From 752f980d1cc45d4cd617675722feedc286739878 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 22 May 2014 10:37:32 +0200 Subject: fix haproxy config if webapp and mx run on the same host the problem was, that both site_mx::haproxy and site_webapp::haproxy declared the same resource. I fixed it by moving that resource to site_haproxy. Since that gets included by both classes, everything works like a charm --- puppet/modules/site_haproxy/manifests/init.pp | 10 ++++++++++ puppet/modules/site_mx/manifests/haproxy.pp | 9 --------- puppet/modules/site_webapp/manifests/haproxy.pp | 8 -------- 3 files changed, 10 insertions(+), 17 deletions(-) diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 1a681373..144d1ed2 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -1,4 +1,6 @@ class site_haproxy { + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] class { 'haproxy': enable => true, @@ -28,5 +30,13 @@ class site_haproxy { order => '90', source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg'; } + + # Template uses $global_options, $defaults_options and $haproxy + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } + include site_check_mk::agent::haproxy } diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp index 988eeaf3..4e5675eb 100644 --- a/puppet/modules/site_mx/manifests/haproxy.pp +++ b/puppet/modules/site_mx/manifests/haproxy.pp 
@@ -2,13 +2,4 @@ class site_mx::haproxy { include site_haproxy - $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] - - # Template uses $global_options, $defaults_options - concat::fragment { 'leap_haproxy_webapp_couchdb': - target => '/etc/haproxy/haproxy.cfg', - order => '20', - content => template('site_webapp/haproxy_couchdb.cfg.erb'), - } } diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp index b69c69da..e956f71f 100644 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ b/puppet/modules/site_webapp/manifests/haproxy.pp @@ -2,12 +2,4 @@ class site_webapp::haproxy { include site_haproxy - $haproxy = hiera('haproxy') - - # Template uses $global_options, $defaults_options - concat::fragment { 'leap_haproxy_webapp_couchdb': - target => '/etc/haproxy/haproxy.cfg', - order => '20', - content => template('site_webapp/haproxy_couchdb.cfg.erb'), - } } -- cgit v1.2.3 From 692359e1bb9e5101c3ba882e5b9d3de1c4c63716 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 22 May 2014 10:46:58 +0200 Subject: remove old classes site_mx::haproxy and site_webapp::haproxy only included site_haproxy. They didn't do anything else. So just include site_haproxy in manifests/init.pp and remove the unused classes --- puppet/modules/site_mx/manifests/haproxy.pp | 5 ----- puppet/modules/site_mx/manifests/init.pp | 2 +- puppet/modules/site_webapp/manifests/haproxy.pp | 5 ----- puppet/modules/site_webapp/manifests/init.pp | 2 +- 4 files changed, 2 insertions(+), 12 deletions(-) delete mode 100644 puppet/modules/site_mx/manifests/haproxy.pp delete mode 100644 puppet/modules/site_webapp/manifests/haproxy.pp diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp deleted file mode 100644 index 4e5675eb..00000000 --- a/puppet/modules/site_mx/manifests/haproxy.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_mx::haproxy { - - include site_haproxy - -} 
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 3949c787..c3d38a46 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -10,7 +10,7 @@ class site_mx { include site_postfix::mx - include site_mx::haproxy + include site_haproxy include site_shorewall::mx include site_shorewall::service::smtp include site_mx::couchdb diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp deleted file mode 100644 index e956f71f..00000000 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_webapp::haproxy { - - include site_haproxy - -} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d02a7261..d6f1d7ae 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,7 +16,7 @@ class site_webapp { include site_config::ruby::dev include site_webapp::apache include site_webapp::couchdb - include site_webapp::haproxy + include site_haproxy include site_webapp::cron include site_config::x509::cert include site_config::x509::key -- cgit v1.2.3 From c8025a3b2a13f01fd1be436609855e944f7b625b Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 24 May 2014 13:03:41 +0200 Subject: remove unused variable local_ports --- puppet/modules/site_haproxy/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 144d1ed2..304df0bd 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -1,6 +1,5 @@ class site_haproxy { $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] class { 'haproxy': enable => true, -- cgit v1.2.3 From 27f0d5731593e3a305dbfb315804294960ad204e Mon Sep 17 00:00:00 2001 
From: Christoph Date: Sat, 24 May 2014 13:12:17 +0200 Subject: move haproxy-template to modules/site_haproxy --- puppet/modules/site_haproxy/manifests/init.pp | 4 ++-- .../site_haproxy/templates/haproxy_couchdb.cfg.erb | 23 ++++++++++++++++++++++ .../site_webapp/templates/haproxy_couchdb.cfg.erb | 23 ---------------------- 3 files changed, 25 insertions(+), 25 deletions(-) create mode 100644 puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb delete mode 100644 puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 304df0bd..6bcf3f5c 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -30,11 +30,11 @@ class site_haproxy { source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg'; } - # Template uses $global_options, $defaults_options and $haproxy + # Template uses $haproxy concat::fragment { 'leap_haproxy_webapp_couchdb': target => '/etc/haproxy/haproxy.cfg', order => '20', - content => template('site_webapp/haproxy_couchdb.cfg.erb'), + content => template('site_haproxy/haproxy_couchdb.cfg.erb'), } include site_check_mk::agent::haproxy diff --git a/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb new file mode 100644 index 00000000..1fa01b96 --- /dev/null +++ b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb 
@@ -0,0 +1,23 @@ + +listen bigcouch-in + mode http + balance roundrobin + option httplog + option dontlognull + option httpchk GET / # health check using simple get to root + option http-server-close # use client keep-alive, but close server connection. + option allbackups # balance among all backups, not just one. + + bind localhost:4096 + + default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 + +<%- if @haproxy['servers'] -%> +<%- @haproxy['servers'].sort.each do |name,server| -%> +<%- backup = server['backup'] ? 'backup' : '' -%> + # <%=name%> + server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check + +<%- end -%> +<%- end -%> + diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb deleted file mode 100644 index 1fa01b96..00000000 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ /dev/null @@ -1,23 +0,0 @@ - -listen bigcouch-in - mode http - balance roundrobin - option httplog - option dontlognull - option httpchk GET / # health check using simple get to root - option http-server-close # use client keep-alive, but close server connection. - option allbackups # balance among all backups, not just one. - - bind localhost:4096 - - default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 - -<%- if @haproxy['servers'] -%> -<%- @haproxy['servers'].sort.each do |name,server| -%> -<%- backup = server['backup'] ? 'backup' : '' -%> - # <%=name%> - server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check - -<%- end -%> -<%- end -%> - -- cgit v1.2.3 From 3290e4b6c0655616c1a4374595af3a2eb95c85d8 Mon Sep 17 00:00:00 2001 
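Review bot: The backend entry on the `server` line is named from the port alone (`couchdb_<%=server['port']%>`), so two entries in `@haproxy['servers']` that share a port — several hosts on the same couchdb port, for instance — produce duplicate server names inside one listen block, which haproxy warns about or rejects depending on version. Using the hiera key, which is unique by construction, avoids that: `server couchdb_<%=name%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check` (assuming the keys are plain identifiers). The same line interpolates `server['weight']` unchecked, so an entry without a weight renders `weight ` with no value and the whole haproxy config fails to parse; either default it (`weight <%= server['weight'] || 100 %>`) or fail the template with a clear message. The listener is loopback-only (`bind localhost:4096`), so exposure is limited to local processes; whether couchdb behind it enforces its own authentication is not visible in this hunk.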
From: Micah Anderson Date: Tue, 27 May 2014 14:06:39 -0400 Subject: clarify comments in site_sshd::authorized_keys Change-Id: I679dfe8dff90b7c86ab0ffff43e13958f1ec2c99 --- puppet/modules/site_sshd/manifests/authorized_keys.pp | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index f36fe20f..90a33d8d 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,7 +1,17 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { - # We use a custom define here to deploy the authorized_keys file - # cause puppet doesn't allow purgin before populating this file - # (see https://tickets.puppetlabs.com/browse/PUP-1174) + # We want to purge unmanaged keys from the authorized_keys file so that only + # keys added in the provider are valid. Any manually added keys will be + # overridden. + # + # In order to do this, we have to use a custom define to deploy the + # authorized_keys file because puppet's internal resource doesn't allow + # purging before populating this file. + # + # See the following for more information: + # https://tickets.puppetlabs.com/browse/PUP-1174 + # https://leap.se/code/issues/2990 + # https://leap.se/code/issues/3010 + # # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} -- cgit v1.2.3 From 120cbfd46b79cfec36c17ae6deb7fc51f9094594 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 27 May 2014 15:11:45 -0400 Subject: Switch away from site_config::sshd and instead just include site_sshd The existing site_config::sshd had a non-functioning 'include sshd' line in it that was not doing what was expected (this was supposed to include the sshd module, but due to scoping was including itself). It seemed better to eliminate some of the unused pieces and consolidate into one config location. Change-Id: I79dd904e696ca646180a09abbb03b5361dfc8ab9 --- puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_config/manifests/sshd.pp | 9 --------- puppet/modules/site_sshd/manifests/init.pp | 1 + 3 files changed, 2 insertions(+), 10 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/sshd.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c7352857..dfdffe03 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -18,7 +18,7 @@ class site_config::default { include site_config::sysctl # configure ssh and include ssh-keys - include site_config::sshd + include site_sshd # include classes for special environments # i.e. openstack/aws nodes, vagrant nodes diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp deleted file mode 100644 index 8ff337a0..00000000 --- a/puppet/modules/site_config/manifests/sshd.pp +++ /dev/null @@ -1,9 +0,0 @@ -class site_config::sshd { - # configure sshd - include sshd - include site_sshd - # no need for configuring authorized_keys as leap_cli cares for that - #$ssh_pubkeys=hiera_hash('ssh_pubkeys') - #notice($ssh_pubkeys) - #create_resources('site_sshd::ssh_key', $ssh_pubkeys) -} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d9bc1d51..e81780ef 100644 --- a/puppet/modules/site_sshd/manifests/init.pp 
+++ b/puppet/modules/site_sshd/manifests/init.pp @@ -22,6 +22,7 @@ class site_sshd { group => root, mode => '0644', content => template('site_sshd/ssh_known_hosts.erb'); + '/etc/ssh/ssh_config': owner => root, group => root, -- cgit v1.2.3 From 8116e736d3d89c0b58c2d98097d646dc8a7b06d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 May 2014 19:44:35 -0400 Subject: Update sshd submodule to get necessary fixes to enable us to change sshd port Change-Id: I3b6a87c9d6a2c349392e5bc98a68b800645fde92 --- puppet/modules/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 1eabfe1b..5c23b332 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6 +Subproject commit 5c23b33200fc6229ada7f4e13672b5da0d4bdd8e -- cgit v1.2.3 From 382d1cb4aea6e4a2e6fb101346e46bb8a01dbc10 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 May 2014 19:45:00 -0400 Subject: Add missing scope to top-level sshd class, passing necessary parameters for configuration (#3108) Change-Id: I4f94a47d47a40bfc6835359e7781707f96e91db0 --- puppet/modules/site_sshd/manifests/init.pp | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index e81780ef..400c21ea 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,5 @@ class site_sshd { - $ssh = hiera_hash('ssh') + $ssh = hiera_hash('ssh') $hosts = hiera('hosts', '') ## @@ -24,9 +24,9 @@ class site_sshd { content => template('site_sshd/ssh_known_hosts.erb'); '/etc/ssh/ssh_config': - owner => root, - group => root, - mode => '0644', + owner => root, + group => root, + mode => '0644', content => template('site_sshd/ssh_config.erb'); } 
@@ -47,4 +47,16 @@ class site_sshd { ensure => absent } } + + ## + ## SSHD SERVER CONFIGURATION + ## + class { '::sshd': + manage_nagios => 'no', + ports => $ssh['port'], + use_pam => 'yes', + hardened_ssl => 'yes', + print_motd => 'no', + manage_client => false + } } -- cgit v1.2.3 From 09916946f8eb0ab17689255fd626a52ef1808e6a Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 2 Jun 2014 11:03:56 -0700 Subject: fix unbound: configs in /etc/unbound/unbound.conf.d contained a syntax error and were missing .conf suffix --- puppet/modules/site_openvpn/manifests/resolver.pp | 24 +++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c1367a33..cea0153a 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
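Review bot: The new `class { '::sshd': ... }` declaration turns on `use_pam => 'yes'` but pins neither password nor challenge-response authentication, so whether password logins are possible now depends on the submodule's defaults, which are not visible here and just changed with the submodule bump in the previous commit. Since this platform manages `authorized_keys` strictly (it purges unmanaged keys, per the comment rewritten two commits earlier), key-only access is clearly the intent and should be stated explicitly in this declaration, e.g. `password_authentication => 'no',` and `challenge_response_authentication => 'no',` (using whatever parameter names the sshd module exposes for these). `ports => $ssh['port']` is read from `hiera_hash('ssh')` without a default, so a node whose hiera data lacks `port` would render an empty `Port` line; consider failing early with a message rather than letting sshd's config test catch it. The enclosing `class site_sshd` begins outside this hunk.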
@@ -3,15 +3,15 @@ class site_openvpn::resolver { if $site_openvpn::openvpn_allow_unlimited { $ensure_unlimited = 'present' file { - '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': - content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf': + content => "server:\n\tinterface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf': + content => "server:\n\tinterface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', 
@@ -20,22 +20,22 @@ class site_openvpn::resolver { } } else { $ensure_unlimited = 'absent' - tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': } - tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf': } } if $site_openvpn::openvpn_allow_limited { $ensure_limited = 'present' file { - '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': - content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver.conf': + content => "server:\n\tinterface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver.conf': + content => "server\n\tinterface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', 
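Review bot: The content for `vpn_limited_tcp_resolver.conf` is missing the colon after `server` — it reads `"server\n\tinterface: ..."` while its three siblings write `"server:\n\t..."` — so unbound will reject this file as a syntax error, which is the very class of bug the commit message says it fixes. Because these files notify `Service['unbound']` (visible for the udp resolver in the previous hunk; this resource's require/notify lines fall outside the hunk), the resulting restart fails and DNS goes down for every VPN range, not just the limited-TCP one. The fix is the single character: `content => "server:\n\tinterface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",`. Running `unbound-checkconf` in an exec ordered between these files and the service restart would catch this kind of typo before it takes the resolver offline.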
@@ -44,7 +44,7 @@ class site_openvpn::resolver { } } else { $ensure_limited = 'absent' - tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': } - tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver.conf': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver.conf': } } } -- cgit v1.2.3 From 24f0cc3c64aab59db436e0827ba24ec08023100a Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 24 May 2014 01:35:54 -0700 Subject: added support for /provider.json served from static site. --- platform.rb | 2 +- .../files/service-definitions/provider.json.erb | 2 +- provider_base/services/static.json | 9 ++++++++- puppet/modules/site_static/manifests/domain.pp | 3 ++- puppet/modules/site_static/manifests/init.pp | 18 ++++++++++++++++++ puppet/modules/site_static/templates/apache.conf.erb | 14 ++++++++++++++ 6 files changed, 44 insertions(+), 4 deletions(-) diff --git a/platform.rb b/platform.rb index d36cb3af..cd0cbde0 100644 --- a/platform.rb +++ b/platform.rb @@ -5,7 +5,7 @@ Leap::Platform.define do self.version = "0.5.2" - self.compatible_cli = "1.5.0".."1.99" + self.compatible_cli = "1.5.5".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index be8ae484..2d0a5886 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -7,7 +7,7 @@ hsh['domain'] = domain.full_suffix # advertise services that are 'user services' and for which there are actually nodes - hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service| + hsh['services'] ||= global.env(environment).services[:service_type => :user_service].field(:name).select do |service| nodes_like_me[:services => service].any? end 
diff --git a/provider_base/services/static.json b/provider_base/services/static.json index d9155a84..3bbc1240 100644 --- a/provider_base/services/static.json +++ b/provider_base/services/static.json @@ -1,6 +1,13 @@ { "static": { - "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq" + "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq", + // include a copy of provider.json in case any of the configured domains happens to match provider.domain + "bootstrap_files": { + "domain": "= provider.domain", + "enabled": "= (self.static.domains||{})[provider.domain] ? true : false", + "provider_json": "=> static.bootstrap_files.enabled ? try{nodes_like_me[:services => 'webapp'].values.first.definition_files['provider']} : nil", + "client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil" + } }, "service_type": "public_service" } \ No newline at end of file diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 8af2230f..0f54a975 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -3,7 +3,8 @@ define site_static::domain ( $ca_cert, $key, $cert, - $tls_only) { + $tls_only, + $aliases) { $domain = $name $base_dir = '/srv/static' diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4f6d895f..6b2cc1f3 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp 
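Review bot: `bootstrap_files.enabled` is derived only from `static.domains[provider.domain]`, yet the same commit adds `$aliases` to `site_static::domain` and the apache template later in this commit renders the provider.json stanza whenever `provider.domain` appears as the domain or as one of its aliases; a static domain that carries `provider.domain` only as an alias therefore gets the `Alias /provider.json` directive while `provider_json` stays `nil`, leaving the served file empty. Either compute `enabled` over domains and their aliases as well, or drop the alias check in the template so the two conditions agree. `provider_json` also takes `nodes_like_me[:services => 'webapp'].values.first`, i.e. whichever webapp node sorts first; if a provider runs several webapp nodes that choice is silent and deserves a comment such as `// taken from the first webapp node; all webapp nodes are expected to produce identical provider definition files`.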
@@ -3,6 +3,24 @@ class site_static { $static = hiera('static') $domains = $static['domains'] $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + + if $bootstrap['enabled'] { + $bootstrap_domain = $bootstrap['domain'] + $bootstrap_client = $bootstrap['client_version'] + file { '/srv/leap/provider.json': + content => $bootstrap['provider_json'], + owner => 'www-data', + group => 'www-data', + mode => '0444'; + } + # It is important to always touch provider.json: the client needs to check x-min-client-version header, + # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem + # is that changing min client version won't alter the content of provider.json, so we must touch it. + exec { '/bin/touch /srv/leap/provider.json': + require => File['/srv/leap/provider.json']; + } + } if (member($formats, 'amber')) { include site_config::ruby::dev diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 2abe1a98..b694d44c 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -16,11 +16,16 @@ end end document_root = document_root.gsub(%r{^/|/$}, '') + bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') + bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> ServerName <%= @domain %> ServerAlias www.<%= @domain %> +<%- @aliases && @aliases.each do |domain_alias| -%> + ServerAlias <%= domain_alias %> +<%- end -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] @@ -28,6 +33,9 @@ ServerName <%= @domain %> ServerAlias www.<%= @domain %> +<%- @aliases && @aliases.each do |domain_alias| -%> + ServerAlias <%= domain_alias %> +<%- end -%> #RewriteLog "/var/log/apache2/rewrite.log" #RewriteLogLevel 3 
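Review bot: `/srv/leap/provider.json` is created with `owner => 'www-data'`, which makes the web-server user the owner of the document every client fetches to bootstrap, and `mode => '0444'` does not protect it because an owner can chmod and rewrite its own file — a compromised apache or passenger process could thus serve a tampered provider.json. Nothing in this hunk needs apache to write the file (puppet writes and touches it as root), so make it root-owned and world-readable: `owner => 'root',` `group => 'root',` `mode => '0644';`. The `exec { '/bin/touch /srv/leap/provider.json': }` has no `refreshonly`, so it runs on every agent run as the comment intends, but bumping the mtime each run also invalidates every client's cached copy; an `Header always set` on the apache side would emit the version header on 304 responses too and make the touch unnecessary. `content => $bootstrap['provider_json']` can also be nil when the `try{}` in static.json finds no webapp node, which would write an empty file while `enabled` is still true; a `fail()` on an empty value would make that visible at compile time.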
@@ -62,6 +70,12 @@ Order deny,allow Allow from all + <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> + + <%- end -%> <%- else -%> AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" Alias /<%=path%> "/<%=directory%>/" -- cgit v1.2.3 From 55327fd72621e5c678e5f9ba923bc348ca840463 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 1 Jun 2014 14:14:03 -0700 Subject: added templatewlv function (allows passing local variables to templates) --- puppet/modules/templatewlv/Modulefile | 11 ++++++ puppet/modules/templatewlv/README.md | 21 +++++++++++ .../lib/puppet/parser/functions/templatewlv.rb | 41 ++++++++++++++++++++++ .../lib/puppet/parser/templatewrapperwlv.rb | 39 ++++++++++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 puppet/modules/templatewlv/Modulefile create mode 100644 puppet/modules/templatewlv/README.md create mode 100644 puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb create mode 100644 puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb diff --git a/puppet/modules/templatewlv/Modulefile b/puppet/modules/templatewlv/Modulefile new file mode 100644 index 00000000..8007a070 --- /dev/null +++ b/puppet/modules/templatewlv/Modulefile @@ -0,0 +1,11 @@ +name 'duritong-templatewlv' +version '0.0.1' +source 'https://github.com/duritong/puppet-templatewlv.git' +author 'duritong' +license 'Apache License, Version 2.0' +summary 'Template With Local Variables' +description 'Pass local variables to templates' +project_page 'https://github.com/duritong/puppet-templatewlv' + +## Add dependencies, if any: +# dependency 'username/name', '>= 1.2.0' diff --git a/puppet/modules/templatewlv/README.md b/puppet/modules/templatewlv/README.md new file mode 100644 index 00000000..5ab01e45 --- /dev/null +++ b/puppet/modules/templatewlv/README.md 
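Review bot: `Header set X-Minimum-Client-Version ...` uses Apache's default `onsuccess` condition, which applies only to 2xx responses, so a conditional request answered with 304 omits the header — exactly the behaviour the `touch provider.json` exec in `site_static` is working around. `Header always set X-Minimum-Client-Version <%= bootstrap_client['min'] %>` adds it to every response including 304, so clients see the minimum version on each fetch without the mtime churn. `bootstrap_client['min']` is interpolated with no guard; if `client_version` lacks a `min` key the directive is emitted with an empty value and Apache's config test fails, so either `fail` in the manifest or skip the directive when it is nil. The container tags around this stanza appear to have been lost in this rendering of the hunk, so I cannot confirm the header is scoped to `/provider.json` only.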
@@ -0,0 +1,21 @@ +# templatewlv + +## Template With Local Variables + +A wrapper around puppet's template function. See +[the templating docs](http://docs.puppetlabs.com/guides/templating.html) for +the basic functionality. + +Additionally, you can pass a hash, as the last argument, which will be turned into +local variables and available to the template itself. This will allow you to define +variables in a template and pass them down to a template you include in the current +template. An example: + + scope.function_templatewlv(['sub_template', { 'local_var' => 'value' }]) + +Note that if multiple templates are specified, their output is all +concatenated and returned as the output of the function. + +# Who - License + +duritong - Apache License, Version 2.0 diff --git a/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb b/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb new file mode 100644 index 00000000..c9579e2c --- /dev/null +++ b/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb 
@@ -0,0 +1,41 @@ +require File.join(File.dirname(__FILE__),'../templatewrapperwlv') +Puppet::Parser::Functions::newfunction(:templatewlv, :type => :rvalue, :arity => -2, :doc => + "A wrapper around puppet's template function. See + [the templating docs](http://docs.puppetlabs.com/guides/templating.html) for + the basic functionality. + + Additionally, you can pass a hash, as the last argument, which will be turned into + local variables and available to the template itself. This will allow you to define + variables in a template and pass them down to a template you include in the current + template. An example: + + scope.function_templatewlv(['sub_template', { 'local_var' => 'value' }]) + + Note that if multiple templates are specified, their output is all + concatenated and returned as the output of the function.") do |vals| + + if vals.last.is_a?(Hash) + local_vars = vals.last + local_vals = vals[0..-2] + else + local_vars = {} + local_vals = vals + end + + result = nil + local_vals.collect do |file| + # Use a wrapper, so the template can't get access to the full + # Scope object. + debug "Retrieving template #{file}" + + wrapper = Puppet::Parser::TemplateWrapperWlv.new(self,local_vars) + wrapper.file = file + begin + wrapper.result + rescue => detail + info = detail.backtrace.first.split(':') + raise Puppet::ParseError, + "Failed to parse template #{file}:\n Filepath: #{info[0]}\n Line: #{info[1]}\n Detail: #{detail}\n" + end + end.join("") +end diff --git a/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb b/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb new file mode 100644 index 00000000..f1753e18 --- /dev/null +++ b/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb 
@@ -0,0 +1,39 @@ +# A wrapper for templates, that allows you to additionally define +# local variables +class Puppet::Parser::TemplateWrapperWlv < Puppet::Parser::TemplateWrapper + attr_reader :local_vars + def initialize(scope, local_vars) + super(scope) + @local_vars = local_vars + end + + # Should return true if a variable is defined, false if it is not + def has_variable?(name) + super(name) || local_vars.keys.include?(name.to_s) + end + + def method_missing(name, *args) + if local_vars.keys.include?(n=name.to_s) + local_vars[n] + else + super(name, *args) + end + end + + def result(string = nil) + # Expose all the variables in our scope as instance variables of the + # current object, making it possible to access them without conflict + # to the regular methods. + benchmark(:debug, "Bound local template variables for #{@__file__}") do + local_vars.each do |name, value| + if name.kind_of?(String) + realname = name.gsub(/[^\w]/, "_") + else + realname = name + end + instance_variable_set("@#{realname}", value) + end + end + super(string) + end +end -- cgit v1.2.3 From 4e3d168d103fea6476694997275c4df4821535f3 Mon Sep 17 00:00:00 2001 
From: elijah Date: Fri, 30 May 2014 14:52:26 -0700 Subject: static site: added rack support, added custom apache config --- provider_base/services/static.json | 2 +- .../site_apt/manifests/preferences/passenger.pp | 10 ++++ puppet/modules/site_static/manifests/domain.pp | 14 ++--- puppet/modules/site_static/manifests/init.pp | 19 ++++++- puppet/modules/site_static/manifests/location.pp | 8 +++ puppet/modules/site_static/templates/amber.erb | 15 ++++++ .../modules/site_static/templates/apache.conf.erb | 60 +++++++++++----------- puppet/modules/site_static/templates/rack.erb | 22 ++++++++ 8 files changed, 107 insertions(+), 43 deletions(-) create mode 100644 puppet/modules/site_apt/manifests/preferences/passenger.pp create mode 100644 puppet/modules/site_static/templates/amber.erb create mode 100644 puppet/modules/site_static/templates/rack.erb diff --git a/provider_base/services/static.json b/provider_base/services/static.json index 3bbc1240..c8ca5b1a 100644 --- a/provider_base/services/static.json +++ b/provider_base/services/static.json @@ -1,6 +1,6 @@ { "static": { - "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq", + "formats": "=> try{static.domains.values.collect{|d| try{d.locations.values.collect{|l|l.format}} }.flatten.compact.uniq} || []", // include a copy of provider.json in case any of the configured domains happens to match provider.domain "bootstrap_files": { "domain": "= provider.domain", diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp new file mode 100644 index 00000000..af501b6b --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/passenger.pp 
@@ -0,0 +1,10 @@ +class site_apt::preferences::passenger { + + apt::preferences_snippet { 'passenger': + package => 'libapache2-mod-passenger', + release => "${::lsbdistcodename}-backports", + priority => 999, + require => [Package['apache'], Class['ruby']]; + } + +} diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 0f54a975..6941b1a3 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,10 +1,11 @@ define site_static::domain ( - $locations, $ca_cert, $key, $cert, - $tls_only, - $aliases) { + $tls_only=true, + $locations=undef, + $aliases=undef, + $apache_config=undef) { $domain = $name $base_dir = '/srv/static' @@ -15,13 +16,6 @@ define site_static::domain ( x509::key { $domain: content => $key } x509::ca { "${domain}_ca": content => $ca_cert } - class { '::apache': no_default_site => true, ssl => true } - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip - include site_apache::module::rewrite - apache::vhost::file { $domain: content => template('site_static/apache.conf.erb') } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 6b2cc1f3..6e347d35 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -11,8 +11,8 @@ class site_static { file { '/srv/leap/provider.json': content => $bootstrap['provider_json'], owner => 'www-data', - group => 'www-data', - mode => '0444'; + group => 'www-data', + mode => '0444'; } # It is important to always touch provider.json: the client needs to check x-min-client-version header, # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem 
@@ -22,6 +22,21 @@ class site_static { } } + class { '::apache': no_default_site => true, ssl => true } + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + include site_apache::module::rewrite + + if (member($formats, 'rack')) { + include site_apt::preferences::passenger + class { 'passenger': + use_munin => false, + require => Class['site_apt::preferences::passenger'] + } + } + if (member($formats, 'amber')) { include site_config::ruby::dev rubygems::gem{'amber-0.3.0': } diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 1ba6807e..9c749b00 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -2,6 +2,14 @@ define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" + if $format == undef { + fail("static_site location `${path}` is missing `format` field.") + } + + if ! member(['amber','rack'], $format) { + fail("Could not understand static_site location format `${format}`.") + } + if ($format == 'amber') { exec {"amber_build_${name}": cwd => $file_path, diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb new file mode 100644 index 00000000..17dc2ad6 --- /dev/null +++ b/puppet/modules/site_static/templates/amber.erb @@ -0,0 +1,15 @@ +<%- if @location_path == '' -%> + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + +<%- else -%> + AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1" + Alias /<%=@location_path%> "<%=@directory%>/" + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + +<%- end -%> 
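Review bot: `@location_path` is interpolated unescaped into the `AliasMatch` regex in amber.erb, so a location path containing `.`, `+` or `(` alters the pattern instead of being matched literally; use `AliasMatch ^/[a-z]{2}/<%= Regexp.escape(@location_path) %>(/.+|/|)$ "<%=@directory%>/$1"`. Separately, `AllowOverride FileInfo Indexes Options=All,MultiViews` lets a `.htaccess` inside the served tree switch on `ExecCGI` or `Includes`; unless that is needed, `Options=Indexes,MultiViews,FollowSymLinks` is a tighter grant. The `<Directory …>` opening tags appear to have been lost in this rendering of the template, so the stanza boundaries cannot be checked here.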
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index b694d44c..b23c1bf9 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -2,20 +2,23 @@ ## ## An apache config for static websites. ## + def location_directory(name, location) - if location['format'] == 'amber' + if ['amber', 'rack'].include?(location['format']) File.join(@base_dir, name, 'public') else File.join(@base_dir, name) end end - document_root = '/var/www' - @locations.each do |name, location| - if location['path'] == '/' - document_root = location_directory(name, location) + + @document_root = begin + root = '/var/www' + @locations && @locations.each do |name, location| + root = location_directory(name, location) if location['path'] == '/' end + root.gsub(%r{^/|/$}, '') end - document_root = document_root.gsub(%r{^/|/$}, '') + bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> @@ -26,8 +29,10 @@ <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> +<%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] +<%- end -%> 
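Review bot: With `tls_only => false` the port-80 vhost no longer redirects, but nothing in this hunk gives it a DocumentRoot or the per-location stanzas, so what plain-HTTP requests are served from depends on directives outside the hunk (the `*:80` vhost continues past it). If the intent is to serve the same site in the clear, the `@locations` loop has to be rendered inside the `:80` vhost as well; if the intent is only to drop the redirect, a comment such as `# tls_only=false: no http->https redirect; the :80 vhost must define its own content` would stop operators from assuming the former. The HSTS header is correctly tied to the same flag in the following hunk.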
@@ -46,8 +51,12 @@
 SSLCompression off
 SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
+<%- if @tls_only -%>
 Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+<%- end -%>
 Header set X-Frame-Options "deny"
+ Header always unset X-Powered-By
+ Header always unset X-Runtime
 SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key
 SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt
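Review bot: `Header always unset X-Powered-By` only edits Apache's error-headers table, and per mod_headers `always` is not a superset of the default `onsuccess` condition for existing headers, so a header that Passenger or a Rack app adds to the normal response table can survive it; emit both forms, `Header unset X-Powered-By` and `Header always unset X-Powered-By` (likewise for `X-Runtime`). Unrelated to the lines added here, the retained `SSLCipherSuite` still offers `RC4-SHA` and `ECDHE-*-RC4-SHA`, which were already regarded as weak at the time; dropping them would be a cheap follow-up.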
@@ -55,37 +64,28 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot "/<%= document_root %>/" + DocumentRoot "/<%= @document_root %>/" AccessFileName .htaccess -<%- @locations.each do |name, location| -%> - <%- path = location['path'].gsub(%r{^/|/$}, '') -%> - <%- directory = location_directory(name, location) -%> - ## - ## <%= name %> - ## - <%- if path == '' -%> - /"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - - <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> Alias /provider.json /srv/leap/provider.json Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> - <%- end -%> - <%- else -%> - AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" - Alias /<%=path%> "/<%=directory%>/" - /"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - - <%- end -%> +<%- end -%> + +<%- if @apache_config -%> +<%= @apache_config %> +<%- end -%> +<%- @locations && @locations.each do |name, location| -%> +<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%- directory = location_directory(name, location) -%> +<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> + ## + ## <%= name %> (<%= location['format'] %>) + ## +<%= scope.function_templatewlv([File.join(File.dirname(__FILE__), location['format']) + '.erb', local_vars]) %> <%- end -%> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb new file mode 100644 index 00000000..3e22e750 --- /dev/null +++ b/puppet/modules/site_static/templates/rack.erb 
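Review bot: `location['format']` is joined straight into the template path handed to `templatewlv`, so any value other than `amber`/`rack` (including one containing `../`) resolves to an arbitrary `.erb` on the master; the only validation lives in `site_static::location`, which this loop does not depend on. Guard it in the template itself, e.g. `<%- next unless %w[amber rack].include?(location['format']) -%>` before the `local_vars` line. Also `location['path'].gsub(...)` raises `NoMethodError` on a location without a `path`, aborting the catalog with an unhelpful message instead of the `fail()` text in location.pp. `@apache_config` is emitted verbatim as intended, but that deserves a one-line comment saying so.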
@@ -0,0 +1,22 @@ + #PassengerLogLevel 1 + #RackEnv production + #PassengerFriendlyErrorPages on +<%- if @location_path == '' -%> + "> + Order deny,allow + Allow from all + Options -MultiViews + +<%- else -%> + Alias /<%=@location_path%> "<%=@directory%>" + > + RackBaseURI /<%=@location_path%> + PassengerBaseURI /<%=@location_path%> + PassengerAppRoot "<%=File.dirname(@directory)%>" + + "> + Order deny,allow + Allow from all + Options -MultiViews + +<%- end -%> -- cgit v1.2.3 From 2b3b9243e7d0301f877b35246a809c50196e038c Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 1 Jun 2014 22:22:45 -0700 Subject: work around hiera's inability to escape '%' by using ':percent:' --- puppet/modules/site_static/templates/apache.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index b23c1bf9..a16d51f4 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -75,7 +75,7 @@ <%- end -%> <%- if @apache_config -%> -<%= @apache_config %> +<%= @apache_config.gsub(':percent:','%') %> <%- end -%> <%- @locations && @locations.each do |name, location| -%> -- cgit v1.2.3 From 0c4c0ab6863c4c1cf59d0e999c7ba7bd41d3546c Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 1 Jun 2014 23:21:12 -0700 Subject: remove superfluous RackBaseURI directive --- puppet/modules/site_static/templates/rack.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index 3e22e750..aae91f1c 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb @@ -1,5 +1,5 @@ #PassengerLogLevel 1 - #RackEnv production + #PassengerAppEnv production #PassengerFriendlyErrorPages on <%- if @location_path == '' -%> "> 
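Review bot: The rack `<Directory>` stanzas grant `Allow from all` but set no `AllowOverride`, so whatever the server default is applies to the app's `public/` directory; since the vhost enables `AccessFileName .htaccess`, an explicit `AllowOverride None` there keeps a stray `.htaccess` shipped inside `public/` from re-enabling options. In the non-root branch `PassengerAppRoot "<%=File.dirname(@directory)%>"` assumes `@directory` is the app's `public/` subdirectory, which holds only because `location_directory` in apache.conf.erb appends `public` for rack; a comment `# @directory is <app>/public, so the app root is its parent` would keep a later change to that helper from silently breaking the app root.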
@@ -10,7 +10,6 @@ <%- else -%> Alias /<%=@location_path%> "<%=@directory%>" > - RackBaseURI /<%=@location_path%> PassengerBaseURI /<%=@location_path%> PassengerAppRoot "<%=File.dirname(@directory)%>" -- cgit v1.2.3 From 455422ddd5152679eb8df5554e371dbcf2c28f27 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 2 Jun 2014 12:02:29 -0700 Subject: static site: better message for wrong location type. --- puppet/modules/site_static/manifests/location.pp | 6 ++++-- puppet/modules/site_static/templates/apache.conf.erb | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 9c749b00..ce2af9af 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -1,13 +1,15 @@ define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" + $allowed_formats = ['amber','rack'] if $format == undef { fail("static_site location `${path}` is missing `format` field.") } - if ! member(['amber','rack'], $format) { - fail("Could not understand static_site location format `${format}`.") + if ! member($allowed_formats, $format) { + $formats_str = join($allowed_formats, ', ') + fail("Unsupported static_site location format `${format}`. Supported formats include ${formats_str}.") } if ($format == 'amber') { diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index a16d51f4..07ac481d 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
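Review bot: The `if $format == undef` guard is unreachable in practice: `$format` is a required parameter of the define with no default, so Puppet rejects the declaration before the body runs, and I believe an explicit `format => undef` is treated as "not passed" in Puppet 3 and fails the same way. The `$allowed_formats` list now duplicates the `['amber', 'rack']` check in `apache.conf.erb`'s `location_directory`; a comment `# keep in sync with the format list in templates/apache.conf.erb` on that line would keep the two from drifting. The define's body continues outside the hunk.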
@@ -82,10 +82,12 @@ <%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> <%- directory = location_directory(name, location) -%> <%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> +<%- break unless File.exists?(template_path) -%> ## ## <%= name %> (<%= location['format'] %>) ## -<%= scope.function_templatewlv([File.join(File.dirname(__FILE__), location['format']) + '.erb', local_vars]) %> +<%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%> -- cgit v1.2.3 From a590f5f3ca1eb21f761c40979b3c87c0f5310018 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 2 Jun 2014 13:01:21 -0700 Subject: static site: gracefully handle static sites that are not configured. --- provider_base/services/static.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/static.json b/provider_base/services/static.json index c8ca5b1a..d9f52b36 100644 --- a/provider_base/services/static.json +++ b/provider_base/services/static.json @@ -4,7 +4,7 @@ // include a copy of provider.json in case any of the configured domains happens to match provider.domain "bootstrap_files": { "domain": "= provider.domain", - "enabled": "= (self.static.domains||{})[provider.domain] ? true : false", + "enabled": "= !! try{static.domains[provider.domain]}", "provider_json": "=> static.bootstrap_files.enabled ? try{nodes_like_me[:services => 'webapp'].values.first.definition_files['provider']} : nil", "client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil" } -- cgit v1.2.3 From 2f9f76682c02770f47922435f815177ceec15fd9 Mon Sep 17 00:00:00 2001 
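Review bot: `break unless File.exists?(template_path)` exits the whole `@locations.each` loop, so one location with an unknown format silently drops every location that follows it from the vhost; `next` is the intended control flow. An existence check is also weaker than a whitelist — any `.erb` reachable via `location['format']` would still be rendered — so `<%- next unless %w[amber rack].include?(location['format']) -%>` is both safer and gives the same skip. `File.exists?` is deprecated in favour of `File.exist?`.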
From: Christoph Date: Tue, 3 Jun 2014 15:48:35 +0200 Subject: move hiera from site.pp to site_config::setup the problem was following: if a host has the webapp service, the template for /etc/hosts adds some stuff. But setup.pp did not ask hiera about the services so "/srv/leap/bin/puppet_command set_hostname" always resets the hostname. Since that gets triggered every time you run "leap deploy" the hostname changes, some services restart, then the hostname changes back and the services restart again. The solution is to get the hiera data before every run. --- puppet/manifests/site.pp | 3 --- puppet/modules/site_config/manifests/setup.pp | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f8726fa9..1eafec64 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,9 +1,6 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -# parse services for host -$services=join(hiera_array('services', ['']), ' ') -notice("Services for ${fqdn}: ${services}") include site_config::setup include site_config::default diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index 6d89be86..db22c4d9 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -13,6 +13,10 @@ class site_config::setup { include concat::setup include stdlib + + # parse services for host + $services=join(hiera_array('services', ['']), ' ') + notice("Services for ${fqdn}: ${services}") # configure /etc/hosts class { 'site_config::hosts': stage => setup, -- cgit v1.2.3 From 79295764ebbefd346407b8042bc759552aa46234 Mon Sep 17 00:00:00 2001 
From: elijah Date: Wed, 4 Jun 2014 13:05:56 -0700 Subject: bugfix: actually apply modules based on $services --- puppet/manifests/site.pp | 22 ++++++++++++---------- puppet/modules/site_config/manifests/setup.pp | 2 +- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1eafec64..9afa5dfd 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,42 +1,44 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } - include site_config::setup include site_config::default -# configure eip -if $services =~ /\bopenvpn\b/ { +$services = hiera('services', []) +$services_str = join($services, ', ') +notice("Services for ${fqdn}: ${services_str}") + +if member($services, 'openvpn') { include site_openvpn } -if $services =~ /\bcouchdb\b/ { +if member($services, 'couchdb') { include site_couchdb include tapicero } -if $services =~ /\bwebapp\b/ { +if member($services, 'webapp') { include site_webapp include site_nickserver } -if $services =~ /\bsoledad\b/ { +if member($services, 'soledad') { include soledad::server } -if $services =~ /\bmonitor\b/ { +if member($services, 'monitor') { include site_nagios } -if $services =~ /\btor\b/ { +if member($services, 'tor') { include site_tor } -if $services =~ /\bmx\b/ { +if member($services, 'mx') { include site_mx } -if $services =~ /\bstatic\b/ { +if member($services, 'static') { include site_static } diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index db22c4d9..01dea723 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -16,7 +16,7 @@ class site_config::setup { # parse services for host $services=join(hiera_array('services', ['']), ' ') - notice("Services for ${fqdn}: ${services}") + # configure /etc/hosts class { 'site_config::hosts': stage => setup, -- cgit v1.2.3 
From f991e8a4c877cff1d274fd1cac26488f8c3fda84 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 4 Jun 2014 14:19:55 -0700 Subject: clean up how /etc/hosts is generated so it doesn't require custom behavior depending on the services. --- puppet/modules/site_config/manifests/default.pp | 3 ++- puppet/modules/site_config/manifests/hosts.pp | 16 +++++++++++++--- puppet/modules/site_config/manifests/setup.pp | 5 ----- puppet/modules/site_config/templates/hosts | 3 +-- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index dfdffe03..fc2179de 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,6 +1,7 @@ class site_config::default { tag 'leap_base' + $services = hiera('services', []) $domain_hash = hiera('domain') include site_config::params @@ -54,7 +55,7 @@ class site_config::default { # set up core leap files and directories include site_config::files - if $::services !~ /\bmx\b/ { + if ! member($services, 'mx') { include site_postfix::satellite } diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index e5d4dd70..6982d37b 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,9 +1,19 @@ class site_config::hosts() { $hosts = hiera('hosts', false) + + # calculate all the hostname aliases that might be used $hostname = hiera('name') - $domain_hash = hiera('domain') - $domain_public = $domain_hash['full_suffix'] - $api = hiera('api', '') + $domain_hash = hiera('domain', {}) + $dns = hiera('dns', {}) + if $dns['aliases'] == undef { + $dns_aliases = [] + } else { + $dns_aliases = $dns['aliases'] + } + $my_hostnames = unique(sort(concat( + [$hostname, $domain_hash['full'], $domain_hash['internal']], + $dns_aliases + ))) file { '/etc/hostname': ensure => present, 
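Review bot: `unique(sort(concat(...)))` in hosts.pp orders the names on the `127.0.1.1` line alphabetically, but the first name on that line is what the resolver returns as the canonical hostname (`hostname -f`, Postfix's default `myhostname`, anything calling `gethostbyname`), so a DNS alias that sorts before `$domain_hash['full']` now becomes the machine's FQDN. Keep the full name first and only sort the rest, e.g. `$my_hostnames = unique(concat([$domain_hash['full']], sort(concat([$hostname, $domain_hash['internal']], $dns_aliases))))`; stdlib `unique` keeps the first occurrence, so duplicates are still removed. If `domain.full` or `domain.internal` is absent from hiera the array also carries undef entries, which `sort` may not handle cleanly — hard to confirm from here.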
diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index 01dea723..b09d0413 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -4,7 +4,6 @@ class site_config::setup { # # this is applied before each run of site.pp # - #$services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } @@ -13,10 +12,6 @@ class site_config::setup { include concat::setup include stdlib - - # parse services for host - $services=join(hiera_array('services', ['']), ' ') - # configure /etc/hosts class { 'site_config::hosts': stage => setup, diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index bfcabaa5..d557f730 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,8 +1,7 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <% if (defined? @services) and (@services.include? 'webapp') -%><%= @domain_public %> <%= @api['domain'] %><% end -%> - +127.0.1.1 <%= @my_hostnames.join(' ') %> <%- if @hosts then -%> <% @hosts.keys.sort.each do |name| -%> -- cgit v1.2.3
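Review bot: `<%= @my_hostnames.join(' ') %>` renders whatever is in the array, and the hosts manifest builds that array from `$domain_hash['full']`, `$domain_hash['internal']` and `dns.aliases` without checking that any of them exist; a missing key yields an undef element that, depending on the Puppet version, ends up as an empty token or the literal string `undef` on the `127.0.1.1` line. Filtering in the template is cheap: `127.0.1.1 <%= @my_hostnames.reject { |h| h.nil? || h == :undef || h.to_s.empty? }.join(' ') %>`. The dropped `@api['domain']` alias for webapp hosts is presumably now expected to arrive via `dns.aliases`; worth confirming against the node JSON, since nothing in the diff shows it.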