From 3c5c31e74954ebb7a55c9455809ea55375f273d5 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 14 Mar 2013 13:49:38 -0400
Subject: add shared stunnel module
---
 .gitmodules | 3 +++
 puppet/modules/stunnel | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 puppet/modules/stunnel
diff --git a/.gitmodules b/.gitmodules
index 45763175..b97971fc 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -67,3 +67,6 @@
 [submodule "puppet/modules/tor"]
 path = puppet/modules/tor
 url = git://labs.riseup.net/shared-tor
+[submodule "puppet/modules/stunnel"]
+ path = puppet/modules/stunnel
+ url = git://labs.riseup.net/shared-stunnel
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
new file mode 160000
index 00000000..03b51fcb
--- /dev/null
+++ b/puppet/modules/stunnel
@@ -0,0 +1 @@
+Subproject commit 03b51fcb718734f4b2ea76c038ffbe9b2b348b1a
-- 
cgit v1.2.3
From d4b45da9a521a6faf17f9ba7742bcee897a503cc Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 14 Mar 2013 13:58:06 -0400
Subject: remove apache ssl proxy in preparation of replacing it with a stunnel setup
This presents us with an interesting problem of deprecation. We need to manage the removal of something that we previously installed in any released code. How long we carry the puppet code that removes raises some interesting questions: do we require that someone who deployed version 1 (where the apache ssl proxy was deployed) of the platform upgrade first to version 2 (where we remove the apache ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal is no longer present) -- or do we allow people to skip versions?
---
 .../site_apache/files/vhosts.d/couchdb_proxy.conf | 10 --------
 .../site_couchdb/manifests/apache_ssl_proxy.pp | 30 +++++++---------------
 puppet/modules/site_couchdb/manifests/init.pp | 7 ++---
 3 files changed, 11 insertions(+), 36 deletions(-)
 delete mode 100644 puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
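Review bot: The new submodule entry is fetched over `git://`, a transport with no server authentication and no encryption, so the content of a fresh clone depends entirely on the network path to labs.riseup.net; the existing tor entry in the same hunk has the same exposure. The pinned `Subproject commit 03b51fcb718734f4b2ea76c038ffbe9b2b348b1a` does protect a checkout of this exact revision, because git verifies the object id, but whoever next bumps the pointer reviews and records whatever an unauthenticated fetch returned. Pointing the `url =` lines at an https or ssh URL for the same repositories is a one-line change per entry and removes the dependency on the network being honest.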
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
deleted file mode 100644
index 0dff2cd6..00000000
--- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-Listen 0.0.0.0:6984
-
-
- SSLEngine On
- SSLProxyEngine On
- SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key
- SSLCertificateFile /etc/x509/certs/leap_couchdb.crt
- ProxyPass / http://127.0.0.1:5984/
- ProxyPassReverse / http://127.0.0.1:5984/
-
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
index 7739473e..536dd8db 100644
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -1,25 +1,13 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
+class site_couchdb::apache_ssl_proxy {
- $apache_no_default_site = true
- include apache
- apache::module {
- 'proxy': ensure => present;
- 'proxy_http': ensure => present;
- 'rewrite': ensure => present;
- 'ssl': ensure => present;
- }
- apache::vhost::file { 'couchdb_proxy': }
+# This is here to disable the previously configured apache ssl proxy
+# we were using this, but have switched to stunnel instead.
+#
+# Unfortunately, the current apache shared module doesn't handle
+# ensure=>absent, so this is going to be done the crude way, and will only
+# work for debian+derivitives, which is fine for now, but not good for the
+# future
- x509::key {
- 'leap_couchdb':
- content => $key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_couchdb':
- content => $cert,
- notify => Service[apache];
- }
+ package { 'apache2': ensure => absent }
 }
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 25956938..6f648c51 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
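Review bot: `package { 'apache2': ensure => absent }` uninstalls the whole web server from every node that includes this class, not just the proxy, so any other apache-based service on the same node goes with it; the comment block explains the crude approach but not this assumption, and a line such as `# assumes nothing else on this node needs apache2` would make the trade-off visible to the next reader. Removing the package also leaves behind what the old define wrote: the vhost file from `apache::vhost::file { 'couchdb_proxy': }` (the `Listen 0.0.0.0:6984` config deleted from the repo in the hunk above still exists on upgraded hosts) and the `leap_couchdb` key and cert under /etc/x509. If a cleaner retirement is wanted, `ensure => purged` drops the package's own config files, and a `file { ...: ensure => absent }` on the vhost path the shared apache module writes to would retire the stale listener config as well. Separately, `derivitives` in the comment should read `derivatives`.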
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -30,12 +30,9 @@ class site_couchdb ( $bigcouch = false ) {
 -> Couchdb::Create_db['client_certificates']
 -> Couchdb::Add_user[$couchdb_webapp_user]
 -> Couchdb::Add_user[$couchdb_ca_daemon_user]
- -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
- site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
- key => $key,
- cert => $cert
- }
+ # this is here to disable and remove the proxy
+ include site_couchdb::apache_ssl_proxy
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
-- 
cgit v1.2.3
From 8687640aa9ec3591d0f038e40547a7c9c5e59443 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 14 Mar 2013 14:05:23 -0400
Subject: add a basic site_stunnel that takes care of some generic functionality that all stunnel client/servers will need handled (at least in debian and ubuntu)
---
 puppet/modules/site_stunnel/manifests/init.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 puppet/modules/site_stunnel/manifests/init.pp
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
new file mode 100644
index 00000000..6ba2c4b8
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -0,0 +1,18 @@
+class site_stunnel {
+
+ # include the generic stunnel module
+ # increase the number of open files to allow for 800 connections
+ $stunnel_default_extra = 'ulimit -n 4096'
+ include stunnel
+
+ # The stunnel.conf provided by the Debian package is broken by default
+ # so we get rid of it and just define our own. See #549384
+ if !defined(File['/etc/stunnel/stunnel.conf']) {
+ file {
+ # this file is a broken config installed by the package
+ '/etc/stunnel/stunnel.conf':
+ ensure => absent;
+ }
+ }
+}
+
-- 
cgit v1.2.3
From 42a040ac79e1c92d12b6bb9661bbf05ace44d622 Mon Sep 17 00:00:00 2001
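Review bot: In site_stunnel/manifests/init.pp, `$stunnel_default_extra = 'ulimit -n 4096'` is a plain class-scope variable set just before `include stunnel`, so the shared module can only pick it up through dynamic variable lookup, which Puppet 3 warns about and later releases remove; if the module does read it that way, passing the value explicitly (a parameter on the `stunnel` class, or a hiera key the module looks up) keeps it working across the upgrade. The two comments above that line are also out of step with the code: `# include the generic stunnel module` sits over the ulimit assignment, and the combined `# raise the open-file limit (800 connections) before including the generic stunnel module` would describe both lines at once. The `file` resource that removes `/etc/stunnel/stunnel.conf` has no ordering against the package that ships that file, so on a first run the install may be applied after the removal and put the broken config back; a `require` on the package resource the shared module declares would pin the order.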
From: Micah Anderson
Date: Thu, 14 Mar 2013 18:22:15 -0400
Subject: add couchdb stunnel server
---
 puppet/modules/site_couchdb/manifests/init.pp | 8 +++++
 puppet/modules/site_couchdb/manifests/stunnel.pp | 42 ++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 puppet/modules/site_couchdb/manifests/stunnel.pp
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6f648c51..d317de65 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) {
 $x509 = hiera('x509')
 $key = $x509['key']
 $cert = $x509['cert']
+ $ca = $x509['ca_cert']
 $couchdb_config = hiera('couch')
 $couchdb_users = $couchdb_config['users']
 $couchdb_admin = $couchdb_users['admin']
@@ -34,6 +35,13 @@ class site_couchdb ( $bigcouch = false ) {
 # this is here to disable and remove the proxy
 include site_couchdb::apache_ssl_proxy
+ # the above apache_ssl_proxy is replaced by the following stunnel
+ class { 'site_couchdb::stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
+ }
+
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
 pw => $couchdb_admin_pw
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..b4635951
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
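Review bot: The `class { 'site_couchdb::stunnel': ... }` declaration in the second init.pp hunk has no relationship to `include site_couchdb::apache_ssl_proxy` directly above it, yet the two compete for the same port: on a node upgraded from the previous release apache may still hold 0.0.0.0:6984 (the `Listen` from the deleted couchdb_proxy.conf) while the new stunnel service wants to accept on 6984, so unless the apache2 removal happens to be applied first the first run fails to start stunnel. Adding `require => Class['site_couchdb::apache_ssl_proxy'],` inside the class declaration makes the hand-over deterministic. The first hunk's `$ca = $x509['ca_cert']` reads a hiera key that no node needed before this commit, with no default, so a node whose x509 hash lacks it fails catalog compilation; that is acceptable for a required value but deserves a mention in the commit message. The enclosing class `site_couchdb` begins and ends outside both hunks.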
@@ -0,0 +1,42 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+ include x509::variables
+ include site_stunnel
+
+ $cert_name = 'leap_couchdb'
+ $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key {
+ $cert_name:
+ content => $key,
+ notify => Service['stunnel'];
+ }
+
+ x509::cert {
+ $cert_name:
+ content => $cert,
+ notify => Service['stunnel'];
+ }
+
+ x509::ca {
+ $cert_name:
+ content => $ca,
+ notify => Service['stunnel'];
+ }
+
+ stunnel::service { 'couchdb':
+ accept => '6984',
+ connect => '127.0.0.1:5984',
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/couchdb.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+}
+
-- 
cgit v1.2.3
From 90c5b205c4764351e6ea707b965c5e6daca1c0b7 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 14 Mar 2013 18:36:40 -0400
Subject: add couchdb stunnel clients
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 9 +++++
 .../site_webapp/manifests/couchdb_stunnel.pp | 42 ++++++++++++++++++++++
 .../manifests/couchdb_stunnel/clients.pp | 17 +++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel.pp
 create mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 6cac666f..26de62ee 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,5 +1,9 @@
 class site_webapp::couchdb {
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $ca = $x509['ca_cert']
 $webapp = hiera('webapp')
 $couchdb_host = $webapp['couchdb_hosts']
 $couchdb_user = $webapp['couchdb_user']['username']
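Review bot: In stunnel.pp, `cafile => $ca_path` points the server at `${x509::variables::certs}/leap_client_ca.crt`, but nothing in this hunk writes that file: the `x509::ca` resource is titled `$cert_name` (`leap_couchdb`), so unless the shared x509 module stores every CA under a fixed name, stunnel verifies client certificates against a file this manifest does not manage, and `x509::cert` and `x509::ca` sharing the title `leap_couchdb` may also land on the same `${cert_name}.crt` path. With `verify => '2'` the server requires a client certificate and checks it against that CA, so the CA file being the right one is the whole of the access control on port 6984; deriving `$ca_path` from the resource that writes it, or titling `x509::ca` after the file stunnel expects, keeps the two in step. The same three resources and the same `leap_client_ca.crt` path are copied into `site_webapp::couchdb_stunnel` in the next commit, so the fix applies there too.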
@@ -13,4 +17,9 @@ class site_webapp::couchdb {
 mode => '0600';
 }
+ class { 'site_webapp::couchdb_stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
+ }
 }
diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp
new file mode 100644
index 00000000..e6657e13
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp
@@ -0,0 +1,42 @@
+class site_webapp::couchdb_stunnel ($key, $cert, $ca) {
+
+ include x509::variables
+ include site_stunnel
+
+ $cert_name = 'leap_couchdb'
+ $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key {
+ $cert_name:
+ content => $key,
+ notify => Service['stunnel'];
+ }
+
+ x509::cert {
+ $cert_name:
+ content => $cert,
+ notify => Service['stunnel'];
+ }
+
+ x509::ca {
+ $cert_name:
+ content => $ca,
+ notify => Service['stunnel'];
+ }
+
+ $couchdb_stunnel_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ 'verify' => '2',
+ 'rndfile' => '/var/lib/stunnel4/.rnd',
+ 'debuglevel' => '4'
+ }
+
+ create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults)
+
+}
+
diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp
new file mode 100644
index 00000000..eac43b08
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp
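Review bot: `site_webapp::couchdb_stunnel` declares `x509::key`, `x509::cert` and `x509::ca` with the same title `leap_couchdb` and the same path variables that `site_couchdb::stunnel` declares, so a node that carries both the webapp and the couchdb role would fail compilation with a duplicate declaration; hoisting the three x509 resources and the `$ca_path`/`$cert_path`/`$key_path` variables into one class that both sides `include` (site_stunnel is the natural home) removes the copy. `hiera('stunnel')` in the `create_resources` call has no default, so a webapp node whose hiera data lacks that key aborts the whole catalog instead of declaring no clients; `hiera('stunnel', {})` makes the "no tunnels configured" case explicit. The couchdb.pp hunk on this line is fine as written, although the `$x509` lookups it adds are the same ones the couchdb side does, and the shared class above would absorb them as well.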
@@ -0,0 +1,17 @@
+define site_webapp::couchdb_stunnel::clients
+ ( $accept_port, $connect, $client, $cafile, $key, $cert,
+ $verify, $pid = $name, $rndfile, $debuglevel ) {
+
+ stunnel::service { $name:
+ accept => "127.0.0.1:${accept_port}",
+ connect => "${connect}:6984",
+ client => $client,
+ cafile => $cafile,
+ key => $key,
+ cert => $cert,
+ verify => $verify,
+ pid => "/var/run/stunnel4/${pid}.pid",
+ rndfile => $rndfile,
+ debuglevel => $debuglevel
+ }
+ }
-- 
cgit v1.2.3
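Review bot: The define parameterises the local `$accept_port` but hard-codes the remote port in `connect => "${connect}:6984"`, while the matching server side in `site_couchdb::stunnel` sets `accept => '6984'` independently; a `$connect_port = '6984'` parameter and `connect => "${connect}:${connect_port}",` keep the two ends adjustable together without changing any existing caller. Taking `$client` as a parameter on a define named `clients` is a foot-gun: the defaults hash already forces `true`, and an entry in the `stunnel` hiera data that passes `false` would silently turn that tunnel into a listener on 127.0.0.1; dropping the parameter and writing `client => true` inside the define closes that off. A one-line header comment such as `# one stunnel client per hiera 'stunnel' entry, forwarding 127.0.0.1:$accept_port to $connect:6984 over mutual TLS` would also tell a reader what the define is for without reading the caller.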