From 59635ff7904645075bf3ddd30a70a05a58102bed Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Sep 2012 11:21:23 +0200
Subject: added submodule openvpn
---
 .gitmodules | 3 +++
 puppet/modules/openvpn | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 .gitmodules
 create mode 160000 puppet/modules/openvpn
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..a1a8c588
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "puppet/modules/openvpn"]
+ path = puppet/modules/openvpn
+ url = git://github.com/luxflux/puppet-openvpn.git
diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn
new file mode 160000
index 00000000..25f1fe8d
--- /dev/null
+++ b/puppet/modules/openvpn
@@ -0,0 +1 @@
+Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c
-- 
cgit v1.2.3
From 2c2e3608a251bdb8210767484e05c896f6803d6c Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Sep 2012 11:29:17 +0200
Subject: beginning of openvpn server config
---
 puppet/manifests/site.pp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3a136015..39173f95 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,3 +1,15 @@
-node "default" {
- notify {'Hello World':}
+node 'cougar.leap.se' {
+ openvpn::server {
+ 'cougar.leap.se':
+ country => 'TR',
+ province => 'Ankara',
+ city => 'Ankara',
+ organization => 'leap.se',
+ email => 'sysdev@leap.se';
+}
+
+}
+
+node 'default' {
+ notify {'Please specify a host in site.pp!':}
 }
-- 
cgit v1.2.3
From 653efcee3f3427817e63a8432df99c1e932e3261 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Sep 2012 11:46:46 +0200
Subject: install puppet+facter from backports
---
 deploy.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/deploy.sh b/deploy.sh
index c8f89b90..4da972b5 100755
--- a/deploy.sh
+++ b/deploy.sh
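Review bot: `url = git://github.com/luxflux/puppet-openvpn.git` in the new .gitmodules fetches the submodule over the unauthenticated, unencrypted git protocol; the gitlink pins commit `25f1fe8d813f6128068d890a40f5e24be78fb47c`, so substituted content would fail to check out, but the transport itself offers no server authentication and GitHub no longer serves git:// at all, so a fresh `git submodule update --init` fails outright. Change the line to `url = https://github.com/luxflux/puppet-openvpn.git`. The concat submodule added in commit 670819c (`url = git://code.leap.se/puppet_concat`) has the same shape and should move to https as well.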
@@ -1,3 +1,15 @@ #!/bin/sh +# +# missing: header, licence, usage + + +apt-get install lsb-release git + +# we need puppet from backports +dist="`lsb_release -cs`" +[ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list + +apt-get update +apt-get install -t $dist-backports facter puppet puppet apply --modulepath=$PWD/puppet/modules $PWD/puppet/manifests/site.pp $@ -- cgit v1.2.3 From 670819cbaa3cf78e2fce45aeb030ece78a920a57 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 11:55:35 +0200 Subject: added submodule concat --- .gitmodules | 3 +++ puppet/modules/concat | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/concat diff --git a/.gitmodules b/.gitmodules index a1a8c588..f84f173e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "puppet/modules/openvpn"] path = puppet/modules/openvpn url = git://github.com/luxflux/puppet-openvpn.git +[submodule "puppet/modules/concat"] + path = puppet/modules/concat + url = git://code.leap.se/puppet_concat diff --git a/puppet/modules/concat b/puppet/modules/concat new file mode 160000 index 00000000..abce1280 --- /dev/null +++ b/puppet/modules/concat @@ -0,0 +1 @@ +Subproject commit abce1280e07b544d8455f1572dd870bbd2f14892 -- cgit v1.2.3 From 54270961d928e5398f1b7d7a4947bbe14c94d746 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 11:56:26 +0200 Subject: batch mode for apt-get install --- deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy.sh b/deploy.sh index 4da972b5..441a1128 100755 --- a/deploy.sh +++ b/deploy.sh 
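Review bot: `puppet apply --modulepath=$PWD/puppet/modules $PWD/puppet/manifests/site.pp $@` passes `$@` unquoted, so any argument containing whitespace is split into several before puppet sees it; the last line should end in `"$@"`. The script also has no `set -e`, so a failed `apt-get update` or a failed backports install still falls through to `puppet apply` on a host that may have no puppet at all, and `apt-get install lsb-release git` is run without `-y`, so an unattended run blocks at the first prompt. A `set -e` after the shebang and `-y` on both install lines would make the script safe to run non-interactively.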
@@ -10,6 +10,6 @@ dist="`lsb_release -cs`" [ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list apt-get update -apt-get install -t $dist-backports facter puppet +apt-get install -y -t $dist-backports facter puppet puppet apply --modulepath=$PWD/puppet/modules $PWD/puppet/manifests/site.pp $@ -- cgit v1.2.3 From caeac390b217849e8e57ac3afeb4061099e3fec5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 12:10:21 +0200 Subject: use node default again, more openvpn config --- puppet/manifests/site.pp | 75 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 70 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 39173f95..890d2623 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,4 +1,6 @@ -node 'cougar.leap.se' { +node 'default' { + notify {'Please specify a host in site.pp!':} + openvpn::server { 'cougar.leap.se': country => 'TR', 
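Review bot: `-y` is added only to the backports install on the changed line; `apt-get install lsb-release git` near the top of the file, outside this hunk, is still interactive, so an unattended deploy continues to block there before `lsb_release` is even available to compute `$dist`. Change that earlier line to `apt-get install -y lsb-release git` as well.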
@@ -6,10 +8,73 @@ node 'cougar.leap.se' { city => 'Ankara', organization => 'leap.se', email => 'sysdev@leap.se'; -} + } -} +# configure server + + + openvpn::option { + "dev server1": + key => "dev", + value => "tun0", + server => "server1"; + "script-security server1": + key => "script-security", + value => "3", + server => "server1"; + "daemon server1": + key => "daemon", + server => "server1"; + "keepalive server1": + key => "keepalive", + value => "10 60", + server => "server1"; + "ping-timer-rem server1": + key => "ping-timer-rem", + server => "server1"; + "persist-tun server1": + key => "persist-tun", + server => "server1"; + "persist-key server1": + key => "persist-key", + server => "server1"; + "proto server1": + key => "proto", + value => "tcp-server", + server => "server1"; + "cipher server1": + key => "cipher", + value => "BF-CBC", + server => "server1"; + "local server1": + key => "local", + value => $ipaddress, + server => "server1"; + "tls-server server1": + key => "tls-server", + server => "server1"; + "server server1": + key => "server", + value => "10.10.10.0 255.255.255.0", + server => "server1"; + "lport server1": + key => "lport", + value => "1194", + server => "server1"; + "management server1": + key => "management", + value => "/var/run/openvpn-server1.sock unix", + server => "server1"; + "comp-lzo server1": + key => "comp-lzo", + server => "server1"; + "topology server1": + key => "topology", + value => "subnet", + server => "server1"; + "client-to-client server1": + key => "client-to-client", + server => "server1"; + } -node 'default' { - notify {'Please specify a host in site.pp!':} } -- cgit v1.2.3 From 72987f7f86bd322e8ea68ff2633c76a29c6c2f95 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 12:14:06 +0200 Subject: more openvpn config testing --- puppet/manifests/site.pp | 74 +++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 36 deletions(-) 
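Review bot: The option block hard-codes `cipher BF-CBC` (a 64-bit block cipher) and `comp-lzo` (compression of the tunnel payload) and sets `script-security 3`, the most permissive script policy, while no `user`/`group` option is defined, so the daemon keeps root for its whole lifetime; I would drop `comp-lzo`, use an AES-GCM cipher such as `AES-256-GCM`, lower script-security to what the hooks actually need, and add `"user server1": key => "user", value => "nobody", server => "server1";` with a matching `group` entry. The whole block now lives in `node 'default'`, so every host that applies this manifest becomes an OpenVPN server, which the "Please specify a host" notify just above suggests is not intended. `value => $ipaddress` on the `local` option reads an unqualified fact; `$::ipaddress` is the explicit top-scope form. The same option set is repeated in the next site.pp hunk (commit 72987f7) and in puppet/modules/site_openvpn/manifests/init.pp (commit 075d6fb), so the points apply there too.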
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 890d2623..de551aed 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,8 +1,10 @@ node 'default' { notify {'Please specify a host in site.pp!':} + $openvpn_server='cougar.leap.se' + openvpn::server { - 'cougar.leap.se': + "$openvpn_server": country => 'TR', province => 'Ankara', city => 'Ankara', 
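Review bot: `"$openvpn_server":` as the openvpn::server title wraps a lone variable in double quotes; puppet-lint flags this, and the bare `$openvpn_server:` form (as init.pp in commit 075d6fb later uses) is equivalent. Every `server => "$openvpn_server"` value in the following openvpn::option hunk (commit 72987f7) has the same shape and should become `server => $openvpn_server`.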
@@ -14,67 +16,67 @@ node 'default' { openvpn::option { - "dev server1": + "dev $openvpn_server": key => "dev", value => "tun0", - server => "server1"; - "script-security server1": + server => "$openvpn_server"; + "script-security $openvpn_server": key => "script-security", value => "3", - server => "server1"; - "daemon server1": + server => "$openvpn_server"; + "daemon $openvpn_server": key => "daemon", - server => "server1"; - "keepalive server1": + server => "$openvpn_server"; + "keepalive $openvpn_server": key => "keepalive", value => "10 60", - server => "server1"; - "ping-timer-rem server1": + server => "$openvpn_server"; + "ping-timer-rem $openvpn_server": key => "ping-timer-rem", - server => "server1"; - "persist-tun server1": + server => "$openvpn_server"; + "persist-tun $openvpn_server": key => "persist-tun", - server => "server1"; - "persist-key server1": + server => "$openvpn_server"; + "persist-key $openvpn_server": key => "persist-key", - server => "server1"; - "proto server1": + server => "$openvpn_server"; + "proto $openvpn_server": key => "proto", value => "tcp-server", - server => "server1"; - "cipher server1": + server => "$openvpn_server"; + "cipher $openvpn_server": key => "cipher", value => "BF-CBC", - server => "server1"; - "local server1": + server => "$openvpn_server"; + "local $openvpn_server": key => "local", value => $ipaddress, - server => "server1"; - "tls-server server1": + server => "$openvpn_server"; + "tls-server $openvpn_server": key => "tls-server", - server => "server1"; - "server server1": + server => "$openvpn_server"; + "server $openvpn_server": key => "server", value => "10.10.10.0 255.255.255.0", - server => "server1"; - "lport server1": + server => "$openvpn_server"; + "lport $openvpn_server": key => "lport", value => "1194", - server => "server1"; - "management server1": + server => "$openvpn_server"; + "management $openvpn_server": key => "management", - value => "/var/run/openvpn-server1.sock unix", - server => 
"server1"; - "comp-lzo server1": + value => "/var/run/openvpn-$openvpn_server.sock unix", + server => "$openvpn_server"; + "comp-lzo $openvpn_server": key => "comp-lzo", - server => "server1"; - "topology server1": + server => "$openvpn_server"; + "topology $openvpn_server": key => "topology", value => "subnet", - server => "server1"; - "client-to-client server1": + server => "$openvpn_server"; + "client-to-client $openvpn_server": key => "client-to-client", - server => "server1"; + server => "$openvpn_server"; } } -- cgit v1.2.3 From 81812a5f631d40b83f862de3da30e2e0b4e2efaa Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 14:20:56 +0200 Subject: initial README --- README | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 README diff --git a/README b/README new file mode 100644 index 00000000..aae48d73 --- /dev/null +++ b/README @@ -0,0 +1,6 @@ +... + +Installation +------------ + +- Run the deploy.sh script as root -- cgit v1.2.3 From 45c8d3fb727e00ac2a9de3a9fc83f4500b981d55 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 14:23:17 +0200 Subject: install ruby-hiera-puppet --- deploy.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/deploy.sh b/deploy.sh index 441a1128..fd109c13 100755 --- a/deploy.sh +++ b/deploy.sh @@ -7,9 +7,19 @@ apt-get install lsb-release git # we need puppet from backports dist="`lsb_release -cs`" + +# enable backports for puppet + facter [ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list +# enable debian testing for ruby-hiera-puppet +cat > /etc/apt/preferences.d/wheezy < Date: Fri, 7 Sep 2012 12:49:38 +0200 Subject: main hiera config --- puppet/hiera.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/hiera.yaml diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml new file mode 100644 index 00000000..01b0d3b8 
--- /dev/null +++ b/puppet/hiera.yaml @@ -0,0 +1,16 @@ +--- +:backends: + - yaml + - puppet + +:logger: console + +:hierarchy: + - "%{location}" + - common + +:yaml: + :datadir: /etc/leap/hieradata + +:puppet: + :datasource: data -- cgit v1.2.3 From ed2a625dd431233ca8813daab144b949b72c0402 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Sep 2012 12:58:48 +0200 Subject: working on deploy.sh --- deploy.sh | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/deploy.sh b/deploy.sh index fd109c13..e6a6c7ea 100755 --- a/deploy.sh +++ b/deploy.sh @@ -1,25 +1,37 @@ -#!/bin/sh +#!/bin/sh -x # # missing: header, licence, usage -apt-get install lsb-release git +install_packages () +{ + apt-get install lsb-release git -# we need puppet from backports -dist="`lsb_release -cs`" + # we need puppet from backports + dist="`lsb_release -cs`" -# enable backports for puppet + facter -[ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list + # enable backports for puppet + facter + [ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list -# enable debian testing for ruby-hiera-puppet -cat > /etc/apt/preferences.d/wheezy < /etc/apt/preferences.d/wheezy < Date: Fri, 7 Sep 2012 12:59:28 +0200 Subject: extending README --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index aae48d73..73f219a1 100644 --- a/README +++ b/README @@ -3,4 +3,5 @@ Installation ------------ +- Edit /etc/leap/hieradata/common.yaml for your needs - Run the deploy.sh script as root -- cgit v1.2.3 From cc435b580fc5cc45d99aa4d17e81f951197b837d Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 7 Sep 2012 13:04:19 +0200 Subject: provide common.yaml.example --- common.yaml.example | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 common.yaml.example diff --git a/common.yaml.example b/common.yaml.example new file mode 100644 index 00000000..4065f215 --- /dev/null +++ b/common.yaml.example @@ -0,0 +1,7 @@ +--- +country: TR +province: Ankara +city: Ankara +organization: leap.se +email: sysdev@leap.se + -- cgit v1.2.3 From bdfcfbb8702748ab013190b0116735fe56f7531e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Sep 2012 13:06:00 +0200 Subject: use hiere for openvpn CA --- puppet/manifests/site.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index de551aed..0d1f426d 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,15 +1,15 @@ node 'default' { notify {'Please specify a host in site.pp!':} - $openvpn_server='cougar.leap.se' + $openvpn_server=$::fqdn openvpn::server { "$openvpn_server": - country => 'TR', - province => 'Ankara', - city => 'Ankara', - organization => 'leap.se', - email => 'sysdev@leap.se'; + country => hiera("country"), + province => hiera("province"), + city => hiera("city"), + organization => hiera("organization"), + email => hiera("email"); } # configure server -- cgit v1.2.3 From c255a6a8772684397f545a560119428ac44993ca Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 11:49:00 +0200 Subject: use relative path, hieradata outline --- puppet/hiera.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 01b0d3b8..76584ad1 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml 
@@ -6,11 +6,14 @@ :logger: console :hierarchy: - - "%{location}" - - common + - hosts/%{fqdn} + - services/%{service} + - defaults +# relative from where puppet is run, so we need to run puppet +# from the root dir of the leap_platform repo :yaml: - :datadir: /etc/leap/hieradata + :datadir: config :puppet: :datasource: data -- cgit v1.2.3 From 33ed5aadaa9080d8c424a9b626cbf7fb9422dedc Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 11:49:24 +0200 Subject: config dir --- config/defaults.yaml | 2 ++ config/hosts/cougar.leap.se.yaml | 4 ++++ config/hosts/rocinante.bitrigger.de.yaml | 5 +++++ config/services/eip.yaml | 5 +++++ 4 files changed, 16 insertions(+) create mode 100644 config/defaults.yaml create mode 100644 config/hosts/cougar.leap.se.yaml create mode 100644 config/hosts/rocinante.bitrigger.de.yaml create mode 100644 config/services/eip.yaml diff --git a/config/defaults.yaml b/config/defaults.yaml new file mode 100644 index 00000000..3126c897 --- /dev/null +++ b/config/defaults.yaml @@ -0,0 +1,2 @@ +--- +testpw: secret diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml new file mode 100644 index 00000000..ebd58979 --- /dev/null +++ b/config/hosts/cougar.leap.se.yaml @@ -0,0 +1,4 @@ +--- +openvpn_ports: - 999 + - 1000 +tor: true diff --git a/config/hosts/rocinante.bitrigger.de.yaml b/config/hosts/rocinante.bitrigger.de.yaml new file mode 100644 index 00000000..e83c802a --- /dev/null +++ b/config/hosts/rocinante.bitrigger.de.yaml @@ -0,0 +1,5 @@ +--- +# varac's local machine +openvpn_ports: - 1 + - 2 +tor: true diff --git a/config/services/eip.yaml b/config/services/eip.yaml new file mode 100644 index 00000000..d8ac5a4f --- /dev/null +++ b/config/services/eip.yaml @@ -0,0 +1,5 @@ +--- +openvpn_ports: - 80 + - 443 + - 1194 +tor: false -- cgit v1.2.3 From 429944efaac25766a5999966d8f52f74a0e0292b Mon Sep 17 00:00:00 2001 
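Review bot: `testpw: secret` in the new config/defaults.yaml commits a credential into tracked hieradata; even as a placeholder it establishes secrets living in the repo, so the default should be empty and real values should come from an untracked file or a separate hierarchy level. With `:datadir: config` resolved relative to the working directory, as the added comment itself notes, a `puppet apply` started from any other directory silently finds no hieradata, so deploy.sh should `cd` to the repository root before running puppet. The `openvpn_ports: - 999` then ` - 1000` layout in config/hosts/cougar.leap.se.yaml (and the eip.yaml list) puts the first entry on the key's line and the rest on their own lines; as far as the collapsed text shows, I am not confident the YAML parser accepts that mix, so each entry should sit on its own indented line under the key.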
From: varac
Date: Thu, 20 Sep 2012 11:49:52 +0200
Subject: using class site_openvpn
---
 puppet/manifests/site.pp | 86 ++++--------------------------------------------
 1 file changed, 7 insertions(+), 79 deletions(-)
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 0d1f426d..1bfc730e 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
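Review bot: The `$service='eip'` assignment in the new node body is never read; the hiera lookups below key on `openvpn_ports` and `tor` directly, so the line should go or feed the hierarchy it was meant for. `$fqdn` in the second notify is an unqualified top-scope fact, and the removed code used `$::fqdn`; keep the qualified form.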
@@ -1,82 +1,10 @@ node 'default' { - notify {'Please specify a host in site.pp!':} - - $openvpn_server=$::fqdn - - openvpn::server { - "$openvpn_server": - country => hiera("country"), - province => hiera("province"), - city => hiera("city"), - organization => hiera("organization"), - email => hiera("email"); - } - -# configure server - - - openvpn::option { - "dev $openvpn_server": - key => "dev", - value => "tun0", - server => "$openvpn_server"; - "script-security $openvpn_server": - key => "script-security", - value => "3", - server => "$openvpn_server"; - "daemon $openvpn_server": - key => "daemon", - server => "$openvpn_server"; - "keepalive $openvpn_server": - key => "keepalive", - value => "10 60", - server => "$openvpn_server"; - "ping-timer-rem $openvpn_server": - key => "ping-timer-rem", - server => "$openvpn_server"; - "persist-tun $openvpn_server": - key => "persist-tun", - server => "$openvpn_server"; - "persist-key $openvpn_server": - key => "persist-key", - server => "$openvpn_server"; - "proto $openvpn_server": - key => "proto", - value => "tcp-server", - server => "$openvpn_server"; - "cipher $openvpn_server": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_server"; - "local $openvpn_server": - key => "local", - value => $ipaddress, - server => "$openvpn_server"; - "tls-server $openvpn_server": - key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_server": - key => "server", - value => "10.10.10.0 255.255.255.0", - server => "$openvpn_server"; - "lport $openvpn_server": - key => "lport", - value => "1194", - server => "$openvpn_server"; - "management $openvpn_server": - key => "management", - value => "/var/run/openvpn-$openvpn_server.sock unix", - server => "$openvpn_server"; - "comp-lzo $openvpn_server": - key => "comp-lzo", - server => "$openvpn_server"; - "topology $openvpn_server": - key => "topology", - value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_server": - key => 
"client-to-client", - server => "$openvpn_server"; - } + $service='eip' + $password=hiera('testpw') + $openvpn_ports=hiera_array('openvpn_ports') + $tor=hiera('tor') + notify {"Password: $password":} + notify {"Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor":} + #include site_openvpn } -- cgit v1.2.3 From 075d6fb40ddaace0442a8d5ba9396c9f1849bddc Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 11:50:22 +0200 Subject: beginning of site_openvpn --- puppet/modules/site_openvpn/manifests/init.pp | 81 +++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 puppet/modules/site_openvpn/manifests/init.pp diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp new file mode 100644 index 00000000..3d753af9 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -0,0 +1,81 @@ +class site_openvpn { + + $openvpn_server=$::fqdn + + openvpn::server { + $openvpn_server: + country => hiera("country"), + province => hiera("province"), + city => hiera("city"), + organization => hiera("organization"), + email => hiera("email"); + } + +# configure server + + + openvpn::option { + "dev $openvpn_server": + key => "dev", + value => "tun0", + server => "$openvpn_server"; + "script-security $openvpn_server": + key => "script-security", + value => "3", + server => "$openvpn_server"; + "daemon $openvpn_server": + key => "daemon", + server => "$openvpn_server"; + "keepalive $openvpn_server": + key => "keepalive", + value => "10 60", + server => "$openvpn_server"; + "ping-timer-rem $openvpn_server": + key => "ping-timer-rem", + server => "$openvpn_server"; + "persist-tun $openvpn_server": + key => "persist-tun", + server => "$openvpn_server"; + "persist-key $openvpn_server": + key => "persist-key", + server => "$openvpn_server"; + "proto $openvpn_server": + key => "proto", + value => "tcp-server", + server => "$openvpn_server"; + "cipher $openvpn_server": + key => "cipher", + value => "BF-CBC", + server => "$openvpn_server"; + "local $openvpn_server": + key => "local", + value => $ipaddress, + server => "$openvpn_server"; + "tls-server $openvpn_server": + key => "tls-server", + server => "$openvpn_server"; + "server $openvpn_server": + key => "server", + value => "10.10.10.0 255.255.255.0", + server => "$openvpn_server"; + "lport $openvpn_server": + key => "lport", + value => "1194", + server => "$openvpn_server"; + "management $openvpn_server": + key => "management", + value => "/var/run/openvpn-$openvpn_server.sock unix", + server => "$openvpn_server"; + "comp-lzo $openvpn_server": + key => "comp-lzo", + server => "$openvpn_server"; + "topology $openvpn_server": + key => "topology", + value => "subnet", + server => "$openvpn_server"; + "client-to-client $openvpn_server": + key => "client-to-client", + server => "$openvpn_server"; + } + 
+} -- cgit v1.2.3 From 71e3e3cf022db2c83a52414f9c1cd2e3a985b25d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 12:12:50 +0200 Subject: no need for local configs here --- config/hosts/rocinante.bitrigger.de.yaml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 config/hosts/rocinante.bitrigger.de.yaml diff --git a/config/hosts/rocinante.bitrigger.de.yaml b/config/hosts/rocinante.bitrigger.de.yaml deleted file mode 100644 index e83c802a..00000000 --- a/config/hosts/rocinante.bitrigger.de.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# varac's local machine -openvpn_ports: - 1 - - 2 -tor: true -- cgit v1.2.3 From 7ad84a65744250098be1e05ef998f32f5c0a0523 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 12:20:15 +0200 Subject: hierachy levels need to be unambiguous, so we can't use services here, as one host could provide multiple services --- puppet/hiera.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 76584ad1..764966a2 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -7,7 +7,7 @@ :hierarchy: - hosts/%{fqdn} - - services/%{service} +# - services/%{service} # that's not possible, as hiera needs _one_ target per hierarchy - defaults # relative from where puppet is run, so we need to run puppet -- cgit v1.2.3 From 5c7ce0a1c90ab1c0844369882f7fcdb6ff05c16d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:39:00 +0200 Subject: new config layout --- config/defaults.yaml | 1 + config/eip/cougar.leap.se.yaml | 5 +++++ config/eip/defaults.yml | 7 +++++++ config/hosts/cougar.leap.se.yaml | 6 +++--- config/services/eip.yaml | 5 ----- puppet/hiera.yaml | 5 ++++- 6 files changed, 20 insertions(+), 9 deletions(-) create mode 100644 config/eip/cougar.leap.se.yaml create mode 100644 config/eip/defaults.yml delete mode 100644 config/services/eip.yaml diff --git a/config/defaults.yaml b/config/defaults.yaml index 3126c897..17fa03bf 100644 --- a/config/defaults.yaml 
+++ b/config/defaults.yaml @@ -1,2 +1,3 @@ --- testpw: secret +services: - diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml new file mode 100644 index 00000000..39926616 --- /dev/null +++ b/config/eip/cougar.leap.se.yaml @@ -0,0 +1,5 @@ +--- +openvpn_ports: - 80 + - 443 + - 1194 +tor: 'true' diff --git a/config/eip/defaults.yml b/config/eip/defaults.yml new file mode 100644 index 00000000..7be713b5 --- /dev/null +++ b/config/eip/defaults.yml @@ -0,0 +1,7 @@ +--- + +# make shure 'false' is quoted +tor: 'false' +openvpn_ports: - 80 + - 443 + - 1194 diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml index ebd58979..312d0141 100644 --- a/config/hosts/cougar.leap.se.yaml +++ b/config/hosts/cougar.leap.se.yaml @@ -1,4 +1,4 @@ --- -openvpn_ports: - 999 - - 1000 -tor: true +# varac's local machine +services: - eip + - couchdb diff --git a/config/services/eip.yaml b/config/services/eip.yaml deleted file mode 100644 index d8ac5a4f..00000000 --- a/config/services/eip.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -openvpn_ports: - 80 - - 443 - - 1194 -tor: false diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 764966a2..66efa299 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -7,7 +7,10 @@ :hierarchy: - hosts/%{fqdn} -# - services/%{service} # that's not possible, as hiera needs _one_ target per hierarchy + - ca/%{fqdn} + - ca/defaults + - eip/%{fqdn} + - eip/defaults - defaults # relative from where puppet is run, so we need to run puppet -- cgit v1.2.3 From 764ae6f21a8a54af78b29fc14876af36e2dd4651 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:39:23 +0200 Subject: parse new config layout --- puppet/manifests/site.pp | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1bfc730e..bb29e393 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
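Review bot: `services: -` added to config/defaults.yaml is a sequence with one empty entry, so it parses to a list holding a single null rather than an empty list, and `hiera_array('services')` in site.pp will merge that null into every host's service list; write `services: []` for the default. `tor: 'false'` in config/eip/defaults.yml (with the `make shure 'false' is quoted` comment) hands Puppet the string `'false'`, which is truthy in an `if $tor` test, so any consumer must compare against the string explicitly rather than test the variable. The `services: - eip` then ` - couchdb` layout in config/hosts/cougar.leap.se.yaml again mixes an entry on the key's line with entries below it; as far as the collapsed text shows, each entry should be on its own indented line.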
@@ -1,10 +1,22 @@ +define print() { + notice("The value is: '${name}'") +} + + node 'default' { - $service='eip' - $password=hiera('testpw') - $openvpn_ports=hiera_array('openvpn_ports') - $tor=hiera('tor') - notify {"Password: $password":} - notify {"Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor":} - #include site_openvpn + #$password=hiera('testpw') + #notify {"Password: $password":} + + $services=hiera_array('services') + notice("Services for $fqdn: $services") + + if 'eip' in $services { + $openvpn_ports=hiera_array('openvpn_ports') + $tor=hiera('tor') + notice("Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor") + print{$openvpn_ports:} + #include site_openvpn + } + } -- cgit v1.2.3 From 0c828109f9e9e70c817e5125473c9c561495ac57 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:52:33 +0200 Subject: as we have the configuration inside the repo now, no need to provide an common.yaml.example --- common.yaml.example | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 common.yaml.example diff --git a/common.yaml.example b/common.yaml.example deleted file mode 100644 index 4065f215..00000000 --- a/common.yaml.example +++ /dev/null @@ -1,7 +0,0 @@ ---- -country: TR -province: Ankara -city: Ankara -organization: leap.se -email: sysdev@leap.se - -- cgit v1.2.3 From 1a0d1907b303c2ab1e8da2a26e061e8a7327241e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:58:03 +0200 Subject: just a comment --- puppet/hiera.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 66efa299..a992c057 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -11,6 +11,7 @@ - ca/defaults - eip/%{fqdn} - eip/defaults +# more services following - defaults # relative from where puppet is run, so we need to run puppet -- cgit v1.2.3 From 75e57c74d5aa0595e02435ca4de15b9df1cc6002 Mon Sep 17 00:00:00 2001 
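Review bot: `define print()` registers a global defined type named `print` solely to dump `$openvpn_ports` via `print{$openvpn_ports:}`; a `notice("openvpn_ports: $openvpn_ports")` inline does the same without reserving such a generic name in every manifest that loads site.pp. `$fqdn` in both `notice` calls is an unqualified fact while the site_openvpn class from commit 075d6fb uses `$::fqdn`; the manifest should settle on the qualified form. The enclosing node body continues past this hunk.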
From: varac Date: Fri, 21 Sep 2012 12:45:36 +0200 Subject: parsing of hiera config hash works --- config/eip/cougar.leap.se.yaml | 12 ++++++++---- config/eip/defaults.yml | 5 +---- config/hosts/cougar.leap.se.yaml | 1 - puppet/manifests/site.pp | 21 +++++++++++++-------- 4 files changed, 22 insertions(+), 17 deletions(-) diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml index 39926616..d98787d0 100644 --- a/config/eip/cougar.leap.se.yaml +++ b/config/eip/cougar.leap.se.yaml @@ -1,5 +1,9 @@ --- -openvpn_ports: - 80 - - 443 - - 1194 -tor: 'true' +openvpn: + port80_tcp: + port: 80 + protocol: tcp + port1194_udp: + port: 1194 + protocol: udp +tor: 'false' diff --git a/config/eip/defaults.yml b/config/eip/defaults.yml index 7be713b5..fab63a5c 100644 --- a/config/eip/defaults.yml +++ b/config/eip/defaults.yml @@ -1,7 +1,4 @@ --- - # make shure 'false' is quoted tor: 'false' -openvpn_ports: - 80 - - 443 - - 1194 +openvpn: diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml index 312d0141..5cf37bb1 100644 --- a/config/hosts/cougar.leap.se.yaml +++ b/config/hosts/cougar.leap.se.yaml @@ -1,4 +1,3 @@ --- -# varac's local machine services: - eip - couchdb diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index bb29e393..abb81511 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,7 +1,15 @@ define print() { - notice("The value is: '${name}'") + notice("The value is: '${name}'") +} + +define create_openvpn_config($port, $protocol) { + $openvpn_configname=$name + notice("Creating OpenVPN $openvpn_configname: + Port: $port, Protocol: $protocol") + # ... + #include site_openvpn + } - node 'default' { #$password=hiera('testpw') 
@@ -11,12 +19,9 @@ node 'default' { notice("Services for $fqdn: $services") if 'eip' in $services { - $openvpn_ports=hiera_array('openvpn_ports') + $openvpn=hiera('openvpn') $tor=hiera('tor') - notice("Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor") - print{$openvpn_ports:} - #include site_openvpn + notice("Tor enabled: $tor") + create_resources('create_openvpn_config', $openvpn) } - - } -- cgit v1.2.3 From 1c5eb8a64426c93d8118acac52870a6a95f73010 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 21 Sep 2012 15:03:08 +0200 Subject: oved things around --- puppet/manifests/site.pp | 18 ++--- puppet/modules/site_openvpn/manifests/init.pp | 79 -------------------- .../site_openvpn/manifests/server_config.pp | 84 ++++++++++++++++++++++ 3 files changed, 89 insertions(+), 92 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/server_config.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index abb81511..98e683af 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -2,26 +2,18 @@ define print() { notice("The value is: '${name}'") } -define create_openvpn_config($port, $protocol) { - $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $protocol") - # ... - #include site_openvpn - -} - node 'default' { - #$password=hiera('testpw') - #notify {"Password: $password":} + $concat_basedir = '/var/lib/puppet/modules/concat' + include concat::setup $services=hiera_array('services') notice("Services for $fqdn: $services") if 'eip' in $services { - $openvpn=hiera('openvpn') $tor=hiera('tor') notice("Tor enabled: $tor") - create_resources('create_openvpn_config', $openvpn) + + $openvpn_config=hiera('openvpn') + create_resources('site_openvpn::server_config', $openvpn_config) } } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 3d753af9..7d63d569 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp 
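Review bot: `create_resources('create_openvpn_config', $openvpn)` passes whatever `hiera('openvpn')` returns, and config/eip/defaults.yml in the previous hunk sets `openvpn:` with no value, so a host without its own `eip/%{fqdn}` file gets either undef or a lookup failure here and the `create_resources` call errors instead of defining nothing; the default should be `openvpn: {}` and the call guarded with `if $openvpn { ... }`. `create_resources('site_openvpn::server_config', $openvpn_config)` in the next site.pp hunk (commit 1c5eb8a) inherits the same problem. The `notice("Tor enabled: $tor")` line reads `$tor` as a string (`'false'` is quoted in the YAML), so it prints as expected but cannot be used as a boolean without a comparison.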
+++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,81 +1,2 @@ class site_openvpn { - - $openvpn_server=$::fqdn - - openvpn::server { - $openvpn_server: - country => hiera("country"), - province => hiera("province"), - city => hiera("city"), - organization => hiera("organization"), - email => hiera("email"); - } - -# configure server - - - openvpn::option { - "dev $openvpn_server": - key => "dev", - value => "tun0", - server => "$openvpn_server"; - "script-security $openvpn_server": - key => "script-security", - value => "3", - server => "$openvpn_server"; - "daemon $openvpn_server": - key => "daemon", - server => "$openvpn_server"; - "keepalive $openvpn_server": - key => "keepalive", - value => "10 60", - server => "$openvpn_server"; - "ping-timer-rem $openvpn_server": - key => "ping-timer-rem", - server => "$openvpn_server"; - "persist-tun $openvpn_server": - key => "persist-tun", - server => "$openvpn_server"; - "persist-key $openvpn_server": - key => "persist-key", - server => "$openvpn_server"; - "proto $openvpn_server": - key => "proto", - value => "tcp-server", - server => "$openvpn_server"; - "cipher $openvpn_server": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_server"; - "local $openvpn_server": - key => "local", - value => $ipaddress, - server => "$openvpn_server"; - "tls-server $openvpn_server": - key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_server": - key => "server", - value => "10.10.10.0 255.255.255.0", - server => "$openvpn_server"; - "lport $openvpn_server": - key => "lport", - value => "1194", - server => "$openvpn_server"; - "management $openvpn_server": - key => "management", - value => "/var/run/openvpn-$openvpn_server.sock unix", - server => "$openvpn_server"; - "comp-lzo $openvpn_server": - key => "comp-lzo", - server => "$openvpn_server"; - "topology $openvpn_server": - key => "topology", - value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_server": - key => "client-to-client", - server => "$openvpn_server"; - } - } 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..e0e8db4f
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -0,0 +1,84 @@
+define site_openvpn::server_config($port, $protocol) {
+ $openvpn_configname=$name
+ notice("Creating OpenVPN $openvpn_configname:
+ Port: $port, Protocol: $protocol")
+
+ $openvpn_server=$::fqdn
+ # we don't need a ca generated
+ #openvpn::server {
+ # $openvpn_configname:
+ # country => hiera("country"),
+ # province => hiera("province"),
+ # city => hiera("city"),
+ # organization => hiera("organization"),
+ # email => hiera("email");
+ #}
+
+ # configure server
+ # all config options need to be "hieraized"
+
+ openvpn::option {
+ "dev $openvpn_configname":
+ key => "dev",
+ value => "tun",
+ server => "$openvpn_server";
+ "script-security $openvpn_configname":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_server";
+ "daemon $openvpn_configname":
+ key => "daemon",
+ server => "$openvpn_server";
+ "keepalive $openvpn_configname":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_server";
+ "ping-timer-rem $openvpn_configname":
+ key => "ping-timer-rem",
+ server => "$openvpn_server";
+ "persist-tun $openvpn_configname":
+ key => "persist-tun",
+ server => "$openvpn_server";
+ "persist-key $openvpn_configname":
+ key => "persist-key",
+ server => "$openvpn_server";
+ "proto $openvpn_configname":
+ key => "proto",
+ value => "$proto",
+ server => "$openvpn_server";
+ "cipher $openvpn_configname":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_server";
+ "local $openvpn_configname":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_server";
+ "tls-server $openvpn_configname":
+ key => "tls-server",
+ server => "$openvpn_server";
+ "server $openvpn_configname":
+ key => "server",
+ value => "$server",
+ server => "$openvpn_server";
+ "lport $openvpn_configname":
+ key => "lport",
+ value => "$port",
+ server => "$openvpn_server";
+ "management $openvpn_configname":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_configname.sock unix",
+ server => "$openvpn_server";
+
"comp-lzo $openvpn_configname": + key => "comp-lzo", + server => "$openvpn_server"; + "topology $openvpn_configname": + key => "topology", + value => "subnet", + server => "$openvpn_server"; + "client-to-client $openvpn_configname": + key => "client-to-client", + server => "$openvpn_server"; + } + +} -- cgit v1.2.3 From 276de1e249b25e5e00c49229132215681aee6467 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 21 Sep 2012 20:26:20 +0200 Subject: basic configuration for openvpn server files --- config/eip/cougar.leap.se.yaml | 7 +- puppet/manifests/site.pp | 13 ++- puppet/modules/site_openvpn/manifests/init.pp | 41 +++++++++ .../site_openvpn/manifests/server_config.pp | 100 +++++++++++++-------- 4 files changed, 115 insertions(+), 46 deletions(-) diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml index d98787d0..fd83d48e 100644 --- a/config/eip/cougar.leap.se.yaml +++ b/config/eip/cougar.leap.se.yaml @@ -1,9 +1,10 @@ --- -openvpn: +openvpn_server_configs: port80_tcp: port: 80 - protocol: tcp + proto: tcp-server port1194_udp: port: 1194 - protocol: udp + proto: udp + tor: 'false' diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 98e683af..f7b7303f 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,19 +1,18 @@ -define print() { - notice("The value is: '${name}'") -} - node 'default' { - $concat_basedir = '/var/lib/puppet/modules/concat' + # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup $services=hiera_array('services') notice("Services for $fqdn: $services") if 'eip' in $services { + include site_openvpn + $tor=hiera('tor') notice("Tor enabled: $tor") - $openvpn_config=hiera('openvpn') - create_resources('site_openvpn::server_config', $openvpn_config) + $openvpn_configs=hiera('openvpn_server_configs') + create_resources('site_openvpn::server_config', $openvpn_configs) + } } 
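Review bot: The `proto` option is written with `value => "$proto"` and the `server` option with `value => "$server"`, but the define declares only `$port` and `$protocol` and nothing in the hunk assigns `$proto` or `$server`, so both directives are emitted with an empty value (an unset variable interpolates as an empty string in the Puppet of this era unless strict variable checking is on). Either rename the parameter to `$proto` or write `value => "$protocol"`, and add a `$server` parameter for the VPN subnet instead of relying on an undefined name. The cipher line selects `BF-CBC`, a 64-bit block cipher; prefer an AES cipher, e.g. `value => "AES-256-CBC"`, and note the same line is carried unchanged into the later server_config.pp hunk in this series. No `up`/`down` or client-connect script option is configured here, so `script-security 3` (which also allows passwords to reach scripts via the environment) can be dropped or lowered to `2` until a script is actually added.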
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7d63d569..c83b98c7 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,2 +1,43 @@
 class site_openvpn {
+ package {
+ "openvpn":
+ ensure => installed;
+ }
+ service {
+ "openvpn":
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec["concat_/etc/default/openvpn"];
+ }
+ file {
+ "/etc/openvpn":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ include concat::setup
+
+ concat {
+ "/etc/default/openvpn":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service["openvpn"];
+ }
+
+ concat::fragment {
+ "openvpn.default.header":
+ content => template("openvpn/etc-default-openvpn.erb"),
+ target => "/etc/default/openvpn",
+ order => 01;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=all",
+ target => "/etc/default/openvpn",
+ order => 10;
+ }
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index e0e8db4f..4a130d13 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
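Review bot: The fragment title `"openvpn.default.autostart.${name}"` uses `$name` inside a class body, where it resolves to the class's own name rather than to any server config, so the title is effectively the constant `openvpn.default.autostart.site_openvpn` and reads as if it were per-config; a literal `"openvpn.default.autostart"` says what is meant. The `concat` resource sets `mode => 644` as a bare number, which Puppet warns about and later releases reject; write it as the string `'0644'` (the concat in the server_config.pp hunk that follows has the same form). The `service` resource depends on `Exec["concat_/etc/default/openvpn"]`, an internal resource of the concat module that a module update may rename; depending on `Concat["/etc/default/openvpn"]` ties the ordering to the public interface instead.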
@@ -1,84 +1,112 @@ -define site_openvpn::server_config($port, $protocol) { +define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $protocol") + Port: $port, Protocol: $proto") + + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package["openvpn"]; + } + + concat { + "/etc/openvpn/${openvpn_configname}.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File["/etc/openvpn"], + notify => Service["openvpn"]; + } - $openvpn_server=$::fqdn - # we don't need a ca generated - #openvpn::server { - # $openvpn_configname: - # country => hiera("country"), - # province => hiera("province"), - # city => hiera("city"), - # organization => hiera("organization"), - # email => hiera("email"); - #} - # configure server - # all config options need to be "hieraized" openvpn::option { + "ca ${openvpn_configname}": + key => "ca", + value => "/etc/openvpn/ca.crt", + #require => Exec["initca ${openvpn_configname}"], + server => "${openvpn_configname}"; + "cert ${openvpn_configname}": + key => "cert", + value => "/etc/openvpn/${openvpn_configname}/server.crt", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "key ${openvpn_configname}": + key => "key", + value => "/etc/openvpn/${openvpn_configname}/server.key", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "dh ${openvpn_configname}": + key => "dh", + value => "/etc/openvpn/dh1024.pem", + #require => Exec["generate dh param ${openvpn_configname}"], + server => "${openvpn_configname}"; "dev $openvpn_configname": key => "dev", value => "tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; + "mode ${openvpn_configname}": + key => 'mode', + value => 'server', + server => $openvpn_configname; "script-security $openvpn_configname": key => "script-security", value => 
"3", - server => "$openvpn_server"; + server => "$openvpn_configname"; "daemon $openvpn_configname": key => "daemon", - server => "$openvpn_server"; + server => "$openvpn_configname"; "keepalive $openvpn_configname": key => "keepalive", value => "10 60", - server => "$openvpn_server"; + server => "$openvpn_configname"; "ping-timer-rem $openvpn_configname": key => "ping-timer-rem", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-tun $openvpn_configname": key => "persist-tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-key $openvpn_configname": key => "persist-key", - server => "$openvpn_server"; + server => "$openvpn_configname"; "proto $openvpn_configname": key => "proto", value => "$proto", - server => "$openvpn_server"; + server => "$openvpn_configname"; "cipher $openvpn_configname": key => "cipher", value => "BF-CBC", - server => "$openvpn_server"; + server => "$openvpn_configname"; "local $openvpn_configname": key => "local", value => $ipaddress, - server => "$openvpn_server"; + server => "$openvpn_configname"; "tls-server $openvpn_configname": key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_configname": - key => "server", - value => "$server", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"server $openvpn_configname": + # key => "server", + # value => "$server", + # server => "$openvpn_configname"; "lport $openvpn_configname": key => "lport", value => "$port", - server => "$openvpn_server"; + server => "$openvpn_configname"; "management $openvpn_configname": key => "management", value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_server"; + server => "$openvpn_configname"; "comp-lzo $openvpn_configname": key => "comp-lzo", - server => "$openvpn_server"; + server => "$openvpn_configname"; "topology $openvpn_configname": key => "topology", value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_configname": 
- key => "client-to-client", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"client-to-client $openvpn_configname": + # key => "client-to-client", + # server => "$openvpn_configname"; } } -- cgit v1.2.3 From f6ab238512364ea640dc46e35590d5a5d5de51f3 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 11:55:35 +0200 Subject: added submodule concat --- .gitmodules | 3 +++ puppet/modules/concat | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/concat diff --git a/.gitmodules b/.gitmodules index a1a8c588..f84f173e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "puppet/modules/openvpn"] path = puppet/modules/openvpn url = git://github.com/luxflux/puppet-openvpn.git +[submodule "puppet/modules/concat"] + path = puppet/modules/concat + url = git://code.leap.se/puppet_concat diff --git a/puppet/modules/concat b/puppet/modules/concat new file mode 160000 index 00000000..abce1280 --- /dev/null +++ b/puppet/modules/concat @@ -0,0 +1 @@ +Subproject commit abce1280e07b544d8455f1572dd870bbd2f14892 -- cgit v1.2.3 From 8fb0fcd72bdb357942d5e9adc2092e78ce6e1ee0 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 23 Sep 2012 16:06:56 +0200 Subject: added submodule sshd --- .gitmodules | 3 +++ puppet/modules/sshd | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/sshd diff --git a/.gitmodules b/.gitmodules index f84f173e..a7781983 100644 --- a/.gitmodules +++ b/.gitmodules @@ -4,3 +4,6 @@ [submodule "puppet/modules/concat"] path = puppet/modules/concat url = git://code.leap.se/puppet_concat +[submodule "puppet/modules/sshd"] + path = puppet/modules/sshd + url = git://labs.riseup.net/shared-sshd diff --git a/puppet/modules/sshd b/puppet/modules/sshd new file mode 160000 index 00000000..bd2e283a --- /dev/null +++ b/puppet/modules/sshd @@ -0,0 +1 @@ +Subproject commit bd2e283ab59430a7b3194804f1c8da7a9b58f8ff -- cgit v1.2.3 From 413c306cf95f985d84a782f2f7dbbe795cb05c6c Mon Sep 17 00:00:00 2001 
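Review bot: The `key` option points at `/etc/openvpn/${openvpn_configname}/server.key`, but the `file { "/etc/openvpn/${name}": ensure => directory }` added at the top of this hunk sets no `owner`, `group` or `mode`, so the directory holding the server's private key gets whatever the default permissions yield; declare it with `owner => root, group => root, mode => '0700'` so the key is not readable by other local users. The `require => Exec[...]` lines for `ca`, `cert`, `key` and `dh` are commented out and nothing in this hunk creates those files, yet the concat notifies `Service["openvpn"]`, so a first run restarts the daemon against a config whose files may be missing; a comment stating that the PKI material is provisioned out of band would at least make that explicit. The `dh` option names `/etc/openvpn/dh1024.pem`; 1024-bit DH parameters are below current minimums, so generate at least 2048-bit parameters and name the file accordingly. The `management ... unix` socket carries no `management-client-user`/`management-client-group` restriction, so anyone who can open the socket can drive the daemon; add those directives or drop the management option if it is unused.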
From: varac Date: Sun, 23 Sep 2012 16:37:02 +0200 Subject: renamed eip/defaults.yml -> eip/defaults.yaml --- config/eip/defaults.yaml | 4 ++++ config/eip/defaults.yml | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) create mode 100644 config/eip/defaults.yaml delete mode 100644 config/eip/defaults.yml diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml new file mode 100644 index 00000000..250f741c --- /dev/null +++ b/config/eip/defaults.yaml @@ -0,0 +1,4 @@ +--- +# make shure 'false' is quoted +tor: 'false' +openvpn_server_configs: diff --git a/config/eip/defaults.yml b/config/eip/defaults.yml deleted file mode 100644 index fab63a5c..00000000 --- a/config/eip/defaults.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# make shure 'false' is quoted -tor: 'false' -openvpn: -- cgit v1.2.3 From 42b7b1c0568ce7f0f4a38745acc5363a0b676dd2 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 23 Sep 2012 16:37:31 +0200 Subject: towards ssh-keys --- config/defaults.yaml | 2 +- config/eip/cougar.leap.se.yaml | 2 +- config/eip/defaults.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/defaults.yaml b/config/defaults.yaml index 17fa03bf..489975b2 100644 --- a/config/defaults.yaml +++ b/config/defaults.yaml @@ -1,3 +1,3 @@ --- testpw: secret -services: - +ssh-keys: - diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml index fd83d48e..2bbd71e0 100644 --- a/config/eip/cougar.leap.se.yaml +++ b/config/eip/cougar.leap.se.yaml @@ -7,4 +7,4 @@ openvpn_server_configs: port: 1194 proto: udp -tor: 'false' +#tor: 'false' diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml index 250f741c..0938e655 100644 --- a/config/eip/defaults.yaml +++ b/config/eip/defaults.yaml @@ -1,4 +1,4 @@ --- # make shure 'false' is quoted tor: 'false' -openvpn_server_configs: +openvpn_server_configs: - -- cgit v1.2.3 From 1dba92e9a2d71b7a1259ecb5f627e57e1a8fc7b8 Mon Sep 17 00:00:00 2001 
From: varac Date: Sun, 23 Sep 2012 19:01:54 +0200 Subject: beginning of site_sshd --- puppet/modules/site_sshd/manifests/init.pp | 1 + puppet/modules/site_sshd/manifests/ssh_key.pp | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 puppet/modules/site_sshd/manifests/init.pp create mode 100644 puppet/modules/site_sshd/manifests/ssh_key.pp diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp new file mode 100644 index 00000000..630e9bdf --- /dev/null +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -0,0 +1 @@ +class site_sshd {} diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp new file mode 100644 index 00000000..b47b2ebd --- /dev/null +++ b/puppet/modules/site_sshd/manifests/ssh_key.pp @@ -0,0 +1,3 @@ +define site_sshd::ssh_key($key) { + # ... todo: deploy ssh_key +} -- cgit v1.2.3 From 8320de2fd5bd8fcb429dfc1b68527a1c39a8341f Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 23 Sep 2012 19:02:28 +0200 Subject: reorderd config, include site_sshd --- config/defaults.yaml | 6 +++++- config/eip/defaults.yaml | 1 + puppet/manifests/site.pp | 8 ++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/config/defaults.yaml b/config/defaults.yaml index 489975b2..62f047e3 100644 --- a/config/defaults.yaml +++ b/config/defaults.yaml @@ -1,3 +1,7 @@ --- testpw: secret -ssh-keys: - +services: - none + +ssh_keys: + test_key: + key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml index 0938e655..29022408 100644 --- a/config/eip/defaults.yaml +++ b/config/eip/defaults.yaml @@ -2,3 +2,4 @@ # make shure 'false' is quoted tor: 'false' openvpn_server_configs: - + diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f7b7303f..a897de11 100644 
--- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,6 +5,14 @@ node 'default' { $services=hiera_array('services') notice("Services for $fqdn: $services") + # configure ssh and inculde ssh-keys + #include sshd + $ssh_keys=hiera_hash('ssh_keys') + include site_sshd + notice($ssh_keys) + create_resources('site_sshd::ssh_key', $ssh_keys) + + if 'eip' in $services { include site_openvpn -- cgit v1.2.3 From 967c231e754d769225e26cbd7b2ad3738bce833b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:36:58 +0200 Subject: added submodule apt --- .gitmodules | 3 +++ puppet/modules/apt | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/apt diff --git a/.gitmodules b/.gitmodules index a7781983..c3e82a04 100644 --- a/.gitmodules +++ b/.gitmodules @@ -7,3 +7,6 @@ [submodule "puppet/modules/sshd"] path = puppet/modules/sshd url = git://labs.riseup.net/shared-sshd +[submodule "puppet/modules/apt"] + path = puppet/modules/apt + url = git://code.leap.se/puppet_apt diff --git a/puppet/modules/apt b/puppet/modules/apt new file mode 160000 index 00000000..02bd3269 --- /dev/null +++ b/puppet/modules/apt @@ -0,0 +1 @@ +Subproject commit 02bd3269948f1a3c5a586e581a7fec22da69a2cc -- cgit v1.2.3 From 1b52d7de0f6214ceec879382932968fd07212624 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:45:08 +0200 Subject: added submodule lsb --- .gitmodules | 3 +++ puppet/modules/lsb | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/lsb diff --git a/.gitmodules b/.gitmodules index c3e82a04..43bd266c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -10,3 +10,6 @@ [submodule "puppet/modules/apt"] path = puppet/modules/apt url = git://code.leap.se/puppet_apt +[submodule "puppet/modules/lsb"] + path = puppet/modules/lsb + url = git://labs.riseup.net/shared-lsb diff --git a/puppet/modules/lsb b/puppet/modules/lsb new file mode 160000 index 00000000..3742c1a0 --- /dev/null +++ b/puppet/modules/lsb 
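Review bot: `notice($ssh_keys)` prints the whole hiera key hash on every catalog run while `create_resources('site_sshd::ssh_key', $ssh_keys)` hands it to a define that, in the ssh_key.pp hunk earlier in this series, is still a stub with only `# ... todo: deploy ssh_key`, so the net effect of this block today is log noise; drop the `notice` once the define does something. `hiera_hash('ssh_keys')` has no default, so a host with no `ssh_keys` anywhere in its hierarchy fails compilation instead of simply getting no extra keys; `hiera_hash('ssh_keys', {})` makes that choice explicit. The comment `# configure ssh and inculde ssh-keys` has a typo (`include`). The enclosing `node 'default'` block starts before the hunk.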
@@ -0,0 +1 @@ +Subproject commit 3742c1a00c5602154a81834443ec5b0ca32c4ca0 -- cgit v1.2.3 From 3fc154d5b495338b7cce2971a0fba2c4faef4ee2 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:46:03 +0200 Subject: added submodule ntp --- .gitmodules | 3 +++ puppet/modules/ntp | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/ntp diff --git a/.gitmodules b/.gitmodules index 43bd266c..583a5e1a 100644 --- a/.gitmodules +++ b/.gitmodules @@ -13,3 +13,6 @@ [submodule "puppet/modules/lsb"] path = puppet/modules/lsb url = git://labs.riseup.net/shared-lsb +[submodule "puppet/modules/ntp"] + path = puppet/modules/ntp + url = git://github.com/puppetlabs/puppetlabs-ntp.git diff --git a/puppet/modules/ntp b/puppet/modules/ntp new file mode 160000 index 00000000..27f2bc72 --- /dev/null +++ b/puppet/modules/ntp @@ -0,0 +1 @@ +Subproject commit 27f2bc72110b1001233eb0907aa07e06cdf33194 -- cgit v1.2.3 From 53dea7cd638ebf8d353d052b2d2185940c2056b9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:54:53 +0200 Subject: added submodule git --- .gitmodules | 3 +++ puppet/modules/git | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/git diff --git a/.gitmodules b/.gitmodules index 583a5e1a..52f3d748 100644 --- a/.gitmodules +++ b/.gitmodules @@ -16,3 +16,6 @@ [submodule "puppet/modules/ntp"] path = puppet/modules/ntp url = git://github.com/puppetlabs/puppetlabs-ntp.git +[submodule "puppet/modules/git"] + path = puppet/modules/git + url = git://code.leap.se/puppet_git diff --git a/puppet/modules/git b/puppet/modules/git new file mode 160000 index 00000000..497a1034 --- /dev/null +++ b/puppet/modules/git @@ -0,0 +1 @@ +Subproject commit 497a1034489e0dc3cab5dab2fb0a857785769734 -- cgit v1.2.3 From 914eddd89cbd33383c5b84bfdd063e670b848c09 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 24 Sep 2012 18:32:22 +0200 Subject: cleaned deploy.sh --- deploy.sh | 32 ++++++++------------------------ 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/deploy.sh b/deploy.sh index e6a6c7ea..6aab1119 100755 --- a/deploy.sh +++ b/deploy.sh @@ -2,36 +2,20 @@ # # missing: header, licence, usage +PUPPET_ENV='--confdir=puppet' -install_packages () -{ - apt-get install lsb-release git - - # we need puppet from backports - dist="`lsb_release -cs`" - - # enable backports for puppet + facter - [ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list - - # enable debian wheezy for ruby-hiera-puppet - if [ "$dist" != "wheezy" ] - then - cat > /etc/apt/preferences.d/wheezy < Date: Mon, 24 Sep 2012 18:32:40 +0200 Subject: include some basic mclasses --- puppet/manifests/site.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index a897de11..f70c0673 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,6 +1,10 @@ node 'default' { + + # include some basic classes # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup + include apt,git,lsb + $services=hiera_array('services') notice("Services for $fqdn: $services") @@ -21,6 +25,6 @@ node 'default' { $openvpn_configs=hiera('openvpn_server_configs') create_resources('site_openvpn::server_config', $openvpn_configs) - } + } -- cgit v1.2.3 From bedef1a878698997c5c8490599dc9269fef60c37 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 18:35:38 +0200 Subject: added submodule common --- .gitmodules | 3 +++ puppet/modules/common | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/common diff --git a/.gitmodules b/.gitmodules index 52f3d748..8f2fd482 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -19,3 +19,6 @@ [submodule "puppet/modules/git"] path = puppet/modules/git url = git://code.leap.se/puppet_git +[submodule "puppet/modules/common"] + path = puppet/modules/common + url = git://labs.riseup.net/shared-common diff --git a/puppet/modules/common b/puppet/modules/common new file mode 160000 index 00000000..0961ad45 --- /dev/null +++ b/puppet/modules/common @@ -0,0 +1 @@ +Subproject commit 0961ad453b8befb4ea61bbd19f6ecea32b9619c9 -- cgit v1.2.3 From e6651283ac7b7c4114224e90936e5cf26f4b8c65 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 18:41:16 +0200 Subject: handle submodules --- deploy.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/deploy.sh b/deploy.sh index 6aab1119..0db6cf91 100755 --- a/deploy.sh +++ b/deploy.sh @@ -6,16 +6,18 @@ PUPPET_ENV='--confdir=puppet' install_prerequisites () { apt-get update - apt-get install puppet + apt-get install puppet git # lsb is needed for a first puppet run puppet apply $PUPPET_ENV --execute 'include lsb' + git submodule init + git submodule update } # main # commented for testing purposes -#install_prerequisites +install_prerequisites puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ -- cgit v1.2.3 From e73a5e34742a63d82ee4b1a84a779403d9f71bd7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 18:41:37 +0200 Subject: include common --- puppet/manifests/site.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f70c0673..5f58a733 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -3,8 +3,8 @@ node 'default' { # include some basic classes # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup - include apt,git,lsb - + include apt, lsb, git + import "common" $services=hiera_array('services') notice("Services for $fqdn: $services") -- cgit v1.2.3 From f7cd516218ccfb5ec1a68f9953dfce6be605b25b Mon Sep 17 00:00:00 2001 
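Review bot: `git submodule init` and `git submodule update` are added without error handling and the script sets no `set -e`, so a failed checkout of any submodule (the `.gitmodules` entries use unauthenticated `git://` URLs, for which the pinned commit ids are the only integrity check) still falls through to `puppet apply` with an incomplete module tree. Chain them as `git submodule update --init || exit 1`, or add `set -e` near the top of the script. The comment `# commented for testing purposes` is now stale, since the line below it uncomments `install_prerequisites`. The final `puppet apply $PUPPET_ENV puppet/manifests/site.pp $@` is context here, but since the function now gates it, it is worth quoting `"$@"` so arguments with spaces survive.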
From: varac Date: Mon, 24 Sep 2012 21:28:36 +0200 Subject: added submodule couchdb --- .gitmodules | 3 +++ puppet/modules/couchdb | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/couchdb diff --git a/.gitmodules b/.gitmodules index 8f2fd482..33064a2c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "puppet/modules/common"] path = puppet/modules/common url = git://labs.riseup.net/shared-common +[submodule "puppet/modules/couchdb"] + path = puppet/modules/couchdb + url = git://github.com/Benjamin-Ds/puppet-module-couchdb.git diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb new file mode 160000 index 00000000..a8052f92 --- /dev/null +++ b/puppet/modules/couchdb @@ -0,0 +1 @@ +Subproject commit a8052f92424ea020250265d89f5bc8df02104c7e -- cgit v1.2.3 From 8c078cbe1c607e0cb2df917196c00eade55b3a01 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 22:20:57 +0200 Subject: test class couchdb --- puppet/manifests/site.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 5f58a733..3b28be2f 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -27,4 +27,9 @@ node 'default' { create_resources('site_openvpn::server_config', $openvpn_configs) } + if 'couchdb' in $services { + class { 'couchdb': + #bind => '0.0.0.0' + } + } } -- cgit v1.2.3 From 97979201818f8f830dba2f001cfb5c8bce3822ed Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 22:56:56 +0200 Subject: deleted submodule couchdb (from Benjamin-D) --- .gitmodules | 3 --- puppet/modules/couchdb | 1 - 2 files changed, 4 deletions(-) delete mode 160000 puppet/modules/couchdb diff --git a/.gitmodules b/.gitmodules index 33064a2c..8f2fd482 100644 --- a/.gitmodules +++ b/.gitmodules 
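Review bot: The commented-out `#bind => '0.0.0.0'` in the new `class { 'couchdb': }` block would, if enabled, make CouchDB listen on every interface, and nothing in this hunk pairs that with credentials or a firewall rule for its HTTP API. A short comment stating why it stays off, e.g. `# keep the default (local) bind until admin auth is configured`, keeps the next maintainer from flipping it casually, and if it is switched on it should land in the same commit as the authentication setup.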
@@ -22,6 +22,3 @@ [submodule "puppet/modules/common"] path = puppet/modules/common url = git://labs.riseup.net/shared-common -[submodule "puppet/modules/couchdb"] - path = puppet/modules/couchdb - url = git://github.com/Benjamin-Ds/puppet-module-couchdb.git diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb deleted file mode 160000 index a8052f92..00000000 --- a/puppet/modules/couchdb +++ /dev/null @@ -1 +0,0 @@ -Subproject commit a8052f92424ea020250265d89f5bc8df02104c7e -- cgit v1.2.3 From 5486456528dd074b5ce705d23fab1da625043992 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 23:48:00 +0200 Subject: added camptocamp's submodule couchdb --- .gitmodules | 3 +++ puppet/modules/couchdb | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/couchdb diff --git a/.gitmodules b/.gitmodules index 8f2fd482..7dabc497 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "puppet/modules/common"] path = puppet/modules/common url = git://labs.riseup.net/shared-common +[submodule "puppet/modules/couchdb"] + path = puppet/modules/couchdb + url = git://github.com/camptocamp/puppet-couchdb.git diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb new file mode 160000 index 00000000..e97e4081 --- /dev/null +++ b/puppet/modules/couchdb @@ -0,0 +1 @@ +Subproject commit e97e408116525f28b53162b89e6b582fb71020d2 -- cgit v1.2.3 From e6b33a004b38ee4ebe3b31fd715d32669fbe435a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Sep 2012 09:57:10 +0200 Subject: use leap's puppet_couchdb --- .gitmodules | 2 +- puppet/modules/couchdb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index 7dabc497..2e4f3f22 100644 --- a/.gitmodules +++ b/.gitmodules @@ -24,4 +24,4 @@ url = git://labs.riseup.net/shared-common [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb - url = git://github.com/camptocamp/puppet-couchdb.git + url = git://code.leap.se/puppet_couchdb 
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index e97e4081..8daa8625 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit e97e408116525f28b53162b89e6b582fb71020d2 +Subproject commit 8daa862541facd5207a75760f3656e857faf73fd -- cgit v1.2.3 From 3cac4caa546be66abf16b96452a749854a99ce24 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 25 Sep 2012 11:54:42 +0200 Subject: typo --- deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy.sh b/deploy.sh index 0db6cf91..6a582637 100755 --- a/deploy.sh +++ b/deploy.sh @@ -1,6 +1,6 @@ #!/bin/sh -x # -# missing: header, licence, usage +# missing: header, license, usage PUPPET_ENV='--confdir=puppet' -- cgit v1.2.3 From 4b31de05ad453fe6a0a69a5dae39424fa3d1c995 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Sep 2012 15:41:07 +0200 Subject: cleaned hierdata --- config/defaults.yaml | 4 ++-- config/eip/cougar.leap.se.yaml | 2 +- config/eip/defaults.yaml | 3 ++- config/hosts/cougar.leap.se.yaml | 6 +++++- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/config/defaults.yaml b/config/defaults.yaml index 62f047e3..44fae3d2 100644 --- a/config/defaults.yaml +++ b/config/defaults.yaml @@ -1,7 +1,7 @@ --- testpw: secret -services: - none +# as hashes will get aggregated, this ssh-key would always be present, in addition to others specified in hosts/{fqdn} ssh_keys: - test_key: + default_key: key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml index 2bbd71e0..c051d30b 100644 --- a/config/eip/cougar.leap.se.yaml +++ b/config/eip/cougar.leap.se.yaml @@ -7,4 +7,4 @@ openvpn_server_configs: port: 1194 proto: udp -#tor: 'false' +tor: 'true' diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml index 29022408..a56a34c8 100644 
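Review bot: `testpw: secret` is still carried in `config/defaults.yaml`, a committed hieradata file, and the new comment on `ssh_keys` spells out the hash-merge behaviour that makes `default_key` authorized on every host that merges this layer. A password-shaped value and a universally authorized key both belong outside the repository, or at minimum in a host-specific file, since anything in defaults reaches every node. If `testpw` is only a placeholder for exercising hiera lookups, say so next to it, e.g. `# placeholder for testing hiera lookups; not consumed by any manifest`, rather than leaving a value that looks like a live credential.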
--- a/config/eip/defaults.yaml +++ b/config/eip/defaults.yaml @@ -1,5 +1,6 @@ --- # make shure 'false' is quoted tor: 'false' -openvpn_server_configs: - +openvpn_server_configs: + none: diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml index 5cf37bb1..dabeead4 100644 --- a/config/hosts/cougar.leap.se.yaml +++ b/config/hosts/cougar.leap.se.yaml @@ -1,3 +1,7 @@ --- services: - eip - - couchdb + - couchdb +ssh_keys: + second_key: + key: ssh-rsa more_random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ + -- cgit v1.2.3 From 1d02eb68b2bbb3151cfeeef78aa34ed3a5e6edc4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Sep 2012 15:44:41 +0200 Subject: cleaned hierdata, again --- config/eip/defaults.yaml | 2 -- config/hosts/cougar.leap.se.yaml | 5 +++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml index a56a34c8..07846fdd 100644 --- a/config/eip/defaults.yaml +++ b/config/eip/defaults.yaml @@ -1,6 +1,4 @@ --- # make shure 'false' is quoted tor: 'false' -openvpn_server_configs: - none: diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml index dabeead4..758e96a3 100644 --- a/config/hosts/cougar.leap.se.yaml +++ b/config/hosts/cougar.leap.se.yaml @@ -1,6 +1,7 @@ --- -services: - eip - - couchdb +services: + - eip + - couchdb ssh_keys: second_key: key: ssh-rsa more_random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ -- cgit v1.2.3 From 49ffa8032c8043e9e47d801ccebb5d0fe1839a78 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 12:39:25 +0200 Subject: added submodule shorewall --- .gitmodules | 3 +++ puppet/modules/shorewall | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/shorewall 
diff --git a/.gitmodules b/.gitmodules index 8f2fd482..224b83d7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "puppet/modules/common"] path = puppet/modules/common url = git://labs.riseup.net/shared-common +[submodule "puppet/modules/shorewall"] + path = puppet/modules/shorewall + url = git://labs.riseup.net/shared-shorewall diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall new file mode 160000 index 00000000..911cc18e --- /dev/null +++ b/puppet/modules/shorewall @@ -0,0 +1 @@ +Subproject commit 911cc18e594bb5a3ab642ebb24615a0447050c32 -- cgit v1.2.3 From 2575ccbae4cc5941adce3d101b42471f6b18b504 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 12:40:38 +0200 Subject: added submodule resolvconf --- .gitmodules | 3 +++ puppet/modules/resolvconf | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/resolvconf diff --git a/.gitmodules b/.gitmodules index 224b83d7..c95048d9 100644 --- a/.gitmodules +++ b/.gitmodules @@ -25,3 +25,6 @@ [submodule "puppet/modules/shorewall"] path = puppet/modules/shorewall url = git://labs.riseup.net/shared-shorewall +[submodule "puppet/modules/resolvconf"] + path = puppet/modules/resolvconf + url = git://git.puppet.immerda.ch/module-resolvconf.git diff --git a/puppet/modules/resolvconf b/puppet/modules/resolvconf new file mode 160000 index 00000000..c7eca077 --- /dev/null +++ b/puppet/modules/resolvconf @@ -0,0 +1 @@ +Subproject commit c7eca077fdda063edc96d3bea02c4774569e4b10 -- cgit v1.2.3 From e5244f7015de9ffd88c20e9b8136996bfbfe0f0d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 16:08:07 +0200 Subject: added site_config::eip --- puppet/manifests/site.pp | 10 ++-------- puppet/modules/site_config/manifests/eip.pp | 10 ++++++++++ 2 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_config/manifests/eip.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 5f58a733..3ae9ebea 100644 
--- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -4,7 +4,7 @@ node 'default' { # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup include apt, lsb, git - import "common" + import 'common' $services=hiera_array('services') notice("Services for $fqdn: $services") @@ -18,13 +18,7 @@ node 'default' { if 'eip' in $services { - include site_openvpn - - $tor=hiera('tor') - notice("Tor enabled: $tor") - - $openvpn_configs=hiera('openvpn_server_configs') - create_resources('site_openvpn::server_config', $openvpn_configs) + include site_config::eip } } diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp new file mode 100644 index 00000000..56eb1452 --- /dev/null +++ b/puppet/modules/site_config/manifests/eip.pp @@ -0,0 +1,10 @@ +class site_config::eip { + include site_openvpn + + $tor=hiera('tor') + notice("Tor enabled: $tor") + + $openvpn_configs=hiera('openvpn_server_configs') + create_resources('site_openvpn::server_config', $openvpn_configs) + +} -- cgit v1.2.3 From b8f727635254453503bd1d9b22e20d69cc23630a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 16:31:24 +0200 Subject: deleted old README --- README | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 README diff --git a/README b/README deleted file mode 100644 index 73f219a1..00000000 --- a/README +++ /dev/null @@ -1,7 +0,0 @@ -... - -Installation ------------- - -- Edit /etc/leap/hieradata/common.yaml for your needs -- Run the deploy.sh script as root -- cgit v1.2.3 From 14305e553c4f71fbeec997d585383c4c6211c1a5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:29:26 +0200 Subject: don't pull openvpn config from hiera --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 56eb1452..c8677696 100644 
--- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -4,7 +4,15 @@ class site_config::eip { $tor=hiera('tor') notice("Tor enabled: $tor") - $openvpn_configs=hiera('openvpn_server_configs') - create_resources('site_openvpn::server_config', $openvpn_configs) - + #$openvpn_configs=hiera('openvpn_server_configs') + #create_resources('site_openvpn::server_config', $openvpn_configs) + + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp' + } } -- cgit v1.2.3 From 05fcb0db28279ae7c08b8c76c887f633f78a2947 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:38:01 +0200 Subject: cosmetics for server_config.pp --- .../site_openvpn/manifests/server_config.pp | 66 +++++++++++----------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 4a130d13..1af08b4a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,52 +1,52 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package["openvpn"]; - } + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package['openvpn']; + } - concat { - "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File["/etc/openvpn"], - notify => Service["openvpn"]; - } + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } openvpn::option { - "ca ${openvpn_configname}": - key => "ca", - value => "/etc/openvpn/ca.crt", - #require => Exec["initca ${openvpn_configname}"], - server => "${openvpn_configname}"; - "cert ${openvpn_configname}": - key => "cert", - value => "/etc/openvpn/${openvpn_configname}/server.crt", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "key ${openvpn_configname}": + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/ca.crt', + #require => Exec["initca $openvpn_configname"], + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => "/etc/openvpn/$openvpn_configname/server.crt", + #require => Exec["generate server cert $openvpn_configname"], + server => $openvpn_configname; + "key $openvpn_configname": key => "key", - value => "/etc/openvpn/${openvpn_configname}/server.key", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "dh ${openvpn_configname}": + value => "/etc/openvpn/$openvpn_configname/server.key", + #require => Exec["generate server cert $openvpn_configname"], + server => "$openvpn_configname"; + "dh 
$openvpn_configname": key => "dh", value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param ${openvpn_configname}"], - server => "${openvpn_configname}"; + #require => Exec["generate dh param $openvpn_configname"], + server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", value => "tun", server => "$openvpn_configname"; - "mode ${openvpn_configname}": + "mode $openvpn_configname": key => 'mode', value => 'server', server => $openvpn_configname; -- cgit v1.2.3 From df5fa56faa60d743acc1d8351b738a279263b62d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:48:44 +0200 Subject: deploy.sh testing --- deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy.sh b/deploy.sh index 6a582637..7754f91c 100755 --- a/deploy.sh +++ b/deploy.sh @@ -17,7 +17,7 @@ install_prerequisites () { # main # commented for testing purposes -install_prerequisites +#install_prerequisites puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ -- cgit v1.2.3 From ad018cb7c6b85252783e0f8ae5ce26afcc37d9e8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:58:04 +0200 Subject: seperate config from leap_platform --- config/defaults.yaml | 7 ------- config/eip/cougar.leap.se.yaml | 10 ---------- config/eip/defaults.yaml | 4 ---- config/hosts/cougar.leap.se.yaml | 8 -------- puppet/hiera.yaml | 2 +- 5 files changed, 1 insertion(+), 30 deletions(-) delete mode 100644 config/defaults.yaml delete mode 100644 config/eip/cougar.leap.se.yaml delete mode 100644 config/eip/defaults.yaml delete mode 100644 config/hosts/cougar.leap.se.yaml diff --git a/config/defaults.yaml b/config/defaults.yaml deleted file mode 100644 index 44fae3d2..00000000 --- a/config/defaults.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -testpw: secret - -# as hashes will get aggregated, this ssh-key would always be present, in addition to others specified in hosts/{fqdn} -ssh_keys: - default_key: - key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml deleted file mode 100644 index c051d30b..00000000 --- a/config/eip/cougar.leap.se.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -openvpn_server_configs: - port80_tcp: - port: 80 - proto: tcp-server - port1194_udp: - port: 1194 - proto: udp - -tor: 'true' diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml deleted file mode 100644 index 07846fdd..00000000 --- a/config/eip/defaults.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# make shure 'false' is quoted -tor: 'false' - diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml deleted file mode 100644 index 758e96a3..00000000 --- a/config/hosts/cougar.leap.se.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -services: - - eip - - couchdb -ssh_keys: - second_key: - key: ssh-rsa more_random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ - diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index a992c057..95283394 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -17,7 +17,7 @@ # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo :yaml: - :datadir: config + :datadir: ../config :puppet: :datasource: data -- cgit v1.2.3 From b7277a8c666248a2a134f1d5b84c994df9904b7c Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 4 Oct 2012 22:34:20 +0200 Subject: moved most includes to site_config --- puppet/manifests/site.pp | 18 ++++++------------ puppet/modules/site_config/manifests/init.pp | 7 +++++++ 2 files changed, 13 insertions(+), 12 deletions(-) create mode 100644 puppet/modules/site_config/manifests/init.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 3ae9ebea..89c97888 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,22 +1,16 @@ node 'default' { + # prerequisites + import 'common' + include concat::setup # include some basic classes - # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? - include concat::setup - include apt, lsb, git - import 'common' + #include site_config + # parse services for host $services=hiera_array('services') notice("Services for $fqdn: $services") - # configure ssh and inculde ssh-keys - #include sshd - $ssh_keys=hiera_hash('ssh_keys') - include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) - - + # configure eip if 'eip' in $services { include site_config::eip } diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp new file mode 100644 index 00000000..64eb06f4 --- /dev/null +++ b/puppet/modules/site_config/manifests/init.pp @@ -0,0 +1,7 @@ +class site_config { + include apt, lsb, git + + # configure ssh and inculde ssh-keys + include site_config::sshd + +} -- cgit v1.2.3 From fc72260f601fb77b90d9f2f2afd2a43c4d5916f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:35:16 +0200 Subject: + site_openvpn::keys --- puppet/modules/site_config/manifests/eip.pp | 5 +++-- puppet/modules/site_openvpn/manifests/keys.pp | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/keys.pp 
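Review bot: `include site_config` is commented out in `node 'default'` at the same time as the `site_sshd`/`ssh_keys` block is removed from this file, so after this commit no node gets `apt`, `lsb`, `git` or the sshd and authorized-key configuration until someone uncomments that line. If the move is meant to be staged, the manifest should still keep one working path; otherwise change `#include site_config` to `include site_config` so the ssh key management that was applied before this commit keeps being applied.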
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c8677696..6e866b1c 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,8 +1,9 @@ class site_config::eip { include site_openvpn + include site_openvpn::keys - $tor=hiera('tor') - notice("Tor enabled: $tor") + #$tor=hiera('tor') + #notice("Tor enabled: $tor") #$openvpn_configs=hiera('openvpn_server_configs') #create_resources('site_openvpn::server_config', $openvpn_configs) diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp new file mode 100644 index 00000000..b31369c9 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -0,0 +1,23 @@ +class site_openvpn::keys { + $openvpn_keys = hiera_hash('openvpn_keys') + + file { '/etc/openvpn/keys/ca.crt': + content => $openvpn_keys['ca'], + mode => '0644', + } + + file { '/etc/openvpn/keys/dh.pem': + content => $openvpn_keys['dh'], + mode => '0644', + } + + file { '/etc/openvpn/keys/server.key': + content => $openvpn_keys['server_key'], + mode => '0600', + } + + file { '/etc/openvpn/keys/server.crt': + content => $openvpn_keys['server_cert'], + mode => '0644', + } +} -- cgit v1.2.3 From e89082114be280c7fd3c7b62863e19ff5c89df26 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:12 +0200 Subject: cosmetics --- puppet/modules/site_openvpn/manifests/init.pp | 59 +++++++++++++++------------ 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index c83b98c7..e95e67d5 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
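Review bot: `/etc/openvpn/keys/server.key` is written with `mode => '0600'` but no `owner`/`group`, and the same goes for the other three files, so ownership is whatever the agent happens to run as and a later `chown` would not be corrected. Pin every resource in this class with `owner => 'root', group => 'root'`. Because the content comes from `hiera_hash('openvpn_keys')`, the private key lives in hieradata and, if `show_diff` is enabled, can also be echoed into agent output when it changes; keep that hieradata out of the shared platform repository and consider suppressing content diffs on the key resource if the Puppet version in use supports it.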
@@ -1,43 +1,48 @@ class site_openvpn { package { - "openvpn": - ensure => installed; + 'openvpn': + ensure => installed; } service { - "openvpn": - ensure => running, - hasrestart => true, - hasstatus => true, - require => Exec["concat_/etc/default/openvpn"]; + 'openvpn': + ensure => running, + hasrestart => true, + hasstatus => true, + require => Exec['concat_/etc/default/openvpn']; } + file { - "/etc/openvpn": - ensure => directory, - require => Package["openvpn"]; + '/etc/openvpn': + ensure => directory, + require => Package['openvpn']; } - include concat::setup + file { + '/etc/openvpn/keys': + ensure => directory, + require => Package['openvpn']; + } concat { - "/etc/default/openvpn": - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service["openvpn"]; + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; } concat::fragment { - "openvpn.default.header": - content => template("openvpn/etc-default-openvpn.erb"), - target => "/etc/default/openvpn", - order => 01; + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; } - concat::fragment { - "openvpn.default.autostart.${name}": - content => "AUTOSTART=all", - target => "/etc/default/openvpn", - order => 10; - } + concat::fragment { + "openvpn.default.autostart.${name}": + content => 'AUTOSTART=all', + target => '/etc/default/openvpn', + order => 10; + } } -- cgit v1.2.3 From c067421f34d375c2b39e88a5994353c71ac4c9af Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:48 +0200 Subject: include openvpn keys --- .../site_openvpn/manifests/server_config.pp | 23 ++++++---------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1af08b4a..5a47954a 100644 
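Review bot: The fragment title `"openvpn.default.autostart.${name}"` sits inside a class, not a defined type, so `$name` resolves to the class name `site_openvpn` rather than any per-instance value; the title still works as a unique string but is misleading, so drop the interpolation: `'openvpn.default.autostart':`. Separately, `AUTOSTART=all` in `/etc/default/openvpn` makes the Debian init script start every `*.conf` found under `/etc/openvpn`, including leftovers not produced by `site_openvpn::server_config`; if only the managed configurations should run, list their names explicitly instead of `all`.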
--- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,14 +1,9 @@ define site_openvpn::server_config($port, $proto) { - $openvpn_configname=$name + $openvpn_configname = $name + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package['openvpn']; - } - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, @@ -19,28 +14,22 @@ define site_openvpn::server_config($port, $proto) { notify => Service['openvpn']; } - - openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/ca.crt', - #require => Exec["initca $openvpn_configname"], + value => '/etc/openvpn/keys/ca.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/$openvpn_configname/server.crt", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.crt", server => $openvpn_configname; "key $openvpn_configname": key => "key", - value => "/etc/openvpn/$openvpn_configname/server.key", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.key", server => "$openvpn_configname"; "dh $openvpn_configname": key => "dh", - value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param $openvpn_configname"], + value => "/etc/openvpn/keys/dh1024.pem", server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", -- cgit v1.2.3 From 9fb0bcc2901bf5cf79d3ac0a46c610d302e0df7b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:38:15 +0200 Subject: + site_config::sshd --- puppet/modules/site_config/manifests/sshd.pp | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 puppet/modules/site_config/manifests/sshd.pp 
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp new file mode 100644 index 00000000..8e33ca7f --- /dev/null +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -0,0 +1,8 @@ +class site_config::sshd { + # configure ssh and inculde ssh-keys + include sshd + $ssh_keys=hiera_hash('ssh_keys') + include site_sshd + notice($ssh_keys) + create_resources('site_sshd::ssh_key', $ssh_keys) +} -- cgit v1.2.3 From b59ce36a29a770847368773db543b38c62ea55cf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:05:32 +0200 Subject: adopted most static parameters --- .../site_openvpn/manifests/server_config.pp | 137 ++++++++++----------- 1 file changed, 67 insertions(+), 70 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5a47954a..320a4add 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,8 +1,8 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname = $name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $proto") + #notice("Creating OpenVPN $openvpn_configname: + # Port: $port, Protocol: $proto") concat { "/etc/openvpn/$openvpn_configname.conf": 
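Review bot: `notice($ssh_keys)` writes the entire merged `ssh_keys` hash to the agent log on every run; it reads as a debugging leftover and should be removed, since it puts the full authorized-key set into every report for no operational gain. `hiera_hash('ssh_keys')` merges every hierarchy layer, so a key placed in a shared defaults file is authorized on every host that includes this class; a comment above the lookup, e.g. `# hiera_hash merges all layers: a key in defaults.yaml lands on every host`, would warn whoever adds keys later. The class also does both `include sshd` and `include site_sshd`; if `site_sshd` already pulls in `sshd`, the first include is redundant.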
@@ -21,81 +21,78 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/keys/server.crt", + value => '/etc/openvpn/keys/server.crt', server => $openvpn_configname; "key $openvpn_configname": - key => "key", - value => "/etc/openvpn/keys/server.key", - server => "$openvpn_configname"; + key => 'key', + value => '/etc/openvpn/keys/server.key', + server => $openvpn_configname; "dh $openvpn_configname": - key => "dh", - value => "/etc/openvpn/keys/dh1024.pem", - server => "$openvpn_configname"; + key => 'dh', + value => '/etc/openvpn/keys/dh1024.pem', + server => $openvpn_configname; + "dev $openvpn_configname": - key => "dev", - value => "tun", - server => "$openvpn_configname"; - "mode $openvpn_configname": - key => 'mode', - value => 'server', - server => $openvpn_configname; - "script-security $openvpn_configname": - key => "script-security", - value => "3", - server => "$openvpn_configname"; - "daemon $openvpn_configname": - key => "daemon", - server => "$openvpn_configname"; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive $openvpn_configname": - key => "keepalive", - value => "10 60", - server => "$openvpn_configname"; - "ping-timer-rem $openvpn_configname": - key => "ping-timer-rem", - server => "$openvpn_configname"; - "persist-tun $openvpn_configname": - key => "persist-tun", - server => "$openvpn_configname"; - "persist-key $openvpn_configname": - key => "persist-key", - server => "$openvpn_configname"; - "proto $openvpn_configname": - key => "proto", - value => "$proto", - server => "$openvpn_configname"; - "cipher $openvpn_configname": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_configname"; + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; "local $openvpn_configname": - key => "local", - value 
=> $ipaddress, - server => "$openvpn_configname"; - "tls-server $openvpn_configname": - key => "tls-server", - server => "$openvpn_configname"; - #"server $openvpn_configname": - # key => "server", - # value => "$server", - # server => "$openvpn_configname"; - "lport $openvpn_configname": - key => "lport", - value => "$port", - server => "$openvpn_configname"; + key => 'local', + value => $::ipaddress, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + "mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; "management $openvpn_configname": - key => "management", - value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_configname"; - "comp-lzo $openvpn_configname": - key => "comp-lzo", - server => "$openvpn_configname"; + key => 'management', + value => '127.0.0.1 1000', + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push $openvpn_configname": + key => 'push', + value => "\"redirect-gateway def1\"", + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => "10.42.0.0 255.255.248.0", + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology $openvpn_configname": - key => "topology", - value => "subnet", - server => "$openvpn_configname"; - #"client-to-client $openvpn_configname": - # key => "client-to-client", - # server => "$openvpn_configname"; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + "up $openvpn_configname": 
+ key => 'up', + value => '/etc/openvpn/server-up.sh', + server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; } - } -- cgit v1.2.3 From 1ec1b9b56bc821b81f3797ea158846b41cc03853 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:38:57 +0200 Subject: finished site_openvpn::server_config --- puppet/modules/site_config/manifests/eip.pp | 16 +++++++++++----- puppet/modules/site_openvpn/manifests/server_config.pp | 16 +++++++++++----- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 6e866b1c..e6f80d25 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -7,13 +7,19 @@ class site_config::eip { #$openvpn_configs=hiera('openvpn_server_configs') #create_resources('site_openvpn::server_config', $openvpn_configs) - + site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp' + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.42.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.42.0.1"', } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp' + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.43.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.43.0.1"', } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 320a4add..784152b7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,6 +1,8 @@ -define site_openvpn::server_config($port, $proto) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { + $openvpn_configname = $name + #notice("Creating OpenVPN $openvpn_configname: # Port: $port, Protocol: $proto") 
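Review bot: `status` is hard-coded to `/var/run/openvpn-status 10` for every instance of this define, yet `site_config::eip` declares two instances (`tcp_config` and `udp_config`), so the two daemons will overwrite each other's status file; make it per-instance with `value => "/var/run/openvpn-${openvpn_configname}.status 10"`. The `up /etc/openvpn/server-up.sh` hook is referenced but nothing visible in this module manages that file; if it is missing OpenVPN will refuse to start, and with `script-security 2` it runs as root, so the file should be root-owned and not group- or world-writable, which a `file` resource here could enforce. The define's header is outside this hunk.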
@@ -45,7 +47,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "local $openvpn_configname": key => 'local', - value => $::ipaddress, + value => $local, server => $openvpn_configname; "mute $openvpn_configname": key => 'mute', @@ -62,9 +64,13 @@ define site_openvpn::server_config($port, $proto) { key => 'proto', value => $proto, server => $openvpn_configname; - "push $openvpn_configname": + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": key => 'push', - value => "\"redirect-gateway def1\"", + value => '"redirect-gateway def1"', server => $openvpn_configname; "script-security $openvpn_configname": key => 'script-security', @@ -72,7 +78,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "10.42.0.0 255.255.248.0", + value => "$server", server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From c9b2c36a5e9327c011af1345bdf54a9c4b84d857 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:47:40 +0200 Subject: dh1204.pem -> dh.pen --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 784152b7..d8a8bc0b 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -31,7 +31,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', - value => '/etc/openvpn/keys/dh1024.pem', + value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; "dev $openvpn_configname": -- cgit v1.2.3 From 97e5a3270df10b8fe699a13966ee6b34b864735e Mon Sep 17 00:00:00 2001 
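Review bot: `value => "$server"` in the last hunk wraps a bare variable in double quotes while the sibling lines added in the same commit pass `$local` and `$push` unquoted; the quoting adds nothing and stringifies the value, so `value => $server,` keeps the define consistent. The new `push2` entry pushes `redirect-gateway def1` unconditionally for every config created from this define, which deserves a one-line comment next to it such as `# full-tunnel: all client traffic is routed through the VPN` so the intent sits beside the per-config `$push` line above it. The define's body starts and continues outside these hunks.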
From: varac Date: Thu, 4 Oct 2012 23:54:37 +0200 Subject: different parameter for each config --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index d8a8bc0b..441a21e3 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,4 +1,4 @@ -define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -58,7 +58,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "management $openvpn_configname": key => 'management', - value => '127.0.0.1 1000', + value => $management, server => $openvpn_configname; "proto $openvpn_configname": key => 'proto', -- cgit v1.2.3 From b49ab6a1a06bcc31984e09a5371510643eef3c87 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:55:03 +0200 Subject: use different parameter for each config --- puppet/modules/site_config/manifests/eip.pp | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index e6f80d25..9f1c205c 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
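Review bot: The `$management` value the define now passes straight through is only `address port` (`'127.0.0.1 1000'` in the eip.pp hunks that follow), so the OpenVPN management channel listens on a TCP port with no password file; OpenVPN's `management` directive takes an optional third `pw-file` argument, and without it any local process on the gateway can talk to the daemon's control channel. Either extend the define with a `$management_pw_file` parameter that is appended to the value, or return to a unix socket with a restrictive mode as the removed `/var/run/openvpn-<name>.sock unix` line earlier on this page did. At minimum document the exposure next to the resource: `# management channel is unauthenticated; must stay bound to loopback`. The define's body continues outside the hunk.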
@@ -9,17 +9,19 @@ class site_config::eip { #create_resources('site_openvpn::server_config', $openvpn_configs) site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $::ipaddress_eth0_1, - server => '10.42.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.42.0.1"', + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => 'management 127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $::ipaddress_eth0_1, - server => '10.43.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.43.0.1"', + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => 'management 127.0.0.1 1001' } } -- cgit v1.2.3 From 76f15950d637a79604f6472ba19f662069e59dc8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:56:36 +0200 Subject: typo in eip.pp --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 9f1c205c..2c696d21 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -14,7 +14,7 @@ class site_config::eip { local => $::ipaddress_eth0_1, server => '10.1.0.0 255.255.248.0', push => '"dhcp-option DNS 10.1.0.1"', - management => 'management 127.0.0.1 1000' + management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', @@ -22,6 +22,6 @@ class site_config::eip { local => $::ipaddress_eth0_1, server => '10.2.0.0 255.255.248.0', push => '"dhcp-option DNS 10.2.0.1"', - management => 'management 127.0.0.1 1001' + management => '127.0.0.1 1001' } } -- cgit v1.2.3 From c5196bcd0f1e93a1f56cd9b5387577c0e438eda6 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 5 Oct 2012 23:14:15 +0200 Subject: flatten hiera hierarchy --- puppet/hiera.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 95283394..4194c6c9 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -6,13 +6,15 @@ :logger: console :hierarchy: - - hosts/%{fqdn} - - ca/%{fqdn} - - ca/defaults - - eip/%{fqdn} - - eip/defaults + - %{fqdn} +#former hierarchy, not used anymore +# - hosts/%{fqdn} +# - ca/%{fqdn} +# - ca/defaults +# - eip/%{fqdn} +# - eip/defaults # more services following - - defaults +# - defaults # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo -- cgit v1.2.3 From a2fdea96778a01acabf9f1e40cc8cc295520cd61 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 6 Oct 2012 09:06:20 +0200 Subject: added submodule sysctl --- .gitmodules | 3 +++ puppet/modules/sysctl | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/sysctl diff --git a/.gitmodules b/.gitmodules index c95048d9..c151aaf7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -28,3 +28,6 @@ [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf url = git://git.puppet.immerda.ch/module-resolvconf.git +[submodule "puppet/modules/sysctl"] + path = puppet/modules/sysctl + url = git://github.com/luxflux/puppet-sysctl.git diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl new file mode 160000 index 00000000..6ad210b3 --- /dev/null +++ b/puppet/modules/sysctl @@ -0,0 +1 @@ +Subproject commit 6ad210b3f90f24878cfccd61c758275e2ab022bd -- cgit v1.2.3 From e373def213a4e55c37c7940195ea9cd33e604f2d Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 8 Oct 2012 21:54:34 +0200 Subject: + site_shorewall::eip --- puppet/modules/site_config/manifests/eip.pp | 2 ++ .../modules/site_shorewall/manifests/defaults.pp | 26 ++++++++++++++ puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/defaults.pp create mode 100644 puppet/modules/site_shorewall/manifests/eip.pp diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 2c696d21..95f9dbf4 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -24,4 +24,6 @@ class site_config::eip { push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } + + include site_shorewall::eip } diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp new file mode 100644 index 00000000..cfe7bae2 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -0,0 +1,26 @@ +class site_shorewall::defaults { + include shorewall + + # If you want logging: + shorewall::params { + 'LOG': value => 'debug'; + } + + shorewall::zone {'net': type => 'ipv4'; } + + shorewall::rule_section { 'NEW': order => 10; } + + case $shorewall_rfc1918_maineth { + '': {$shorewall_rfc1918_maineth = true } + } + + case $shorewall_main_interface { + '': { $shorewall_main_interface = 'eth0' } + } + + shorewall::interface {$shorewall_main_interface: + zone => 'net', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; + } +} diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp new file mode 100644 index 00000000..bfa77206 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -0,0 +1,42 @@ +class site_shorewall::eip { + + # be safe for development + $shorewall_startup='0' + + include site_shorewall::defaults + + shorewall::interface {'tun0': + zone => 'eip', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': + type => 'ipv4'; } + shorewall::routestopped {'eth0': + interface => 'eth0'; } + + shorewall::policy { + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + 'all2all-ssh': + source => 'all', + destination => 'all', + action => 'SSH(ACCEPT)', + order => 200; + 'all2all-openvpn': + source => 'all', + destination => 'all', + action => 'OpenVPN(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 208ba98de3ab459d49303497587927fddcc30f12 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 22:00:01 +0200 Subject: second if for site_shorewall::eip --- puppet/modules/site_shorewall/manifests/eip.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index bfa77206..1ef0c48f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,8 +9,14 @@ class site_shorewall::eip { zone => 'eip', rfc1918 => $shorewall_rfc1918_maineth, options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface {'tun1': + zone => 'eip', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } + shorewall::routestopped {'eth0': interface => 'eth0'; } -- cgit v1.2.3 From 949ab1afa57771f44371da6da5e510056ada6d3b Mon Sep 17 00:00:00 2001 
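Review bot: `$shorewall_startup='0'` at the top of the new class keeps shorewall from starting at boot, so the `all-to-all` DROP policy and every rule declared below it are not enforced on a host that reboots (assuming the included shorewall module consumes this variable as its name suggests). That leaves the firewall as documentation until the value is flipped; if it has to stay off during development, derive it from a hiera or environment flag rather than a literal, and replace the `# be safe for development` comment with one that states the consequence, e.g. `# TODO: set to '1' before production; with '0' none of the rules below are active after boot`.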
From: varac Date: Mon, 8 Oct 2012 22:03:06 +0200 Subject: shorewall: + dns,http --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1ef0c48f..1e458b1a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -44,5 +44,15 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 492280a9d097fde4c1a9e43d7b0a079d1fe4e10f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:12:51 +0200 Subject: shorewall: + https, masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1e458b1a..9a4454f9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -20,6 +20,9 @@ class site_shorewall::eip { shorewall::routestopped {'eth0': interface => 'eth0'; } + shorewall::masq {'eth0': + interface => 'eth0'; } + shorewall::policy { 'all-to-all': sourcezone => 'all', @@ -49,10 +52,15 @@ class site_shorewall::eip { destination => 'all', action => 'HTTP(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-DNS': source => '$FW', destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'eip2fw-https': + source => 'eip', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 9398b62b4de978a782fd6ba8c8c1bb2237b4fa04 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 8 Oct 2012 23:18:22 +0200 Subject: shorewall: add empty source for masq --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9a4454f9..98a39837 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -21,7 +21,8 @@ class site_shorewall::eip { interface => 'eth0'; } shorewall::masq {'eth0': - interface => 'eth0'; } + interface => 'eth0', + source => ''; } shorewall::policy { 'all-to-all': -- cgit v1.2.3 From dd59c82520aba539e15351cc69395ec48fff7999 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:26:29 +0200 Subject: shorewall: policy: accept eip2all --- puppet/modules/site_shorewall/manifests/eip.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 98a39837..9cd332e1 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -25,6 +25,11 @@ class site_shorewall::eip { source => ''; } shorewall::policy { + 'eip-to-all': + sourcezone => 'eip', + destinationzone => 'all', + policy => 'ACCEPT', + order => 200; 'all-to-all': sourcezone => 'all', destinationzone => 'all', -- cgit v1.2.3 From 0bf3dc82f81c8147b2e4e5e32b3515d6ba373aee Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:29:35 +0200 Subject: shorewall: allow git access for --- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9cd332e1..3edd1bcc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
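Review bot: The new `eip-to-all` ACCEPT policy has destination zone `all`, which includes `$FW`, so every service bound on the gateway itself (ssh, the resolver installed later on this page) becomes reachable from VPN clients as a matter of policy rather than through explicit rules, and the `eip2fw-https` rule added a few hunks earlier is redundant under it. Splitting it into an `eip-to-net` ACCEPT plus an `eip-to-fw` DROP with explicit DNS/HTTPS rules keeps the least-privilege shape the rest of the rule set is aiming for; a comment above the policy block stating which zones are meant to be open to clients would make the intent reviewable.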
@@ -53,6 +53,8 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + + # eip gw itself to outside 'fw2all-http': source => '$FW', destination => 'all', @@ -63,6 +65,12 @@ class site_shorewall::eip { destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; + 'eip2fw-https': source => 'eip', destination => '$FW', -- cgit v1.2.3 From a11a41c94a8ebfa217f27141268e472858a91feb Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:30:17 +0200 Subject: shorewall: allow git access for --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 3edd1bcc..0806a862 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -65,7 +65,7 @@ class site_shorewall::eip { destination => 'all', action => 'DNS(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-git': source => '$FW', destination => 'all', action => 'Git(ACCEPT)', -- cgit v1.2.3 From 7f40d1b15e84416bd56e8b6ffbc8e09cda859c87 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:39:49 +0200 Subject: shorewall: reorder policy --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0806a862..a4d1231d 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -29,7 +29,7 @@ class site_shorewall::eip { sourcezone => 'eip', destinationzone => 'all', policy => 'ACCEPT', - order => 200; + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', -- cgit v1.2.3 
From cf2f7703b615dd4568beeebea59f514a20cf169a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:52:50 +0200 Subject: cleaned defaults.pp --- puppet/modules/site_shorewall/manifests/defaults.pp | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index cfe7bae2..c68b8370 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,17 +10,8 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {$shorewall_main_interface: + shorewall::interface {'eth0': zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, options => 'tcpflags,blacklist,nosmurfs'; } } -- cgit v1.2.3 From 912d7103855ba674255d2dbeda87ab358388ecc0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:53:18 +0200 Subject: cleaned eip.pp, added second main if --- puppet/modules/site_shorewall/manifests/eip.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a4d1231d..80119ee8 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,13 +5,16 @@ class site_shorewall::eip { include site_shorewall::defaults + shorewall::interface {'eth0:1': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', - rfc1918 => $shorewall_rfc1918_maineth, + rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun1': zone => 'eip', - rfc1918 => $shorewall_rfc1918_maineth, + rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::zone {'eip': -- cgit v1.2.3 From acc806b363b5bc5f1b6a994e525d20b65bc06fa8 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:55:31 +0200 Subject: Support for the norfc1918 interface option has been removed from Shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 80119ee8..6ccfff69 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,11 +10,9 @@ class site_shorewall::eip { options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', - rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun1': zone => 'eip', - rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::zone {'eip': -- cgit v1.2.3 From 81c20fd7d39300c27a2d8196871a832767c5623a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:57:59 +0200 Subject: no virtual IFs in shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 3 --- 1 file changed, 3 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 6ccfff69..590a01ba 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,9 +5,6 @@ class site_shorewall::eip { include site_shorewall::defaults - shorewall::interface {'eth0:1': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } -- cgit v1.2.3 From c716f40cf2011c3141e2e7150fd3f928ffac626a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:46:06 +0200 Subject: shorewall: made rules more precise, use own macro --- puppet/modules/site_shorewall/manifests/eip.pp | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 590a01ba..8624af87 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,10 @@ class site_shorewall::eip { include site_shorewall::defaults + # define macro + file { "/etc/shorewall/macro.leap_eip": + content => 'PARAM - - - 53,80,443,1194', } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -41,15 +45,16 @@ class site_shorewall::eip { destination => 'all', action => 'Ping(ACCEPT)', order => 200; - 'all2all-ssh': - source => 'all', - destination => 'all', + + 'net2fw-ssh': + source => 'net', + destination => '$FW', action => 'SSH(ACCEPT)', order => 200; - 'all2all-openvpn': - source => 'all', - destination => 'all', - action => 'OpenVPN(ACCEPT)', + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', order => 200; # eip gw itself to outside -- cgit v1.2.3 From a3cd8ac7a637111281f32d6ed5c8e856fe5be973 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:48:21 +0200 Subject: shorewall: need to sprecify protocol --- puppet/modules/site_shorewall/manifests/eip.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
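Review bot: The `net2fw-openvpn` rule in the second hunk now uses `leap_eip(ACCEPT)`, and the macro defined in the first hunk admits 53, 80, 443 and 1194 from `net` to `$FW`, so the rule name understates what it opens: anything listening on the gateway's 53, 80 or 443 (a caching bind9 is installed on these hosts by a later commit on this page) becomes reachable from the public side alongside OpenVPN. If those ports are meant for OpenVPN listeners on alternate ports, say so in the macro file; otherwise keep the macro to `PARAM - - - 1194` and add separately named rules for whatever else is intended. The `file` resource also declares no `owner`/`group`/`mode` and no relationship to the shorewall package, so on a fresh host it may be written before `/etc/shorewall` exists; a `require` on the package resource the shorewall module declares plus `mode => '0644'` covers both. A header comment such as `# macro.leap_eip: ports the EIP gateway accepts from the public net` would replace the bare `# define macro`.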
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8624af87..0902039c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,7 +7,9 @@ class site_shorewall::eip { # define macro file { "/etc/shorewall/macro.leap_eip": - content => 'PARAM - - - 53,80,443,1194', } + content => 'PARAM - - tcp 53,80,443,1194 +PARAM - - udp 53,80,443,1194 +', } shorewall::interface {'tun0': zone => 'eip', -- cgit v1.2.3 From 9fc9b19057fcf322e8d3fcaead0032859f873f53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Oct 2012 19:49:48 +0200 Subject: renamed hiera keys to work with leap_cli --- puppet/manifests/site.pp | 2 +- puppet/modules/site_openvpn/manifests/keys.pp | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 89c97888..d451bdf5 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,7 @@ node 'default' { notice("Services for $fqdn: $services") # configure eip - if 'eip' in $services { + if 'openvpn' in $services { include site_config::eip } diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index b31369c9..d029fbac 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,13 +1,18 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn_keys') + $openvpn_keys = hiera_hash('openvpn') + + file { '/etc/openvpn/keys/ca.key': + content => $openvpn_keys['ca_key'], + mode => '0600', + } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca'], + content => $openvpn_keys['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $openvpn_keys['dh_key'], mode => '0644', } 
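Review bot: The new `/etc/openvpn/keys/ca.key` resource places the CA private key on every OpenVPN gateway, and nothing in this hunk needs it: OpenVPN's `ca` directive takes the certificate only, and the running server needs its own certificate and key plus `ca.crt` and `dh.pem`. Keeping the issuing key off the gateway limits a host compromise to one server certificate instead of the whole PKI; unless client certificates are signed on this host, drop the resource, and if it must stay add an explicit `owner => 'root', group => 'root'` next to `mode => '0600'` with a comment stating why it is deployed here. Note also that secrets passed through `content` appear in Puppet's change diffs unless `show_diff` is disabled, which applies to the server key resource in the unchanged part of the file as well.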
@@ -17,7 +22,7 @@ class site_openvpn::keys { } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_cert'], + content => $openvpn_keys['server_crt'], mode => '0644', } } -- cgit v1.2.3 From df1cb1b7445adcabbe355290d1e720040b916f6b Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 14:01:11 +0200 Subject: + site_config::resolvconf --- puppet/modules/site_config/manifests/init.pp | 4 ++++ puppet/modules/site_config/manifests/resolvconf.pp | 13 +++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_config/manifests/resolvconf.pp diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 64eb06f4..8aa1b54d 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -1,7 +1,11 @@ class site_config { + # default class, use by all hosts + include apt, lsb, git # configure ssh and inculde ssh-keys include site_config::sshd + # configure /etc/resolv.conf + include site_config::resolvconf } diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp new file mode 100644 index 00000000..ec3ce9e9 --- /dev/null +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -0,0 +1,13 @@ +class site_config::resolvconf { + package { 'bind9': + ensure => installed, + } + + $domain_hash = hiera('domain') + $domain = $domain_hash['public'] + + $resolvconf_search = $domain + $resolvconf_domain = $domain + $resolvconf_nameservers = '127.0.0.1 # caching-only local bind:87.118.100.175 # http://server.privacyfoundation.de' + include resolvconf +} -- cgit v1.2.3 From 082efdddf4b5a4c741a655e6833b8d86bb717303 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 14:44:05 +0200 Subject: ssh_keys -> ssh_pubkeys for clarity --- puppet/modules/site_config/manifests/sshd.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
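Review bot: `package { 'bind9': ensure => installed }` in the new resolvconf class brings up BIND with the distribution's stock configuration and nothing here sets `listen-on` or `allow-recursion`, while the `leap_eip` macro earlier on this page opens port 53 from `net` to `$FW`; whether the gateway ends up answering recursive queries from the public side therefore depends entirely on an unmanaged default file. Managing the options file from this class (listen on loopback and the tunnel addresses, recursion for the VPN subnets only) would make the intent explicit, and a comment such as `# bind9 resolves for VPN clients only; listen/recursion limits are managed below` belongs above the package resource.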
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 8e33ca7f..4834bb6f 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -1,8 +1,8 @@ class site_config::sshd { # configure ssh and inculde ssh-keys include sshd - $ssh_keys=hiera_hash('ssh_keys') + $ssh_pubkeys=hiera_hash('ssh_pubkeys') include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) + notice($ssh_pubkeys) + create_resources('site_sshd::ssh_key', $ssh_pubkeys) } -- cgit v1.2.3 From 18482bf1a47474771f72bb92e766bff2781ad3fd Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:01:34 +0200 Subject: new resolvconf module uses parameterized class --- puppet/modules/site_config/manifests/resolvconf.pp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index ec3ce9e9..6536969a 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -4,10 +4,13 @@ class site_config::resolvconf { } $domain_hash = hiera('domain') - $domain = $domain_hash['public'] + $domain_public = $domain_hash['public'] - $resolvconf_search = $domain - $resolvconf_domain = $domain - $resolvconf_nameservers = '127.0.0.1 # caching-only local bind:87.118.100.175 # http://server.privacyfoundation.de' - include resolvconf + # 127.0.0.1: caching-only local bind + # 87.118.100.175: http://server.privacyfoundation.de + class { 'resolvconf': + $domain = $domain_public, + $search = $domain_public, + $nameservers = [ '127.0.0.1', '87.118.100.175' ] + } } -- cgit v1.2.3 From dfe67e888d5ab6b74c0dd9cc7e3d738c07b0ae5d Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 12 Oct 2012 15:06:59 +0200 Subject: fixes resolvconf call --- puppet/modules/site_config/manifests/resolvconf.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 6536969a..dca48b21 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,9 +8,9 @@ class site_config::resolvconf { # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de - class { 'resolvconf': - $domain = $domain_public, - $search = $domain_public, - $nameservers = [ '127.0.0.1', '87.118.100.175' ] + class { '::resolvconf': + domain => $domain_public, + search => $domain_public, + nameservers => [ '127.0.0.1', '87.118.100.175' ] } } -- cgit v1.2.3 From b297dd3c47a9d23eaba6070555ecec47f3acbcc6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:09:40 +0200 Subject: add third dns server (swiss privacy found.) --- puppet/modules/site_config/manifests/resolvconf.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index dca48b21..bd0539b9 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -6,11 +6,12 @@ class site_config::resolvconf { $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] - # 127.0.0.1: caching-only local bind + # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de + # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html class { '::resolvconf': domain => $domain_public, search => $domain_public, - nameservers => [ '127.0.0.1', '87.118.100.175' ] + nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ] } } -- cgit v1.2.3 
From 0eff2049fa8d846dffee3236824b8bc42e581467 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:32:15 +0200 Subject: added ruby-hiera-puppet as dependency --- deploy.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/deploy.sh b/deploy.sh index 7754f91c..d5bca7d0 100755 --- a/deploy.sh +++ b/deploy.sh @@ -5,19 +5,28 @@ PUPPET_ENV='--confdir=puppet' install_prerequisites () { - apt-get update - apt-get install puppet git + PACKAGES='git puppet ruby-hiera-puppet' + dpkg -l $PACKAGES > /dev/null 2>&1 + if [ ! $? -eq 0 ] + then + apt-get update + apt-get install $PACKAGES + fi # lsb is needed for a first puppet run puppet apply $PUPPET_ENV --execute 'include lsb' - git submodule init - git submodule update } # main # commented for testing purposes +# this should be run once on every host on setup #install_prerequisites -puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ +# keep repository up to date +git pull +git submodule init +git submodule update +# run puppet without irritating deprecation warnings +puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ | grep -v 'warning:.*is deprecated' -- cgit v1.2.3 From 84ec7db785dafacbc881fa6d8a626f9673de2942 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 22:29:51 +0200 Subject: added --init --- deploy.sh | 41 +++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/deploy.sh b/deploy.sh index d5bca7d0..4606f27d 100755 --- a/deploy.sh +++ b/deploy.sh @@ -1,11 +1,25 @@ -#!/bin/sh -x +#!/bin/sh # -# missing: header, license, usage +# missing: header, license -PUPPET_ENV='--confdir=puppet' +bad_usage() { usage 1>&2; [ $# -eq 0 ] || echo "$@"; exit 1; } + +usage() { + cat < /dev/null 2>&1 if [ ! $? -eq 0 ] then 
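Review bot: `puppet apply ... | grep -v 'warning:.*is deprecated'` makes the script's exit status that of `grep`, so a failed catalog run whose errors pass the filter is reported as success; POSIX `sh` has no `pipefail`, so either drop the filter or write the output to a file first (`puppet apply ... >"$log" 2>&1; rc=$?; grep -v 'warning:.*is deprecated' "$log"; exit $rc`). The `dpkg -l $PACKAGES` gate above it exits 0 for packages dpkg merely knows about (`un`/`rc` rows for removed or never-installed packages), so the install branch can be skipped on a host that lacks them; `apt-get install` is idempotent, so the gate can simply go, or check per package with `dpkg-query -W -f='${Status}\n'`. `git pull` followed by `puppet apply` as root applies whatever the remote currently serves with no tag or signature check; if that is the intended deployment model, say so in a comment beside `git pull`. `$@` should be `"$@"` so arguments containing spaces survive.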
@@ -17,11 +31,26 @@ install_prerequisites () { puppet apply $PUPPET_ENV --execute 'include lsb' } + # main -# commented for testing purposes -# this should be run once on every host on setup -#install_prerequisites +PUPPET_ENV='--confdir=puppet' + +long_opts="init" +getopt_out=$(getopt --name "${0##*/}" \ + --options "${short_opts}" --long "${long_opts}" -- "$@") && \ + eval set -- "${getopt_out}" || bad_usage +while [ $# -ne 0 ]; do + cur=${1}; next=${2}; + case "$cur" in + --help) usage ; exit 0;; + --init) install_prerequisites ; exit 0;; + --) shift; break;; + esac + shift; +done + +[ $# -gt 0 ] && bad_usage "too many arguments" # keep repository up to date git pull -- cgit v1.2.3 From 26327946f9f414960679f3bab201a6b1385f49c9 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 22:36:25 +0200 Subject: don't prompt when installing --- deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy.sh b/deploy.sh index 4606f27d..9a8fcccf 100755 --- a/deploy.sh +++ b/deploy.sh @@ -24,7 +24,7 @@ install_prerequisites () { if [ ! $? -eq 0 ] then apt-get update - apt-get install $PACKAGES + apt-get install -y $PACKAGES fi # lsb is needed for a first puppet run -- cgit v1.2.3 From caea416c370bd2f6aa4c012f4ca40ac312269ad1 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 10:42:49 +0200 Subject: use defaults.yaml as fallback --- puppet/hiera.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 4194c6c9..af448d57 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -7,6 +7,7 @@ :hierarchy: - %{fqdn} + - defaults #former hierarchy, not used anymore # - hosts/%{fqdn} # - ca/%{fqdn} -- cgit v1.2.3 From 4c5f0726d3eee0caa62f509743762968dc4b544b Mon Sep 17 00:00:00 2001 
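Review bot: `--help` can never reach its `case` branch because `long_opts="init"` does not list it, so getopt rejects the option and bad_usage runs instead; `${short_opts}` is likewise expanded without ever being assigned. Set both explicitly: `short_opts=""` and `long_opts="help,init"`. The new `[ $# -gt 0 ] && bad_usage "too many arguments"` guard also means the `$@` still forwarded to `puppet apply` further down (outside the hunk) is always empty, so either drop that forwarding or state in usage that extra puppet arguments are no longer accepted.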
From: varac Date: Sat, 13 Oct 2012 11:00:17 +0200 Subject: use debian unstable for couchdb --- puppet/modules/site_apt/files/unstable.list | 1 + puppet/modules/site_couchdb/manifests/init.pp | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 puppet/modules/site_apt/files/unstable.list create mode 100644 puppet/modules/site_couchdb/manifests/init.pp diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list new file mode 100644 index 00000000..0e289136 --- /dev/null +++ b/puppet/modules/site_apt/files/unstable.list @@ -0,0 +1 @@ +deb http://http.debian.net/debian unstable main diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp new file mode 100644 index 00000000..4e347567 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -0,0 +1,6 @@ +class site_config::couchdb { + apt::sources_list { "unstable.list": + source => [ "puppet:///modules/site_apt/unstable.list"], + } + +} -- cgit v1.2.3 From 01732be30c06919f85e4887a500f7e9b11e56e4f Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:08:22 +0200 Subject: use site_couchdb --- puppet/manifests/site.pp | 6 ++---- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index ef5c3a8a..e0b573ce 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -15,9 +15,7 @@ node 'default' { include site_config::eip } - if 'couchdb' in $services { - class { 'couchdb': - #bind => '0.0.0.0' - } + if 'couchdb' in $services { + include site_couchdb } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 4e347567..bb14595a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -1,6 +1,11 @@ -class site_config::couchdb { - apt::sources_list { "unstable.list": - source => [ "puppet:///modules/site_apt/unstable.list"], +class site_couchdb { + apt::sources_list { 'unstable.list': + source => [ 'puppet:///modules/site_apt/unstable.list'], + } + + + class { 'couchdb': + #bind => '0.0.0.0' } } -- cgit v1.2.3 From 3c244c02f4c6ddd6f361297ab63e41905fac96e5 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:14:55 +0200 Subject: include site_config again --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index e0b573ce..6abf9b48 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -4,7 +4,7 @@ node 'default' { include concat::setup # include some basic classes - #include site_config + include site_config # parse services for host $services=hiera_array('services') -- cgit v1.2.3 From 06a1546a36698dd75fb500ad2a12e9bbf9b43f03 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:30:30 +0200 Subject: install couchdb from unstable, see init.pp --- puppet/modules/site_couchdb/manifests/init.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index bb14595a..06c29181 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,8 +1,15 @@ class site_couchdb { + + # for now, we need to install couchdb from unstable, + # because of this bug while installing: + # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 + # can be removed when couchdb/1.2.0-2 is integrated into testing apt::sources_list { 'unstable.list': source => [ 'puppet:///modules/site_apt/unstable.list'], } - + apt::preferences_snippet{ + 'couchdb': release => "unstable", priority => 999; + } class { 'couchdb': #bind => '0.0.0.0' -- cgit v1.2.3 
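Review bot: The `apt::preferences_snippet` pin raises only couchdb to priority 999, but the `unstable.list` source declared just above still gives every other unstable package the default priority, so a routine `apt-get upgrade` can pull arbitrary packages from unstable onto the host. A companion pin that assigns the unstable release a low priority for all packages (the Debian convention is 1) keeps the effect scoped to couchdb; the exact parameters depend on the apt module's snippet definition, which is not visible here. The comment naming the Debian bug is good; add the exit condition next to the pin as well, e.g. `# TODO: drop unstable.list and this pin once couchdb >= 1.2.0-2 reaches testing`. The class body continues past the hunk.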
From 69c456f5a16fa4484754a809ded93ddd554b1d16 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Oct 2012 18:25:49 +0200 Subject: hiera config now in /etc/leap/hiera.yaml --- puppet/hiera.yaml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index af448d57..93448e23 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -5,22 +5,11 @@ :logger: console -:hierarchy: - - %{fqdn} - - defaults -#former hierarchy, not used anymore -# - hosts/%{fqdn} -# - ca/%{fqdn} -# - ca/defaults -# - eip/%{fqdn} -# - eip/defaults -# more services following -# - defaults - -# relative from where puppet is run, so we need to run puppet -# from the root dir of the leap_platform repo :yaml: - :datadir: ../config + :datadir: /etc/leap +:hierarchy: + - hiera + :puppet: :datasource: data -- cgit v1.2.3 From 2b9c04a66cdc591be22800fcbcf3010517d95e94 Mon Sep 17 00:00:00 2001 From: Kwadronaut Date: Wed, 24 Oct 2012 15:13:42 +0200 Subject: Adding getting started content, needs more cleanup --- README.md | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/README.md b/README.md index 6be733cb..9dc3470e 100644 --- a/README.md +++ b/README.md 
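Review bot: Dropping the `defaults` level means every key looked up with `hiera()` must now exist in the single `/etc/leap/hiera.yaml`, and a lookup without a default argument aborts catalog compilation instead of falling back; a comment above `:hierarchy:` such as `# single source: /etc/leap/hiera.yaml, no defaults level - every hiera() key must be present` would make that explicit. The README added later in this series tells the operator to edit `/etc/leap/hieradata/common.yaml`, which does not match `:datadir: /etc/leap` with the `hiera` hierarchy entry; one of the two should change. Removing the old `../config` remark about running from the repo root is correct now that the path is absolute.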
@@ -1,3 +1,79 @@ Leap Platform ============= +What is it? +----------- + +The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary packages and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. + +The LEAP Platform is essentially a git repository of puppet recipes, with a few scripts to help with bootstrapping and deployment. A service provider who wants to deploy LEAP services will clone or fork this repository, edit the main configuration file to specify which services should run on which hosts, and run scripts to deploy this configuration. + +Documentation +------------- +Most of the current documentation can be found in Readme files of the different pieces. Eventually this will be consolidated on the website https://leap.se + +Requirements +------------ +This highly depends on your (expected) user base. For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. You could use Vagrant or KVM to simulate a live deployment. + +For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. In it's initial release you can deploy OpenVPN, DNS, CouchDB and a webapp to administer your users (billing, help tickets,...). + +To get started you will need to have git, ruby1.8, rails, rubygems, bundler, ruby1.8-dev, libgpgme-ruby. + +Configuration +------------- +Edit config/ + + +Installation +------------ + +- Edit /etc/leap/hieradata/common.yaml for your needs +- Run the deploy.sh script as root + +git clone ssh://gitolite@leap.se/leap_platform +git clone ssh://gitolite@leap.se/leap_cli + + cd leap_cli + + bundle + + cd .. 
+ +git clone ssh://gitolite@leap.se/leap_testprovider +ln -s /home/me/dev/leap_cli/bin ~/bin # or whatever to have leap_cli/bin/leap in your path. +cd leap_testprovider +ln -s ../leap_platform . +cd leap_testprovider/provider +leap help +leap clean +leap compile +leap add-user --self + +More Information +---------------- +For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. + + +Following needs to be written: + +Copyright/License +----------------- + +Read LICENSE + +Known bugs +---------- + +Troubleshooting +--------------- + +Changelog +--------- + + +Authors and Credits +------------------ + +a file manifest + -- cgit v1.2.3 From 78bed6218cc6a52d812d0df23c537654bc6b5fed Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 09:43:58 +0200 Subject: README: git clone should use git: instead of ssh: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9dc3470e..641538bb 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,8 @@ Installation - Edit /etc/leap/hieradata/common.yaml for your needs - Run the deploy.sh script as root -git clone ssh://gitolite@leap.se/leap_platform -git clone ssh://gitolite@leap.se/leap_cli +git clone git://code.leap.se/leap_platform +git clone git://code.leap.se/leap_cli cd leap_cli @@ -40,7 +40,7 @@ git clone ssh://gitolite@leap.se/leap_cli cd .. -git clone ssh://gitolite@leap.se/leap_testprovider +git clone git://code.leap.se/leap_testprovider ln -s /home/me/dev/leap_cli/bin ~/bin # or whatever to have leap_cli/bin/leap in your path. cd leap_testprovider ln -s ../leap_platform . -- cgit v1.2.3 From b5a5bfb69f62f5f31f8e81bdcb0dcabb7b4082f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 15:34:27 +0200 Subject: replace hardcoded interface eth0 with hiera variable --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0902039c..31ee3e6c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,8 @@ class site_shorewall::eip { include site_shorewall::defaults + $interface = hiera('interface') + # define macro file { "/etc/shorewall/macro.leap_eip": content => 'PARAM - - tcp 53,80,443,1194 @@ -21,11 +23,11 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'eth0': - interface => 'eth0'; } + shorewall::routestopped {'$interface': + interface => '$interface'; } - shorewall::masq {'eth0': - interface => 'eth0', + shorewall::masq {'$interface': + interface => '$interface', source => ''; } shorewall::policy { -- cgit v1.2.3 From 76bbc01eae893206a8ed0d8d248ee565e3acdc61 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 15:35:24 +0200 Subject: use hiera gateway_address and interface variables --- puppet/modules/site_config/manifests/eip.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 95f9dbf4..df17771a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -5,13 +5,14 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - #$openvpn_configs=hiera('openvpn_server_configs') - #create_resources('site_openvpn::server_config', $openvpn_configs) - + $openvpn_config = hiera('openvpn') + $interface = hiera('interface') + $gateway_address = $openvpn_config['gateway_address'] + site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', - local => $::ipaddress_eth0_1, + local => $gateway_address, server => '10.1.0.0 255.255.248.0', push => '"dhcp-option DNS 10.1.0.1"', management => '127.0.0.1 1000' 
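Review bot: `'$interface'` in the routestopped and masq resources is single-quoted, so Puppet does not interpolate it and both the resource title and the `interface` parameter become the literal string `$interface` rather than the hiera value; use the bare variable, `shorewall::routestopped { $interface: interface => $interface; }`, and the same for `shorewall::masq`. `source => ''` on the masq entry is carried over unchanged; which networks are meant to be masqueraded is not evident from the hunk, so a one-line comment there would help the next reader. The class body continues outside both hunks.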
@@ -19,7 +20,7 @@ class site_config::eip { site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - local => $::ipaddress_eth0_1, + local => $gateway_address, server => '10.2.0.0 255.255.248.0', push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' -- cgit v1.2.3 From 6146c50f4ae9ef7b0887ee4abff66b5b62a6da9d Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:06:35 +0200 Subject: added submoule interfaces, from git://github.com/x-way/puppet-interfaces.git --- .gitmodules | 3 +++ puppet/modules/interfaces | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/interfaces diff --git a/.gitmodules b/.gitmodules index 10a21c03..e3e8d6db 100644 --- a/.gitmodules +++ b/.gitmodules @@ -34,3 +34,6 @@ [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb url = git://code.leap.se/puppet_couchdb +[submodule "puppet/modules/interfaces"] + path = puppet/modules/interfaces + url = git://github.com/x-way/puppet-interfaces.git diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces new file mode 160000 index 00000000..1d7dc717 --- /dev/null +++ b/puppet/modules/interfaces @@ -0,0 +1 @@ +Subproject commit 1d7dc7178881c56102c043e96763176f66445c1e -- cgit v1.2.3 From 8128fd27d9d3637654ebf924c860a701a4a08911 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:14:37 +0200 Subject: beginning config of main interface --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index df17771a..0077137b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -5,9 +5,25 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - $openvpn_config = hiera('openvpn') - $interface = hiera('interface') - $gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + $gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + + include interfaces + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", + 'netmask 255.255.255.0', + "gateway $gateway", + "up ip addr add $openvpn_gateway_address/24 dev eth0 label", + "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + ], + auto => 1, + allow_hotplug => 1 } + site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 92368db363406ebf47419814e1ac1bfc9f17c44a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:08:15 +0200 Subject: linted, variable updated --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 0077137b..57b6d831 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -12,16 +12,16 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", 'netmask 255.255.255.0', - "gateway $gateway", + "gateway $gateway_address", "up ip addr add $openvpn_gateway_address/24 dev eth0 label", "down ip addr del $openvpn_gateway_address/24 dev eth0 label", - ], - auto => 1, + ], + auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 
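Review bot: `"gateway $gateway"` references a variable that is never assigned in this class (the lookup above is `$gateway_address`), so the generated stanza most likely carries an empty gateway and the host can lose its default route on the next ifup; the line should read `"gateway $gateway_address",`. The `up`/`down` hooks also hardcode `dev eth0` while the resource is keyed on `$interface`, so they act on the wrong device on any host whose hiera value differs; use `dev $interface` in both. The class continues outside the hunk.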
From 8253e3ebeb88ba33131365a1b584878a12bbd225 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:14:23 +0200 Subject: removed label for ip addr --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 57b6d831..1beea9ce 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -18,8 +18,8 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0 label", - "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + "up ip addr add $openvpn_gateway_address/24 dev eth0", + "down ip addr del $openvpn_gateway_address/24 dev eth0", ], auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 From c40a1bce442aab4ba8baf062ffcb65e006ad13e0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 14:53:06 +0100 Subject: use script to add second ip --- puppet/modules/site_config/manifests/eip.pp | 47 +++++++++++++++++++---------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 1beea9ce..c81ad33a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -18,29 +18,44 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0", - "down ip addr del $openvpn_gateway_address/24 dev eth0", + "up ip addr add $openvpn_gateway_address/24 dev $interface", + "down ip addr del $openvpn_gateway_address/24 dev $interface", ], auto => 1, allow_hotplug => 1 } - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', - management => '127.0.0.1 1000' + #site_openvpn::server_config { 'tcp_config': + # port => '1194', + # proto => 'tcp', + # local => $gateway_address, + # server => '10.1.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.1.0.1"', + # management => '127.0.0.1 1000' + #} + #site_openvpn::server_config { 'udp_config': + # port => '1194', + # proto => 'udp', + # local => $gateway_address, + # server => '10.2.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.2.0.1"', + # management => '127.0.0.1 1001' + #} + + file { '/usr/local/bin/leap_add_second_ip.sh': + content => '#!/bin/sh + ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + mode => '0755', } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', - management => '127.0.0.1 1001' + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } + #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": + # path => '/usr/bin:/sbin', + # unless => "ip addr show dev $interface | grep -q '$interface/24'" + #} + include site_shorewall::eip } -- cgit v1.2.3 From 189e8957c23fb09ef8c130f64e53f58c9da7d3ec Mon Sep 17 00:00:00 2001 
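Review bot: The script body in `file { '/usr/local/bin/leap_add_second_ip.sh': content => '...' }` is a single-quoted Puppet string, so `$openvpn_gateway_address` is written into the file verbatim and is an unset shell variable at run time, making the script execute `ip addr add "/24" dev eth0`; the content needs a double-quoted string with the inner quotes escaped, or a template. Inside the script `dev eth0` is hardcoded even though `$interface` is available and is used for the same device in the `up`/`down` hooks in this hunk. The exec has no `refreshonly`, so it runs on every puppet run; that is only acceptable because the `grep -q` guard makes the script idempotent, which deserves a one-line comment on the exec. The class continues outside the hunk.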
From: varac Date: Mon, 29 Oct 2012 14:58:55 +0100 Subject: pass variable to leap_add_second_ip.sh --- puppet/modules/site_config/manifests/eip.pp | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c81ad33a..ed1d395b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -11,19 +11,18 @@ class site_config::eip { $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", - 'netmask 255.255.255.0', - "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev $interface", - "down ip addr del $openvpn_gateway_address/24 dev $interface", - ], - auto => 1, - allow_hotplug => 1 } - + #include interfaces + #interfaces::iface { $interface: + # family => 'inet', + # method => 'static', + # options => [ "address $ip_address", + # 'netmask 255.255.255.0', + # "gateway $gateway_address", + # "up ip addr add $openvpn_gateway_address/24 dev $interface", + # "down ip addr del $openvpn_gateway_address/24 dev $interface", + # ], + # auto => 1, + # allow_hotplug => 1 } #site_openvpn::server_config { 'tcp_config': # port => '1194', @@ -43,8 +42,8 @@ class site_config::eip { #} file { '/usr/local/bin/leap_add_second_ip.sh': - content => '#!/bin/sh - ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + content => "#!/bin/sh +ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", mode => '0755', } -- cgit v1.2.3 From 7c7c3f6ff9806febe903a9cfdef97c36e3743587 Mon Sep 17 00:00:00 2001 
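Review bot: The rewritten `content => "#!/bin/sh ... grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface"` nests unescaped double quotes inside a double-quoted Puppet string, which terminates the string early and will not parse; escape the inner quotes as `\"` or drop them, since an interpolated address contains no whitespace. Commenting out the `interfaces::iface` block rather than removing it leaves the canonical interface definition as dead text; if the `up`/`down` hooks are being abandoned in favour of the script, a comment saying so prevents both mechanisms from being re-enabled together later.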
From: varac Date: Mon, 29 Oct 2012 18:34:51 +0100 Subject: double double quoting solved --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ed1d395b..59889a92 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -43,7 +43,7 @@ class site_config::eip { file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", mode => '0755', } -- cgit v1.2.3 From 8d2b6978e809004f4bca38d4fef27149497ad309 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:01:48 +0100 Subject: linted --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 31ee3e6c..54f3ea6e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -8,7 +8,7 @@ class site_shorewall::eip { $interface = hiera('interface') # define macro - file { "/etc/shorewall/macro.leap_eip": + file { '/etc/shorewall/macro.leap_eip': content => 'PARAM - - tcp 53,80,443,1194 PARAM - - udp 53,80,443,1194 ', } -- cgit v1.2.3 From 7f82917633ad444e1a303df5bd02ebe29aa05921 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:02:05 +0100 Subject: no need for server-up.sh right now --- puppet/modules/site_openvpn/manifests/server_config.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
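Review bot: `grep -q ${openvpn_gateway_address}/24` treats the address as an unanchored regular expression, so the dots match any character and an existing `110.0.0.1/24` satisfies the guard for `10.0.0.1/24`, in which case the secondary address is never added; match it as a delimited fixed string instead, `grep -qF " ${openvpn_gateway_address}/24 "`, which fits the `inet A/24 ...` layout of `ip addr show`. The script also invokes `ip` by bare name while being launched both from a puppet exec with no `path` and later from cron, where PATH differs; calling it by absolute path removes that dependency. The class continues outside the hunk.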
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..f4c5237e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -92,10 +92,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', -- cgit v1.2.3 From 372797b1f0b2a65698e8f4cd52fdf5d93a274965 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:04:23 +0100 Subject: reenabled site_openvpn::server_config, leap_add_second_ip.sh @reboot --- puppet/modules/site_config/manifests/eip.pp | 57 +++++++++++------------------ 1 file changed, 21 insertions(+), 36 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 59889a92..498d7eed 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -2,44 +2,28 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - #$tor=hiera('tor') - #notice("Tor enabled: $tor") - $ip_address = hiera('ip_address') $interface = hiera('interface') $gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - #include interfaces - #interfaces::iface { $interface: - # family => 'inet', - # method => 'static', - # options => [ "address $ip_address", - # 'netmask 255.255.255.0', - # "gateway $gateway_address", - # "up ip addr add $openvpn_gateway_address/24 dev $interface", - # "down ip addr del $openvpn_gateway_address/24 dev $interface", - # ], - # auto => 1, - # allow_hotplug => 1 } - - #site_openvpn::server_config { 'tcp_config': - # port => '1194', - # proto => 'tcp', - # local => $gateway_address, - # server => '10.1.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.1.0.1"', - # management => '127.0.0.1 1000' - #} - #site_openvpn::server_config { 'udp_config': - # port => '1194', - # proto => 'udp', - # local => $gateway_address, - # server => '10.2.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.2.0.1"', - # management => '127.0.0.1 1001' - #} + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_gateway_address, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => '127.0.0.1 1001' + } file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh 
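Review bot: Both server_config resources bind `local => $openvpn_gateway_address`, the secondary address that exists only after Exec['/usr/local/bin/leap_add_second_ip.sh'] (or the `@reboot` cron in the next hunk) has run, yet nothing orders the OpenVPN service after that exec, so on a first run or a reboot the daemon can start before its listen address is present; give the exec `before => Class['site_openvpn']` or an equivalent relationship on whatever resource starts the service, and an interface `up` hook would cover the reboot case more reliably than cron. The `management => '127.0.0.1 1000'` and `'127.0.0.1 1001'` entries expose the OpenVPN management socket on localhost with no `management-client-auth` or password file, so any local account can attach to and control the daemon; restrict it or record the assumption that no untrusted local users exist. The class body continues outside the hunk.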
@@ -51,10 +35,11 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } - #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": - # path => '/usr/bin:/sbin', - # unless => "ip addr show dev $interface | grep -q '$interface/24'" - #} + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } include site_shorewall::eip } -- cgit v1.2.3 From 7361c79e1e864c16450455a3ae374393a04f9eb7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:27:52 +0100 Subject: no need for gateway_address --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 498d7eed..15bf8be2 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -4,7 +4,7 @@ class site_config::eip { $ip_address = hiera('ip_address') $interface = hiera('interface') - $gateway_address = hiera('gateway_address') + #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] -- cgit v1.2.3 From c72160f993345c184ce01d7e4c14c9923fc194e9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:48:02 +0100 Subject: move interface definition for eth0 to eip.pp, use variable --- puppet/modules/site_shorewall/manifests/defaults.pp | 4 ---- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
@@ -10,8 +10,4 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - shorewall::interface {'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; - } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 54f3ea6e..0c9bfa9c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,6 +13,13 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } + + # define interfaces + shorewall::interface {"$interface": + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -20,6 +27,7 @@ PARAM - - udp 53,80,443,1194 zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } -- cgit v1.2.3 From fa31e200b5cbf4ac9b01a864410d535cbf84420d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:07:07 +0100 Subject: put in double quotes --- puppet/modules/site_shorewall/manifests/eip.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0c9bfa9c..87e1e16f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,9 +13,9 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } - + # define interfaces - shorewall::interface {"$interface": + shorewall::interface { $interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } 
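Review bot: Removing `shorewall::interface {'eth0': zone => 'net' ...}` from site_shorewall::defaults means any host that includes the defaults class without site_shorewall::eip no longer declares an interface for the `net` zone at all; whether such hosts exist is not visible here, but if they do, shorewall will refuse to start on them after this commit. Tying the interface to the hiera lookup is right; the safer shape is for defaults itself to read `hiera('interface')` and declare the net interface, leaving eip.pp to add only `tun0` and the eip zone. In the eip.pp hunk, `shorewall::interface {"$interface":` needs no quotes; `$interface` alone is the lint-clean form.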
@@ -31,11 +31,12 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'$interface': - interface => '$interface'; } + shorewall::routestopped { $interface: + interface => $interface; } + - shorewall::masq {'$interface': - interface => '$interface', + shorewall::masq {"$interface": + interface => $interface, source => ''; } shorewall::policy { -- cgit v1.2.3 From d235cd5292783722653ff34b35ce28ff31d30935 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:57:34 +0100 Subject: pass ssh_port to shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 87e1e16f..230752dc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,13 +5,15 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] # define macro file { '/etc/shorewall/macro.leap_eip': - content => 'PARAM - - tcp 53,80,443,1194 + content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 -', } +", } # define interfaces -- cgit v1.2.3 From c26c2c18d0abb7dec76a748bf0c2c2f9000298da Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:17:26 +0100 Subject: openvpn_tcp/udp_network_prefix and openvpn_tcp/udp_netmask variables --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 15bf8be2..ecac446b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
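Review bot: Adding `$ssh_port` to the TCP list of `macro.leap_eip` widens whatever rule uses this macro to include the host's SSH port; the rule is not in the hunk, but if the macro is the eip-to-firewall allow list, every VPN client gains direct access to the gateway's SSH service. If that is intended, say so in a comment on the macro; otherwise SSH should stay reachable only on the admin path. `$ssh_config['port']` most likely yields an empty field when the hiera `ssh` hash has no `port` key, producing `tcp 53,80,443,1194,` in the macro, so either document the key as required or supply a default.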
@@ -2,26 +2,30 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", local => $openvpn_gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } -- cgit v1.2.3 From 1e3e9658a2309569e73d6bef72d441a6851d2653 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:22:37 +0100 Subject: also provide openvpn_tcp/udp_cidr variable --- puppet/modules/site_config/manifests/eip.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ecac446b..d7a59157 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -9,8 +9,10 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 1f7dbac75c5c2a610ca4e6763109fd3e06c9072a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:25:11 +0100 Subject: configure tcp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 230752dc..0849d711 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,9 +37,9 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq {"$interface": + shorewall::masq { $interface: interface => $interface, - source => ''; } + source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 0d89ea18da5dd520bf71df42e15b813b706e2189 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:46:04 +0100 Subject: configure tcp+udp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0849d711..5105b85a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
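Review bot: `$openvpn_tcp_cidr = '21'` is a third hand-maintained spelling of the subnet that `$openvpn_tcp_network_prefix` and `$openvpn_tcp_netmask = '255.255.248.0'` already encode, and nothing ties the values together, so they can drift silently; the udp trio added in the same hunk has the same problem. A comment on each pair would at least make the invariant visible: `# netmask and cidr must describe the same prefix length (255.255.248.0 == /21)`. Deriving one from the other with a stdlib function would be better, but no such helper is visible in this view.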
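Review bot: `source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"` reads variables from another class, and if `site_config::eip` has not been evaluated before `site_shorewall::eip` the lookups yield undef, so the masq source becomes `.0/` without any error at catalog time. Declaring the dependency here, e.g. `include site_config::eip` at the top of the class (or `Class['site_config::eip'] -> Class['site_shorewall::eip']` where both are declared), makes the ordering explicit. The same cross-class pattern appears in the udp masq added by 'configure tcp+udp masquerading' and in `site_shorewall::dnat_rule` and the `$openvpn_gateway_address` assignment added by 'add dnat rule to redirect other ports to port 1194'.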
@@ -39,7 +39,11 @@ PARAM - - udp 53,80,443,1194 shorewall::masq { $interface: interface => $interface, - source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + + shorewall::masq { $interface: + interface => $interface, + source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 04d324a61cb33ff282e2dc3228e25723b564ea1f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:49:14 +0100 Subject: differentiate masq definition names --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 5105b85a..a5af0dde 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,11 +37,11 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_tcp": interface => $interface, source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_udp": interface => $interface, source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } -- cgit v1.2.3 From 2f747b961a1fd5f7197e63dde58b64ab465ac39d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:16:49 +0100 Subject: commenting --- puppet/modules/site_config/manifests/eip.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index d7a59157..4280fb67 100644 --- a/puppet/modules/site_config/manifests/eip.pp 
+++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,7 +1,6 @@ class site_config::eip { - include site_openvpn - include site_openvpn::keys + # parse hiera config $ip_address = hiera('ip_address') $interface = hiera('interface') #$gateway_address = hiera('gateway_address') @@ -14,6 +13,12 @@ class site_config::eip { $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', @@ -31,6 +36,7 @@ class site_config::eip { management => '127.0.0.1 1001' } + # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", -- cgit v1.2.3 From 038380e042289a9586141d7154febea2a2a6a56c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:18:06 +0100 Subject: prettyfying --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index f4c5237e..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, -- cgit v1.2.3 From 9586f6ec95b6bdba7ca3df4135055f2cced9e972 Mon Sep 17 00:00:00 2001 
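Review bot: The first hunk moves `include site_openvpn` and `include site_openvpn::keys` below the variable assignments, but the new comments (`# parse hiera config`, `# deploy ca + server keys`) do not say why the order matters; presumably the included classes read `$site_config::eip::...` variables that only exist once this class has evaluated them, which would make the ordering load-bearing. A comment such as `# keep these includes after the variables above: site_openvpn reads them via site_config::eip::*` would protect it from a later tidy-up. The remainder of class site_config::eip lies outside these hunks.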
From: varac Date: Tue, 30 Oct 2012 12:41:17 +0100 Subject: start shorewall by default --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a5af0dde..34268125 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + #$shorewall_startup='0' include site_shorewall::defaults -- cgit v1.2.3 From b4a32c98e5bd2184f6fc5fef1300e35ab36dbb99 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 15:14:06 +0100 Subject: no need for configuring authorized_keys as leap_cli cares for that --- puppet/modules/site_config/manifests/sshd.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 4834bb6f..944dbce2 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -1,8 +1,9 @@ class site_config::sshd { - # configure ssh and inculde ssh-keys + # configure sshd include sshd - $ssh_pubkeys=hiera_hash('ssh_pubkeys') include site_sshd - notice($ssh_pubkeys) - create_resources('site_sshd::ssh_key', $ssh_pubkeys) + # no need for configuring authorized_keys as leap_cli cares for that + #$ssh_pubkeys=hiera_hash('ssh_pubkeys') + #notice($ssh_pubkeys) + #create_resources('site_sshd::ssh_key', $ssh_pubkeys) } -- cgit v1.2.3 From 69ba8553f483d99782775e8ed5ab01cd45a75e72 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 16:01:41 +0100 Subject: configure unstable pinning for couchdb before install --- puppet/modules/site_couchdb/manifests/init.pp | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) 
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 06c29181..a9e6343a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,18 +1,5 @@ class site_couchdb { - # for now, we need to install couchdb from unstable, - # because of this bug while installing: - # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 - # can be removed when couchdb/1.2.0-2 is integrated into testing - apt::sources_list { 'unstable.list': - source => [ 'puppet:///modules/site_apt/unstable.list'], - } - apt::preferences_snippet{ - 'couchdb': release => "unstable", priority => 999; - } - - class { 'couchdb': - #bind => '0.0.0.0' - } + class {'site_couchdb::package':} -> class {'site_couchdb::configure':} } -- cgit v1.2.3 From 761e87e8ab93bfab4bd81b25125c1c8fb554c8a5 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 16:41:51 +0100 Subject: try explicit class relation --- puppet/modules/site_couchdb/manifests/init.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index a9e6343a..57b1d038 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,10 @@ class site_couchdb { - class {'site_couchdb::package':} -> class {'site_couchdb::configure':} + # install couchdb package first, then configure it + + Class[site_couchdb::package] -> Class[site_couchdb::configure] + + include site_couchdb::package + include site_couchdb::configure } -- cgit v1.2.3 From 139fe307ebc544e95f7c84bc921bbed3d9f20857 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 30 Oct 2012 16:42:00 +0100 Subject: try explicit class relation --- puppet/modules/site_couchdb/manifests/configure.pp | 7 +++++++ puppet/modules/site_couchdb/manifests/package.pp | 13 +++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/configure.pp create mode 100644 puppet/modules/site_couchdb/manifests/package.pp diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp new file mode 100644 index 00000000..969e2e4d --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -0,0 +1,7 @@ +class site_couchdb::configure { + #Class[site_couchdb::package] -> Class[site_couchdb::configure] + class { 'couchdb': + #bind => '0.0.0.0' + } + +} diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp new file mode 100644 index 00000000..c091316a --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/package.pp @@ -0,0 +1,13 @@ +class site_couchdb::package { + + # for now, we need to install couchdb from unstable, + # because of this bug while installing: + # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 + # can be removed when couchdb/1.2.0-2 is integrated into testing + apt::sources_list { 'unstable.list': + source => [ 'puppet:///modules/site_apt/unstable.list'], + } + apt::preferences_snippet{ + 'couchdb': release => 'unstable', priority => 999; + } +} -- cgit v1.2.3 From b9141fa98a3d22ee738ad7add3fed445a9576346 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 22:25:08 +0100 Subject: add dnat rule to redirect other ports to port 1194 --- .../modules/site_shorewall/manifests/dnat_rule.pp | 25 +++++++++++++ puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++---------- 2 files changed, 49 insertions(+), 18 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/dnat_rule.pp 
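Review bot: `site_couchdb::package` enables the whole unstable suite via `apt::sources_list { 'unstable.list': ... }` but pins only `couchdb` (priority 999); unless `site_apt` already pins `release unstable` to a low priority for every other package, the suite sits at the default priority and a routine `apt-get upgrade` can pull unrelated packages from unstable. A blanket low-priority snippet next to the couchdb one closes that gap, e.g. `apt::preferences_snippet { 'unstable_default': package => '*', release => 'unstable', priority => 1; }` — whether that parameter set matches this apt module's define I cannot confirm from here. The existing comment already records the Debian bug and the removal condition, which is good.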
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp new file mode 100644 index 00000000..4fc62f85 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -0,0 +1,25 @@ +define site_shorewall::dnat_rule { + + $port = $name + if $port != 1194 { + shorewall::rule { + "dnat_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + + shorewall::rule { + "dnat_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } + } +} diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 34268125..7a86db21 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,18 +1,24 @@ class site_shorewall::eip { # be safe for development - #$shorewall_startup='0' + $shorewall_startup='0' include site_shorewall::defaults - $interface = hiera('interface') - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + $openvpn_config = hiera('openvpn') + $openvpn_ports = $openvpn_config['ports'] + $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address - # define macro + notify {"openvpn: $openvpn":} + notify {"openvpn_ports: $openvpn_ports":} + + # define macro, allowing incoming openvpn and ssh file { '/etc/shorewall/macro.leap_eip': - content => "PARAM - - tcp 53,80,443,1194,$ssh_port -PARAM - - udp 53,80,443,1194 + content => "PARAM - - tcp 1194,$ssh_port +PARAM - - udp 1194 ", } 
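Review bot: `site_shorewall::dnat_rule` takes the port from `$name` and passes it to `destinationport` unvalidated, and the `1194` it both compares against and redirects to is hard-coded here while site_config::eip configures the same port via `port => '1194'`, so the two can drift. A guard such as `if $port !~ /^\d+$/ { fail("dnat_rule: port '${port}' is not numeric") }` before the `if $port != 1194` test, plus a header comment like `# DNAT tcp+udp <port> from net to the openvpn gateway's port 1194, so extra listen ports need no extra openvpn instances`, would make the define self-describing. Note also that `${site_config::eip::openvpn_gateway_address}` is read across classes, so the destination silently becomes `$FW::1194` if site_config::eip is not evaluated first.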
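Review bot: `notify {"openvpn: $openvpn":}` references `$openvpn`, which is never assigned in this class (the hiera hash is stored in `$openvpn_config`), so the message prints an empty value; both `notify` resources look like debugging left in, and they copy hiera data into every agent log and report. Just as importantly, `$shorewall_startup='0'` is uncommented again, reverting the earlier 'start shorewall by default' commit and — judging by the `# be safe for development` comment — leaving the firewall not started on boot; if that is deliberate while the DNAT rules are tested, the comment should say so and the line should not reach production hosts. The rest of the class (rules, policies) is outside this hunk.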
@@ -65,12 +71,7 @@ PARAM - - udp 53,80,443,1194 action => 'Ping(ACCEPT)', order => 200; - 'net2fw-ssh': - source => 'net', - destination => '$FW', - action => 'SSH(ACCEPT)', - order => 200; - 'net2fw-openvpn': + 'net2fw-openvpn_ssh': source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', @@ -93,10 +94,15 @@ PARAM - - udp 53,80,443,1194 action => 'Git(ACCEPT)', order => 200; - 'eip2fw-https': - source => 'eip', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; + #'eip2fw-https': + # source => 'eip', + # destination => '$FW', + # action => 'HTTPS(ACCEPT)', + # order => 200; } + + # create dnat rule for each port + #create_resources('site_shorewall::dnat_rule', $openvpn_ports) + site_shorewall::dnat_rule { $openvpn_ports: } + } -- cgit v1.2.3 From ffc0bba5390b30093b0cfdf9f927ba1f7db66ee8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:15:54 +0100 Subject: another try of class relationships --- puppet/modules/site_couchdb/manifests/configure.pp | 4 ++-- puppet/modules/site_couchdb/manifests/init.pp | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 969e2e4d..3ab87e1e 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,7 +1,7 @@ class site_couchdb::configure { - #Class[site_couchdb::package] -> Class[site_couchdb::configure] + Class[site_couchdb::package] -> Class[couchdb] class { 'couchdb': + require => Class['site_couchdb::package'] #bind => '0.0.0.0' } - } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 57b1d038..e27bdd59 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -1,10 +1,10 @@ class site_couchdb { # install couchdb package first, then configure it - - Class[site_couchdb::package] -> Class[site_couchdb::configure] + Class['site_couchdb::package'] -> Class['site_couchdb::configure'] include site_couchdb::package include site_couchdb::configure + include couchdb::deploy_config } -- cgit v1.2.3 From 659f145711fefd0bf1046088ce89aa70448fe6f9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:18:07 +0100 Subject: custom local.ini with ssl support --- puppet/modules/site_couchdb/files/local.ini | 84 +++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/local.ini diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini new file mode 100644 index 00000000..0da2fb44 --- /dev/null +++ b/puppet/modules/site_couchdb/files/local.ini 
@@ -0,0 +1,84 @@ +; CouchDB Configuration Settings + +; Custom settings should be made in this file. They will override settings +; in default.ini, but unlike changes made to default.ini, this file won't be +; overwritten on server upgrade. + +[couchdb] +;max_document_size = 4294967296 ; bytes + +[httpd] +;port = 5984 +;bind_address = 127.0.0.1 +; Options for the MochiWeb HTTP server. +;server_options = [{backlog, 128}, {acceptor_pool_size, 16}] +; For more socket options, consult Erlang's module 'inet' man page. +;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}] + +; Uncomment next line to trigger basic-auth popup on unauthorized requests. +;WWW-Authenticate = Basic realm="administrator" + +; Uncomment next line to set the configuration modification whitelist. Only +; whitelisted values may be changed via the /_config URLs. To allow the admin +; to change this value over HTTP, remember to include {httpd,config_whitelist} +; itself. Excluding it from the list would require editing this file to update +; the whitelist. +;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}] + +[httpd_global_handlers] +;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} + +[couch_httpd_auth] +; If you set this to true, you should also uncomment the WWW-Authenticate line +; above. If you don't configure a WWW-Authenticate header, CouchDB will send +; Basic realm="server" in order to prevent you getting logged out. +; require_valid_user = false + +[log] +;level = debug + +[os_daemons] +; For any commands listed here, CouchDB will attempt to ensure that +; the process remains alive while CouchDB runs as well as shut them +; down when CouchDB exits. +;foo = /path/to/command -with args + +[daemons] +; enable SSL support by uncommenting the following line and supply the PEM's below. 
+; the default ssl port CouchDB listens on is 6984 +httpsd = {couch_httpd, start_link, [https]} + +[ssl] +cert_file = /etc/couchdb/server_cert.pem +key_file = /etc/couchdb/server_key.pem +;password = somepassword +; set to true to validate peer certificates +verify_ssl_certificates = false +; Path to file containing PEM encoded CA certificates (trusted +; certificates used for verifying a peer certificate). May be omitted if +; you do not want to verify the peer. +;cacert_file = /full/path/to/cacertf +; The verification fun (optionnal) if not specidied, the default +; verification fun will be used. +;verify_fun = {Module, VerifyFun} +ssl_certificate_max_depth = 1 +; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to +; the Virual Host will be redirected to the path. In the example below all requests +; to http://example.com/ are redirected to /database. +; If you run CouchDB on a specific port, include the port number in the vhost: +; example.com:5984 = /database + +[vhosts] +;example.com = /database/ + +[update_notification] +;unique notifier name=/full/path/to/exe -with "cmd line arg" + +; To create an admin account uncomment the '[admins]' section below and add a +; line in the format 'username = password'. When you next start CouchDB, it +; will change the password to a hash (so that your passwords don't linger +; around in plain-text files). You can add more admin accounts with more +; 'username = password' lines. Don't forget to restart CouchDB after +; changing this. +[admins] +;admin = mysecretpassword -- cgit v1.2.3 From f94788ce35c564babedb987e2c01d44021898739 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:23:55 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8daa8625..3fbdba6f 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
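Review bot: With the `[admins]` header active and `;admin = mysecretpassword` left commented, this local.ini ships a CouchDB with no admin account, and `require_valid_user` stays at its commented default, so until an admin is created every request — including over the newly enabled `httpsd` listener — carries full administrative rights (CouchDB's "admin party"). `verify_ssl_certificates = false` concerns client certificates only, so the TLS listener does nothing to restrict who can reach the instance, and `bind_address` is likewise left to its default. A comment on the `[admins]` header should point at wherever the real admin entry is managed (it is not in this file), and `bind_address` / `require_valid_user` deserve an explicit, deliberate value rather than a commented default.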
@@ -1 +1 @@ -Subproject commit 8daa862541facd5207a75760f3656e857faf73fd +Subproject commit 3fbdba6f03758337350f3e43352f993b74ff72a8 -- cgit v1.2.3 From 628b60f3db3f9150ae456f976a44916affd08e20 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:33:15 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 3fbdba6f..8ccd0565 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 3fbdba6f03758337350f3e43352f993b74ff72a8 +Subproject commit 8ccd0565c9afdee9dd9d916063a98c209940716d -- cgit v1.2.3 From ced30b2e8eb182fa099d407e2d969288bb07b0dd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:39:37 +0100 Subject: deploy ssl certs --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e27bdd59..8865bde8 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -6,5 +6,6 @@ class site_couchdb { include site_couchdb::package include site_couchdb::configure + include couchdb::ssl::deploy_certs include couchdb::deploy_config } -- cgit v1.2.3 From 4b26a17f6e2e01e7c9fd810cbae2e01be24b8438 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:54:15 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8ccd0565..293e609c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 8ccd0565c9afdee9dd9d916063a98c209940716d +Subproject commit 293e609c70157cbe73e9a7962b6bc9b5393b3778 -- cgit v1.2.3 From 60c9f0ed9cb957efcbd9972512f5a17a5d828651 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 1 Nov 2012 10:05:46 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 293e609c..fd8c6d94 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 293e609c70157cbe73e9a7962b6bc9b5393b3778 +Subproject commit fd8c6d9481910d7ee587cbd1098346da868f5068 -- cgit v1.2.3 From 9f7a64ab2813e2c475a776efff4ad9a380ca6cc1 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 10:09:37 +0100 Subject: deploy ssl cert working --- puppet/modules/site_couchdb/manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 8865bde8..f1cca46f 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,11 +1,19 @@ class site_couchdb { + $couchdb_config = hiera('couchdb') + $key = $couchdb_config['key'] + $cert = $couchdb_config['crt'] + # install couchdb package first, then configure it Class['site_couchdb::package'] -> Class['site_couchdb::configure'] include site_couchdb::package include site_couchdb::configure - include couchdb::ssl::deploy_certs + + couchdb::ssl::deploy_cert { 'cert': + key => $key, + cert => $cert, + } include couchdb::deploy_config } -- cgit v1.2.3 From 6a2453574e45b6778bfc66fc12a47421669d1614 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 15:15:11 +0100 Subject: use couchdb x509 hiera values --- puppet/modules/site_couchdb/manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index f1cca46f..e3f5e59f 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -1,8 +1,8 @@ class site_couchdb { - $couchdb_config = hiera('couchdb') - $key = $couchdb_config['key'] - $cert = $couchdb_config['crt'] + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] # install couchdb package first, then configure it Class['site_couchdb::package'] -> Class['site_couchdb::configure'] -- cgit v1.2.3 From 7a9b7bed9cd8e2f2c02c4ce3627c874350d954f7 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 2 Nov 2012 16:19:04 +0100 Subject: accept all outgoing traffic on eip gw --- puppet/modules/site_shorewall/manifests/eip.pp | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 34268125..e94c7db4 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,9 +7,9 @@ class site_shorewall::eip { $interface = hiera('interface') $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] + $ssh_port = $ssh_config['port'] - # define macro + # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 @@ -51,6 +51,11 @@ PARAM - - udp 53,80,443,1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; + 'fw-to-all': + sourcezone => '$FW', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', @@ -59,12 +64,14 @@ PARAM - - udp 53,80,443,1194 } shorewall::rule { + # ping party 'all2all-ping': source => 'all', destination => 'all', action => 'Ping(ACCEPT)', order => 200; + # outside to server 'net2fw-ssh': source => 'net', destination => '$FW', @@ -76,7 +83,7 @@ PARAM - - udp 53,80,443,1194 action => 'leap_eip(ACCEPT)', order => 200; - # eip gw itself to outside + # server to outside 'fw2all-http': source => '$FW', destination => 'all', 
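Review bot: `$key = $x509['key']` pulls the private key out of hiera and hands it to `couchdb::ssl::deploy_cert` as a resource parameter, so the key material is embedded in the compiled catalog and can surface in reports, debug output or file diffs; the define itself is outside this view, so I cannot confirm it writes the key with a restrictive mode. A comment here, e.g. `# x509.key is a private key: deploy_cert must write it 0600 and never log its content`, plus a check that the define sets `mode`/`owner` accordingly, would make that expectation explicit.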
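Review bot: The new `'fw-to-all'` policy accepts everything from `$FW` to every zone at order 100, which also covers `$FW -> eip` (the VPN clients) and makes the per-service `fw2all-http` rule (and any other `fw2all-*` rules) redundant; if only outbound access from the gateway to the Internet is wanted, `destinationzone => 'net'` is the narrower choice. Either way a comment on the policy entry should state the intent, e.g. `# gateway itself may initiate connections anywhere (no per-service fw2all rules needed)`. The `all-to-all` policy's action and the end of the `shorewall::policy` block are outside this hunk.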
@@ -93,10 +100,11 @@ PARAM - - udp 53,80,443,1194 action => 'Git(ACCEPT)', order => 200; - 'eip2fw-https': - source => 'eip', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; + # Webfrontend is running on another server + #'eip2fw-https': + # source => 'eip', + # destination => '$FW', + # action => 'HTTPS(ACCEPT)', + # order => 200; } } -- cgit v1.2.3 From 82c21f345c78c4f06e4aa78ab6020f1393816812 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 10:18:38 +0100 Subject: added local.d/admin.ini to set admin pw --- puppet/modules/site_couchdb/manifests/configure.pp | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 3ab87e1e..0d0eb24f 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,7 +1,18 @@ class site_couchdb::configure { - Class[site_couchdb::package] -> Class[couchdb] + Class[site_couchdb::package] -> Class[couchdb] + class { 'couchdb': - require => Class['site_couchdb::package'] - #bind => '0.0.0.0' + require => Class['site_couchdb::package'], + } + + $adminpw = hiera('couchdb_adminpw') + file { '/etc/couchdb/local.d/admin.ini': + content => "[admins] +admin = $adminpw +", + mode => '0600', + owner => 'couchdb', + group => 'couchdb', + notify => Service[couchdb] } } -- cgit v1.2.3 From 5abce06ff562fb508504af4370c0cc8eda266b56 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 10:19:24 +0100 Subject: [admins] section moved to local.d/admin.ini --- puppet/modules/site_couchdb/files/local.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 0da2fb44..79dd112e 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini 
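Review bot: `file { '/etc/couchdb/local.d/admin.ini': content => "[admins]\nadmin = $adminpw\n" ... }` will fight CouchDB on every run: as the comment in local.ini states, CouchDB rewrites a plaintext `admin = password` line into a hash on restart, so Puppet sees the content differ, writes the plaintext back and restarts the service each time. Either supply the already-hashed value or make the resource create-only with `replace => false,` next to `content`, accepting that a later password change in hiera then needs a manual step. Mode 0600 / owner couchdb is right; if this Puppet version supports the per-file `show_diff` parameter, `show_diff => false` also keeps the plaintext out of agent logs.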
@@ -80,5 +80,5 @@ ssl_certificate_max_depth = 1 ; around in plain-text files). You can add more admin accounts with more ; 'username = password' lines. Don't forget to restart CouchDB after ; changing this. -[admins] +;[admins] ;admin = mysecretpassword -- cgit v1.2.3 From 16f007c540d56c2e64c1f73bd1ff49674bd0afeb Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 10:21:49 +0100 Subject: added submodule apache from git://labs.riseup.net/shared-apache --- .gitmodules | 3 +++ puppet/modules/apache | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/apache diff --git a/.gitmodules b/.gitmodules index e3e8d6db..dd5aa4f0 100644 --- a/.gitmodules +++ b/.gitmodules @@ -37,3 +37,6 @@ [submodule "puppet/modules/interfaces"] path = puppet/modules/interfaces url = git://github.com/x-way/puppet-interfaces.git +[submodule "puppet/modules/apache"] + path = puppet/modules/apache + url = git://labs.riseup.net/shared-apache diff --git a/puppet/modules/apache b/puppet/modules/apache new file mode 160000 index 00000000..9f12e863 --- /dev/null +++ b/puppet/modules/apache @@ -0,0 +1 @@ +Subproject commit 9f12e8635b4253955e19ed6b18d90142ed27d2f8 -- cgit v1.2.3 From 5493d362f7b3abd6c8aa9350341a551c53622604 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 11:33:38 +0100 Subject: configure apache ssl proxy for couchdb --- puppet/modules/site-apache | 1 + .../site_apache/files/vhosts.d/couchdb_proxy.conf | 10 ++++++++++ puppet/modules/site_couchdb/files/local.ini | 10 +++++----- puppet/modules/site_couchdb/manifests/init.pp | 18 +++++++++++++----- 4 files changed, 29 insertions(+), 10 deletions(-) create mode 120000 puppet/modules/site-apache create mode 100644 puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf diff --git a/puppet/modules/site-apache b/puppet/modules/site-apache new file mode 120000 index 00000000..f0517fa5 --- /dev/null +++ b/puppet/modules/site-apache @@ -0,0 +1 @@ +site_apache \ No newline at end of file 
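Review bot: The new submodule is fetched over `git://`, which provides neither transport authentication nor integrity, so anyone on the network path can serve a different tree; the same applies to the `puppet_apache` URL added to `.gitmodules` later on this page (commit `changed submodule remote for apache to use leap one`) and to the existing entries. The pinned `Subproject commit` protects a plain `git submodule update`, because the fetched objects must hash to the pinned id, but any `--remote` update or a manual fetch of the branch tip trusts the network. Prefer an `https://` URL in the form `url = https://labs.riseup.net/shared-apache` (constructed example, confirm the host serves it) and keep the commit pin.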
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf new file mode 100644 index 00000000..79ad931d --- /dev/null +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -0,0 +1,10 @@ +Listen 0.0.0.0:6984 + + + SSLEngine On + SSLProxyEngine On + SSLCertificateKeyFile /etc/couchdb/server_key.pem + SSLCertificateFile /etc/couchdb/server_cert.pem + ProxyPass / http://127.0.0.1:5984/ + ProxyPassReverse / http://127.0.0.1:5984/ + diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 79dd112e..485c9a29 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -46,14 +46,14 @@ [daemons] ; enable SSL support by uncommenting the following line and supply the PEM's below. ; the default ssl port CouchDB listens on is 6984 -httpsd = {couch_httpd, start_link, [https]} +;httpsd = {couch_httpd, start_link, [https]} [ssl] -cert_file = /etc/couchdb/server_cert.pem -key_file = /etc/couchdb/server_key.pem +;cert_file = /etc/couchdb/server_cert.pem +;key_file = /etc/couchdb/server_key.pem ;password = somepassword ; set to true to validate peer certificates -verify_ssl_certificates = false +;verify_ssl_certificates = false ; Path to file containing PEM encoded CA certificates (trusted ; certificates used for verifying a peer certificate). May be omitted if ; you do not want to verify the peer. @@ -61,7 +61,7 @@ verify_ssl_certificates = false ; The verification fun (optionnal) if not specidied, the default ; verification fun will be used. ;verify_fun = {Module, VerifyFun} -ssl_certificate_max_depth = 1 +;ssl_certificate_max_depth = 1 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to ; the Virual Host will be redirected to the path. In the example below all requests ; to http://example.com/ are redirected to /database. 
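Review bot: `Listen 0.0.0.0:6984` binds the proxy on every interface and the vhost carries no `SSLProtocol` or `SSLCipherSuite` directive, so whatever the Apache build defaults to (which on releases of that era still included SSLv3) is negotiated; add at least `SSLProtocol all -SSLv2 -SSLv3` and, if only some clients need it, bind to their address. `SSLProxyEngine On` is not needed for the plain `http://127.0.0.1:5984/` backend and can be dropped. The vhost's opening and closing tags are not visible in this hunk, which may be an artifact of the page rendering, so confirm the file really contains them. This change also disables CouchDB's own `httpsd` in `local.ini` but leaves the plain 5984 listener as the real endpoint; its bind address is not part of the change and must stay loopback-only for the proxy to be the only way in.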
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e3f5e59f..b296279c 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -9,11 +9,19 @@ class site_couchdb { include site_couchdb::package include site_couchdb::configure + include couchdb::deploy_config - couchdb::ssl::deploy_cert { 'cert': - key => $key, - cert => $cert, - } - include couchdb::deploy_config + #couchdb::ssl::deploy_cert { 'cert': + # key => $key, + # cert => $cert, + #} + + include apache::ssl + apache::module { + 'rewrite': ensure => present; + 'proxy': ensure => present; + 'proxy_http': ensure => present; + } + apache::vhost::file { 'couchdb_proxy': } } -- cgit v1.2.3 From 5981a73edce0a64f26bb8abb799c180b856abbbd Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 11:43:58 +0100 Subject: overwrite /etc/apache2/ports.conf so 0-default.conf and 0-default_ssl.conf don't start on port 80/443 --- puppet/modules/site_couchdb/manifests/init.pp | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index b296279c..4c923b35 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -16,12 +16,20 @@ class site_couchdb { # key => $key, # cert => $cert, #} - + include apache::ssl - apache::module { - 'rewrite': ensure => present; - 'proxy': ensure => present; - 'proxy_http': ensure => present; - } + apache::module { + 'rewrite': ensure => present; + 'proxy': ensure => present; + 'proxy_http': ensure => present; + } apache::vhost::file { 'couchdb_proxy': } + # prevent 0-default.conf and 0-default_ssl.conf from apache module + # from starting on port 80 / 443 + file { '/etc/apache2/ports.conf': + content => '', + mode => '0644', + owner => 'root', + group => 'root', + } } -- cgit v1.2.3 
From b7d3bd9c119ce70f1823ffd06567a127c390c4f0 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 12:16:22 +0100 Subject: deploy server_cert.pem + server_key.pem, notify apache --- puppet/modules/site_couchdb/manifests/init.pp | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 4c923b35..04b46bf6 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -11,12 +11,6 @@ class site_couchdb { include site_couchdb::configure include couchdb::deploy_config - - #couchdb::ssl::deploy_cert { 'cert': - # key => $key, - # cert => $cert, - #} - include apache::ssl apache::module { 'rewrite': ensure => present; @@ -32,4 +26,21 @@ class site_couchdb { owner => 'root', group => 'root', } + + file { '/etc/couchdb/server_cert.pem': + mode => '0644', + owner => 'couchdb', + group => 'couchdb', + content => $cert, + notify => Service[apache], + } + + file { '/etc/couchdb/server_key.pem': + mode => '0600', + owner => 'couchdb', + group => 'couchdb', + content => $key, + notify => Service[apache], + } + } -- cgit v1.2.3 From 995bde9b3c1c54b70b5884e2d06534a5cf38d654 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:34:54 +0100 Subject: query hiera adminpw in site_couchdb --- puppet/modules/site_couchdb/manifests/configure.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 0d0eb24f..3adce785 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp 
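Review bot: `content => $key` puts the private key into the catalog, and a Puppet `file` resource by default saves the previous version to the filebucket on every change and may print a content diff in logs and reports, so the key is copied to places that are not `0600`; add `backup => false` (and `show_diff => false` where the Puppet version supports it) to the `server_key.pem` resource, while `server_cert.pem` is public and can keep the defaults. The same two resources reappear unchanged in `apache_ssl_proxy.pp` in the later commit `added apache_ssl_proxy.pp`, where the same fix applies. The file is owned by `couchdb` although Apache is the consumer; this works only because Apache opens key files as root before dropping privileges, which deserves a one-line comment so the next reader does not have to check.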
@@ -5,7 +5,7 @@ class site_couchdb::configure { require => Class['site_couchdb::package'], } - $adminpw = hiera('couchdb_adminpw') + $adminpw = $site_couchdb::adminpw file { '/etc/couchdb/local.d/admin.ini': content => "[admins] admin = $adminpw -- cgit v1.2.3 From 8f0ea9039310a348ade5e1e5637aa62fce01579f Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:44:12 +0100 Subject: install apache_ssl_proxy, add users, create DBs + security roles --- puppet/modules/site_couchdb/manifests/init.pp | 58 ++++++++++++++------------- 1 file changed, 30 insertions(+), 28 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 04b46bf6..26e5cdfd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,8 +1,16 @@ class site_couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $adminpw = hiera('couchdb_adminpw') + $couchdb_leap_web_user = hiera('couchdb_leap_web_user') + $couchdb_leap_web_username = $couchdb_leap_web_user['user'] + $couchdb_leap_web_pw = $couchdb_leap_web_user['pw'] + $couchdb_leap_ca_user = hiera('couchdb_leap_ca_user') + $couchdb_leap_ca_username = $couchdb_leap_ca_user['user'] + $couchdb_leap_ca_pw = $couchdb_leap_ca_user['pw'] + $couchdb_host = "admin:$adminpw@127.0.0.1:5984" # install couchdb package first, then configure it Class['site_couchdb::package'] -> Class['site_couchdb::configure'] 
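Review bot: `$couchdb_host = "admin:$adminpw@127.0.0.1:5984"` embeds the admin password in the string that the next hunk hands to `couchdb::add_user` and `couchdb::create_db` as `host`; if those defines build a command line from it (their bodies live in the `couchdb` submodule, not here), the password is visible to every local user in the process table and is echoed in Puppet's output whenever the exec fails. A credential file the tool reads, or an environment variable set inside the define, avoids this; the later commit `adopt new hiera creditials` on this page moves to a `couchdb.netrc` file, which is the right direction. The `admin` username is also hard-coded here while everything else comes from hiera.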
@@ -11,36 +19,30 @@ class site_couchdb { include site_couchdb::configure include couchdb::deploy_config - include apache::ssl - apache::module { - 'rewrite': ensure => present; - 'proxy': ensure => present; - 'proxy_http': ensure => present; + site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': + key => $key, + cert => $cert } - apache::vhost::file { 'couchdb_proxy': } - # prevent 0-default.conf and 0-default_ssl.conf from apache module - # from starting on port 80 / 443 - file { '/etc/apache2/ports.conf': - content => '', - mode => '0644', - owner => 'root', - group => 'root', + + couchdb::add_user { $couchdb_leap_web_username: + host => $couchdb_host, + roles => '["certs"]', + pw => $couchdb_leap_web_pw } - file { '/etc/couchdb/server_cert.pem': - mode => '0644', - owner => 'couchdb', - group => 'couchdb', - content => $cert, - notify => Service[apache], + couchdb::add_user { $couchdb_leap_ca_username: + host => $couchdb_host, + roles => '["certs"]', + pw => $couchdb_leap_ca_pw } - file { '/etc/couchdb/server_key.pem': - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - content => $key, - notify => Service[apache], + couchdb::create_db { 'leap_web': + host => $couchdb_host, + readers => "{ \"names\": [\"leap_web\"], \"roles\": [] }" } + couchdb::create_db { 'leap_ca': + host => $couchdb_host, + readers => "{ \"names\": [], \"roles\": [\"certs\"] }" + } } -- cgit v1.2.3 From a555f779fb90e5b817319eca478d517696898789 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:47:42 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index fd8c6d94..3ae28de3 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit fd8c6d9481910d7ee587cbd1098346da868f5068 +Subproject commit 3ae28de3ba018d5064122dbceb31af336a090167 -- cgit v1.2.3 
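Review bot: `readers => "{ \"names\": [\"leap_web\"], \"roles\": [] }"` hard-codes the reader name `leap_web` while the user created just above is `$couchdb_leap_web_username` from hiera; if the configured username is anything else, the database is locked to a non-existent account and the web app loses access. Use the variable: `readers => "{ \"names\": [\"$couchdb_leap_web_username\"], \"roles\": [] }"`. The later commit `adopt new hiera creditials` makes this change for the renamed variable.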
From b1a4e8c8b31e7b648b4eb5e7ef0e165a23a3110b Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:48:35 +0100 Subject: added apache_ssl_proxy.pp --- .../site_couchdb/manifests/apache_ssl_proxy.pp | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp new file mode 100644 index 00000000..87b21e62 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -0,0 +1,35 @@ +define site_couchdb::apache_ssl_proxy ($key, $cert) { + + include apache::ssl + apache::module { + 'rewrite': ensure => present; + 'proxy': ensure => present; + 'proxy_http': ensure => present; + } + apache::vhost::file { 'couchdb_proxy': } + # prevent 0-default.conf and 0-default_ssl.conf from apache module + # from starting on port 80 / 443 + file { '/etc/apache2/ports.conf': + content => '', + mode => '0644', + owner => 'root', + group => 'root', + } + + file { '/etc/couchdb/server_cert.pem': + mode => '0644', + owner => 'couchdb', + group => 'couchdb', + content => $cert, + notify => Service[apache], + } + + file { '/etc/couchdb/server_key.pem': + mode => '0600', + owner => 'couchdb', + group => 'couchdb', + content => $key, + notify => Service[apache], + } + +} -- cgit v1.2.3 From 65dd85c494580170799d3ca0746d5ef6996919f5 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:51:29 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 3ae28de3..110fed8a 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 3ae28de3ba018d5064122dbceb31af336a090167 +Subproject commit 110fed8abd8c2d7ef4f73bd1a6d0e0f3665190cf -- cgit v1.2.3 
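Review bot: `site_couchdb::apache_ssl_proxy` is a `define`, but everything it declares is a singleton — `include apache::ssl`, the three `apache::module` resources, `apache::vhost::file { 'couchdb_proxy': }` and `file { '/etc/apache2/ports.conf': ... }` — so a second instance anywhere in the catalog fails with a duplicate declaration error. A parameterised class (`class site_couchdb::apache_ssl_proxy ($key, $cert) { ... }`) expresses the one-proxy-per-host intent and lets Puppet enforce it. The comment on the emptied `ports.conf` explains the why, which is good; a similar one-liner above the two `file` resources for the PEM files, stating which service consumes them, would complete the file.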
From a58524af8a97d6c2eee8d26ccdf192fecb855fe9 Mon Sep 17 00:00:00 2001
From: varac
Date: Sun, 4 Nov 2012 18:53:24 +0100
Subject: provide coustom couchdb initscript to ensure stop/restart is working

---
 puppet/modules/site_couchdb/files/couchdb | 160 ++++++++++++++++++++++++++++++
 1 file changed, 160 insertions(+)
 create mode 100755 puppet/modules/site_couchdb/files/couchdb

diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb
new file mode 100755
index 00000000..ccdfe716
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/couchdb
@@ -0,0 +1,160 @@ +#!/bin/sh -e + +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy of +# the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations under +# the License. + +### BEGIN INIT INFO +# Provides: couchdb +# Required-Start: $local_fs $remote_fs +# Required-Stop: $local_fs $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Apache CouchDB init script +# Description: Apache CouchDB init script for the database server. +### END INIT INFO + +SCRIPT_OK=0 +SCRIPT_ERROR=1 + +DESCRIPTION="database server" +NAME=couchdb +SCRIPT_NAME=`basename $0` +COUCHDB=/usr/bin/couchdb +CONFIGURATION_FILE=/etc/default/couchdb +RUN_DIR=/var/run/couchdb +LSB_LIBRARY=/lib/lsb/init-functions + +if test ! -x $COUCHDB; then + exit $SCRIPT_ERROR +fi + +if test -r $CONFIGURATION_FILE; then + . $CONFIGURATION_FILE +fi + +log_daemon_msg () { + # Dummy function to be replaced by LSB library. + + echo $@ +} + +log_end_msg () { + # Dummy function to be replaced by LSB library. + + if test "$1" != "0"; then + echo "Error with $DESCRIPTION: $NAME" + fi + return $1 +} + +if test -r $LSB_LIBRARY; then + . $LSB_LIBRARY +fi + +run_command () { + command="$1" + if test -n "$COUCHDB_OPTIONS"; then + command="$command $COUCHDB_OPTIONS" + fi + if test -n "$COUCHDB_USER"; then + if su $COUCHDB_USER -c "$command"; then + return $SCRIPT_OK + else + return $SCRIPT_ERROR + fi + else + if $command; then + return $SCRIPT_OK + else + return $SCRIPT_ERROR + fi + fi +} + +start_couchdb () { + # Start Apache CouchDB as a background process. 
+ + mkdir -p "$RUN_DIR" + chown -R "$COUCHDB_USER" "$RUN_DIR" + command="$COUCHDB -b" + if test -n "$COUCHDB_STDOUT_FILE"; then + command="$command -o $COUCHDB_STDOUT_FILE" + fi + if test -n "$COUCHDB_STDERR_FILE"; then + command="$command -e $COUCHDB_STDERR_FILE" + fi + if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then + command="$command -r $COUCHDB_RESPAWN_TIMEOUT" + fi + run_command "$command" > /dev/null +} + +stop_couchdb () { + # Stop the running Apache CouchDB process. + + run_command "$COUCHDB -d" > /dev/null + pkill -u couchdb + # always return true even if no remaining couchdb procs got killed + /bin/true +} + +display_status () { + # Display the status of the running Apache CouchDB process. + + run_command "$COUCHDB -s" +} + +parse_script_option_list () { + # Parse arguments passed to the script and take appropriate action. + + case "$1" in + start) + log_daemon_msg "Starting $DESCRIPTION" $NAME + if start_couchdb; then + log_end_msg $SCRIPT_OK + else + log_end_msg $SCRIPT_ERROR + fi + ;; + stop) + log_daemon_msg "Stopping $DESCRIPTION" $NAME + if stop_couchdb; then + log_end_msg $SCRIPT_OK + else + log_end_msg $SCRIPT_ERROR + fi + ;; + restart|force-reload) + log_daemon_msg "Restarting $DESCRIPTION" $NAME + if stop_couchdb; then + if start_couchdb; then + log_end_msg $SCRIPT_OK + else + log_end_msg $SCRIPT_ERROR + fi + else + log_end_msg $SCRIPT_ERROR + fi + ;; + status) + display_status + ;; + *) + cat << EOF >&2 +Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status} +EOF + exit $SCRIPT_ERROR + ;; + esac +} + +parse_script_option_list $@ -- cgit v1.2.3 From 0a3fdfff7bd8c11d6099f23aef505fbd5333ba99 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 20:45:53 +0100 Subject: deploy couchdb initscript, restart couchdb after config file change --- puppet/modules/site_couchdb/manifests/configure.pp | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) 
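Review bot: `stop_couchdb` runs `pkill -u couchdb` with the user name hard-coded, while the rest of the script takes `$COUCHDB_USER` from `/etc/default/couchdb`; if the two differ the kill hits the wrong account or nothing, so use the variable and guard it, e.g. `test -n "$COUCHDB_USER" && pkill -u "$COUCHDB_USER"`. The `pkill` also runs immediately after `$COUCHDB -d` with no wait, so a server that is still shutting down cleanly is killed mid-way, and it terminates every process of that user, not only the server; if that is the intended behaviour it deserves a comment such as `# kills every process of the couchdb user, not only the server, by design`. The final `parse_script_option_list $@` should be `"$@"` so arguments are passed intact, even though the `case` only inspects `$1`.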
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 3adce785..4343cc2b 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -2,10 +2,17 @@ class site_couchdb::configure { Class[site_couchdb::package] -> Class[couchdb] class { 'couchdb': - require => Class['site_couchdb::package'], + require => Class['site_couchdb::package'], } + + + file { '/etc/init.d/couchdb': + source => 'puppet:///modules/site_couchdb/couchdb', + mode => '0755', + owner => 'root', + group => 'root', } - $adminpw = $site_couchdb::adminpw + $adminpw = $site_couchdb::adminpw file { '/etc/couchdb/local.d/admin.ini': content => "[admins] admin = $adminpw @@ -15,4 +22,12 @@ admin = $adminpw group => 'couchdb', notify => Service[couchdb] } + + + exec { '/etc/init.d/couchdb restart; sleep 3': + path => ['/bin', '/usr/bin',], + subscribe => File['/etc/couchdb/local.d/admin.ini', + '/etc/couchdb/local.ini'], + refreshonly => true + } } -- cgit v1.2.3 From 41a10e2475d056a621964f17757b28581661b053 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 20:47:25 +0100 Subject: working resource relationships for deployment --- puppet/modules/site_couchdb/manifests/init.pp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 26e5cdfd..e4d97e34 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
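Review bot: The restart `exec` subscribes to `admin.ini`, but that file still carries `notify => Service[couchdb]` in the context lines, so one change to the admin file restarts CouchDB twice in a run, once through the service and once through the exec. The `sleep 3` after the restart is a fixed guess at startup time rather than a readiness check — the next commit `sleep some more after couchdb restart` raises it to 6, which shows it is already unreliable — so the `couchdb::add_user`/`create_db` resources ordered after it can still race the server. Replace the sleep with a bounded poll of the local port, e.g. an `exec` command like `/etc/init.d/couchdb restart; for i in 1 2 3 4 5 6 7 8 9 10; do <http-client> http://127.0.0.1:5984/ >/dev/null 2>&1 && break; sleep 1; done` using whatever HTTP client the couchdb defines already rely on (placeholder shown), and drop one of the two restart paths.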
@@ -12,8 +12,16 @@ class site_couchdb { $couchdb_leap_ca_pw = $couchdb_leap_ca_user['pw'] $couchdb_host = "admin:$adminpw@127.0.0.1:5984" - # install couchdb package first, then configure it - Class['site_couchdb::package'] -> Class['site_couchdb::configure'] + Class['site_couchdb::package'] + -> Package ['couchdb'] + -> File['/etc/init.d/couchdb'] + -> File['/etc/couchdb/local.ini'] + -> File['/etc/couchdb/local.d/admin.ini'] + -> Couchdb::Create_db[leap_web] + -> Couchdb::Create_db[leap_ca] + -> Couchdb::Add_user[leap_web] + -> Couchdb::Add_user[leap_ca] + -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] include site_couchdb::package include site_couchdb::configure -- cgit v1.2.3 From a2bd420ac47ac7292204d3b9af191b29ca878e74 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 20:53:43 +0100 Subject: changed submodule remote for apache to use leap one --- .gitmodules | 3 ++- puppet/modules/apache | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index dd5aa4f0..c2d42cc5 100644 --- a/.gitmodules +++ b/.gitmodules @@ -39,4 +39,5 @@ url = git://github.com/x-way/puppet-interfaces.git [submodule "puppet/modules/apache"] path = puppet/modules/apache - url = git://labs.riseup.net/shared-apache + url = git://code.leap.se/puppet_apache + diff --git a/puppet/modules/apache b/puppet/modules/apache index 9f12e863..a2874ab6 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 9f12e8635b4253955e19ed6b18d90142ed27d2f8 +Subproject commit a2874ab6b1bab2c0a75ad9c62a77490d37846e0f -- cgit v1.2.3 From 5bfc45558090fe41085f9db29e32b4515626cc6e Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 21:16:31 +0100 Subject: automatic update of submodule puppet_apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index a2874ab6..9eea95a3 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache 
@@ -1 +1 @@ -Subproject commit a2874ab6b1bab2c0a75ad9c62a77490d37846e0f +Subproject commit 9eea95a38b9c03d9d769de2f9cc2e2820e3d4cb3 -- cgit v1.2.3 From 0fdf251c78891cee9a95f93954a43876d0399be6 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 21:30:37 +0100 Subject: automatic update of submodule puppet_apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 9eea95a3..104b2e09 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 9eea95a38b9c03d9d769de2f9cc2e2820e3d4cb3 +Subproject commit 104b2e09399e02a8aa9687df0de795644e4b83e0 -- cgit v1.2.3 From 561ea1c6dace320455990b880d8a7da421fcb8bc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:36:18 +0100 Subject: sleep some more after couchdb restart, adopt new hiera creditials --- puppet/modules/site_couchdb/manifests/configure.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 4343cc2b..25ea7a0b 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -12,10 +12,9 @@ class site_couchdb::configure { group => 'root', } - $adminpw = $site_couchdb::adminpw file { '/etc/couchdb/local.d/admin.ini': content => "[admins] -admin = $adminpw +admin = $site_couchdb::couchdb_admin_pw ", mode => '0600', owner => 'couchdb', @@ -24,7 +23,7 @@ admin = $adminpw } - exec { '/etc/init.d/couchdb restart; sleep 3': + exec { '/etc/init.d/couchdb restart; sleep 6': path => ['/bin', '/usr/bin',], subscribe => File['/etc/couchdb/local.d/admin.ini', '/etc/couchdb/local.ini'], -- cgit v1.2.3 From a5b8f30cdb68997e523c0f9fac65d894acddf40f Mon Sep 17 00:00:00 2001 
From: varac
Date: Tue, 6 Nov 2012 10:36:45 +0100
Subject: adopt new hiera creditials

---
 puppet/modules/site_couchdb/manifests/init.pp | 51 +++++++++++++++------------
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index e4d97e34..30ce7f54 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,28 +1,33 @@ class site_couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $adminpw = hiera('couchdb_adminpw') - $couchdb_leap_web_user = hiera('couchdb_leap_web_user') - $couchdb_leap_web_username = $couchdb_leap_web_user['user'] - $couchdb_leap_web_pw = $couchdb_leap_web_user['pw'] - $couchdb_leap_ca_user = hiera('couchdb_leap_ca_user') - $couchdb_leap_ca_username = $couchdb_leap_ca_user['user'] - $couchdb_leap_ca_pw = $couchdb_leap_ca_user['pw'] - $couchdb_host = "admin:$adminpw@127.0.0.1:5984" + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $couchdb_config = hiera('couch') + $couchdb_users = $couchdb_config['users'] + $couchdb_admin = $couchdb_users['admin'] + $couchdb_admin_user = $couchdb_admin['username'] + $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_ca_daemon = $couchdb_users['ca_daemon'] + $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] + $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] Class['site_couchdb::package'] -> Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] + -> File['/etc/couchdb/couchdb.netrc'] -> Couchdb::Create_db[leap_web] -> Couchdb::Create_db[leap_ca] - -> Couchdb::Add_user[leap_web] - -> Couchdb::Add_user[leap_ca] + -> Couchdb::Add_user[$couchdb_webapp_user] + -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] + # Setup couchdb include site_couchdb::package include site_couchdb::configure include couchdb::deploy_config 
@@ -32,25 +37,27 @@ class site_couchdb { cert => $cert } - couchdb::add_user { $couchdb_leap_web_username: - host => $couchdb_host, + couchdb::query::setup { 'localhost': + user => $couchdb_admin_user, + pw => $couchdb_admin_pw + } + + # Populate couchdb + couchdb::add_user { $couchdb_webapp_user: roles => '["certs"]', - pw => $couchdb_leap_web_pw + pw => $couchdb_webapp_pw } - couchdb::add_user { $couchdb_leap_ca_username: - host => $couchdb_host, + couchdb::add_user { $couchdb_ca_daemon_user: roles => '["certs"]', - pw => $couchdb_leap_ca_pw + pw => $couchdb_ca_daemon_pw } couchdb::create_db { 'leap_web': - host => $couchdb_host, - readers => "{ \"names\": [\"leap_web\"], \"roles\": [] }" + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } couchdb::create_db { 'leap_ca': - host => $couchdb_host, readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } } -- cgit v1.2.3 From 7ca4f22e4cd76d986fece61674f487809d1369c6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:39:27 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 110fed8a..b598e7d2 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 110fed8abd8c2d7ef4f73bd1a6d0e0f3665190cf +Subproject commit b598e7d2a4be7ee863ae70450a73bfcda381634e -- cgit v1.2.3 From e6d9dca1e6c695e52f5052cb6877787e13bb0fb2 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:54:19 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8daa8625..b598e7d2 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
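Review bot: Both `couchdb::add_user` resources assign the same role `'["certs"]'`, and `leap_ca` is created with `readers` restricted by that role, so the webapp user can read `leap_ca` exactly as the CA daemon can; if the web app only needs `leap_web` (whose `readers` list names just `$couchdb_webapp_user`), give it a distinct role or none so the two databases stay separated, or record the intent with `# webapp intentionally shares the certs role with the CA daemon`. The ordering chain in the first hunk now also requires `File['/etc/couchdb/couchdb.netrc']`, which is declared elsewhere (presumably by `couchdb::query::setup`); since it holds the admin password, confirm that resource sets a `0600` mode and an owner limited to the account that runs the queries. The first hunk ends inside the class body.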
@@ -1 +1 @@ -Subproject commit 8daa862541facd5207a75760f3656e857faf73fd +Subproject commit b598e7d2a4be7ee863ae70450a73bfcda381634e -- cgit v1.2.3 From b08f959aa17f05821a6a4a58266b9250cdc59cbb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 11:14:28 +0100 Subject: fixed unseen merge conflicts --- puppet/modules/site_shorewall/manifests/eip.pp | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7dee6b7a..20e22cb3 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -75,9 +75,6 @@ PARAM - - udp 1194 action => 'Ping(ACCEPT)', order => 200; -<<<<<<< HEAD - 'net2fw-openvpn_ssh': -======= # outside to server 'net2fw-ssh': source => 'net', @@ -85,7 +82,6 @@ PARAM - - udp 1194 action => 'SSH(ACCEPT)', order => 200; 'net2fw-openvpn': ->>>>>>> feature/couchdb source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', @@ -108,14 +104,9 @@ PARAM - - udp 1194 action => 'Git(ACCEPT)', order => 200; -<<<<<<< HEAD - #'eip2fw-https': - # source => 'eip', -======= # Webfrontend is running on another server #'eip2fw-https': - # source => 'eip', ->>>>>>> feature/couchdb + # source => 'eip', # destination => '$FW', # action => 'HTTPS(ACCEPT)', # order => 200; -- cgit v1.2.3 From 6022635279a4c6481b1f53fcad43c3b179405405 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 11:23:10 +0100 Subject: duplicate definition after merge --- puppet/modules/site_shorewall/manifests/eip.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 20e22cb3..086bf75a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -11,7 +11,6 @@ class site_shorewall::eip { $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address - $interface = hiera('interface') # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': -- cgit v1.2.3 From 9a41d72f1477e0ba4659207633358d36105caea7 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 14:03:29 +0100 Subject: updated README.md --- README.md | 102 ++++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 76 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 641538bb..231aeaa7 100644 --- a/README.md +++ b/README.md 
@@ -1,54 +1,100 @@ +============= Leap Platform ============= What is it? ------------ +=========== The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary packages and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. The LEAP Platform is essentially a git repository of puppet recipes, with a few scripts to help with bootstrapping and deployment. A service provider who wants to deploy LEAP services will clone or fork this repository, edit the main configuration file to specify which services should run on which hosts, and run scripts to deploy this configuration. Documentation -------------- +============= + Most of the current documentation can be found in Readme files of the different pieces. Eventually this will be consolidated on the website https://leap.se Requirements ------------- -This highly depends on your (expected) user base. For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. You could use Vagrant or KVM to simulate a live deployment. +============ -For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. In it's initial release you can deploy OpenVPN, DNS, CouchDB and a webapp to administer your users (billing, help tickets,...). +This highly depends on your (expected) user base. +For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. You could use Vagrant or KVM to simulate a live deployment. 
-To get started you will need to have git, ruby1.8, rails, rubygems, bundler, ruby1.8-dev, libgpgme-ruby. +For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. +In it's initial release you can deploy OpenVPN, CouchDB and a webapp to administer your users (billing, help tickets,...). +While you can deploy all services on one server, we stronly recommend to use seperate servers for better security. -Configuration -------------- -Edit config/ +To get started you will need to have git, ruby1.8, rails, rubygems, bundler, ruby1.8-dev, libgpgme-ruby. Installation ------------- +============ + +Create a working directory +-------------------------- + + mkdir ~/Leap + cd ~/Leap + +Install leap_cli +---------------- + + git clone git://code.leap.se/leap_cli + cd leap_cli + +See also README.md for installation hints, but this should work in most cases: -- Edit /etc/leap/hieradata/common.yaml for your needs -- Run the deploy.sh script as root + bundle + rake build + rake install + leap help -git clone git://code.leap.se/leap_platform -git clone git://code.leap.se/leap_cli +Install leap_platform +--------------------- - cd leap_cli + cd ~/Leap + git clone git://code.leap.se/leap_platform + cd leap_platform + +Right now, use the develop branch - bundle + git checkout develop - cd .. +Initialize Submodules -git clone git://code.leap.se/leap_testprovider -ln -s /home/me/dev/leap_cli/bin ~/bin # or whatever to have leap_cli/bin/leap in your path. -cd leap_testprovider -ln -s ../leap_platform . 
-cd leap_testprovider/provider -leap help -leap clean -leap compile -leap add-user --self + git submodule init + git submodule update + +Configuration +============= + +Create config file templates +---------------------------- + + cd ~/Leap + leap init-provider vagrant_test + cd vagrant_test + +Configure +--------- + +Edit following files: + + * common.yaml + * nodes/COUCHDB_SERVER.yaml + * nodes/WEBAPP_SERVER.yaml + * nodes/VPN_SERVER.yaml + + leap add-user --self + leap compile + +Initialize and deploy nodes +--------------------------- + +For every server you configured do: + + leap node-init SERVERNAME + leap -v 2 deploy SERVERNAME More Information ---------------- @@ -71,6 +117,10 @@ Troubleshooting Changelog --------- +For a changelog of the current branch: + + cd ~/Leap + git log Authors and Credits ------------------ -- cgit v1.2.3 From 73047b814fe66c42aebc0d29e1a227af3a14d428 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 6 Nov 2012 17:01:56 -0500 Subject: update README to provide additional information about the leap help step and to combine the submodule initialization into one step --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 231aeaa7..7917a42f 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ See also README.md for installation hints, but this should work in most cases: bundle rake build rake install - leap help + leap help - this should provide you with the help output of the leap command-line tool Install leap_platform --------------------- @@ -62,8 +62,7 @@ Right now, use the develop branch Initialize Submodules - git submodule init - git submodule update + git submodule update --init Configuration ============= -- cgit v1.2.3 From 18141b30287738e9891d6be7ca589ffb219d4bca Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 8 Nov 2012 22:26:02 +0100 Subject: automatic update of submodule puppet_apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 104b2e09..077d4d15 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 104b2e09399e02a8aa9687df0de795644e4b83e0 +Subproject commit 077d4d1508b9ff3355f73ff8597991043b3ba5d9 -- cgit v1.2.3 From f1f6803eb12065ec7bc248241d781669f8c94579 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 8 Nov 2012 23:49:48 +0100 Subject: = true --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 87b21e62..92170780 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,5 +1,6 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { + $apache_no_default_site = true include apache::ssl apache::module { 'rewrite': ensure => present; -- cgit v1.2.3 From b6eeb5d59f7b298002dbad06c29c0f4ddb609375 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 9 Nov 2012 00:15:53 +0100 Subject: removed submodule "puppet/modules/sysctl" (url: git://github.com/luxflux/puppet-sysctl.git) --- .gitmodules | 3 --- puppet/modules/sysctl | 1 - 2 files changed, 4 deletions(-) delete mode 160000 puppet/modules/sysctl diff --git a/.gitmodules b/.gitmodules index c2d42cc5..a8613452 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -28,9 +28,6 @@ [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf url = git://git.puppet.immerda.ch/module-resolvconf.git -[submodule "puppet/modules/sysctl"] - path = puppet/modules/sysctl - url = git://github.com/luxflux/puppet-sysctl.git [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb url = git://code.leap.se/puppet_couchdb diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl deleted file mode 160000 index 6ad210b3..00000000 --- a/puppet/modules/sysctl +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 6ad210b3f90f24878cfccd61c758275e2ab022bd -- cgit v1.2.3 From bc5906cacdd6cfd236a66a717dcba7263ff39605 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 9 Nov 2012 00:16:03 +0100 Subject: removed submodule "puppet/modules/interfaces" (url: git://github.com/x-way/puppet-interfaces.git) --- .gitmodules | 3 --- puppet/modules/interfaces | 1 - 2 files changed, 4 deletions(-) delete mode 160000 puppet/modules/interfaces diff --git a/.gitmodules b/.gitmodules index a8613452..09f185f8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -31,9 +31,6 @@ [submodule "puppet/modules/couchdb"] path = puppet/modules/couchdb url = git://code.leap.se/puppet_couchdb -[submodule "puppet/modules/interfaces"] - path = puppet/modules/interfaces - url = git://github.com/x-way/puppet-interfaces.git [submodule "puppet/modules/apache"] path = puppet/modules/apache url = git://code.leap.se/puppet_apache diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces deleted file mode 160000 index 1d7dc717..00000000 --- a/puppet/modules/interfaces +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 1d7dc7178881c56102c043e96763176f66445c1e -- cgit v1.2.3 From ac74640c5f4a65f8f117deeaed8d1cd29a22bc3c Mon Sep 17 00:00:00 2001 
From: elijah Date: Wed, 14 Nov 2012 23:49:56 -0800 Subject: added provider_base (latest leap_cli required) --- provider_base/README | 9 ++++++++ provider_base/common.json | 25 ++++++++++++++++++++ .../files/service-definitions/provider.json.erb | 20 ++++++++++++++++ provider_base/provider.json | 27 ++++++++++++++++++++++ provider_base/services/ca.json | 6 +++++ provider_base/services/couchdb.json | 22 ++++++++++++++++++ provider_base/services/dns.json | 7 ++++++ provider_base/services/openvpn.json | 14 +++++++++++ provider_base/services/webapp.json | 19 +++++++++++++++ 9 files changed, 149 insertions(+) create mode 100644 provider_base/README create mode 100644 provider_base/common.json create mode 100644 provider_base/files/service-definitions/provider.json.erb create mode 100644 provider_base/provider.json create mode 100644 provider_base/services/ca.json create mode 100644 provider_base/services/couchdb.json create mode 100644 provider_base/services/dns.json create mode 100644 provider_base/services/openvpn.json create mode 100644 provider_base/services/webapp.json diff --git a/provider_base/README b/provider_base/README new file mode 100644 index 00000000..bb80df50 --- /dev/null +++ b/provider_base/README @@ -0,0 +1,9 @@ +This directory holds the base provider files that actual providers inherit from. + +For example: + + the file........ myproject/provider/common.json + inherits from... myproject/leap_platform/provider_base/common.json + + + diff --git a/provider_base/common.json b/provider_base/common.json new file mode 100644 index 00000000..f3557800 --- /dev/null +++ b/provider_base/common.json 
@@ -0,0 +1,25 @@ +{ + "ip_address": "REQUIRED", + "services": [], + "domain": { + "full_suffix": "= global.provider.domain", + "internal_suffix": "= global.provider.internal_domain", + "full": "= node.name + '.' + domain.full_suffix", + "internal": "= node.name + '.' + domain.internal_suffix", + "name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)" + }, + "dns": { + "public": "= service_type != 'internal_service'" + }, + "ssh": { + "authorized_keys": "= file :authorized_keys", + "known_hosts": "= file :known_hosts", + "port": 22 + }, + "x509": { + "use": false, + "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", + "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil" + }, + "local": "= self.vagrant?" +} diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb new file mode 100644 index 00000000..76245739 --- /dev/null +++ b/provider_base/files/service-definitions/provider.json.erb @@ -0,0 +1,20 @@ +<%= + hsh = {} + + # grab some fields from provider.json + hsh = global.provider.pick( + :languages, :description, :name, + :enrollment_policy, :default_language, :domain + ) + + # advertise services that are 'user services' + hsh['services'] = global.services[:service_type => :user_service].field(:name) + + hsh['api_version'] = "1" + hsh['api_uri'] = "https://" + api_domain + + hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt' + hsh['ca_cert_fingerprint'] = "" + + generate_json hsh +%> \ No newline at end of file diff --git a/provider_base/provider.json b/provider_base/provider.json new file mode 100644 index 00000000..a144d04e --- /dev/null +++ b/provider_base/provider.json 
@@ -0,0 +1,27 @@ +{ + "domain": "REQUIRED", + "internal_domain": "= domain.sub(/\\..*$/,'.i')", + "name": { + "en": "REQUIRED" + }, + "description": { + "en": "REQUIRED" + }, + "languages": ["en"], + "default_language": "en", + "enrollment_policy": "open", + "ca": { + "name": "= global.provider.ca.organization + ' Root CA'", + "organization": "= global.provider.name[global.provider.default_language]", + "organizational_unit": "= 'https://' + global.common.domain.full_suffix", + "bit_size": 4096, + "life_span": "10y", + "server_certificates": { + "bit_size": 3248, + "life_span": "1y" + } + }, + "vagrant":{ + "network":"10.5.5.0/24" + } +} \ No newline at end of file diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json new file mode 100644 index 00000000..68f970f7 --- /dev/null +++ b/provider_base/services/ca.json @@ -0,0 +1,6 @@ +{ + "service_type": "internal_service", + "x509": { + "use": true + } +} diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json new file mode 100644 index 00000000..1c8005c2 --- /dev/null +++ b/provider_base/services/couchdb.json @@ -0,0 +1,22 @@ +{ + "service_type": "internal_service", + "x509": { + "use": true + }, + "couch": { + "users": { + "admin": { + "username": "admin", + "password": "= secret :couch_admin_password" + }, + "webapp": { + "username": "webapp", + "password": "= secret :couch_webapp_password" + }, + "ca_daemon": { + "username": "ca_daemon", + "password": "= secret :couch_ca_daemon_password" + } + } + } +} diff --git a/provider_base/services/dns.json b/provider_base/services/dns.json new file mode 100644 index 00000000..677d9b2c --- /dev/null +++ b/provider_base/services/dns.json 
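Review bot: `"bit_size": 3248` under `server_certificates` is an unusual RSA modulus length; if it is deliberate (for example to make the provider's certificates less fingerprintable), document it in provider_base/README, because some TLS and crypto stacks reject RSA keys whose length is not a multiple of 64 bits and a later maintainer will otherwise "correct" it to 2048 or 4096. Also note that `"enrollment_policy": "open"` is the inherited base value, so any provider that does not override it advertises open registration; consider whether a more restrictive default is the safer baseline for a file every provider inherits from.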
@@ -0,0 +1,7 @@ +{ + "hosts": { + "public": "= nodes['dns.public' => true].fields('domain.name', 'dns.aliases', 'ip_address')", + "private": "= nodes['dns.public' => false].fields('domain.name', 'dns.aliases', 'ip_address')" + }, + "service_type": "public_service" +} \ No newline at end of file diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json new file mode 100644 index 00000000..4b7d25ec --- /dev/null +++ b/provider_base/services/openvpn.json @@ -0,0 +1,14 @@ +{ + "service_type": "user_service", + "x509": { + "use": true + }, + "openvpn": { + "ports": ["80", "443", "53", "1194"], + "filter_dns": false, + "nat": true, + "ca_crt": "= file :ca_cert", + "ca_key": "= file :ca_key", + "dh": "= file :dh_params" + } +} diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json new file mode 100644 index 00000000..6e5c029c --- /dev/null +++ b/provider_base/services/webapp.json @@ -0,0 +1,19 @@ +{ + "webapp": { + "modules": ["user", "billing", "help"], + "couchdb_hosts": "= nodes[:services => :couchdb].field('domain.name')", + "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]" + }, + "definition_files": { + "provider": "= file('service-definitions/provider.json.erb')", + "eip_service": "file('service-definitions/eip-service.json.erb')" + }, + "service_type": "public_service", + "api_domain": "= 'api.' + domain.full_suffix", + "dns": { + "aliases": "= [domain.full, api_domain]" + }, + "x509": { + "use": true + } +} \ No newline at end of file -- cgit v1.2.3 From 74047765ad815ae72a1e0eb2355e6fbc68d4db57 Mon Sep 17 00:00:00 2001 
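Review bot: `"ca_key": "= file :ca_key"` deploys the provider CA's private key to every openvpn node, although a gateway only needs `ca_crt` to verify client certificates plus its own server certificate/key and `dh`; whoever compromises a single gateway can then mint client certificates for the whole provider. Unless site_openvpn has a need for the key that is not visible here (the puppet side is not in this hunk), drop the `ca_key` entry from this service and keep the key on the node that runs the `ca` service. If it must stay, the node-side file mode and owner for the deployed key deserve a look in site_openvpn::keys.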
From: elijah Date: Thu, 15 Nov 2012 01:18:10 -0800 Subject: added eip-service.json --- .../files/service-definitions/eip-service.json.erb | 33 ++++++++++++++++++++++ provider_base/services/openvpn.json | 5 +++- provider_base/services/webapp.json | 4 +-- 3 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 provider_base/files/service-definitions/eip-service.json.erb diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb new file mode 100644 index 00000000..095f3530 --- /dev/null +++ b/provider_base/files/service-definitions/eip-service.json.erb @@ -0,0 +1,33 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + clusters = {} + gateways = [] + global.services['openvpn'].node_list.each_node do |node| + next if node.vagrant? + gateway = {} + gateway["capabilities"] = node.openvpn.pick( + :ports, :protocols, :user_ips, :adblock, :filter_dns) + gateway["capabilities"]["transport"] = ["openvpn"] + gateway["ip_address"] = node.ip_address + gateway["host"] = node.domain.full + gateway["cluster"] = underscore(node.openvpn.location) + gateways << gateway + clusters[gateway["cluster"]] ||= { + "name" => gateway["cluster"], + "label" => {"en" => node.openvpn.location} + } + end + hsh["gateways"] = gateways + hsh["clusters"] = clusters.values + + generate_json hsh +%> \ No newline at end of file diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 4b7d25ec..46dcd50e 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json 
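Review bot: `hsh["serial"] = 1` is hard-coded, so a client that caches eip-service.json and compares serials will never learn about gateways that were added, removed or re-addressed; derive the serial from something that changes on every regeneration (a counter in provider.json, or a digest of the generated gateway list) rather than a constant. A smaller point: `underscore` maps every character outside `[a-z]` to `_`, so two location labels that differ only in punctuation or spacing collapse into one cluster key; that is fine if locations are provider-chosen, but a comment such as `# cluster ids are derived from the location label; keep labels distinct after lowercasing` would save the next reader a surprise.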
@@ -4,9 +4,12 @@ "use": true }, "openvpn": { + "location": "Location Unknown", "ports": ["80", "443", "53", "1194"], + "protocols": ["tcp", "udp"], "filter_dns": false, - "nat": true, + "adblock": false, + "user_ips": false, "ca_crt": "= file :ca_cert", "ca_key": "= file :ca_key", "dh": "= file :dh_params" diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 6e5c029c..7e12d26e 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -5,8 +5,8 @@ "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]" }, "definition_files": { - "provider": "= file('service-definitions/provider.json.erb')", - "eip_service": "file('service-definitions/eip-service.json.erb')" + "provider": "= file 'service-definitions/provider.json.erb'", + "eip_service": "= file 'service-definitions/eip-service.json.erb'" }, "service_type": "public_service", "api_domain": "= 'api.' + domain.full_suffix", -- cgit v1.2.3 From eee2441572db5de3a4aceeeda4caaf02b2eabe05 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 15 Nov 2012 09:53:30 -0500 Subject: fix node configuration suffix and provide more information; fix init-node --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7917a42f..b7f07e27 100644 --- a/README.md +++ b/README.md @@ -79,10 +79,10 @@ Configure Edit following files: - * common.yaml - * nodes/COUCHDB_SERVER.yaml - * nodes/WEBAPP_SERVER.yaml - * nodes/VPN_SERVER.yaml + * common.json + * nodes/.json - change to be the hostname of the server hosting couchdb + * nodes/.json - change to be the hostname of the server hosting the webapp + * nodes/.json - change to be the hostname of the server hosting the VPN server leap add-user --self leap compile 
@@ -92,7 +92,7 @@ Initialize and deploy nodes For every server you configured do: - leap node-init SERVERNAME + leap init-node SERVERNAME leap -v 2 deploy SERVERNAME More Information -- cgit v1.2.3 From a70587080576517716986230a6eb5792aa248e9b Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 16 Nov 2012 14:26:49 -0800 Subject: added digest to provider.ca --- provider_base/provider.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index a144d04e..de5ad446 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -15,13 +15,15 @@ "organization": "= global.provider.name[global.provider.default_language]", "organizational_unit": "= 'https://' + global.common.domain.full_suffix", "bit_size": 4096, + "digest": "SHA256", "life_span": "10y", "server_certificates": { "bit_size": 3248, + "digest": "SHA256", "life_span": "1y" } }, "vagrant":{ "network":"10.5.5.0/24" } -} \ No newline at end of file +} -- cgit v1.2.3 From 0c65e5c1169fa33d08c3ffa02d5cf3060a009892 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 17 Nov 2012 01:24:00 -0800 Subject: added commercial_cert to webapp --- provider_base/services/webapp.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 7e12d26e..ca9edf33 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -14,6 +14,8 @@ "aliases": "= [domain.full, api_domain]" }, "x509": { - "use": true + "use": true, + "commercial_cert": "= file [:commercial_cert, global.provider.domain]", + "commercial_key": "= file [:commercial_key, global.provider.domain]" } } \ No newline at end of file -- cgit v1.2.3 From 25bbdd69cd2f2c19e3a183b38388b88db1b412a9 Mon Sep 17 00:00:00 2001 
From: elijah
Date: Sat, 17 Nov 2012 01:24:19 -0800
Subject: added better warnings to openvpn service when files are missing
---
 provider_base/services/openvpn.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 46dcd50e..71d1d2c7 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -10,8 +10,8 @@
 "filter_dns": false,
 "adblock": false,
 "user_ips": false,
- "ca_crt": "= file :ca_cert",
- "ca_key": "= file :ca_key",
- "dh": "= file :dh_params"
+ "ca_crt": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap init-ca`'",
+ "ca_key": "= file :ca_key, :missing => 'Certificate Authority. Run `leap init-ca`'",
+ "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap init-dh`'"
 }
 }
-- cgit v1.2.3
From cee55f72a33ca735745045ea304a9b6a78c79e96 Mon Sep 17 00:00:00 2001
From: elijah
Date: Sat, 17 Nov 2012 01:24:36 -0800
Subject: added missing fingerprint of ca cert to provider definition
---
 provider_base/files/service-definitions/provider.json.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 76245739..c19e5538 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -14,7 +14,7 @@
 hsh['api_uri'] = "https://" + api_domain
 
 hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt'
- hsh['ca_cert_fingerprint'] = ""
+ hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert)
 
 generate_json hsh
 %>
\ No newline at end of file
-- cgit v1.2.3
From 930eac488f8175fe17e9cb73ed3dff6763895562 Mon Sep 17 00:00:00 2001
From: Micah Anderson Date: Tue, 20 Nov 2012 15:04:46 -0500 Subject: add ca_cert key because we will need to place the cert into the webroot on the webapp --- provider_base/common.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/common.json b/provider_base/common.json index f3557800..4e85c9b0 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -19,7 +19,8 @@ "x509": { "use": false, "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", - "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil" + "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil", + "ca_cert": "= file :ca_cert" }, "local": "= self.vagrant?" } -- cgit v1.2.3 From ddd6fd82cc9e81d7ff912e390d956d6b2d958d8d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Nov 2012 21:20:52 -0500 Subject: add bundler, ruby, rubygems and vcsrepo submodules --- .gitmodules | 12 ++++++++++++ puppet/modules/bundler | 1 + puppet/modules/ruby | 1 + puppet/modules/rubygems | 1 + puppet/modules/vcsrepo | 1 + 5 files changed, 16 insertions(+) create mode 160000 puppet/modules/bundler create mode 160000 puppet/modules/ruby create mode 160000 puppet/modules/rubygems create mode 160000 puppet/modules/vcsrepo diff --git a/.gitmodules b/.gitmodules index 09f185f8..0f30c381 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -35,3 +35,15 @@ path = puppet/modules/apache url = git://code.leap.se/puppet_apache +[submodule "puppet/modules/bundler"] + path = puppet/modules/bundler + url = git://code.leap.se/puppet_bundler +[submodule "puppet/modules/vcsrepo"] + path = puppet/modules/vcsrepo + url = git://github.com/puppetlabs/puppetlabs-vcsrepo.git +[submodule "puppet/modules/rubygems"] + path = puppet/modules/rubygems + url = git://code.leap.se/puppet_rubygems +[submodule "puppet/modules/ruby"] + path = puppet/modules/ruby + url = git://code.leap.se/puppet_ruby diff --git a/puppet/modules/bundler b/puppet/modules/bundler new file mode 160000 index 00000000..b91d6abf --- /dev/null +++ b/puppet/modules/bundler @@ -0,0 +1 @@ +Subproject commit b91d6abfa931b8ef63594092d841701d3ee23280 diff --git a/puppet/modules/ruby b/puppet/modules/ruby new file mode 160000 index 00000000..e4de25d7 --- /dev/null +++ b/puppet/modules/ruby @@ -0,0 +1 @@ +Subproject commit e4de25d78eefc7df70a35dee22a3e0dc1b7e1d0b diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems new file mode 160000 index 00000000..1e5ed3db --- /dev/null +++ b/puppet/modules/rubygems @@ -0,0 +1 @@ +Subproject commit 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a8 diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo new file mode 160000 index 00000000..04851c28 --- /dev/null +++ b/puppet/modules/vcsrepo @@ -0,0 +1 @@ +Subproject commit 04851c28b12973c679fc9f234fd0f5a193df9d7a -- cgit v1.2.3 From 515ca5ce0d19ac29fff6397c7b146ddabc123f05 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Nov 2012 16:24:38 -0500 Subject: add initial site_webapp module --- puppet/modules/site_webapp/manifests/init.pp | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/init.pp diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp new file mode 100644 index 00000000..107aa617 --- /dev/null 
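Review bot: All four new submodule URLs use the unauthenticated, unencrypted `git://` transport for code that puppet later runs as root on every node. The gitlink pins a commit, so a plain `git submodule update --init` will refuse content whose SHA-1 does not match, but every bump (fetching a new SHA over a spoofed connection, or `--remote` tracking) and the README's unpinned `git clone git://code.leap.se/...` get no server authentication at all. Prefer `https://` or `ssh://` where the host offers it, e.g. `url = https://github.com/puppetlabs/puppetlabs-vcsrepo.git` for the puppetlabs module.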
+++ b/puppet/modules/site_webapp/manifests/init.pp @@ -0,0 +1,50 @@ +class site_webapp { + + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] + + class { 'ruby': ruby_version => '1.9.3' } + + include rubygems + + class { 'bundler::install': install_method => '' } + + group { 'leap-webapp': + ensure => present, + allowdupe => false; + } + + user { 'leap-webapp': + ensure => present, + allowdupe => false, + gid => 'leap-webapp', + home => '/srv/leap-webapp', + require => [ Group['leap-webapp'] ]; + } + + file { '/srv/leap-webapp': + ensure => present, + owner => 'leap-webapp', + group => 'leap-webapp', + require => User['leap-webapp']; + } + + vcsrepo { '/srv/leap-webapp': + ensure => present, + revision => 'master', + provider => git, + source => 'git://code.leap.se/leap_web', + owner => 'leap-webapp', + group => 'leap-webapp', + require => [ User['leap-webapp'], Group['leap-webapp'] ], + notify => Exec['bundler_update'] + } + + exec { 'bundler_update': + cwd => '/srv/leap-webapp', + command => '/bin/bash -c \"/usr/bin/bundle check || /usr/bin/bundle install\"', + unless => '/usr/bin/bundle check', + require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; + } +} + + -- cgit v1.2.3 From b1c8c57b1fb028ea4ce8c8954bfdad9b9e7f2766 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Nov 2012 16:20:37 -0500 Subject: setup webapp in site.pp --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 6abf9b48..70c97030 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -18,4 +18,8 @@ node 'default' { if 'couchdb' in $services { include site_couchdb } + + if 'webapp' in $services { + include site_webapp + } } -- cgit v1.2.3 From a6daa12966867acae7885f48bc2cdee4553f9099 Mon Sep 17 00:00:00 2001 
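Review bot: `file { '/srv/leap-webapp': ensure => present, ... }` with no `content` or `source` creates an empty regular file when the path does not exist, and the `vcsrepo` resource for the same path neither requires it nor is ordered after it, so a first run can end with git trying to clone into a file; it should be `ensure => directory,`. Separately, the clone tracks a moving branch over an unauthenticated transport (`revision => 'master'`, `source => 'git://code.leap.se/leap_web'`) and the `bundler_update` exec then runs `bundle install` as root, which turns anyone who can push to master or sit on the path to code.leap.se into root on the webapp node; pin `revision` to a tag or commit, use an authenticated URL, and give the exec `user => 'leap-webapp'` with a non-system gem path. This is the whole class, but `bundler::install` with `install_method => ''` is defined elsewhere and I cannot see what an empty method does.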
From: varac Date: Wed, 21 Nov 2012 17:29:54 +0100 Subject: hiera variable for openvpn dh parameters changed --- puppet/modules/site_openvpn/manifests/keys.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index d029fbac..47d0fa26 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -12,7 +12,7 @@ class site_openvpn::keys { } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh_key'], + content => $openvpn_keys['dh'], mode => '0644', } -- cgit v1.2.3 From c2d57624c15dfaff038f9991f04ade46b5ad1d40 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 21 Nov 2012 17:45:44 +0100 Subject: move site_config::eip to site_openvpn (Feature #943) --- puppet/manifests/site.pp | 2 +- puppet/modules/site_config/manifests/eip.pp | 57 ---------------------- puppet/modules/site_openvpn/manifests/init.pp | 55 +++++++++++++++++++++ .../modules/site_shorewall/manifests/dnat_rule.pp | 4 +- puppet/modules/site_shorewall/manifests/eip.pp | 6 +-- 5 files changed, 61 insertions(+), 63 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/eip.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 6abf9b48..0ae86f8e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -12,7 +12,7 @@ node 'default' { # configure eip if 'openvpn' in $services { - include site_config::eip + include site_openvpn } if 'couchdb' in $services { diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp deleted file mode 100644 index 4280fb67..00000000 --- a/puppet/modules/site_config/manifests/eip.pp +++ /dev/null 
@@ -1,57 +0,0 @@ -class site_config::eip { - - # parse hiera config - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - - include site_openvpn - - # deploy ca + server keys - include site_openvpn::keys - - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", - push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", - management => '127.0.0.1 1000' - } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", - push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", - local => $openvpn_gateway_address, - management => '127.0.0.1 1001' - } - - # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", - mode => '0755', - } - - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], - } - - cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", - user => 'root', - special => 'reboot', - } - - include site_shorewall::eip -} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e95e67d5..7268fe76 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp 
+++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,4 +1,59 @@ class site_openvpn { + # parse hiera config + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' + + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + local => $openvpn_gateway_address, + management => '127.0.0.1 1001' + } + + # add second IP on given interface + file { '/usr/local/bin/leap_add_second_ip.sh': + content => "#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", + mode => '0755', + } + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + } + + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } + + include site_shorewall::eip + package { 'openvpn': ensure => installed; 
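Review bot: `management => '127.0.0.1 1000'` and `'127.0.0.1 1001'` open OpenVPN's management interface to any local process, assuming `site_openvpn::server_config` (defined elsewhere) emits this as a bare `management` directive: without a password file or a permission-restricted unix socket, an unprivileged account on the gateway can list connected clients with their real addresses and kill sessions. Consider `management => '/var/run/openvpn-tcp.sock unix'` (and the udp equivalent) with the socket owned by root, or add a pw-file as the third argument. The `include site_openvpn` carried over from site_config::eip is now a self-include of the class being defined — harmless but confusing — and should be dropped; the class body continues past the hunk.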
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 4fc62f85..68f480d8 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -6,7 +6,7 @@ define site_shorewall::dnat_rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -16,7 +16,7 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 086bf75a..57dc17e9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,7 +10,7 @@ class site_shorewall::eip { $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address + $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': 
@@ -42,11 +42,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } + source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 9491f15a64c13f2424b781d32d5734db3bb4a22f Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 21 Nov 2012 13:47:41 -0800 Subject: added x509.commercial_ca_cert. x509.ca_cert is now optional, except for webapp. --- provider_base/common.json | 2 +- provider_base/services/webapp.json | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/provider_base/common.json b/provider_base/common.json index 4e85c9b0..0eeef6e5 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -20,7 +20,7 @@ "use": false, "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil", - "ca_cert": "= file :ca_cert" + "ca_cert": "= try_file :ca_cert" }, "local": "= self.vagrant?" } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ca9edf33..bdef5761 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -15,7 +15,9 @@ }, "x509": { "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap init-ca`'", "commercial_cert": "= file [:commercial_cert, global.provider.domain]", - "commercial_key": "= file [:commercial_key, global.provider.domain]" + "commercial_key": "= file [:commercial_key, global.provider.domain]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } \ No newline at end of file -- cgit v1.2.3 From 0d1ac3dc005721858623ca2e9f0a1d4bf50fff42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 22 Nov 2012 11:06:26 -0500 Subject: remove escaping double-quotes, it turns out these are passed directly to the command causing it to fail --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 107aa617..b44ef01a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -41,7 +41,7 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap-webapp', - command => '/bin/bash -c \"/usr/bin/bundle check || /usr/bin/bundle install\"', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } -- cgit v1.2.3 From 96d60568648555e28effd1398a791241a7ad3f7a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 22 Nov 2012 17:07:08 +0100 Subject: deploy openvpn server.crt and server.key --- puppet/modules/site_openvpn/manifests/init.pp | 1 + puppet/modules/site_openvpn/manifests/keys.pp | 11 +++++------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7268fe76..ae24b276 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
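Review bot: `command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"'` re-implements the guard that `unless => '/usr/bin/bundle check'` already provides, so the shell wrapper (and the quoting problem this commit fixes) can go away entirely: `command => '/usr/bin/bundle install'`. No `user` attribute is visible in the hunk, so unless one is set on the lines outside it, `bundle install` runs as root inside `/srv/leap-webapp` and leaves root-owned files in a checkout the vcsrepo hunk earlier on this page gives to `leap-webapp`; `user => 'leap-webapp'` would keep ownership consistent. The enclosing class site_webapp starts and ends outside the hunk.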
@@ -11,6 +11,7 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $x509_config = hiera('x509') include site_openvpn diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 47d0fa26..e198cbf8 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,28 +1,27 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn') file { '/etc/openvpn/keys/ca.key': - content => $openvpn_keys['ca_key'], + content => $site_openvpn::openvpn_config['ca_key'], mode => '0600', } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca_crt'], + content => $site_openvpn::openvpn_config['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $site_openvpn::openvpn_config['dh'], mode => '0644', } file { '/etc/openvpn/keys/server.key': - content => $openvpn_keys['server_key'], + content => $site_openvpn::x509_config['key'], mode => '0600', } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_crt'], + content => $site_openvpn::x509_config['cert'], mode => '0644', } } -- cgit v1.2.3 From 2944b31e5cd4203938317076c895f0500f7bcf62 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 22 Nov 2012 11:26:50 -0500 Subject: switch to the develop branch for the webapp git repository for deployment/testing. when released, this should track a stable release --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b44ef01a..de8c070a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
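Review bot: `file { '/etc/openvpn/keys/ca.key': content => $site_openvpn::openvpn_config['ca_key'], ... }` installs the CA's private key on every VPN gateway, although an OpenVPN server only needs `ca.crt` (plus its own key, cert and dh) to verify clients; a compromised gateway would then expose the key that signs every client certificate. The later keys.pp hunk on this page drops `ca.key`, so what remains is to confirm no other resource still ships it. None of the `file` resources sets `owner`/`group` or ensures `/etc/openvpn/keys` exists; unless that directory is managed elsewhere, a `file { '/etc/openvpn/keys': ensure => directory, mode => '0700' }` ahead of them keeps the first run on a fresh host from failing on the missing parent.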
@@ -30,7 +30,7 @@ class site_webapp { vcsrepo { '/srv/leap-webapp': ensure => present, - revision => 'master', + revision => 'develop', provider => git, source => 'git://code.leap.se/leap_web', owner => 'leap-webapp', -- cgit v1.2.3 From 0e01b3d162860ec76d17fb4c10089f6bc832bd92 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 22 Nov 2012 17:46:41 +0100 Subject: removed deploy.sh cause leap init-node is taking is takeing care of installing prerequisites --- deploy.sh | 61 ------------------------------------------------------------- 1 file changed, 61 deletions(-) delete mode 100755 deploy.sh diff --git a/deploy.sh b/deploy.sh deleted file mode 100755 index 9a8fcccf..00000000 --- a/deploy.sh +++ /dev/null @@ -1,61 +0,0 @@ -#!/bin/sh -# -# missing: header, license - -bad_usage() { usage 1>&2; [ $# -eq 0 ] || echo "$@"; exit 1; } - -usage() { - cat < /dev/null 2>&1 - if [ ! $? -eq 0 ] - then - apt-get update - apt-get install -y $PACKAGES - fi - - # lsb is needed for a first puppet run - puppet apply $PUPPET_ENV --execute 'include lsb' -} - - -# main - -PUPPET_ENV='--confdir=puppet' - -long_opts="init" -getopt_out=$(getopt --name "${0##*/}" \ - --options "${short_opts}" --long "${long_opts}" -- "$@") && \ - eval set -- "${getopt_out}" || bad_usage -while [ $# -ne 0 ]; do - cur=${1}; next=${2}; - case "$cur" in - --help) usage ; exit 0;; - --init) install_prerequisites ; exit 0;; - --) shift; break;; - esac - shift; -done - -[ $# -gt 0 ] && bad_usage "too many arguments" - -# keep repository up to date -git pull -git submodule init -git submodule update - -# run puppet without irritating deprecation warnings -puppet apply $PUPPET_ENV puppet/manifests/site.pp $@ | grep -v 'warning:.*is deprecated' -- cgit v1.2.3 From 7b803d54a625e13f52a33e1c7a9264b344474df8 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 22 Nov 2012 17:48:29 +0100 Subject: call refresh_apt before installing couchdb, solves https://leap.se/code/issues/994 --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 30ce7f54..10408094 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -16,6 +16,7 @@ class site_couchdb { $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] Class['site_couchdb::package'] + -> Exec['refresh_apt'] -> Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -- cgit v1.2.3 From 0f80d8429832bd118034e5a34444ff04c76fe992 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 22 Nov 2012 11:50:18 -0500 Subject: remove unnecessary blank line in .gitmodules --- .gitmodules | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index 0f30c381..de1c0173 100644 --- a/.gitmodules +++ b/.gitmodules @@ -34,7 +34,6 @@ [submodule "puppet/modules/apache"] path = puppet/modules/apache url = git://code.leap.se/puppet_apache - [submodule "puppet/modules/bundler"] path = puppet/modules/bundler url = git://code.leap.se/puppet_bundler -- cgit v1.2.3 From 74600045dacbdcfc3479f566e997320db5443908 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 22 Nov 2012 20:07:31 +0100 Subject: use origin/develop instead of develop as revision --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index de8c070a..99f6df6c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -30,7 +30,7 @@ class site_webapp { vcsrepo { '/srv/leap-webapp': ensure => present, - revision => 'develop', + revision => 'origin/develop', provider => git, source => 'git://code.leap.se/leap_web', owner => 'leap-webapp', -- cgit v1.2.3 From f3704fc0ac81ca6ccb7e7d19ae931d9c391f3975 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 22 Nov 2012 11:43:23 -0800 Subject: clean up openvpn and x509 paths --- provider_base/services/openvpn.json | 9 ++++----- puppet/modules/site_openvpn/manifests/keys.pp | 9 ++------- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 71d1d2c7..15deab70 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -1,7 +1,9 @@ { "service_type": "user_service", "x509": { - "use": true + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap init-ca`'", + "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap init-dh`'" }, "openvpn": { "location": "Location Unknown", @@ -9,9 +11,6 @@ "protocols": ["tcp", "udp"], "filter_dns": false, "adblock": false, - "user_ips": false, - "ca_crt": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap init-ca`'", - "ca_key": "= file :ca_key, :missing => 'Certificate Authority. Run `leap init-ca`'", - "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap init-dh`'" + "user_ips": false } } diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index e198cbf8..12c1bd8f 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp 
@@ -1,17 +1,12 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.key': - content => $site_openvpn::openvpn_config['ca_key'], - mode => '0600', - } - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::openvpn_config['ca_crt'], + content => $site_openvpn::x509_config['ca_cert'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::openvpn_config['dh'], + content => $site_openvpn::x509_config['dh'], mode => '0644', } -- cgit v1.2.3 From 3c253f7015540dde8e2402ba084cc48a70403d33 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 23 Nov 2012 01:53:34 -0800 Subject: fix bugs in eip-service.json template --- provider_base/files/service-definitions/eip-service.json.erb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb index 095f3530..8dc7211d 100644 --- a/provider_base/files/service-definitions/eip-service.json.erb +++ b/provider_base/files/service-definitions/eip-service.json.erb @@ -17,7 +17,7 @@ gateway["capabilities"] = node.openvpn.pick( :ports, :protocols, :user_ips, :adblock, :filter_dns) gateway["capabilities"]["transport"] = ["openvpn"] - gateway["ip_address"] = node.ip_address + gateway["ip_address"] = node.openvpn.gateway_address gateway["host"] = node.domain.full gateway["cluster"] = underscore(node.openvpn.location) gateways << gateway @@ -28,6 +28,10 @@ end hsh["gateways"] = gateways hsh["clusters"] = clusters.values - + hsh["openvpn_configuration"] = { + "tls-cipher" => "DHE-RSA-AES128-SHA", + "auth" => "SHA1", + "cipher" => "AES-128-CBC" + } generate_json hsh %> \ No newline at end of file -- cgit v1.2.3 From 6dd91a6084521a99789e08f877b359600884ff0d Mon Sep 17 00:00:00 2001 
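Review bot: `hsh["openvpn_configuration"] = { "tls-cipher" => "DHE-RSA-AES128-SHA", "auth" => "SHA1", "cipher" => "AES-128-CBC" }` hard-codes the same three values that `client.ovpn.erb` and `server_config.pp` later on this page also spell out literally; since `auth` and `cipher` must match on both ends or the tunnel passes no data (as the server_config.pp comment itself notes), drift in any one copy breaks every client. Render the three strings from one place — the provider's openvpn settings in hiera, or a single constant that the templates and the manifest both read — instead of repeating them. The same point applies to the client.ovpn.erb hunk and the second server_config.pp hunk. The surrounding template logic starts before the hunk.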
From: elijah Date: Fri, 23 Nov 2012 01:54:07 -0800 Subject: added a template that is used to generate a client config file for openvpn (to be used for testing). --- provider_base/test/openvpn/client.ovpn.erb | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 provider_base/test/openvpn/client.ovpn.erb diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb new file mode 100644 index 00000000..96cb7177 --- /dev/null +++ b/provider_base/test/openvpn/client.ovpn.erb @@ -0,0 +1,28 @@ +client +dev tun +remote-cert-tls server +remote-random +nobind +script-security 2 +verb 3 +auth SHA1 +cipher AES-128-CBC +tls-cipher DHE-RSA-AES128-SHA + +<% manager.services['openvpn'].node_list.each_node do |node| -%> +<% unless node.local -%> +<%= "remote #{node.openvpn.gateway_address} 1194 udp"%> +<% end -%> +<% end -%> + + +<%= read_file! :ca_cert -%> + + + +<%= read_file! :test_client_cert -%> + + + +<%= read_file! :test_client_key -%> + -- cgit v1.2.3 From 3e53ba65fbf1eb48dbe01526342e601a1c10c824 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 23 Nov 2012 01:54:40 -0800 Subject: get rid of paths in webapp.json, use symbolic filenames instead. --- provider_base/services/webapp.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index bdef5761..321c26ea 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -5,8 +5,8 @@ "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]" }, "definition_files": { - "provider": "= file 'service-definitions/provider.json.erb'", - "eip_service": "= file 'service-definitions/eip-service.json.erb'" + "provider": "= file :provider_json_template", + "eip_service": "= file :eip_service_json_template" }, "service_type": "public_service", "api_domain": "= 'api.' + domain.full_suffix", -- cgit v1.2.3 
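Review bot: `script-security 2` lets OpenVPN execute user-defined scripts, but nothing in this client profile declares an `up`, `down` or similar script hook, so the directive only widens what the client process may run; remove it or set `script-security 1` (the default, built-in executables only). The certificate material is inlined via `read_file! :ca_cert`, `:test_client_cert` and `:test_client_key`, but the enclosing `<ca>`/`<cert>`/`<key>` tags are not visible in this rendering — probably page extraction rather than the file, but worth confirming that the generated .ovpn parses. The `auth`/`cipher`/`tls-cipher` literals duplicate the values in eip-service.json.erb, see the note on that hunk.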
From e172773fa29275853649bec14d906d2899bf1de7 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 23 Nov 2012 01:55:05 -0800 Subject: openvpn -- enforce certain cipher choices on the server --- .../site_openvpn/manifests/server_config.pp | 67 +++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 482c6ab7..6fc3a3c2 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,3 +1,57 @@ +# +# Cipher discussion +# ================================ +# +# We want to specify explicit values for the crypto options to prevent a MiTM from forcing +# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher' +# MUST be the same on both ends or no data will get transmitted). +# +# tls-cipher DHE-RSA-AES128-SHA +# +# dkg: For the TLS control channel, we want to make sure we choose a +# key exchange mechanism that has PFS (meaning probably some form of ephemeral +# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher +# (I recommend AES, and 128 bits is probably fine, since there are some known +# weaknesses in the 192- and 256-bit key schedules). That leaves us with the +# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE | +# grep AES128 | grep GCM. +# +# elijah: +# I could not get any of these working: +# * openvpn --show-tls | grep GCM +# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256 +# so, i went with this: +# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM +# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how +# our cert generation interacts with the tls-cipher algorithms. +# +# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set. +# +# auth SHA1 +# +# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists +# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# should be avoided. +# +# elijah: i am not so sure that the digest algo matters for 'auth' option, because +# i think an attacker would have to forge the digest in real time, which is still far from +# a possibility for SHA1. So, i am leaving the default for now (SHA1). +# +# cipher AES-128-CBC +# +# dkg: For the choice of cipher, we need to select an algorithm and a +# cipher mode. 
OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; "dev $openvpn_configname": key => 'dev', value => 'tun', -- cgit v1.2.3 From d70b723f17a6ff7d22a044fe57f1e8438eef5ae7 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 23 Nov 2012 19:37:22 +0100 Subject: enable ip_forwarding #1029 --- puppet/modules/site_openvpn/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index ae24b276..548d1df2 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
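Review bot: `value => 'SHA1'` for the `auth` key sets the data-channel HMAC to SHA-1 even though the header comment added in the first hunk records dkg's recommendation of SHA256 for exactly this setting; HMAC-SHA1 is not practically forgeable today, but SHA256 costs almost nothing here and avoids a later migration that has to be coordinated with every client profile. If it is changed, the same string in `eip-service.json.erb` and `client.ovpn.erb` (earlier hunks on this page) must change with it, since `auth` must agree on both ends as the comment states. The define site_openvpn::server_config continues outside the hunk.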
@@ -39,7 +39,9 @@ class site_openvpn { # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward +", mode => '0755', } -- cgit v1.2.3 From be2300a01a7744986d6ea76b44c663df619aae03 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 24 Nov 2012 21:35:40 -0800 Subject: new leap_cli sets local tag automatically. --- provider_base/common.json | 4 ++-- provider_base/tags/local.json | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 provider_base/tags/local.json diff --git a/provider_base/common.json b/provider_base/common.json index 0eeef6e5..12b9dab6 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -1,6 +1,7 @@ { "ip_address": "REQUIRED", "services": [], + "tags": [], "domain": { "full_suffix": "= global.provider.domain", "internal_suffix": "= global.provider.internal_domain", @@ -21,6 +22,5 @@ "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil", "ca_cert": "= try_file :ca_cert" - }, - "local": "= self.vagrant?" + } } diff --git a/provider_base/tags/local.json b/provider_base/tags/local.json new file mode 100644 index 00000000..9cb16602 --- /dev/null +++ b/provider_base/tags/local.json @@ -0,0 +1,3 @@ +{ + "local": true +} \ No newline at end of file -- cgit v1.2.3 From d5596882123891ea1b3e3c9ddc1a1f683f213771 Mon Sep 17 00:00:00 2001 
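Review bot: `/bin/echo 1 > /proc/sys/net/ipv4/ip_forward` enables IP forwarding as a side effect of the "add second IP" script, so forwarding is switched on only when that script happens to run (each agent run and the `@reboot` cron declared earlier in this class) and is never declared as a persistent kernel setting anyone auditing the host can find. Manage it as a sysctl instead — a `file { '/etc/sysctl.d/<name>.conf': content => "net.ipv4.ip_forward = 1\n" }` that notifies a `sysctl -p` exec, or shorewall's `IP_FORWARDING=On` in shorewall.conf since site_shorewall::eip is already included — so the setting survives a reboot independently of the script. The script is also now a multi-line string inside the manifest; moving it to a `template()` would keep the interpolated `$interface` and `${openvpn_gateway_address}` readable. The enclosing class continues outside the hunk.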
From: Micah Anderson Date: Tue, 27 Nov 2012 12:17:00 -0500 Subject: add passenger and x509 submodules --- .gitmodules | 6 ++++++ puppet/modules/passenger | 1 + puppet/modules/x509 | 1 + 3 files changed, 8 insertions(+) create mode 160000 puppet/modules/passenger create mode 160000 puppet/modules/x509 diff --git a/.gitmodules b/.gitmodules index de1c0173..417457e8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -46,3 +46,9 @@ [submodule "puppet/modules/ruby"] path = puppet/modules/ruby url = git://code.leap.se/puppet_ruby +[submodule "puppet/modules/x509"] + path = puppet/modules/x509 + url = git://code.leap.se/puppet_x509 +[submodule "puppet/modules/passenger"] + path = puppet/modules/passenger + url = git://code.leap.se/puppet_passenger diff --git a/puppet/modules/passenger b/puppet/modules/passenger new file mode 160000 index 00000000..d1b46de8 --- /dev/null +++ b/puppet/modules/passenger @@ -0,0 +1 @@ +Subproject commit d1b46de84acf4d9e3582b64e019935fb1125f9bb diff --git a/puppet/modules/x509 b/puppet/modules/x509 new file mode 160000 index 00000000..d7a252b7 --- /dev/null +++ b/puppet/modules/x509 @@ -0,0 +1 @@ +Subproject commit d7a252b77db843e800ed9fc92a56d5214f432026 -- cgit v1.2.3 From da0d9f3c407ffdae0d7583ef148d7e37cbbc20ad Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 11:12:17 -0500 Subject: add hiera keys for provider include site_webapp::apache --- puppet/modules/site_webapp/manifests/init.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 99f6df6c..08b7f92c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -1,13 +1,17 @@ class site_webapp { + $definition_files = hiera('definition_files') + $provider = $definition_files['provider'] + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] class { 'ruby': ruby_version => '1.9.3' } - include rubygems - class { 'bundler::install': install_method => '' } + include rubygems + include site_webapp::apache + group { 'leap-webapp': ensure => present, allowdupe => false; @@ -46,5 +50,3 @@ class site_webapp { require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } } - - -- cgit v1.2.3 From a2e2f558bcfc4b35c7d81f282d73e06f78590113 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 11:12:43 -0500 Subject: place the provider.json and ca.crt in the webroot --- puppet/modules/site_webapp/manifests/init.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 08b7f92c..22f69e7a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -49,4 +49,15 @@ class site_webapp { unless => '/usr/bin/bundle check', require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } + + file { + '/srv/leap-webapp/public/provider.json': + content => $provider, + owner => leap-webapp, group => leap-webapp, mode => '0644'; + + '/srv/leap-webapp/public/ca.crt': + content => $cert_root, + owner => leap-webapp, group => leap-webapp, mode => '0644'; + } + } -- cgit v1.2.3 From 0876cc7c712f273991cbb1177d7416afd0a1462d Mon Sep 17 00:00:00 2001 
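Review bot: `content => $cert_root` for `'/srv/leap-webapp/public/ca.crt'` references a variable that is never assigned in the visible class: the first hunk of this file defines only `$definition_files` and `$provider`, so unless `$cert_root` is set outside the hunks the resource installs an empty ca.crt in the public webroot. The x509 hash already carries the provider CA (`"ca_cert": "= file :ca_cert, ..."` in webapp.json earlier on this page), so `$x509 = hiera('x509')` and `$cert_root = $x509['ca_cert']` next to the other lookups is what the resource appears to expect. The enclosing class site_webapp continues outside the hunk.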
From: Micah Anderson Date: Tue, 27 Nov 2012 11:49:08 -0500 Subject: add site_webapp class to install the certs/keys/CAs and virtual host configurations --- .../site_apache/templates/vhosts.d/api.conf.erb | 36 +++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 39 ++++++++++++++ puppet/modules/site_webapp/manifests/apache.pp | 61 ++++++++++++++++++++++ 3 files changed, 136 insertions(+) create mode 100644 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb create mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb create mode 100644 puppet/modules/site_webapp/manifests/apache.pp diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb new file mode 100644 index 00000000..fc26190c --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -0,0 +1,36 @@ + + ServerName <%= api_domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= api_domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/leap_api.crt + SSLCertificateKeyFile /etc/x509/keys/leap_api.key + SSLCertificateFile /etc/x509/certs/leap_api.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot /srv/leap_webapp/public + + # Check for maintenance file and redirect all requests + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb new file mode 100644 index 00000000..bb035cd2 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
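Review bot: `DocumentRoot /srv/leap_webapp/public` points at a path that is never created on the node: the vcsrepo in site_webapp checks the application out to `/srv/leap-webapp` (hyphen) and the `provider.json`/`ca.crt` resources on this page are written under `/srv/leap-webapp/public`, so Apache would serve from a missing directory. Change it to `DocumentRoot /srv/leap-webapp/public`; the same typo is in the `leap_webapp.conf.erb` hunk that follows and in the two `Alias /1 /srv/leap_webapp/public` lines added later on this page. The `<VirtualHost>` open/close tags are not visible in this rendering, so confirm the template actually emits them.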
@@ -0,0 +1,39 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt + SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key + SSLCertificateFile /etc/x509/certs/leap_webapp.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot /srv/leap_webapp/public + + # Check for maintenance file and redirect all requests + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp new file mode 100644 index 00000000..d6470186 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/apache.pp 
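Review bot: `SSLProtocol -all +SSLv3 +TLSv1` together with `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH` leaves SSLv3 and the MEDIUM-strength suites (RC4 and similar) negotiable on the provider's public endpoints, which is noticeably weaker than the explicit DHE/AES choices the same series makes for OpenVPN. `SSLProtocol -all +TLSv1` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:@STRENGTH` (adjusted to what the deployed OpenSSL accepts) remove that downgrade room at little cost; apply the same to `api.conf.erb` in the previous hunk. `SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt` also points into `/etc/ssl/certs` while the key and cert live under `/etc/x509/`; confirm that `x509::ca` from apache.pp installs the CA at that path, otherwise Apache should refuse to start on the missing chain file.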
@@ -0,0 +1,61 @@ +class site_webapp::apache { + + $api_domain = hiera('api_domain') + $x509 = hiera('x509') + $commercial_key = $x509['commercial_key'] + $commercial_cert = $x509['commercial_cert'] + $commercial_root = $x509['commercial_ca_cert'] + $api_key = $x509['key'] + $api_cert = $x509['cert'] + $api_root = $x509['ca_cert'] + + $apache_no_default_site = true + include apache::ssl + + apache::module { + 'rewrite': ensure => present; + 'headers': ensure => present; + } + + class { 'passenger': use_munin => false } + + apache::vhost::file { + 'leap_webapp': + content => template('site_apache/vhosts.d/leap_webapp.conf.erb') + } + + apache::vhost::file { + 'api': + content => template('site_apache/vhosts.d/api.conf.erb') + } + + x509::key { + 'leap_webapp': + content => $commercial_key, + notify => Service[apache]; + + 'leap_api': + content => $api_key, + notify => Service[apache]; + } + + x509::cert { + 'leap_webapp': + content => $commercial_cert, + notify => Service[apache]; + + 'leap_api': + content => $api_cert, + notify => Service[apache]; + } + + x509::ca { + 'leap_webapp': + content => $commercial_root, + notify => Service[apache]; + + 'leap_api': + content => $api_root, + notify => Service[apache]; + } +} -- cgit v1.2.3 From e49f4038b9a5c6b8b0d3f0eed8735abf5ef54c0e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 14:40:10 -0500 Subject: map /1 -> document root --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 + puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index fc26190c..49bd5c79 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
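Review bot: `content => template('site_apache/vhosts.d/leap_webapp.conf.erb')` renders a template that reads `domain`, but this class defines only `$api_domain`, so `<%= domain %>` resolves to whatever `$domain` is in scope — on a Puppet node that is normally the facter `domain` fact (the host's DNS domain), not the provider domain from hiera, unless a `$domain` is set in an enclosing scope. Add an explicit lookup next to `$api_domain`, e.g. `$domain_config = hiera('domain')` and `$domain = $domain_config['full_suffix']`, using whichever key of common.json's `domain` hash the vhost should answer for. `$commercial_root = $x509['commercial_ca_cert']` comes from a `try_file` lookup (webapp.json earlier on this page) and may therefore be empty; wrapping `x509::ca { 'leap_webapp': ... }` in `if $commercial_root { ... }` avoids installing an empty CA file when no commercial chain is configured.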
@@ -20,6 +20,7 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap_webapp/public + Alias /1 /srv/leap_webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index bb035cd2..f2b43928 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,9 +22,10 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap_webapp/public + Alias /1 /srv/leap_webapp/public - # Check for maintenance file and redirect all requests RewriteEngine On + # Check for maintenance file and redirect all requests RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f RewriteCond %{SCRIPT_FILENAME} !maintenance.html RewriteCond %{REQUEST_URI} !/images/maintenance.jpg diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d6470186..8532cc38 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -13,6 +13,7 @@ class site_webapp::apache { include apache::ssl apache::module { + 'alias': ensure => present; 'rewrite': ensure => present; 'headers': ensure => present; } -- cgit v1.2.3 From 140975a265b971b14805370dc704e5a10806cd5f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 15:26:58 -0500 Subject: make sure the webapp/public/config directory exists and the eip-service.json is provided there --- puppet/modules/site_webapp/manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 22f69e7a..5eaf9dc1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -2,6 +2,7 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] + $eap_service = $definition_files['eap_service'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -58,6 +59,14 @@ class site_webapp { '/srv/leap-webapp/public/ca.crt': content => $cert_root, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + '/srv/leap-webapp/public/config': + ensure => directory, + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + '/srv/leap-webapp/public/config/eip-service.json': + content => $eap_service, + owner => leap-webapp, group => leap-webapp, mode => '0644'; } } -- cgit v1.2.3 From 05d3c0903f48e9c0d69145c9e027b70a392c9602 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 27 Nov 2012 12:27:35 -0800 Subject: fix webapp: only list couchdb hosts that match node's 'local' value. --- provider_base/common.json | 3 ++- provider_base/services/webapp.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/provider_base/common.json b/provider_base/common.json index 12b9dab6..6d4291c6 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -22,5 +22,6 @@ "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil", "ca_cert": "= try_file :ca_cert" - } + }, + "local": false } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 321c26ea..afb51ee1 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
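Review bot: `$eap_service = $definition_files['eap_service']` looks up a key that does not exist: `definition_files` in webapp.json (earlier on this page) defines `provider` and `eip_service`, so this resolves to undef and `'/srv/leap-webapp/public/config/eip-service.json': content => $eap_service` in the second hunk writes an empty file where clients expect the EIP service definition. Rename both sides to `eip_service`: `$eip_service = $definition_files['eip_service']` and `content => $eip_service`. The enclosing class site_webapp continues outside both hunks.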
@@ -1,7 +1,7 @@ { "webapp": { "modules": ["user", "billing", "help"], - "couchdb_hosts": "= nodes[:services => :couchdb].field('domain.name')", + "couchdb_hosts": "= nodes[:services => :couchdb][:local => local].field('domain.name')", "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]" }, "definition_files": { -- cgit v1.2.3 From 6272b9f72808afc4f5b93616df313d079580fbf7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 15:27:43 -0500 Subject: setup the couchdb class to provide the couchdb connection parameters --- puppet/modules/site_webapp/manifests/couchdb.pp | 16 ++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/couchdb.pp diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp new file mode 100644 index 00000000..caa4f19b --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -0,0 +1,16 @@ +class site_webapp::couchdb { + + $webapp = hiera_array('webapp') + $couchdb_host = $webapp['couchdb_hosts'] + $couchdb_user = $webapp['couchdb_user']['username'] + $couchdb_password = $webapp['couchdb_user']['password'] + + file { + '/srv/leap-webapp/config/couchdb.yml': + content => template('couchdb.yml.erb'), + owner => leap-webapp, + group => leap-webapp, + mode => '0600'; + } + +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 5eaf9dc1..3c374d93 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -12,6 +12,7 @@ class site_webapp { include rubygems include site_webapp::apache + include site_webapp::couchdb group { 'leap-webapp': ensure => present, -- cgit v1.2.3 From e47e7fc15183a5ba4f879c2046ab29515f528903 Mon Sep 17 00:00:00 2001 
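Review bot: `$couchdb_host = $webapp['couchdb_hosts']` in the new site_webapp::couchdb class copies a plural hiera value into a singular variable that the couchdb.yml template then renders as one scalar `host:`. The value is produced by `nodes[:services => :couchdb][:local => local].field('domain.name')` (the webapp.json hunk above), which reads as a list of node names, so with two or more matching couchdb nodes the YAML would receive a stringified array rather than a hostname; I cannot see from this page how the config generator flattens a single match, so confirm against the generated hiera. Either select one entry explicitly when the value is a list, or render every host in the template, and add a comment such as `# couchdb_hosts is a list of node domain names; the Rails config takes exactly one host`. The same assignment appears again in site_ca_daemon/manifests/couchdb.pp later on this page.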
From: Micah Anderson Date: Tue, 27 Nov 2012 15:34:22 -0500 Subject: add the couchdb configuration template --- puppet/modules/site_webapp/templates/couchdb.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml diff --git a/puppet/modules/site_webapp/templates/couchdb.yml b/puppet/modules/site_webapp/templates/couchdb.yml new file mode 100644 index 00000000..f5132599 --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml @@ -0,0 +1,7 @@ +production: + protocol: 'https' + host: <%= couchdb_host %> + port: 443 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + -- cgit v1.2.3 From c1bc263947c3265d4e9e5b2780765351036f756a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:01:40 -0500 Subject: fix name of couchdb.yml template --- puppet/modules/site_webapp/templates/couchdb.yml | 7 ------- puppet/modules/site_webapp/templates/couchdb.yml.erb | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 puppet/modules/site_webapp/templates/couchdb.yml create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.erb diff --git a/puppet/modules/site_webapp/templates/couchdb.yml b/puppet/modules/site_webapp/templates/couchdb.yml deleted file mode 100644 index f5132599..00000000 --- a/puppet/modules/site_webapp/templates/couchdb.yml +++ /dev/null @@ -1,7 +0,0 @@ -production: - protocol: 'https' - host: <%= couchdb_host %> - port: 443 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb new file mode 100644 index 00000000..f5132599 --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -0,0 +1,7 @@ +production: + protocol: 'https' + host: <%= couchdb_host %> + port: 443 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + -- cgit v1.2.3 
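Review bot: `password: <%= couchdb_password %>` and `username: <%= couchdb_user %>` in the new couchdb.yml template are emitted as bare YAML scalars, so a generated password containing `#`, `: `, or a leading `*`, `&`, `!` or quote character is silently truncated or fails to parse instead of being used verbatim. Single-quote them and double any embedded quote, e.g. `password: '<%= couchdb_password.gsub("'", "''") %>'`, which is a valid YAML single-quoted scalar for any input. The same template body is added again as site_ca_daemon/templates/couchdb.yml.erb later on this page and needs the same treatment.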
From 77368affb8773cf91755f47e25c378c7472fb50b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:02:05 -0500 Subject: fix name of eip_service --- puppet/modules/site_webapp/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 3c374d93..c5f33b5a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -2,7 +2,7 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] - $eap_service = $definition_files['eap_service'] + $eip_service = $definition_files['eip_service'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -66,7 +66,7 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0755'; '/srv/leap-webapp/public/config/eip-service.json': - content => $eap_service, + content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; } -- cgit v1.2.3 From a706fff9f79d6f57eff4ec238c3f316c33ae278a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:02:44 -0500 Subject: fix location of couchdb.yml template --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index caa4f19b..38057bf6 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -7,7 +7,7 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml': - content => template('couchdb.yml.erb'), + content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600'; -- cgit v1.2.3 From 6f7f760f7f17da7cb0ff362eac3f78ab042f132d Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 27 Nov 2012 16:02:56 -0500 Subject: switch from hiera_array to just hiera --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 38057bf6..6cac666f 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,6 +1,6 @@ class site_webapp::couchdb { - $webapp = hiera_array('webapp') + $webapp = hiera('webapp') $couchdb_host = $webapp['couchdb_hosts'] $couchdb_user = $webapp['couchdb_user']['username'] $couchdb_password = $webapp['couchdb_user']['password'] -- cgit v1.2.3 From ea60af41f4a5a7bdd67fd7da129716c8f698cf1a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:03:16 -0500 Subject: fix location of SSLCertificateChainFile location --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 +- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 49bd5c79..37c4a727 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -13,7 +13,7 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.crt + SSLCertificateChainFile /etc/ssl/certs/leap_api.pem SSLCertificateKeyFile /etc/x509/keys/leap_api.key SSLCertificateFile /etc/x509/certs/leap_api.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index f2b43928..85e7289b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -15,7 +15,7 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt + SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key SSLCertificateFile /etc/x509/certs/leap_webapp.crt -- cgit v1.2.3 From bef21f7f132438777b2ab92525559ba8ed869fb9 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 28 Nov 2012 14:09:23 -0800 Subject: updated service templates to reflect new command names --- provider_base/services/openvpn.json | 4 ++-- provider_base/services/webapp.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 15deab70..0008a2d2 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -2,8 +2,8 @@ "service_type": "user_service", "x509": { "use": true, - "ca_cert": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap init-ca`'", - "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap init-dh`'" + "ca_cert": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'" }, "openvpn": { "location": "Location Unknown", diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index afb51ee1..b04ed684 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -15,7 +15,7 @@ }, "x509": { "use": true, - "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap init-ca`'", + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "commercial_cert": "= file [:commercial_cert, global.provider.domain]", "commercial_key": "= file [:commercial_key, global.provider.domain]", "commercial_ca_cert": "= try_file :commercial_ca_cert" -- cgit v1.2.3 
From 737d286fdfb8036e8b1078efbec4f9902bc1108e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:54:46 -0500 Subject: updated bundler module to accept 'package' to install_method to be a little more obvious how it is operating --- puppet/modules/bundler | 2 +- puppet/modules/site_webapp/manifests/init.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/bundler b/puppet/modules/bundler index b91d6abf..b4a4a843 160000 --- a/puppet/modules/bundler +++ b/puppet/modules/bundler @@ -1 +1 @@ -Subproject commit b91d6abfa931b8ef63594092d841701d3ee23280 +Subproject commit b4a4a8434616247156e59b860b47cc6256ead8d1 diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c5f33b5a..644cca98 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -8,7 +8,7 @@ class site_webapp { class { 'ruby': ruby_version => '1.9.3' } - class { 'bundler::install': install_method => '' } + class { 'bundler::install': install_method => 'package' } include rubygems include site_webapp::apache -- cgit v1.2.3 From ec7c030c73ab0215bca60494ff310d8b4a5a744d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:55:29 -0500 Subject: change ensure parameter to explicit 'directory' for /srv/leap-webapp --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 644cca98..4da6242c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -28,7 +28,7 @@ class site_webapp { } file { '/srv/leap-webapp': - ensure => present, + ensure => directory, owner => 'leap-webapp', group => 'leap-webapp', require => User['leap-webapp']; -- cgit v1.2.3 From 2727291d734ab5f45be3905982d42192119dce86 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 29 Nov 2012 15:56:14 -0500 Subject: change api CA cert deployment to just symlink to the already deployed file --- puppet/modules/site_webapp/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4da6242c..6a60ab15 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -58,8 +58,8 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0644'; '/srv/leap-webapp/public/ca.crt': - content => $cert_root, - owner => leap-webapp, group => leap-webapp, mode => '0644'; + ensure => link, + target => '/usr/local/share/ca-certificates/leap_api.crt'; '/srv/leap-webapp/public/config': ensure => directory, -- cgit v1.2.3 From 2ac79162239266b6dd0038b54903852675e7c54f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:57:18 -0500 Subject: disable apt pdiffs, they are slow on fast links --- puppet/modules/site_config/manifests/apt.pp | 6 ++++++ puppet/modules/site_config/manifests/init.pp | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_config/manifests/apt.pp diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp new file mode 100644 index 00000000..c7490337 --- /dev/null +++ b/puppet/modules/site_config/manifests/apt.pp @@ -0,0 +1,6 @@ +class site_config::apt { + + apt::apt_conf { '90disable-pdiffs': + content => 'Acquire::PDiffs "false";'; + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 8aa1b54d..7f67ad4e 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp 
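Review bot: `ensure => link, target => '/usr/local/share/ca-certificates/leap_api.crt'` serves the API CA out of the Debian system CA-store drop-in directory, which implies (the x509::ca define is not on this page) that the provider's own API CA is also being installed into the node's trusted-roots bundle by update-ca-certificates. That makes every TLS client on the webapp node trust anything signed by that CA, a wider trust grant than serving the file to clients requires; if that is not intended, point the link at the copy under /etc/x509 instead. The link resource also has no `require` on whatever deploys the target, so on a fresh node it can be created dangling until a later run, and Apache will only follow it if the public directory's `Options` include `FollowSymLinks` or `SymLinksIfOwnerMatch`, which this page does not show. The class body continues outside the hunk.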
@@ -1,9 +1,12 @@ class site_config { - # default class, use by all hosts + # default class, used by all hosts - include apt, lsb, git + include lsb, git - # configure ssh and inculde ssh-keys + # configure apt + include site_config::apt + + # configure ssh and include ssh-keys include site_config::sshd # configure /etc/resolv.conf -- cgit v1.2.3 From 138dcd8cea024d79923e9ae89df975396ed6cac7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 17:13:36 -0500 Subject: include apt in the site_config/apt class --- puppet/modules/site_config/manifests/apt.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp index c7490337..4f611ac8 100644 --- a/puppet/modules/site_config/manifests/apt.pp +++ b/puppet/modules/site_config/manifests/apt.pp @@ -1,5 +1,7 @@ class site_config::apt { + include ::apt + apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } -- cgit v1.2.3 From 6f6d29c43da75b1bd8d2068f8c7cf3ffd0064580 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Dec 2012 14:18:24 +0100 Subject: use site_ca --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9da2174c..304e989d 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -22,4 +22,8 @@ node 'default' { if 'webapp' in $services { include site_webapp } + + if 'ca' in $services { + include site_ca + } } -- cgit v1.2.3 From a8fce0ab83d64b963f5a0f9848c9a0a255038f96 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 15:31:19 -0500 Subject: changed shorewall submodule location, this requires you do a git submodule sync --- .gitmodules | 5 ++++- puppet/modules/augeas | 1 + puppet/modules/shorewall | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) create mode 160000 puppet/modules/augeas diff --git a/.gitmodules b/.gitmodules index 417457e8..6597612b 100644 
--- a/.gitmodules +++ b/.gitmodules @@ -24,7 +24,7 @@ url = git://labs.riseup.net/shared-common [submodule "puppet/modules/shorewall"] path = puppet/modules/shorewall - url = git://labs.riseup.net/shared-shorewall + url = git://code.leap.se/puppet_shorewall [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf url = git://git.puppet.immerda.ch/module-resolvconf.git @@ -52,3 +52,6 @@ [submodule "puppet/modules/passenger"] path = puppet/modules/passenger url = git://code.leap.se/puppet_passenger +[submodule "puppet/modules/augeas"] + path = puppet/modules/augeas + url = git://code.leap.se/puppet_augeas diff --git a/puppet/modules/augeas b/puppet/modules/augeas new file mode 160000 index 00000000..c1e385f5 --- /dev/null +++ b/puppet/modules/augeas @@ -0,0 +1 @@ +Subproject commit c1e385f55f11c81772e243ebb9a7277769d40f92 diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index 911cc18e..cf0f8bb5 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit 911cc18e594bb5a3ab642ebb24615a0447050c32 +Subproject commit cf0f8bb58178df4b7ce54abab3684a2240c43855 -- cgit v1.2.3 From 22e658810e6e47a7d10d06a28610a634a38877b8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 15:49:12 -0500 Subject: update shorewall module to latest revision, fixing a bug on the shorewall.conf sources --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index cf0f8bb5..29e80fe6 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit cf0f8bb58178df4b7ce54abab3684a2240c43855 +Subproject commit 29e80fe61983821dc50ea54a05013c351206d5bd -- cgit v1.2.3 From 3bc680557ca4a70887c99ab9d53cd446730ec00d Mon Sep 17 00:00:00 2001 
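Review bot: The changed and new submodule URLs, `git://code.leap.se/puppet_shorewall` and `git://code.leap.se/puppet_augeas`, use the unauthenticated, unencrypted `git://` transport. Because each submodule is pinned to a commit hash by the accompanying gitlink entries, fetched content is still bound to that hash, so the remaining exposure is availability and disclosure of what is being fetched rather than substitution; `https://` would close that gap if code.leap.se serves it. The `vcsrepo` in site_ca_daemon/manifests/init.pp later on this page uses the same transport without a commit pin, where the concern is larger.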
From: Micah Anderson Date: Tue, 4 Dec 2012 15:50:08 -0500 Subject: set ip_forwarding using augeas --- puppet/modules/site_shorewall/manifests/defaults.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 88981e5f..0ee20744 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,4 +10,13 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } + include augeas + + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + } -- cgit v1.2.3 From 8d50b9ded53420fc4824b77933ce9357b11a5a45 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 22:35:30 -0500 Subject: Stop the [warn] NameVirtualHost *:443 has no VirtualHosts errors When we include apache::ssl it ships the ssl.conf file which sets up the NameVirtualHost *:443, so we just do what that class does fixes: https://leap.se/code/issues/944 --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 92170780..21db3f56 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,9 +1,10 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { $apache_no_default_site = true - include apache::ssl + include apache apache::module { 'rewrite': ensure => present; + 'ssl': ensure => present; 'proxy': ensure => present; 'proxy_http': ensure => present; } -- cgit v1.2.3 From 8b7ca862253b1212ae392c58099df9b6feaa0ca2 Mon Sep 17 00:00:00 2001 
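Review bot: The `augeas { 'enable_ip_forwarding': ... }` resource sets `IP_FORWARDING Yes` from `site_shorewall::defaults`, so every node that includes the defaults class becomes a router, not only the openvpn gateways that need it. Unless the defaults class is only ever included on gateway nodes (not visible here), move this resource to the openvpn-specific shorewall class or guard it with a class parameter, and keep forwarding off on webapp, couchdb and CA nodes. A short comment on the resource stating who needs it, e.g. `# only VPN gateways route client traffic; keep this off elsewhere`, would make the intent reviewable.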
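Review bot: Replacing `include apache::ssl` with `include apache` plus the `'ssl'` module drops whatever else apache::ssl's ssl.conf configured; on modules of this shape that file is typically where the global `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` defaults live, though it is not on this page. Confirm that the `couchdb_proxy` vhost template sets those directives itself (the api.conf.erb hunk earlier on this page shows the webapp vhosts doing so with `SSLHonorCipherOrder on`), otherwise the CouchDB proxy falls back to Apache's permissive defaults. The define's body continues outside the hunk.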
From: Micah Anderson Date: Tue, 4 Dec 2012 22:36:14 -0500 Subject: alphabetize the apache modules --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 21db3f56..a2ca9618 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -3,10 +3,10 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { $apache_no_default_site = true include apache apache::module { - 'rewrite': ensure => present; - 'ssl': ensure => present; 'proxy': ensure => present; 'proxy_http': ensure => present; + 'rewrite': ensure => present; + 'ssl': ensure => present; } apache::vhost::file { 'couchdb_proxy': } # prevent 0-default.conf and 0-default_ssl.conf from apache module -- cgit v1.2.3 From 2a9dbd931e095c933831edd19337607f5f356ae5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 22:36:34 -0500 Subject: remove no longer needed removal of the ports.conf file --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 8 -------- 1 file changed, 8 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index a2ca9618..fb3477db 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -9,14 +9,6 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { 'ssl': ensure => present; } apache::vhost::file { 'couchdb_proxy': } - # prevent 0-default.conf and 0-default_ssl.conf from apache module - # from starting on port 80 / 443 - file { '/etc/apache2/ports.conf': - content => '', - mode => '0644', - owner => 'root', - group => 'root', - } file { '/etc/couchdb/server_cert.pem': mode => '0644', -- cgit v1.2.3 
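Review bot: Deleting the empty `/etc/apache2/ports.conf` override reinstates the distribution default, which on Debian includes `Listen 80`, so the CouchDB proxy node may accept plaintext connections on port 80 again. Whether anything answers there depends on `$apache_no_default_site` and on the `couchdb_proxy` vhost file, neither of which is visible on this page; confirm that no vhost binds `*:80` and that the shorewall policy for couchdb nodes does not open 80. The define's body continues outside the hunk.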
From 450c3ba29c0e8d3a3c8cf1946aa71160b3c48897 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 14:17:52 +0100 Subject: added couchdb hiera variables to services/ca.json --- provider_base/services/ca.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json index 68f970f7..f3758ab6 100644 --- a/provider_base/services/ca.json +++ b/provider_base/services/ca.json @@ -1,4 +1,8 @@ { + "ca": { + "couchdb_hosts": "= nodes[:services => :couchdb][:local => local].field('domain.name')", + "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]" + }, "service_type": "internal_service", "x509": { "use": true -- cgit v1.2.3 From 51f37d8132a44e25350db66b7156892980d3e4fa Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 14:48:55 +0100 Subject: ca -> ca_daemon in site.pp and services/ca.json --- provider_base/services/ca.json | 2 +- puppet/manifests/site.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json index f3758ab6..800c995d 100644 --- a/provider_base/services/ca.json +++ b/provider_base/services/ca.json @@ -1,5 +1,5 @@ { - "ca": { + "ca_daemon": { "couchdb_hosts": "= nodes[:services => :couchdb][:local => local].field('domain.name')", "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]" }, diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 304e989d..c8502bc7 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -24,6 +24,6 @@ node 'default' { } if 'ca' in $services { - include site_ca + include site_ca_daemon } } -- cgit v1.2.3 From 528aaee2f24b2b1b57435df6db42b89af6ba76de Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 7 Dec 2012 14:49:22 +0100 Subject: added module site_ca_daemon --- puppet/modules/site_ca_daemon/manifests/apache.pp | 62 ++++++++++++++++++++++ puppet/modules/site_ca_daemon/manifests/couchdb.pp | 16 ++++++ puppet/modules/site_ca_daemon/manifests/init.pp | 55 +++++++++++++++++++ .../site_ca_daemon/templates/couchdb.yml.erb | 7 +++ 4 files changed, 140 insertions(+) create mode 100644 puppet/modules/site_ca_daemon/manifests/apache.pp create mode 100644 puppet/modules/site_ca_daemon/manifests/couchdb.pp create mode 100644 puppet/modules/site_ca_daemon/manifests/init.pp create mode 100644 puppet/modules/site_ca_daemon/templates/couchdb.yml.erb diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp new file mode 100644 index 00000000..ab6b08fd --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/apache.pp 
@@ -0,0 +1,62 @@ +class site_ca_daemon::apache { + + $api_domain = hiera('api_domain') + $x509 = hiera('x509') + $commercial_key = $x509['commercial_key'] + $commercial_cert = $x509['commercial_cert'] + $commercial_root = $x509['commercial_ca_cert'] + $api_key = $x509['key'] + $api_cert = $x509['cert'] + $api_root = $x509['ca_cert'] + + $apache_no_default_site = true + include apache::ssl + + apache::module { + 'alias': ensure => present; + 'rewrite': ensure => present; + 'headers': ensure => present; + } + + class { 'passenger': use_munin => false } + + apache::vhost::file { + 'leap_ca_daemon': + content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb') + } + + apache::vhost::file { + 'api': + content => template('site_apache/vhosts.d/api.conf.erb') + } + + x509::key { + 'leap_ca_daemon': + content => $commercial_key, + notify => Service[apache]; + + 'leap_api': + content => $api_key, + notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $commercial_cert, + notify => Service[apache]; + + 'leap_api': + content => $api_cert, + notify => Service[apache]; + } + + x509::ca { + 'leap_ca_daemon': + content => $commercial_root, + notify => Service[apache]; + + 'leap_api': + content => $api_root, + notify => Service[apache]; + } +} diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp new file mode 100644 index 00000000..b5a1d2d4 --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp @@ -0,0 +1,16 @@ +class site_ca_daemon::couchdb { + + $ca = hiera('ca_daemon') + $couchdb_host = $ca['couchdb_hosts'] + $couchdb_user = $ca['couchdb_user']['username'] + $couchdb_password = $ca['couchdb_user']['password'] + + file { + '/srv/leap_ca_daemon/config/couchdb.yml': + content => template('site_ca_daemon/couchdb.yml.erb'), + owner => leap_ca_daemon, + group => leap_ca_daemon, + mode => '0600'; + } + +} 
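Review bot: `template('site_apache/vhosts.d/leap_ca_daemon.conf.erb')` references a template this commit does not add (the diffstat lists only the four site_ca_daemon files), so compiling this class would fail until it exists; the init.pp hunk that follows keeps `include site_ca_daemon::apache` commented out, which hides the problem rather than resolving it. The class also declares `apache::vhost::file { 'api': }` and `x509::key`, `x509::cert` and `x509::ca` resources titled `leap_api`, which the `/etc/x509/keys/leap_api.key` path in api.conf.erb suggests are already owned by the webapp's apache class, so a node carrying both the `webapp` and `ca` services would hit duplicate declarations; if the CA daemon is meant to share the API vhost, one class should own those resources and the other depend on it. Add a header comment stating the class is not yet wired in, e.g. `# NOT INCLUDED YET: needs site_apache/vhosts.d/leap_ca_daemon.conf.erb; shares 'api'/'leap_api' resource titles with site_webapp::apache`.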
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp new file mode 100644 index 00000000..c749da12 --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -0,0 +1,55 @@ +class site_ca_daemon { + + #$definition_files = hiera('definition_files') + #$provider = $definition_files['provider'] + #$eip_service = $definition_files['eip_service'] + + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] + + class { 'ruby': ruby_version => '1.9.3' } + + class { 'bundler::install': install_method => 'package' } + + include rubygems + #include site_ca_daemon::apache + include site_ca_daemon::couchdb + + group { 'leap_ca_daemon': + ensure => present, + allowdupe => false; + } + + user { 'leap_ca_daemon': + ensure => present, + allowdupe => false, + gid => 'leap_ca_daemon', + home => '/srv/leap_ca_daemon', + require => [ Group['leap_ca_daemon'] ]; + } + + file { '/srv/leap_ca_daemon': + ensure => directory, + owner => 'leap_ca_daemon', + group => 'leap_ca_daemon', + require => User['leap_ca_daemon']; + } + + vcsrepo { '/srv/leap_ca_daemon': + ensure => present, + revision => 'origin/deploy', + provider => git, + source => 'git://code.leap.se/leap_ca', + owner => 'leap_ca_daemon', + group => 'leap_ca_daemon', + require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ], + notify => Exec['bundler_update'] + } + + exec { 'bundler_update': + cwd => '/srv/leap_ca_daemon', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', + unless => '/usr/bin/bundle check', + require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; + } + +} diff --git a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb new file mode 100644 index 00000000..f5132599 --- /dev/null +++ b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb 
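Review bot: `exec { 'bundler_update': ... }` runs `bundle install` as root (no `user =>`) inside `/srv/leap_ca_daemon`, a checkout owned by the unprivileged `leap_ca_daemon` user and refreshed from a moving `origin/deploy` branch over `git://`. Gemfile evaluation and native-extension builds execute arbitrary code, so whatever can modify that checkout, the service account itself or an on-path party during the unauthenticated fetch, would be executed as root on the next Puppet run. Run it as the service user, `user => 'leap_ca_daemon', group => 'leap_ca_daemon',` and give bundler a writable home, e.g. `environment => ['HOME=/srv/leap_ca_daemon'],`; pinning `revision` to a commit and using `https://` for `source` would close the fetch side. The commented-out `include site_ca_daemon::apache` and the three commented `$definition_files` lines should either be removed or carry a `# TODO` saying why they are parked.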
@@ -0,0 +1,7 @@ +production: + protocol: 'https' + host: <%= couchdb_host %> + port: 443 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + -- cgit v1.2.3 From febd4532872d8b3b6b6e846a6399a63152fac9a0 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 16:39:18 +0100 Subject: removed pinning couchdb to unstable because 1.2.0-3 is in wheezy, finally --- puppet/modules/site_couchdb/manifests/configure.pp | 5 ----- puppet/modules/site_couchdb/manifests/init.pp | 8 +++----- puppet/modules/site_couchdb/manifests/package.pp | 13 ------------- 3 files changed, 3 insertions(+), 23 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/package.pp diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 25ea7a0b..333511b5 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,9 +1,4 @@ class site_couchdb::configure { - Class[site_couchdb::package] -> Class[couchdb] - - class { 'couchdb': - require => Class['site_couchdb::package'], } - file { '/etc/init.d/couchdb': source => 'puppet:///modules/site_couchdb/couchdb', diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 10408094..3f577d8b 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,7 @@ class site_couchdb { + include couchdb + $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] @@ -15,9 +17,7 @@ class site_couchdb { $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - Class['site_couchdb::package'] - -> Exec['refresh_apt'] - -> Package ['couchdb'] + Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] 
@@ -28,8 +28,6 @@ class site_couchdb { -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - # Setup couchdb - include site_couchdb::package include site_couchdb::configure include couchdb::deploy_config diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp deleted file mode 100644 index c091316a..00000000 --- a/puppet/modules/site_couchdb/manifests/package.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_couchdb::package { - - # for now, we need to install couchdb from unstable, - # because of this bug while installing: - # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 - # can be removed when couchdb/1.2.0-2 is integrated into testing - apt::sources_list { 'unstable.list': - source => [ 'puppet:///modules/site_apt/unstable.list'], - } - apt::preferences_snippet{ - 'couchdb': release => 'unstable', priority => 999; - } -} -- cgit v1.2.3 From b525a1799808959f702441b330ff3ab5de8fdf75 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 17:12:10 +0100 Subject: new names for couchdb DBs --- puppet/modules/site_couchdb/manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 3f577d8b..04f2ca1a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -22,8 +22,8 @@ class site_couchdb { -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] -> File['/etc/couchdb/couchdb.netrc'] - -> Couchdb::Create_db[leap_web] - -> Couchdb::Create_db[leap_ca] + -> Couchdb::Create_db['users'] + -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] 
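Review bot: Removing `include site_couchdb::package` stops Puppet managing `apt::sources_list { 'unstable.list' }` and the priority-999 `couchdb` preferences snippet, but it does not remove those files from nodes where they were already deployed; unless the apt module purges unmanaged entries in sources.list.d and preferences.d (not visible here), existing couchdb nodes keep pulling from unstable with the pin in place. Either keep the two resources for one release with `ensure => absent`, or confirm that purging is enabled. The class body continues outside the hunk.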
@@ -52,11 +52,11 @@ class site_couchdb { pw => $couchdb_ca_daemon_pw } - couchdb::create_db { 'leap_web': + couchdb::create_db { 'users': readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } - couchdb::create_db { 'leap_ca': + couchdb::create_db { 'client_certificates': readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } } -- cgit v1.2.3 From 6af460dd3b2e686734df876eff9b621f2162da69 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 7 Dec 2012 15:52:50 -0800 Subject: added hostname tracking and late evaluation. new key "hosts" added, for building /etc/hosts. also, now ssh.known_hosts only includes what is necessary. --- provider_base/common.json | 3 ++- provider_base/services/ca.json | 2 +- provider_base/services/webapp.json | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/provider_base/common.json b/provider_base/common.json index 6d4291c6..42444b1f 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -14,9 +14,10 @@ }, "ssh": { "authorized_keys": "= file :authorized_keys", - "known_hosts": "= file :known_hosts", + "known_hosts": "=> known_hosts_file", "port": 22 }, + "hosts": "=> hosts_file", "x509": { "use": false, "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json index 800c995d..a4ded72b 100644 --- a/provider_base/services/ca.json +++ b/provider_base/services/ca.json @@ -1,6 +1,6 @@ { "ca_daemon": { - "couchdb_hosts": "= nodes[:services => :couchdb][:local => local].field('domain.name')", + "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]" }, "service_type": "internal_service", diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index b04ed684..3eb0ba62 100644 --- a/provider_base/services/webapp.json 
+++ b/provider_base/services/webapp.json @@ -1,7 +1,7 @@ { "webapp": { "modules": ["user", "billing", "help"], - "couchdb_hosts": "= nodes[:services => :couchdb][:local => local].field('domain.name')", + "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]" }, "definition_files": { -- cgit v1.2.3 From 9c671a9b1e4d13545c511eefd1eac274c16f80de Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 8 Dec 2012 20:03:00 -0800 Subject: minor - fix hint. --- provider_base/common.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/provider_base/common.json b/provider_base/common.json index 42444b1f..b5d37f8e 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -1,5 +1,5 @@ { - "ip_address": "REQUIRED", + "ip_address": null, "services": [], "tags": [], "domain": { @@ -20,8 +20,8 @@ "hosts": "=> hosts_file", "x509": { "use": false, - "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap update-cert`') : nil", - "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap update-cert`') : nil", + "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil", + "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert" }, "local": false -- cgit v1.2.3 From d54dabff2726e728da6a9d31588bc2a52783a9a6 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 15:54:32 +0100 Subject: include site_apt::dist_upgrade (fixes #1107) --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 10 ++++++++++ puppet/modules/site_config/manifests/apt.pp | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/dist_upgrade.pp 
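Review bot: `"ip_address": null` replaces the `"REQUIRED"` placeholder, which was at least a visible marker that every node file must override it; unless the `leap` tooling rejects a null `ip_address` when a node is compiled, a node that forgets to set it now renders an empty value and the mistake surfaces later (firewall rules, `/etc/hosts`) instead of at definition time. If null is meant to be the "unset" signal, the tooling should validate it before the config is used. The commit title ("fix hint") only covers the `leap cert update` text change, so this part of the change deserves a mention.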
diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp new file mode 100644 index 00000000..5ae9297f --- /dev/null +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -0,0 +1,10 @@ +class site_apt::dist_upgrade inherits apt::dist_upgrade { + + # really upgrade on every puppetrun + Exec["apt_dist-upgrade"]{ + refreshonly => false, + } + + # Ensure apt-get upgrade has been run before installing any packages + Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> +} diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp index 4f611ac8..f7ba9ac9 100644 --- a/puppet/modules/site_config/manifests/apt.pp +++ b/puppet/modules/site_config/manifests/apt.pp @@ -1,8 +1,10 @@ class site_config::apt { include ::apt + include site_apt::dist_upgrade apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } + } -- cgit v1.2.3 From 62381f11d920a738db6fa673ea29cf4cddd8ebe0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 22:32:16 +0100 Subject: use leap_ca master branch --- puppet/modules/site_ca_daemon/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index c749da12..0bbc9030 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -36,7 +36,7 @@ class site_ca_daemon { vcsrepo { '/srv/leap_ca_daemon': ensure => present, - revision => 'origin/deploy', + revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_ca', owner => 'leap_ca_daemon', -- cgit v1.2.3 From c8dda5249aa146239dd681db98da2c273dd07d77 Mon Sep 17 00:00:00 2001 
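Review bot: Overriding `Exec["apt_dist-upgrade"]` with `refreshonly => false` makes a full dist-upgrade part of every Puppet run, so package replacements and the service restarts they trigger happen whenever the agent runs rather than at a chosen time; the comment should record that this is deliberate and its effect, e.g. `# refreshonly => false: apt-get dist-upgrade runs on every puppet run, not only when apt sources change`. Note also that `Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |>` uses a collector, and a collector on either side of a chaining arrow also realizes any matching virtual Package resources, which may pull in packages that were meant to stay virtual.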
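Review bot: `revision => 'origin/master'` tracks a moving branch head fetched over the unauthenticated `git://code.leap.se/leap_ca` transport shown in the context lines, so each Puppet run can check out whatever is on master at that moment with nothing pinning or verifying it; since this is the code that drives the CA signing key, that is a sensitive deployment path. Pinning to a tag or commit id (`revision => '<pinned tag or commit>'`) and fetching over an authenticated transport would make the deployed code reproducible and verifiable. The vcsrepo resource starts before the hunk.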
From: varac Date: Mon, 10 Dec 2012 22:54:47 +0100 Subject: updated leap_ca_daemon config file, deploying x509 cert+key --- puppet/modules/site_ca_daemon/manifests/couchdb.pp | 4 +-- puppet/modules/site_ca_daemon/manifests/init.pp | 16 +++++++++++ .../site_ca_daemon/templates/couchdb.yml.erb | 7 ----- .../site_ca_daemon/templates/leap_ca.yaml.erb | 31 ++++++++++++++++++++++ 4 files changed, 49 insertions(+), 9 deletions(-) delete mode 100644 puppet/modules/site_ca_daemon/templates/couchdb.yml.erb create mode 100644 puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp index b5a1d2d4..f446a05b 100644 --- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp +++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp @@ -6,8 +6,8 @@ class site_ca_daemon::couchdb { $couchdb_password = $ca['couchdb_user']['password'] file { - '/srv/leap_ca_daemon/config/couchdb.yml': - content => template('site_ca_daemon/couchdb.yml.erb'), + '/etc/leap/leap_ca.yaml': + content => template('site_ca_daemon/leap_ca.yaml.erb'), owner => leap_ca_daemon, group => leap_ca_daemon, mode => '0600'; diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 0bbc9030..aa9219c1 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -3,6 +3,7 @@ class site_ca_daemon { #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] + $x509 = hiera('x509') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] 
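Review bot: The config file moves to `/etc/leap/leap_ca.yaml`, but nothing in the hunk creates the `/etc/leap` directory, so the `file` resource will fail on a host where it does not already exist unless another manifest manages it. A `file { '/etc/leap': ensure => directory, owner => root, group => root, mode => '0755' }` declared before it (or a `require` on such a resource) closes that gap. Keeping mode `0600` and owner `leap_ca_daemon` on the file is right, since the template it renders embeds `couchdb_password`.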
@@ -27,6 +28,19 @@ class site_ca_daemon { require => [ Group['leap_ca_daemon'] ]; } + + x509::key { + 'leap_ca_daemon': + content => $x509['cert'], + #notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $x509['key'], + #notify => Service[apache]; + } + file { '/srv/leap_ca_daemon': ensure => directory, owner => 'leap_ca_daemon', @@ -52,4 +66,6 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } + + } diff --git a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb deleted file mode 100644 index f5132599..00000000 --- a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb +++ /dev/null @@ -1,7 +0,0 @@ -production: - protocol: 'https' - host: <%= couchdb_host %> - port: 443 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb new file mode 100644 index 00000000..e0b95278 --- /dev/null +++ b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb @@ -0,0 +1,31 @@ +# +# Default configuration options for LEAP Certificate Authority Daemon +# + +# +# Certificate Authority +# +ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" +ca_key_password: nil +ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" + +# +# Certificate pool +# +max_pool_size: 100 +client_cert_lifespan: 2 +client_cert_bit_size: 2024 +client_cert_hash: "SHA256" + +# +# Database +# +db_name: "client_certificates" +couch_connection: + protocol: "https" + host: <%= couchdb_host %> + port: 6984 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + prefix: "" + suffix: "" -- cgit v1.2.3 From 3c52477a6c0cb4d4cc3caee2aea350acc51a5c8a Mon Sep 17 00:00:00 2001 
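Review bot: The two new resources have their contents crossed: `x509::key { 'leap_ca_daemon': content => $x509['cert'] }` writes the certificate into the key slot and `x509::cert { 'leap_ca_daemon': content => $x509['key'] }` writes the private key into the certificate slot, which would likely leave the private key under the certs path with whatever (probably readable) mode the x509 module gives certificates. They should read `content => $x509['key'],` and `content => $x509['cert'],` respectively. The commented-out `#notify => Service[apache]` lines look copied from another module and are better dropped than kept as dead code.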
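Review bot: `ca_key_password: nil` is a YAML plain scalar, so it loads as the string `"nil"` rather than a null value unless the daemon special-cases that string; `ca_key_password: ~` (or `null`) expresses the intent. `client_cert_bit_size: 2024` is not a conventional RSA modulus size and reads like a typo for `2048`, and `client_cert_lifespan: 2` carries no unit — a comment such as `# lifespan unit: TODO confirm (days?)` next to it would remove the guesswork. The `couch_connection` block also embeds `couchdb_password`, so the rendered file must keep the `0600` mode that couchdb.pp sets for it.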
From: varac Date: Mon, 10 Dec 2012 23:16:27 +0100 Subject: also deploy ca_cert --- puppet/modules/site_ca_daemon/manifests/init.pp | 33 ++++++++++++++----------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index aa9219c1..db76e0fb 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -3,7 +3,7 @@ class site_ca_daemon { #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] - $x509 = hiera('x509') + $x509 = hiera('x509') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -29,17 +29,24 @@ class site_ca_daemon { } - x509::key { - 'leap_ca_daemon': - content => $x509['cert'], - #notify => Service[apache]; - } - - x509::cert { - 'leap_ca_daemon': - content => $x509['key'], - #notify => Service[apache]; - } + x509::key { + 'leap_ca_daemon': + content => $x509['key'], + #notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $x509['cert'], + #notify => Service[apache]; + } + + x509::ca { + 'leap_ca_daemon': + content => $x509['ca_cert'], + #notify => Service[apache]; + } + file { '/srv/leap_ca_daemon': ensure => directory, @@ -66,6 +73,4 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } - - } -- cgit v1.2.3 From 3f0bbccb1b0020530ae4e4a0682fbf9f5f401e3b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:36:48 +0100 Subject: couchdb: use x509 module to deploy certs (fixes #1063) --- .../site_apache/files/vhosts.d/couchdb_proxy.conf | 4 ++-- .../site_couchdb/manifests/apache_ssl_proxy.pp | 20 ++++++++------------ 2 files changed, 10 insertions(+), 14 deletions(-) 
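Review bot: The three `#notify => Service[apache]` lines are dead, copied-over comments — none of the visible hunks of this class declare an apache service — and should be deleted rather than repeated in every resource. More importantly, nothing here restarts or reloads the CA daemon when the key, certificate or CA certificate changes, and the ownership `x509::key` gives `/etc/x509/keys/leap_ca_daemon.key` is not visible; the daemon runs as `leap_ca_daemon` (see the `owner`/`mode` on its config file in couchdb.pp), so confirm the key ends up readable by that user and by nobody else. The class body continues outside the hunk.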
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf index 79ad931d..0dff2cd6 100644 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -3,8 +3,8 @@ Listen 0.0.0.0:6984 SSLEngine On SSLProxyEngine On - SSLCertificateKeyFile /etc/couchdb/server_key.pem - SSLCertificateFile /etc/couchdb/server_cert.pem + SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key + SSLCertificateFile /etc/x509/certs/leap_couchdb.crt ProxyPass / http://127.0.0.1:5984/ ProxyPassReverse / http://127.0.0.1:5984/ diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index fb3477db..02aae0c3 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -10,20 +10,16 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { } apache::vhost::file { 'couchdb_proxy': } - file { '/etc/couchdb/server_cert.pem': - mode => '0644', - owner => 'couchdb', - group => 'couchdb', - content => $cert, - notify => Service[apache], + x509::key { + 'leap_couchdb': + content => $x509['key'], + notify => Service[apache]; } - file { '/etc/couchdb/server_key.pem': - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - content => $key, - notify => Service[apache], + x509::cert { + 'leap_couchdb': + content => $x509['cert'], + notify => Service[apache]; } } -- cgit v1.2.3 From e8f28cf269fe706ed556f84d6e03d6a574dfa26d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:45:05 +0100 Subject: openvpn: use x509 module to deploy certs (fixes #1064) --- puppet/modules/site_openvpn/manifests/keys.pp | 26 +++++++++++++--------- .../site_openvpn/manifests/server_config.pp | 6 ++--- 2 files changed, 18 insertions(+), 14 deletions(-) 
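Review bot: The new `x509::key`/`x509::cert` resources read `$x509['key']` and `$x509['cert']`, but the define's signature `site_couchdb::apache_ssl_proxy ($key, $cert)` shows the values arrive as `$key` and `$cert`; unless `$x509` is assigned in the nine lines above the hunk, `$x509` is undefined here and both parameters are now unused. The straightforward fix is `content => $key,` and `content => $cert,`. The old `file` resource set the key to mode `0600`; the hunk no longer shows a mode, so confirm `x509::key` keeps `/etc/x509/keys/leap_couchdb.key` non-world-readable.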
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 12c1bd8f..4c43ec05 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,22 +1,26 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::x509_config['ca_cert'], - mode => '0644', + x509::key { + 'leap_openvpn': + content => $site_openvpn::x509_config['key'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', + x509::cert { + 'leap_openvpn': + content => $site_openvpn::x509_config['cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.key': - content => $site_openvpn::x509_config['key'], - mode => '0600', + x509::ca { + 'leap_openvpn': + content => $site_openvpn::x509_config['ca_cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.crt': - content => $site_openvpn::x509_config['cert'], + file { '/etc/openvpn/keys/dh.pem': + content => $site_openvpn::x509_config['dh'], mode => '0644', } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6fc3a3c2..c4f64225 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
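Review bot: `file { '/etc/openvpn/keys/dh.pem': ... }` is the only one of the four resources without `notify => Service[openvpn]`, so a regenerated DH parameter file would be written but OpenVPN would keep using the old parameters until something else restarts it; add `notify => Service[openvpn],` to it for consistency with the three x509 resources. Mode `0644` is fine for DH parameters, which are not secret.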
@@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/keys/ca.crt', + value => '/usr/local/share/ca-certificates/leap_openvpn.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => '/etc/openvpn/keys/server.crt', + value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; "key $openvpn_configname": key => 'key', - value => '/etc/openvpn/keys/server.key', + value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', -- cgit v1.2.3 From 090dca27921efe22fdc39c8598356bfb74e5fe99 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 13:10:30 -0500 Subject: setup /etc/hosts based on a template and the hiera value 'hosts' This will replace the existing /etc/hosts, so we will want to make this more smart later --- puppet/modules/site_config/manifests/hosts.pp | 7 +++++++ puppet/modules/site_config/manifests/init.pp | 3 +++ puppet/modules/site_config/templates/hosts | 11 +++++++++++ 3 files changed, 21 insertions(+) create mode 100644 puppet/modules/site_config/manifests/hosts.pp create mode 100644 puppet/modules/site_config/templates/hosts diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp new file mode 100644 index 00000000..08890a5d --- /dev/null +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -0,0 +1,7 @@ +class site_config::hosts { + + file { '/etc/hosts': + content => template('site_config/hosts'), + mode => '0644', owner => root, group => root; + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 7f67ad4e..268ff2fc 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp 
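Review bot: Pointing the `ca` option at `/usr/local/share/ca-certificates/leap_openvpn.crt` places the VPN client-authentication CA in the directory that `update-ca-certificates` scans for the system trust store, so if `x509::ca` triggers that tool, every TLS client on the host will also trust certificates issued by the VPN CA — a wider scope than authenticating VPN peers. Keeping the CA at a private path (for instance under `/etc/openvpn/keys/`, where it lived before) or confirming that `x509::ca` does not add it to the system store keeps the two trust domains separate. The define site_openvpn::server_config begins outside the hunk.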
@@ -11,4 +11,7 @@ class site_config { # configure /etc/resolv.conf include site_config::resolvconf + + # configure /etc/hosts + include site_config::hosts } diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts new file mode 100644 index 00000000..1a12addc --- /dev/null +++ b/puppet/modules/site_config/templates/hosts @@ -0,0 +1,11 @@ +# This file is managed by puppet, any changes will be overwritten! + +127.0.0.1 localhost +<%= scope.function_hiera('hosts') %> + +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters -- cgit v1.2.3 From 7391fac4a03a9db9655ca992dfed91a51f080f25 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 13:17:06 -0500 Subject: update augeas submodule to try and resolve unreferenced commit --- puppet/modules/augeas | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/augeas b/puppet/modules/augeas index c1e385f5..44e84a98 160000 --- a/puppet/modules/augeas +++ b/puppet/modules/augeas @@ -1 +1 @@ -Subproject commit c1e385f55f11c81772e243ebb9a7277769d40f92 +Subproject commit 44e84a988b859622e7b3583ac27331cf816017ed -- cgit v1.2.3 From cbb834da5de7e2abe7399e34766492bfab48fa9c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 15:37:15 -0500 Subject: test to see if the hosts value is empty before trying to reference it in a template also set the hostname to what the hiera 'name' is set to --- puppet/modules/site_config/manifests/hosts.pp | 10 ++++++++++ puppet/modules/site_config/templates/hosts | 6 ++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 08890a5d..5269bf35 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp 
@@ -1,5 +1,15 @@ class site_config::hosts { + $hosts = hiera('hosts','') + $hostname = hiera('name') + + exec { "/bin/hostname $hostname ": } + + file { "/etc/hostname": + ensure => present, + content => $hostname + } + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', owner => root, group => root; diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 1a12addc..c516eaf8 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,7 +1,9 @@ # This file is managed by puppet, any changes will be overwritten! -127.0.0.1 localhost -<%= scope.function_hiera('hosts') %> +127.0.0.1 localhost +<%- if hosts.to_s != '' then -%> +<%= hosts %> +<% end -%> # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback -- cgit v1.2.3 From 73de38e401dd5e1253d07d3419b74be2605016b1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 15:54:55 -0500 Subject: remove extra space in hostname exec --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 5269bf35..dd8d7e47 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,7 +3,7 @@ class site_config::hosts { $hosts = hiera('hosts','') $hostname = hiera('name') - exec { "/bin/hostname $hostname ": } + exec { "/bin/hostname $hostname": } file { "/etc/hostname": ensure => present, -- cgit v1.2.3 From efb434fff348ee38ce688851791a91a1814240e7 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 11 Dec 2012 16:04:18 -0500 Subject: replace Documentroot path from - to _ --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 37c4a727..05d5f69d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -19,8 +19,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 85e7289b..8c820788 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,8 +21,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests -- cgit v1.2.3 From a3f11bff64069e61df895d8bb9d5d80fdde0e7eb Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:25:11 -0500 Subject: set up an 'initial' run stage to happen before the 'main' run stage and put the site_config::hosts to be in the initial run stage to make sure the hostname is set before anything else. --- puppet/modules/site_config/manifests/hosts.pp | 2 +- puppet/modules/site_config/manifests/init.pp | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) 
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index dd8d7e47..1312f870 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,4 +1,4 @@ -class site_config::hosts { +class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 268ff2fc..bab186d0 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -13,5 +13,11 @@ class site_config { include site_config::resolvconf # configure /etc/hosts - include site_config::hosts + stage { 'initial': + before => Stage['main'], + } + + class { 'site_config::hosts': + stage => initial, + } } -- cgit v1.2.3 From 8d4e198fc0aa750128230659f6eb68d5a74f0f2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:32:56 -0500 Subject: change hostname exec to only apply when either the /etc/hostname or /etc/hosts files are changed (otherwise it runs on every run) --- puppet/modules/site_config/manifests/hosts.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 1312f870..e3408b27 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,13 +3,15 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') - exec { "/bin/hostname $hostname": } - file { "/etc/hostname": ensure => present, content => $hostname } + exec { "/bin/hostname $hostname": + subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ] + } + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', owner => root, group => root; -- cgit v1.2.3 From be2c1c97db09d8db7ebfdc4b6d8e0341f15bce8e Mon Sep 17 00:00:00 2001 
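Review bot: `exec { "/bin/hostname $hostname": ... }` interpolates the hiera `name` value into the command line unquoted, so a value containing whitespace would be split into extra arguments and the host would end up with a different name than intended; quoting it (`exec { "/bin/hostname '${hostname}'":`) or validating `name` against a hostname pattern before use keeps the argument intact. The `file { "/etc/hostname": ... }` resource in the context lines writes `$hostname` without a trailing newline and sets no mode or owner, which is worth aligning with the `/etc/hosts` resource below it.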
From: Micah Anderson Date: Tue, 11 Dec 2012 16:41:01 -0500 Subject: neglected to add the 'refreshonly' parameter to the exec in previous commit --- puppet/modules/site_config/manifests/hosts.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index e3408b27..06cd5c01 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -9,9 +9,10 @@ class site_config::hosts() { } exec { "/bin/hostname $hostname": - subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ] + subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], + refreshonly => true; } - + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', owner => root, group => root; -- cgit v1.2.3 From 51bbe9d6d5ce7e780c25fe31d5250047c97b05e2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:45:56 -0500 Subject: fix couchdb port --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index f5132599..be33770b 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,7 +1,7 @@ production: protocol: 'https' host: <%= couchdb_host %> - port: 443 + port: 6984 username: <%= couchdb_user %> password: <%= couchdb_password %> -- cgit v1.2.3 From 70e4ca82f79e64a59e85c849092ad217d07fc1d5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 18:51:57 -0500 Subject: update shorewall submodule to fix the shorewall.conf problem --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index 29e80fe6..e511291a 160000 --- a/puppet/modules/shorewall 
+++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit 29e80fe61983821dc50ea54a05013c351206d5bd +Subproject commit e511291a111db7a7d88a8820c5423aa5b92304e0 -- cgit v1.2.3 From 063f3329cb6ff5769ea4667516d2f8c63cd236b6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 18:55:41 -0500 Subject: add prefix to couchdb.yaml --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index be33770b..e5678680 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,4 +1,5 @@ production: + prefix: "" protocol: 'https' host: <%= couchdb_host %> port: 6984 -- cgit v1.2.3 From 221976d2814009710b1a392a451fc4684004c971 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Dec 2012 13:14:49 +0100 Subject: no need for sections in shorewall rules from the shorewall-rules manpage: "If no Section Headers appear in the file then all rules are assumed to be in the NEW section." --- puppet/modules/site_shorewall/manifests/defaults.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 0ee20744..d348bf00 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -8,8 +8,6 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - shorewall::rule_section { 'NEW': order => 10; } - include augeas augeas { 'enable_ip_forwarding': -- cgit v1.2.3 From 4639b19a10d0fc2e1562a2135fe1b33b70571155 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 14 Dec 2012 16:20:29 +0100 Subject: moved site_config::apt to site_apt --- puppet/modules/site_apt/manifests/init.pp | 8 ++++++++ puppet/modules/site_config/manifests/apt.pp | 8 -------- puppet/modules/site_config/manifests/init.pp | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) create mode 100644 puppet/modules/site_apt/manifests/init.pp delete mode 100644 puppet/modules/site_config/manifests/apt.pp diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp new file mode 100644 index 00000000..7f8b09a1 --- /dev/null +++ b/puppet/modules/site_apt/manifests/init.pp @@ -0,0 +1,8 @@ +class site_apt { + + include ::apt + + apt::apt_conf { '90disable-pdiffs': + content => 'Acquire::PDiffs "false";'; + } +} diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp deleted file mode 100644 index 4f611ac8..00000000 --- a/puppet/modules/site_config/manifests/apt.pp +++ /dev/null @@ -1,8 +0,0 @@ -class site_config::apt { - - include ::apt - - apt::apt_conf { '90disable-pdiffs': - content => 'Acquire::PDiffs "false";'; - } -} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index bab186d0..ef4ffbd3 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -4,7 +4,7 @@ class site_config { include lsb, git # configure apt - include site_config::apt + include site_apt # configure ssh and include ssh-keys include site_config::sshd -- cgit v1.2.3 From e074a620b3b661a46469f3bba43e699ec77c1a27 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Dec 2012 16:58:51 +0100 Subject: leftover apt sources file, see commit febd45328 --- puppet/modules/site_apt/files/unstable.list | 1 - 1 file changed, 1 deletion(-) delete mode 100644 puppet/modules/site_apt/files/unstable.list 
diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list deleted file mode 100644 index 0e289136..00000000 --- a/puppet/modules/site_apt/files/unstable.list +++ /dev/null @@ -1 +0,0 @@ -deb http://http.debian.net/debian unstable main -- cgit v1.2.3 From d0e49a478584b6ac6e18846e2f0b9b4c0d1c5b21 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Dec 2012 16:59:21 +0100 Subject: deploy custom unettended upgrade file --- puppet/modules/site_apt/files/50unattended-upgrades | 13 +++++++++++++ puppet/modules/site_apt/manifests/init.pp | 2 ++ 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_apt/files/50unattended-upgrades diff --git a/puppet/modules/site_apt/files/50unattended-upgrades b/puppet/modules/site_apt/files/50unattended-upgrades new file mode 100644 index 00000000..1639e68a --- /dev/null +++ b/puppet/modules/site_apt/files/50unattended-upgrades @@ -0,0 +1,13 @@ +Unattended-Upgrade::Origins-Pattern { + "o=${distro_id},n=${distro_codename}"; + "o=${distro_id},n=${distro_codename}-updates"; + "o=${distro_id},n=${distro_codename}-proposed-updates"; + "o=${dis tro_id},n=${distro_codename},l=Debian-security"; +}; + + +Unattended-Upgrade::Mail "root"; + +Unattended-Upgrade::MailOnlyOnError "true"; + + diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 7f8b09a1..7d1d039c 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -5,4 +5,6 @@ class site_apt { apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } + + include ::apt::unattended_upgrades } -- cgit v1.2.3 From af7885a5a4b59985f55d8b28200fc750eb72ddbc Mon Sep 17 00:00:00 2001 
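Review bot: The fourth origin pattern `"o=${dis tro_id},n=${distro_codename},l=Debian-security";` has a space inside `distro_id`, so that macro would not be expanded and the `Debian-security` origin — the one carrying the security updates this file exists to apply — would never match; it should read `"o=${distro_id},n=${distro_codename},l=Debian-security";`. The first three patterns are correct. The two trailing blank lines can be dropped.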
From: varac Date: Sun, 16 Dec 2012 11:17:10 +0100 Subject: no need for custom 50unattended-upgrades with new unattended_upgrades class --- puppet/modules/site_apt/files/50unattended-upgrades | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 puppet/modules/site_apt/files/50unattended-upgrades diff --git a/puppet/modules/site_apt/files/50unattended-upgrades b/puppet/modules/site_apt/files/50unattended-upgrades deleted file mode 100644 index 1639e68a..00000000 --- a/puppet/modules/site_apt/files/50unattended-upgrades +++ /dev/null @@ -1,13 +0,0 @@ -Unattended-Upgrade::Origins-Pattern { - "o=${distro_id},n=${distro_codename}"; - "o=${distro_id},n=${distro_codename}-updates"; - "o=${distro_id},n=${distro_codename}-proposed-updates"; - "o=${dis tro_id},n=${distro_codename},l=Debian-security"; -}; - - -Unattended-Upgrade::Mail "root"; - -Unattended-Upgrade::MailOnlyOnError "true"; - - -- cgit v1.2.3 From cf5d685d01edd77f73fa4f21488dcaf1fe782996 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 11:17:36 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 02bd3269..0d5311b1 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 02bd3269948f1a3c5a586e581a7fec22da69a2cc +Subproject commit 0d5311b1a9fa82e4e423a9e7ce7f5eb919bab40d -- cgit v1.2.3 From c32c92e18d98ed936e55d2aff29afebe49d58d7d Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 14:11:18 +0100 Subject: /usr/local/bin/leap_ca_daemon symlink --- puppet/modules/site_ca_daemon/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index db76e0fb..34b2c522 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp 
@@ -73,4 +73,8 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } + file { '/usr/local/bin/leap_ca_daemon': + ensure => link, + target => '/srv/leap_ca_daemon/bin/leap_ca', + } } -- cgit v1.2.3 From 98063e47889ad7a1b2fbb63513b428c2d53bd1f3 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 14:45:28 +0100 Subject: bind: use local, ipv4 only name-caching resolver (fixes #1171) --- puppet/modules/site_config/files/bind9 | 8 ++++++++ puppet/modules/site_config/files/named.options | 6 ++++++ puppet/modules/site_config/manifests/resolvconf.pp | 21 +++++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 puppet/modules/site_config/files/bind9 create mode 100644 puppet/modules/site_config/files/named.options diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9 new file mode 100644 index 00000000..50d8ed14 --- /dev/null +++ b/puppet/modules/site_config/files/bind9 @@ -0,0 +1,8 @@ +# managed by puppet + +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-u bind -4" + diff --git a/puppet/modules/site_config/files/named.options b/puppet/modules/site_config/files/named.options new file mode 100644 index 00000000..47df6c5d --- /dev/null +++ b/puppet/modules/site_config/files/named.options @@ -0,0 +1,6 @@ +options { + allow-query { 127.0.0.1; }; + allow-transfer { none; }; + listen-on { 127.0.0.1; }; +}; + diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index bd0539b9..b70dfa1c 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp 
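Review bot: The new `file { '/usr/local/bin/leap_ca_daemon': ensure => link, ... }` resource has no ordering against the checkout it points into, so on a first run the link can be created before `Vcsrepo['/srv/leap_ca_daemon']` (visible in the context line just above) has populated `/srv/leap_ca_daemon/bin/leap_ca`. Adding `require => Vcsrepo['/srv/leap_ca_daemon'],` to the resource keeps the link from dangling on a fresh node. The enclosing class site_ca_daemon starts outside the hunk.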
@@ -1,8 +1,29 @@ class site_config::resolvconf { + + # bind9 package { 'bind9': ensure => installed, } + service { 'bind9': + ensure => running, + require => Package['bind9'], + } + + file { '/etc/default/bind9': + source => 'puppet:///modules/site_config/bind9', + require => Package['bind9'], + notify => Service['bind9'], + } + + file { '/etc/bind/named.options': + source => 'puppet:///modules/site_config/named.options', + require => Package['bind9'], + notify => Service['bind9'], + } + + + $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] -- cgit v1.2.3 From 28745a2d4a0cdcf088af5240c67c77f0cde16bb4 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 15:07:38 +0100 Subject: named.options -> named.conf.options --- puppet/modules/site_config/files/named.conf.options | 6 ++++++ puppet/modules/site_config/files/named.options | 6 ------ puppet/modules/site_config/manifests/resolvconf.pp | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_config/files/named.conf.options delete mode 100644 puppet/modules/site_config/files/named.options diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options new file mode 100644 index 00000000..47df6c5d --- /dev/null +++ b/puppet/modules/site_config/files/named.conf.options @@ -0,0 +1,6 @@ +options { + allow-query { 127.0.0.1; }; + allow-transfer { none; }; + listen-on { 127.0.0.1; }; +}; + diff --git a/puppet/modules/site_config/files/named.options b/puppet/modules/site_config/files/named.options deleted file mode 100644 index 47df6c5d..00000000 --- a/puppet/modules/site_config/files/named.options +++ /dev/null @@ -1,6 +0,0 @@ -options { - allow-query { 127.0.0.1; }; - allow-transfer { none; }; - listen-on { 127.0.0.1; }; -}; - diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b70dfa1c..78f83a62 100644 
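Review bot: The `file { '/etc/bind/named.options': ... }` resource added to site_config::resolvconf writes the listen-on/allow-query restrictions to a path that, as far as I can tell, Debian's named.conf never includes (it includes named.conf.options), so the restrictions in the new named.options file would not reach the running server; the following commit in this series renames the file, which confirms the intent. Separately, neither this resource nor `file { '/etc/default/bind9': ... }` declares owner/group/mode, so Puppet leaves whatever permissions the copied file ends up with — add e.g. `owner => root, mode => '0644',` to both so the resolver's configuration is not writable by other accounts. The class body continues past the hunk.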
--- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -16,8 +16,8 @@ class site_config::resolvconf { notify => Service['bind9'], } - file { '/etc/bind/named.options': - source => 'puppet:///modules/site_config/named.options', + file { '/etc/bind/named.conf.options': + source => 'puppet:///modules/site_config/named.conf.options', require => Package['bind9'], notify => Service['bind9'], } -- cgit v1.2.3 From cded90f839871cf6258d7dc28d3ce81cf7f9cf6c Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 18 Dec 2012 10:26:57 -0800 Subject: ca daemon -- ca daemon needs the x509 cert/key for the CA, not for the server. --- provider_base/services/ca.json | 3 ++- puppet/modules/site_ca_daemon/manifests/init.pp | 30 +++++++++++++++++-------- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json index a4ded72b..3fb8bf6c 100644 --- a/provider_base/services/ca.json +++ b/provider_base/services/ca.json @@ -5,6 +5,7 @@ }, "service_type": "internal_service", "x509": { - "use": true + "use": true, + "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')" } } diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 34b2c522..29a70df8 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp 
@@ -31,21 +31,33 @@ class site_ca_daemon { x509::key { 'leap_ca_daemon': - content => $x509['key'], - #notify => Service[apache]; + content => $x509['ca_key']; + #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon } x509::cert { 'leap_ca_daemon': - content => $x509['cert'], - #notify => Service[apache]; + content => $x509['ca_cert']; + #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon } - x509::ca { - 'leap_ca_daemon': - content => $x509['ca_cert'], - #notify => Service[apache]; - } + # + # Does CA need a server key/cert? I think not now. + # + # x509::key { + # 'server': + # content => $x509['key']; + # } + # + # x509::cert { + # 'server': + # content => $x509['cert']; + # } + + # x509::ca { + # 'leap_ca_daemon': + # content => $x509['ca_cert']; + # } file { '/srv/leap_ca_daemon': -- cgit v1.2.3 From 9115e761133cd06e369a22cc357ba718f1fa6020 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 10:07:07 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 0d5311b1..ffb44c91 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 0d5311b1a9fa82e4e423a9e7ce7f5eb919bab40d +Subproject commit ffb44c91db24d30bb9584eb27d52f76958d6b732 -- cgit v1.2.3 From e97a022b52291a2593ee0efbab4c1b8f9d60be01 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 10:56:06 +0100 Subject: move apt-get upgrade to inital stage --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 3 ++- puppet/modules/site_apt/manifests/init.pp | 2 +- puppet/modules/site_config/manifests/init.pp | 5 +++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 5ae9297f..4baabc77 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp 
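Review bot: With `content => $x509['ca_key'];` the CA's signing key is now written onto the ca node through `x509::key { 'leap_ca_daemon': ... }`, and nothing in this hunk shows the owner or mode that define gives the file; since this key can issue certificates for every service, it is worth confirming that x509::key (outside the hunk) writes it mode 0600 and owned by the account the daemon runs as, and recording that above the resource, e.g. `# CA signing key: x509::key installs it 0600 — confirm only the daemon user can read it`. The three commented-out resource blocks (`# x509::key { 'server': ...`, `# x509::cert { 'server': ...`, `# x509::ca { 'leap_ca_daemon': ...`) should be deleted rather than kept as comments; git keeps the history and the `<== no service yet` notes will go stale. The enclosing class site_ca_daemon starts before and ends after the hunk.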
+++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -6,5 +6,6 @@ class site_apt::dist_upgrade inherits apt::dist_upgrade { } # Ensure apt-get upgrade has been run before installing any packages - Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> + # Disables because apt-get update is moved to stage initial + # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> } diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 631f5742..99bcce4f 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,7 +1,7 @@ class site_apt { include ::apt - include site_apt::dist_upgrade + #include site_apt::dist_upgrade apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index ef4ffbd3..69ff2523 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -6,6 +6,7 @@ class site_config { # configure apt include site_apt + # configure ssh and include ssh-keys include site_config::sshd @@ -20,4 +21,8 @@ class site_config { class { 'site_config::hosts': stage => initial, } + + class { 'site_apt::dist_upgrade': + stage => initial, + } } -- cgit v1.2.3 From 2f4fe239515e5aee60f8a04358efd1fc0214ceb9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 16:22:36 +0100 Subject: added ca_daemon initscript for later --- puppet/modules/site_couchdb/files/leap_ca_daemon | 157 +++++++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100755 puppet/modules/site_couchdb/files/leap_ca_daemon diff --git a/puppet/modules/site_couchdb/files/leap_ca_daemon b/puppet/modules/site_couchdb/files/leap_ca_daemon new file mode 100755 index 00000000..9a1a0bc7 --- /dev/null +++ b/puppet/modules/site_couchdb/files/leap_ca_daemon 
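Review bot: The comment that now replaces the ordering constraint in site_apt::dist_upgrade, `# Disables because apt-get update is moved to stage initial`, misstates what moved — it is `site_apt::dist_upgrade` that now runs in stage `initial` (site_config init.pp hunk), not apt-get update — and it leaves the old `Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |>` line behind as commented-out code; drop the commented line and say `# No ordering needed here: site_config runs this class in stage 'initial', before any package is managed.`. The same goes for `#include site_apt::dist_upgrade` in site_apt/manifests/init.pp, which should simply be removed. One thing the hunks cannot show: the apt sources managed by `include ::apt` in site_apt are realised in the main stage, so the upgrade in stage initial presumably runs against whatever sources exist before Puppet has configured them — worth confirming that is acceptable.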
@@ -0,0 +1,157 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: leap_ca_daemon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: leap_ca_daemon initscript +# Description: Controls leap_ca_daemon (see https://github.com/leapcode/leap_ca +# for more information. +### END INIT INFO + +# Author: varac +# + +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="leap_ca_daemon initscript" +NAME=leap_ca_daemon +DAEMON=/usr/local/bin/$NAME +DAEMON_ARGS="run " +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. 
+} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? 
+ #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: -- cgit v1.2.3 From 109334ec46ffdde3a96119fd6108080bd1d45c8a Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 17:39:13 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index ffb44c91..507d5448 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit ffb44c91db24d30bb9584eb27d52f76958d6b732 +Subproject commit 507d5448c85904d6471e829d3afe00cff89e7520 -- cgit v1.2.3 From c3c23bbc27dee3fdcdf9aec6addcc816ad7b52ba Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 19 Dec 2012 12:12:16 -0800 Subject: webapp api now uses a customizable port (so that we don't try to rely on SNI for hosting two TLS domains on one IP). --- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/services/webapp.json | 7 +++++-- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 ++++-- puppet/modules/site_webapp/manifests/apache.pp | 5 ++++- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index c19e5538..f26f25a2 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb 
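Review bot: `do_start` launches the daemon with `start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS` and no `--chuid`, so the CA daemon — the process holding the CA signing key — runs as root; a dedicated unprivileged account via `--chuid $NAME` (with the matching user resource in Puppet) limits what a compromise of the daemon can reach. The script also never creates `$PIDFILE`: no `--make-pidfile --background` is passed, so unless leap_ca writes /var/run/leap_ca_daemon.pid itself, the `--test` check, `do_stop` and `status_of_proc` will not find the process and the second `start-stop-daemon --stop ... --exec $DAEMON` in do_stop becomes the only thing that actually stops it. Minor: `DAEMON_ARGS="run "` carries a trailing space, and the file lives under site_couchdb/files although it controls the ca daemon.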
@@ -11,7 +11,7 @@ hsh['services'] = global.services[:service_type => :user_service].field(:name) hsh['api_version'] = "1" - hsh['api_uri'] = "https://" + api_domain + hsh['api_uri'] = "https://" + api.domain + ':' + api.port hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 3eb0ba62..e40ed0ca 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -9,9 +9,12 @@ "eip_service": "= file :eip_service_json_template" }, "service_type": "public_service", - "api_domain": "= 'api.' + domain.full_suffix", + "api": { + "domain": "= 'api.' + domain.full_suffix", + "port": "4430" + }, "dns": { - "aliases": "= [domain.full, api_domain]" + "aliases": "= [domain.full, api.domain]" }, "x509": { "use": true, diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 05d5f69d..cdfcbd68 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -1,10 +1,12 @@ ServerName <%= api_domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] - +Listen 0.0.0.0:<%= api_port %> + +> ServerName <%= api_domain %> SSLEngine on diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 8532cc38..554b9147 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
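Review bot: `Listen 0.0.0.0:<%= api_port %>` in the api vhost template binds the API port on IPv4 only, and a Listen directive inside a per-vhost file makes Apache refuse to start if any other vhost ever lists the same port; `Listen <%= api_port %>` kept in one place (a conf.d snippet, or this template if it is the only user) covers both address families and avoids the duplicate-Listen failure. The redirect `RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L]` sends every plain-HTTP request to the non-standard port, which is what the commit wants; a one-line comment above it stating that the port is deliberately non-standard (to avoid relying on SNI, per the commit message) would save the next reader from "fixing" it back to 443.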
@@ -1,6 +1,9 @@ class site_webapp::apache { - $api_domain = hiera('api_domain') + $web_api = hiera('api') + $api_domain = $web_api['domain'] + $api_port = $web_api['port'] + $x509 = hiera('x509') $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] -- cgit v1.2.3 From a1fae6722d541fe52d45deb690785562d0751265 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 3 Jan 2013 11:02:10 +0100 Subject: using master branch for webapp now. develop branch is no longer used in webapp dev and will be removed. --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 6a60ab15..ebe58c95 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -36,7 +36,7 @@ class site_webapp { vcsrepo { '/srv/leap-webapp': ensure => present, - revision => 'origin/develop', + revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_web', owner => 'leap-webapp', -- cgit v1.2.3 From 886063ca1db3a4ce8fbd72e4ead9b5f2371979a5 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 11 Jan 2013 17:12:49 -0800 Subject: configure webapp with correct domain --- puppet/modules/site_webapp/manifests/init.pp | 10 ++++++++++ puppet/modules/site_webapp/templates/config.yml.erb | 3 +++ puppet/modules/site_webapp/templates/couchdb.yml.erb | 6 +++--- 3 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_webapp/templates/config.yml.erb diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ebe58c95..22695966 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -3,6 +3,8 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] + $node_domain = hiera('domain') + $provider_domain = $node_domain['full_suffix'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -70,4 +72,12 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0644'; } + file { + '/srv/leap-webapp/config/config.yml': + content => template('site_webapp/config.yml.erb'), + owner => leap-webapp, + group => leap-webapp, + mode => '0600'; + } + } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb new file mode 100644 index 00000000..5e223a58 --- /dev/null +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -0,0 +1,3 @@ +production: + admins: [admin] + domain: <%= @provider_domain %> diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index e5678680..ee521713 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,8 +1,8 @@ production: prefix: "" protocol: 'https' - host: <%= couchdb_host %> + host: <%= @couchdb_host %> port: 6984 - username: <%= couchdb_user %> - password: <%= couchdb_password %> + username: <%= @couchdb_user %> + password: <%= @couchdb_password %> -- cgit v1.2.3 From ec6c48ab589d4174dc192a01c4b99833227c5942 Mon Sep 17 00:00:00 2001 
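Review bot: The new config.yml.erb hard-codes `admins: [admin]`, so whichever account ends up with the username `admin` presumably gets administrator rights in the webapp (how `admins` is interpreted lives in leap_web, not here); if that username is not reserved at signup, the first user to register it becomes an admin. The list should come from provider configuration (a hiera value next to `domain`) rather than a fixed name, and the template deserves a comment such as `# admins: usernames granted admin rights in the webapp — set per provider`. The matching `file { '/srv/leap-webapp/config/config.yml': ... mode => '0600' }` in init.pp is owned by leap-webapp, so the application user can rewrite its own admin list; `owner => root, group => leap-webapp, mode => '0640'` makes it read-only for the application.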
From: elijah Date: Sun, 13 Jan 2013 20:30:24 -0800 Subject: added ability to customize the webapp appearance --- provider_base/files/branding/head.scss | 1 + provider_base/files/branding/tail.scss | 1 + provider_base/provider.json | 3 ++- provider_base/services/webapp.json | 6 +++++- puppet/modules/site_webapp/manifests/init.pp | 17 +++++++++++++++++ 5 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 provider_base/files/branding/head.scss create mode 100644 provider_base/files/branding/tail.scss diff --git a/provider_base/files/branding/head.scss b/provider_base/files/branding/head.scss new file mode 100644 index 00000000..c100a004 --- /dev/null +++ b/provider_base/files/branding/head.scss @@ -0,0 +1 @@ +// no head.scss set diff --git a/provider_base/files/branding/tail.scss b/provider_base/files/branding/tail.scss new file mode 100644 index 00000000..919aeec6 --- /dev/null +++ b/provider_base/files/branding/tail.scss @@ -0,0 +1 @@ +// no tail.scss set diff --git a/provider_base/provider.json b/provider_base/provider.json index de5ad446..b659d47b 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -25,5 +25,6 @@ }, "vagrant":{ "network":"10.5.5.0/24" - } + }, + "hiera_sync_destination": "/etc/leap" } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index e40ed0ca..311f1284 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -2,7 +2,11 @@ "webapp": { "modules": ["user", "billing", "help"], "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", - "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]" + "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]", + "favicon": "= file_path 'branding/favicon.ico'", + "tail_scss": "= file_path 'branding/tail.scss'", + "head_scss": "= file_path 'branding/head.scss'", + "img_dir": "= file_path 'branding/img'" }, "definition_files": { "provider": "= file :provider_json_template", diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 22695966..f7c6565e 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -5,6 +5,7 @@ class site_webapp { $eip_service = $definition_files['eip_service'] $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] + $webapp = hiera('webapp') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -70,6 +71,22 @@ class site_webapp { '/srv/leap-webapp/public/config/eip-service.json': content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + '/srv/leap-webapp/public/favicon.ico': + ensure => 'link', + target => $webapp['favicon']; + + '/srv/leap-webapp/app/assets/stylesheets/tail.scss': + ensure => 'link', + target => $webapp['tail_scss']; + + '/srv/leap-webapp/app/assets/stylesheets/head.scss': + ensure => 'link', + target => $webapp['head_scss']; + + '/srv/leap-webapp/public/img': + ensure => 'link', + target => $webapp['img_dir']; } file { -- cgit v1.2.3 From 2ea357f5214762005d0bdc0b97d95af3d18a94b3 Mon Sep 17 00:00:00 2001 
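Review bot: Two of the four new symlinks in site_webapp point at files this commit does not create: `target => $webapp['favicon']` and `target => $webapp['img_dir']` come from `file_path 'branding/favicon.ico'` / `'branding/img'` in webapp.json, but the diffstat only adds branding/head.scss and branding/tail.scss, so unless a provider supplies those files the links for `/srv/leap-webapp/public/favicon.ico` and `/srv/leap-webapp/public/img` presumably dangle or the file_path lookup fails at compile time. Either add placeholders like the two scss ones or make those two links conditional on the value being set. Since `/srv/leap-webapp/public/img` becomes a symlink into the hiera sync destination (`"hiera_sync_destination": "/etc/leap"` in provider.json), Apache serves it only if FollowSymLinks is enabled for the docroot, and anything dropped into that directory becomes web-reachable; a comment such as `# branding assets are synced to hiera_sync_destination (see provider.json)` would make this easier to audit. The enclosing `file { ... }` block starts before the hunk.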
From: Micah Anderson Date: Tue, 15 Jan 2013 16:59:28 -0500 Subject: add stdlib and unbound submodules --- .gitmodules | 6 ++++++ puppet/modules/stdlib | 1 + puppet/modules/unbound | 1 + 3 files changed, 8 insertions(+) create mode 160000 puppet/modules/stdlib create mode 160000 puppet/modules/unbound diff --git a/.gitmodules b/.gitmodules index 6597612b..594ad749 100644 --- a/.gitmodules +++ b/.gitmodules @@ -55,3 +55,9 @@ [submodule "puppet/modules/augeas"] path = puppet/modules/augeas url = git://code.leap.se/puppet_augeas +[submodule "puppet/modules/stdlib"] + path = puppet/modules/stdlib + url = git://code.leap.se/puppet_stdlib +[submodule "puppet/modules/unbound"] + path = puppet/modules/unbound + url = git://code.leap.se/puppet_unbound diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib new file mode 160000 index 00000000..2df66c04 --- /dev/null +++ b/puppet/modules/stdlib @@ -0,0 +1 @@ +Subproject commit 2df66c041109ecca1099bf3977657572cc32ad24 diff --git a/puppet/modules/unbound b/puppet/modules/unbound new file mode 160000 index 00000000..d8bf530e --- /dev/null +++ b/puppet/modules/unbound @@ -0,0 +1 @@ +Subproject commit d8bf530ec42fdc4d2281169234964d28d8a689ac -- cgit v1.2.3 From e9ddc9e157ca6491594ac3434d1838a51daa0218 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 10:53:37 -0500 Subject: remove unnecessary include that was left over from c2d57624c15dfaff038f9991f04ade46b5ad1d40: --- puppet/modules/site_openvpn/manifests/init.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 548d1df2..5505b8fc 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,8 +13,6 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') - include site_openvpn - # deploy ca + server keys include site_openvpn::keys -- cgit v1.2.3 
From 5385602a435acb92e1588f74296b6a5339385199 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 10:54:32 -0500 Subject: setup site_unbound with a basic caching-only configuration and include that on the openvpn gateway (see #1172) --- puppet/modules/site_openvpn/manifests/init.pp | 2 ++ puppet/modules/site_unbound/manifests/init.pp | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 puppet/modules/site_unbound/manifests/init.pp diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 5505b8fc..d3c3e387 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,6 +13,8 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') + include site_unbound + # deploy ca + server keys include site_openvpn::keys diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp new file mode 100644 index 00000000..6a210ab2 --- /dev/null +++ b/puppet/modules/site_unbound/manifests/init.pp @@ -0,0 +1,20 @@ +class site_unbound { + + class { 'unbound': + root_hints => false, + anchor => false, + ssl => false + settings => { + server => { + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ] + } + } + } + +} -- cgit v1.2.3 From 06757bf230dc616832cf2eb560ee9c1570cc1a07 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 10:59:42 -0500 Subject: fix syntax error --- puppet/modules/site_unbound/manifests/init.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp index 6a210ab2..a968ac62 100644 --- a/puppet/modules/site_unbound/manifests/init.pp 
+++ b/puppet/modules/site_unbound/manifests/init.pp @@ -3,7 +3,7 @@ class site_unbound { class { 'unbound': root_hints => false, anchor => false, - ssl => false + ssl => false, settings => { server => { verbosity => '1', @@ -16,5 +16,4 @@ class site_unbound { } } } - } -- cgit v1.2.3 From 4e0021dede8aae43760b3e9a4b2317c3ed4c1e0d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 13:08:24 -0500 Subject: Swtich from bind9 as the local caching resolver to unbound. This will enable us to do tor lookups over DNS on servers, if tor services are defined. To do this, we remove the bind9 configurations from site_config::resolvconf.pp and replace it with site_config::caching_resolver with a basic unbound configuration that can be used everywhere. The unbound configuration enables a /etc/unbound/conf.d directory for additional config snippits that can be dropped in from other places. This will be used for setting up different interfaces in the vpn gateway, for example. There will be a set of transition package/file absent blocks to clean up providers. --- puppet/modules/site_config/files/bind9 | 8 ----- .../modules/site_config/files/named.conf.options | 6 ---- .../site_config/manifests/caching_resolver.pp | 35 ++++++++++++++++++++++ puppet/modules/site_config/manifests/init.pp | 3 ++ puppet/modules/site_config/manifests/resolvconf.pp | 14 +++------ puppet/modules/site_unbound/manifests/init.pp | 19 ------------ 6 files changed, 42 insertions(+), 43 deletions(-) delete mode 100644 puppet/modules/site_config/files/bind9 delete mode 100644 puppet/modules/site_config/files/named.conf.options create mode 100644 puppet/modules/site_config/manifests/caching_resolver.pp delete mode 100644 puppet/modules/site_unbound/manifests/init.pp diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9 deleted file mode 100644 index 50d8ed14..00000000 --- a/puppet/modules/site_config/files/bind9 +++ /dev/null 
@@ -1,8 +0,0 @@ -# managed by puppet - -# run resolvconf? -RESOLVCONF=no - -# startup options for the server -OPTIONS="-u bind -4" - diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options deleted file mode 100644 index 47df6c5d..00000000 --- a/puppet/modules/site_config/files/named.conf.options +++ /dev/null @@ -1,6 +0,0 @@ -options { - allow-query { 127.0.0.1; }; - allow-transfer { none; }; - listen-on { 127.0.0.1; }; -}; - diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp new file mode 100644 index 00000000..e4374d8f --- /dev/null +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -0,0 +1,35 @@ +class site_config::caching_resolver { + + # Setup a conf.d directory to place additional unbound configuration files + # there must be at least one file in the directory, or unbound will not + # start, so create an empty placeholder to ensure this + file { + '/etc/unbound/conf.d': + ensure => directory, + owner => root, group => root, mode => '0755'; + + '/etc/unbound/conf.d/placeholder': + ensure => present, + content => '', + owner => root, group => root, mode => '0644'; + } + + class { 'unbound': + root_hints => false, + anchor => false, + ssl => false, + require => File['/etc/unbound/conf.d/placeholder'], + settings => { + server => { + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ], + include => '/etc/unbound/conf.d/*' + } + } + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 69ff2523..f05bca1c 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp 
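Review bot: `class { 'unbound': root_hints => false, anchor => false, ... }` in the new site_config::caching_resolver leaves no record of what switching the trust anchor off means; going by the parameter name it presumably means no DNSSEC trust anchor is installed, so answers cached here are not validated, which matters because the commit message says this resolver will be used on every node. Add a comment stating the decision and its consequence, e.g. `# anchor => false: no DNSSEC trust anchor, so answers are not validated — TODO confirm this is intended for a resolver used everywhere`. Also `include => '/etc/unbound/conf.d/*'` pulls in every file in that directory, editor backups and stray files included; a narrower glob such as `'/etc/unbound/conf.d/*.conf'` together with matching snippet names keeps an unrelated file from changing resolver settings.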
@@ -13,6 +13,9 @@ class site_config { # configure /etc/resolv.conf include site_config::resolvconf + # configure caching, local resolver + include site_config::caching_resolver + # configure /etc/hosts stage { 'initial': before => Stage['main'], diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 78f83a62..3579aaf2 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -2,28 +2,22 @@ class site_config::resolvconf { # bind9 package { 'bind9': - ensure => installed, + ensure => absent, } service { 'bind9': - ensure => running, + ensure => stopped, require => Package['bind9'], } file { '/etc/default/bind9': - source => 'puppet:///modules/site_config/bind9', - require => Package['bind9'], - notify => Service['bind9'], + ensure => absent; } file { '/etc/bind/named.conf.options': - source => 'puppet:///modules/site_config/named.conf.options', - require => Package['bind9'], - notify => Service['bind9'], + ensure => absent; } - - $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp deleted file mode 100644 index a968ac62..00000000 --- a/puppet/modules/site_unbound/manifests/init.pp +++ /dev/null @@ -1,19 +0,0 @@ -class site_unbound { - - class { 'unbound': - root_hints => false, - anchor => false, - ssl => false, - settings => { - server => { - verbosity => '1', - interface => [ '127.0.0.1', '::1' ], - port => '53', - hide-identity => 'yes', - hide-version => 'yes', - harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ] - } - } - } -} -- cgit v1.2.3 From 6375cda36fc21687c59095e4750189b65a2c3b52 Mon Sep 17 00:00:00 2001 
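Review bot: `service { 'bind9': ensure => stopped, require => Package['bind9'] }` now orders the stop after the package is removed, which is backwards: with the package gone the init script may be missing and the stop can fail, and until then an already-running named keeps port 53 busy for unbound. Stop it first: `service { 'bind9': ensure => stopped, before => Package['bind9'] }`. `ensure => absent` is a remove, not a purge, so the explicit `ensure => absent` on the two bind conffiles is still needed and deserves a comment saying so.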
From: Micah Anderson Date: Wed, 16 Jan 2013 14:53:09 -0500 Subject: update unbound submodule to fix infinite service restart problem --- puppet/modules/site_openvpn/manifests/init.pp | 5 +++-- puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++++ puppet/modules/unbound | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/resolver.pp diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index d3c3e387..4606179c 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,8 +13,6 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') - include site_unbound - # deploy ca + server keys include site_openvpn::keys @@ -55,6 +53,9 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a special => 'reboot', } + # setup the resolver to listen on the vpn IP + include site_openvpn::resolver + include site_shorewall::eip package { diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp new file mode 100644 index 00000000..0f0510c1 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -0,0 +1,8 @@ +class site_openvpn::resolver { + + file { '/etc/unbound/conf.d/vpn_resolver': + content => "interface: $openvpn_gateway_address\n", + owner => root, group => root, mode => '0644', + require => Exec['/usr/local/bin/leap_add_second_ip.sh']; + } +} diff --git a/puppet/modules/unbound b/puppet/modules/unbound index d8bf530e..ca7eb732 160000 --- a/puppet/modules/unbound +++ b/puppet/modules/unbound @@ -1 +1 @@ -Subproject commit d8bf530ec42fdc4d2281169234964d28d8a689ac +Subproject commit ca7eb732064ce29fc83d4c32a4df7d9512d45802 -- cgit v1.2.3 From 4c649b08e215b229c280d0f15730418033b13fb9 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 16 Jan 2013 14:54:49 -0500 Subject: setup openvpn gateway resolver to listen on the udp/tcp virtual network ips so that queries can be made from clients on the vpn --- puppet/modules/site_openvpn/manifests/resolver.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 0f0510c1..eaa765fe 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -1,8 +1,14 @@ class site_openvpn::resolver { - file { '/etc/unbound/conf.d/vpn_resolver': - content => "interface: $openvpn_gateway_address\n", - owner => root, group => root, mode => '0644', - require => Exec['/usr/local/bin/leap_add_second_ip.sh']; + file { + '/etc/unbound/conf.d/vpn_udp_resolver': + content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n", + owner => root, group => root, mode => '0644', + require => Service['openvpn']; + + '/etc/unbound/conf.d/vpn_tcp_resolver': + content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n", + owner => root, group => root, mode => '0644', + require => Service['openvpn']; } } -- cgit v1.2.3 From 03d2b1aec2a9ccd61f4804277c80541698f1dab8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 13:56:47 -0500 Subject: fix unbound access control --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index eaa765fe..57a2d147 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
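Review bot: `require => Service['openvpn']` on both `file` resources only orders puppet resources on the run that creates the snippets; it does not order services at boot, so an unbound started before the tun interfaces exist will fail to bind `${openvpn_udp_network_prefix}.1` and `${openvpn_tcp_network_prefix}.1` and refuse to start. That is worth a comment on each resource, plus either a boot-order dependency on openvpn or, if the packaged unbound supports it, `ip-freebind: yes` in the same snippet. Which unbound version is deployed is not visible here, so the option's availability needs confirming.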
@@ -2,12 +2,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n", + content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n", + content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From ad3da4a59aebb6b7facc2e6616d8b81039b29892 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:17:18 -0500 Subject: unfortunately the version of unbound that is in wheezy does not support wildcard include directives, so this commit works around this by doing something less elegant than before. When we have the newer unbound available, we should switch to that method instead. --- .../site_config/manifests/caching_resolver.pp | 15 ++++++++++----- puppet/modules/site_openvpn/manifests/resolver.pp | 20 ++++++++++++++++++++ 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index e4374d8f..ab2f52d1 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp 
@@ -1,8 +1,14 @@ class site_config::caching_resolver { - # Setup a conf.d directory to place additional unbound configuration files - # there must be at least one file in the directory, or unbound will not - # start, so create an empty placeholder to ensure this + # Setup a conf.d directory to place additional unbound configuration files. + # There must be at least one file in the directory, or unbound will not start, + # so create an empty placeholder to ensure this. + + # Note: the version of unbound we are working with does not accept a wildcard + # for an include directive, so we are not able to use this. When we can use + # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the + # configuration file + file { '/etc/unbound/conf.d': ensure => directory, @@ -27,8 +33,7 @@ class site_config::caching_resolver { hide-identity => 'yes', hide-version => 'yes', harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ], - include => '/etc/unbound/conf.d/*' + access-control => [ '127.0.0.0/8 allow', '::1 allow' ] } } } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 57a2d147..c8ef729c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
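Review bot: The new comment in the first hunk names the wrong path: it says `'include: /etc/unbound.d/*'` while the directory this class creates is `/etc/unbound/conf.d`, so the eventual follow-up would be pointed at a location that does not exist. Suggest `# the newer unbound, then we will add 'include: /etc/unbound/conf.d/*' to the`. The sentence before it still says the placeholder exists so that unbound will start with the include, which no longer applies once the `include` setting is removed in the second hunk; rewording it to say the placeholder is kept for when the wildcard include returns keeps the comment honest.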
@@ -1,5 +1,25 @@ class site_openvpn::resolver { + # this is an unfortunate way to get around the fact that the version of + # unbound we are working with does not accept a wildcard include directive + # (/etc/unbound/conf.d/*), when it does, these line definitions should + # go away and instead the caching_resolver should be configured to + # include: /etc/unbound/conf.d/* + + line { + 'add_tcp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound']; + + 'add_udp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound']; + } + file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", -- cgit v1.2.3 From 7444310ba919a871cbe646501c784af3f81f3d47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:21:15 -0500 Subject: fully qualify the variables that are used in the vpn gateway resolver --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c8ef729c..c695b49a 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
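Review bot: The two `line` resources append `server: include: /etc/unbound/conf.d/vpn_*_resolver` to unbound.conf and notify `Service['unbound']`, but nothing orders them after the `file` resources that create those snippets (which in turn wait on `Service['openvpn']`), so on a first run unbound can be restarted with an `include:` pointing at a file that does not exist yet and fail to start. Add `require => File['/etc/unbound/conf.d/vpn_tcp_resolver']` and `require => File['/etc/unbound/conf.d/vpn_udp_resolver']` to the respective `line` resources. If `/etc/unbound/unbound.conf` is itself templated by the unbound module, it will be rewritten on every run and these lines re-added each time, restarting the service on every puppet run; that is inferred and worth confirming. The class body continues past the hunk.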
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From ff1c732fbe76abe8fcb39e82233ad76e6acf3ab8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:31:24 -0500 Subject: set a default exec path for all nodes --- puppet/manifests/site.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index c8502bc7..a1917d6e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,3 +1,6 @@ +# set a default exec path +Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } + node 'default' { # prerequisites import 'common' -- cgit v1.2.3 From 9d66c6712028c95212dba7a8d5a870efc70ce204 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:33:22 -0500 Subject: change to using the CIDR notation for unbound access list --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c695b49a..d77fd8b0 100644 
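Review bot: The default `Exec` path has a stray trailing slash in `/usr/sbin/`; harmless to the shell but inconsistent with the other entries, and it is inherited by every exec that does not set its own path. Suggest `Exec { path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }`.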
--- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From 1c348dee62a30e33f7e00b9584629c89dcac016a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:35:14 -0500 Subject: fix typo in cidr variable name --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d77fd8b0..590af8ac 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From fdcc33d4491470d88e1ab7e9869a3236d1e2c5fe Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:38:11 -0500 Subject: notify unbound when these configuration files change --- puppet/modules/site_openvpn/manifests/resolver.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 590af8ac..d3963c95 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -23,12 +23,14 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, group => root, mode => '0644', - require => Service['openvpn']; + owner => root, group => root, mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; '/etc/unbound/conf.d/vpn_tcp_resolver': content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, group => root, mode => '0644', - require => Service['openvpn']; + owner => root, group => root, mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; } } -- cgit v1.2.3 From f9eb0d17ac2fabd8688201d9816a9a575d3b8d6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 17:18:24 -0500 Subject: require the augeas class before doing any augeas operations (#1215) --- puppet/modules/site_shorewall/manifests/defaults.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d348bf00..d5f60ec6 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -14,7 +14,8 @@ class site_shorewall::defaults { changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + notify => Service[shorewall], + require => Class[augeas]; } } -- cgit v1.2.3 From b81891c036f4573a8bc314e11d3be61fbbbd9aff Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 18 Jan 2013 16:37:39 +0100 Subject: create cronjob for leap_ca --- puppet/modules/site_ca_daemon/manifests/init.pp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 29a70df8..4ec5b00b 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -87,6 +87,16 @@ class site_ca_daemon { file { '/usr/local/bin/leap_ca_daemon': ensure => link, - target => '/srv/leap_ca_daemon/bin/leap_ca', + target => '/srv/leap_ca_daemon/bin/leap_ca_daemon', } + + file { '/etc/cron.hourly/leap_ca': + ensure => present, + content => "#/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null", + owner => 'root', + group => 0, + mode => '0755', + } + + } -- cgit v1.2.3 From 27651e6188325880244fe17d3bf82c3068095e8a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 18 Jan 2013 22:32:47 +0100 Subject: linted --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 4baabc77..adf165bd 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,11 +1,11 @@ class site_apt::dist_upgrade inherits apt::dist_upgrade { # really upgrade on every puppetrun - Exec["apt_dist-upgrade"]{ - refreshonly => false, + Exec['apt_dist-upgrade']{ + refreshonly => false, } # Ensure apt-get upgrade has been run before installing any packages # Disables because apt-get update is moved to stage initial - # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> + # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> } -- cgit v1.2.3 From fc59f6c6a22a4659cefa29e18a658c852c6e89f7 Mon Sep 17 00:00:00 2001 
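Review bot: The cron script content starts with `#/bin/sh`, which is a comment rather than a shebang (the `!` is missing), so run-parts cannot exec the file and the hourly job never runs. Change it to `content => "#!/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null\n",` (the trailing newline also avoids an unterminated last line). Redirecting only stdout is fine since stderr still reaches cron mail, but a one-line comment above the resource saying that this is the intended failure channel would help the next reader.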
From: varac Date: Sun, 20 Jan 2013 14:09:50 +0100 Subject: configure fqdn for host --- puppet/modules/site_config/templates/hosts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c516eaf8..05fb56b9 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,6 +1,8 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost +127.0.1.1 <%= hostname %>.<%= domain %> <%= hostname %> + <%- if hosts.to_s != '' then -%> <%= hosts %> <% end -%> -- cgit v1.2.3 From 1d9f25303a58f15feec071d81ddf13291fdd6002 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Jan 2013 15:07:33 +0100 Subject: remove bind9 service stop (#1421) --- puppet/modules/site_config/manifests/resolvconf.pp | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 3579aaf2..a525d8c6 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -1,19 +1,12 @@ class site_config::resolvconf { - # bind9 + # bind9 purging can be taken out after some time package { 'bind9': ensure => absent, } - - service { 'bind9': - ensure => stopped, - require => Package['bind9'], - } - file { '/etc/default/bind9': ensure => absent; } - file { '/etc/bind/named.conf.options': ensure => absent; } -- cgit v1.2.3 From d7f7bad9b6d4a45aa06c74a1f630b38a534092e0 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Jan 2013 15:26:26 +0100 Subject: configure fqdn for host --- puppet/modules/site_config/manifests/hosts.pp | 2 ++ puppet/modules/site_config/manifests/init.pp | 2 ++ puppet/modules/site_config/manifests/resolvconf.pp | 3 +-- puppet/modules/site_config/templates/hosts | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 06cd5c01..80619e33 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,6 +3,8 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') + $domain_public = $domain_hash['full_suffix'] + file { "/etc/hostname": ensure => present, content => $hostname diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index f05bca1c..c27074ed 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -1,4 +1,6 @@ class site_config { + $domain_hash = hiera('domain') + # default class, used by all hosts include lsb, git diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index a525d8c6..adecb838 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -11,8 +11,7 @@ class site_config::resolvconf { ensure => absent; } - $domain_hash = hiera('domain') - $domain_public = $domain_hash['public'] + $domain_public = $domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 05fb56b9..00cc6a79 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,7 +1,7 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= hostname %>.<%= domain %> <%= hostname %> +127.0.1.1 <%= hostname %>.<%= @domain_public %> <%= hostname %> <%- if hosts.to_s != '' then -%> <%= hosts %> -- cgit v1.2.3 From 5fdcfd3b80a038a18aba9a975270acc686efd185 Mon Sep 17 00:00:00 2001 
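Review bot: `$domain_public = $domain_hash['full_suffix']` in `site_config::hosts` (and the same assignment in the `resolvconf.pp` hunk of this commit) reads `$domain_hash`, which is declared in `class site_config`; that only resolves through dynamic scoping, which is deprecated and breaks as soon as the classes are included from anywhere other than inside `site_config`. Reference it explicitly: `$domain_public = $site_config::domain_hash['full_suffix']`. The hosts template also mixes `@domain_public` with bare `hostname`/`hosts`; using the `@` form for all three is the forward-compatible spelling.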
From: varac Date: Sun, 20 Jan 2013 17:47:03 +0100 Subject: don't run if another apt-get process is running --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index adf165bd..87a2fc00 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,11 +1,11 @@ class site_apt::dist_upgrade inherits apt::dist_upgrade { - # really upgrade on every puppetrun + if $::apt_running == 'true' { + fail ('apt-get is running in background - Please wait until it finishes. Exiting.') + } + # ensue dist-upgrade on every puppetrun Exec['apt_dist-upgrade']{ refreshonly => false, } - # Ensure apt-get upgrade has been run before installing any packages - # Disables because apt-get update is moved to stage initial - # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> } -- cgit v1.2.3 From 9ae011f2cbedfae166281f2f6a097acec35c943b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 21 Jan 2013 12:14:43 -0500 Subject: update augeas submodule to get new upstream lints and package fixes for wheezy --- puppet/modules/augeas | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/augeas b/puppet/modules/augeas index 44e84a98..4d8c8ba3 160000 --- a/puppet/modules/augeas +++ b/puppet/modules/augeas @@ -1 +1 @@ -Subproject commit 44e84a988b859622e7b3583ac27331cf816017ed +Subproject commit 4d8c8ba362cc57c12451e581f27feea97797e8c0 -- cgit v1.2.3 From 306a0e6c21d0e27035ba48530392eede59537516 Mon Sep 17 00:00:00 2001 
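Review bot: The comment `# ensue dist-upgrade on every puppetrun` has a typo; suggest `# ensure dist-upgrade on every puppetrun`. The new guard compares `$::apt_running == 'true'`, so it depends on a custom fact of that name yielding the string 'true'; the fact is not part of this change, and if it is absent the comparison is silently false and the guard never fires, which deserves a comment naming where the fact is defined.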
From: elijah Date: Mon, 21 Jan 2013 22:41:51 -0800 Subject: client ca -- configure the webapp with the client ca --- provider_base/services/openvpn.json | 2 +- provider_base/services/webapp.json | 2 ++ puppet/modules/site_webapp/manifests/client_ca.pp | 24 ++++++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + .../modules/site_webapp/templates/config.yml.erb | 2 ++ 5 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_webapp/manifests/client_ca.pp diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 0008a2d2..7b67ccb3 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -2,7 +2,7 @@ "service_type": "user_service", "x509": { "use": true, - "ca_cert": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'" }, "openvpn": { diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 311f1284..c9e4c532 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -23,6 +23,8 @@ "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", "commercial_cert": "= file [:commercial_cert, global.provider.domain]", "commercial_key": "= file [:commercial_key, global.provider.domain]", "commercial_ca_cert": "= try_file :commercial_ca_cert" diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp new file mode 100644 index 00000000..53c49d69 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/client_ca.pp 
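Review bot: Renaming `ca_cert` to `client_ca_cert` in the openvpn service changes the key that openvpn nodes receive under `x509`, but nothing in this commit's diffstat touches `site_openvpn`, which reads `hiera('x509')`; if it still looks up `ca_cert` it now gets nothing. Worth confirming the consumer was updated separately, or keeping `ca_cert` alongside the new key for one release. In the webapp.json hunk, `client_ca_key` makes the client CA private key part of the webapp node's deployed config; a comment there stating that this key is intentionally deployed to webapp nodes only, and why, would document the trust decision.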
@@ -0,0 +1,24 @@ +## +## This is for the special CA that is used exclusively for generating +## client certificates by the webapp. +## + +class site_webapp::client_ca { + include x509::variables + + $x509 = hiera('x509') + $cert_path = "${x509::variables::certs}/leap_client_ca.crt" + $key_path = "${x509::variables::keys}/leap_client_ca.key" + + x509::key { + 'leap_client_ca': + source => $x509['client_ca_key'], + notify => Service[apache]; + } + + x509::cert { + 'leap_client_ca': + source => $x509['client_ca_cert'], + notify => Service[apache]; + } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f7c6565e..717a9477 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,6 +16,7 @@ class site_webapp { include rubygems include site_webapp::apache include site_webapp::couchdb + include site_webapp::client_ca group { 'leap-webapp': ensure => present, diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 5e223a58..9cf85f0c 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,3 +1,5 @@ production: admins: [admin] domain: <%= @provider_domain %> + client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> + client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> -- cgit v1.2.3 From cde779720059965b4caf968c132c315821dd9b66 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 23 Jan 2013 10:39:34 -0500 Subject: require that the unbound package is installed before attempting to make sub-directories under /etc/unbound (#1412) --- puppet/modules/site_config/manifests/caching_resolver.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
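Review bot: `$cert_path` and `$key_path` are computed from `x509::variables` but never passed to the `x509::key`/`x509::cert` resources, while `config.yml.erb` hands exactly those paths to the webapp; the two agree only if the x509 module derives its output path from the title `leap_client_ca` and the same variables, which should be confirmed or stated in a comment. The key resource is declared with no owner/group/mode, so readability of the client CA private key by the apache/webapp process, and by nobody else, rests on the module's defaults, which are not visible here. A comment above `x509::key` naming which user must be able to read the key, and that it must be that user only, would make the intended permissions checkable.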
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index ab2f52d1..922c394f 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -12,7 +12,8 @@ class site_config::caching_resolver { file { '/etc/unbound/conf.d': ensure => directory, - owner => root, group => root, mode => '0755'; + owner => root, group => root, mode => '0755', + require => Package['unbound']; '/etc/unbound/conf.d/placeholder': ensure => present, -- cgit v1.2.3 From 00252d3e425bb385135faf6bda4c462bcce75e59 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Jan 2013 16:12:24 -0500 Subject: update shorewall module to latest release for fixes --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index e511291a..614ee152 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit e511291a111db7a7d88a8820c5423aa5b92304e0 +Subproject commit 614ee152c39bbc66c82a52022e2c05aa7856cd4b -- cgit v1.2.3 From 65d28a5e43ce3005b0560763809a09f64bfcfea7 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 26 Jan 2013 18:41:56 +0100 Subject: apply site_nagios::server --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index a1917d6e..94835f61 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -29,4 +29,8 @@ node 'default' { if 'ca' in $services { include site_ca_daemon } + + if 'monitoring' in $services { + include site_nagios::server + } } -- cgit v1.2.3 From 3d6b0c7e852f83a0bc38f1b13cc8914b4768a59d Mon Sep 17 00:00:00 2001 
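Review bot: `require => Package['unbound']` on `/etc/unbound/conf.d` can form a dependency cycle if the original `class { 'unbound': require => File['/etc/unbound/conf.d/placeholder'] }` is still in place: the package (inside the class) waits for the placeholder, the placeholder autorequires its parent directory, and the directory now waits for the package. That class-level `require` is outside the hunk so this is inferred; if it is still there, move the ordering onto the files (`require => Package['unbound']`, `notify => Service['unbound']`) and drop it from the class.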
From: varac Date: Sat, 26 Jan 2013 18:42:17 +0100 Subject: added submodule nagios --- .gitmodules | 3 +++ puppet/modules/nagios | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/nagios diff --git a/.gitmodules b/.gitmodules index 594ad749..75fc99f0 100644 --- a/.gitmodules +++ b/.gitmodules @@ -61,3 +61,6 @@ [submodule "puppet/modules/unbound"] path = puppet/modules/unbound url = git://code.leap.se/puppet_unbound +[submodule "puppet/modules/nagios"] + path = puppet/modules/nagios + url = git://code.leap.se/puppet_nagios diff --git a/puppet/modules/nagios b/puppet/modules/nagios new file mode 160000 index 00000000..256cf866 --- /dev/null +++ b/puppet/modules/nagios @@ -0,0 +1 @@ +Subproject commit 256cf866cb3cc9e88e8cd89dd59ac24ab24e1366 -- cgit v1.2.3 From 440ca230359e28195ba44c452b462c5e69efff65 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 26 Jan 2013 18:52:31 +0100 Subject: beginning of puppet/modules/site_nagios --- puppet/modules/site_nagios/manifests/server.pp | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server.pp diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp new file mode 100644 index 00000000..e11ffd48 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -0,0 +1,7 @@ +class site_nagios::server { + class {'nagios': + allow_external_cmd => true + } + #include nagios::defaults + +} -- cgit v1.2.3 From ca6347905e4293883b196f6e2120754fb823ae49 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 26 Jan 2013 20:38:22 +0100 Subject: service_type: internal_service as default --- provider_base/common.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/common.json b/provider_base/common.json index b5d37f8e..74eb494c 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
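Review bot: `allow_external_cmd => true` turns on the nagios external command pipe, so anything with write access to the command file can submit commands to the monitoring server; the hunk does not show how the nagios module restricts that file's group and mode, so a comment here naming why external commands are needed and which group is meant to write to it would document the exposure. The `#include nagios::defaults` line is commented out without a reason; either drop it or say why it is deferred.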
@@ -24,5 +24,6 @@ "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert" }, - "local": false + "local": false, + "service_type": "internal_service" } -- cgit v1.2.3 From 078bc9674c247cc2c3ad715eec57903138e481e1 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 27 Jan 2013 11:15:36 +0100 Subject: added 'development' hiera hash to exclude certain class for better testing --- provider_base/common.json | 5 ++++- puppet/manifests/site.pp | 11 ++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/provider_base/common.json b/provider_base/common.json index 74eb494c..8ffe8cd4 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -25,5 +25,8 @@ "ca_cert": "= try_file :ca_cert" }, "local": false, - "service_type": "internal_service" + "service_type": "internal_service", + "development": { + "site_config": true + } } diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 94835f61..1a76e3bd 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -6,8 +6,13 @@ node 'default' { import 'common' include concat::setup - # include some basic classes - include site_config + $development = hiera('development') + if $development['site_config'] == true { + # include some basic classes + include site_config + } else { + notice ('NOT applying site_config') + } # parse services for host $services=hiera_array('services') @@ -30,7 +35,7 @@ node 'default' { include site_ca_daemon } - if 'monitoring' in $services { + if 'monitor' in $services { include site_nagios::server } } -- cgit v1.2.3 From 51369107eefffca0c50784b2ad2b51bf56c53512 Mon Sep 17 00:00:00 2001 
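Review bot: `hiera('development')` in the first site.pp hunk has no default, so a node whose hiera data lacks the key fails catalog compilation instead of falling back to applying site_config. common.json in the same commit supplies the key for nodes built from provider_base, but an explicit fallback keeps the opt-out nature of the flag visible, e.g. `$development = hiera('development', {'site_config' => true})`. The second hunk also renames the service key from `'monitoring'` to `'monitor'`, a behaviour change the commit message does not mention and that should be called out for anyone with existing service lists.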
From: varac
Date: Sun, 27 Jan 2013 14:42:04 +0100
Subject: site_nagios: add hosts + services
---
.../parser/functions/create_resources_hash_from.rb | 116 +++++++++++++++++++++
puppet/modules/site_nagios/manifests/add_host.pp | 30 ++++++
.../modules/site_nagios/manifests/add_service.pp | 22 ++++
puppet/modules/site_nagios/manifests/server.pp | 17 ++-
4 files changed, 182 insertions(+), 3 deletions(-)
create mode 100644 puppet/lib/puppet/parser/functions/create_resources_hash_from.rb
create mode 100644 puppet/modules/site_nagios/manifests/add_host.pp
create mode 100644 puppet/modules/site_nagios/manifests/add_service.pp
diff --git a/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb b/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb
new file mode 100644
index 00000000..47d0df9c
--- /dev/null
+++ b/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb
@@ -0,0 +1,116 @@
+#
+# create_resources_hash_from.rb
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Puppet::Parser::Functions
+ newfunction(:create_resources_hash_from, :type => :rvalue, :doc => <<-EOS
+Given:
+ A formatted string (to use as the resource name)
+ An array to loop through (because puppet cannot loop)
+ A hash defining the parameters for a resource
+ And optionally an hash of parameter names to add to the resource and an
+ associated formatted string that should be configured with the current
+ element of the loop array
+
+This function will return a hash of hashes that can be used with the
+create_resources function.
+
+*Examples:*
+ $allowed_hosts = ['10.0.0.0/8', '192.168.0.0/24']
+ $resource_name = "100 allow %s to apache on ports 80"
+ $my_resource_hash = {
+ 'proto' => 'tcp',
+ 'action' => 'accept',
+ 'dport' => 80
+ }
+ $dynamic_parameters = {
+ 'source' => '%s'
+ }
+
+ $created_resource_hash = create_resources_hash_from($resource_name, $allowed_hosts, $my_resource_hash, $dynamic_parameters)
+
+$created_resource_hash would equal:
+ {
+ '100 allow 10.0.0.0/8 to apache on ports 80' => {
+ 'proto' => 'tcp',
+ 'action' => 'accept',
+ 'dport' => 80,
+ 'source' => '10.0.0.0/8'
+ },
+ '100 allow 192.168.0.0/24 to apache on ports 80' => {
+ 'proto' => 'tcp',
+ 'action' => 'accept',
+ 'dport' => 80,
+ 'source' => '192.168.0.0/24'
+ }
+ }
+
+$created_resource_hash could then be used with create_resources
+
+ create_resources(firewall, $created_resource_hash)
+
+To create a bunch of resources in a way that would only otherwise be possible
+with a loop of some description.
+ EOS
+ ) do |arguments|
+
+ raise Puppet::ParseError, "create_resources_hash_from(): Wrong number of arguments " +
+ "given (#{arguments.size} for 3 or 4)" if arguments.size < 3 or arguments.size > 4
+
+ formatted_string = arguments[0]
+
+ unless formatted_string.is_a?(String)
+ raise(Puppet::ParseError, 'create_resources_hash_from(): first argument must be a string')
+ end
+
+ loop_array = arguments[1]
+
+ unless loop_array.is_a?(Array)
+ raise(Puppet::ParseError, 'create_resources_hash_from(): second argument must be an array')
+ end
+
+ resource_hash = arguments[2]
+ unless resource_hash.is_a?(Hash)
+ raise(Puppet::ParseError, 'create_resources_hash_from(): third argument must be a hash')
+ end
+
+ if arguments.size == 4
+ dynamic_parameters = arguments[3]
+ unless dynamic_parameters.is_a?(Hash)
+ raise(Puppet::ParseError, 'create_resources_hash_from(): fourth argument must be a hash')
+ end
+ end
+
+ result = {}
+
+ loop_array.each do |i|
+ my_resource_hash = resource_hash.clone
+ if dynamic_parameters
+
dynamic_parameters.each do |param, value|
+ if my_resource_hash.member?(param)
+ raise(Puppet::ParseError, "create_resources_hash_from(): dynamic_parameter '#{param}' already exists in resource hash")
+ end
+ my_resource_hash[param] = sprintf(value,[i])
+ end
+ end
+ result[sprintf(formatted_string,[i])] = my_resource_hash
+ end
+
+ result
+ end
+end
+
+# vim: set ts=2 sw=2 et :
+# encoding: utf-8
diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp
new file mode 100644
index 00000000..5148048d
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/add_host.pp
@@ -0,0 +1,30 @@
+define site_nagios::add_host ($ip, $services='' ) {
+
+ $nagios_hostname = $name
+
+ #notice ("$nagios_hostname $ip $services")
+
+ nagios_host { $nagios_hostname:
+ address => $ip,
+ use => 'generic-host',
+ }
+
+ # turn serice array into hash
+ # https://github.com/ashak/puppet-resource-looping
+ $nagios_service_hashpart = {
+ 'host' => $nagios_hostname,
+ 'ip' => $ip,
+ }
+ $dynamic_parameters = {
+ 'service' => '%s'
+ }
+
+ #$nagios_services = ['one', 'two']
+ $nagios_servicename = "${nagios_hostname}_%s"
+
+ $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters)
+ #notice ($created_resource_hash)
+
+
+ create_resources ( site_nagios::add_service, $nagios_service_hash )
+}
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
new file mode 100644
index 00000000..5a5b344f
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
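Review bot: `sprintf(value,[i])` and `sprintf(formatted_string,[i])` pass the loop element wrapped in an Array as a single argument, so on Ruby 1.9 and later `%s` renders the array's inspect form (`["openvpn"]`) instead of the element; only Ruby 1.8's Array#to_s, which joined the elements, made this yield the intended string. Pass the element directly: `my_resource_hash[param] = sprintf(value, i)` and `result[sprintf(formatted_string, i)] = my_resource_hash`. Two smaller points: `resource_hash.clone` is a shallow copy, so any nested value in the template hash is shared between every generated resource hash, and the `# encoding: utf-8` magic comment on the last line has no effect because Ruby only honours it at the top of the file.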
@@ -0,0 +1,22 @@
+define site_nagios::add_service ($host, $ip, $service) {
+
+ notice ('$name $host $ip $service')
+
+ case $service {
+ 'openvpn': {
+ $check_command = 'check_openvpn!...'
+ $service_description = 'Openvpn'
+ }
+ 'webapp': {
+ $check_command = 'check_http!...'
+ $service_description = 'Website'
+ }
+ default: { fail ('unknown service') }
+ }
+
+ nagios_service { $name:
+ use => 'generic-service',
+ check_command => $check_command,
+ service_description => $service_description,
+ host_name => $host }
+}
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index e11ffd48..df3e00cd 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -1,7 +1,18 @@
class site_nagios::server {
- class {'nagios':
- allow_external_cmd => true
+
+ $nagios_hiera=hiera('nagios')
+ $nagiosadmin_pw = $nagios_hiera['nagiosadmin_pw']
+ $hosts = $nagios_hiera['hosts']
+
+ include nagios::defaults
+ include nagios::base
+ #Class ['nagios'] -> Class ['nagios::defaults']
+ class {'nagios::apache':
+ allow_external_cmd => true,
+ stored_config => false,
+ #before => Class ['nagios::defaults']
}
- #include nagios::defaults
+
+ create_resources ( site_nagios::add_host, $hosts)
}
-- cgit v1.2.3
From a5708f899f8330e79ebf9c1d69377b89f1919b1b Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 28 Jan 2013 03:04:21 -0800
Subject: added 'monitor' service to provider_base
---
provider_base/services/monitor.json | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 provider_base/services/monitor.json
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
new file mode 100644
index 00000000..0a44ded1
--- /dev/null
+++ b/provider_base/services/monitor.json
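Review bot: In the server.pp hunk `$nagiosadmin_pw` is read from the `nagios` hiera hash but never used in the class, so the admin password is looked up on every compile for no effect; drop the line until the resource that consumes it exists, or pass the value straight to that resource so its use in the manifest is visible. `hiera('nagios')` has no default either, so a node that includes `site_nagios::server` without the `nagios` hash fails compilation rather than reporting a missing configuration. `allow_external_cmd => true` enables the external command file that the CGI command interface writes to; a one-line comment next to the parameter saying why the web frontend needs to submit commands here would document the exposure for the next reader. The add_service.pp hunk's `notice ('$name $host $ip $service')` uses single quotes, so it logs the literal variable names rather than their values.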
@@ -0,0 +1,6 @@
+{
+ "nagios": {
+ "nagiosadmin_pw": "= secret :nagios_admin_password",
+ "hosts": "= nodes['production' => true].fields('domain.full', 'ip_address', 'services')"
+ }
+}
\ No newline at end of file
-- cgit v1.2.3
From ef3ed5e3f898a4636b57ea4cf6fe2cc9da02dfaa Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 13:01:27 +0100
Subject: automatic update of submodule puppet_nagios
---
puppet/modules/nagios | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
index 256cf866..23e65341 160000
--- a/puppet/modules/nagios
+++ b/puppet/modules/nagios
@@ -1 +1 @@
-Subproject commit 256cf866cb3cc9e88e8cd89dd59ac24ab24e1366
+Subproject commit 23e653414cbabed2ca8fd443eedd412ab5756d8c
-- cgit v1.2.3
From ab0792667b57bb034fe23ae24064fad56f3c8163 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 15:03:10 +0100
Subject: adapted new hiera config, see #1546
---
puppet/modules/site_nagios/manifests/add_host.pp | 29 +++++++++++-----------
.../modules/site_nagios/manifests/add_service.pp | 22 ++++++++--------
puppet/modules/site_nagios/manifests/server.pp | 3 +--
3 files changed, 26 insertions(+), 28 deletions(-)
diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp
index 5148048d..d5aac67c 100644
--- a/puppet/modules/site_nagios/manifests/add_host.pp
+++ b/puppet/modules/site_nagios/manifests/add_host.pp
@@ -1,30 +1,29 @@
-define site_nagios::add_host ($ip, $services='' ) {
-
- $nagios_hostname = $name
-
- #notice ("$nagios_hostname $ip $services")
+define site_nagios::add_host {
+ $nagios_host = $name
+ $nagios_hostname = $name['domain_full']
+ $nagios_ip = $name['ip_address']
+ $nagios_services = $name['services']
+ # Add Nagios host
nagios_host { $nagios_hostname:
- address => $ip,
+ address => $nagios_ip,
use => 'generic-host',
}
- # turn serice array into hash
- # https://github.com/ashak/puppet-resource-looping
+ # Add Nagios service
+
+ # First, we need to turn the serice array into hash, using a "hash template"
+ # see https://github.com/ashak/puppet-resource-looping
$nagios_service_hashpart = {
- 'host' => $nagios_hostname,
- 'ip' => $ip,
+ 'hostname' => $nagios_hostname,
+ 'ip_address' => $nagios_ip,
}
$dynamic_parameters = {
'service' => '%s'
}
-
- #$nagios_services = ['one', 'two']
$nagios_servicename = "${nagios_hostname}_%s"
- $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters)
- #notice ($created_resource_hash)
-
+ $nagios_service_hash = create_resources_hash_from($nagios_servicename, $nagios_services, $nagios_service_hashpart, $dynamic_parameters)
create_resources ( site_nagios::add_service, $nagios_service_hash )
}
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index 5a5b344f..1a69e068 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
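Review bot: The rewritten define treats its title as a hash (`$name['domain_full']`, `$name['ip_address']`, `$name['services']`), which only works because server.pp in this commit declares `site_nagios::add_host {$hosts:}` with the hiera-derived array of hashes as titles; a header comment such as `# $name must be a hash with the keys domain_full, ip_address and services (see site_nagios::server)` would spare the next reader that trip, and `$nagios_host = $name` is assigned but never used. The key read here, `domain_full`, differs from the field requested in monitor.json, `domain.full`; presumably the `fields` helper rewrites the dot to an underscore, but that mapping is not visible on this page and is worth confirming before relying on it. Minor: the new comment still spells `serice`.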
@@ -1,22 +1,22 @@
-define site_nagios::add_service ($host, $ip, $service) {
-
- notice ('$name $host $ip $service')
+define site_nagios::add_service ($hostname, $ip_address, $service) {
case $service {
'openvpn': {
- $check_command = 'check_openvpn!...'
+ $check_command = 'check_openvpn'
$service_description = 'Openvpn'
}
'webapp': {
- $check_command = 'check_http!...'
+ $check_command = 'check_http'
$service_description = 'Website'
}
- default: { fail ('unknown service') }
+ default: { notice ("No Nagios service check for service \"$service\"") }
}
- nagios_service { $name:
- use => 'generic-service',
- check_command => $check_command,
- service_description => $service_description,
- host_name => $host }
+ if ( $check_command != '' ) {
+ nagios_service { $name:
+ use => 'generic-service',
+ check_command => $check_command,
+ service_description => $service_description,
+ host_name => $hostname }
+ }
}
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index df3e00cd..a8ebeaf4 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -13,6 +13,5 @@ class site_nagios::server {
#before => Class ['nagios::defaults']
}
- create_resources ( site_nagios::add_host, $hosts)
-
+ site_nagios::add_host {$hosts:}
}
-- cgit v1.2.3
From 3e68650ddea6d9d01c518727894939204a21369c Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 15:27:20 +0100
Subject: automatic update of submodule puppet_nagios
---
puppet/modules/nagios | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
index 23e65341..57a1140b 160000
--- a/puppet/modules/nagios
+++ b/puppet/modules/nagios
@@ -1 +1 @@
-Subproject commit 23e653414cbabed2ca8fd443eedd412ab5756d8c
+Subproject commit 57a1140b437a8cfb9cfd5d94a5759b1e3ed86d45
-- cgit v1.2.3
From 4a2091518a9b68e53de556bebd98d992e42b8910 Mon Sep 17 00:00:00 2001
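Review bot: In the `default` branch `$check_command` is never assigned, so the new guard `if ( $check_command != '' )` depends on an unset variable comparing equal to the empty string, which holds only in Puppet versions that treat undef as '' in comparisons; on a parser where that is not the case an unknown service would produce a `nagios_service` with no check_command. Replace the guard with `if $check_command {`, which is false for an unset variable in every Puppet version, and the intent reads directly. The `notice` in the default branch is emitted at compile time only, so a host whose service list contains an unsupported entry silently gets no check for it; `warning` would at least surface that in the master log. The server.pp hunk in the same commit passes the hiera array `$hosts` as resource titles, so two entries with identical content would fail compilation as a duplicate declaration rather than be deduplicated.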
From: varac
Date: Mon, 28 Jan 2013 15:41:06 +0100
Subject: main nagios config: allow external cmds, debug mode
---
.../site_nagios/files/configs/Debian/nagios.cfg | 1273 ++++++++++++++++++++
1 file changed, 1273 insertions(+)
create mode 100644 puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
new file mode 100644
index 00000000..d8062a2f
--- /dev/null
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -0,0 +1,1273 @@ +############################################################################## +# +# NAGIOS.CFG - Sample Main Config File for Nagios +# +# +############################################################################## + + +# LOG FILE +# This is the main log file where service and host events are logged +# for historical purposes. This should be the first option specified +# in the config file!!! + +log_file=/var/log/nagios3/nagios.log + + + +# OBJECT CONFIGURATION FILE(S) +# These are the object configuration files in which you define hosts, +# host groups, contacts, contact groups, services, etc. +# You can split your object definitions across several config files +# if you wish (as shown below), or keep them all in a single config file. +#cfg_file=/etc/nagios3/commands.cfg + +# Puppet-managed configuration files +cfg_dir=/etc/nagios3/conf.d + +# Debian also defaults to using the check commands defined by the debian +# nagios-plugins package +cfg_dir=/etc/nagios-plugins/config + + + +# OBJECT CACHE FILE +# This option determines where object definitions are cached when +# Nagios starts/restarts. The CGIs read object definitions from +# this cache file (rather than looking at the object config files +# directly) in order to prevent inconsistencies that can occur +# when the config files are modified after Nagios starts. + +object_cache_file=/var/cache/nagios3/objects.cache + + + +# PRE-CACHED OBJECT FILE +# This options determines the location of the precached object file. +# If you run Nagios with the -p command line option, it will preprocess +# your object configuration file(s) and write the cached config to this +# file. You can then start Nagios with the -u option to have it read +# object definitions from this precached file, rather than the standard +# object configuration files (see the cfg_file and cfg_dir options above). 
+# Using a precached object file can speed up the time needed to (re)start +# the Nagios process if you've got a large and/or complex configuration. +# Read the documentation section on optimizing Nagios to find our more +# about how this feature works. + +precached_object_file=/var/lib/nagios3/objects.precache + + + +# RESOURCE FILE +# This is an optional resource file that contains $USERx$ macro +# definitions. Multiple resource files can be specified by using +# multiple resource_file definitions. The CGIs will not attempt to +# read the contents of resource files, so information that is +# considered to be sensitive (usernames, passwords, etc) can be +# defined as macros in this file and restrictive permissions (600) +# can be placed on this file. + +resource_file=/etc/nagios3/private/resource.cfg + + + +# STATUS FILE +# This is where the current status of all monitored services and +# hosts is stored. Its contents are read and processed by the CGIs. +# The contents of the status file are deleted every time Nagios +# restarts. + +status_file=/var/cache/nagios3/status.dat + + + +# STATUS FILE UPDATE INTERVAL +# This option determines the frequency (in seconds) that +# Nagios will periodically dump program, host, and +# service status data. + +status_update_interval=10 + + + +# NAGIOS USER +# This determines the effective user that Nagios should run as. +# You can either supply a username or a UID. + +nagios_user=nagios + + + +# NAGIOS GROUP +# This determines the effective group that Nagios should run as. +# You can either supply a group name or a GID. + +nagios_group=nagios + + + +# EXTERNAL COMMAND OPTION +# This option allows you to specify whether or not Nagios should check +# for external commands (in the command file defined below). By default +# Nagios will *not* check for external commands, just to be on the +# cautious side. If you want to be able to use the CGI command interface +# you will have to enable this. 
+# Values: 0 = disable commands, 1 = enable commands + +check_external_commands=1 + + + +# EXTERNAL COMMAND CHECK INTERVAL +# This is the interval at which Nagios should check for external commands. +# This value works of the interval_length you specify later. If you leave +# that at its default value of 60 (seconds), a value of 1 here will cause +# Nagios to check for external commands every minute. If you specify a +# number followed by an "s" (i.e. 15s), this will be interpreted to mean +# actual seconds rather than a multiple of the interval_length variable. +# Note: In addition to reading the external command file at regularly +# scheduled intervals, Nagios will also check for external commands after +# event handlers are executed. +# NOTE: Setting this value to -1 causes Nagios to check the external +# command file as often as possible. + +#command_check_interval=15s +command_check_interval=-1 + + + +# EXTERNAL COMMAND FILE +# This is the file that Nagios checks for external command requests. +# It is also where the command CGI will write commands that are submitted +# by users, so it must be writeable by the user that the web server +# is running as (usually 'nobody'). Permissions should be set at the +# directory level instead of on the file, as the file is deleted every +# time its contents are processed. +# Debian Users: In case you didn't read README.Debian yet, _NOW_ is the +# time to do it. + +command_file=/var/lib/nagios3/rw/nagios.cmd + + + +# EXTERNAL COMMAND BUFFER SLOTS +# This settings is used to tweak the number of items or "slots" that +# the Nagios daemon should allocate to the buffer that holds incoming +# external commands before they are processed. As external commands +# are processed by the daemon, they are removed from the buffer. + +external_command_buffer_slots=4096 + + + +# LOCK FILE +# This is the lockfile that Nagios will use to store its PID number +# in when it is running in daemon mode. 
+ +lock_file=/var/run/nagios3/nagios3.pid + + + +# TEMP FILE +# This is a temporary file that is used as scratch space when Nagios +# updates the status log, cleans the comment file, etc. This file +# is created, used, and deleted throughout the time that Nagios is +# running. + +temp_file=/var/cache/nagios3/nagios.tmp + + + +# TEMP PATH +# This is path where Nagios can create temp files for service and +# host check results, etc. + +temp_path=/tmp + + + +# EVENT BROKER OPTIONS +# Controls what (if any) data gets sent to the event broker. +# Values: 0 = Broker nothing +# -1 = Broker everything +# = See documentation + +event_broker_options=-1 + + + +# EVENT BROKER MODULE(S) +# This directive is used to specify an event broker module that should +# by loaded by Nagios at startup. Use multiple directives if you want +# to load more than one module. Arguments that should be passed to +# the module at startup are seperated from the module path by a space. +# +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# Do NOT overwrite modules while they are being used by Nagios or Nagios +# will crash in a fiery display of SEGFAULT glory. This is a bug/limitation +# either in dlopen(), the kernel, and/or the filesystem. And maybe Nagios... +# +# The correct/safe way of updating a module is by using one of these methods: +# 1. Shutdown Nagios, replace the module file, restart Nagios +# 2. Delete the original module file, move the new module file into place, restart Nagios +# +# Example: +# +# broker_module= [moduleargs] + +#broker_module=/somewhere/module1.o +#broker_module=/somewhere/module2.o arg1 arg2=3 debug=0 + + + +# LOG ROTATION METHOD +# This is the log rotation method that Nagios should use to rotate +# the main log file. Values are as follows.. 
+# n = None - don't rotate the log +# h = Hourly rotation (top of the hour) +# d = Daily rotation (midnight every day) +# w = Weekly rotation (midnight on Saturday evening) +# m = Monthly rotation (midnight last day of month) + +log_rotation_method=d + + + +# LOG ARCHIVE PATH +# This is the directory where archived (rotated) log files should be +# placed (assuming you've chosen to do log rotation). + +log_archive_path=/var/log/nagios3/archives + + + +# LOGGING OPTIONS +# If you want messages logged to the syslog facility, as well as the +# Nagios log file set this option to 1. If not, set it to 0. + +use_syslog=1 + + + +# NOTIFICATION LOGGING OPTION +# If you don't want notifications to be logged, set this value to 0. +# If notifications should be logged, set the value to 1. + +log_notifications=1 + + + +# SERVICE RETRY LOGGING OPTION +# If you don't want service check retries to be logged, set this value +# to 0. If retries should be logged, set the value to 1. + +log_service_retries=1 + + + +# HOST RETRY LOGGING OPTION +# If you don't want host check retries to be logged, set this value to +# 0. If retries should be logged, set the value to 1. + +log_host_retries=1 + + + +# EVENT HANDLER LOGGING OPTION +# If you don't want host and service event handlers to be logged, set +# this value to 0. If event handlers should be logged, set the value +# to 1. + +log_event_handlers=1 + + + +# INITIAL STATES LOGGING OPTION +# If you want Nagios to log all initial host and service states to +# the main log file (the first time the service or host is checked) +# you can enable this option by setting this value to 1. If you +# are not using an external application that does long term state +# statistics reporting, you do not need to enable this option. In +# this case, set the value to 0. + +log_initial_states=0 + + + +# EXTERNAL COMMANDS LOGGING OPTION +# If you don't want Nagios to log external commands, set this value +# to 0. 
If external commands should be logged, set this value to 1. +# Note: This option does not include logging of passive service +# checks - see the option below for controlling whether or not +# passive checks are logged. + +log_external_commands=1 + + + +# PASSIVE CHECKS LOGGING OPTION +# If you don't want Nagios to log passive host and service checks, set +# this value to 0. If passive checks should be logged, set +# this value to 1. + +log_passive_checks=1 + + + +# GLOBAL HOST AND SERVICE EVENT HANDLERS +# These options allow you to specify a host and service event handler +# command that is to be run for every host or service state change. +# The global event handler is executed immediately prior to the event +# handler that you have optionally specified in each host or +# service definition. The command argument is the short name of a +# command definition that you define in your host configuration file. +# Read the HTML docs for more information. + +#global_host_event_handler=somecommand +#global_service_event_handler=somecommand + + + +# SERVICE INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" service checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all service checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! This is not a +# good thing for production, but is useful when testing the +# parallelization functionality. +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +service_inter_check_delay_method=s + + + +# MAXIMUM SERVICE CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all services should +# be completed. 
Default is 30 minutes. + +max_service_check_spread=30 + + + +# SERVICE CHECK INTERLEAVE FACTOR +# This variable determines how service checks are interleaved. +# Interleaving the service checks allows for a more even +# distribution of service checks and reduced load on remote +# hosts. Setting this value to 1 is equivalent to how versions +# of Nagios previous to 0.0.5 did service checks. Set this +# value to s (smart) for automatic calculation of the interleave +# factor unless you have a specific reason to change it. +# s = Use "smart" interleave factor calculation +# x = Use an interleave factor of x, where x is a +# number greater than or equal to 1. + +service_interleave_factor=s + + + +# HOST INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" host checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all host checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +host_inter_check_delay_method=s + + + +# MAXIMUM HOST CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all hosts should +# be completed. Default is 30 minutes. + +max_host_check_spread=30 + + + +# MAXIMUM CONCURRENT SERVICE CHECKS +# This option allows you to specify the maximum number of +# service checks that can be run in parallel at any given time. +# Specifying a value of 1 for this variable essentially prevents +# any service checks from being parallelized. A value of 0 +# will not restrict the number of concurrent checks that are +# being executed. 
+ +max_concurrent_checks=0 + + + +# HOST AND SERVICE CHECK REAPER FREQUENCY +# This is the frequency (in seconds!) that Nagios will process +# the results of host and service checks. + +check_result_reaper_frequency=10 + + + + +# MAX CHECK RESULT REAPER TIME +# This is the max amount of time (in seconds) that a single +# check result reaper event will be allowed to run before +# returning control back to Nagios so it can perform other +# duties. + +max_check_result_reaper_time=30 + + + + +# CHECK RESULT PATH +# This is directory where Nagios stores the results of host and +# service checks that have not yet been processed. +# +# Note: Make sure that only one instance of Nagios has access +# to this directory! + +check_result_path=/var/lib/nagios3/spool/checkresults + + + + +# MAX CHECK RESULT FILE AGE +# This option determines the maximum age (in seconds) which check +# result files are considered to be valid. Files older than this +# threshold will be mercilessly deleted without further processing. + +max_check_result_file_age=3600 + + + + +# CACHED HOST CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous host check is considered current. +# Cached host states (from host checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to the host check logic. +# Too high of a value for this option may result in inaccurate host +# states being used by Nagios, while a lower value may result in a +# performance hit for host checks. Use a value of 0 to disable host +# check caching. + +cached_host_check_horizon=15 + + + +# CACHED SERVICE CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous service check is considered current. 
+# Cached service states (from service checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to predictive dependency checks. +# Use a value of 0 to disable service check caching. + +cached_service_check_horizon=15 + + + +# ENABLE PREDICTIVE HOST DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of hosts when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# host dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_host_dependency_checks=1 + + + +# ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of service when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# service dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_service_dependency_checks=1 + + + +# SOFT STATE DEPENDENCIES +# This option determines whether or not Nagios will use soft state +# information when checking host and service dependencies. Normally +# Nagios will only use the latest hard host or service state when +# checking dependencies. If you want it to use the latest state (regardless +# of whether its a soft or hard state type), enable this option. +# Values: +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies + +soft_state_dependencies=0 + + + +# TIME CHANGE ADJUSTMENT THRESHOLDS +# These options determine when Nagios will react to detected changes +# in system time (either forward or backwards). 
+
+#time_change_threshold=900
+
+
+
+# AUTO-RESCHEDULING OPTION
+# This option determines whether or not Nagios will attempt to
+# automatically reschedule active host and service checks to
+# "smooth" them out over time. This can help balance the load on
+# the monitoring server.
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE
+# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY
+
+auto_reschedule_checks=0
+
+
+
+# AUTO-RESCHEDULING INTERVAL
+# This option determines how often (in seconds) Nagios will
+# attempt to automatically reschedule checks. This option only
+# has an effect if the auto_reschedule_checks option is enabled.
+# Default is 30 seconds.
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE
+# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY
+
+auto_rescheduling_interval=30
+
+
+
+# AUTO-RESCHEDULING WINDOW
+# This option determines the "window" of time (in seconds) that
+# Nagios will look at when automatically rescheduling checks.
+# Only host and service checks that occur in the next X seconds
+# (determined by this variable) will be rescheduled. This option
+# only has an effect if the auto_reschedule_checks option is
+# enabled. Default is 180 seconds (3 minutes).
+# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE
+# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY
+
+auto_rescheduling_window=180
+
+
+
+# SLEEP TIME
+# This is the number of seconds to sleep between checking for system
+# events and service checks that need to be run.
+
+sleep_time=0.25
+
+
+
+# TIMEOUT VALUES
+# These options control how much time Nagios will allow various
+# types of commands to execute before killing them off. Options
+# are available for controlling maximum time allotted for
+# service checks, host checks, event handlers, notifications, the
+# ocsp command, and performance data commands. All values are in
+# seconds.
+
+service_check_timeout=60
+host_check_timeout=30
+event_handler_timeout=30
+notification_timeout=30
+ocsp_timeout=5
+perfdata_timeout=5
+
+
+
+# RETAIN STATE INFORMATION
+# This setting determines whether or not Nagios will save state
+# information for services and hosts before it shuts down. Upon
+# startup Nagios will reload all saved service and host state
+# information before starting to monitor. This is useful for
+# maintaining long-term data on state statistics, etc, but will
+# slow Nagios down a bit when it (re)starts. Since its only
+# a one-time penalty, I think its well worth the additional
+# startup delay.
+
+retain_state_information=1
+
+
+
+# STATE RETENTION FILE
+# This is the file that Nagios should use to store host and
+# service state information before it shuts down. The state
+# information in this file is also read immediately prior to
+# starting to monitor the network when Nagios is restarted.
+# This file is used only if the preserve_state_information
+# variable is set to 1.
+
+state_retention_file=/var/lib/nagios3/retention.dat
+
+
+
+# RETENTION DATA UPDATE INTERVAL
+# This setting determines how often (in minutes) that Nagios
+# will automatically save retention data during normal operation.
+# If you set this value to 0, Nagios will not save retention
+# data at regular interval, but it will still save retention
+# data before shutting down or restarting. If you have disabled
+# state retention, this option has no effect.
+
+retention_update_interval=60
+
+
+
+# USE RETAINED PROGRAM STATE
+# This setting determines whether or not Nagios will set
+# program status variables based on the values saved in the
+# retention file. If you want to use retained program status
+# information, set this value to 1. If not, set this value
+# to 0.
+
+use_retained_program_state=1
+
+
+
+# USE RETAINED SCHEDULING INFO
+# This setting determines whether or not Nagios will retain
+# the scheduling info (next check time) for hosts and services
+# based on the values saved in the retention file. If you
+# If you want to use retained scheduling info, set this
+# value to 1. If not, set this value to 0.
+
+use_retained_scheduling_info=1
+
+
+
+# RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE)
+# The following variables are used to specify specific host and
+# service attributes that should *not* be retained by Nagios during
+# program restarts.
+#
+# The values of the masks are bitwise ANDs of values specified
+# by the "MODATTR_" definitions found in include/common.h.
+# For example, if you do not want the current enabled/disabled state
+# of flap detection and event handlers for hosts to be retained, you
+# would use a value of 24 for the host attribute mask...
+# MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24
+
+# This mask determines what host attributes are not retained
+retained_host_attribute_mask=0
+
+# This mask determines what service attributes are not retained
+retained_service_attribute_mask=0
+
+# These two masks determine what process attributes are not retained.
+# There are two masks, because some process attributes have host and service
+# options. For example, you can disable active host checks, but leave active
+# service checks enabled.
+retained_process_host_attribute_mask=0
+retained_process_service_attribute_mask=0
+
+# These two masks determine what contact attributes are not retained.
+# There are two masks, because some contact attributes have host and
+# service options. For example, you can disable host notifications for
+# a contact, but leave service notifications enabled for them.
+retained_contact_host_attribute_mask=0
+retained_contact_service_attribute_mask=0
+
+
+
+# INTERVAL LENGTH
+# This is the seconds per unit interval as used in the
+# host/contact/service configuration files. Setting this to 60 means
+# that each interval is one minute long (60 seconds). Other settings
+# have not been tested much, so your mileage is likely to vary...
+
+interval_length=60
+
+
+
+# AGGRESSIVE HOST CHECKING OPTION
+# If you don't want to turn on aggressive host checking features, set
+# this value to 0 (the default). Otherwise set this value to 1 to
+# enable the aggressive check option. Read the docs for more info
+# on what aggressive host check is or check out the source code in
+# base/checks.c
+
+use_aggressive_host_checking=0
+
+
+
+# SERVICE CHECK EXECUTION OPTION
+# This determines whether or not Nagios will actively execute
+# service checks when it initially starts. If this option is
+# disabled, checks are not actively made, but Nagios can still
+# receive and process passive check results that come in. Unless
+# you're implementing redundant hosts or have a special need for
+# disabling the execution of service checks, leave this enabled!
+# Values: 1 = enable checks, 0 = disable checks
+
+execute_service_checks=1
+
+
+
+# PASSIVE SERVICE CHECK ACCEPTANCE OPTION
+# This determines whether or not Nagios will accept passive
+# service checks results when it initially (re)starts.
+# Values: 1 = accept passive checks, 0 = reject passive checks
+
+accept_passive_service_checks=1
+
+
+
+# HOST CHECK EXECUTION OPTION
+# This determines whether or not Nagios will actively execute
+# host checks when it initially starts. If this option is
+# disabled, checks are not actively made, but Nagios can still
+# receive and process passive check results that come in. Unless
+# you're implementing redundant hosts or have a special need for
+# disabling the execution of host checks, leave this enabled!
+# Values: 1 = enable checks, 0 = disable checks
+
+execute_host_checks=1
+
+
+
+# PASSIVE HOST CHECK ACCEPTANCE OPTION
+# This determines whether or not Nagios will accept passive
+# host checks results when it initially (re)starts.
+# Values: 1 = accept passive checks, 0 = reject passive checks
+
+accept_passive_host_checks=1
+
+
+
+# NOTIFICATIONS OPTION
+# This determines whether or not Nagios will sent out any host or
+# service notifications when it is initially (re)started.
+# Values: 1 = enable notifications, 0 = disable notifications
+
+enable_notifications=1
+
+
+
+# EVENT HANDLER USE OPTION
+# This determines whether or not Nagios will run any host or
+# service event handlers when it is initially (re)started. Unless
+# you're implementing redundant hosts, leave this option enabled.
+# Values: 1 = enable event handlers, 0 = disable event handlers
+
+enable_event_handlers=1
+
+
+
+# PROCESS PERFORMANCE DATA OPTION
+# This determines whether or not Nagios will process performance
+# data returned from service and host checks. If this option is
+# enabled, host performance data will be processed using the
+# host_perfdata_command (defined below) and service performance
+# data will be processed using the service_perfdata_command (also
+# defined below). Read the HTML docs for more information on
+# performance data.
+# Values: 1 = process performance data, 0 = do not process performance data
+
+process_performance_data=0
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS
+# These commands are run after every host and service check is
+# performed. These commands are executed only if the
+# enable_performance_data option (above) is set to 1. The command
+# argument is the short name of a command definition that you
+# define in your host configuration file. Read the HTML docs for
+# more information on performance data.
+
+#host_perfdata_command=process-host-perfdata
+#service_perfdata_command=process-service-perfdata
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA FILES
+# These files are used to store host and service performance data.
+# Performance data is only written to these files if the
+# enable_performance_data option (above) is set to 1.
+
+#host_perfdata_file=/tmp/host-perfdata
+#service_perfdata_file=/tmp/service-perfdata
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES
+# These options determine what data is written (and how) to the
+# performance data files. The templates may contain macros, special
+# characters (\t for tab, \r for carriage return, \n for newline)
+# and plain text. A newline is automatically added after each write
+# to the performance data file. Some examples of what you can do are
+# shown below.
+
+#host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$
+#service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA FILE MODES
+# This option determines whether or not the host and service
+# performance data files are opened in write ("w") or append ("a")
+# mode. If you want to use named pipes, you should use the special
+# pipe ("p") mode which avoid blocking at startup, otherwise you will
+# likely want the defult append ("a") mode.
+
+#host_perfdata_file_mode=a
+#service_perfdata_file_mode=a
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL
+# These options determine how often (in seconds) the host and service
+# performance data files are processed using the commands defined
+# below. A value of 0 indicates the files should not be periodically
+# processed.
+
+#host_perfdata_file_processing_interval=0
+#service_perfdata_file_processing_interval=0
+
+
+
+# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS
+# These commands are used to periodically process the host and
+# service performance data files. The interval at which the
+# processing occurs is determined by the options above.
+
+#host_perfdata_file_processing_command=process-host-perfdata-file
+#service_perfdata_file_processing_command=process-service-perfdata-file
+
+
+
+# OBSESS OVER SERVICE CHECKS OPTION
+# This determines whether or not Nagios will obsess over service
+# checks and run the ocsp_command defined below. Unless you're
+# planning on implementing distributed monitoring, do not enable
+# this option. Read the HTML docs for more information on
+# implementing distributed monitoring.
+# Values: 1 = obsess over services, 0 = do not obsess (default)
+
+obsess_over_services=0
+
+
+
+# OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND
+# This is the command that is run for every service check that is
+# processed by Nagios. This command is executed only if the
+# obsess_over_services option (above) is set to 1. The command
+# argument is the short name of a command definition that you
+# define in your host configuration file. Read the HTML docs for
+# more information on implementing distributed monitoring.
+
+#ocsp_command=somecommand
+
+
+
+# OBSESS OVER HOST CHECKS OPTION
+# This determines whether or not Nagios will obsess over host
+# checks and run the ochp_command defined below. Unless you're
+# planning on implementing distributed monitoring, do not enable
+# this option. Read the HTML docs for more information on
+# implementing distributed monitoring.
+# Values: 1 = obsess over hosts, 0 = do not obsess (default)
+
+obsess_over_hosts=0
+
+
+
+# OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND
+# This is the command that is run for every host check that is
+# processed by Nagios.
This command is executed only if the
+# obsess_over_hosts option (above) is set to 1. The command
+# argument is the short name of a command definition that you
+# define in your host configuration file. Read the HTML docs for
+# more information on implementing distributed monitoring.
+
+#ochp_command=somecommand
+
+
+
+# TRANSLATE PASSIVE HOST CHECKS OPTION
+# This determines whether or not Nagios will translate
+# DOWN/UNREACHABLE passive host check results into their proper
+# state for this instance of Nagios. This option is useful
+# if you have distributed or failover monitoring setup. In
+# these cases your other Nagios servers probably have a different
+# "view" of the network, with regards to the parent/child relationship
+# of hosts. If a distributed monitoring server thinks a host
+# is DOWN, it may actually be UNREACHABLE from the point of
+# this Nagios instance. Enabling this option will tell Nagios
+# to translate any DOWN or UNREACHABLE host states it receives
+# passively into the correct state from the view of this server.
+# Values: 1 = perform translation, 0 = do not translate (default)
+
+translate_passive_host_checks=0
+
+
+
+# PASSIVE HOST CHECKS ARE SOFT OPTION
+# This determines whether or not Nagios will treat passive host
+# checks as being HARD or SOFT. By default, a passive host check
+# result will put a host into a HARD state type. This can be changed
+# by enabling this option.
+# Values: 0 = passive checks are HARD, 1 = passive checks are SOFT
+
+passive_host_checks_are_soft=0
+
+
+
+# ORPHANED HOST/SERVICE CHECK OPTIONS
+# These options determine whether or not Nagios will periodically
+# check for orphaned host service checks. Since service checks are
+# not rescheduled until the results of their previous execution
+# instance are processed, there exists a possibility that some
+# checks may never get rescheduled.
A similar situation exists for
+# host checks, although the exact scheduling details differ a bit
+# from service checks. Orphaned checks seem to be a rare
+# problem and should not happen under normal circumstances.
+# If you have problems with service checks never getting
+# rescheduled, make sure you have orphaned service checks enabled.
+# Values: 1 = enable checks, 0 = disable checks
+
+check_for_orphaned_services=1
+check_for_orphaned_hosts=1
+
+
+
+# SERVICE FRESHNESS CHECK OPTION
+# This option determines whether or not Nagios will periodically
+# check the "freshness" of service results. Enabling this option
+# is useful for ensuring passive checks are received in a timely
+# manner.
+# Values: 1 = enabled freshness checking, 0 = disable freshness checking
+
+check_service_freshness=1
+
+
+
+# SERVICE FRESHNESS CHECK INTERVAL
+# This setting determines how often (in seconds) Nagios will
+# check the "freshness" of service check results. If you have
+# disabled service freshness checking, this option has no effect.
+
+service_freshness_check_interval=60
+
+
+
+# HOST FRESHNESS CHECK OPTION
+# This option determines whether or not Nagios will periodically
+# check the "freshness" of host results. Enabling this option
+# is useful for ensuring passive checks are received in a timely
+# manner.
+# Values: 1 = enabled freshness checking, 0 = disable freshness checking
+
+check_host_freshness=0
+
+
+
+# HOST FRESHNESS CHECK INTERVAL
+# This setting determines how often (in seconds) Nagios will
+# check the "freshness" of host check results. If you have
+# disabled host freshness checking, this option has no effect.
+
+host_freshness_check_interval=60
+
+
+
+
+# ADDITIONAL FRESHNESS THRESHOLD LATENCY
+# This setting determines the number of seconds that Nagios
+# will add to any host and service freshness thresholds that
+# it calculates (those not explicitly specified by the user).
+
+additional_freshness_latency=15
+
+
+
+
+# FLAP DETECTION OPTION
+# This option determines whether or not Nagios will try
+# and detect hosts and services that are "flapping".
+# Flapping occurs when a host or service changes between
+# states too frequently. When Nagios detects that a
+# host or service is flapping, it will temporarily suppress
+# notifications for that host/service until it stops
+# flapping. Flap detection is very experimental, so read
+# the HTML documentation before enabling this feature!
+# Values: 1 = enable flap detection
+# 0 = disable flap detection (default)
+
+enable_flap_detection=1
+
+
+
+# FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES
+# Read the HTML documentation on flap detection for
+# an explanation of what this option does. This option
+# has no effect if flap detection is disabled.
+
+low_service_flap_threshold=5.0
+high_service_flap_threshold=20.0
+low_host_flap_threshold=5.0
+high_host_flap_threshold=20.0
+
+
+
+# DATE FORMAT OPTION
+# This option determines how short dates are displayed. Valid options
+# include:
+# us (MM-DD-YYYY HH:MM:SS)
+# euro (DD-MM-YYYY HH:MM:SS)
+# iso8601 (YYYY-MM-DD HH:MM:SS)
+# strict-iso8601 (YYYY-MM-DDTHH:MM:SS)
+#
+
+date_format=iso8601
+
+
+
+
+# TIMEZONE OFFSET
+# This option is used to override the default timezone that this
+# instance of Nagios runs in. If not specified, Nagios will use
+# the system configured timezone.
+#
+# NOTE: In order to display the correct timezone in the CGIs, you
+# will also need to alter the Apache directives for the CGI path
+# to include your timezone. Example:
+#
+#
+# SetEnv TZ "Australia/Brisbane"
+# ...
+#
+
+#use_timezone=US/Mountain
+#use_timezone=Australia/Brisbane
+
+
+
+
+# P1.PL FILE LOCATION
+# This value determines where the p1.pl perl script (used by the
+# embedded Perl interpreter) is located. If you didn't compile
+# Nagios with embedded Perl support, this option has no effect.
+
+p1_file=/usr/lib/nagios3/p1.pl
+
+
+
+# EMBEDDED PERL INTERPRETER OPTION
+# This option determines whether or not the embedded Perl interpreter
+# will be enabled during runtime. This option has no effect if Nagios
+# has not been compiled with support for embedded Perl.
+# Values: 0 = disable interpreter, 1 = enable interpreter
+
+enable_embedded_perl=1
+
+
+
+# EMBEDDED PERL USAGE OPTION
+# This option determines whether or not Nagios will process Perl plugins
+# and scripts with the embedded Perl interpreter if the plugins/scripts
+# do not explicitly indicate whether or not it is okay to do so. Read
+# the HTML documentation on the embedded Perl interpreter for more
+# information on how this option works.
+
+use_embedded_perl_implicitly=1
+
+
+
+# ILLEGAL OBJECT NAME CHARACTERS
+# This option allows you to specify illegal characters that cannot
+# be used in host names, service descriptions, or names of other
+# object types.
+
+illegal_object_name_chars=`~!$%^&*|'"<>?,()=
+
+
+
+# ILLEGAL MACRO OUTPUT CHARACTERS
+# This option allows you to specify illegal characters that are
+# stripped from macros before being used in notifications, event
+# handlers, etc. This DOES NOT affect macros used in service or
+# host check commands.
+# The following macros are stripped of the characters you specify:
+# $HOSTOUTPUT$
+# $HOSTPERFDATA$
+# $HOSTACKAUTHOR$
+# $HOSTACKCOMMENT$
+# $SERVICEOUTPUT$
+# $SERVICEPERFDATA$
+# $SERVICEACKAUTHOR$
+# $SERVICEACKCOMMENT$
+
+illegal_macro_output_chars=`~$&|'"<>
+
+
+
+# REGULAR EXPRESSION MATCHING
+# This option controls whether or not regular expression matching
+# takes place in the object config files. Regular expression
+# matching is used to match host, hostgroup, service, and service
+# group names/descriptions in some fields of various object types.
+# Values: 1 = enable regexp matching, 0 = disable regexp matching
+
+use_regexp_matching=0
+
+
+
+# "TRUE" REGULAR EXPRESSION MATCHING
+# This option controls whether or not "true" regular expression
+# matching takes place in the object config files. This option
+# only has an effect if regular expression matching is enabled
+# (see above). If this option is DISABLED, regular expression
+# matching only occurs if a string contains wildcard characters
+# (* and ?). If the option is ENABLED, regexp matching occurs
+# all the time (which can be annoying).
+# Values: 1 = enable true matching, 0 = disable true matching
+
+use_true_regexp_matching=0
+
+
+
+# ADMINISTRATOR EMAIL/PAGER ADDRESSES
+# The email and pager address of a global administrator (likely you).
+# Nagios never uses these values itself, but you can access them by
+# using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification
+# commands.
+
+admin_email=root@localhost
+admin_pager=pageroot@localhost
+
+
+
+# DAEMON CORE DUMP OPTION
+# This option determines whether or not Nagios is allowed to create
+# a core dump when it runs as a daemon. Note that it is generally
+# considered bad form to allow this, but it may be useful for
+# debugging purposes. Enabling this option doesn't guarantee that
+# a core file will be produced, but that's just life...
+# Values: 1 - Allow core dumps
+# 0 - Do not allow core dumps (default)
+
+daemon_dumps_core=0
+
+
+
+# LARGE INSTALLATION TWEAKS OPTION
+# This option determines whether or not Nagios will take some shortcuts
+# which can save on memory and CPU usage in large Nagios installations.
+# Read the documentation for more information on the benefits/tradeoffs
+# of enabling this option.
+# Values: 1 - Enabled tweaks
+# 0 - Disable tweaks (default)
+
+use_large_installation_tweaks=0
+
+
+
+# ENABLE ENVIRONMENT MACROS
+# This option determines whether or not Nagios will make all standard
+# macros available as environment variables when host/service checks
+# and system commands (event handlers, notifications, etc.) are
+# executed. Enabling this option can cause performance issues in
+# large installations, as it will consume a bit more memory and (more
+# importantly) consume more CPU.
+# Values: 1 - Enable environment variable macros (default)
+# 0 - Disable environment variable macros
+
+enable_environment_macros=1
+
+
+
+# CHILD PROCESS MEMORY OPTION
+# This option determines whether or not Nagios will free memory in
+# child processes (processed used to execute system commands and host/
+# service checks). If you specify a value here, it will override
+# program defaults.
+# Value: 1 - Free memory in child processes
+# 0 - Do not free memory in child processes
+
+#free_child_process_memory=1
+
+
+
+# CHILD PROCESS FORKING BEHAVIOR
+# This option determines how Nagios will fork child processes
+# (used to execute system commands and host/service checks). Normally
+# child processes are fork()ed twice, which provides a very high level
+# of isolation from problems. Fork()ing once is probably enough and will
+# save a great deal on CPU usage (in large installs), so you might
+# want to consider using this. If you specify a value here, it will
+# program defaults.
+# Value: 1 - Child processes fork() twice
+# 0 - Child processes fork() just once
+
+#child_processes_fork_twice=1
+
+
+
+# DEBUG LEVEL
+# This option determines how much (if any) debugging information will
+# be written to the debug file. OR values together to log multiple
+# types of information.
+# Values:
+# -1 = Everything
+# 0 = Nothing
+# 1 = Functions
+# 2 = Configuration
+# 4 = Process information
+# 8 = Scheduled events
+# 16 = Host/service checks
+# 32 = Notifications
+# 64 = Event broker
+# 128 = External commands
+# 256 = Commands
+# 512 = Scheduled downtime
+# 1024 = Comments
+# 2048 = Macros
+
+debug_level=-1
+
+
+
+# DEBUG VERBOSITY
+# This option determines how verbose the debug log out will be.
+# Values: 0 = Brief output
+# 1 = More detailed
+# 2 = Very detailed
+
+debug_verbosity=1
+
+
+
+# DEBUG FILE
+# This option determines where Nagios should write debugging information.
+
+debug_file=/var/lib/nagios3/nagios.debug
+
+
+
+# MAX DEBUG FILE SIZE
+# This option determines the maximum size (in bytes) of the debug file. If
+# the file grows larger than this size, it will be renamed with a .old
+# extension. If a file already exists with a .old extension it will
+# automatically be deleted. This helps ensure your disk space usage doesn't
+# get out of control when debugging Nagios.
+
+max_debug_file_size=1000000
+
+
-- cgit v1.2.3
From f8e3cf9aa8362c5ec36d3b0d33477898a2fd5c0c Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 16:14:26 +0100
Subject: deploy openvpn check
---
 puppet/modules/site_nagios/manifests/add_service.pp | 2 +-
 puppet/modules/site_nagios/manifests/server.pp | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index 1a69e068..a1f99cc9 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
@@ -2,7 +2,7 @@ define site_nagios::add_service ($hostname, $ip_address, $service) {
 case $service {
 'openvpn': {
- $check_command = 'check_openvpn'
+ $check_command = "check_openvpn_server_ip_port!$ip_address!1194"
 $service_description = 'Openvpn'
 }
 'webapp': {
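Review bot: The new command string hard-codes the OpenVPN port, `"check_openvpn_server_ip_port!$ip_address!1194"`, so a node whose gateway listens on another port is checked against the wrong one and reports DOWN while the service is fine. Taking the port from a define parameter with a default (`$openvpn_port = '1194'`) keeps existing callers working and makes the value overridable per host. A one-line comment above the assignment noting that `!` is Nagios' argument separator and that the arguments are `host!port` would also help the next reader, since neither the command definition nor the plugin is in this file.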
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index a8ebeaf4..fe3ab542 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -13,5 +13,13 @@ class site_nagios::server {
 #before => Class ['nagios::defaults']
 }
+ # deploy serverside plugins
+ file { '/usr/lib/nagios/plugins/check_openvpn_server.pl':
+ source => 'puppet:///modules/nagios/plugins/check_openvpn_server.pl',
+ mode => '0755',
+ owner => 'nagios',
+ group => 'nagios',
+ }
+
 site_nagios::add_host {$hosts:}
 }
-- cgit v1.2.3
From 8164205e06ecd9e1c68b788425cb4f71129b1061 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 16:15:33 +0100
Subject: don't deploy openvpn check until we fix #1546
---
 puppet/modules/site_nagios/manifests/add_service.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index a1f99cc9..d8293b42 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
@@ -1,10 +1,10 @@
 define site_nagios::add_service ($hostname, $ip_address, $service) {
 case $service {
- 'openvpn': {
- $check_command = "check_openvpn_server_ip_port!$ip_address!1194"
- $service_description = 'Openvpn'
- }
+ #'openvpn': {
+ # $check_command = "check_openvpn_server_ip_port!$ip_address!1194"
+ # $service_description = 'Openvpn'
+ #}
 'webapp': {
 $check_command = 'check_http'
 $service_description = 'Website'
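Review bot: The plugin file added in the server.pp hunk is installed with `owner => 'nagios'` and `mode => '0755'`, so it is writable by the same unprivileged account that executes it; if any plugin run under that account is ever compromised, the script Nagios runs on every check cycle can be replaced in place. `owner => 'root'`, `group => 'nagios'`, `mode => '0755'` (or `'0750'`) keeps it readable and executable for Nagios while removing write access. Nothing in this commit ties `check_openvpn_server_ip_port` (used in add_service.pp) to this script through a Nagios `command` definition; if that lives in the nagios module a comment saying so would help, otherwise the check will fail Nagios' config verification.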
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index d8293b42..5b282ac4 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
@@ -6,7 +6,7 @@ define site_nagios::add_service ($hostname, $ip_address, $service) {
 # $service_description = 'Openvpn'
 #}
 'webapp': {
- $check_command = 'check_http'
+ $check_command = 'check_https'
 $service_description = 'Website'
 }
 default: { notice ("No Nagios service check for service \"$service\"") }
-- cgit v1.2.3
From 76375b224bd621ab2238fa49207ca928892cd6f5 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 16:59:18 +0100
Subject: disabled notice about nagios services not deployed
---
 puppet/modules/site_nagios/manifests/add_service.pp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index 5b282ac4..25babd18 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
@@ -1,6 +1,7 @@
 define site_nagios::add_service ($hostname, $ip_address, $service) {
 case $service {
+ # don't deploy until we fix 1546
 #'openvpn': {
 # $check_command = "check_openvpn_server_ip_port!$ip_address!1194"
 # $service_description = 'Openvpn'
@@ -9,7 +10,9 @@ define site_nagios::add_service ($hostname, $ip_address, $service) {
 $check_command = 'check_https'
 $service_description = 'Website'
 }
- default: { notice ("No Nagios service check for service \"$service\"") }
+ default: {
+ #notice ("No Nagios service check for service \"$service\"")
+ }
 }
 if ( $check_command != '' ) {
-- cgit v1.2.3
From 349c58f668e419595ff3aff902948e7901e88d55 Mon Sep 17 00:00:00 2001
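Review bot: `$check_command = 'check_https'` relies on a Nagios command of that name existing on the server; this module does not define one and the commit does not say where it comes from, so a missing definition would only surface as a config verification error at Nagios restart rather than at Puppet time. A short comment, `# check_https is not defined in this module; it must exist in the server's Nagios command config`, makes the dependency explicit. If that command only connects to `$HOSTADDRESS$`, the certificate's hostname and expiry are not validated, which may be worth a dedicated check later.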
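Review bot: Commenting out the `notice` in the `default:` branch (second hunk of this commit) makes an unknown `$service` value completely silent: the host gets no check and nobody is told. If the message was disabled because it fires on every run, the branch should at least carry a comment stating that unrecognised services are intentionally ignored, and an explicit `$check_command = ''` there would make the `if ( $check_command != '' )` guard below read as intended; at present the guard relies on an unassigned variable comparing equal to the empty string, which appears to hold in the Puppet version in use but is not obvious. The body of that `if` continues outside the hunk.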
From: varac
Date: Mon, 28 Jan 2013 21:45:09 +0100
Subject: update services/monitoring.json to include openvpn_gateway_address
---
 provider_base/services/monitor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 0a44ded1..09972308 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,6 +1,6 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes['production' => true].fields('domain.full', 'ip_address', 'services')"
+ "hosts": "= nodes['production' => true].fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
 }
-}
\ No newline at end of file
+}
-- cgit v1.2.3
From 5380b3add3c1cd9c016905d0c339744fc9f2be98 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 22:03:23 +0100
Subject: re-add nagios service check openvpn
---
 puppet/modules/site_nagios/manifests/add_host.pp | 14 ++++++++------
 puppet/modules/site_nagios/manifests/add_service.pp | 11 ++++++-----
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp
index d5aac67c..498552b5 100644
--- a/puppet/modules/site_nagios/manifests/add_host.pp
+++ b/puppet/modules/site_nagios/manifests/add_host.pp
@@ -1,8 +1,9 @@
 define site_nagios::add_host {
- $nagios_host = $name
- $nagios_hostname = $name['domain_full']
- $nagios_ip = $name['ip_address']
- $nagios_services = $name['services']
+ $nagios_host = $name
+ $nagios_hostname = $name['domain_internal']
+ $nagios_ip = $name['ip_address']
+ $nagios_services = $name['services']
+ $nagios_openvpn_gw = $name['openvpn_gateway_address']
 # Add Nagios host
 nagios_host { $nagios_hostname:
@@ -15,8 +16,9 @@ define site_nagios::add_host {
 # First, we need to turn the serice array into hash, using a "hash template"
 # see https://github.com/ashak/puppet-resource-looping
 $nagios_service_hashpart = {
- 'hostname' => $nagios_hostname,
- 'ip_address' => $nagios_ip,
+ 'hostname' => $nagios_hostname,
+ 'ip_address' => $nagios_ip,
+ 'openvpn_gw' => $nagios_openvpn_gw,
 }
 $dynamic_parameters = {
 'service' => '%s'
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index 25babd18..280cb010 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
@@ -1,11 +1,12 @@
-define site_nagios::add_service ($hostname, $ip_address, $service) {
+define site_nagios::add_service (
+ $hostname, $ip_address, $openvpn_gw = '', $service) {
 case $service {
 # don't deploy until we fix 1546
- #'openvpn': {
- # $check_command = "check_openvpn_server_ip_port!$ip_address!1194"
- # $service_description = 'Openvpn'
- #}
+ 'openvpn': {
+ $check_command = "check_openvpn_server_ip_port!$openvpn_gw!1194"
+ $service_description = 'Openvpn'
+ }
 'webapp': {
 $check_command = 'check_https'
 $service_description = 'Website'
-- cgit v1.2.3
From 39cd7faddb030dbf4f789ff5964e5c96201c64dc Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 28 Jan 2013 22:33:25 +0100
Subject: set nagiosadmin htpasswd
---
 puppet/modules/site_nagios/manifests/server.pp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index fe3ab542..7c17fe82 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
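Review bot: In the add_service.pp hunk the re-enabled `'openvpn'` case still sits under the context line `# don't deploy until we fix 1546`, which now says the opposite of what the code does; drop it or reword it to whatever remains open. The new `$openvpn_gw = ''` default is the weak spot: a node that lists `openvpn` in its services but has no gateway address (the value arrives through add_host.pp's new `$nagios_openvpn_gw = $name['openvpn_gateway_address']`) produces `check_openvpn_server_ip_port!!1194`, an empty host argument that only fails at check time. Guarding it at compile time, `if $openvpn_gw == '' { fail("openvpn service on ${hostname} has no gateway address") }`, or falling back to `$ip_address`, surfaces the misconfiguration where it is made. Listing the optional `$openvpn_gw` before the required `$service` in the signature is also something puppet-lint flags; placing it last is the conventional order.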
@@ -1,7 +1,7 @@ -class site_nagios::server { +class site_nagios::server inherits nagios::base { $nagios_hiera=hiera('nagios') - $nagiosadmin_pw = $nagios_hiera['nagiosadmin_pw'] + $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) $hosts = $nagios_hiera['hosts'] include nagios::defaults @@ -13,6 +13,13 @@ class site_nagios::server { #before => Class ['nagios::defaults'] } + File ['nagios_htpasswd'] { + source => undef, + content => "nagiosadmin:$nagiosadmin_pw", + mode => '0640', + } + + # deploy serverside plugins file { '/usr/lib/nagios/plugins/check_openvpn_server.pl': source => 'puppet:///modules/nagios/plugins/check_openvpn_server.pl', -- cgit v1.2.3 From dd39a69c717cb01b604e8df84217288cc8133fa1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 11:29:14 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 507d5448..92d2d7be 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 507d5448c85904d6471e829d3afe00cff89e7520 +Subproject commit 92d2d7be5f99920c67245d02c1ce76288967db62 -- cgit v1.2.3 From be81edd7aa5e35c9bd79cd77946e6e7d17288bee Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 16:36:29 +0100 Subject: apt-get update + dist-upgrade in initial stage --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 87a2fc00..f129dd73 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp 
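Review bot: The `File ['nagios_htpasswd']` override in the second hunk writes `nagiosadmin:$nagiosadmin_pw` with no trailing newline and sets only `mode => '0640'`; owner and group still come from the base declaration in nagios::base, outside this hunk, so whether 0640 lets the web server read the file and nobody else depends on that declaration and is worth confirming. If `htpasswd_sha1` emits Apache's `{SHA}` format, as its name suggests, the stored digest is unsalted SHA-1, which is weak protection for the password guarding the monitoring UI; an apr1-MD5 or bcrypt entry would be preferable if the base module offers one. At minimum I would write `content => "nagiosadmin:${nagiosadmin_pw}\n",` and explain the cleared source above the override, e.g. `# nagios::base presumably ships a static htpasswd; replace it with the hiera-provided admin password`.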
@@ -1,11 +1,15 @@ -class site_apt::dist_upgrade inherits apt::dist_upgrade { +class site_apt::dist_upgrade { if $::apt_running == 'true' { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') + } else { + exec{'initial_apt_update': + command => '/usr/bin/apt-get update && /usr/bin/apt-get autoclean', + refreshonly => false, + } + exec{'initial_apt_dist_upgrade': + command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", + refreshonly => false, + } } - # ensue dist-upgrade on every puppetrun - Exec['apt_dist-upgrade']{ - refreshonly => false, - } - } -- cgit v1.2.3 From d0bec7ba086aadefba3655509db6c5b25b116bfb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 16:39:23 +0100 Subject: run stage declaration moved to site.pp --- puppet/manifests/site.pp | 6 +++++- puppet/modules/site_config/manifests/init.pp | 6 +----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1a76e3bd..33566f0c 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,6 +1,10 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +stage { 'initial': + before => Stage['main'], +} + node 'default' { # prerequisites import 'common' @@ -11,7 +15,7 @@ node 'default' { # include some basic classes include site_config } else { - notice ('NOT applying site_config') + notice ('NOT applying site_config') } # parse services for host diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index c27074ed..f0ce9856 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp 
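Review bot: In site_apt::dist_upgrade the two new execs have no ordering between them, so Puppet is free to run `initial_apt_dist_upgrade` before `initial_apt_update` and upgrade against a stale package index; add `require => Exec['initial_apt_update'],` to the dist-upgrade exec. Both resources also run unconditionally on every agent run, and `-y -o 'DPkg::Options::=--force-confold'` silently keeps every existing conffile, which is reasonable for unattended runs but deserves a comment such as `# runs every time; keep local conffiles so an upgrade never overwrites puppet-managed config`. `refreshonly => false` is exec's default and can be dropped from both resources.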
@@ -17,12 +17,8 @@ class site_config { # configure caching, local resolver include site_config::caching_resolver - - # configure /etc/hosts - stage { 'initial': - before => Stage['main'], - } + # configure /etc/hosts class { 'site_config::hosts': stage => initial, } -- cgit v1.2.3 From 3f8c8b8f4b02dd1948d931945ab673e15f0e5089 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 17:01:47 +0100 Subject: start shorewall on deploy (fixes #1122) --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 57dc17e9..7de1510c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } include site_shorewall::defaults -- cgit v1.2.3 From 4cc4237b1184b89b7c491267f8ddbc13067730b4 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 17:02:13 +0100 Subject: fix deprecation warnings in site_config --- puppet/modules/site_config/manifests/hosts.pp | 2 +- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 80619e33..a5f1b105 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,7 +3,7 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') - $domain_public = $domain_hash['full_suffix'] + $domain_public = $site_config::domain_hash['full_suffix'] file { "/etc/hostname": ensure => present, diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index adecb838..b803f17e 100644 
--- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -11,7 +11,7 @@ class site_config::resolvconf { ensure => absent; } - $domain_public = $domain_hash['full_suffix'] + $domain_public = $site_config::domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de -- cgit v1.2.3 From 64a3ec6ac5a064800a32170c2e8d058ab8b7dd62 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 18:57:56 +0100 Subject: Purge nagios config files on every run (Feature #1544) --- puppet/modules/site_nagios/manifests/server.pp | 5 +++++ puppet/modules/site_nagios/manifests/server/purge.pp | 7 +++++++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server/purge.pp diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 7c17fe82..5e2f832b 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -1,5 +1,10 @@ class site_nagios::server inherits nagios::base { + # First, purge old nagios config (see #1467) + class { 'site_nagios::server::purge': + stage => initial + } + $nagios_hiera=hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) $hosts = $nagios_hiera['hosts'] diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp new file mode 100644 index 00000000..66c27dd5 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -0,0 +1,7 @@ +class site_nagios::server::purge { + exec {'purge_conf.d': + command => '/bin/rm -rf /etc/nagios3/conf.d', + onlyif => 'test -e /etc/nagios3/conf.d' + } + +} -- cgit v1.2.3 From 6ebc2b495d9ea920770823cd08ae4eb881b684f7 Mon Sep 17 00:00:00 2001 
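Review bot: `site_nagios::server::purge` in the last hunk shells out to `rm -rf /etc/nagios3/conf.d` on every run, which removes the package-owned directory itself and reports a change each time. A `file` resource with `recurse`, `purge` and `force` expresses the same intent declaratively, is idempotent, keeps the directory and its ownership, and lets other resources order against it instead of against an opaque exec; if nagios::base already declares that directory, the purge parameters belong on that declaration instead. The bare `test` in `onlyif` relies on the global `Exec { path => … }` default from site.pp, which is fine as long as that default stays.
```puppet
class site_nagios::server::purge {
  # drop stale nagios objects from earlier runs; files declared later in the catalog are recreated
  file { '/etc/nagios3/conf.d':
    ensure  => directory,
    recurse => true,
    purge   => true,
    force   => true,
  }
}
```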
From: Micah Anderson Date: Sun, 27 Jan 2013 20:23:52 -0500 Subject: add a new fact that provides a fact for each configured ip address, telling you which interface has it (essentially the inverse of the ipaddress_${interface} fact). Switch the hiera lookups of the $interface, which was pulling from the .json to pull instead from the above fact, see #1547 and #1548 --- puppet/modules/site_config/lib/facter/ip_interface.rb | 13 +++++++++++++ puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_config/lib/facter/ip_interface.rb diff --git a/puppet/modules/site_config/lib/facter/ip_interface.rb b/puppet/modules/site_config/lib/facter/ip_interface.rb new file mode 100644 index 00000000..2a4a6b50 --- /dev/null +++ b/puppet/modules/site_config/lib/facter/ip_interface.rb @@ -0,0 +1,13 @@ +require 'facter/util/ip' + +Facter::Util::IP.get_interfaces.each do |interface| + ip = Facter.value("ipaddress_#{interface}") + if ip != nil + Facter.add(ip + "_interface" ) do + setcode do + interface + end + end + end +end + diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4606179c..a9fa8b2b 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,7 +1,7 @@ class site_openvpn { # parse hiera config $ip_address = hiera('ip_address') - $interface = hiera('interface') + $interface = getvar("$::{ip_address}_interface") #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7de1510c..35912dfe 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
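Review bot: In ip_interface.rb the guard `if ip != nil` wrapping the whole `Facter.add` block reads better as an early `next unless ip` at the top of the loop body, and `ip + "_interface"` is clearer as interpolation, `Facter.add("#{ip}_interface") do`. Note also that `Facter.value("ipaddress_#{interface}")` is evaluated for every interface when the fact file is loaded rather than lazily inside `setcode`, so its cost is paid on every facter run whether or not any of these facts is queried; probably acceptable here, but worth a one-line comment. A header comment would help the next reader: `# For every interface that has an address, publish a fact named after that address whose value is the interface name (the inverse of ipaddress_<iface>).`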
@@ -5,7 +5,8 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $ip_address = hiera('ip_address') + $interface = getvar("$::{ip_address}_interface") $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') -- cgit v1.2.3 From bdf7beb1594b480bd438625b33f27403d2ab5959 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:24:29 -0500 Subject: enclose the variables in curly braces, as recommended by puppet-lint --- puppet/modules/site_openvpn/manifests/init.pp | 8 ++++---- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index a9fa8b2b..4e13bb5d 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -21,15 +21,15 @@ class site_openvpn { port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", - push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + server => "${openvpn_tcp_network_prefix.0} ${openvpn_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", - push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + server => "${openvpn_udp_network_prefix.0} ${openvpn_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", local => $openvpn_gateway_address, management => '127.0.0.1 1001' } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 35912dfe..a3f6ee54 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -43,11 +43,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 7480df63974459e733a6733994adc19ac464be6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:47:01 -0500 Subject: create a special case for vagrant machines that need to have both interfaces in the net zone so we dont lock ourselves out during deploy, but also are able to access the internet --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a3f6ee54..067b2f83 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -6,7 +6,11 @@ class site_shorewall::eip { include site_shorewall::defaults $ip_address = hiera('ip_address') - $interface = getvar("$::{ip_address}_interface") + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => ['eth0', 'eth1'], + default => getvar("$::{ip_address}_interface") + } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') -- cgit v1.2.3 From 4afce540c645bb0e472312db726141c3ab18f065 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 11:36:08 -0500 Subject: it seems facts cannot start with numbers --- puppet/modules/site_config/lib/facter/ip_interface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/site_config/lib/facter/ip_interface.rb b/puppet/modules/site_config/lib/facter/ip_interface.rb index 2a4a6b50..45764bfc 100644 --- a/puppet/modules/site_config/lib/facter/ip_interface.rb +++ b/puppet/modules/site_config/lib/facter/ip_interface.rb @@ -3,7 +3,7 @@ require 'facter/util/ip' Facter::Util::IP.get_interfaces.each do |interface| ip = Facter.value("ipaddress_#{interface}") if ip != nil - Facter.add(ip + "_interface" ) do + Facter.add("interface_" + ip ) do setcode do interface end -- cgit v1.2.3 From d6b334a20dcf495ea0b9cb7247c0e20d478dbbba Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 11:37:42 -0500 Subject: fix syntax error from enclosing variables in curly --- puppet/modules/site_openvpn/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4e13bb5d..b4c573e7 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -21,14 +21,14 @@ class site_openvpn { port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => "${openvpn_tcp_network_prefix.0} ${openvpn_tcp_netmask}", + server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - server => "${openvpn_udp_network_prefix.0} ${openvpn_udp_netmask}", + server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", local => $openvpn_gateway_address, management => '127.0.0.1 1001' -- cgit v1.2.3 From 0e1f5ab91e7a613da7ec15495f05386a98626b08 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 29 Jan 2013 11:54:53 -0500 Subject: fix variable scoping --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b4c573e7..d777aa81 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,7 +1,7 @@ class site_openvpn { # parse hiera config $ip_address = hiera('ip_address') - $interface = getvar("$::{ip_address}_interface") + $interface = getvar("${ip_address}_interface") #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 067b2f83..d5d7ff19 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,7 +9,7 @@ class site_shorewall::eip { # a special case for vagrant interfaces $interface = $::virtual ? { virtualbox => ['eth0', 'eth1'], - default => getvar("$::{ip_address}_interface") + default => getvar("${ip_address}_interface") } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] -- cgit v1.2.3 From e83842af0eff8e7754f79100c786f0dc235eba75 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 13:15:38 -0500 Subject: setup special casing for vagrant/virtualbox --- puppet/modules/site_shorewall/manifests/eip.pp | 50 ++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index d5d7ff19..b2d165db 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -8,7 +8,7 @@ class site_shorewall::eip { $ip_address = hiera('ip_address') # a special case for vagrant interfaces $interface = $::virtual ? { - virtualbox => ['eth0', 'eth1'], + virtualbox => [ 'eth0', 'eth1' ], default => getvar("${ip_address}_interface") } $ssh_config = hiera('ssh') @@ -30,28 +30,42 @@ PARAM - - udp 1194 options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::interface {'tun0': - zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::interface {'tun1': - zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface { + 'tun0': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun1': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs' + } shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: - interface => $interface; } - - - shorewall::masq { "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; } - - shorewall::masq { "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + shorewall::routestopped { $interface: } + + case $::virtual { + 'virtualbox': { + shorewall::masq { + 'eth0_tcp': + interface => 'eth0', + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + 'eth0_udp': + interface => 'eth0', + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + } + default: { + shorewall::masq { + "${interface}_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + + "${interface}_udp": + interface => $interface, + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + } + } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 
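Review bot: In the second hunk of site_shorewall::eip the `case $::virtual` duplicates the two masq resources and their `source` expressions verbatim, differing only in the interface name, which invites the two branches to drift apart; hoisting the networks into locals and selecting the interface once leaves a single masq block. The selector at the top of the file uses the bareword `virtualbox` while the new `case` quotes `'virtualbox'`; both match, but puppet-lint flags the unquoted form, so quoting it keeps the file consistent. The enclosing class continues past the end of the hunk.
```puppet
  # VPN client networks that are NATed out of the uplink interface
  $tcp_net = "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"
  $udp_net = "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"
  # vagrant boxes put both interfaces in the net zone; NAT only on eth0, as before
  $masq_interface = $::virtual ? {
    'virtualbox' => 'eth0',
    default      => $interface,
  }

  shorewall::masq {
    "${masq_interface}_tcp":
      interface => $masq_interface,
      source    => $tcp_net;
    "${masq_interface}_udp":
      interface => $masq_interface,
      source    => $udp_net;
  }
  # … unchanged: shorewall::policy 'eip-to-all' …
```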
From a3edca1924353a797fffd8fb8506d8be86d930d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 13:20:05 -0500 Subject: fix variable name for re-ordered fact --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index d777aa81..0ddb01ae 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,7 +1,7 @@ class site_openvpn { # parse hiera config $ip_address = hiera('ip_address') - $interface = getvar("${ip_address}_interface") + $interface = getvar("interface_${ip_address}") #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index b2d165db..09dfece6 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,7 +9,7 @@ class site_shorewall::eip { # a special case for vagrant interfaces $interface = $::virtual ? { virtualbox => [ 'eth0', 'eth1' ], - default => getvar("${ip_address}_interface") + default => getvar("interface_${ip_address}") } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] -- cgit v1.2.3 From fd72a5e2a5f044003544602ebfa59dbaac685324 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 19:47:55 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b598e7d2..dcb8a082 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
@@ -1 +1 @@ -Subproject commit b598e7d2a4be7ee863ae70450a73bfcda381634e +Subproject commit dcb8a082ac842b0660819ea61f9448c4e373746e -- cgit v1.2.3 From 93054f283f7f6e4e04fa9ddf901158654a62e9df Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 15:17:28 -0500 Subject: eliminate dynamic lookup deprecation warnings for site_couchdb::apache_ssl_proxy --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 02aae0c3..7739473e 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -12,13 +12,13 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { x509::key { 'leap_couchdb': - content => $x509['key'], + content => $key, notify => Service[apache]; } x509::cert { 'leap_couchdb': - content => $x509['cert'], + content => $cert, notify => Service[apache]; } -- cgit v1.2.3 From a48160a4861dcfffb661bcbf8783ecdb84cbf3e6 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 29 Jan 2013 13:00:40 -0800 Subject: added support for client ca cert in site openvpn. --- puppet/modules/site_openvpn/manifests/keys.pp | 6 ++++++ puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 4c43ec05..78902676 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -12,6 +12,12 @@ class site_openvpn::keys { notify => Service[openvpn]; } + x509::ca { + 'leap_client_ca': + content => $site_openvpn::x509_config['client_ca_cert'], + notify => Service[openvpn]; + } + x509::ca { 'leap_openvpn': content => $site_openvpn::x509_config['ca_cert'], 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index c4f64225..da40529c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -67,6 +67,10 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana } openvpn::option { + "ca $openvpn_configname": + key => 'ca', + value => '/usr/local/share/ca-certificates/leap_client_ca.crt', + server => $openvpn_configname; "ca $openvpn_configname": key => 'ca', value => '/usr/local/share/ca-certificates/leap_openvpn.crt', -- cgit v1.2.3 From b3f1d297973694f9aef9a7ab3d87799fc644f464 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 16:38:39 -0500 Subject: test the $webapp['img_dir'] variable to see if it is undef or not, the default in the json is ~ (nil), which ends up being undef in puppet (closes #1575) --- puppet/modules/site_webapp/manifests/init.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 717a9477..c7d918ae 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -84,10 +84,14 @@ class site_webapp { '/srv/leap-webapp/app/assets/stylesheets/head.scss': ensure => 'link', target => $webapp['head_scss']; + } - '/srv/leap-webapp/public/img': - ensure => 'link', - target => $webapp['img_dir']; + if $webapp['img_dir'] != undef { + file { + '/srv/leap-webapp/public/img': + ensure => 'link', + target => $webapp['img_dir']; + } } file { -- cgit v1.2.3 From d61c7bc52dd86132a96d80d498dd63f1582417be Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 15:16:19 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
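Review bot: The `openvpn::option` block in server_config.pp now declares two resources with the identical title `"ca $openvpn_configname"`, which Puppet rejects as a duplicate declaration, so the catalog will not compile as written. Beyond the title clash, OpenVPN's `ca` directive is single-valued and is what the server uses to verify the peer's certificate, so the server needs exactly one `ca` line; if clients are issued from leap_client_ca, point that single entry at `/usr/local/share/ca-certificates/leap_client_ca.crt`, or at a bundle file holding both CAs if certificates from either must be accepted. Whichever it is, the choice decides who can authenticate to the VPN, so a comment on the option stating which CA clients are expected to present would save the next reader from guessing. The enclosing `openvpn::option` block continues past the end of this hunk.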
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index da40529c..68387a90 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -143,7 +143,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "$server", + value => $server, server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From 6b3dafcb8c18ac31a1d11be661c255ec458d6078 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 15:40:58 +0100 Subject: start shorewall on vagrant nodes too (#1467) --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 09dfece6..de81aa1d 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } include site_shorewall::defaults -- cgit v1.2.3 From 50bb4b8b4d3f71b2916acbbefca92df9fdc53e68 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Jan 2013 10:32:15 -0500 Subject: provide a fall-back apt.sources.d entry that is disabled by default (#1348) This file will have the .disabled removed by the apt wrapper when the apt-get update fails --- puppet/modules/site_apt/manifests/init.pp | 5 +++++ puppet/modules/site_apt/templates/fallback.list | 3 +++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_apt/templates/fallback.list 
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 99bcce4f..beef6fa5 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -8,4 +8,9 @@ class site_apt { } include ::apt::unattended_upgrades + + apt::sources_list { 'fallback.list.disabled': + content => template('site_apt/fallback.list'); + } + } diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/fallback.list new file mode 100644 index 00000000..fa6d041f --- /dev/null +++ b/puppet/modules/site_apt/templates/fallback.list @@ -0,0 +1,3 @@ +# basic +deb http://ftp.debian.org/debian/ <%= codename %> <%= repos %> + -- cgit v1.2.3 From 0c0abf8496260f9e0f4c6e655af850396f203afe Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 16:53:58 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 92d2d7be..6c135ea7 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 92d2d7be5f99920c67245d02c1ce76288967db62 +Subproject commit 6c135ea7bc2ae9951154cf5471801469e3e3d581 -- cgit v1.2.3 From 09649211f3c4b9ffd08af15deabe5916cf78df72 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Jan 2013 11:19:20 -0500 Subject: codename is unavailable in the site_apt module, but $::lsbdistcodename is fine here --- puppet/modules/site_apt/templates/fallback.list | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/fallback.list index fa6d041f..41334b0b 100644 --- a/puppet/modules/site_apt/templates/fallback.list +++ b/puppet/modules/site_apt/templates/fallback.list 
@@ -1,3 +1,3 @@ # basic -deb http://ftp.debian.org/debian/ <%= codename %> <%= repos %> +deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free -- cgit v1.2.3 From ab9a292f41139c5c5e36de87e03236e29dd27e23 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:09:20 +0100 Subject: puppet tags: site_config::default and site_config::slow --- puppet/manifests/site.pp | 66 ++++++++++------------ puppet/modules/site_config/manifests/default.pp | 28 +++++++++ puppet/modules/site_config/manifests/hosts.pp | 2 +- puppet/modules/site_config/manifests/init.pp | 29 ---------- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- puppet/modules/site_config/manifests/slow.pp | 6 ++ 6 files changed, 65 insertions(+), 68 deletions(-) create mode 100644 puppet/modules/site_config/manifests/default.pp delete mode 100644 puppet/modules/site_config/manifests/init.pp create mode 100644 puppet/modules/site_config/manifests/slow.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 33566f0c..146b373e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
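Review bot: `<%= lsbdistcodename %>` reaches the fact through Puppet's deprecated bare-name template lookup, which warns on every compile; `<%= scope.lookupvar('::lsbdistcodename') %>` (or `@lsbdistcodename`) reads the same top-scope fact explicitly. Hard-coding `main contrib non-free` also removes the `repos` variable, so the fallback list now enables non-free unconditionally even where the primary sources may not; if that is intended, a comment in the template saying so, e.g. `# emergency fallback used only when the primary mirror fails; intentionally mirrors the full component set`, would stop the next reader from "fixing" it.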
@@ -5,41 +5,33 @@ stage { 'initial': before => Stage['main'], } -node 'default' { - # prerequisites - import 'common' - include concat::setup - - $development = hiera('development') - if $development['site_config'] == true { - # include some basic classes - include site_config - } else { - notice ('NOT applying site_config') - } - - # parse services for host - $services=hiera_array('services') - notice("Services for $fqdn: $services") - - # configure eip - if 'openvpn' in $services { - include site_openvpn - } - - if 'couchdb' in $services { - include site_couchdb - } - - if 'webapp' in $services { - include site_webapp - } - - if 'ca' in $services { - include site_ca_daemon - } - - if 'monitor' in $services { - include site_nagios::server - } +# prerequisites +import 'common' +include concat::setup +include site_config::default +include site_config::slow + +# parse services for host +$services=hiera_array('services') +notice("Services for ${fqdn}: ${services}") + +# configure eip +if 'openvpn' in $services { + include site_openvpn +} + +if 'couchdb' in $services { + include site_couchdb +} + +if 'webapp' in $services { + include site_webapp +} + +if 'ca' in $services { + include site_ca_daemon +} + +if 'monitor' in $services { + include site_nagios::server } diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp new file mode 100644 index 00000000..0605604b --- /dev/null +++ b/puppet/modules/site_config/manifests/default.pp 
@@ -0,0 +1,28 @@ +class site_config::default { + tag 'default' + + $domain_hash = hiera('domain') + + # default class, used by all hosts + + include lsb, git + + # configure apt + include site_apt + + + # configure ssh and include ssh-keys + include site_config::sshd + + # configure /etc/resolv.conf + include site_config::resolvconf + + # configure caching, local resolver + include site_config::caching_resolver + + # configure /etc/hosts + class { 'site_config::hosts': + stage => initial, + } + +} diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index a5f1b105..6c00f3b6 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,7 +3,7 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') - $domain_public = $site_config::domain_hash['full_suffix'] + $domain_public = $site_config::default::domain_hash['full_suffix'] file { "/etc/hostname": ensure => present, diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp deleted file mode 100644 index f0ce9856..00000000 --- a/puppet/modules/site_config/manifests/init.pp +++ /dev/null @@ -1,29 +0,0 @@ -class site_config { - $domain_hash = hiera('domain') - - # default class, used by all hosts - - include lsb, git - - # configure apt - include site_apt - - - # configure ssh and include ssh-keys - include site_config::sshd - - # configure /etc/resolv.conf - include site_config::resolvconf - - # configure caching, local resolver - include site_config::caching_resolver - - # configure /etc/hosts - class { 'site_config::hosts': - stage => initial, - } - - class { 'site_apt::dist_upgrade': - stage => initial, - } -} diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b803f17e..d73f0b78 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp 
+++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -11,7 +11,7 @@ class site_config::resolvconf { ensure => absent; } - $domain_public = $site_config::domain_hash['full_suffix'] + $domain_public = $site_config::default::domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp new file mode 100644 index 00000000..a4a9f19f --- /dev/null +++ b/puppet/modules/site_config/manifests/slow.pp @@ -0,0 +1,6 @@ +class site_config::slow { + + class { 'site_apt::dist_upgrade': + stage => initial, + } +} -- cgit v1.2.3 From ced1717ae310c5b24fffd041c8af38b016d90ed4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:40:41 +0100 Subject: include site_nagios so every subclass inherits tag 'service' --- puppet/manifests/site.pp | 2 +- puppet/modules/site_nagios/manifests/init.pp | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_nagios/manifests/init.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 146b373e..d422bef7 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -33,5 +33,5 @@ if 'ca' in $services { } if 'monitor' in $services { - include site_nagios::server + include site_nagios } diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp new file mode 100644 index 00000000..57da3011 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -0,0 +1,4 @@ +class site_nagios { + tag 'service' + include site_nagios::server +} -- cgit v1.2.3 From 5addc36a364186d53d13304182d6f41b30f6a890 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:41:13 +0100 Subject: just purge the nagios3/conf.d content, not the dir itself --- puppet/modules/site_nagios/manifests/server/purge.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 66c27dd5..39735cd3 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -1,6 +1,6 @@ class site_nagios::server::purge { exec {'purge_conf.d': - command => '/bin/rm -rf /etc/nagios3/conf.d', + command => '/bin/rm -rf /etc/nagios3/conf.d/*', onlyif => 'test -e /etc/nagios3/conf.d' } -- cgit v1.2.3 From 42aef6df0091f8879d83860efd3c08a6d8e26bdf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:42:58 +0100 Subject: changed tag default to 'base' --- puppet/modules/site_config/manifests/default.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 0605604b..577970ca 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,5 +1,5 @@ class site_config::default { - tag 'default' + tag 'base' $domain_hash = hiera('domain') -- cgit v1.2.3 From dda36946d405301d9123bb455753650920d0756a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:52:32 +0100 Subject: tag 'service' for all service classes --- puppet/modules/site_ca_daemon/manifests/init.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 2 +- puppet/modules/site_openvpn/manifests/init.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 4ec5b00b..c00a22c8 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp 
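Review bot: The new command relies on shell expansion of `/etc/nagios3/conf.d/*`, but Puppet's default `posix` exec provider is documented as running the binary without a shell, so whether the asterisk is expanded depends on which provider ends up in use; `provider => shell,` (or wrapping the command as `/bin/sh -c 'rm -rf /etc/nagios3/conf.d/*'`) makes the intent explicit. The unchanged `onlyif => 'test -e /etc/nagios3/conf.d'` is not fully qualified and no `path` is set in the visible lines, which Puppet rejects unless an `Exec` resource default supplies one elsewhere; `onlyif => '/usr/bin/test -e /etc/nagios3/conf.d'` sidesteps that. The exec also has no `refreshonly` or ordering relative to whatever regenerates the purged configs, which is worth confirming against the rest of the site_nagios::server class.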
@@ -1,5 +1,5 @@ class site_ca_daemon { - + tag 'service' #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 04f2ca1a..632df799 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,5 @@ class site_couchdb { - + tag 'service' include couchdb $x509 = hiera('x509') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 0ddb01ae..df4277cd 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,4 +1,5 @@ class site_openvpn { + tag 'service' # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c7d918ae..d1951dcd 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -1,5 +1,5 @@ class site_webapp { - + tag 'service' $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] -- cgit v1.2.3 From 3c3ed940466eabf9cb56a47614133b5bc90d4ad7 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 31 Jan 2013 04:31:54 -0800 Subject: added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used. --- provider_base/test/openvpn/client.ovpn.erb | 6 ++-- puppet/modules/site_openvpn/manifests/keys.pp | 33 +++++++++++++++++----- .../site_openvpn/manifests/server_config.pp | 6 +--- 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb index 96cb7177..a0bdd307 100644 
--- a/provider_base/test/openvpn/client.ovpn.erb +++ b/provider_base/test/openvpn/client.ovpn.erb @@ -9,10 +9,8 @@ auth SHA1 cipher AES-128-CBC tls-cipher DHE-RSA-AES128-SHA -<% manager.services['openvpn'].node_list.each_node do |node| -%> -<% unless node.local -%> -<%= "remote #{node.openvpn.gateway_address} 1194 udp"%> -<% end -%> +<% vpn_nodes.each_node do |node| -%> +<%= "remote #{node.openvpn.gateway_address} 1194 udp"%> <% end -%> diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 78902676..f3c5b423 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -13,13 +13,7 @@ class site_openvpn::keys { } x509::ca { - 'leap_client_ca': - content => $site_openvpn::x509_config['client_ca_cert'], - notify => Service[openvpn]; - } - - x509::ca { - 'leap_openvpn': + 'leap_ca': content => $site_openvpn::x509_config['ca_cert'], notify => Service[openvpn]; } @@ -29,4 +23,29 @@ class site_openvpn::keys { mode => '0644', } + # + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + # + + concat { + '/etc/openvpn/ca_bundle.pem': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; + } + + concat::fragment { + 'client_ca_cert': + content => $site_openvpn::x509_config['client_ca_cert'], + target => '/etc/openvpn/ca_bundle.pem'; + 'ca_cert': + content => $site_openvpn::x509_config['ca_cert'], + target => '/etc/openvpn/ca_bundle.pem'; + } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 68387a90..de273b46 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp 
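Review bot: `mode => 644` on the new `/etc/openvpn/ca_bundle.pem` concat is an unquoted number while the file resource just above it in the same hunk uses `mode => '0644'`; quoting it (`mode => '0644',`) keeps the two consistent and avoids the value being read as decimal by a stricter parser. The bundle intentionally makes OpenVPN trust client certificates issued by either `client_ca_cert` or `ca_cert` (the server-side `ca` option is pointed at it in the server_config.pp hunk below), so retiring the old CA later means deleting its `concat::fragment` here; the header comment could state that explicitly, e.g. `# to phase a CA out, remove its fragment below (OpenVPN trusts every cert in this bundle)`. The fragments carry no `order`, which should not matter for a CA bundle.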
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/usr/local/share/ca-certificates/leap_client_ca.crt', - server => $openvpn_configname; - "ca $openvpn_configname": - key => 'ca', - value => '/usr/local/share/ca-certificates/leap_openvpn.crt', + value => '/etc/openvpn/ca_bundle.pem', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', -- cgit v1.2.3 From 24829044b9726f5eb9a8a0ac09f94152b943f9e4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 14:54:05 +0100 Subject: install etckeeper on all nodes --- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 577970ca..699eb4dd 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -25,4 +25,7 @@ class site_config::default { stage => initial, } + package { [ 'etckeeper' ]: + ensure => installed, + } } -- cgit v1.2.3 From e6fe80f9460b8bc013068e1dda8be6230b8d60a4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 19:09:19 +0100 Subject: tag 'base' is a bad idea because it invokes apache::base as well --- puppet/modules/site_ca_daemon/manifests/init.pp | 2 +- puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_config/manifests/slow.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 2 +- puppet/modules/site_nagios/manifests/init.pp | 2 +- puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_webapp/manifests/init.pp | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index c00a22c8..86e186bb 100644 
--- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -1,5 +1,5 @@ class site_ca_daemon { - tag 'service' + tag 'leap_service' #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 699eb4dd..14b389e8 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,5 +1,5 @@ class site_config::default { - tag 'base' + tag 'leap_base' $domain_hash = hiera('domain') diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index a4a9f19f..18b22a9c 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -1,5 +1,5 @@ class site_config::slow { - + tag 'leap_slow' class { 'site_apt::dist_upgrade': stage => initial, } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 632df799..1789dd55 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,5 @@ class site_couchdb { - tag 'service' + tag 'leap_service' include couchdb $x509 = hiera('x509') diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index 57da3011..cab32905 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,4 +1,4 @@ class site_nagios { - tag 'service' + tag 'leap_service' include site_nagios::server } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index df4277cd..e3d2a9af 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,5 +1,5 @@ class site_openvpn { - tag 'service' + tag 'leap_service' # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d1951dcd..592241c1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -1,5 +1,5 @@ class site_webapp { - tag 'service' + tag 'leap_service' $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] -- cgit v1.2.3 From c4805af340ae63e9129696e0c96f9896417eb9c4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 31 Jan 2013 15:58:16 -0500 Subject: install an apache Directory override block to disable passenger for nagios, if the node is a monitor node --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 8c820788..4928cdd6 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -36,5 +36,12 @@ PassengerAllowEncodedSlashes on PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + + <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> + + PassengerEnabled off + AllowOverride all + + <% end -%> -- cgit v1.2.3 From 5a825f7f6045cea00d94bcebf339c8e2dff5b067 Mon Sep 17 00:00:00 2001 
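Review bot: The new condition mixes the bare name `services` in `(services.is_a? Array)` with `@services` in the other two terms, so the middle term is resolved as a method lookup in the template scope rather than the instance variable (older Puppet tolerates that with a deprecation warning, as far as I recall, but it is not the same thing); it should read `<% if (defined? @services) and (@services.is_a? Array) and (@services.include? 'monitor') -%>`. Using `&&` rather than Ruby's low-precedence `and` would also make a later edit to this line less error-prone. `AllowOverride all` inside the new block enables `.htaccess` processing for that directory, which is worth confirming is intended rather than a narrower `AllowOverride None` plus the `PassengerEnabled off` line that is the actual goal.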
From: Micah Anderson Date: Thu, 31 Jan 2013 18:31:02 -0500 Subject: update the x509 submodule to get non-root application access to key file enhancement put the leap-webapp user in the 'ssl-cert' group pass group => 'leap-webapp' to the leap_client_ca.key so the application can access it --- puppet/modules/site_webapp/manifests/client_ca.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 1 + puppet/modules/x509 | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp index 53c49d69..0d9b15d6 100644 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ b/puppet/modules/site_webapp/manifests/client_ca.pp @@ -13,6 +13,7 @@ class site_webapp::client_ca { x509::key { 'leap_client_ca': source => $x509['client_ca_key'], + group => 'leap-webapp', notify => Service[apache]; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 592241c1..d59cebba 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -27,6 +27,7 @@ class site_webapp { ensure => present, allowdupe => false, gid => 'leap-webapp', + groups => 'ssl-cert', home => '/srv/leap-webapp', require => [ Group['leap-webapp'] ]; } diff --git a/puppet/modules/x509 b/puppet/modules/x509 index d7a252b7..456212d1 160000 --- a/puppet/modules/x509 +++ b/puppet/modules/x509 @@ -1 +1 @@ -Subproject commit d7a252b77db843e800ed9fc92a56d5214f432026 +Subproject commit 456212d16e55e1299c2d9bfcc7965b40e0318cb4 -- cgit v1.2.3 From e8edd253d1a27d7ed95c690282bc8cf579baa158 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 1 Feb 2013 11:14:35 +0100 Subject: disable nagios debug mode (Feature #1551) --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
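Review bot: `groups => 'ssl-cert'` on the `leap-webapp` user (init.pp hunk) grants the application user read access to every key owned by that group, not only to `leap_client_ca.key`, while the `group => 'leap-webapp'` added to the `x509::key` resource in the client_ca.pp hunk already gives it that one key. If the `ssl-cert` membership exists only for this key, dropping it keeps the webapp limited to the single key it signs with; if another group-readable key is genuinely needed, a comment naming it next to the `groups` line would make the dependency visible, e.g. `# ssl-cert membership needed for: <key> — TODO name it`. Both enclosing classes continue outside their hunks.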
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index d8062a2f..753d1610 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -1240,7 +1240,7 @@ enable_environment_macros=1 # 1024 = Comments # 2048 = Macros -debug_level=-1 +debug_level=0 -- cgit v1.2.3 From ddb46b60b591b35249f5820b9cf751a80d93d386 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 1 Feb 2013 16:05:11 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 6c135ea7..f16a0727 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6c135ea7bc2ae9951154cf5471801469e3e3d581 +Subproject commit f16a0727dce187d07389388da8b816f7b520205d -- cgit v1.2.3 From a059418a7690b38c1ccc1e32e57c297e70396dac Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 Feb 2013 11:23:22 -0500 Subject: update x509 submodule to get key owner enhancement --- puppet/modules/x509 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/x509 b/puppet/modules/x509 index 456212d1..19254a38 160000 --- a/puppet/modules/x509 +++ b/puppet/modules/x509 @@ -1 +1 @@ -Subproject commit 456212d16e55e1299c2d9bfcc7965b40e0318cb4 +Subproject commit 19254a38c1c372ae7912ea9f15500b9b1cbffe81 -- cgit v1.2.3 From 0ab18bc91fa84df2c457ca1ea43ebebc65e5bb2b Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 1 Feb 2013 21:46:06 +0100 Subject: moved concat::setup to site_config::default Because in site.pp it didn't get the tag "leap_base" and would not be declared with leap cli's default puppet tags. Fixes: parent directory /var/lib/puppet/concat does not exist (Feature#1625) --- puppet/manifests/site.pp | 2 -- puppet/modules/site_config/manifests/default.pp | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index d422bef7..53b452d1 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,9 +5,7 @@ stage { 'initial': before => Stage['main'], } -# prerequisites import 'common' -include concat::setup include site_config::default include site_config::slow diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 14b389e8..c65c0799 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -3,6 +3,8 @@ class site_config::default { $domain_hash = hiera('domain') + include concat::setup + # default class, used by all hosts include lsb, git -- cgit v1.2.3 From 3b32d321b131723bbd830945ef4176d7d37b6e3c Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 3 Feb 2013 17:47:02 +0100 Subject: Increase Exec[bundler_update] timeout Exec[bundler_update] can take a really long time, increasing timeout from 300s (default) to 600s fixes Increase command timeout for Exec[bundler_update] (Feature #1643) --- puppet/modules/site_ca_daemon/manifests/init.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 1 + 2 files changed, 2 insertions(+) diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 86e186bb..8ba9c506 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp 
@@ -82,6 +82,7 @@ class site_ca_daemon { cwd => '/srv/leap_ca_daemon', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', + timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d59cebba..24c258dc 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -54,6 +54,7 @@ class site_webapp { cwd => '/srv/leap-webapp', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', + timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } -- cgit v1.2.3 From 07cc737f655c9fc0afe50e9850963120114ee18e Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 4 Feb 2013 17:26:56 +0100 Subject: compile assets for webapp, fixes #1628 --- puppet/modules/site_webapp/manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 24c258dc..ff5a3611 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -55,7 +55,15 @@ class site_webapp { command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; + require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ], + notify => Service['apache']; + } + + exec { 'compile_assets': + cwd => '/srv/leap-webapp', + command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', + require => Exec['bundler_update'], + notify => Service['apache']; } file { -- cgit v1.2.3 From 97c5451b0f8b63b4884a9560c0a796f931d059e3 Mon Sep 17 00:00:00 2001 
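Review bot: The new `compile_assets` exec has no `creates`, `unless` or `refreshonly`, so it runs `rake assets:precompile` on every Puppet run and, through `notify => Service['apache']`, restarts Apache on every run as well. Since the hunk already shows `Exec['bundler_update']` and `Vcsrepo['/srv/leap-webapp']`, making it `refreshonly => true` with `subscribe => [ Exec['bundler_update'], Vcsrepo['/srv/leap-webapp'] ]` would recompile only when gems or code change. It also runs as root with no `user` set, so the generated files under `/srv/leap-webapp` will be root-owned, which is worth confirming against how the `leap-webapp` user is expected to use that tree. The class body continues outside the hunk.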
From: varac Date: Wed, 6 Feb 2013 10:56:38 +0100 Subject: added submodule tor --- .gitmodules | 3 +++ puppet/modules/tor | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/tor diff --git a/.gitmodules b/.gitmodules index 75fc99f0..21966fc3 100644 --- a/.gitmodules +++ b/.gitmodules @@ -64,3 +64,6 @@ [submodule "puppet/modules/nagios"] path = puppet/modules/nagios url = git://code.leap.se/puppet_nagios +[submodule "puppet/modules/tor"] + path = puppet/modules/tor + url = git://labs.riseup.net/shared-tor diff --git a/puppet/modules/tor b/puppet/modules/tor new file mode 160000 index 00000000..a780e840 --- /dev/null +++ b/puppet/modules/tor @@ -0,0 +1 @@ +Subproject commit a780e84001177f10a86a7bf824589c0553f513a0 -- cgit v1.2.3 From ab25692d3b8aaf3e71ec3546d1ea9d85f26f7b63 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 18:11:21 +0100 Subject: Restructuring site_shorewall site_shorewall::defaults can be used on every host, it configures a basic firewall, which blocks everything from outside except ping + ssh, and allows outgoing traffic for http, git, dns. --- .../modules/site_shorewall/manifests/defaults.pp | 59 +++++++++++++++--- puppet/modules/site_shorewall/manifests/eip.pp | 71 +++------------------- .../modules/site_shorewall/manifests/ip_forward.pp | 10 +++ puppet/modules/site_shorewall/manifests/sshd.pp | 23 +++++++ 4 files changed, 92 insertions(+), 71 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/ip_forward.pp create mode 100644 puppet/modules/site_shorewall/manifests/sshd.pp diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5f60ec6..7992406b 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
@@ -1,6 +1,17 @@ class site_shorewall::defaults { include shorewall + # be safe for development + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + + $ip_address = hiera('ip_address') + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => [ 'eth0', 'eth1' ], + default => getvar("interface_${ip_address}") + } + + # If you want logging: shorewall::params { 'LOG': value => 'debug'; @@ -8,14 +19,48 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - include augeas - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Class[augeas]; + # define interfaces + shorewall::interface { $interface: + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::routestopped { $interface: } + + shorewall::policy { + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + # ping party + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + + # server to outside + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; + 'fw2all-git': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; } + include site_shorewall::sshd } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index de81aa1d..a6209327 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
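Review bot: `shorewall::routestopped { $interface: }` lists the external interface with no host restriction; under Shorewall's routestopped semantics as I understand them, that keeps all traffic on `$interface` flowing while the firewall is stopped or restarting, so a stop becomes fail-open on the internet-facing side. If the goal is only to keep administrative SSH reachable during a restart, restricting the entry to the admin source addresses or to the SSH port would be tighter, and a comment stating the intent would help, e.g. `# keep $interface reachable while shorewall is stopped/restarting`. Because this entry now lives in site_shorewall::defaults rather than eip.pp, it applies to every host that includes the defaults, not just the VPN gateways.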
@@ -1,35 +1,21 @@ class site_shorewall::eip { - # be safe for development - #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } - include site_shorewall::defaults + include site_shorewall::ip_forward - $ip_address = hiera('ip_address') - # a special case for vagrant interfaces - $interface = $::virtual ? { - virtualbox => [ 'eth0', 'eth1' ], - default => getvar("interface_${ip_address}") - } - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': - content => "PARAM - - tcp 1194,$ssh_port + content => "PARAM - - tcp 1194 PARAM - - udp 1194 -", } - - - # define interfaces - shorewall::interface { $interface: - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; +", + notify => Service['shorewall'] } + shorewall::interface { 'tun0': zone => 'eip', @@ -40,11 +26,9 @@ PARAM - - udp 1194 } - shorewall::zone {'eip': + shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: } - case $::virtual { 'virtualbox': { shorewall::masq { @@ -56,6 +40,7 @@ PARAM - - udp 1194 source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } } default: { + $interface = $site_shorewall::defaults::interface shorewall::masq { "${interface}_tcp": interface => $interface, 
@@ -78,56 +63,14 @@ PARAM - - udp 1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; - 'all-to-all': - sourcezone => 'all', - destinationzone => 'all', - policy => 'DROP', - order => 200; } shorewall::rule { - # ping party - 'all2all-ping': - source => 'all', - destination => 'all', - action => 'Ping(ACCEPT)', - order => 200; - - # outside to server - 'net2fw-ssh': - source => 'net', - destination => '$FW', - action => 'SSH(ACCEPT)', - order => 200; 'net2fw-openvpn': source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', order => 200; - - # server to outside - 'fw2all-http': - source => '$FW', - destination => 'all', - action => 'HTTP(ACCEPT)', - order => 200; - 'fw2all-DNS': - source => '$FW', - destination => 'all', - action => 'DNS(ACCEPT)', - order => 200; - 'fw2all-git': - source => '$FW', - destination => 'all', - action => 'Git(ACCEPT)', - order => 200; - - # Webfrontend is running on another server - #'eip2fw-https': - # source => 'eip', - # destination => '$FW', - # action => 'HTTPS(ACCEPT)', - # order => 200; } # create dnat rule for each port diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp new file mode 100644 index 00000000..d09d4fd1 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp @@ -0,0 +1,10 @@ +class site_shorewall::ip_forward { + include augeas + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Class[augeas]; + } +} diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp new file mode 100644 index 00000000..2cf4fd56 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/sshd.pp 
@@ -0,0 +1,23 @@ +class site_shorewall::sshd { + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + include shorewall + + # define macro for incoming sshd + file { '/etc/shorewall/macro.leap_sshd': + content => "PARAM - - tcp $ssh_port", + notify => Service['shorewall'] + } + + + shorewall::rule { + # outside to server + 'net2fw-ssh': + source => 'net', + destination => '$FW', + action => 'leap_sshd(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 07afa7bd4c7dcb941e3984d4fccc1169baf03448 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:33:51 +0100 Subject: allow all outgoing traffic --- .../modules/site_shorewall/manifests/defaults.pp | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 7992406b..d5639a90 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -29,6 +29,11 @@ class site_shorewall::defaults { shorewall::routestopped { $interface: } shorewall::policy { + 'fw-to-all': + sourcezone => 'fw', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', @@ -43,23 +48,6 @@ class site_shorewall::defaults { destination => 'all', action => 'Ping(ACCEPT)', order => 200; - - # server to outside - 'fw2all-http': - source => '$FW', - destination => 'all', - action => 'HTTP(ACCEPT)', - order => 200; - 'fw2all-DNS': - source => '$FW', - destination => 'all', - action => 'DNS(ACCEPT)', - order => 200; - 'fw2all-git': - source => '$FW', - destination => 'all', - action => 'Git(ACCEPT)', - order => 200; } include site_shorewall::sshd -- cgit v1.2.3 From 18a2f385ff1f56f493db5302f5ae51173a65cd86 Mon Sep 17 00:00:00 2001 
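Review bot: In `site_shorewall::sshd` the macro line `content => "PARAM - - tcp $ssh_port"` is built from `hiera('ssh')['port']` without checking the value, so a missing or empty hiera key produces `PARAM - - tcp ` and the next shorewall reload fails to compile, leaving the host on the previous ruleset (or with no rules at all on a first deploy). A guard before the file resource makes the failure explicit at catalog time: `if $ssh_port == '' { fail('hiera key ssh/port is required by site_shorewall::sshd') }`. This is the only macro in the series whose port comes from hiera; the couchdb and tor classes use literals.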
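Review bot: The new `fw-to-all` policy at `order => 100` with `policy => 'ACCEPT'` is evaluated before the `all-to-all` DROP, so every host-initiated outbound connection is now permitted; the per-service `fw2all-http`/`fw2all-DNS`/`fw2all-git` rules removed in the `@@ -43,23 +48,6` hunk were the only egress restriction, and nothing in the manifest records that this is intended. A comment on the policy preserves the decision for future readers: `# outbound traffic from the host itself is unrestricted; inbound is governed by the rules below`. Also, the policy uses the literal zone name `'fw'` while the rules in the same file use `'$FW'`; `sourcezone => '$FW'` keeps the file consistent should the firewall zone name ever be changed in shorewall.conf.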
From: varac Date: Wed, 6 Feb 2013 23:34:29 +0100 Subject: configure shorewall for couchdb, tor, webapp --- puppet/modules/site_shorewall/manifests/couchdb.pp | 22 +++++++++++++++++++++ puppet/modules/site_shorewall/manifests/tor.pp | 23 ++++++++++++++++++++++ puppet/modules/site_shorewall/manifests/webapp.pp | 13 ++++++++++++ 3 files changed, 58 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb.pp create mode 100644 puppet/modules/site_shorewall/manifests/tor.pp create mode 100644 puppet/modules/site_shorewall/manifests/webapp.pp diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp new file mode 100644 index 00000000..1b7f791d --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -0,0 +1,22 @@ +class site_shorewall::couchdb { + + include site_shorewall::defaults + + $couchdb_port = '6984' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_couchdb': + content => "PARAM - - tcp $couchdb_port", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-couchdb': + source => 'net', + destination => '$FW', + action => 'leap_couchdb(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp new file mode 100644 index 00000000..d04adeac --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -0,0 +1,23 @@ +class site_shorewall::tor { + + include site_shorewall::defaults + include site_shorewall::ip_forward + + $tor_port = '9001' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_tor': + content => "PARAM - - tcp $tor_port ", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-tor': + source => 'net', + destination => '$FW', + action => 'leap_tor(ACCEPT)', + order => 200; + } + +} 
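Review bot: `net2fw-couchdb` accepts TCP `6984` from the entire `net` zone, so the database port is reachable from any source address, and the hunk gives no hint whether that is required (replication from other provider nodes, for instance) or merely convenient. If the peers are known, a restriction of the form `source => 'net:<peer-addresses>'` is the least-privilege shape; if they are not, a comment next to the rule should say why world-reachability is needed. Separately, `$couchdb_port = '6984'` is a literal here while the ssh and openvpn ports come from hiera — a `# must match the port couchdb listens on (see site_couchdb)` note would at least name the coupling, since nothing ties the two together.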
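Review bot: `site_shorewall::tor` includes `site_shorewall::ip_forward`, which sets `IP_FORWARDING Yes` in shorewall.conf, but nothing in the tor manifests forwards packets at the IP layer — a relay proxies TCP streams in user space — so the include grants the host a routing capability it does not need. Unless there is a reason not visible here, drop that line and leave forwarding to the openvpn gateway class. Minor: `content => "PARAM - - tcp $tor_port "` carries a trailing space that the other macros do not.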
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp new file mode 100644 index 00000000..ff9b7646 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -0,0 +1,13 @@ +class site_shorewall::webapp { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 726a652b31ef6c1c2b4b93ec38398d70ba496f8c Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:35:25 +0100 Subject: site_config::default : include site_shorewall::defaults --- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c65c0799..2191e9a1 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -30,4 +30,7 @@ class site_config::default { package { [ 'etckeeper' ]: ensure => installed, } + + # include basic shorewall config + include site_shorewall::defaults } -- cgit v1.2.3 From 68b6e843aa852cdb71fdec4f741150e4daddaac9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:36:24 +0100 Subject: include shorewall config for webapp and couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 2 ++ puppet/modules/site_webapp/manifests/init.pp | 2 ++ 2 files changed, 4 insertions(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1789dd55..9ecde5e6 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -59,4 +59,6 @@ class site_couchdb { couchdb::create_db { 'client_certificates': readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } + + include site_shorewall::couchdb } 
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ff5a3611..f0d6c90a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -112,4 +112,6 @@ class site_webapp { mode => '0600'; } + include site_shorewall::webapp + } -- cgit v1.2.3 From 0f47539146baa793a17739ede0137312d333bb9e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:37:32 +0100 Subject: nagios: don't check openvpn, check cmd doesn't work --- puppet/modules/site_nagios/manifests/add_service.pp | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 280cb010..6ef3cbf5 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -2,14 +2,9 @@ define site_nagios::add_service ( $hostname, $ip_address, $openvpn_gw = '', $service) { case $service { - # don't deploy until we fix 1546 - 'openvpn': { - $check_command = "check_openvpn_server_ip_port!$openvpn_gw!1194" - $service_description = 'Openvpn' - } 'webapp': { - $check_command = 'check_https' - $service_description = 'Website' + $check_command = 'check_https_cert' + $service_description = 'Website Certificate' } default: { #notice ("No Nagios service check for service \"$service\"") -- cgit v1.2.3 From 370476dc632aa8ec87fb4c9c0fa36b030186ebd8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:57:38 +0100 Subject: tor service defaults --- provider_base/services/tor.json | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 provider_base/services/tor.json diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json new file mode 100644 index 00000000..10806084 --- /dev/null +++ b/provider_base/services/tor.json @@ -0,0 +1,5 @@ +{ + "tor" : { + "bandwidth_rate" : 6550 + } +} -- cgit v1.2.3 
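Review bot: After this hunk the `webapp` case only runs `check_https_cert`, so the plain `check_https` reachability check is gone; if `check_https_cert` only validates the certificate (its command definition is not on this page) the monitor will no longer notice an unreachable site. Keeping both as separate services, or documenting that certificate validity is the only thing monitored for the webapp, avoids that silent regression. The `$openvpn_gw = ''` parameter in the define signature is now unused since the `openvpn` case was removed; a `# unused until the openvpn check is re-enabled` comment, or removing it, keeps the interface honest.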
From 4642e8a0780f1eb6ba14fdf1f2966101dab993f7 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:58:17 +0100 Subject: add basic tor service --- puppet/manifests/site.pp | 4 ++++ puppet/modules/site_tor/manifests/init.pp | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 puppet/modules/site_tor/manifests/init.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 53b452d1..1ec806d9 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -33,3 +33,7 @@ if 'ca' in $services { if 'monitor' in $services { include site_nagios } + +if 'tor' in $services { + include site_tor +} diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp new file mode 100644 index 00000000..a854a163 --- /dev/null +++ b/puppet/modules/site_tor/manifests/init.pp @@ -0,0 +1,20 @@ +class site_tor { + tag 'leap_service' + + $tor = hiera('tor') + $bandwidth_rate = $tor['bandwidth_rate'] + + $contact_email = hiera('contact_email') + + class { 'tor::daemon': } + tor::daemon::relay { $::hostname: + port => 9001, + #listen_addresses => '', + contact_info => $contact_email, + bandwidth_rate => $bandwidth_rate, + } + tor::daemon::directory { $::hostname: port => 80 } + + include site_shorewall::tor + +} -- cgit v1.2.3 From 27094aa7aa3abf7f8dc0148a8a76ed3fdbf34add Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:58:43 +0100 Subject: allow port 80 to tor server --- puppet/modules/site_shorewall/manifests/tor.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index d04adeac..a72d9dfc 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp 
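Review bot: `tor::daemon::relay { $::hostname: port => 9001, ... }` and `tor::daemon::directory { $::hostname: port => 80 }` hardcode the same two ports that `site_shorewall::tor` opens independently (`$tor_port = '9001'` there, and the `HTTP(ACCEPT)` rule added in the next commit), so the firewall and the daemon can drift apart without any catalog error. Reading both ports from the `tor` hiera hash, or at least a `# must match site_shorewall::tor` comment on each resource, ties them together. Note also that `contact_info => $contact_email` publishes the provider contact address in the relay descriptor; presumably intended, but worth a one-line comment.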
@@ -18,6 +18,11 @@ class site_shorewall::tor { destination => '$FW', action => 'leap_tor(ACCEPT)', order => 200; + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From dbdbb33ce52cf04798763d488e63acc5a26980f9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:59:17 +0100 Subject: allow outgoing traffic moved to site_shorewall::defaults --- puppet/modules/site_shorewall/manifests/eip.pp | 5 ----- 1 file changed, 5 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a6209327..4e5a5d48 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -58,11 +58,6 @@ PARAM - - udp 1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; - 'fw-to-all': - sourcezone => '$FW', - destinationzone => 'all', - policy => 'ACCEPT', - order => 100; } shorewall::rule { -- cgit v1.2.3 From c82b7c8a74ea0154ece5686eac43cab90af77b96 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Feb 2013 00:33:07 +0100 Subject: configure exit policies --- puppet/modules/site_tor/manifests/exit_policy.pp | 8 ++++++++ puppet/modules/site_tor/manifests/init.pp | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_tor/manifests/exit_policy.pp diff --git a/puppet/modules/site_tor/manifests/exit_policy.pp b/puppet/modules/site_tor/manifests/exit_policy.pp new file mode 100644 index 00000000..f2d2d38f --- /dev/null +++ b/puppet/modules/site_tor/manifests/exit_policy.pp @@ -0,0 +1,8 @@ +class site_tor::exit_policy { + # exaple policy to allow ssh + tor::daemon::exit_policy { 'ssh_exit_policy': + accept => '*:22', + reject => '*:*'; + } +} + diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index a854a163..7c25b0e9 100644 --- a/puppet/modules/site_tor/manifests/init.pp 
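Review bot: The comment `# exaple policy to allow ssh` in `site_tor::exit_policy` is misspelled and, more importantly, understates what the class does: the init.pp hunk in the same commit includes it for every node whose tor `type` is `exit`, so `accept => '*:22', reject => '*:*'` is the live exit policy, not an example. Suggest `# exit policy applied to nodes with type 'exit': only ssh exits are allowed` so operators know what the relay exits to. (The commit that follows replaces this class with `site_tor::disable_exit`.)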
+++ b/puppet/modules/site_tor/manifests/init.pp @@ -3,6 +3,7 @@ class site_tor { $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] + $tor_type = $tor['type'] $contact_email = hiera('contact_email') @@ -13,8 +14,14 @@ class site_tor { contact_info => $contact_email, bandwidth_rate => $bandwidth_rate, } - tor::daemon::directory { $::hostname: port => 80 } + + # we configure the directory later + #tor::daemon::directory { $::hostname: port => 80 } include site_shorewall::tor + if ( $tor_type == 'exit' ) { + include site_tor::exit_policy + } + } -- cgit v1.2.3 From 08720568f7c00373560379e44695b881fff18af1 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Feb 2013 11:48:29 +0100 Subject: working tor relay --- puppet/modules/site_tor/manifests/disable_exit.pp | 7 +++++++ puppet/modules/site_tor/manifests/exit_policy.pp | 8 -------- puppet/modules/site_tor/manifests/init.pp | 10 +++++----- 3 files changed, 12 insertions(+), 13 deletions(-) create mode 100644 puppet/modules/site_tor/manifests/disable_exit.pp delete mode 100644 puppet/modules/site_tor/manifests/exit_policy.pp diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp new file mode 100644 index 00000000..73016646 --- /dev/null +++ b/puppet/modules/site_tor/manifests/disable_exit.pp @@ -0,0 +1,7 @@ +class site_tor::disable_exit { + tor::daemon::exit_policy { + 'no_exit_at_all': + reject => '*:*'; + } +} + diff --git a/puppet/modules/site_tor/manifests/exit_policy.pp b/puppet/modules/site_tor/manifests/exit_policy.pp deleted file mode 100644 index f2d2d38f..00000000 --- a/puppet/modules/site_tor/manifests/exit_policy.pp +++ /dev/null @@ -1,8 +0,0 @@ -class site_tor::exit_policy { - # exaple policy to allow ssh - tor::daemon::exit_policy { 'ssh_exit_policy': - accept => '*:22', - reject => '*:*'; - } -} - diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 7c25b0e9..654337c7 100644 
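Review bot: `$tor_type = $tor['type']` reads a key that `provider_base/services/tor.json` (added earlier in this series) does not define, so on a node that has not set it the comparison `if ( $tor_type == 'exit' )` is made against undef and the relay runs with Tor's built-in default ExitPolicy rather than a deliberately chosen one. Adding an explicit default such as `"type" : "relay"` to tor.json, or a `fail()` when the key is missing, makes the non-exit case a decision rather than an accident. The enclosing class continues outside the hunk.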
--- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -6,22 +6,22 @@ class site_tor { $tor_type = $tor['type'] $contact_email = hiera('contact_email') + $address = hiera('ip_address') class { 'tor::daemon': } tor::daemon::relay { $::hostname: port => 9001, - #listen_addresses => '', + address => $address, contact_info => $contact_email, bandwidth_rate => $bandwidth_rate, } - # we configure the directory later - #tor::daemon::directory { $::hostname: port => 80 } + tor::daemon::directory { $::hostname: port => 80 } include site_shorewall::tor - if ( $tor_type == 'exit' ) { - include site_tor::exit_policy + if ( $tor_type != 'exit' ) { + include site_tor::disable_exit } } -- cgit v1.2.3 From 173b2dc3ecbdab2cacede4e50f6fa3f5daa3c683 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Feb 2013 12:32:02 +0100 Subject: configure tor relay nickname --- puppet/modules/site_tor/manifests/init.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 654337c7..dc16f91a 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,15 +1,16 @@ class site_tor { tag 'leap_service' - $tor = hiera('tor') + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] - $tor_type = $tor['type'] + $tor_type = $tor['type'] + $nickname = $tor['nickname'] - $contact_email = hiera('contact_email') - $address = hiera('ip_address') + $contact_email = hiera('contact_email') + $address = hiera('ip_address') class { 'tor::daemon': } - tor::daemon::relay { $::hostname: + tor::daemon::relay { $nickname: port => 9001, address => $address, contact_info => $contact_email, -- cgit v1.2.3 From 84b02911502331b4bf1b298fab2577424d7ef534 Mon Sep 17 00:00:00 2001 
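Review bot: With `if ( $tor_type != 'exit' ) { include site_tor::disable_exit }`, nodes whose type is `exit` no longer get any explicit `tor::daemon::exit_policy` (the `exit_policy` class is deleted in this commit), so they exit with Tor's default policy, and nothing in the hunk records that choice. A comment at the conditional makes it visible: `# non-exit relays reject all exits; 'exit' nodes fall back to Tor's default ExitPolicy`. The class continues outside the hunk.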
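Review bot: `tor::daemon::relay { $nickname: ... }` now uses `$tor['nickname']` as the resource title, but that key has no default in `provider_base/services/tor.json`, so a node that does not set it yields an empty title and a relay with no usable Nickname (Tor only accepts alphanumeric nicknames of up to 19 characters, which is also worth validating). A guard before the resource, `if $nickname == '' { fail('tor.nickname must be set in hiera') }`, surfaces the problem at catalog compile time instead of at daemon start. The relay resource continues outside the hunk.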
From: varac Date: Fri, 8 Feb 2013 17:20:42 +0100 Subject: couchdb: disable futon (Feature #1121) --- puppet/modules/site_couchdb/files/local.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 485c9a29..4003bfcd 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -27,6 +27,7 @@ [httpd_global_handlers] ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} +_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} [couch_httpd_auth] ; If you set this to true, you should also uncomment the WWW-Authenticate line -- cgit v1.2.3 From c43bb848ab337ba59b34cdf7e754203935128eb7 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 8 Feb 2013 19:03:53 +0100 Subject: updated README, added LICENSE --- LICENSE | 674 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 97 +++------ 2 files changed, 700 insertions(+), 71 deletions(-) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..94a9ed02 --- /dev/null +++ b/LICENSE 
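Review bot: The `_utils` override to `handle_welcome_req` hides the Futon UI but does not restrict anything Futon could do — the same administrative operations remain reachable through the regular HTTP API — and the only neighbouring comment is the commented-out `_google` proxy example, so a reader may mistake this line for an access control. Add a comment above it: `; Feature #1121: Futon UI disabled. This only removes the UI; API access is still governed by [couch_httpd_auth] below.`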
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/README.md b/README.md index b7f07e27..c41e27c7 100644 --- a/README.md +++ b/README.md 
@@ -5,124 +5,79 @@ Leap Platform What is it? =========== -The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary packages and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. +The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary modules and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. The LEAP Platform is essentially a git repository of puppet recipes, with a few scripts to help with bootstrapping and deployment. A service provider who wants to deploy LEAP services will clone or fork this repository, edit the main configuration file to specify which services should run on which hosts, and run scripts to deploy this configuration. Documentation ============= -Most of the current documentation can be found in Readme files of the different pieces. Eventually this will be consolidated on the website https://leap.se +Most of the current documentation can be found in Readme files of the different pieces. This will be consolidated on the website https://leap.se soon. Requirements ============ This highly depends on your (expected) user base. -For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. You could use Vagrant or KVM to simulate a live deployment. +For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. 
+You could use Vagrant or KVM to simulate a live deployment. For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. -In it's initial release you can deploy OpenVPN, CouchDB and a webapp to administer your users (billing, help tickets,...). +In it's initial release you can deploy Tor, OpenVPN, CouchDB and a webapp to administer your users (billing, help tickets,...). While you can deploy all services on one server, we stronly recommend to use seperate servers for better security. -To get started you will need to have git, ruby1.8, rails, rubygems, bundler, ruby1.8-dev, libgpgme-ruby. +Usage +===== -Installation -============ - -Create a working directory --------------------------- - - mkdir ~/Leap - cd ~/Leap - -Install leap_cli ----------------- - - git clone git://code.leap.se/leap_cli - cd leap_cli - -See also README.md for installation hints, but this should work in most cases: - - bundle - rake build - rake install - leap help - this should provide you with the help output of the leap command-line tool - -Install leap_platform ---------------------- - - cd ~/Leap - git clone git://code.leap.se/leap_platform - cd leap_platform - -Right now, use the develop branch - - git checkout develop +As mentioned above, Leap Platform are the server-side Puppet manifests, for deploying a service provider, you need the leap command line interface, +available here: https://github.com/leapcode/leap_cli -Initialize Submodules +We strongly recommend to follow the `Quick Start` Documentaion which can be found on the website https://leap.se - git submodule update --init -Configuration -============= - -Create config file templates ----------------------------- +Clone leap_platform and its submodules +-------------------------------------- - cd ~/Leap - leap init-provider vagrant_test - cd vagrant_test + git checkout develop -Configure ---------- +Initialize Submodules: -Edit following files: - - * 
common.json - * nodes/.json - change to be the hostname of the server hosting couchdb - * nodes/.json - change to be the hostname of the server hosting the webapp - * nodes/.json - change to be the hostname of the server hosting the VPN server - - leap add-user --self - leap compile + git submodule update --init -Initialize and deploy nodes ---------------------------- - -For every server you configured do: - - leap init-node SERVERNAME - leap -v 2 deploy SERVERNAME More Information ----------------- -For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. +================ +For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. -Following needs to be written: Copyright/License ----------------- Read LICENSE + Known bugs ---------- +* currently none known, there will probably be some around ! + Troubleshooting --------------- +Visit https://leap.se/en/development for contact possibilities. + Changelog --------- For a changelog of the current branch: - cd ~/Leap - git log + git log Authors and Credits ------------------ -a file manifest +See contributors: + + git shortlog -es --all -- cgit v1.2.3 From 49fc7e085f635c906b32adfc41a207939be2cf39 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 8 Feb 2013 19:40:56 -0800 Subject: make monitor service include the nodes that are of a similar type (e.g. production or local). --- provider_base/common.json | 3 ++- provider_base/services/monitor.json | 2 +- provider_base/tags/production.json | 3 +++ 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 provider_base/tags/production.json diff --git a/provider_base/common.json b/provider_base/common.json index 8ffe8cd4..8e4dc6e7 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
@@ -25,8 +25,9 @@
 "ca_cert": "= try_file :ca_cert"
 },
 "local": false,
+ "production": false,
 "service_type": "internal_service",
 "development": {
- "site_config": true
+ "site_config": true
 }
 }
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 09972308..f5e4d922 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,6 +1,6 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes['production' => true].fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ "hosts": "= nodes_like_me.fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
 }
 }
diff --git a/provider_base/tags/production.json b/provider_base/tags/production.json
new file mode 100644
index 00000000..b35c0650
--- /dev/null
+++ b/provider_base/tags/production.json
@@ -0,0 +1,3 @@
+{
+ "production": true
+}
\ No newline at end of file
-- cgit v1.2.3
From 57adb7f3d527ecd4d3a41b6a1935b93c8266a688 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 8 Feb 2013 21:50:59 -0800
Subject: minor changes to default json: give common a name, add contacts.default
---
 provider_base/common.json | 5 +++--
 provider_base/provider.json | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/provider_base/common.json b/provider_base/common.json
index 8e4dc6e7..e674edb6 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -4,7 +4,7 @@
 "tags": [],
 "domain": {
 "full_suffix": "= global.provider.domain",
- "internal_suffix": "= global.provider.internal_domain",
+ "internal_suffix": "= global.provider.domain_internal",
 "full": "= node.name + '.' + domain.full_suffix",
 "internal": "= node.name + '.' + domain.internal_suffix",
 "name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)"
@@ -29,5 +29,6 @@
 "service_type": "internal_service",
 "development": {
 "site_config": true
- }
+ },
+ "name": "common"
 }
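Review bot: `nodes_like_me` in the new `hosts` expression of provider_base/services/monitor.json is not defined anywhere in this diff, so which nodes end up in the Nagios host list now depends on a helper outside the repository (presumably the CLI that evaluates these `=` strings) and on how the monitor node itself is tagged, whereas the removed `nodes['production' => true]` said so explicitly. The README hunk earlier on this page only points at the leap_cli repository without a minimum version; a sentence there naming the version that provides `nodes_like_me`, or a line in the changelog, would spare the next provider an opaque evaluation error. The new provider_base/tags/production.json is also committed without a trailing newline.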
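Review bot: Renaming the provider key read by `internal_suffix` from `internal_domain` to `domain_internal` (this common.json hunk and the provider.json hunk on the next line) silently breaks any provider.json that still carries the old key: `global.provider.domain_internal` then refers to a key that provider never set, and nothing in the diff warns about it. Since `internal_suffix` feeds `domain.internal` and, through `dns.public`, `domain.name`, the failure would surface in every internal hostname rather than at the renamed key. A line in the README or changelog stating that `internal_domain` must be renamed to `domain_internal` in existing provider.json files would make the migration visible.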
diff --git a/provider_base/provider.json b/provider_base/provider.json
index b659d47b..0eae1f87 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -1,12 +1,15 @@
 {
 "domain": "REQUIRED",
- "internal_domain": "= domain.sub(/\\..*$/,'.i')",
+ "domain_internal": "= domain.sub(/\\..*$/,'.i')",
 "name": {
 "en": "REQUIRED"
 },
 "description": {
 "en": "REQUIRED"
 },
+ "contacts": {
+ "default": "REQUIRED"
+ },
 "languages": ["en"],
 "default_language": "en",
 "enrollment_policy": "open",
-- cgit v1.2.3
From 6e3d87d88578447aa4358aabdf270df2082b422d Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 8 Feb 2013 23:11:15 -0800
Subject: changed contact_email to tor.contacts
---
 provider_base/services/tor.json | 7 ++++---
 puppet/modules/site_tor/manifests/init.pp | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 10806084..9173b8d4 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -1,5 +1,6 @@
 {
- "tor" : {
- "bandwidth_rate" : 6550
- }
+ "tor": {
+ "bandwidth_rate": 6550,
+ "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default"
+ }
 }
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index dc16f91a..ceb6fb13 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -5,8 +5,8 @@ class site_tor {
 $bandwidth_rate = $tor['bandwidth_rate']
 $tor_type = $tor['type']
 $nickname = $tor['nickname']
+ $contact_email = $tor['contacts']
- $contact_email = hiera('contact_email')
 $address = hiera('ip_address')
 class { 'tor::daemon': }
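Review bot: `$contact_email = $tor['contacts']` in site_tor's init.pp now receives whatever `global.provider.contacts['tor'] || global.provider.contacts.default` resolves to, so with no tor-specific entry the provider-wide default from provider.json's new `"contacts": { "default": "REQUIRED" }` is what the Tor daemon gets; if that variable still ends up in the relay's contact field (its consumer is outside the hunk), the default address is published in the relay's public descriptor, which the provider should be told — JSON allows no comment next to the fallback in tor.json, so a README sentence such as `contacts.default is also used as the Tor relay contact unless contacts.tor is set` would do. The variable name no longer matches its source either: `contacts` may hold any string, so `$contacts = $tor['contacts']` reads more honestly than `$contact_email`. The rest of class site_tor is outside the hunk.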
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index 4003bfcd..b3376cbb 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -27,7 +27,11 @@
 [httpd_global_handlers]
 ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
-_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
+
+# enable futon
+_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
+# disable futon
+#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
 [couch_httpd_auth]
 ; If you set this to true, you should also uncomment the WWW-Authenticate line
-- cgit v1.2.3
From 5c0d817778b57b253c7443145fa928547f48e9f5 Mon Sep 17 00:00:00 2001
From: varac
Date: Sat, 9 Feb 2013 15:05:16 +0100
Subject: site_shorewall::monitor: allow port 80 + 443
---
 puppet/modules/site_nagios/manifests/server.pp | 1 +
 puppet/modules/site_shorewall/manifests/monitor.pp | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 puppet/modules/site_shorewall/manifests/monitor.pp
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index 5e2f832b..c98a8a1f 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -34,4 +34,5 @@ class site_nagios::server inherits nagios::base {
 }
 site_nagios::add_host {$hosts:}
+ include site_shorewall::monitor
 }
diff --git a/puppet/modules/site_shorewall/manifests/monitor.pp b/puppet/modules/site_shorewall/manifests/monitor.pp
new file mode 100644
index 00000000..af9f8bfe
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/monitor.pp
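Review bot: The two added comment lines in local.ini use `#`, while the existing comments in this file (`;_google = ...` two lines above and `; If you set this to true, ...` under `[couch_httpd_auth]`) use `;`; if CouchDB's ini parser does not treat `#` as a comment, `#_utils = {...}` is read as a key named `#_utils` in `[httpd_global_handlers]` — confirm, or write the three lines as `; enable futon` / `; disable futon` / `;_utils = ...`. Pointing `_utils` at `/usr/share/couchdb/www` brings the Futon admin UI back on every address the httpd listens on, replacing the welcome stub that kept it off; the hunk shows neither `bind_address` nor `require_valid_user`, so a comment recording what now limits access to it, e.g. `; Futon re-enabled (#1121): this is the admin UI; access is limited by <bind_address / require_valid_user / firewall - fill in>`, would keep that decision reviewable next to the line that makes it.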
@@ -0,0 +1,18 @@ +class site_shorewall::monitor { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 1a2789d084c3c2beccb97726b8799cb194a634fd Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 9 Feb 2013 20:17:48 +0100 Subject: run bundler and rake assets:precompile as normal user otherwise the generated files will be owned by root and the bundle will be inside roots /home/max --- puppet/modules/site_webapp/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f0d6c90a..46cc0ed6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -52,8 +52,9 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap-webapp', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', unless => '/usr/bin/bundle check', + user => 'leap-webapp', timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ], notify => Service['apache']; @@ -62,6 +63,7 @@ class site_webapp { exec { 'compile_assets': cwd => '/srv/leap-webapp', command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', + user => 'leap-webapp', require => Exec['bundler_update'], notify => Service['apache']; } -- cgit v1.2.3 From 3cdd7f5f02c237da0f8a3f3eb898982883fd9b97 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 10 Feb 2013 12:28:26 -0800 Subject: vagrant configuration move to Leapfile --- provider_base/provider.json | 3 --- 1 file changed, 3 deletions(-) 
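Review bot: `net2fw-http` opens 80/tcp from the whole `net` zone on the monitoring host, so the Nagios web UI this class is pulled in for (site_nagios::server includes it) is reachable unencrypted unless the HTTP vhost does nothing but redirect to HTTPS, which I cannot see from here. If port 80 exists only for a redirect, say so above the rule: `# port 80 only redirects to https; credentials are never accepted there`. Otherwise drop the `net2fw-http` rule or narrow its `source` to the admin networks, since Nagios basic-auth credentials sent over plain HTTP can be captured on the path.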
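Review bot: Adding `user => 'leap-webapp'` drops privileges for bundler, but as far as I recall Puppet's exec does not reset `HOME` when `user` is set, so bundler may still look for its config and gem cache under root's home and fail with a permission error as the unprivileged user; add `environment => ['HOME=/srv/leap-webapp']` to the `bundler_update` exec, and the same to `compile_assets` in the second hunk. Since `unless => '/usr/bin/bundle check'` already gates the resource, the `/usr/bin/bundle check ||` inside `command` is redundant and the command can be just `/usr/bin/bundle install --path vendor/bundle`. The site_webapp class starts and ends outside these hunks.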
diff --git a/provider_base/provider.json b/provider_base/provider.json index 0eae1f87..8ce848f3 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -26,8 +26,5 @@ "life_span": "1y" } }, - "vagrant":{ - "network":"10.5.5.0/24" - }, "hiera_sync_destination": "/etc/leap" } -- cgit v1.2.3 From 7680ed13b47561ab0bf96bdb63c3aff3f022ee0d Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 10 Feb 2013 23:39:04 -0800 Subject: added 'try' module --- puppet/modules/try/README.md | 13 +++++++++ puppet/modules/try/manifests/file.pp | 51 ++++++++++++++++++++++++++++++++++++ puppet/modules/try/manifests/init.pp | 3 +++ 3 files changed, 67 insertions(+) create mode 100644 puppet/modules/try/README.md create mode 100644 puppet/modules/try/manifests/file.pp create mode 100644 puppet/modules/try/manifests/init.pp diff --git a/puppet/modules/try/README.md b/puppet/modules/try/README.md new file mode 100644 index 00000000..3888661e --- /dev/null +++ b/puppet/modules/try/README.md @@ -0,0 +1,13 @@ +This module provides a "try" wrapper around common resource types. + +For example: + + try::file { + '/path/to/file': + ensure => 'link', + target => $target; + } + +This will work just like `file`, but will silently fail if `$target` is undefined or the file does not exist. + +So far, only `file` type with symlinks works. diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp new file mode 100644 index 00000000..406c0b7a --- /dev/null +++ b/puppet/modules/try/manifests/file.pp 
@@ -0,0 +1,51 @@ +# +# like built-in type "file", but gets gracefully ignored if the target does not exist or is undefined. +# +# /bin/true and /usr/bin/test are hardcoded to their paths in debian. +# + +define try::file ( + $ensure = undef, + $target = undef, + $restore = true) { + + if $target != undef { + exec { "check_${name}": + command => "/bin/true", + onlyif => "/usr/bin/test -e '${target}'", + loglevel => info; + } + file { "$name": + ensure => $ensure, + target => $target, + require => Exec["check_${name}"], + loglevel => info; + } + } + + # + # if the target does not exist (or is undef), and the file happens to be in a git repo, + # then restore the file to its original state. + # + if $target == undef or $restore { + $file_basename = basename($name) + $file_dirname = dirname($name) + $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" + debug($command) + + if $target == undef { + exec { "restore_${name}": + command => $command, + cwd => $file_dirname, + loglevel => info; + } + } else { + exec { "restore_${name}": + unless => "/usr/bin/test -e '${target}'", + command => $command, + cwd => $file_dirname, + loglevel => info; + } + } + } +} diff --git a/puppet/modules/try/manifests/init.pp b/puppet/modules/try/manifests/init.pp new file mode 100644 index 00000000..1d2108c9 --- /dev/null +++ b/puppet/modules/try/manifests/init.pp @@ -0,0 +1,3 @@ +class try { + +} -- cgit v1.2.3 From 708a7e39af9a337ae38f491e7ca1892dd70002c1 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 10 Feb 2013 23:39:27 -0800 Subject: set webapp module to use try::file where appropriate --- puppet/modules/site_webapp/manifests/init.pp | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f0d6c90a..cdec1b6a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp 
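Review bot: The `restore_${name}` execs run `$command`, which begins with an unqualified `git` and chains `unlink` and `chown` with `&&` and `;`, yet set neither `path` nor `provider => shell`; with Puppet's default posix provider an unqualified command is rejected and the shell operators are not interpreted, so the restore path cannot work as written (the header comment only accounts for `/bin/true` and `/usr/bin/test`). Beyond that, the trailing `; true` hides every failure, `unlink` runs before `git checkout`, so a file git does not track is deleted and never restored, and the `$target == undef` branch has no `unless`, so it unlinks and checks out on every agent run. The rewrite below qualifies the commands, only touches paths that are currently symlinks and tracked by git, and lets a real failure surface; the `$target != undef` branch above it is unchanged.

```puppet
  if $target == undef or $restore {
    $file_basename = basename($name)
    $file_dirname = dirname($name)
    # Only restore files git actually tracks; bail out quietly otherwise so an
    # untracked file is never unlinked, and let checkout/chown failures surface.
    $command = "git ls-files --error-unmatch -- '${file_basename}' >/dev/null 2>&1 || exit 0; unlink '${name}' && git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'"
    debug($command)

    if $target == undef {
      exec { "restore_${name}":
        command  => $command,
        cwd      => $file_dirname,
        path     => ['/bin', '/usr/bin'],
        provider => shell,
        # nothing to do unless the path is currently a symlink we put there
        unless   => "test ! -L '${name}'",
        loglevel => info;
      }
    } else {
      exec { "restore_${name}":
        command  => $command,
        cwd      => $file_dirname,
        path     => ['/bin', '/usr/bin'],
        provider => shell,
        # skip when the link target still exists or the path is not a symlink
        unless   => "test -e '${target}' -o ! -L '${name}'",
        loglevel => info;
      }
    }
  }
```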
+++ b/puppet/modules/site_webapp/manifests/init.pp @@ -82,7 +82,9 @@ class site_webapp { '/srv/leap-webapp/public/config/eip-service.json': content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + } + try::file { '/srv/leap-webapp/public/favicon.ico': ensure => 'link', target => $webapp['favicon']; @@ -94,14 +96,10 @@ class site_webapp { '/srv/leap-webapp/app/assets/stylesheets/head.scss': ensure => 'link', target => $webapp['head_scss']; - } - if $webapp['img_dir'] != undef { - file { - '/srv/leap-webapp/public/img': - ensure => 'link', - target => $webapp['img_dir']; - } + '/srv/leap-webapp/public/img': + ensure => 'link', + target => $webapp['img_dir']; } file { -- cgit v1.2.3 From b754c9f3412441c58e90fa57dc236fab74cee167 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 11 Feb 2013 15:20:05 +0100 Subject: duplicate shortwall service definitions now inclduded from services/* --- puppet/modules/site_shorewall/manifests/monitor.pp | 14 ++------------ puppet/modules/site_shorewall/manifests/service/http.pp | 13 +++++++++++++ puppet/modules/site_shorewall/manifests/service/https.pp | 12 ++++++++++++ puppet/modules/site_shorewall/manifests/tor.pp | 6 +----- puppet/modules/site_shorewall/manifests/webapp.pp | 10 +--------- 5 files changed, 29 insertions(+), 26 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/service/http.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/https.pp diff --git a/puppet/modules/site_shorewall/manifests/monitor.pp b/puppet/modules/site_shorewall/manifests/monitor.pp index af9f8bfe..f4ed4f7c 100644 --- a/puppet/modules/site_shorewall/manifests/monitor.pp +++ b/puppet/modules/site_shorewall/manifests/monitor.pp 
@@ -1,18 +1,8 @@ class site_shorewall::monitor { include site_shorewall::defaults + include site_shorewall::service::http + include site_shorewall::service::https - shorewall::rule { - 'net2fw-https': - source => 'net', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; - 'net2fw-http': - source => 'net', - destination => '$FW', - action => 'HTTP(ACCEPT)', - order => 200; - } } diff --git a/puppet/modules/site_shorewall/manifests/service/http.pp b/puppet/modules/site_shorewall/manifests/service/http.pp new file mode 100644 index 00000000..74b874d5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/http.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::http { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/service/https.pp b/puppet/modules/site_shorewall/manifests/service/https.pp new file mode 100644 index 00000000..4a8b119c --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/https.pp @@ -0,0 +1,12 @@ +class site_shorewall::service::https { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + } +} diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index a72d9dfc..8fe21ee6 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -18,11 +18,7 @@ class site_shorewall::tor { destination => '$FW', action => 'leap_tor(ACCEPT)', order => 200; - 'net2fw-http': - source => 'net', - destination => '$FW', - action => 'HTTP(ACCEPT)', - order => 200; } + include site_shorewall::service::http } 
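Review bot: `include site_shorewall::service::http` at the end of site_shorewall::tor keeps 80/tcp open from the whole `net` zone on Tor nodes, but nothing in the class says what listens there; the class body starts outside the hunk, so I cannot tell whether this is for Tor's DirPort or a leftover from before the rules were split out. If it is deliberate, a comment such as `# 80/tcp is Tor's DirPort, see site_tor` makes the exposure intentional and reviewable; if nothing serves port 80 on these nodes, drop the include rather than carry an open port forward.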
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index ff9b7646..31a65b1b 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -1,13 +1,5 @@ class site_shorewall::webapp { include site_shorewall::defaults - - shorewall::rule { - 'net2fw-https': - source => 'net', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; - } - + include site_shorewall::service::https } -- cgit v1.2.3 From 102af94df02decef888bac09748dbac6773dedd6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Feb 2013 13:26:42 +0100 Subject: fixed shorewall is blocking api port (Bug #1735) --- .../site_shorewall/manifests/service/webapp_api.pp | 21 +++++++++++++++++++++ puppet/modules/site_shorewall/manifests/webapp.pp | 1 + 2 files changed, 22 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/service/webapp_api.pp diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp new file mode 100644 index 00000000..9d4296e5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp @@ -0,0 +1,21 @@ +class site_shorewall::service::webapp_api { + + $api = hiera('api') + $api_port = $api['port'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_webapp_api': + content => "PARAM - - tcp $api_port ", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-webapp_api': + source => 'net', + destination => '$FW', + action => 'leap_webapp_api(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index 31a65b1b..d12bbc8f 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp +++ b/puppet/modules/site_shorewall/manifests/webapp.pp 
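Review bot: `$api_port` comes straight from `hiera('api')` and is interpolated unchecked into `macro.leap_webapp_api`; an empty or non-numeric value yields a line like `PARAM - - tcp ` and shorewall then fails to compile on the next restart, which is an unpleasant moment to discover a config typo on a host whose rules are being rewritten. Guard it before the file resource with `if "${api_port}" !~ /^\d+$/ { fail("api.port must be a TCP port number, got '${api_port}'") }`. The rule opens that port from the whole `net` zone, consistent with the sibling service classes, but a one-line comment naming the listener (presumably the webapp API, inferred only from the class name) would help the next reader judge whether world-reachable is intended.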
@@ -2,4 +2,5 @@ class site_shorewall::webapp { include site_shorewall::defaults include site_shorewall::service::https + include site_shorewall::service::webapp_api } -- cgit v1.2.3 From 2a1dbb22ed96b1cc39014e6166f5795e81b829df Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:10:54 -0500 Subject: update shorewall submodule to get fix for augeas package dependency problem --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index 614ee152..e4a54e30 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit 614ee152c39bbc66c82a52022e2c05aa7856cd4b +Subproject commit e4a54e30bf2ad7fa45c73cc544e1da4524a287a4 -- cgit v1.2.3 From 1b01713860db2cb0df080874b31c0ba898323c35 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:11:34 -0500 Subject: remove unused commented-out line --- puppet/modules/site_apt/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index beef6fa5..80c6fbde 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,7 +1,6 @@ class site_apt { include ::apt - #include site_apt::dist_upgrade apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; -- cgit v1.2.3 From aab5906b79a43fbcedab819a05b25bef7a2757c8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:12:27 -0500 Subject: file resources that make changes to shorewall need to make sure that shorewall is installed first (#1741) --- puppet/modules/site_shorewall/manifests/couchdb.pp | 3 ++- puppet/modules/site_shorewall/manifests/ip_forward.pp | 2 +- puppet/modules/site_shorewall/manifests/sshd.pp | 3 ++- puppet/modules/site_shorewall/manifests/tor.pp | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) 
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 1b7f791d..9fa59569 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -7,7 +7,8 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': content => "PARAM - - tcp $couchdb_port", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp index d09d4fd1..d53ee8a5 100644 --- a/puppet/modules/site_shorewall/manifests/ip_forward.pp +++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp @@ -5,6 +5,6 @@ class site_shorewall::ip_forward { lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', notify => Service[shorewall], - require => Class[augeas]; + require => [ Class[augeas], Package[shorewall] ]; } } diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index 2cf4fd56..a8e09e42 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp @@ -8,7 +8,8 @@ class site_shorewall::sshd { # define macro for incoming sshd file { '/etc/shorewall/macro.leap_sshd': content => "PARAM - - tcp $ssh_port", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index 8fe21ee6..f35af985 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp 
@@ -8,7 +8,8 @@ class site_shorewall::tor { # define macro for incoming services file { '/etc/shorewall/macro.leap_tor': content => "PARAM - - tcp $tor_port ", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } -- cgit v1.2.3 From ba2b83b19f951322e85f64bf010764a49ee9f2f4 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 12 Feb 2013 10:54:04 -0800 Subject: temporarily make the webapp use the admin couchdb user. waiting on https://leap.se/code/issues/1163 --- provider_base/services/webapp.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index c9e4c532..e3055c6f 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -2,7 +2,9 @@ "webapp": { "modules": ["user", "billing", "help"], "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", - "couchdb_user": "= global.services[:couchdb].couch.users[:webapp]", + # NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163 + # before we can use user "webapp" + "couchdb_user": "= global.services[:couchdb].couch.users[:admin]", "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", -- cgit v1.2.3 From 2e5eec3856b58aaff0a2049599a6455e6ff91122 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:31:55 -0500 Subject: missed one require => Package['shorewall'] on of the file resources in site_shorewall --- puppet/modules/site_shorewall/manifests/service/webapp_api.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp index 9d4296e5..0c6c824d 100644 --- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp 
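Review bot: Pointing `couchdb_user` at `users[:admin]` hands the web application a CouchDB server-admin credential, so a webapp compromise, or a readable config file on the webapp host, yields every database plus `_config` and user management instead of only the webapp's own data; the comment marks this as temporary, but nothing will prompt a revert once the referenced issue closes. Make it greppable, `# TODO(#1163): revert to users[:webapp] once per-user couch access works`, and until then confirm the admin password this pulls in is not written world-readable on the webapp node (not visible here). Note also that `#` comments are not valid JSON; the loader reading provider_base presumably strips them, but none of the other provider_base files in this series use them, so confirm that before relying on it.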
+++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp @@ -6,7 +6,8 @@ class site_shorewall::service::webapp_api { # define macro for incoming services file { '/etc/shorewall/macro.leap_webapp_api': content => "PARAM - - tcp $api_port ", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } -- cgit v1.2.3