewall -# is configured completly -if ( $::site_config::params::environment == 'local' ) { - include site_config::vagrant -} - -# if class site_custom::setup exists, include it. -# possibility for users to define custom puppet recipes -if defined( '::site_custom::setup') { - include ::site_custom::setup -} +include ::site_config::setup diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index def0a642..d83a189d 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,6 +5,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") +include site_config::setup include site_config::default # configure eip diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 53cc60f6..7e421a21 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp 
@@ -8,19 +8,12 @@ class site_config::default { include apt::update Package { require => Exec['apt_updated'] } - include stdlib - include site_config::slow - include concat::setup - # default class, used by all hosts include lsb, git - # configure apt - include site_apt - # configure sysctl parameters include site_config::sysctl @@ -35,21 +28,12 @@ class site_config::default { include site_config::dhclient } - if ( $::site_config::params::environment == 'local' ) { - include site_config::vagrant - } - # configure /etc/resolv.conf include site_config::resolvconf # configure caching, local resolver include site_config::caching_resolver - # configure /etc/hosts - class { 'site_config::hosts': - stage => setup, - } - # install/configure syslog include site_config::syslog @@ -67,16 +51,6 @@ class site_config::default { # set up core leap files and directories include site_config::files - # redundant declarations, remove if - # "Move setup.pp to a subclass (site_config::setup) (Feature #2993)" - # is solved. - - # if squid_deb_proxy_client is set to true, install and configure - # squid_deb_proxy_client for apt caching - if hiera('squid_deb_proxy_client', false) { - include site_squid_deb_proxy::client - } - if $::services !~ /\bmx\b/ { include site_postfix::satellite } diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp new file mode 100644 index 00000000..ffe01f53 --- /dev/null +++ b/puppet/modules/site_config/manifests/setup.pp 
@@ -0,0 +1,49 @@ +class site_config::setup { + + # + # this is applied before each run of site.pp + # + #$services = '' + + Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } + + include site_config::params + + include concat::setup + include stdlib + + # configure /etc/hosts + class { 'site_config::hosts': + stage => setup, + } + + include site_config::initial_firewall + + include site_apt + + package { 'facter': + ensure => latest, + require => Exec['refresh_apt'] + } + + # if squid_deb_proxy_client is set to true, install and configure + # squid_deb_proxy_client for apt caching + if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client + } + + # shorewall is installed/half-configured during setup.pp (Bug #3871) + # we need to include shorewall::interface{eth0} in setup.pp so + # packages can be installed during main puppetrun, even before shorewall + # is configured completly + if ( $::site_config::params::environment == 'local' ) { + include site_config::vagrant + } + + # if class site_custom::setup exists, include it. + # possibility for users to define custom puppet recipes + if defined( '::site_custom::setup') { + include ::site_custom::setup + } + +} -- cgit v1.2.3 From 55f2f69783676937601f45c9c231913f198a034b Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 26 Mar 2014 09:51:39 -0700 Subject: contacts.tor must be an array --- provider_base/services/tor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index 9173b8d4..ae4da46d 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -1,6 +1,6 @@ { "tor": { "bandwidth_rate": 6550, - "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default" + "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten" } } -- cgit v1.2.3 From 7451213d5e0772d0d6cba4613bf66792da495909 Mon Sep 17 00:00:00 2001 
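Review bot: The commented-out `#$services = ''` and the header `# this is applied before each run of site.pp` are carried over from the top-level manifest and are now misleading: the class is declared from site.pp itself (`include site_config::setup` in the site.pp hunk above), and a dead assignment left in a comment invites someone to uncomment it and clobber the `$services` that site.pp computes. Drop the commented line and reword the header, e.g. `# Bootstrap classes (hosts, initial firewall, apt) that the rest of site.pp depends on; included first from site.pp.`. `Exec { path => ... }` inside the class is a resource default, which Puppet scopes dynamically, so it no longer reaches everything the former top-scope line in setup.pp did; site.pp still sets the same default globally, and a one-line comment saying so would stop someone removing the site.pp copy as redundant.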
From: elijah Date: Wed, 26 Mar 2014 10:25:29 -0700 Subject: minor: fix message on stunnel test. --- tests/white-box/network.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 53df80dc..57002beb 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -53,8 +53,8 @@ class TestNetwork < LeapTest end all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel" + pass end - pass end end -- cgit v1.2.3 From 1906f13a7df02522bcd83a3c25101555870b5279 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 1 Apr 2014 15:28:54 -0400 Subject: Include all the ips that are allowed to send mail through the relay in the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343) Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b --- provider_base/services/mx.json | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 7e3f20ba..0d1ec877 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -10,7 +10,7 @@ "password": "= secret :couch_leap_mx_password", "salt": "= hex_secret :couch_leap_mx_password_salt, 128" }, - "mx_nodes": "= nodes['services' => 'mx']['environment' => '!local'].field('ip_address')", + "mynetworks": "= nodes['environment' => '!local'].field('ip_address')", "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", 
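Review bot: `"mynetworks": "= nodes['environment' => '!local'].field('ip_address')"` widens Postfix's trusted relay set from the mx nodes to every node in the provider, so a compromise of any node (webapp, couchdb, a satellite) yields an unauthenticated relay through the provider's MX under the provider's domain; that is the intended fix for #5343, but the trade-off deserves a sentence next to `$mynetworks` in mx.pp (the next hunk), e.g. `# every non-local provider node may relay unauthenticated; see #5343`. A narrower alternative that keeps the fix is to have satellites authenticate (client-certificate TLS or SASL) instead of being trusted by source address; the satellite side already does `include site_postfix::mx::smtp_tls`, but whether that class verifies client certificates is not visible here.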
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index de89c26e..a37c7af9 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -4,7 +4,7 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') - $mynetworks = join(hiera('mx_nodes'), ' ') + $mynetworks = join(hiera('mynetworks'), ' ') $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' -- cgit v1.2.3 From 0e6c5cad63c038c0719ac409bb3cf02b8019f7ad Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 1 Apr 2014 16:40:23 -0400 Subject: Fix for Openstack/Amazon special case needing to allow ec2_public_ipv4 in mynetworks (#5427) Change-Id: Iee954f8cacd852f8c7c598c68a8793a3523c0132 --- provider_base/services/mx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 0d1ec877..731dee9a 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -10,7 +10,7 @@ "password": "= secret :couch_leap_mx_password", "salt": "= hex_secret :couch_leap_mx_password_salt, 128" }, - "mynetworks": "= nodes['environment' => '!local'].field('ip_address')", + "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq", "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", -- cgit v1.2.3 From 905a5260ec476acd7d49ac47433aeaddb382527f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 2 Apr 2014 13:29:29 +0200 Subject: couch design docs should be always deployed, not only on update of the design docs json files (Feature #5359) --- puppet/modules/site_couchdb/manifests/designs.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp index 83d6c8cd..9e88de64 100644 --- a/puppet/modules/site_couchdb/manifests/designs.pp +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -12,9 +12,8 @@ class site_couchdb::designs { } exec { '/srv/leap/couchdb/scripts/load_design_documents.sh': - subscribe => File['/srv/leap/couchdb/designs'], - refreshonly => true, - require => Vcsrepo['/srv/leap/couchdb/scripts'] + require => Vcsrepo['/srv/leap/couchdb/scripts'], + refreshonly => false } } -- cgit v1.2.3 From b12c315edef56515321306a692d0f2098f4e8ee0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Apr 2014 12:38:28 -0400 Subject: Fix for satellite hosts that are unable to contact their relayhost because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite). Fixes #5225 Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1 --- puppet/modules/site_postfix/manifests/satellite.pp | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index 7be51b22..f5d5c7b7 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp 
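Review bot: Dropping `subscribe => File['/srv/leap/couchdb/designs']` also drops the ordering it implied, so on a run where the design JSON changes `load_design_documents.sh` may execute before the new files are written and load the stale set, which the always-run change then masks only on the following run. Keep the dependency explicit: `require => [ Vcsrepo['/srv/leap/couchdb/scripts'], File['/srv/leap/couchdb/designs'] ],`. With `refreshonly => false` and no `unless`/`creates`, the exec also reports a change on every Puppet run; if the script is idempotent, a comment saying so will keep it from being read as a flapping resource.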
@@ -10,5 +10,29 @@ class site_postfix::satellite {
 root_mail_recipient => $root_mail_recipient
 }
+ # There are special conditions for satellite hosts that will make them not be
+ # able to contact their relayhost:
+ #
+ # 1. they are on openstack/amazon/PC and are on the same cluster as the relay
+ # host, the MX lookup for the relay host will use the public IP, which cannot
+ # be contacted
+ #
+ # 2. When a domain is used that is not in DNS, because it is internal,
+ # a testing domain, etc. eg. a .local domain cannot be looked up in DNS
+ #
+ # to resolve this, so the satellite can contact the relayhost, we need to set
+ # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native'
+ # which will cause the lookup to use the native naming service
+ # (nsswitch.conf), which typically defaults to 'files, dns' allowing the
+ # /etc/hosts to be consulted first, then DNS if the entry doesn't exist.
+ #
+ # NOTE: this will make it not possible to enable DANE support through DNSSEC
+ # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but
+ # this parameter is not available until 2.11. If this ends up being important
+ # we could also make this an optional parameter for providers without
+ # dns / local domains
+
+ postfix::config { 'smtp_host_lookup': value => 'native'; }
+
 include site_postfix::mx::smtp_tls
 }
-- cgit v1.2.3
From 5cca6d100ffd991e6f943d916361bf0497728d70 Mon Sep 17 00:00:00 2001
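Review bot: With `smtp_host_lookup = native` the relayhost is resolved only through nsswitch, so delivery now depends on an /etc/hosts entry (or equivalent) for the relayhost that this hunk neither manages nor orders itself after. If that entry is managed elsewhere, a `require` on it, or at least a line in the comment naming where it comes from, would make the dependency explicit instead of implicit. The comment could also state the behaviour actually relied on, e.g. `# 'native' means no DNS MX resolution for the relayhost: the name must resolve via /etc/hosts`. The class body continues outside the hunk.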
From: Micah Anderson Date: Wed, 2 Apr 2014 13:17:20 -0400 Subject: Update TLS apache vhost TLS configuration (#5137): . We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 5 +++-- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 5f1f4c1d..3360ac59 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %> ServerName <%= api_domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 30f0a6b1..ed430510 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
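Review bot: `SSLProtocol all -SSLv2` still leaves SSLv3 enabled, so a client (or an active attacker downgrading one) can negotiate SSLv3, where none of the PFS/AEAD suites at the front of the new cipher list are available; `SSLProtocol all -SSLv2 -SSLv3` is the safer line, and it matches what this repo already does for Postfix (`smtp_tls_protocols = !SSLv2, !SSLv3` in a later hunk on this page). The RC4 suites are kept deliberately per the commit message, so they only need a comment in the template, e.g. `# RC4 suites kept for legacy clients only; drop them once client support allows`. The same SSLProtocol line is added to common.conf.erb in the next hunk and to site_static's apache.conf.erb further down; the change applies there too.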
@@ -11,9 +11,10 @@ ServerAlias www.<%= domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt -- cgit v1.2.3 From 1551f785c5c7c515781995928eec7659365d8988 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Apr 2014 15:35:01 -0400 Subject: Force satellite hosts that only speak to relayhost to have a smtp_tls_security_level of 'encrypt', so it is not optional (#1902) Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16 --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++++ puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 2 -- puppet/modules/site_postfix/manifests/satellite.pp | 11 ++++++++++- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a37c7af9..bdfee665 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -31,6 +31,10 @@ class site_postfix::mx { value => 'vmail'; 'smtpd_tls_received_header': value => 'yes'; + # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls + # because the satellites need to have a different value + 'smtp_tls_security_level': + value => 'may'; } include site_postfix::mx::smtpd_checks diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index 3cc7ea72..d9b59f40 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls { value => 'sha1'; 'smtp_tls_session_cache_database': value => 'btree:${data_directory}/smtp_cache'; - 'smtp_tls_security_level': - value => 'may'; # see issue #4011 'smtp_tls_protocols': value => '!SSLv2, !SSLv3'; diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index f5d5c7b7..5725e6b8 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -32,7 +32,16 @@ class site_postfix::satellite { # we could also make this an optional parameter for providers without # dns / local domains - postfix::config { 'smtp_host_lookup': value => 'native'; } + postfix::config { + 'smtp_host_lookup': + value => 'native'; + + # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls + # because the mx server has to have a different value + 'smtp_tls_security_level': + value => 'encrypt'; + } include site_postfix::mx::smtp_tls + } -- cgit v1.2.3 From 50d2aae1a0611d1266303c5a4d2ab168d696afbc Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 2 Apr 2014 12:53:31 -0700 Subject: revert openvpn tls-cipher: closes https://leap.se/code/issues/5429 --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
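Review bot: `smtp_tls_security_level = encrypt` in the satellite.pp hunk makes TLS mandatory but performs no peer verification, so a satellite that only ever talks to one known relayhost still accepts any certificate from whoever answers on that address. Because the peer is fixed, `secure` (or `verify`) costs no interoperability and closes that gap; if `site_postfix::mx::smtp_tls`, included right after, already configures `smtp_tls_CAfile`/`smtp_tls_CApath` with the provider CA (not visible here) it is a one-word change, `value => 'secure';`. At minimum the comment should say why `encrypt` rather than `secure` was chosen. The `may` value added in the mx.pp hunk is appropriate for opportunistic outbound delivery and needs no change.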
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index e5b97ed9..6d20cf3e 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -20,7 +20,7 @@ "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix", "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil", "configuration": { - "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA", + "tls-cipher": "DHE-RSA-AES128-SHA", "auth": "SHA1", "cipher": "AES-128-CBC" } -- cgit v1.2.3 From c07e3d075149af0bbcd840ad0743df46d3baca5f Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 11:39:03 -0700 Subject: update site_static to work with new amber and have better tls ciphers --- .../modules/site_static/templates/apache.conf.erb | 70 ++++++---------------- 1 file changed, 19 insertions(+), 51 deletions(-) diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 76534911..2abe1a98 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -15,6 +15,7 @@ document_root = location_directory(name, location) end end + document_root = document_root.gsub(%r{^/|/$}, '') -%> 
@@ -32,9 +33,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" Header set X-Frame-Options "deny" 
@@ -45,64 +47,30 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot <%= document_root %> + DocumentRoot "/<%= document_root %>/" + AccessFileName .htaccess <%- @locations.each do |name, location| -%> + <%- path = location['path'].gsub(%r{^/|/$}, '') -%> + <%- directory = location_directory(name, location) -%> ## ## <%= name %> ## - <%- if location['path'] == '/' -%> - # Location / - <%- else -%> - Alias <%= location['path'] %> <%= location_directory(name, location) %> - > - <%- end -%> - # remove trailing slashes - RewriteEngine On - RewriteRule ^(.+)/$ /$1 [R=301,L] - - # e.g. /de/blah => /blah/index.de.html - RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] - - # e.g. /de/foo/bar => /foo/bar.de.html - RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] - - # e.g. /de => /index.de.html - RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f - RewriteRule ^/([a-z]{2})$ /index.$1.html [L] - - # e.g. /de/img.png => /img.png - RewriteCond %{DOCUMENT_ROOT}/$2 -f - RewriteRule ^/([a-z]{2})/(.*) /$2 [L] - - # Simulate "DirectorySlash On" - # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) - RewriteCond %{DOCUMENT_ROOT}/$1 -d - RewriteRule ^/(.*[^/])$ /$1/ [PT] - <%- if location['path'] == '/' -%> - # end Location / + <%- if path == '' -%> + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + <%- else -%> - - <%- end -%> - > - ## - ## PERMISSIONS - ## - AllowOverride None + AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" + Alias /<%=path%> "/<%=directory%>/" + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all - - ## - ## LOCALE SUPPORT (e.g. index.en.html) - ## - LanguagePriority en - ForceLanguagePriority Prefer Fallback - DirectoryIndex index - DirectorySlash Off - Options +MultiViews + <%- end -%> <%- end -%> -- cgit v1.2.3 
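Review bot: `path` is interpolated unescaped into the `AliasMatch` regex, so a location path containing regex metacharacters (`.`, `+`, parentheses) matches more URLs than intended; escape it when building the pattern, `AliasMatch ^/[a-z]{2}/<%= Regexp.escape(path) %>(/.+|/|)$ "/<%=directory%>/$1"`. Separately, `AllowOverride FileInfo Indexes Options=All,MultiViews` replaces the old `AllowOverride None` and lets any .htaccess in the served tree enable `Includes` and `ExecCGI`, i.e. server-side execution; if the content checkout is writable by people who should not get that, `Options=Indexes,MultiViews,FollowSymLinks` grants what the static site needs without it. The `<Directory>` open and close tags appear to have been stripped in this rendering (the bare `/">` fragments), so the generated config is worth checking by eye.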
From bafcfdf7643bcfa5715b5517578e0d9ca2eb399e Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 11:49:53 -0700 Subject: better system for optionally uninstalling build-essential package. closes https://leap.se/code/issues/5426 --- .../site_config/manifests/packages/build_essential.pp | 7 +++++-- .../site_config/manifests/packages/uninstall.pp | 18 +++++++----------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index c9efaafb..7dfb8b03 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -2,7 +2,10 @@ # include this whenever you want to ensure build-essential package and related compilers are installed. # class site_config::packages::build_essential { - if $install_build_essential == undef { - $install_build_essential = true + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => present + } } } \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp index 2919cc96..12f527d9 100644 --- a/puppet/modules/site_config/manifests/packages/uninstall.pp +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp 
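Review bot: `if !defined(Package['build-essential'])` is evaluated in catalog parse order, so the outcome depends on which of site_config::packages::build_essential and site_config::packages::uninstall (next hunk) the compiler reaches first: if uninstall is evaluated first its `ensure => purged` wins and a later include of build_essential is silently a no-op, purging the compilers on a node that asked for them. The removed uninstall.pp header ("this should be included last") was the only statement of that ordering; at minimum restore it above the guard in both files, e.g. `# parse-order dependent: build_essential must be evaluated before uninstall, otherwise the purge wins silently`. A class parameter or hiera flag deciding between present and purged would remove the order dependency entirely.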
@@ -1,20 +1,16 @@ # -# this should be included last to allow other modules to set $::install_build_packages +# Uninstall build-essential and compilers, unless they have been explicitly installed elsewhere. # class site_config::packages::uninstall { - - if $site_config::packages::build_essential::install_essential == true { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } + tag 'leap_base' # generally, dev packages are needed for installing ruby gems with native extensions. # (nickserver, webapp, etc) - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => purged + } } - } \ No newline at end of file -- cgit v1.2.3 From 4a0feb8fa663c1c73c47f3298c1f303dffd942cc Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 12:39:01 -0700 Subject: openvpn: allow for configurable keepalive (aka ping & ping-restart) closes https://leap.se/code/issues/4127 --- provider_base/services/openvpn.json | 3 ++- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index e5b97ed9..d98e86a1 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -22,7 +22,8 @@ "configuration": { "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA", "auth": "SHA1", - "cipher": "AES-128-CBC" + "cipher": "AES-128-CBC", + "keepalive": "10 30" } } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6246a836..b1f4997c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -115,7 +115,7 @@ define site_openvpn::server_config(
 server => $openvpn_configname;
 "keepalive ${openvpn_configname}":
 key => 'keepalive',
- value => '5 20',
+ value => $config['keepalive'],
 server => $openvpn_configname;
 "local ${openvpn_configname}":
 key => 'local',
-- cgit v1.2.3
From 75c4fb003d1a37f7c7a7c0aa726292aba27fd1e6 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 2 Apr 2014 12:53:31 -0700 Subject: revert openvpn tls-cipher: closes https://leap.se/code/issues/5429
--- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index d98e86a1..04e19aa2 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -20,7 +20,7 @@
 "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
 "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
 "configuration": {
- "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+ "tls-cipher": "DHE-RSA-AES128-SHA",
 "auth": "SHA1",
 "cipher": "AES-128-CBC",
 "keepalive": "10 30"
-- cgit v1.2.3
From 615b5a218e843c9fe4e41729507b6ca1f14cf7b7 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 8 Apr 2014 10:51:42 -0700 Subject: minor: allow manual override of 'services' in provider.json
--- provider_base/files/service-definitions/provider.json.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 97454f81..3e055e9a 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
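Review bot: `value => $config['keepalive']` has no fallback, so a provider whose openvpn.json predates the new `keepalive` key (added in the json hunk of the previous commit) renders the option with an undef value where the old code always emitted `5 20`. A selector keeps a default in line with the json: `value => $config['keepalive'] ? { undef => '10 30', default => $config['keepalive'] },` (on Puppet 3 a missing hash key reads as undef, which the selector matches). The define `site_openvpn::server_config` starts outside the hunk.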
@@ -1,13 +1,13 @@ <%= # grab some fields from provider.json hsh = provider.pick( - :languages, :description, :name, + :languages, :description, :name, :services, :enrollment_policy, :default_language, :service ) hsh['domain'] = domain.full_suffix # advertise services that are 'user services' and for which there are actually nodes - hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service| + hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service| nodes_like_me[:services => service].any? end -- cgit v1.2.3 From e3d4c14648ff4e108cec28112c119ee7115a44cb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 8 Apr 2014 16:39:40 +0200 Subject: fix check_mk resource dependency deploy errors (Bug #5272) --- puppet/modules/site_check_mk/manifests/agent.pp | 20 ++++++++++---------- puppet/modules/site_check_mk/manifests/agent/mx.pp | 5 +++-- .../modules/site_check_mk/manifests/agent/webapp.pp | 10 ++++++---- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index b752182e..589041eb 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -4,7 +4,7 @@ class site_check_mk::agent { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] - include site_apt::preferences::check_mk + class { 'site_apt::preferences::check_mk': } -> class { 'check_mk::agent': agent_package_name => 'check-mk-agent', 
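Review bot: `hsh['services'] ||=` publishes a hand-set `services` list from provider.json as-is, bypassing the "user service with at least one node" filter on the right-hand side, so a stale manual entry advertises a service nobody runs and the override is nowhere documented. A comment above the line should say so, e.g. `# a manual 'services' in provider.json wins and is NOT filtered against running nodes`. If the override is meant to be a subset of what actually runs, intersecting it with the computed list would be the safer semantics; that is a design choice the commit should state.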
@@ -12,17 +12,17 @@ class site_check_mk::agent { method => 'ssh', homedir => '/etc/nagios/check_mk', register_agent => false - } + } -> - file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: - ensure => directory, - } + class { 'site_check_mk::agent::mrpe': } -> + class { 'site_check_mk::agent::logwatch': } -> - file { '/usr/lib/check_mk_agent/local/run_node_tests.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', - mode => '0755' + file { + [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: + ensure => directory; + '/usr/lib/check_mk_agent/local/run_node_tests.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', + mode => '0755'; } - include site_check_mk::agent::mrpe - include site_check_mk::agent::logwatch } diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 2dd50400..35a4e9a5 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -15,8 +15,9 @@ class site_check_mk::agent::mx { # check stale files in queue dir file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', - mode => '0755' + source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', + mode => '0755', + require => Package['check_mk-agent'] } } diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index cb160d83..64f5ea6d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp 
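Review bot: `require => Package['check_mk-agent']` in the mx.pp hunk references a package resource by title, while agent.pp sets `agent_package_name => 'check-mk-agent'`; unless the check_mk module declares its package as `package { 'check_mk-agent': name => $agent_package_name }` (not visible here), the reference fails at catalog compile with a missing-dependency error. Verify the title, or depend on the class that declares it, which does not hinge on the resource title: `require => Class['check_mk::agent']`. The same reference is added twice more in the webapp.pp hunk that follows.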
@@ -5,12 +5,14 @@ class site_check_mk::agent::webapp { ensure => installed } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/webapp_login.py' + ensure => link, + target => '/srv/leap/webapp/test/nagios/webapp_login.py', + require => Package['check_mk-agent'] } file { '/usr/lib/check_mk_agent/local/soledad_sync.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/soledad_sync.py' + ensure => link, + target => '/srv/leap/webapp/test/nagios/soledad_sync.py', + require => Package['check_mk-agent'] } -- cgit v1.2.3 From 740cb615eae69235a649583359e23d834df0d7b5 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 9 Apr 2014 11:53:26 +0200 Subject: #5315 update soledad design docs --- .../site_couchdb/files/designs/shared/docs.json | 14 +++++--------- .../site_couchdb/files/designs/shared/syncs.json | 16 ++++++++-------- .../files/designs/shared/transactions.json | 19 ++++++++++--------- 3 files changed, 23 insertions(+), 26 deletions(-) diff --git a/puppet/modules/site_couchdb/files/designs/shared/docs.json b/puppet/modules/site_couchdb/files/designs/shared/docs.json index 4aad02aa..004180cd 100644 --- a/puppet/modules/site_couchdb/files/designs/shared/docs.json +++ b/puppet/modules/site_couchdb/files/designs/shared/docs.json 
@@ -1,12 +1,8 @@ { - "views" : { - "get" : { - "map" : "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" + "_id": "_design/docs", + "views": { + "get": { + "map": "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" } - }, - "_id" : "_design/docs", - "updates" : { - "resolve_doc" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'conflicts': '',\n * }\n */\n var body = JSON.parse(req.body);\n\n // fail if no document was given\n if (!doc) {\n return [null, 'document does not exist']\n } \n\n // fail if couch revisions do not match\n if (body['couch_rev'] != null\n && doc['_rev'] != body['couch_rev']) {\n return [null, 'revision conflict']\n }\n\n // fail if conflicts were not sent\n if (body['conflicts'] == null)\n return [null, 'missing conflicts']\n\n // save conflicts as attachment if they were sent\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n }\n // or delete attachment if there are no conflicts\n else if (doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts;\n\n return 
[doc, 'ok'];\n}\n", - "put" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'u1db_rev': '',\n * 'content': '',\n * 'trans_id': ''\n * 'conflicts': '',\n * 'update_conflicts': \n * }\n */\n var body = JSON.parse(req.body);\n\n // create a new document document\n if (!doc) {\n doc = {}\n doc['_id'] = req['id'];\n }\n // or fail if couch revisions do not match\n else if (doc['_rev'] != body['couch_rev']) {\n // of fail if revisions do not match\n return [null, 'revision conflict']\n }\n\n // store u1db rev\n doc.u1db_rev = body['u1db_rev'];\n\n // save content as attachment\n if (body['content'] != null) {\n // save u1db content as attachment\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_content = {\n content_type: \"application/octet-stream\",\n data: body['content'] // should be base64 encoded\n };\n }\n // or delete the attachment if document is tombstone\n else if (doc._attachments &&\n doc._attachments.u1db_content)\n delete doc._attachments.u1db_content;\n\n // store the transaction id\n if (!doc.u1db_transactions)\n doc.u1db_transactions = [];\n var d = new Date();\n doc.u1db_transactions.push([d.getTime(), body['trans_id']]);\n\n // save conflicts as attachment if they were sent\n if (body['update_conflicts'])\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n } else {\n if(doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts\n }\n\n return [doc, 'ok'];\n}\n" } -} +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/shared/syncs.json b/puppet/modules/site_couchdb/files/designs/shared/syncs.json index 0df5ff74..bab5622f 100644 --- a/puppet/modules/site_couchdb/files/designs/shared/syncs.json 
+++ b/puppet/modules/site_couchdb/files/designs/shared/syncs.json @@ -1,11 +1,11 @@ { - "views" : { - "log" : { - "map" : "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" + "_id": "_design/syncs", + "updates": { + "put": "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" + }, + "views": { + "log": { + "map": "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" } - }, - "_id" : "_design/syncs", - "updates" : { - "put" : "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" } -} +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/shared/transactions.json b/puppet/modules/site_couchdb/files/designs/shared/transactions.json index 8fcb84d1..106ad46c 100644 --- a/puppet/modules/site_couchdb/files/designs/shared/transactions.json +++ b/puppet/modules/site_couchdb/files/designs/shared/transactions.json 
@@ -1,12 +1,13 @@ { - "lists" : { - "generation" : "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n", - "whats_changed" : "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n", - "trans_id_for_gen" : "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n" - }, - "views" : { - "log" : { - "map" : "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" + "_id": "_design/transactions", + "lists": { + "generation": "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n 
\"transaction_id\": \"\",\n }));\n}\n", + "trans_id_for_gen": "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n", + "whats_changed": "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n" + }, + "views": { + "log": { + "map": "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" } } -} +} \ No newline at end of file -- cgit v1.2.3 From f7d82cba6684f5c7939e0ad2e4c615bbd3660f30 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 12 Apr 2014 11:51:48 -0400 Subject: make the soledad service subscribe to package changes, cert and key changes (#5499) Change-Id: Ia0efb4c129a71504a717c20e2e260a1ed83f2223 --- puppet/modules/soledad/manifests/server.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 1137080f..394e6032 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp 
@@ -50,8 +50,8 @@ class soledad::server {
 enable => true,
 hasstatus => true,
 hasrestart => true,
- require => [
- Class['soledad'],
+ require => Class['soledad'],
+ subscribe => [
 Package['soledad-server'],
 Class['Site_config::X509::Key'],
 Class['Site_config::X509::Cert'],
-- cgit v1.2.3
From dae324f316666f65907c02877ffd566df45641f6 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 15 Apr 2014 16:54:57 +0200
Subject: fix concat::setup (#5503)
---
 puppet/modules/site_config/manifests/setup.pp | 1 +
 puppet/modules/site_config/manifests/vagrant.pp | 1 +
 2 files changed, 2 insertions(+)
diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp
index ffe01f53..6d89be86 100644
--- a/puppet/modules/site_config/manifests/setup.pp
+++ b/puppet/modules/site_config/manifests/setup.pp
@@ -1,4 +1,5 @@
 class site_config::setup {
+ tag 'leap_base'
 #
 # this is applied before each run of site.pp
diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp
index 04266735..8f50b305 100644
--- a/puppet/modules/site_config/manifests/vagrant.pp
+++ b/puppet/modules/site_config/manifests/vagrant.pp
@@ -1,6 +1,7 @@
 class site_config::vagrant {
 # class for vagrant nodes
+ include site_shorewall::defaults
 # eth0 on vagrant nodes is the uplink if
 shorewall::interface { 'eth0':
 zone => 'net',
-- cgit v1.2.3
From 5d3ece0ac0d02eb501f474bb37a59bb740c57c5d Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 8 Apr 2014 13:03:40 +0200
Subject: configure couchdb after starting shorewall (#53)
---
 puppet/modules/site_couchdb/manifests/init.pp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index c67ce8c8..2bcd25dc 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
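Review bot: The new `subscribe` list is what makes a rotated key or certificate take effect, but nothing in the resource says so; a one-line comment above `subscribe => [` such as `# subscribe implies require: restart soledad-server when the package, key or cert changes` would make that intent explicit for the next editor. Since `subscribe` in Puppet also establishes the ordering the removed `require` entries provided, dropping them from `require` does not loosen the ordering. The closing `]` and the remainder of the service resource lie outside the hunk.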
@@ -59,6 +59,7 @@ class site_couchdb {
 Class['site_config::default']
 -> Class['couchdb::bigcouch::package::cloudant']
+ -> Service['shorewall']
 -> Service['couchdb']
 -> Class['site_couchdb::stunnel']
 -> File['/root/.netrc']
-- cgit v1.2.3
From e2fc8c9ef1934e3884fcc8ddd1ff002fcbcf85ab Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 16 Apr 2014 01:19:24 -0700
Subject: exit codes for run_tests: 0 = success, 1 = warning, 2 = failure, 3 = error.
---
 bin/run_tests | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 55 insertions(+), 9 deletions(-)
diff --git a/bin/run_tests b/bin/run_tests
index f4fb0157..cb4458f3 100755
--- a/bin/run_tests
+++ b/bin/run_tests
@@ -16,6 +16,26 @@ require 'yaml'
 require 'tsort'
 require 'net/http'
+##
+## EXIT CODES
+##
+
+EXIT_CODES = {
+ :success => 0,
+ :warning => 1,
+ :failure => 2,
+ :error => 3
+}
+
+def bail(code, msg=nil)
+ puts msg if msg
+ if code.is_a? Symbol
+ exit(EXIT_CODES[code])
+ else
+ exit(code)
+ end
+end
+
 ##
 ## EXCEPTIONS
 ##
@@ -90,7 +110,7 @@ class LeapTest < MiniTest::Unit::TestCase
 def warn(*msg)
 method_name = caller.first.split('`').last.gsub(/(block in |')/,'')
- MiniTest::Unit.runner.report_line("WARN", self.class, method_name, nil, msg.join("\n"))
+ MiniTest::Unit.runner.warn(self.class, method_name, msg.join("\n"))
 end
 # Always runs test methods within a test class in alphanumeric order
@@ -272,10 +292,11 @@ end
 #
 class LeapRunner < MiniTest::Unit
- attr_accessor :passes
+ attr_accessor :passes, :warnings
 def initialize
 @passes = 0
+ @warnings = 0
 super
 end
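Review bot: `bail` passes `EXIT_CODES[code]` straight to `exit`; for a symbol that is not in the table the lookup returns `nil`, so the process raises from inside the error path (often a `rescue` block) instead of exiting with a status, which is hard to diagnose. Use `exit(EXIT_CODES.fetch(code))` so a mistyped symbol fails with a KeyError that names it, or fall back to `EXIT_CODES[:error]` for unknown symbols. The integer branch accepts any value, so a short comment on the method stating the 0/1/2/3 meaning from the commit subject would help callers that consume these codes from shell.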
@@ -300,12 +321,13 @@ class LeapRunner < MiniTest::Unit
 @test_count = results.inject(0) { |sum, (tc, _)| sum + tc }
 @assertion_count = results.inject(0) { |sum, (_, ac)| sum + ac }
 status
+ return exit_code()
 rescue Interrupt
- abort 'Tests halted on interrupt.'
+ bail :error, 'Tests halted on interrupt.'
 rescue TestFailure
- abort 'Tests halted on failure (because of --no-continue).'
+ bail :failure, 'Tests halted on failure (because of --no-continue).'
 rescue TestError
- abort 'Tests halted on error (because of --no-continue).'
+ bail :error, 'Tests halted on error (because of --no-continue).'
 end
 #
@@ -320,7 +342,7 @@ class LeapRunner < MiniTest::Unit
 #end
 when LeapTest::Pass then
 @passes += 1
- @report << report_line("PASS", klass, meth)
+ report_line("PASS", klass, meth)
 when MiniTest::Assertion then
 @failures += 1
 report_line("FAIL", klass, meth, e, e.message)
@@ -348,6 +370,21 @@ class LeapRunner < MiniTest::Unit
 end
 end
+ #
+ # return an appropriate exit_code symbol
+ #
+ def exit_code
+ if @errors > 0
+ :error
+ elsif @failures > 0
+ :failure
+ elsif @warnings > 0
+ :warning
+ else
+ :success
+ end
+ end
+
 #
 # returns a string for a PASS, SKIP, or FAIL error
 #
@@ -386,6 +423,14 @@ class LeapRunner < MiniTest::Unit
 end
 end
+ #
+ # a new function used by TestCase to report warnings.
+ #
+ def warn(klass, method_name, msg)
+ @warnings += 1
+ report_line("WARN", klass, method_name, nil, msg)
+ end
+
 private
 CHECKMK_CODES = {"PASS" => 0, "SKIP" => 1, "FAIL" => 2, "ERROR" => 3}
@@ -430,7 +475,7 @@ class TestDependencyGraph
 @dependencies[test_class_name].each(&block)
 else
 puts "ERROR: bad dependency, no such class `#{test_class_name}`"
- exit(1)
+ bail :error
 end
 end
@@ -451,7 +496,7 @@ def die(test, msg)
 elsif $output_format == :checkmk
 puts "3 #{test} - #{msg}"
 end
- exit(1)
+ bail :error
 end
 def print_help
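Review bot: The new `LeapRunner#warn(klass, method_name, msg)` shadows `Kernel#warn` on the runner object with a three-argument signature, so any `warn "..."` issued with the runner as receiver (including by MiniTest itself, if it does so) would now raise ArgumentError rather than print. A name such as `report_warning` avoids the collision, with the single call site in `LeapTest#warn` from the earlier hunk updated to match. In the `run` hunk, `bail` inside the `rescue` clauses exits the process from within the runner, so the `return exit_code()` path and the rescue paths end the program differently; a comment on `run` saying it either returns a symbol or exits would save the reader a surprise. The enclosing `run` method starts outside the hunk.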
@@ -488,7 +533,8 @@ end
 def run_tests
 MiniTest::Unit.runner = LeapRunner.new
- MiniTest::Unit.new.run
+ exit_code = MiniTest::Unit.new.run
+ bail exit_code
 end
 ##
-- cgit v1.2.3
From 723433a385d4d72721efb36bdf144ad89ad613a7 Mon Sep 17 00:00:00 2001
From: elijah
Date: Wed, 16 Apr 2014 01:40:11 -0700
Subject: run_tests: added options --retry and --wait (to keep retrying tests if there is any problem).
---
 bin/run_tests | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/bin/run_tests b/bin/run_tests
index cb4458f3..b258e85a 100755
--- a/bin/run_tests
+++ b/bin/run_tests
@@ -365,8 +365,8 @@ class LeapRunner < MiniTest::Unit
 #
 def status(io = self.output)
 if $output_format == :human
- format = "%d tests, %d assertions, %d passes, %d failures, %d errors, %d skips"
- output.puts format % [test_count, assertion_count, passes, failures, errors, skips]
+ format = "%d tests: %d passes, %d skips, %d warnings, %d failures, %d errors"
+ output.puts format % [test_count, passes, skips, warnings, failures, errors]
 end
 end
@@ -501,10 +501,12 @@ end
 def print_help
 puts ["USAGE: run_tests [OPTIONS]",
- " --continue Don't halt on an error, but continue to the next test.",
- " --checkmk Print test results in checkmk format (must come before --test).",
- " --test TEST Run only the test with name TEST.",
- " --list-tests Prints the names of all available tests and exit."].join("\n")
+ " --continue Don't halt on an error, but continue to the next test.",
+ " --checkmk Print test results in checkmk format (must come before --test).",
+ " --test TEST Run only the test with name TEST.",
+ " --list-tests Prints the names of all available tests and exit.",
+ " --retry COUNT If the tests don't pass, retry COUNT additional times (default is zero)",
+ " --wait SECONDS Wait for SECONDS between retries (default is 5)"].join("\n")
 exit(0)
 end
@@ -531,9 +533,21 @@ def pin_test_name(name)
 end
 end
+#
+# run the tests, multiple times if `--repeat` and not all tests were successful.
+#
 def run_tests
- MiniTest::Unit.runner = LeapRunner.new
- exit_code = MiniTest::Unit.new.run
+ exit_code = nil
+ run_count = $repeat ? $repeat + 1 : 1
+ run_count.times do |i|
+ MiniTest::Unit.runner = LeapRunner.new
+ exit_code = MiniTest::Unit.new.run
+ if !$repeat || exit_code == :success
+ break
+ elsif i != run_count-1
+ sleep $wait
+ end
+ end
 bail exit_code
 end
@@ -561,6 +575,8 @@ def main
 # parse command line options
 $halt_on_failure = true
 $output_format = :human
+ $repeat = false
+ $wait = 5
 loop do
 case ARGV[0]
 when '--continue' then ARGV.shift; $halt_on_failure = false;
@@ -568,6 +584,8 @@ def main
 when '--help' then print_help
 when '--test' then ARGV.shift; pin_test_name(ARGV.shift)
 when '--list-tests' then list_tests
+ when '--repeat' then ARGV.shift; $repeat = ARGV.shift.to_i
+ when '--wait' then ARGV.shift; $wait = ARGV.shift.to_i
 else break
 end
 end
-- cgit v1.2.3
From 2d64dafaf6238852d80b326ca22359da4371e912 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Apr 2014 15:22:57 -0400
Subject: fix --retry argument, the help listed it correctly, but the code was using --repeat (#5119)
Change-Id: I48b0ae8b3d8ab91c4ca363a2bdece46952cce5a9
---
 bin/run_tests | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/bin/run_tests b/bin/run_tests
index b258e85a..9102c325 100755
--- a/bin/run_tests
+++ b/bin/run_tests
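Review bot: In the option-parsing hunk, `$repeat = ARGV.shift.to_i` and `$wait = ARGV.shift.to_i` turn a missing or non-numeric argument into 0 without complaint (`nil.to_i` and `"abc".to_i` are both 0), so a mistyped `--wait` value degrades into a retry loop with no sleep and a mistyped count into no retries at all. Parsing with `Integer(ARGV.shift)` inside a small check, or `bail :error, "--wait needs a number of seconds"` when the value does not look numeric, would surface the mistake at startup; a negative `$wait` would also make `sleep $wait` raise, so the check should require a non-negative value. In `run_tests`, a count of 0 is truthy in Ruby, so `!$repeat` is false and the loop still runs exactly once, which is correct but deserves a comment. The `main` method that holds the option loop starts and ends outside the hunk.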
@@ -534,15 +534,15 @@ def pin_test_name(name)
 end
 #
-# run the tests, multiple times if `--repeat` and not all tests were successful.
+# run the tests, multiple times if `--retry` and not all tests were successful.
 #
 def run_tests
 exit_code = nil
- run_count = $repeat ? $repeat + 1 : 1
+ run_count = $retry ? $retry + 1 : 1
 run_count.times do |i|
 MiniTest::Unit.runner = LeapRunner.new
 exit_code = MiniTest::Unit.new.run
- if !$repeat || exit_code == :success
+ if !$retry || exit_code == :success
 break
 elsif i != run_count-1
 sleep $wait
@@ -575,7 +575,7 @@ def main
 # parse command line options
 $halt_on_failure = true
 $output_format = :human
- $repeat = false
+ $retry = false
 $wait = 5
 loop do
 case ARGV[0]
@@ -584,7 +584,7 @@ def main
 when '--help' then print_help
 when '--test' then ARGV.shift; pin_test_name(ARGV.shift)
 when '--list-tests' then list_tests
- when '--repeat' then ARGV.shift; $repeat = ARGV.shift.to_i
+ when '--retry' then ARGV.shift; $retry = ARGV.shift.to_i
 when '--wait' then ARGV.shift; $wait = ARGV.shift.to_i
 else break
 end
@@ -592,4 +592,4 @@ def main
 run_tests
 end
-main()
\ No newline at end of file
+main()
-- cgit v1.2.3
From 42d93c7a939902ace20ed5602317530473ece364 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 16 Apr 2014 16:58:32 -0400
Subject: add exec resources to run the couchdb tests to wait for nodes and cluster membership to settle, before attempting any operations (#5269, #4590, #3712)
Change-Id: Ic9826dda1c242e705ce85ae218766496bdd8ecbd
---
 .../modules/site_couchdb/manifests/bigcouch/settle_cluster.pp | 11 +++++++++++
 puppet/modules/site_couchdb/manifests/init.pp | 3 +++
 2 files changed, 14 insertions(+)
 create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp b/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp
new file mode 100644
index 00000000..aa843e2e
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp
@@ -0,0 +1,11 @@
+class site_couchdb::bigcouch::settle_cluster {
+
+ exec { 'wait_for_couch_nodes':
+ command => '/srv/leap/bin/run_tests --test CouchDB/Are_configured_nodes_online? --retry 6 --wait 10'
+ }
+
+ exec { 'settle_cluster_membership':
+ command => '/srv/leap/bin/run_tests --test CouchDB/Is_cluster_membership_ok? --retry 6 --wait 10',
+ require => Exec['wait_for_couch_nodes']
+ }
+}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 2bcd25dc..8c790bd2 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -64,6 +64,7 @@ class site_couchdb {
 -> Class['site_couchdb::stunnel']
 -> File['/root/.netrc']
 -> Class['site_couchdb::bigcouch::add_nodes']
+ -> Class['site_couchdb::bigcouch::settle_cluster']
 -> Couchdb::Create_db['users']
 -> Couchdb::Create_db['tokens']
 -> Couchdb::Add_user[$couchdb_webapp_user]
@@ -73,6 +74,8 @@ class site_couchdb {
 class { 'site_couchdb::bigcouch::add_nodes': }
+ class { 'site_couchdb::bigcouch::settle_cluster': }
+
 # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup
 # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
 # and makes life easier for the admin (i.e. using curl/wget without
-- cgit v1.2.3
From af1f6d6fc248b02ef51ceedb3257579f09c8febf Mon Sep 17 00:00:00 2001
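Review bot: Both `exec` resources in `settle_cluster` run `run_tests` on every agent run, with no `unless`/`onlyif`/`refreshonly` guard and no explicit `timeout`, so a cluster that never settles blocks the catalog for the exec's default timeout on each run on top of the roughly one minute that `--retry 6 --wait 10` already allows. `run_tests` also exits 1 for a warning-only result (per the exit-code change earlier in this series) while `exec` accepts only exit code 0 by default, so a warning from these tests fails the exec and everything chained after `Class['site_couchdb::bigcouch::settle_cluster']`; if that strictness is intended, say so in a comment, otherwise add `returns => [0, 1]` to both execs. A short comment on the class naming the tickets (#5269, #4590, #3712) and the expected settle time would help whoever later tunes the retry and wait values.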
From: Micah Anderson
Date: Thu, 17 Apr 2014 09:35:17 -0400
Subject: Change couchdb ordering hints (#5269, #4590, #3712): . make the couchdb service start after the stunnels have been setup. This may improve the cluster membership coming online faster . replace the two Couchdb::Create_db ordering hints (for the 'users' and 'tokens' databases) with a generic Class['site_config::create_dbs'] hint. This makes it so we get the ordering hint for all databases, which we were not before, without having to individually list them . replace the two Couchdb::Add_user ordering hints (for the $couchdb_webapp_user and the $couchdb_soledad_user) with a generic ordering hint for Class['site_couchdb::add_users'] ordering hint. This makes it so we get the ordering hint for all the users, which we were not before, without having to individually list them
Change-Id: Ia63e62d68d24e77a49d4ef928a2a8130ab7bccb9
---
 puppet/modules/site_couchdb/manifests/init.pp | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 8c790bd2..d8e03e41 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -60,15 +60,13 @@ class site_couchdb {
 Class['site_config::default']
 -> Class['couchdb::bigcouch::package::cloudant']
 -> Service['shorewall']
- -> Service['couchdb']
 -> Class['site_couchdb::stunnel']
+ -> Service['couchdb']
 -> File['/root/.netrc']
 -> Class['site_couchdb::bigcouch::add_nodes']
 -> Class['site_couchdb::bigcouch::settle_cluster']
- -> Couchdb::Create_db['users']
- -> Couchdb::Create_db['tokens']
- -> Couchdb::Add_user[$couchdb_webapp_user]
- -> Couchdb::Add_user[$couchdb_soledad_user]
+ -> Class['site_couchdb::create_dbs']
+ -> Class['site_couchdb::add_users']
 class { 'site_couchdb::stunnel': }
-- cgit v1.2.3
From ca34d880f65f62bf78623c80f6e76d1726f2068c Mon Sep 17 00:00:00 2001
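Review bot: The chain now names `Class['site_couchdb::create_dbs']` and `Class['site_couchdb::add_users']`, whereas the commit message describes the first hint as `Class['site_config::create_dbs']`; the code appears to match the `include site_couchdb::create_dbs` that exists elsewhere in this file, so the message is the one that is off. The rationale for moving `Service['couchdb']` after `Class['site_couchdb::stunnel']` (cluster membership coming up faster) lives only in the commit message; a comment above the chain such as `# start couchdb only after the stunnels are up so cluster members can reach each other` would keep it with the code. The rest of the class, including the `include`s these `Class[]` references depend on, is outside the hunk.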
From: Micah Anderson
Date: Thu, 17 Apr 2014 11:56:36 -0400
Subject: change class instantiating to be includes and organizing things in the class to be more visually logical (#5269, #4590, #3712)
Change-Id: I58c28c3bc62e67b25f33da3378e8146110471613
---
 puppet/modules/site_couchdb/manifests/init.pp | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index d8e03e41..3614661d 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -68,12 +68,6 @@ class site_couchdb {
 -> Class['site_couchdb::create_dbs']
 -> Class['site_couchdb::add_users']
- class { 'site_couchdb::stunnel': }
-
- class { 'site_couchdb::bigcouch::add_nodes': }
-
- class { 'site_couchdb::bigcouch::settle_cluster': }
-
 # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup
 # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
 # and makes life easier for the admin (i.e. using curl/wget without
@@ -92,15 +86,6 @@ class site_couchdb {
 pw => $couchdb_admin_pw,
 }
- include site_couchdb::create_dbs
- include site_couchdb::add_users
- include site_couchdb::designs
- include site_couchdb::logrotate
- include site_couchdb::bigcouch::compaction
-
- include site_shorewall::couchdb
- include site_shorewall::couchdb::bigcouch
-
 vcsrepo { '/srv/leap/couchdb/scripts':
 ensure => present,
 provider => git,
@@ -109,8 +94,20 @@ class site_couchdb {
 require => File['/srv/leap/couchdb']
 }
+ include site_couchdb::stunnel
+ include site_couchdb::bigcouch::add_nodes
+ include site_couchdb::bigcouch::settle_cluster
+ include site_couchdb::create_dbs
+ include site_couchdb::add_users
+ include site_couchdb::designs
+ include site_couchdb::logrotate
+ include site_couchdb::bigcouch::compaction
+
 if $couchdb_backup { include site_couchdb::backup }
+ include site_shorewall::couchdb
+ include site_shorewall::couchdb::bigcouch
+
 include site_check_mk::agent::couchdb
 include site_check_mk::agent::tapicero
-- cgit v1.2.3
From 4295f334ea4f92d7fb47f7121a42633630c368d1 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Apr 2014 15:47:38 -0400
Subject: update couchdb submodule to get fix for timing issue that caused 409 Conflicts in certain situations (#5523)
Change-Id: I1ca67e317a7eb84f64cb7b79daa2e500f0561707
---
 puppet/modules/couchdb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 32dba50b..c8f5443e 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit 32dba50beb0c24b9b883e495149b353aa70506c6
+Subproject commit c8f5443e0998d3d3d43505ff5a6fdf8c438d6c24
-- cgit v1.2.3