From 2fd403476e77a545355443667408ba0cf6205fcd Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:39:12 -0500 Subject: remove the apt-get autoclean from the initial apt-get update, this just slows things down and I don't see a need for it --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index f129dd73..f8ea05fc 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -4,7 +4,7 @@ class site_apt::dist_upgrade { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') } else { exec{'initial_apt_update': - command => '/usr/bin/apt-get update && /usr/bin/apt-get autoclean', + command => '/usr/bin/apt-get update', refreshonly => false, } exec{'initial_apt_dist_upgrade': -- cgit v1.2.3 From 2e03ec8c02a54c407c12964d243ba4ac5de15b99 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:45:20 -0500 Subject: switch to using stdlib's standard stages --- puppet/manifests/site.pp | 4 +--- puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_config/manifests/slow.pp | 2 +- puppet/modules/site_nagios/manifests/server.pp | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1ec806d9..c89bc7d1 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,9 +1,7 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -stage { 'initial': - before => Stage['main'], -} +include stdlib import 'common' include site_config::default diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 2191e9a1..77241df5 100644 --- a/puppet/modules/site_config/manifests/default.pp 
+++ b/puppet/modules/site_config/manifests/default.pp @@ -24,7 +24,7 @@ class site_config::default { # configure /etc/hosts class { 'site_config::hosts': - stage => initial, + stage => setup, } package { [ 'etckeeper' ]: diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index 18b22a9c..94bac88d 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -1,6 +1,6 @@ class site_config::slow { tag 'leap_slow' class { 'site_apt::dist_upgrade': - stage => initial, + stage => setup, } } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index c98a8a1f..c114a39a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -2,7 +2,7 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) class { 'site_nagios::server::purge': - stage => initial + stage => setup } $nagios_hiera=hiera('nagios') -- cgit v1.2.3 From 2acaf6e3aa171e22cc28141027ef1b09f335514b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 14:05:54 -0500 Subject: make sure that apt-get update is run before any package is installed (#1745) --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index c89bc7d1..8cfa92ef 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,6 +1,10 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +# make sure apt is updated before any packages are installed +include apt::update +Package { require => Exec['apt_updated'] } + include stdlib import 'common' -- cgit v1.2.3 From 21b197953d11d69d14789bc284d72d9c5025dcb4 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 21 Feb 2013 16:11:14 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e3d2a9af..165ba96e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -38,7 +38,7 @@ class site_openvpn { # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} /bin/echo 1 > /proc/sys/net/ipv4/ip_forward ", mode => '0755', @@ -49,7 +49,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a } cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", + command => '/usr/local/bin/leap_add_second_ip.sh', user => 'root', special => 'reboot', } -- cgit v1.2.3 From 081e6f2e55d1536d4c0ebea5dfdc9f08b105c602 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:22:26 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d3963c95..939207bd 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -23,13 +23,17 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, group => root, mode => '0644', + owner => root, + group => root, + mode => '0644', require => Service['openvpn'], notify => Service['unbound']; '/etc/unbound/conf.d/vpn_tcp_resolver': content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, group => root, mode => '0644', + owner => root, + group => root, + mode => '0644', require => Service['openvpn'], notify => Service['unbound']; } -- cgit v1.2.3 From b0b228edb52dc420c9f688c60af054ac6d0c7473 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:33:27 +0100 Subject: linted a bit --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index de273b46..436dd272 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -57,7 +57,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name concat { - "/etc/openvpn/$openvpn_configname.conf": + "/etc/openvpn/${openvpn_configname}.conf": owner => root, group => root, mode => 644, -- cgit v1.2.3 From d669a5fb56acf9101cf677ecbd30bcc47b092cd3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 21 Feb 2013 16:11:36 -0500 Subject: changed submodule url --- .gitmodules | 2 +- puppet/modules/vcsrepo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index 21966fc3..45763175 100644 --- a/.gitmodules 
+++ b/.gitmodules @@ -39,7 +39,7 @@ url = git://code.leap.se/puppet_bundler [submodule "puppet/modules/vcsrepo"] path = puppet/modules/vcsrepo - url = git://github.com/puppetlabs/puppetlabs-vcsrepo.git + url = git://labs.riseup.net/module_vcs [submodule "puppet/modules/rubygems"] path = puppet/modules/rubygems url = git://code.leap.se/puppet_rubygems diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo index 04851c28..4db1120c 160000 --- a/puppet/modules/vcsrepo +++ b/puppet/modules/vcsrepo @@ -1 +1 @@ -Subproject commit 04851c28b12973c679fc9f234fd0f5a193df9d7a +Subproject commit 4db1120c78763f5244dc6c9d2e0d064a6ef363e0 -- cgit v1.2.3 From b63bcc1b9e44c0f0ec7a500538e7ce18bbf48bc2 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Sat, 23 Feb 2013 11:23:35 +0100 Subject: adding angkat family --- puppet/modules/site_tor/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index ceb6fb13..50ab636b 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -15,6 +15,7 @@ class site_tor { address => $address, contact_info => $contact_email, bandwidth_rate => $bandwidth_rate, + my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } tor::daemon::directory { $::hostname: port => 80 } -- cgit v1.2.3 From b3aca2b0cd35f9cc921d1703a597ddbc91529044 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Feb 2013 15:07:38 -0500 Subject: missed another require => Package['shorewall'] on the file resources in site_shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 4e5a5d48..d2bf3c4c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
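Review bot: The new `url = git://labs.riseup.net/module_vcs` fetches the vcsrepo module over the unauthenticated git:// transport, so the only integrity guarantee left for this dependency is the `Subproject commit 4db1120c…` pin recorded in the sibling hunk. That pin protects a normal `git submodule update`, but not an update run with `--remote` or a re-add of the submodule without checking the hash; `https://` (or ssh) would also authenticate the server, and the neighbouring `git://code.leap.se/...` entries have the same weakness. The commit message does not say why upstream puppetlabs-vcsrepo was replaced by a fork — a comment line in .gitmodules such as `# forked from puppetlabs-vcsrepo; see <reason>` would help whoever audits this dependency later.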
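Review bot: `my_family` is hard-coded to one relay fingerprint inside the module, so every node that applies `site_tor` declares exactly that family regardless of which relays the provider actually runs, and Tor's MyFamily is only effective when each relay lists all of the operator's relays. The value belongs with the other provider data on the neighbouring lines (`$address`, `$contact_email`, `$bandwidth_rate`), e.g. `my_family => $tor_family,` populated from the same source, so that adding a relay updates every node. The single quotes are deliberate — in a double-quoted string Puppet would try to interpolate `$2A43…` — so a short comment (`# single-quoted: the leading $ is part of the Tor fingerprint syntax`) would stop a later lint pass from breaking it.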
@@ -12,7 +12,8 @@ class site_shorewall::eip { content => "PARAM - - tcp 1194 PARAM - - udp 1194 ", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } -- cgit v1.2.3 From cd96f130a304accaf0bbef5f751dc75976f3116e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Feb 2013 15:14:24 -0500 Subject: require that the package unbound be installed before trying to write to its configuration file, this addresses issue #1853 - [vpn1] err: /Stage[main]/Site_openvpn::Resolver/Line[add_tcp_resolver]/Exec[echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf']/returns: change from notrun to 0 failed: echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf' returned 2 instead of one of [0] at /srv/leap/puppet/modules/common/manifests/defines/line.pp:45 --- puppet/modules/site_openvpn/manifests/resolver.pp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 939207bd..26785edb 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -8,16 +8,18 @@ class site_openvpn::resolver { line { 'add_tcp_resolver': - ensure => present, - file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', - notify => Service['unbound']; + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; 'add_udp_resolver': - ensure => present, - file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', - notify => Service['unbound']; + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound'], + require => Package['unbound'] } file { -- cgit v1.2.3 From 5f8b63892ec9d08471a43ac642ed8f291d27c4f5 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Wed, 27 Feb 2013 11:50:59 +0100 Subject: language in the Readme --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c41e27c7..03e3cb80 100644 --- a/README.md +++ b/README.md @@ -22,10 +22,9 @@ For a minimal test or develop install we recommend a fairly recent computer x86_ You could use Vagrant or KVM to simulate a live deployment. For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. -In it's initial release you can deploy Tor, OpenVPN, CouchDB and a webapp to administer your users (billing, help tickets,...). +In it's initial release you can deploy Tor, OpenVPN, CouchDB and a webapp to administer your users (billing, help tickets,…). While you can deploy all services on one server, we stronly recommend to use seperate servers for better security. - Usage ===== 
@@ -60,7 +59,7 @@ Read LICENSE Known bugs ---------- -* currently none known, there will probably be some around ! +* currently none known, there will probably be some around! Troubleshooting --------------- -- cgit v1.2.3 From ffb88e54c5e4e30fa61ea1009f3eee62f98ab17c Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 27 Feb 2013 23:46:58 -0800 Subject: openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name. --- .../files/service-definitions/eip-service.json.erb | 33 +++++++++++----- provider_base/provider.json | 12 ++++++ provider_base/services/openvpn.json | 7 +++- provider_base/services/webapp.json | 4 +- puppet/modules/site_openvpn/manifests/init.pp | 45 ++++++++++++++++++---- .../site_openvpn/manifests/server_config.pp | 18 ++++++++- .../templates/leap_add_second_ip.sh.erb | 11 ++++++ .../modules/site_shorewall/manifests/dnat_rule.pp | 21 +++++++++- .../modules/site_webapp/templates/config.yml.erb | 8 ++++ 9 files changed, 137 insertions(+), 22 deletions(-) create mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb index 8dc7211d..09b65bbb 100644 --- a/provider_base/files/service-definitions/eip-service.json.erb +++ b/provider_base/files/service-definitions/eip-service.json.erb 
@@ -6,21 +6,34 @@ words end + def gateway_definition(node) + gateway = {} + gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns) + gateway["capabilities"]["transport"] = ["openvpn"] + gateway["host"] = node.domain.full + gateway["cluster"] = underscore(node.openvpn.location) + gateway + end + hsh = {} hsh["serial"] = 1 hsh["version"] = 1 clusters = {} gateways = [] - global.services['openvpn'].node_list.each_node do |node| - next if node.vagrant? - gateway = {} - gateway["capabilities"] = node.openvpn.pick( - :ports, :protocols, :user_ips, :adblock, :filter_dns) - gateway["capabilities"]["transport"] = ["openvpn"] - gateway["ip_address"] = node.openvpn.gateway_address - gateway["host"] = node.domain.full - gateway["cluster"] = underscore(node.openvpn.location) - gateways << gateway + nodes_like_me[:services => 'openvpn'].each_node do |node| + if node.openvpn.gateway_address + gateway = gateway_definition(node) + gateway["ip_address"] = node.openvpn.gateway_address + gateway["capabilities"]["free"] = false + gateways << gateway + end + if node.openvpn.free_gateway_address && node.openvpn.free_gateway_address != "REQUIRED" + gateway = gateway_definition(node) + gateway["ip_address"] = node.openvpn.free_gateway_address + gateway["capabilities"]["free"] = true + gateway["capabilities"]["rate_limit"] = node.openvpn.free_rate_limit + gateways << gateway + end clusters[gateway["cluster"]] ||= { "name" => gateway["cluster"], "label" => {"en" => node.openvpn.location} diff --git a/provider_base/provider.json b/provider_base/provider.json index 8ce848f3..14eabdc2 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json 
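Review bot: The paid branch guards only on truthiness of `node.openvpn.gateway_address`, while openvpn.json in this same patch defaults that key to the placeholder string `"REQUIRED"`, so a node whose address was never set is published to every client with `ip_address: "REQUIRED"`; the free branch already excludes the placeholder and the paid branch should match it: `if node.openvpn.gateway_address && node.openvpn.gateway_address != "REQUIRED"`. Below the two `if` blocks, `clusters[gateway["cluster"]] ||= …` reads whichever `gateway` was assigned last and raises on `nil` when neither branch ran, so that bookkeeping belongs inside the branches (or should derive the cluster from `gateway_definition(node)` directly). The old `next if node.vagrant?` filter was dropped in favour of `nodes_like_me`; presumably the environment filter now excludes vagrant nodes, but that is not visible here and deserves a comment on the loop.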
@@ -13,6 +13,12 @@ "languages": ["en"], "default_language": "en", "enrollment_policy": "open", + "service_levels": [ + {"name": "free", "bandwidth":102400, "storage":50}, + {"name": "basic", "bandwidth":null, "storage":1000}, + {"name": "premium", "bandwidth":null, "storage":10000} + ], + "service_allow_free": false, "ca": { "name": "= global.provider.ca.organization + ' Root CA'", "organization": "= global.provider.name[global.provider.default_language]", @@ -24,6 +30,12 @@ "bit_size": 3248, "digest": "SHA256", "life_span": "1y" + }, + "client_certificates": { + "bit_size": 2024, + "digest": "SHA256", + "life_span": "2m", + "free_prefix": "FREE" } }, "hiera_sync_destination": "/etc/leap" diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 7b67ccb3..e78a02ac 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -7,10 +7,15 @@ }, "openvpn": { "location": "Location Unknown", + "gateway_address": "REQUIRED", + "free_gateway_address": "= openvpn.allow_free ? 'REQUIRED' : nil", "ports": ["80", "443", "53", "1194"], "protocols": ["tcp", "udp"], "filter_dns": false, "adblock": false, - "user_ips": false + "user_ips": false, + "allow_free": "= global.provider.service_allow_free", + "free_prefix": "= global.provider.ca.client_certificates.free_prefix", + "free_rate_limit": "= openvpn.allow_free ? global.provider.service_levels.detect{|level| level['name'] == 'free'}['bandwidth'] : nil" } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index e3055c6f..8ede0ecf 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
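Review bot: `"bit_size": 2024` under `client_certificates` is not a standard RSA modulus length and looks like a typo for 2048; non-standard sizes are rejected or silently rounded by some key-generation tools and TLS stacks, and they make the security margin harder to reason about. Suggest `"bit_size": 2048,`. The server `bit_size` of 3248 on the lines above is similarly unconventional, though it predates this change and is out of scope here.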
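Review bot: `free_rate_limit` calls `['bandwidth']` on the result of `detect`, which is `nil` whenever `service_levels` has no entry named `free`, so a provider that sets `service_allow_free: true` but renames or removes that level gets a NoMethodError from the config evaluator instead of a clear message; binding the lookup first (`level = …detect{…}; level ? level['bandwidth'] : fail("no 'free' service level")`, or whatever error helper the evaluator offers) would fail informatively. The value is passed straight to OpenVPN's `shaper` in the puppet hunk below, which takes bytes per second, while the level in provider.json says `"bandwidth":102400` with no unit — state the unit next to one of the two so an operator does not enter a kbit/s figure that is 8x off.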
@@ -8,7 +8,9 @@ "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", - "img_dir": "= file_path 'branding/img'" + "img_dir": "= file_path 'branding/img'", + "client_certificates": "= global.provider.ca.client_certificates", + "allow_free": "= global.provider.service_allow_free" }, "definition_files": { "provider": "= file :provider_json_template", diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 165ba96e..0c9f1795 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,9 +1,9 @@ class site_openvpn { tag 'leap_service' + # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") - #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' @@ -12,6 +12,10 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $openvpn_allow_free = $openvpn_config['allow_free'] + $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] + $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] + $openvpn_free_prefix = $openvpn_config['free_prefix'] $x509_config = hiera('x509') # deploy ca + server keys 
@@ -26,22 +30,47 @@ class site_openvpn { push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } + site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + local => $openvpn_gateway_address, server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - local => $openvpn_gateway_address, management => '127.0.0.1 1001' } + if $openvpn_allow_free { + site_openvpn::server_config { 'free_tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + management => '127.0.0.1 1002' + } + site_openvpn::server_config { 'free_udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + management => '127.0.0.1 1003' + } + } else { + tidy { "/etc/openvpn/free_tcp_config.conf": } + tidy { "/etc/openvpn/free_udp_config.conf": } + } + # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -", - mode => '0755', + file { + '/usr/local/bin/leap_add_second_ip.sh': + content => template('site_openvpn/leap_add_second_ip.sh.erb'), + mode => '0755'; } exec { '/usr/local/bin/leap_add_second_ip.sh': 
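Review bot: The free daemons reuse the paid address pools — `free_tcp_config` serves `${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}` exactly like `tcp_config`, and likewise for udp — so two OpenVPN processes on the same host will assign overlapping 10.1.0.0/21 and 10.2.0.0/21 client addresses and install conflicting routes; the free daemons need their own prefixes (e.g. `$openvpn_free_tcp_network_prefix`/`$openvpn_free_udp_network_prefix`) with matching resolver and firewall entries. More importantly for the rate limit, only the free daemons receive `tls_remote`; `tcp_config` and `udp_config` still accept any certificate from the client CA, so a `FREE…` certificate can simply connect to the unlimited gateway and the shaper is never applied. OpenVPN has no negative CN match, so the paid daemons need a `tls-verify` script that rejects CNs beginning with `$openvpn_free_prefix` (or the free certificates need a separate CA). Note also that `tls-remote` matches by prefix and is deprecated from OpenVPN 2.3 in favour of `verify-x509-name`, which is worth a comment next to the `tls_remote` lines. Class `site_openvpn` continues outside this hunk.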
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 436dd272..1f42400a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -52,7 +52,9 @@ # note: the default is BF-CBC (blowfish) # -define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { +define site_openvpn::server_config( + $port, $proto, $local, $server, $push, + $management, $tls_remote = undef, $shaper = undef) { $openvpn_configname = $name @@ -66,6 +68,20 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana notify => Service['openvpn']; } + # special options for the "free" gateway daemons + if $shaper != undef { + openvpn::option { + "shaper $openvpn_configname": + key => 'shaper', + value => $shaper, + server => $openvpn_configname; + "tls-remote $openvpn_configname": + key => 'tls-remote', + value => $tls_remote, + server => $openvpn_configname; + } + } + openvpn::option { "ca $openvpn_configname": key => 'ca', diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb new file mode 100644 index 00000000..40866116 --- /dev/null +++ b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb @@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> + +<% if @openvpn_allow_free %> +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 || + ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 68f480d8..0b4370df 100644 
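Review bot: `tls-remote` is only emitted inside `if $shaper != undef`, so a caller that passes `tls_remote` without `shaper` silently gets a daemon with no CN restriction at all — each option should be gated on its own parameter: `if $tls_remote != undef { openvpn::option { "tls-remote $openvpn_configname": key => 'tls-remote', value => $tls_remote, server => $openvpn_configname } }` and the same for `shaper`. The two new parameters also deserve entries in the comment block above the define, which appears to document the existing options (`# $tls_remote: CN prefix accepted by this daemon (tls-remote matches prefixes)`, `# $shaper: outgoing bandwidth limit in bytes/sec`). The define continues outside this hunk.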
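Review bot: The existence check `grep -q <%= @openvpn_gateway_address %>/24` runs the address as an unanchored regex (each `.` matches any character), so it can match a different address that merely contains the same digits, and the `/24` prefix length is hard-coded for both addresses although nothing here guarantees the interface uses a /24. A fixed-string, field-anchored match such as `grep -qF "inet <%= @openvpn_gateway_address %>/24 "` (and the same for the free address) avoids the false positive, or the script can just run `ip addr add` and tolerate the "already exists" failure. When `@openvpn_allow_free` is true but `@openvpn_free_gateway_address` is still the `REQUIRED` placeholder from openvpn.json, the rendered script runs `ip addr add REQUIRED/24`, so the template should refuse that case rather than emit it. `/bin/echo 1 > /proc/sys/net/ipv4/ip_forward` enables forwarding system-wide and only persists because the reboot cron re-runs this script; a `sysctl` entry would make that independent of the cron job.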
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -11,7 +11,6 @@ define site_shorewall::dnat_rule { destinationport => $port, order => 100; } - shorewall::rule { "dnat_udp_port_$port": action => 'DNAT', @@ -21,5 +20,25 @@ define site_shorewall::dnat_rule { destinationport => $port, order => 100; } + if $site_openvpn::openvpn_allow_free { + shorewall::rule { + "dnat_free_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + shorewall::rule { + "dnat_free_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } + } } } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 9cf85f0c..cd67d1fd 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,5 +1,13 @@ +<%- cert_options = @webapp['client_certificates'] -%> production: admins: [admin] domain: <%= @provider_domain %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + +cert_options: + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + free_certs_enabled: <%= @webapp['allow_free'].inspect %> + free_cert_prefix: "<%= cert_options['free_prefix'] %>" -- cgit v1.2.3 From 08c6032837e2f1c4c504976074c456e04202c64a Mon Sep 17 00:00:00 2001 
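Review bot: The new free rules match exactly the same packets as the existing ones — `source => 'net'`, same `proto`, same `destinationport => $port`, `order => 100` — and differ only in the DNAT target, so unless `shorewall::rule` is also given an `originaldest` (not visible in this hunk), whichever rule Shorewall emits first captures all traffic to `$port` for both public addresses and the other gateway is unreachable; with identical `order` the emission order presumably falls to fragment name sorting, which would place `dnat_free_*` ahead of the paid rules. Pin each rule to its own public address: `originaldest => $site_openvpn::openvpn_free_gateway_address,` on the free rules and the paid gateway address on the existing ones. The define continues outside this hunk.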
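Review bot: `client_cert_lifespan: <%= cert_options['life_span'].to_i %>` discards the unit suffix, so provider.json's `"2m"` renders as `2` and `"2d"` or `"2y"` would render identically — the webapp cannot tell which was meant. Either render the raw string and let the consumer parse it, or convert to a fixed unit here and name it in the key (e.g. `client_cert_lifespan_days:`), after confirming what the webapp expects. `free_certs_enabled: <%= @webapp['allow_free'].inspect %>` renders `nil` when the key is absent, which YAML reads as the string "nil" — truthy in Ruby, i.e. free certificates enabled by omission; `<%= (!!@webapp['allow_free']).inspect %>` always yields a real boolean.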
From: elijah Date: Tue, 5 Mar 2013 13:11:10 -0800 Subject: change json comment to '//' --- provider_base/services/webapp.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 8ede0ecf..ea79d7c4 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -2,8 +2,8 @@ "webapp": { "modules": ["user", "billing", "help"], "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", - # NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163 - # before we can use user "webapp" + // NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163 + // before we can use user "webapp" "couchdb_user": "= global.services[:couchdb].couch.users[:admin]", "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", -- cgit v1.2.3 From 97a17c393f454a32f601db5b6522dd425f325ff3 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 14:58:51 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index dcb8a082..b915a67c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit dcb8a082ac842b0660819ea61f9448c4e373746e +Subproject commit b915a67c6e7e3b1b75400dbbd4a9ac961c8eb032 -- cgit v1.2.3 From 77c8025aebe3a7b83fc128be6e0abe511f9f0888 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 16:36:54 +0100 Subject: increase Exec timeout for dist_upgrade --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index f8ea05fc..91301efd 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp 
+++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,6 +1,6 @@ class site_apt::dist_upgrade { - if $::apt_running == 'true' { + if $::apt_running == 'true' { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') } else { exec{'initial_apt_update': @@ -10,6 +10,7 @@ class site_apt::dist_upgrade { exec{'initial_apt_dist_upgrade': command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", refreshonly => false, + timeout => 1200, } } } -- cgit v1.2.3 From 402bb92da08b0c0a46be643963a87576e558b589 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 8 Mar 2013 23:07:13 -0800 Subject: node environment: switch from production=true to environment=production. requires latest leap_cli --- provider_base/common.json | 3 +-- provider_base/services/ca.json | 2 +- provider_base/tags/development.json | 3 +++ provider_base/tags/local.json | 2 +- provider_base/tags/production.json | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) create mode 100644 provider_base/tags/development.json diff --git a/provider_base/common.json b/provider_base/common.json index e674edb6..dc59b88e 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -1,5 +1,6 @@ { "ip_address": null, + "environment": null, "services": [], "tags": [], "domain": { @@ -24,8 +25,6 @@ "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert" }, - "local": false, - "production": false, "service_type": "internal_service", "development": { "site_config": true diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json index 3fb8bf6c..64866ddc 100644 --- a/provider_base/services/ca.json +++ b/provider_base/services/ca.json 
@@ -1,6 +1,6 @@ { "ca_daemon": { - "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", + "couchdb_hosts": "= hostnames nodes_like_me[:services => :couchdb]", "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]" }, "service_type": "internal_service", diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json new file mode 100644 index 00000000..caf18e9d --- /dev/null +++ b/provider_base/tags/development.json @@ -0,0 +1,3 @@ +{ + "environment": "development" +} \ No newline at end of file diff --git a/provider_base/tags/local.json b/provider_base/tags/local.json index 9cb16602..48312b33 100644 --- a/provider_base/tags/local.json +++ b/provider_base/tags/local.json @@ -1,3 +1,3 @@ { - "local": true + "environment": "local" } \ No newline at end of file diff --git a/provider_base/tags/production.json b/provider_base/tags/production.json index b35c0650..ea17498f 100644 --- a/provider_base/tags/production.json +++ b/provider_base/tags/production.json @@ -1,3 +1,3 @@ { - "production": true + "environment": "production" } \ No newline at end of file -- cgit v1.2.3 From f76ab4429aeb5db67b384bfa103b13caaaa09900 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 8 Mar 2013 23:07:29 -0800 Subject: couch - explicitly configure couch port --- provider_base/services/couchdb.json | 1 + 1 file changed, 1 insertion(+) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 1c8005c2..ac84eeb2 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -4,6 +4,7 @@ "use": true }, "couch": { + "port": 5984, "users": { "admin": { "username": "admin", -- cgit v1.2.3 From 057420e9ceabf61d71642ab7d78a8e54d1d74ba3 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 9 Mar 2013 11:57:26 +0100 Subject: use site_couchdb::bigcouch --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 8cfa92ef..193a93e1 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -21,7 +21,7 @@ if 'openvpn' in $services { } if 'couchdb' in $services { - include site_couchdb + include site_couchdb::bigcouch } if 'webapp' in $services { -- cgit v1.2.3 From 82d894e5ac82752e88b193acd015e4544141eae1 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 9 Mar 2013 21:14:31 +0100 Subject: couchdb init file moved to couchdb module --- puppet/modules/site_couchdb/files/couchdb | 160 --------------------- puppet/modules/site_couchdb/manifests/configure.pp | 6 - 2 files changed, 166 deletions(-) delete mode 100755 puppet/modules/site_couchdb/files/couchdb diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb deleted file mode 100755 index ccdfe716..00000000 --- a/puppet/modules/site_couchdb/files/couchdb +++ /dev/null 
@@ -1,160 +0,0 @@ -#!/bin/sh -e - -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy of -# the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations under -# the License. - -### BEGIN INIT INFO -# Provides: couchdb -# Required-Start: $local_fs $remote_fs -# Required-Stop: $local_fs $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Apache CouchDB init script -# Description: Apache CouchDB init script for the database server. -### END INIT INFO - -SCRIPT_OK=0 -SCRIPT_ERROR=1 - -DESCRIPTION="database server" -NAME=couchdb -SCRIPT_NAME=`basename $0` -COUCHDB=/usr/bin/couchdb -CONFIGURATION_FILE=/etc/default/couchdb -RUN_DIR=/var/run/couchdb -LSB_LIBRARY=/lib/lsb/init-functions - -if test ! -x $COUCHDB; then - exit $SCRIPT_ERROR -fi - -if test -r $CONFIGURATION_FILE; then - . $CONFIGURATION_FILE -fi - -log_daemon_msg () { - # Dummy function to be replaced by LSB library. - - echo $@ -} - -log_end_msg () { - # Dummy function to be replaced by LSB library. - - if test "$1" != "0"; then - echo "Error with $DESCRIPTION: $NAME" - fi - return $1 -} - -if test -r $LSB_LIBRARY; then - . $LSB_LIBRARY -fi - -run_command () { - command="$1" - if test -n "$COUCHDB_OPTIONS"; then - command="$command $COUCHDB_OPTIONS" - fi - if test -n "$COUCHDB_USER"; then - if su $COUCHDB_USER -c "$command"; then - return $SCRIPT_OK - else - return $SCRIPT_ERROR - fi - else - if $command; then - return $SCRIPT_OK - else - return $SCRIPT_ERROR - fi - fi -} - -start_couchdb () { - # Start Apache CouchDB as a background process. 
- - mkdir -p "$RUN_DIR" - chown -R "$COUCHDB_USER" "$RUN_DIR" - command="$COUCHDB -b" - if test -n "$COUCHDB_STDOUT_FILE"; then - command="$command -o $COUCHDB_STDOUT_FILE" - fi - if test -n "$COUCHDB_STDERR_FILE"; then - command="$command -e $COUCHDB_STDERR_FILE" - fi - if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then - command="$command -r $COUCHDB_RESPAWN_TIMEOUT" - fi - run_command "$command" > /dev/null -} - -stop_couchdb () { - # Stop the running Apache CouchDB process. - - run_command "$COUCHDB -d" > /dev/null - pkill -u couchdb - # always return true even if no remaining couchdb procs got killed - /bin/true -} - -display_status () { - # Display the status of the running Apache CouchDB process. - - run_command "$COUCHDB -s" -} - -parse_script_option_list () { - # Parse arguments passed to the script and take appropriate action. - - case "$1" in - start) - log_daemon_msg "Starting $DESCRIPTION" $NAME - if start_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - ;; - stop) - log_daemon_msg "Stopping $DESCRIPTION" $NAME - if stop_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESCRIPTION" $NAME - if stop_couchdb; then - if start_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - else - log_end_msg $SCRIPT_ERROR - fi - ;; - status) - display_status - ;; - *) - cat << EOF >&2 -Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status} -EOF - exit $SCRIPT_ERROR - ;; - esac -} - -parse_script_option_list $@ diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 333511b5..c921ad6a 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp 
@@ -1,11 +1,5 @@ class site_couchdb::configure { - file { '/etc/init.d/couchdb': - source => 'puppet:///modules/site_couchdb/couchdb', - mode => '0755', - owner => 'root', - group => 'root', - } file { '/etc/couchdb/local.d/admin.ini': content => "[admins] -- cgit v1.2.3 From 113b44d8ee21e4d9b7a678005f2536f2046ef1b2 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 15:47:31 +0100 Subject: use parameterized couchdb class instead of calling site_couchdb::bigcouch directly --- puppet/manifests/site.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 193a93e1..f55e6925 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -21,7 +21,9 @@ if 'openvpn' in $services { } if 'couchdb' in $services { - include site_couchdb::bigcouch + class {'site_couchdb': + bigcouch => true + } } if 'webapp' in $services { -- cgit v1.2.3 From 0af4cb352017db95606f64f69b316d360bf2675d Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 15:50:43 +0100 Subject: increase timeout for initial_apt_update to 6 min --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 91301efd..08de31bb 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -6,6 +6,7 @@ class site_apt::dist_upgrade { exec{'initial_apt_update': command => '/usr/bin/apt-get update', refreshonly => false, + timeout => 360, } exec{'initial_apt_dist_upgrade': command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", -- cgit v1.2.3 From 0ae8194ef3a3f8065ff455b4daddc0d62c105ace Mon Sep 17 00:00:00 2001 
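Review bot: The 360 s timeout is added only to `initial_apt_update`, while the `initial_apt_dist_upgrade` exec in the context line runs `apt-get -y dist-upgrade`, which on a freshly provisioned host can easily exceed Puppet's default exec timeout (300 s), and a dist-upgrade killed mid-run leaves dpkg with half-configured packages. Its remaining attributes are outside the hunk, so if no timeout is set there, give it one too and say why: `timeout => 0, # a dist-upgrade cut off by the default timeout leaves dpkg half-configured`. The `site_apt::dist_upgrade` body continues beyond the hunk.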
From: varac Date: Sun, 10 Mar 2013 15:55:35 +0100 Subject: futon is enabled by default on bigcouch in default.ini we need to find another way to disable futon, it won't work disabling it here --- puppet/modules/site_couchdb/files/local.ini | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index b3376cbb..22aa0177 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -28,8 +28,10 @@ [httpd_global_handlers] ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} +# futon is enabled by default on bigcouch in default.ini +# we need to find another way to disable futon, it won't work disabling it here # enable futon -_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} +#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} # disable futon #_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} -- cgit v1.2.3 From 46f1b83431cff1c30e7cda9bc99505d35f37f309 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:10:39 +0100 Subject: site_couchdb::configure moved to couchdb --- puppet/modules/site_couchdb/manifests/configure.pp | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/configure.pp diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp deleted file mode 100644 index c921ad6a..00000000 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ /dev/null 
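Review bot: Commenting out `_utils` leaves Futon served by the bigcouch node, as the commit message acknowledges; until the override is placed where bigcouch actually honours it, the admin UI is reachable by anything that can talk to the couch port, so the mitigation belongs at the edge — deny `/_utils` in the `site_couchdb::apache_ssl_proxy` front end seen elsewhere on this page and keep the couch port itself closed to all but the proxy and cluster peers. The two new comment lines should also state the presumed cause so the next reader does not retry this file, e.g. `# bigcouch's default.ini defines _utils and is presumably read after this file (to confirm), so it cannot be turned off here; disable it at the proxy instead`.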
@@ -1,21 +0,0 @@ -class site_couchdb::configure { - - - file { '/etc/couchdb/local.d/admin.ini': - content => "[admins] -admin = $site_couchdb::couchdb_admin_pw -", - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - notify => Service[couchdb] - } - - - exec { '/etc/init.d/couchdb restart; sleep 6': - path => ['/bin', '/usr/bin',], - subscribe => File['/etc/couchdb/local.d/admin.ini', - '/etc/couchdb/local.ini'], - refreshonly => true - } -} -- cgit v1.2.3 From 0f5e0b0e5102deab700d25ca4fd4845f15db8529 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:13:03 +0100 Subject: use bigcouch in site_couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9ecde5e6..35470b5d 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,6 +1,5 @@ -class site_couchdb { +class site_couchdb ( $bigcouch = false ) { tag 'leap_service' - include couchdb $x509 = hiera('x509') $key = $x509['key'] @@ -17,20 +16,18 @@ class site_couchdb { $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - Package ['couchdb'] - -> File['/etc/init.d/couchdb'] - -> File['/etc/couchdb/local.ini'] - -> File['/etc/couchdb/local.d/admin.ini'] - -> File['/etc/couchdb/couchdb.netrc'] + class {'couchdb': + bigcouch => $bigcouch, + admin_pw => $couchdb_admin_pw + } + + Service ['couchdb'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - include site_couchdb::configure - include couchdb::deploy_config - site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': key => $key, cert => $cert -- cgit v1.2.3 
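Review bot: The new chain `Service['couchdb'] -> Couchdb::Create_db['users'] -> …` runs database and user creation as soon as the service resource has been applied, but the `configure.pp` deleted in the preceding commit was also the only place with a `sleep 6` after the restart; if the `couchdb` module's service does not wait for the HTTP port to come up, `Create_db` can race the daemon's startup on the first run. Either confirm the module blocks until the port answers or document the assumption: `# assumes Service['couchdb'] only returns once couch accepts HTTP (was a sleep 6 in the old configure.pp)`. The class body continues outside the hunk.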
From daef6834ad05d8516afc784b5e0cb42ecb84db92 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:14:02 +0100 Subject: automatic update of submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 2df66c04..095a5a01 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 2df66c041109ecca1099bf3977657572cc32ad24 +Subproject commit 095a5a01d5a7c7e3d95a71846220545080f7581c -- cgit v1.2.3 From 73b1d0d7e8f359ff48eab1918282eb8cd2f9afb0 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:14:32 +0100 Subject: automatic update of submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 077d4d15..dafb060f 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 077d4d1508b9ff3355f73ff8597991043b3ba5d9 +Subproject commit dafb060fc57957dbe9e5e90698537e781cebeaf6 -- cgit v1.2.3 From 9532c5947c97f7fbfec686f4e3477b71b2a9800e Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:15:50 +0100 Subject: automatic update of submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 077d4d15..dafb060f 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 077d4d1508b9ff3355f73ff8597991043b3ba5d9 +Subproject commit dafb060fc57957dbe9e5e90698537e781cebeaf6 -- cgit v1.2.3 From 0ffc583488ee044be30ea5bf7fae751505419a9b Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:16:08 +0100 Subject: automatic update of submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 2df66c04..095a5a01 160000 --- a/puppet/modules/stdlib 
+++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 2df66c041109ecca1099bf3977657572cc32ad24 +Subproject commit 095a5a01d5a7c7e3d95a71846220545080f7581c -- cgit v1.2.3 From 9ea188c22774607bd6914334daa3d303c041d9a4 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 17:21:01 +0100 Subject: added bigcouch:cookie to services/couchdb.json --- provider_base/services/couchdb.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 1c8005c2..e7668286 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -4,6 +4,9 @@ "use": true }, "couch": { + "bigcouch": { + "cookie": "= secret :bigcouch_cookie" + }, "users": { "admin": { "username": "admin", -- cgit v1.2.3 From 01941d905a71a2088ec080703f4e5430dec7a2ec Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 17:29:12 +0100 Subject: pass couchdb cookie to class couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 35470b5d..419e4122 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -15,10 +15,13 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $bigcouch_config = $couchdb_config['bigcouch'] + $bigcouch_cookie = $bigcouch_config['cookie'] class {'couchdb': - bigcouch => $bigcouch, - admin_pw => $couchdb_admin_pw + bigcouch => $bigcouch, + admin_pw => $couchdb_admin_pw, + bigcouch_cookie => $bigcouch_cookie } Service ['couchdb'] -- cgit v1.2.3 From 5b582c647fc598222ccaa68046ea55832e1145c4 Mon Sep 17 00:00:00 2001 
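Review bot: `bigcouch_cookie` is the Erlang distribution cookie, i.e. the one shared secret that authenticates cluster nodes to each other, so its value (generated via `= secret :bigcouch_cookie` in `services/couchdb.json`) needs the same handling as the admin password and the nodes' epmd/distribution ports must stay reachable only from cluster members; the hunks in `couchdb.json` and `site_couchdb/manifests/init.pp` both carry it without saying so. A comment at the assignment would make that explicit: `# Erlang cookie: shared secret for node-to-node auth, keep distribution ports firewalled to cluster peers`. `$couchdb_config` is read from outside the hunk, and the class body continues beyond it.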
From: varac Date: Tue, 12 Mar 2013 14:33:52 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b915a67c..546350d6 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit b915a67c6e7e3b1b75400dbbd4a9ac961c8eb032 +Subproject commit 546350d6f6e83e9ea22db79d07bdc38c694fbcdb -- cgit v1.2.3 From 91877ee952ed89107f800309c23c34e84fc3fd90 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Mar 2013 16:10:06 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 546350d6..7c9462a0 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 546350d6f6e83e9ea22db79d07bdc38c694fbcdb +Subproject commit 7c9462a0fab1c6e499b62caa2093dedfa9c8adc8 -- cgit v1.2.3 From 9c1c97b2e2e5b2f361bebe991d7229d271773e24 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Mar 2013 23:54:28 +0100 Subject: enable leap deb package repository and leap apt key on all hosts --- puppet/manifests/site.pp | 2 + puppet/modules/site_apt/files/keys/leap_key.asc | 63 +++++++++++++++++++++++++ puppet/modules/site_apt/manifests/init.pp | 3 ++ puppet/modules/site_apt/manifests/leap_repo.pp | 6 +++ 4 files changed, 74 insertions(+) create mode 100644 puppet/modules/site_apt/files/keys/leap_key.asc create mode 100644 puppet/modules/site_apt/manifests/leap_repo.pp diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f55e6925..10ea40c6 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -1,6 +1,8 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +$custom_key_dir = 'puppet:///modules/site_apt/keys' + # make sure apt is updated before any packages are installed include apt::update Package { require => Exec['apt_updated'] } diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc new file mode 100644 index 00000000..b69251f0 --- /dev/null +++ b/puppet/modules/site_apt/files/keys/leap_key.asc 
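Review bot: `$custom_key_dir` turns every file dropped into `site_apt/keys` into a package-signing authority for all hosts (presumably the apt module imports the whole directory), but this commit records no fingerprint for `leap_key.asc`, unlike the cloudant key commit further down this page, so a reviewer cannot check what was actually committed. Add it next to the assignment: `# every key here is trusted on all hosts; leap_key.asc fingerprint: <FINGERPRINT — fill in>`. The variable is read at top scope by the `apt` module, so it has to stay above the `include`s that follow, as it does here.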
@@ -0,0 +1,63 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en +Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ +LRz9WSWqDjOAYsb4B5pwmSPAKYtmRAxLVzdxUsuHs2HxRO4VWnaNJQEBj7j7zuGs +gvSJBSq9Vici6cGI9c1fsWyKsnp7R6M54mmQRbsCg2+G/N0hqOz0HE6ZlJKVKaZq +uTrPxGWFuU3mAUpzFLa6Wj8DSUYiWZ/xrqiFdbB4t1HM3vlKB9LEg93DEuG/8Q0T +g2KS0lEWxequBXyE6+jklDNqJeyHmfgkuAfFlkNYa5870XT87MzGE/hS40lbmhQV +HHlwxMkAiERMc0Ys+OfgUJMbIDQBNRFg3Q/bjajFoVBgBoKFp7C22zgoJkUNT+7H +Yv/t6zeDlIzNhgYms5d0gEiAeLauwju36BmwUsbQHwejWKP8pADRZL1bTj0E+rRU +M4FFNh9D2XTFFKaaNubub8tUmo+ZUIEEKfPhNHK9wS/bsFyPv9y3HLe2b3NYGFK5 ++Hznqg8N0H+29I7zLx7VpOh3iRN3Lbxv9dMmukVJtw8Rq/Udprd3Z5p8oCisFo+k +nY+J+IgNjC0eniN8rkkl/4rIN5fvvOR8YCts50hL1fAy3dd/MKExz+QTXQARAQAB +tClMRUFQIGFyY2hpdmUgc2lnbmluZyBrZXkgPHN5c2RldkBsZWFwLnNlPokCHAQQ +AQoABgUCURPzwAAKCRBIWxL6IY6B65FzEACn1Q+9dcLig6yCRPGF8d5qdnWYquts +fLc/W8P9uFCo4bLFhy+BlalZVhOSPt2KMBCApoW0fAc5aXOWjxEmtFOvziPtJ0N7 +uJj7y8XLk1//v7QXDJNYotiO82b9XTmF2G9URhxe/YU7mgx1cRW9X2h6LOG4VCIw +Bd00wM9vV984f50hpftdyjCcWTO9WoSus7dOL457DhcX7uX89AGUJLC9RTiaDtIL +/G/VEM8pIx5zW6Q2TwUXndVsNqyG5s0J0908KNyp5IPI66M07rR939JVAL8HXMxY +KdA9pxkKzPSThx8yWZknJoINsUhrd5ijfiA6kM7HJlJF1SnwyHSSs3KydKHj5zN2 +n3oGGT0bjZiXZHShsWa5mjEvCJ7oqwtcCdo8thW128LY2/0h3JkSsYdgdsJjGJbG +76nYjCIZYa6the4+QI8HM2WG5nrZL4B/EnYHK2lDdeVy/ynu96YhC4mdk566Vcqs +RrWJgRxImkSbxp3f6SAOsLwOdmrs52wCoEpAYPMbu79jb2G7JbR4uDB0i/pXCp+c +aleyKb4ve2EjHAY/VPF5BXKaQh3JIvGKVEZIv5ospoosr78UHBk60RMMzDSlOFso +BcB6Plpqoq4lI/4Zh8M1+eDjAOnOKwQanS4Hv7O2PqldGBUAXS3m6OI2Kvv3VqnM +X0GOB2sX4Ox8UYkCPQQTAQoAJwUCURLC3QIbAwUJAeEzgAULCQgHAwUVCgkICwUW +AgMBAAIeAQIXgAAKCRAeNKGCjiB5AZBiD/wJwUVZjfNeWdpKrYy9HtZExtTcU/94 +3lgRUNinUuLPFU4i2s+hR3h5fzXR15nUD+IBJlXlzLV2G/IjXYPTp4a0gqHpWULa +b5Stu7AzFiO42/RWUAzWD1Fyh6SuZ3FDERvheid8s4SXoe6y4cJ5ErfSlJS6qqku +8ss8mS8lM1Mp+lc9wYTWQ+8hmSUivAZb9WLEljFxhvEnvAKPwD18o7+S9GABFwYs 
+xflQvKZHguaOVqBEksry+vu8okWNrg3Ll3dDQEeahr7nrLrHe8gqONJgOE9jjxRv +bJmGtIUTyGqgWZZzBfQXL/6uXL23bWkYZDkQNhfsm+colAV8gpj+/E3q/uMXwqz1 +bv06K/LsK3NHzBNE57kJHEhg9K3Uw2Wx5qwFMU1GDxsB3P9p+TyqAboEZAB2irTR +y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp +F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ +M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo +qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw +F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm +g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT +q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT +sAAQ527wz742Bd6SpuhqBpdEw6YiCYxEoo5kBY3IhP3L5OTS4tzhOkdf1xlhWSnC +FE7NkPcK6o+r6qCcUqRGV9jRwI97JlPKegEHYWvLD4Sk31pWi8NZ0toU/nqRvxbh +htHxuNf3jeAAzxQBhGVi0C/IBr4vqyFqmEHr9JxIa3DTV8w/a0Y4hX2bczL9Y1cB +6n8qOA68aAn+xerJcSOroTIJh83D/7OguexGGYoZBDvX6dWguf8udFPeYpJvkT6T +SYF9U0JpVTtlCNutjScUO2uaV9+uDqACngwqbzBTjL8UucAleVcFfOi48yepnOd1 +1YFYxbw+/BcqLNhi1eP2AaGxIgXbR88tF9OC0SXaCH+1Z1bbalOmQNYstOv9BbsH +vW7mPgX2xhyoDkVRWaNAQoDLbnJr4gi9cD8/kQMzdlGOzt2ist/+xueblXJs5TOO +80Rw+AEAEQEAAYkCJQQYAQoADwUCURLC3QIbDAUJAeEzgAAKCRAeNKGCjiB5AdMq +D/9SXulJq6Q4U7aN6o7TLMU2MgqeWqtBqwTNIisBoSJjXq9Od4iN2S5Akwo/ZQO0 +1nRNPPc9yjwidgb7wCUFDNglUDuGS2nXaQ0XAO83qHMOsORN2S93dO6xVRX2Chhz +l9bUr1WIQcM+lIs/LZCX2rvKlsFYmZQHX/ibhQs7T01RXajwJqwxyXyVPL+kPNeo +wva4ZUf6rzdqKZLfFgyJyGdHI18bF6lahgHdN2OOawEeU2K+MlluR3ZahoyN4u1M +qijf6snmfd0++EIqDHwYPn70F4JPdMhyuVpYBVyVtsgHy9W5fS+zSj+vX+qj6MBX +dFBs+a9nr8GZJO4BUP2mtyNgmEfUVQefSHnq+0OlGPZG4raxTEqJfp2KTRCGB4hI +zYWO1g1cOBeXxFfXJdkX8LoKbP5s2Kzn9sAK6BxmazOvSNpuimCDNvKjR00iKNS4 +Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl +cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP +Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 +JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== +=4STg +-----END PGP PUBLIC KEY 
BLOCK----- diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 80c6fbde..1f8456b2 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -2,6 +2,9 @@ class site_apt { include ::apt + # enable http://deb.leap.se debian package repository + include site_apt::leap_repo + apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp new file mode 100644 index 00000000..7b2128cd --- /dev/null +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -0,0 +1,6 @@ +class site_apt::leap_repo { + apt::sources_list {'leap.list': + content => "deb http://deb.leap.se/debian $::lsbdistcodename main" + } + +} -- cgit v1.2.3 From e29cd9b4f4d26afd28b31c5b225eb1bac3416ed0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 Mar 2013 10:35:15 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7c9462a0..f6f1af54 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7c9462a0fab1c6e499b62caa2093dedfa9c8adc8 +Subproject commit f6f1af547d4be89cc9b3ac03eb9ab23ba41ee7a7 -- cgit v1.2.3 From 65afb3a013fedd7c2d5eef15ac879a41c51de8e0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 Mar 2013 10:56:24 +0100 Subject: install apt key before apt-get update --- puppet/modules/site_apt/manifests/leap_repo.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 7b2128cd..81559abd 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp 
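Review bot: `leap.list` is pulled in unconditionally by the `include site_apt::leap_repo` hunk above, so every host now takes packages from `deb http://deb.leap.se/debian` over plain HTTP, and integrity rests entirely on apt's Release-signature check against the key shipped in `site_apt/keys`. That dependency should be written down where the source is declared: `# plain http is acceptable only because apt verifies the Release signature with site_apt/keys/leap_key.asc`.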
@@ -1,6 +1,7 @@ class site_apt::leap_repo { apt::sources_list {'leap.list': - content => "deb http://deb.leap.se/debian $::lsbdistcodename main" + content => "deb http://deb.leap.se/debian ${::lsbdistcodename} main", + before => Exec[refresh_apt] } } -- cgit v1.2.3 From 19cb13cf3f71bd9b99bed8c0bc214325460d8459 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 Mar 2013 14:26:13 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f6f1af54..f0e4edd5 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f6f1af547d4be89cc9b3ac03eb9ab23ba41ee7a7 +Subproject commit f0e4edd5861107014ebb53c1ee4897f8e0bde8d8 -- cgit v1.2.3 From 04d9283f30993ce201ccee47bcef3a55239c5ad8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 11:43:11 +0100 Subject: added cloudants apt key, FP: BAF9 B315 D438 5FB9 B5DE 334B 59E0 1FBD 15BE 8E26 --- .../modules/site_apt/files/keys/cloudant-key.asc | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 puppet/modules/site_apt/files/keys/cloudant-key.asc diff --git a/puppet/modules/site_apt/files/keys/cloudant-key.asc b/puppet/modules/site_apt/files/keys/cloudant-key.asc new file mode 100644 index 00000000..99716a3c --- /dev/null +++ b/puppet/modules/site_apt/files/keys/cloudant-key.asc 
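Review bot: `before => Exec[refresh_apt]` orders only the sources list before the refresh, while the commit subject promises the key is installed first; nothing in this hunk orders the key import from `$custom_key_dir` ahead of the same exec, so unless the `apt` module does that itself the first run refreshes with `leap.list` present and the key absent and fails signature verification for deb.leap.se. If the module guarantees it, a comment stops the next reader from asking the same: `# key import is ordered before refresh_apt by the apt module's custom_key_dir handling (to confirm)`; if not, add an explicit edge from the key resource to this one.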
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFE7fhIBEACrDREcODnhdugNozMeBawOm2irpNCP54yMljST/DOXx1uo3gQw +HnVcQ4lL7lXhbfL6Tp0WhrNYTWbbWHO0DaQbW0GQMHa2BGG0Xm0HPrjr3j55tAcM +NPr0ArDuplq4Py2pwviZiEtQkkn+biH9oV+N3jNO+8+zVHLVU7pHaX6Yd7HAxFM8 +XX+7SeVtplZ7nvSxUREiMNxQb9o0kYNRPS+b0UjiIXHrFO9afl7lTdg/I8AhKWa0 +3jJoY/IRvVopJblISQNGFipR11Lpu5sOHghgz4V8mk/in7JLMmoqSl5DP5VhRII8 +OyADBjaUJD2mkv5cGaevqpB4AId78X9+Y62gFJrGkIHY9uBxIUkRe+leYI4Zz4Bm +D9qBIbEY/kKkblTlC1G7u3qbGQcsbCRVIOnhruCih7vifcP40YwGUk5NmDA5AE78 +OovCGYGp4zMepDTSJxGT3sJOTEbzN09so6C7fQWBeQiiG5Uepp1q+VnaGpT1L4rc +Y6yRbu9dOFj6WzY4W5HtnbalzTIEYy+SIGZqRkJt6jREYLiFfyrpSFIgGoJAs0yx +9M0McXfeOod69TPufB1PeppnBwFcTmYNYxakusQxAebRDPEBZqoEgl0gMmxWbAdI +nxGMWWnSsN/Dj0dXRf1MG/5akOhX2zQcUzBOE2m/Xr5kjDPYFtFxVJDGzQARAQAB +tDNDbG91ZGFudCBQYWNrYWdlIFNpZ25pbmcgS2V5IDxzdXBwb3J0QGNsb3VkYW50 +LmNvbT6JAj4EEwECACgFAlE7fhICGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJEFngH70Vvo4mciIP/AlqHA/LDtSYfrFwdXifY2ImCMyzYvH40Ko2 +DHCw2qDjvK5UXn1iWuzXidT7DrxOfYoZpzySRP7VGyHxa3VPhOtzLDZSvTpk9ELo +2x2IczUwLC17M0Iis4CpqlxSFIBYGX78pMzvsEyC4TFqUDfXRlye3apjD0iwK0hE +kdP1+TPdJjhWImJm+3TLu45zTw3Ph5dnf5pLQPNhKfBSdku+vRrd35N5hHso9S1y +Z3NrxcQlWnXuqkLIA14gM7qbBFD+el9Y+tZ7ERGYg3s5uNDQRTb0QC8zg/um2+zW +4hHmuRcWY3n8IgHcYUruC1VyrrsFIWWMyLv7SZkAAoSY+jKyESDfYpJQ8jtZ4EF9 +2/gYm4FgZR8j4gWkzHSLGVt/4EIykJZb0yIg/QEovmmHqpy8xYri3goMSl4h7tfF +TOCZLTzTyQ7xONdyEsrvQPhmdtXEgvSo5S7ZU9kkx32OjCoshLLjhtqAipBgEXqb +hElFo1oSyOVoGc7UNh7KNBjWfeP8dNdCbIbIYPMeM0/CVjD60kW5ZEVDuYglT+Rz +enJJvS4Hs+fq8cFNxMB+l64qE7iS+I6RP2bPeQM2aBa2UZNWxUIbXF7bb3zLrCGn +GT8GF1AFRoW3GiDzB7QnLVp8BhIaqFUzbDim+5mFFG8wguxHTiz4snDdQXq2Es6V +UETFsNsluQINBFE7fhIBEADIyLHyBh8AKJKQHksFAPHOyA48ocxgQDpQnqYlQcAK +D8eUbRXciIz4ePBmvjaQmz8wJgWULc04u4i9jK8Jd/Ks+VhEz3AjRBfjvkBaVMog +FMPKaoDn9LVMBSZJ3fcC1DVck1oO8LnFIdktt0zhvzG+pV5b/UTRsVZmwNh1p2dM +4cJswxlksJXYnI9tFA74qiomDCPYM0zpv7TEjX23PZTLqTSHP5aWctx+MIEtdoqp 
+EsEDL6npvYBRz/tuL41cUWs7CItH131Hyuizo4vGrxgWPnoXIxLmLOOZCMk/kbx0 +XCSvengqYwNgAOlIjewtTw+WJm1gtNQQeKmaXBX7njf2Wz7LI/0KVxttEpKT5/5y +embOGn7My9i7zOc1frMCDivIOTQDBZTzR9o7/6wUJ69DIoFLMlO8UcCK3R7o5VUI +ezx+XYsOAD7D2vKoiD8Se65Vnax2rfFlLP7OQqdem5l2lkHpJzP3lA8qmA2MfJ7V +jsk7eDSyJQjG5c6KBoaFlYGhp/E2kR82cAKVaFIbW3euMM4XK6Mgzy3+DVKfk8mu +AEuHub7plfxM+65yjLNAK6l6IKtY1HfM7F4GFyNSd3mNNcWN7ceIHh8Ur4DeD2Tp +7r3XcWd6/czLYNsw2BAHeVUxnMTCeGN99UZTtHgVq9IJMOCDOPwMSzHFfZ6sNaYL +qQARAQABiQIlBBgBAgAPBQJRO34SAhsMBQkB4TOAAAoJEFngH70Vvo4mpokP/jJJ +2mXdhMVqZCtZhwphJfdxg8nBERzrd6ebXxKbTq1MmSN/fDwLknPabFHUpzk1ADCf +6mh2o0HB+67yMzo1UVtyfPOaHgCE/pWer5ultJM8gOdpBfSWL8jRwU8ZQ4fDu3z8 +AC6zTNq7znOVLEzZPy8U7q5Rt5/6QdQYoTLe6DwlLmkflzWP5VWi/mTGvtu/t5OV +tGZkzBYQ5QAXRXXkKswqkJpQFuW6d1vlYm9+x/+Q1+2kGT+CKbRAkqkf77qVcyJR +1M2JQSs4ko+rLMZzr01sYA+EBD17nxqV8vUdYebNc9Qnk8Aphid1zarUbySgAdnJ +5SLAjLe/6N6IEE9F3uKsPEs87gJrnwrYHRrmu0wAPwA0cMmtgD4Bz7Iiz4CLYPFW +rHpQCA313K+rS/LLfLBL66wIRKcPuYIFR9N03jX9eGR6qtk0b5Zb3YjWOo4V9Q1r +o+g6IB0Us5vH6ISuokq7Bv+8cXhEMVoctL9A8xWN1KDkweZ+7dNWCGV8lUWKy3Hw +ig6hENH6H7J57U8H2v2aZTeUo6e7VDP9gddNKPSEEeoBKfVnWYGoG8mVPQ2PzTgZ +ZO2vwp4c3Ix/kIV3xe+/Opcq1lxYhD7HSre1MB7HOeFmis6tBBjMJPaatZVfzj1v +6Uhz5oUCwcPol8rsp69DvGVUPSHfDwBxurDX71oG +=lEm7 +-----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From c13bbca2cbf1c458aae32460e758d5e7d8a46183 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 15:35:50 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f0e4edd5..77b80561 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f0e4edd5861107014ebb53c1ee4897f8e0bde8d8 +Subproject commit 77b80561e187c93f7c48f5ac4136e800702b0cec -- cgit v1.2.3 From e358ef4e33cbf9411d57c11d58657331d7ba8a62 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 14 Mar 2013 18:01:01 +0100 Subject: use custom preferences for couchdb host --- puppet/modules/site_apt/manifests/init.pp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 1f8456b2..f420b0cc 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,6 +1,13 @@ -class site_apt { +class site_apt { - include ::apt + # on couchdb we need to include squeeze in apt preferences, + # so the cloudant package can pull some packages from squeeze + if 'couchdb' in $::services { + $custom_preferences = 'site_apt/preferences.include_squeeze' + } else { + $custom_preferences = '' + } + class {'apt': custom_preferences => $custom_preferences } # enable http://deb.leap.se debian package repository include site_apt::leap_repo -- cgit v1.2.3 From 0984ad1726a9166d7143fcdee5dd000f715e6150 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 18:02:47 +0100 Subject: evalute $services before including site_config::* --- puppet/manifests/site.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 10ea40c6..34c19370 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -3,6 +3,10 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $custom_key_dir = 'puppet:///modules/site_apt/keys' +# parse services for host +$services=hiera_array('services') +notice("Services for ${fqdn}: ${services}") + # make sure apt is updated before any packages are installed include apt::update Package { require => Exec['apt_updated'] } @@ -13,9 +17,6 @@ import 'common' include site_config::default include site_config::slow -# parse services for host -$services=hiera_array('services') -notice("Services for ${fqdn}: ${services}") # configure eip if 'openvpn' in $services { -- cgit v1.2.3 
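Review bot: The `class site_apt {` line is removed and re-added with no visible difference, which almost certainly means trailing whitespace was introduced on the new line; drop it so the diff shows only the real change. The `else` branch sets `$custom_preferences = ''`, and what the `apt` module does with an empty string (no preferences file, or an empty one that leaves every source at default priority) is not visible here — confirm and note it: `# '' presumably makes the apt module keep its default preferences (to confirm)`.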
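Review bot: `notice("Services for ${fqdn}: ${services}")` interpolates the fact unqualified while the rest of this series uses `$::services` and `${::lsbdistcodename}`; use `${::fqdn}` for consistency, and `$services = hiera_array('services')` with spaces around `=` to match the other assignments. The move itself should carry the reason the commit subject gives, since nothing in the file shows why the order matters: `# must be set before site_config::* is included: site_apt reads $::services`.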
From 0c61b8e76a4bf813886d4f8458b6002f7d143faa Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 18:27:51 +0100 Subject: added apt preferences template that includes squeeze --- .../site_apt/templates/preferences.include_squeeze | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 puppet/modules/site_apt/templates/preferences.include_squeeze diff --git a/puppet/modules/site_apt/templates/preferences.include_squeeze b/puppet/modules/site_apt/templates/preferences.include_squeeze new file mode 100644 index 00000000..d10c2864 --- /dev/null +++ b/puppet/modules/site_apt/templates/preferences.include_squeeze @@ -0,0 +1,25 @@ +Explanation: Debian wheezy +Package: * +Pin: release o=Debian,n=wheezy +Pin-Priority: 990 + +Explanation: Debian wheezy-updates +Package: * +Pin: release o=Debian,n=wheezy-updates +Pin-Priority: 990 + +Explanation: Debian sid +Package: * +Pin: release o=Debian,n=sid +Pin-Priority: 1 + +Explanation: De +Package: * +Pin: release o=Debian,n=squeeze +Pin-Priority: 980 + +Explanation: Debian fallback +Package: * +Pin: release o=Debian +Pin-Priority: -10 + -- cgit v1.2.3 From 3a99b7085c5a6c329adb9277b71f41e0ad9478a4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 18:28:44 +0100 Subject: pass template() to apt --- puppet/modules/site_apt/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index f420b0cc..de854d58 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
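Review bot: `Explanation: De` on the squeeze stanza is truncated (the others read `Debian <suite>`), and it is the stanza that most needs explaining: with `Pin-Priority: 980` any package that exists only in squeeze is installed from squeeze and tracked there from then on, so those packages follow squeeze's update lifetime rather than wheezy's. Write the reason given in the `site_apt` init.pp commit into the file, e.g. `Explanation: Debian squeeze - only for packages missing from wheezy (bigcouch/cloudant dependencies)`. The trailing empty line at the end of the file is harmless but unneeded.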
@@ -2,8 +2,9 @@ class site_apt { # on couchdb we need to include squeeze in apt preferences, # so the cloudant package can pull some packages from squeeze + # template() must be unquoted ! if 'couchdb' in $::services { - $custom_preferences = 'site_apt/preferences.include_squeeze' + $custom_preferences = template("site_apt/preferences.include_squeeze") } else { $custom_preferences = '' } -- cgit v1.2.3 From cd5394748dd83d3fa5c8a67dc6123e3b02034c2e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 19:10:49 +0100 Subject: include cloudant package repo for bigcouch server --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 419e4122..25956938 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -23,6 +23,7 @@ class site_couchdb ( $bigcouch = false ) { admin_pw => $couchdb_admin_pw, bigcouch_cookie => $bigcouch_cookie } + include couchdb::bigcouch::package::cloudant Service ['couchdb'] -> Couchdb::Create_db['users'] -- cgit v1.2.3 From 00254ef4fda9b9be88d69df498c3c53c8a6a79da Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 20:34:10 +0100 Subject: automatic update of submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index f16a0727..c8a28eb8 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit f16a0727dce187d07389388da8b816f7b520205d +Subproject commit c8a28eb80ec87e65d5cacb2d109d4c0bcbbc76db -- cgit v1.2.3 From 5af58e103fb8a45d095786777909d19e6dabb120 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 22:20:35 +0100 Subject: automatic update of submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
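Review bot: The new comment `# template() must be unquoted !` is misleading, since the call's argument is quoted; what actually changed is that `custom_preferences` now receives rendered template content instead of a path string. Suggest `# custom_preferences takes file content, so pass template() output rather than the template path`. The argument uses double quotes without interpolation; `template('site_apt/preferences.include_squeeze')` matches the quoting used elsewhere in the class.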
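Review bot: `include couchdb::bigcouch::package::cloudant` is added unconditionally, although the hunk header shows the class is declared as `site_couchdb ( $bigcouch = false )`, so nodes that are not bigcouch servers presumably also get the third-party cloudant package repository enabled (what that class does beyond its name is not visible here — confirm). Guarding it, `if $bigcouch { include couchdb::bigcouch::package::cloudant }`, keeps external package sources off plain couchdb nodes. The enclosing class body continues outside the hunk.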
diff --git a/puppet/modules/apt b/puppet/modules/apt index c8a28eb8..7e8113b3 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit c8a28eb80ec87e65d5cacb2d109d4c0bcbbc76db +Subproject commit 7e8113b3fcf6f251ca9d5e2f39f43fd024058c97 -- cgit v1.2.3 From 3c5c31e74954ebb7a55c9455809ea55375f273d5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Mar 2013 13:49:38 -0400 Subject: add shared stunnel module --- .gitmodules | 3 +++ puppet/modules/stunnel | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/stunnel diff --git a/.gitmodules b/.gitmodules index 45763175..b97971fc 100644 --- a/.gitmodules +++ b/.gitmodules @@ -67,3 +67,6 @@ [submodule "puppet/modules/tor"] path = puppet/modules/tor url = git://labs.riseup.net/shared-tor +[submodule "puppet/modules/stunnel"] + path = puppet/modules/stunnel + url = git://labs.riseup.net/shared-stunnel diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel new file mode 160000 index 00000000..03b51fcb --- /dev/null +++ b/puppet/modules/stunnel @@ -0,0 +1 @@ +Subproject commit 03b51fcb718734f4b2ea76c038ffbe9b2b348b1a -- cgit v1.2.3 From d4b45da9a521a6faf17f9ba7742bcee897a503cc Mon Sep 17 00:00:00 2001 
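Review bot: The new `puppet/modules/stunnel` submodule is fetched over `git://`, an unauthenticated and unencrypted transport; the existing `tor` entry in the context lines does the same. Because the superproject pins commit `03b51fcb718734f4b2ea76c038ffbe9b2b348b1a`, a substituted history would not match the recorded hash, which limits the exposure, but an `https://` URL for the same repository (if the host offers one — not visible here) would remove the dependence on that check alone. Consider migrating the existing `git://` entries at the same time.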
From: Micah Anderson Date: Thu, 14 Mar 2013 13:58:06 -0400 Subject: remove apache ssl proxy in preparation of replacing it with a stunnel setup This presents us with an interesting problem of deprecation. We need to manage the removal of something that we previously installed in any released code. How long we carry the puppet code that removes raises some interesting questions: do we require that someone who deployed version 1 (where the apache ssl proxy was deployed) of the platform upgrade first to version 2 (where we remove the apache ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal is no longer present) -- or do we allow people to skip versions? --- .../site_apache/files/vhosts.d/couchdb_proxy.conf | 10 -------- .../site_couchdb/manifests/apache_ssl_proxy.pp | 30 +++++++--------------- puppet/modules/site_couchdb/manifests/init.pp | 7 ++--- 3 files changed, 11 insertions(+), 36 deletions(-) delete mode 100644 puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf deleted file mode 100644 index 0dff2cd6..00000000 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ /dev/null @@ -1,10 +0,0 @@ -Listen 0.0.0.0:6984 - - - SSLEngine On - SSLProxyEngine On - SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key - SSLCertificateFile /etc/x509/certs/leap_couchdb.crt - ProxyPass / http://127.0.0.1:5984/ - ProxyPassReverse / http://127.0.0.1:5984/ - diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 7739473e..536dd8db 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp 
@@ -1,25 +1,13 @@ -define site_couchdb::apache_ssl_proxy ($key, $cert) { +class site_couchdb::apache_ssl_proxy { - $apache_no_default_site = true - include apache - apache::module { - 'proxy': ensure => present; - 'proxy_http': ensure => present; - 'rewrite': ensure => present; - 'ssl': ensure => present; - } - apache::vhost::file { 'couchdb_proxy': } +# This is here to disable the previously configured apache ssl proxy +# we were using this, but have switched to stunnel instead. +# +# Unfortunately, the current apache shared module doesn't handle +# ensure=>absent, so this is going to be done the crude way, and will only +# work for debian+derivitives, which is fine for now, but not good for the +# future - x509::key { - 'leap_couchdb': - content => $key, - notify => Service[apache]; - } - - x509::cert { - 'leap_couchdb': - content => $cert, - notify => Service[apache]; - } + package { 'apache2': ensure => absent } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 25956938..6f648c51 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -30,12 +30,9 @@ class site_couchdb ( $bigcouch = false ) { -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] - -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': - key => $key, - cert => $cert - } + # this is here to disable and remove the proxy + include site_couchdb::apache_ssl_proxy couchdb::query::setup { 'localhost': user => $couchdb_admin_user, -- cgit v1.2.3 From 8687640aa9ec3591d0f038e40547a7c9c5e59443 Mon Sep 17 00:00:00 2001 
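Review bot: `package { 'apache2': ensure => absent }` removes the package but leaves its configuration behind, including the couchdb_proxy vhost previously deployed from the file this commit deletes (it listens on 6984 and names the leap_couchdb key and cert paths); `ensure => purged` also drops the conffiles, so a later reinstall of apache2 cannot silently bring the proxy back. Nothing in this hunk or the init.pp hunk in the same commit removes that vhost file or the modules the old define enabled, which is worth stating in the class comment if it is intentional. The comment also has a typo, `derivitives` → `derivatives`, and could note that the class keeps the old name only for the removal path.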
From: Micah Anderson Date: Thu, 14 Mar 2013 14:05:23 -0400 Subject: add a basic site_stunnel that takes care of some generic functionality that all stunnel client/servers will need handled (at least in debian and ubuntu) --- puppet/modules/site_stunnel/manifests/init.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 puppet/modules/site_stunnel/manifests/init.pp diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp new file mode 100644 index 00000000..6ba2c4b8 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -0,0 +1,18 @@ +class site_stunnel { + + # include the generic stunnel module + # increase the number of open files to allow for 800 connections + $stunnel_default_extra = 'ulimit -n 4096' + include stunnel + + # The stunnel.conf provided by the Debian package is broken by default + # so we get rid of it and just define our own. See #549384 + if !defined(File['/etc/stunnel/stunnel.conf']) { + file { + # this file is a broken config installed by the package + '/etc/stunnel/stunnel.conf': + ensure => absent; + } + } +} + -- cgit v1.2.3 From 42a040ac79e1c92d12b6bb9661bbf05ace44d622 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Mar 2013 18:22:15 -0400 Subject: add couchdb stunnel server --- puppet/modules/site_couchdb/manifests/init.pp | 8 +++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 42 ++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/stunnel.pp diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6f648c51..d317de65 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
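Review bot: The `file { '/etc/stunnel/stunnel.conf': ensure => absent }` resource declares no ordering relative to the package the `stunnel` module installs, so on a first run where the package lands after this resource is applied, the shipped stunnel.conf reappears until the next run; a `require` on that package resource (its title lives in the stunnel module, not visible here) fixes the order. `defined(File[...])` is evaluated in parse order, so whether the guard fires depends on which class happens to be evaluated first. `$stunnel_default_extra` set before `include stunnel` presumably relies on the module reading it through dynamic scope, which Puppet 3 deprecates; a class parameter on the stunnel class would be the explicit form if the module offers one.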
@@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) { $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] + $ca = $x509['ca_cert'] $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -34,6 +35,13 @@ class site_couchdb ( $bigcouch = false ) { # this is here to disable and remove the proxy include site_couchdb::apache_ssl_proxy + # the above apache_ssl_proxy is replaced by the following stunnel + class { 'site_couchdb::stunnel': + key => $key, + cert => $cert, + ca => $ca + } + couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp new file mode 100644 index 00000000..b4635951 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -0,0 +1,42 @@ +class site_couchdb::stunnel ($key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $cert_name = 'leap_couchdb' + $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $cert_name: + content => $ca, + notify => Service['stunnel']; + } + + stunnel::service { 'couchdb': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } +} + -- cgit v1.2.3 From 90c5b205c4764351e6ea707b965c5e6daca1c0b7 Mon Sep 17 00:00:00 2001 
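Review bot: `cafile => $ca_path` points at `leap_client_ca.crt`, but nothing in this class deploys that file; the CA it does deploy is `x509::ca { 'leap_couchdb': content => $ca }`, where `$ca` is `$x509['ca_cert']` per the first hunk. With `verify => '2'` the server rejects any client whose certificate does not chain to the CA in `cafile`, so unless the client CA also signs node certificates (not visible here) the webapp stunnel clients, which present the node cert from `$x509['cert']`, will fail the handshake. `$ca_path` should presumably be the path `x509::ca` writes for `$cert_name`; the exact location depends on the x509 module and should be confirmed. The same mismatch is present in `site_webapp::couchdb_stunnel` in 90c5b205.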
From: Micah Anderson Date: Thu, 14 Mar 2013 18:36:40 -0400 Subject: add couchdb stunnel clients --- puppet/modules/site_webapp/manifests/couchdb.pp | 9 +++++ .../site_webapp/manifests/couchdb_stunnel.pp | 42 ++++++++++++++++++++++ .../manifests/couchdb_stunnel/clients.pp | 17 +++++++++ 3 files changed, 68 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel.pp create mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6cac666f..26de62ee 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,5 +1,9 @@ class site_webapp::couchdb { + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] $webapp = hiera('webapp') $couchdb_host = $webapp['couchdb_hosts'] $couchdb_user = $webapp['couchdb_user']['username'] @@ -13,4 +17,9 @@ class site_webapp::couchdb { mode => '0600'; } + class { 'site_webapp::couchdb_stunnel': + key => $key, + cert => $cert, + ca => $ca + } } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp new file mode 100644 index 00000000..e6657e13 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp 
@@ -0,0 +1,42 @@ +class site_webapp::couchdb_stunnel ($key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $cert_name = 'leap_couchdb' + $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $cert_name: + content => $ca, + notify => Service['stunnel']; + } + + $couchdb_stunnel_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + + create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp new file mode 100644 index 00000000..eac43b08 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp @@ -0,0 +1,17 @@ +define site_webapp::couchdb_stunnel::clients + ( $accept_port, $connect, $client, $cafile, $key, $cert, + $verify, $pid = $name, $rndfile, $debuglevel ) { + + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel + } + } -- cgit v1.2.3 From 02e99153b1c83e9acd151188d4ce22091475322e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 15 Mar 2013 09:19:30 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
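Review bot: `x509::key`, `x509::cert` and `x509::ca` are all declared with the title `leap_couchdb`, identical to the declarations in `site_couchdb::stunnel` from 42a040ac; a node whose services list both webapp and couchdb (multi-service nodes exist, given the `'couchdb' in $::services` check in site_apt) would hit a duplicate declaration error at compile time. Moving the three x509 resources into one class that both stunnel classes `include` avoids the collision. `create_resources(site_webapp::couchdb_stunnel::clients, ...)` passes the type as a bareword; the documented form is a quoted string, `'site_webapp::couchdb_stunnel::clients'`.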
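Review bot: On the client side, `'verify' => '2'` from the defaults only checks that the couchdb server's certificate chains to `cafile`; no peer identity is checked, so any holder of a certificate from the same CA can stand in for the server. stunnel's `verify = 3` additionally requires the peer certificate to be present in the local certificate store, which pins the expected server at the cost of distributing its cert to clients — worth weighing here. In the define, `$rndfile` and `$debuglevel` are required parameters listed after the defaulted `$pid = $name`; puppet-lint flags that ordering, and moving `$pid` last avoids it.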
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 77b80561..988df731 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 77b80561e187c93f7c48f5ac4136e800702b0cec +Subproject commit 988df7312ec9204b62eedadea9ff2504e5cb10f6 -- cgit v1.2.3 From 9daaf13f44148c26251932edfd71965659986197 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 15 Mar 2013 20:48:00 +0100 Subject: automatic update of submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 7e8113b3..6bf7a6ab 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 7e8113b3fcf6f251ca9d5e2f39f43fd024058c97 +Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 -- cgit v1.2.3 From 7c5f2117c8edb12304fb1221bc00e07b9734dff6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 15 Mar 2013 20:59:54 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 988df731..a4809d6b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 988df7312ec9204b62eedadea9ff2504e5cb10f6 +Subproject commit a4809d6b0627431f72de916abee1214418c01c9d -- cgit v1.2.3 From a275999ab39b49afa2bb0c998c58aec424b4a8c0 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 16 Mar 2013 13:57:14 +0100 Subject: pick the first couchdb host for webapp couch config Until we have a proper load balancing setup (see https://leap.se/code/issues/1994) --- puppet/modules/site_webapp/manifests/couchdb.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6cac666f..9312cdb1 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -1,7 +1,10 @@ class site_webapp::couchdb { $webapp = hiera('webapp') - $couchdb_host = $webapp['couchdb_hosts'] + $couchdb_hosts = $webapp['couchdb_hosts'] + # for now, pick the first couchdb host before we have a working + # load balancing setup (see https://leap.se/code/issues/1994) + $couchdb_host = $couchdb_hosts[0] $couchdb_user = $webapp['couchdb_user']['username'] $couchdb_password = $webapp['couchdb_user']['password'] -- cgit v1.2.3 From 4ec32a1f773918b2c7a42c117fbad110c07df458 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 16 Mar 2013 23:15:14 -0700 Subject: the development tag now specifies an alternative provider domain. this requires that we use domain.full_suffix instead of provider.domain, whenever possible. --- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/services/webapp.json | 4 ++-- provider_base/tags/development.json | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index f26f25a2..2ca34548 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -13,7 +13,7 @@ hsh['api_version'] = "1" hsh['api_uri'] = "https://" + api.domain + ':' + api.port - hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt' + hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) generate_json hsh diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ea79d7c4..5e7260a6 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
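Review bot: `$couchdb_host = $couchdb_hosts[0]` yields undef without complaint when the `couchdb_hosts` array from hiera is empty, and the webapp config is then presumably rendered with an empty host; a guard such as `if empty($couchdb_hosts) { fail('webapp.couchdb_hosts is empty') }` (stdlib's `empty()`) surfaces the misconfiguration at compile time instead. Note this hunk is based on index 6cac666f, the version before 90c5b205 added the stunnel class call to the same file, so the two changes will need reconciling on merge.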
@@ -29,8 +29,8 @@ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "client_ca_cert": "= file_path :client_ca_cert", "client_ca_key": "= file_path :client_ca_key", - "commercial_cert": "= file [:commercial_cert, global.provider.domain]", - "commercial_key": "= file [:commercial_key, global.provider.domain]", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } } \ No newline at end of file diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json index caf18e9d..6d4f9e25 100644 --- a/provider_base/tags/development.json +++ b/provider_base/tags/development.json @@ -1,3 +1,7 @@ { - "environment": "development" + "environment": "development", + "domain": { + "full_suffix": "= 'dev.' + global.provider.domain", + "internal_suffix": "= 'dev.' + global.provider.domain_internal" + } } \ No newline at end of file -- cgit v1.2.3 From ad62cfdad04c8f8ed9d6454f716c92e850ac53ba Mon Sep 17 00:00:00 2001 
From: elijah Date: Sun, 17 Mar 2013 13:15:51 -0700 Subject: added support for "limited" service levels (although vpn is not yet actually rate limited). --- .../files/service-definitions/eip-service.json.erb | 40 +++--- .../files/service-definitions/provider.json.erb | 2 +- provider_base/provider.json | 29 ++-- provider_base/services/openvpn.json | 12 +- provider_base/services/webapp.json | 4 +- provider_base/test/openvpn/client.ovpn.erb | 6 +- puppet/modules/site_openvpn/README | 20 +++ puppet/modules/site_openvpn/manifests/init.pp | 150 +++++++++++++-------- puppet/modules/site_openvpn/manifests/resolver.pp | 90 +++++++++---- .../site_openvpn/manifests/server_config.pp | 9 +- .../site_openvpn/templates/add_gateway_ips.sh.erb | 11 ++ .../templates/leap_add_second_ip.sh.erb | 11 -- .../modules/site_shorewall/manifests/dnat_rule.pp | 40 +++--- puppet/modules/site_shorewall/manifests/eip.pp | 61 +++++---- .../modules/site_webapp/templates/config.yml.erb | 13 +- 15 files changed, 309 insertions(+), 189 deletions(-) create mode 100644 puppet/modules/site_openvpn/README create mode 100644 puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb delete mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb index 09b65bbb..ca42bef5 100644 --- a/provider_base/files/service-definitions/eip-service.json.erb +++ b/provider_base/files/service-definitions/eip-service.json.erb 
@@ -6,41 +6,39 @@ words end - def gateway_definition(node) + def add_gateway(node, locations, options={}) + return nil if options[:ip] == 'REQUIRED' gateway = {} gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns) gateway["capabilities"]["transport"] = ["openvpn"] gateway["host"] = node.domain.full - gateway["cluster"] = underscore(node.openvpn.location) + gateway["ip_address"] = options[:ip] + gateway["capabilities"]["limited"] = options[:limited] + if node.location + location_name = underscore(node.location.name) + gateway["location"] = location_name + locations[location_name] ||= node.location + end gateway end hsh = {} hsh["serial"] = 1 hsh["version"] = 1 - clusters = {} + locations = {} gateways = [] nodes_like_me[:services => 'openvpn'].each_node do |node| - if node.openvpn.gateway_address - gateway = gateway_definition(node) - gateway["ip_address"] = node.openvpn.gateway_address - gateway["capabilities"]["free"] = false - gateways << gateway - end - if node.openvpn.free_gateway_address && node.openvpn.free_gateway_address != "REQUIRED" - gateway = gateway_definition(node) - gateway["ip_address"] = node.openvpn.free_gateway_address - gateway["capabilities"]["free"] = true - gateway["capabilities"]["rate_limit"] = node.openvpn.free_rate_limit - gateways << gateway + if node.openvpn.allow_limited && node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) + elsif node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + elsif node.openvpn.allow_limited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) end - clusters[gateway["cluster"]] ||= { - "name" => gateway["cluster"], - "label" => {"en" => node.openvpn.location} - } end 
- hsh["gateways"] = gateways - hsh["clusters"] = clusters.values + hsh["gateways"] = gateways.compact + hsh["locations"] = locations hsh["openvpn_configuration"] = { "tls-cipher" => "DHE-RSA-AES128-SHA", "auth" => "SHA1", diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 2ca34548..54919898 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -4,7 +4,7 @@ # grab some fields from provider.json hsh = global.provider.pick( :languages, :description, :name, - :enrollment_policy, :default_language, :domain + :enrollment_policy, :default_language, :domain, :service ) # advertise services that are 'user services' diff --git a/provider_base/provider.json b/provider_base/provider.json index 14eabdc2..cf1baac6 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json 
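Review bot: `add_gateway` returns nil only when `options[:ip] == 'REQUIRED'`; a nil `:ip` (for instance `second_gateway_address` explicitly set to null by a provider) falls through, and the final `gateways.compact` then keeps a gateway whose `ip_address` is null. `return nil if options[:ip].nil? || options[:ip] == 'REQUIRED'` covers both cases. A one-line comment above the method, e.g. `# returns nil when the gateway has no usable address; callers compact the result`, would make the nil-return contract explicit.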
@@ -13,21 +13,31 @@ "languages": ["en"], "default_language": "en", "enrollment_policy": "open", - "service_levels": [ - {"name": "free", "bandwidth":102400, "storage":50}, - {"name": "basic", "bandwidth":null, "storage":1000}, - {"name": "premium", "bandwidth":null, "storage":10000} - ], - "service_allow_free": false, + "service": { + "levels": [ + // bandwidth limit is in Bytes, storage limit is in MB. + {"id": 1, "name": "free", "bandwidth":"limited", "storage":50}, + {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]}, + {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]} + ], + "default_service_level": 1, + "bandwidth_limit": 102400, + "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?", + "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?", + "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", + "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", + "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", + "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" + }, "ca": { "name": "= global.provider.ca.organization + ' Root CA'", "organization": "= global.provider.name[global.provider.default_language]", - "organizational_unit": "= 'https://' + global.common.domain.full_suffix", + "organizational_unit": "= 'https://' + global.provider.domain", "bit_size": 4096, "digest": "SHA256", "life_span": "10y", "server_certificates": { - "bit_size": 3248, + "bit_size": 2024, "digest": "SHA256", "life_span": "1y" }, @@ -35,7 +45,8 @@ "bit_size": 2024, "digest": "SHA256", "life_span": "2m", - "free_prefix": "FREE" + "limited_prefix": "LIMITED", + "unlimited_prefix": "UNLIMITED" } }, "hiera_sync_destination": "/etc/leap" 
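Review bot: `server_certificates.bit_size` drops from 3248 to 2024 in the first hunk; 2024 is an unusual RSA key size and looks like a typo for 2048, the conventional floor, and the identical value in the `client_certificates` context lines may share the typo. If the reduction from 3248 is deliberate, a comment next to the new `// bandwidth limit is in Bytes …` line explaining the choice would help; that comment itself relies on the provider's JSON loader accepting `//` comments, which is not visible here. `organizational_unit` reverts from `global.common.domain.full_suffix` to `global.provider.domain`, which runs against 4ec32a1f's stated preference for `domain.full_suffix` — confirm it is intentional.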
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index e78a02ac..5d77f946 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -5,17 +5,19 @@ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'" }, + "location": null, "openvpn": { - "location": "Location Unknown", "gateway_address": "REQUIRED", - "free_gateway_address": "= openvpn.allow_free ? 'REQUIRED' : nil", + "second_gateway_address": "= openvpn.allow_limited && openvpn.allow_unlimited ? 'REQUIRED' : nil", "ports": ["80", "443", "53", "1194"], "protocols": ["tcp", "udp"], "filter_dns": false, "adblock": false, "user_ips": false, - "allow_free": "= global.provider.service_allow_free", - "free_prefix": "= global.provider.ca.client_certificates.free_prefix", - "free_rate_limit": "= openvpn.allow_free ? global.provider.service_levels.detect{|level| level['name'] == 'free'}['bandwidth'] : nil" + "allow_limited": "= global.provider.service.allow_limited_bandwidth", + "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth", + "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix", + "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix", + "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil" } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 5e7260a6..477d5f17 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -10,7 +10,9 @@ "head_scss": "= file_path 'branding/head.scss'", "img_dir": "= file_path 'branding/img'", "client_certificates": "= global.provider.ca.client_certificates", - "allow_free": "= global.provider.service_allow_free" + "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", + "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", + "allow_anonymous_certs": "= global.provider.service.allow_anonymous" }, "definition_files": { "provider": "= file :provider_json_template", diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb index a0bdd307..af183ef4 100644 --- a/provider_base/test/openvpn/client.ovpn.erb +++ b/provider_base/test/openvpn/client.ovpn.erb @@ -18,9 +18,11 @@ tls-cipher DHE-RSA-AES128-SHA -<%= read_file! :test_client_cert -%> +<%# read_file! :test_client_cert -%> +<%= cert -%> -<%= read_file! :test_client_key -%> +<%# read_file! :test_client_key -%> +<%= key -%> diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README new file mode 100644 index 00000000..cef5be23 --- /dev/null +++ b/puppet/modules/site_openvpn/README @@ -0,0 +1,20 @@ +Place to look when debugging problems +======================================== + +Log files: + + openvpn: /var/log/syslog + shorewall: /var/log/syslog + shorewall startup: /var/log/shorewall-init.log + +Check NAT masq: + + iptables -t nat --list-rules + +Check interfaces: + + ip addr ls + +Scripts: + + /usr/local/bin/add_gateway_ips.sh \ No newline at end of file diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 0c9f1795..c54bb782 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,84 +1,128 @@ +# +# An openvpn gateway can support three modes: +# +# (1) limited and unlimited +# (2) unlimited only +# (3) limited only +# +# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', +# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# +# We potentially create four openvpn config files (thus four daemons): +# +# (1) unlimited + tcp => tcp_config.conf +# (2) unlimited + udp => udp_config.conf +# (3) limited + tcp => limited_tcp_config.conf +# (4) limited + udp => limited_udp_config.conf +# + class site_openvpn { tag 'leap_service' - # parse hiera config - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - $openvpn_allow_free = $openvpn_config['allow_free'] - $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] - $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] - $openvpn_free_prefix = $openvpn_config['free_prefix'] - $x509_config = hiera('x509') + $openvpn_config = hiera('openvpn') + $x509_config = hiera('x509') + $ip_address = hiera('ip_address') + $interface = getvar("interface_${ip_address}") + $openvpn_ports = $openvpn_config['ports'] + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_second_gateway_address = undef + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } + + $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] + $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix'] + $openvpn_unlimited_tcp_network_prefix = '10.41.0' + $openvpn_unlimited_tcp_netmask = 
'255.255.248.0' + $openvpn_unlimited_tcp_cidr = '21' + $openvpn_unlimited_udp_network_prefix = '10.42.0' + $openvpn_unlimited_udp_netmask = '255.255.248.0' + $openvpn_unlimited_udp_cidr = '21' + + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' # deploy ca + server keys include site_openvpn::keys - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000' + if $openvpn_allow_unlimited and $openvpn_allow_limited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = $openvpn_second_gateway_address + } elsif $openvpn_allow_unlimited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = undef + } elsif $openvpn_allow_limited { + $unlimited_gateway_address = undef + $limited_gateway_address = $openvpn_gateway_address } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $openvpn_gateway_address, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - management => '127.0.0.1 1001' + if $openvpn_allow_unlimited { + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => 
"${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", + management => '127.0.0.1 1001' + } + } else { + tidy { "/etc/openvpn/tcp_config.conf": } + tidy { "/etc/openvpn/udp_config.conf": } } - if $openvpn_allow_free { - site_openvpn::server_config { 'free_tcp_config': + if $openvpn_allow_limited { + site_openvpn::server_config { 'limited_tcp_config': port => '1194', proto => 'tcp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", management => '127.0.0.1 1002' } - site_openvpn::server_config { 'free_udp_config': + site_openvpn::server_config { 'limited_udp_config': port => '1194', proto => 'udp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", + push => "\"dhcp-option DNS 
${openvpn_limited_udp_network_prefix}.1\"", management => '127.0.0.1 1003' } } else { - tidy { "/etc/openvpn/free_tcp_config.conf": } - tidy { "/etc/openvpn/free_udp_config.conf": } + tidy { "/etc/openvpn/limited_tcp_config.conf": } + tidy { "/etc/openvpn/limited_udp_config.conf": } } - # add second IP on given interface file { - '/usr/local/bin/leap_add_second_ip.sh': - content => template('site_openvpn/leap_add_second_ip.sh.erb'), + '/usr/local/bin/add_gateway_ips.sh': + content => template('site_openvpn/add_gateway_ips.sh.erb'), mode => '0755'; } - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + exec { '/usr/local/bin/add_gateway_ips.sh': + subscribe => File['/usr/local/bin/add_gateway_ips.sh'], } - cron { 'leap_add_second_ip.sh': - command => '/usr/local/bin/leap_add_second_ip.sh', + cron { 'add_gateway_ips.sh': + command => '/usr/local/bin/add_gateway_ips.sh', user => 'root', special => 'reboot', } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 26785edb..dc31767c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
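Review bot: `$openvpn_second_gateway_address` is first set to `undef` and then assigned again inside the `if` block; Puppet variables are immutable within a scope and `if` does not open a new one, so this should fail with a "Cannot reassign variable" error — assign it once, `$openvpn_second_gateway_address = $openvpn_config['second_gateway_address']`, which already yields undef when the JSON value is null. `$openvpn_rate_limit` is read from hiera but never used in this hunk, and the `shaper` parameter is dropped from `site_openvpn::server_config` in the server_config.pp hunk below, so nothing visible in this patch limits the bandwidth of the "limited" gateways any more; if the limit is enforced elsewhere, a comment saying where would help. Note also that OpenVPN's `tls-remote` does a prefix match on the certificate name, so the access split between the two daemons only holds if neither `${openvpn_unlimited_prefix}` nor `${openvpn_limited_prefix}` is a prefix of the other; recording that constraint in the header comment above the class would be worthwhile.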
@@ -1,5 +1,53 @@ class site_openvpn::resolver { + if $site_openvpn::openvpn_allow_unlimited { + $ensure_unlimited = 'present' + file { + '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_unlimited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + } + + if $site_openvpn::openvpn_allow_limited { + $ensure_limited = 'present' + file { + '/etc/unbound/conf.d/vpn_limited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_limited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } + tidy { 
'/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + } + # this is an unfortunate way to get around the fact that the version of # unbound we are working with does not accept a wildcard include directive # (/etc/unbound/conf.d/*), when it does, these line definitions should 
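Review bot: The four `file` resources in the resolver.pp hunk differ only in the limited/unlimited and tcp/udp network prefix and cidr; a small define taking `$network_prefix` and `$cidr` would remove the repeated content/owner/group/mode/require/notify block and keep the four copies from drifting apart. The `$ensure_unlimited` / `$ensure_limited` variables are set on both branches of each `if`, so the `line` resources in the second hunk of this file always see a value. A one-line comment above each block, e.g. `# unbound listens on the .1 gateway address of each VPN subnet and only answers that subnet`, would document why the interface/access-control pairs are keyed by network prefix.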
@@ -7,36 +55,30 @@ class site_openvpn::resolver { # include: /etc/unbound/conf.d/* line { - 'add_tcp_resolver': - ensure => present, + 'add_unlimited_tcp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', notify => Service['unbound'], require => Package['unbound']; - - 'add_udp_resolver': - ensure => present, + 'add_unlimited_udp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_tcp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_udp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', notify => Service['unbound'], require => Package['unbound'] } - file { - '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - - '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - } } 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1f42400a..a2e769e1 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -54,7 +54,7 @@ define site_openvpn::server_config( $port, $proto, $local, $server, $push, - $management, $tls_remote = undef, $shaper = undef) { + $management, $tls_remote = undef) { $openvpn_configname = $name @@ -68,13 +68,8 @@ define site_openvpn::server_config( notify => Service['openvpn']; } - # special options for the "free" gateway daemons - if $shaper != undef { + if $tls_remote != undef { openvpn::option { - "shaper $openvpn_configname": - key => 'shaper', - value => $shaper, - server => $openvpn_configname; "tls-remote $openvpn_configname": key => 'tls-remote', value => $tls_remote, diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb new file mode 100644 index 00000000..ed06a95e --- /dev/null +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> + +<% if @openvpn_second_gateway_address %> +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 || + ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb deleted file mode 100644 index 40866116..00000000 --- a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb +++ /dev/null 
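Review bot: The idempotency check `grep -q <%= @openvpn_gateway_address %>/24` in add_gateway_ips.sh.erb treats the address as an unanchored regular expression, so the dots match any character and a longer address that merely contains it (10.1.2.3 inside 110.1.2.3, a constructed example) satisfies the test and the `ip addr add` is skipped; use a fixed-string match on the inet line, `grep -qF "inet <%= @openvpn_gateway_address %>/24 "`. The `<% if @openvpn_second_gateway_address %>` guard may also not do what it looks like: depending on the Puppet version, a variable set to `undef` reaches the template as the symbol `:undef`, which is truthy in Ruby, and the script would then emit `ip addr add :undef/24`; the usual idiom is `<% if @openvpn_second_gateway_address && @openvpn_second_gateway_address != :undef %>`, or gate on the two boolean `allow_*` flags instead. The script is re-run at boot through the `special => 'reboot'` cron in init.pp, which is what makes the non-persistent `echo 1 > /proc/sys/net/ipv4/ip_forward` stick; a comment to that effect above the line would help.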
@@ -1,11 +0,0 @@ -#!/bin/sh - -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> - -<% if @openvpn_allow_free %> -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 || - ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %> -<% end %> - -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 0b4370df..e1ea86ec 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp 
@@ -2,30 +2,32 @@ define site_shorewall::dnat_rule { $port = $name if $port != 1194 { - shorewall::rule { - "dnat_tcp_port_$port": - action => 'DNAT', - source => 'net', - destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", - proto => 'tcp', - destinationport => $port, - order => 100; - } - shorewall::rule { - "dnat_udp_port_$port": - action => 'DNAT', - source => 'net', - destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", - proto => 'udp', - destinationport => $port, - order => 100; + if $site_openvpn::openvpn_allow_paid { + shorewall::rule { + "dnat_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + shorewall::rule { + "dnat_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } } if $site_openvpn::openvpn_allow_free { shorewall::rule { "dnat_free_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::free_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -34,7 +36,7 @@ define site_shorewall::dnat_rule { "dnat_free_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::free_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index d2bf3c4c..95c3920e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
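Review bot: The dnat_rule.pp hunk reads `$site_openvpn::openvpn_allow_paid`, `$site_openvpn::paid_gateway_address`, `$site_openvpn::openvpn_allow_free` and `$site_openvpn::free_gateway_address`, but the init.pp hunk in this same patch defines `openvpn_allow_unlimited`, `unlimited_gateway_address`, `openvpn_allow_limited` and `limited_gateway_address` and removes the `free` names. An unknown qualified variable evaluates to undef in Puppet (with at most a warning), so both `if` branches are always false and no DNAT rule for the extra ports (80, 443, 53) is created on either gateway. Rename to `if $site_openvpn::openvpn_allow_unlimited {` with `destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194"` and, in the second block and the second hunk, `if $site_openvpn::openvpn_allow_limited {` with `${site_openvpn::limited_gateway_address}`; the `dnat_free_*` resource titles would likewise read better as `dnat_limited_*`.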
@@ -3,10 +3,6 @@ class site_shorewall::eip { include site_shorewall::defaults include site_shorewall::ip_forward - $openvpn_config = hiera('openvpn') - $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address - # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 1194 
@@ -16,41 +12,45 @@ PARAM - - udp 1194 require => Package['shorewall'] } - shorewall::interface { 'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; 'tun1': zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs' + options => 'tcpflags,blacklist,nosmurfs'; + 'tun2': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun3': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone { + 'eip': + type => 'ipv4'; + } - shorewall::zone {'eip': - type => 'ipv4'; } - - case $::virtual { - 'virtualbox': { - shorewall::masq { - 'eth0_tcp': - interface => 'eth0', - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; - 'eth0_udp': - interface => 'eth0', - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } - default: { - $interface = $site_shorewall::defaults::interface - shorewall::masq { - "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + if $::virtual == 'virtualbox' { + $interface = 'eth0' + } else { + $interface = $site_shorewall::defaults::interface + } - "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } + shorewall::masq { + "${interface}_unlimited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; + "${interface}_unlimited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; + "${interface}_limited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + "${interface}_limited_udp": + interface => $interface, + source => 
"${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; } shorewall::policy { @@ -70,7 +70,6 @@ PARAM - - udp 1194 } # create dnat rule for each port - #create_resources('site_shorewall::dnat_rule', $openvpn_ports) - site_shorewall::dnat_rule { $openvpn_ports: } + site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: } } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index cd67d1fd..af778212 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -6,8 +6,11 @@ production: client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> cert_options: - client_cert_lifespan: <%= cert_options['life_span'].to_i %> - client_cert_bit_size: <%= cert_options['bit_size'].to_i %> - client_cert_hash: <%= cert_options['digest'] %> - free_certs_enabled: <%= @webapp['allow_free'].inspect %> - free_cert_prefix: "<%= cert_options['free_prefix'] %>" + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %> + allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %> + allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> + limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" + unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" -- cgit v1.2.3 From 6609b3ed4125d1e46ba16b5bc7d7957bcbee6a42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 17 Mar 2013 22:58:10 -0400 Subject: fix webapp/couchdb stunnel certificate authority --- puppet/modules/site_couchdb/manifests/stunnel.pp | 7 ++++--- puppet/modules/site_webapp/manifests/couchdb_stunnel.pp | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) 
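Review bot: eip.pp now reads `$site_openvpn::openvpn_unlimited_tcp_network_prefix` and its siblings and, in the last hunk, `$site_openvpn::openvpn_ports` instead of doing its own `hiera('openvpn')` lookup (removed in the first hunk), which makes the class correct only when `site_openvpn` has already been evaluated — a class-scoped variable read before the class is declared yields undef, so the masq `source` would render as `.0/` and the dnat_rule set would be empty. Either `include site_openvpn` at the top of the class, or keep the local `hiera('openvpn')` lookup for `ports`. The four `shorewall::masq` entries and the `tun2`/`tun3` interfaces are declared unconditionally, whereas init.pp only starts the limited or unlimited daemons when the matching `allow_*` flag is set; masquerading an empty subnet is inert, but if shorewall refuses to start with a listed interface that does not exist, mark the extra tun interfaces `optional`. A comment such as `# masq/interface entries cover all four possible daemons; unused ones are inert` would make the intent clear.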
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index b4635951..1afe25a4 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -4,9 +4,10 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include site_stunnel $cert_name = 'leap_couchdb' - $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" + $key_path = "${x509::variables::keys}/${cert_name}.key" x509::key { $cert_name: @@ -21,7 +22,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } x509::ca { - $cert_name: + $ca_name: content => $ca, notify => Service['stunnel']; } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp index e6657e13..325b18ee 100644 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp @@ -4,9 +4,10 @@ class site_webapp::couchdb_stunnel ($key, $cert, $ca) { include site_stunnel $cert_name = 'leap_couchdb' - $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" + $key_path = "${x509::variables::keys}/${cert_name}.key" x509::key { $cert_name: @@ -21,7 +22,7 @@ class site_webapp::couchdb_stunnel ($key, $cert, $ca) { } x509::ca { - $cert_name: + $ca_name: content => $ca, notify => Service['stunnel']; } -- cgit v1.2.3 From fbae857865f3e2d61d9e55693c5cce411f7565ca Mon Sep 17 00:00:00 2001 
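Review bot: Both site_couchdb::stunnel and site_webapp::couchdb_stunnel now declare `x509::ca { $ca_name: ... }` with the same title `leap_ca`, so a node that ends up with both classes (a combined webapp+couchdb node, if the provider layout allows one) would hit a duplicate-declaration error on `X509::Ca[leap_ca]`; if that layout is possible, move the CA resource into a shared class that both include. The two hunks are otherwise identical, which is a second reason to share the code. A short comment above `$ca_path` saying what consumes it (presumably stunnel's CA file for peer verification) would record why the path moved from `${x509::variables::certs}` to `${x509::variables::local_CAs}`.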
From: varac Date: Mon, 18 Mar 2013 18:24:16 +0100 Subject: Webapp: Use stunnel localhost:5000 for couchdb connection --- puppet/modules/site_webapp/manifests/couchdb.pp | 4 +++- puppet/modules/site_webapp/templates/couchdb.yml.erb | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index b8a4201d..f3488227 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -8,7 +8,9 @@ class site_webapp::couchdb { $couchdb_hosts = $webapp['couchdb_hosts'] # for now, pick the first couchdb host before we have a working # load balancing setup (see https://leap.se/code/issues/1994) - $couchdb_host = $couchdb_hosts[0] + # which is configured through a stunnel connection, reachable + # through localhost:5000 + $couchdb_host = 'localhost' $couchdb_user = $webapp['couchdb_user']['username'] $couchdb_password = $webapp['couchdb_user']['password'] diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index ee521713..d9ecb4b2 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,8 +1,8 @@ production: prefix: "" - protocol: 'https' + protocol: 'http' host: <%= @couchdb_host %> - port: 6984 + port: 5000 username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From 1d14c34e7f4456452d289b23eb1d2ebf00de11b2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 14:26:58 -0400 Subject: turn off automatic updates of couchdb design docs (#1979) --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index d9ecb4b2..3ae255b0 100644 
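Review bot: The webapp now connects to CouchDB over plain `http` on `localhost:5000`, so the CouchDB username and password in couchdb.yml travel in cleartext up to the local stunnel endpoint; that is fine only if the stunnel `accept` for port 5000 is bound to the loopback address, which this patch does not show — worth confirming in site_webapp::couchdb_stunnel, and worth a comment here, `# plaintext to the local stunnel client on 5000; stunnel carries TLS to couchdb`. In the couchdb.pp hunk `$couchdb_hosts` is still assigned but is no longer read anywhere in the hunk once `$couchdb_host = 'localhost'`; drop it, or note in the comment that the stunnel configuration consumes the host list.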
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -3,6 +3,7 @@ production: protocol: 'http' host: <%= @couchdb_host %> port: 5000 + auto_update_design_doc: false username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From 036506d757423241618774a639778fc9be1413cd Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 14:50:14 -0400 Subject: Migrate the couchdb design documents during webapp deploy (#1976) --- puppet/modules/site_webapp/files/migrate_design_documents | 13 +++++++++++++ puppet/modules/site_webapp/manifests/couchdb.pp | 14 +++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_webapp/files/migrate_design_documents diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents new file mode 100644 index 00000000..3441e086 --- /dev/null +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -0,0 +1,13 @@ +#!/bin/sh + +cd /srv/leap-webapp + +# use admin credentials +mv config/couchdb.yml.admin config/couchdb.yml + +# needs to be run twice +/usr/bin/bundle exec rake couchrest:migrate +/usr/bin/bundle exec rake couchrest:migrate + +# use user credentials and remove admin credentials +mv config/couchdb.yml.webapp config/couchdb.yml diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index f3488227..095cdb9d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -20,6 +20,12 @@ class site_webapp::couchdb { owner => leap-webapp, group => leap-webapp, mode => '0600'; + + '/usr/local/sbin/migrate_design_documents': + source => 'puppet:///modules/site_webapp/migrate_design_documents', + owner => root, + group => root, + mode => '0744'; } class { 'site_webapp::couchdb_stunnel': 
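Review bot: migrate_design_documents has no `set -e` and swaps the config files with `mv`, so if either `rake couchrest:migrate` fails the admin-credential file is left in place as config/couchdb.yml and the web application keeps running with CouchDB admin rights, while couchdb.yml.admin is gone and the next run of the script fails on its first `mv`. Copy rather than move, fail fast, and restore the unprivileged config on every exit path via a trap, as below; the later commit on this page adds a puppet-managed couchdb.yml.admin template, so keeping that file on disk is no change from what Puppet will do anyway. The exec that runs this script (next hunk) sets no `user`, so the rake tasks run as root against the webapp's checkout; if that is intended, a comment in couchdb.pp saying so would help.
```sh
#!/bin/sh
set -e

cd /srv/leap-webapp

# put the unprivileged credentials back on every exit path, including failure
restore_webapp_config() {
  cp config/couchdb.yml.webapp config/couchdb.yml
}
trap restore_webapp_config EXIT

# use admin credentials (copy, so the script can be re-run)
cp config/couchdb.yml.admin config/couchdb.yml

# … unchanged: the two rake couchrest:migrate runs …
```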
@@ -27,4 +33,10 @@ class site_webapp::couchdb { cert => $cert, ca => $ca } -} + + exec { 'migrate_design_documents': + cwd => '/srv/leap-webapp', + commmand => '/usr/local/sbin/migrate_design_documents', + require => Exec['bundler_update'], + notify => Service['apache']; + } -- cgit v1.2.3 From 5e29e380df9b1ace765ea31254c3fb6e9e0e0cb4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 17 Mar 2013 22:57:27 -0400 Subject: add haproxy submodule --- .gitmodules | 3 +++ puppet/modules/haproxy | 1 + 2 files changed, 4 insertions(+) create mode 160000 puppet/modules/haproxy diff --git a/.gitmodules b/.gitmodules index b97971fc..88858054 100644 --- a/.gitmodules +++ b/.gitmodules @@ -70,3 +70,6 @@ [submodule "puppet/modules/stunnel"] path = puppet/modules/stunnel url = git://labs.riseup.net/shared-stunnel +[submodule "puppet/modules/haproxy"] + path = puppet/modules/haproxy + url = git://code.leap.se/puppet_haproxy diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy new file mode 160000 index 00000000..967e0097 --- /dev/null +++ b/puppet/modules/haproxy @@ -0,0 +1 @@ +Subproject commit 967e0097f9447d6c73eeb99ef4b0df2a941820c3 -- cgit v1.2.3 From 7c7ca311ff00c5cddaee892c173354a69f4e59e4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:07:00 -0400 Subject: add some generic haproxy defaults --- puppet/modules/site_haproxy/manifests/init.pp | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 puppet/modules/site_haproxy/manifests/init.pp diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp new file mode 100644 index 00000000..7cb10ab2 --- /dev/null +++ b/puppet/modules/site_haproxy/manifests/init.pp 
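Review bot: The `migrate_design_documents` exec has no `refreshonly`, `creates`, `unless` or `onlyif`, so it runs on every Puppet run and, through `notify => Service['apache']`, restarts Apache on every run as well. Make it refresh-only and tie it to what actually changes the design documents, e.g. `refreshonly => true,` together with `subscribe => Exec['bundler_update'],` in place of the `require` (assuming `Exec['bundler_update']` itself only fires when the checkout changes), or gate it with an `unless` that checks the migration state. A one-line comment above the resource, `# runs the couchrest migrations with admin credentials, then drops back to the webapp user`, would tie it to the script it invokes.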
@@ -0,0 +1,25 @@ +class site_haproxy { + + class { 'haproxy': + enable => true, + manage_service => true, + global_options => { + 'log' => '127.0.0.1 local0', + 'maxconn' => '4096', + 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy', + 'chroot' => '/usr/share/haproxy', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '' + }, + defaults_options => { + 'log' => 'global', + 'retries' => '3', + 'option' => 'redispatch', + 'contimeout' => '5000', + 'clitimeout' => '50000', + 'srvtimeout' => '50000' + } + } + +} -- cgit v1.2.3 From f1b405b503a76526551ac0110cad8798de46dfd8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:09:34 -0400 Subject: configure site_webapp::haproxy to ship a haproxy config::fragment to setup the haproxy listener 'bigcouch-in'. This haproxy listener is configured to listen on port 4096 (arbitrarily chosen) and balance across the locally configured stunnels to the bigcouch instances It may be that we will need some additional haproxy options for handling persistence, cookies, or other HTTP headers, I'm unsure as of this moment --- puppet/modules/site_webapp/manifests/haproxy.pp | 14 ++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + .../site_webapp/templates/haproxy_couchdb.cfg.erb | 16 ++++++++++++++++ 3 files changed, 31 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/haproxy.pp create mode 100644 puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp new file mode 100644 index 00000000..4a7e3c25 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/haproxy.pp 
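Review bot: The `stats` global option opens an admin socket at /var/run/haproxy.sock owned by `haproxy:haproxy` but leaves the socket `mode` and access `level` at HAProxy's defaults; state them explicitly, `'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy mode 600 level operator',` so the permissions of a socket that can take backends out of rotation are reviewable in the manifest rather than inherited. `'daemon' => ''` relies on the haproxy module rendering an empty value as a bare keyword; a comment, `# empty value renders the bare 'daemon' keyword`, would make that idiom clear. The `chroot` directory `/usr/share/haproxy` is not created anywhere in this hunk; if the package does not ship it, the daemon will fail to start.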
@@ -0,0 +1,14 @@ +class site_webapp::haproxy { + + include site_haproxy + + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] + + # Template uses $global_options, $defaults_options + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e8134521..ec70a68d 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,6 +17,7 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::client_ca + include site_webapp::haproxy group { 'leap-webapp': ensure => present, diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb new file mode 100644 index 00000000..a9bdb923 --- /dev/null +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -0,0 +1,16 @@ + +listen bigcouch-in + mode http + balance roundrobin + + option httplog + option dontlognull + option tcplog + + bind localhost:4096 +<% for port in @local_ports -%> + server couchdb_<%=port%> localhost:<%=port%> +<% end -%> + + + -- cgit v1.2.3 From fe8085f670eb3bca10c5bb0d9890e00a0d9c59d9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:37:56 -0400 Subject: configure webapp haproxy couchdb connection --- puppet/modules/site_webapp/manifests/couchdb.pp | 6 ++---- puppet/modules/site_webapp/templates/couchdb.yml.erb | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 095cdb9d..820cc1d2 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
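Review bot: The comment `# Template uses $global_options, $defaults_options` in site_webapp::haproxy does not match the template, which only reads `@local_ports`; change it to `# Template uses $local_ports (the local stunnel ports to the couchdb nodes)`. In haproxy_couchdb.cfg.erb the `server` lines carry no `check`, so with `balance roundrobin` HAProxy keeps sending requests to a stunnel whose remote couchdb is down; `server couchdb_<%= port %> localhost:<%= port %> check` lets it take dead backends out of rotation. `option httplog` and `option tcplog` are both set in a `mode http` listener; they select competing log formats, so keep only `option httplog`. The `for port in @local_ports` loop reads more naturally in Ruby as `<% @local_ports.each do |port| -%>` … `<% end -%>`.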
@@ -6,11 +6,9 @@ class site_webapp::couchdb { $ca = $x509['ca_cert'] $webapp = hiera('webapp') $couchdb_hosts = $webapp['couchdb_hosts'] - # for now, pick the first couchdb host before we have a working - # load balancing setup (see https://leap.se/code/issues/1994) - # which is configured through a stunnel connection, reachable - # through localhost:5000 + # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' + $couchdb_port = '4096' $couchdb_user = $webapp['couchdb_user']['username'] $couchdb_password = $webapp['couchdb_user']['password'] diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index 3ae255b0..4855abd8 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -2,7 +2,7 @@ production: prefix: "" protocol: 'http' host: <%= @couchdb_host %> - port: 5000 + port: <%= @couchdb_port %> auto_update_design_doc: false username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From b5018da40c68058ed47286e276ccfbe02b135e8d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:59:46 -0400 Subject: fix missing closing curly brace --- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 820cc1d2..1d847ca1 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -38,3 +38,4 @@ class site_webapp::couchdb { require => Exec['bundler_update'], notify => Service['apache']; } +} -- cgit v1.2.3 From 01434dcd78746f530f218a7ed8ed37b7b1d5ce71 Mon Sep 17 00:00:00 2001 
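Review bot: `$couchdb_port = '4096'` is a second copy of the literal in `haproxy_couchdb.cfg.erb`'s `bind localhost:4096`, linked to it only by the comment, so changing one silently breaks the other. Read it from one place — either have site_webapp::haproxy define the port and use `$site_webapp::haproxy::couchdb_port` here, or put it in the `haproxy` hiera hash beside `local_ports` and read it in both classes. The class body continues outside the hunk.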
From: Micah Anderson Date: Tue, 19 Mar 2013 17:04:06 -0400 Subject: fix spelling of 'command' parameter --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1d847ca1..760706aa 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -34,7 +34,7 @@ class site_webapp::couchdb { exec { 'migrate_design_documents': cwd => '/srv/leap-webapp', - commmand => '/usr/local/sbin/migrate_design_documents', + command => '/usr/local/sbin/migrate_design_documents', require => Exec['bundler_update'], notify => Service['apache']; } -- cgit v1.2.3 From 9c1c74c359f80cf0e61b62befee0ec5cc04ab4c3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 17:41:37 -0400 Subject: create a separate couchdb.yml.admin that contains the couchdb admin privileges, putting the unprivileged ones in as user webapp in couchdb.yml. This allows us to migrate the couchdb design docs on deployment, but use an unprivileged user the remainder of the time --- provider_base/services/webapp.json | 5 ++-- puppet/modules/site_webapp/manifests/couchdb.pp | 30 ++++++++++++++-------- .../site_webapp/templates/couchdb.yml.admin.erb | 9 +++++++ .../modules/site_webapp/templates/couchdb.yml.erb | 4 +-- 4 files changed, 32 insertions(+), 16 deletions(-) create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.admin.erb diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 477d5f17..0288a0cd 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
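Review bot: With the parameter name fixed, `migrate_design_documents` will actually run, and nothing limits when: the exec has no `refreshonly`, `unless` or `creates`, so the migration — and the admin-credential swap its script performs — executes on every puppet run and notifies `Service['apache']` each time. Tie it to the event that warrants it, e.g. `refreshonly => true, subscribe => Exec['bundler_update'],` so a routine run does not restart apache or touch credentials. The exec also has no `user =>`, so it runs as root inside `/srv/leap-webapp`; if the app runs as leap-webapp, any file the script creates is root-owned, which argues for `user => 'leap-webapp'` unless the script genuinely needs root. The exec is shown in full, but the class continues outside the hunk.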
@@ -2,9 +2,8 @@ "webapp": { "modules": ["user", "billing", "help"], "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", - // NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163 - // before we can use user "webapp" - "couchdb_user": "= global.services[:couchdb].couch.users[:admin]", + "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", + "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 760706aa..e89880fe 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
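Review bot: Splitting the credentials is the right direction, but `couchdb_admin_user` still ships the couch admin secret to every webapp node as deploy-time data, so it sits on that node's disk permanently even though it is only needed while design documents are migrated. Since this file already uses `//` comments (the removed NOTE), state the trade-off next to the key, e.g. `// admin creds are used only by migrate_design_documents; the running app uses couchdb_webapp_user`. If the platform later allows running the migration from the couchdb node, that comment is the reminder to drop the admin entry here.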
@@ -1,19 +1,27 @@ class site_webapp::couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $webapp = hiera('webapp') - $couchdb_hosts = $webapp['couchdb_hosts'] + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $webapp = hiera('webapp') + $couchdb_hosts = $webapp['couchdb_hosts'] # haproxy listener on port localhost:4096, see site_webapp::haproxy - $couchdb_host = 'localhost' - $couchdb_port = '4096' - $couchdb_user = $webapp['couchdb_user']['username'] - $couchdb_password = $webapp['couchdb_user']['password'] + $couchdb_host = 'localhost' + $couchdb_port = '4096' + $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] + $couchdb_admin_password = $webapp['couchdb_admin_user']['password'] + $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] + $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] file { - '/srv/leap-webapp/config/couchdb.yml': + '/srv/leap-webapp/config/couchdb.yml.admin': + content => template('site_webapp/couchdb.yml.admin.erb'), + owner => leap-webapp, + group => leap-webapp, + mode => '0600'; + + '/srv/leap-webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb new file mode 100644 index 00000000..a0921add --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb @@ -0,0 +1,9 @@ +production: + prefix: "" + protocol: 'http' + host: <%= @couchdb_host %> + port: <%= @couchdb_port %> + auto_update_design_doc: false + username: <%= @couchdb_admin_user %> + password: <%= @couchdb_admin_password %> + diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index 4855abd8..2bef0af5 100644 
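Review bot: The file resources now manage `couchdb.yml.admin` and `couchdb.yml.webapp` but not `config/couchdb.yml`, the file the application actually reads; it only comes into existence as a side effect of the migrate script, so a failed or interrupted script (or a fresh node before the exec has run) leaves the app with whatever copy happens to be there, possibly the admin one. Managing `/srv/leap-webapp/config/couchdb.yml` from `couchdb.yml.erb` here as well, with the same owner/group and `mode => '0600'`, would restore the unprivileged credentials on every run regardless of what the script did. The admin file's `'0600'` is right; the webapp file's mode is outside the hunk but should match.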
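Review bot: `password: <%= @couchdb_admin_password %>` emits the secret as a bare YAML scalar, so a generated password containing `:`, `#`, a leading `*`, `&`, `{`, `[` or a quote changes the parsed value or breaks the file, and the symptom is an authentication failure that is hard to trace back; `username:` has the same exposure. Emit both as quoted scalars, e.g. `password: <%= @couchdb_admin_password.to_json %>` (a JSON string is a valid YAML double-quoted string), and do the same in `couchdb.yml.erb`. Whether the secret generator restricts itself to safe characters is not visible here, so the quoting is cheap insurance.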
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -4,6 +4,6 @@ production: host: <%= @couchdb_host %> port: <%= @couchdb_port %> auto_update_design_doc: false - username: <%= @couchdb_user %> - password: <%= @couchdb_password %> + username: <%= @couchdb_webapp_user %> + password: <%= @couchdb_webapp_password %> -- cgit v1.2.3 From e69e40e55abcd3d86e1a12ce214bb64851961e13 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 17:57:03 -0400 Subject: cp instead of mv for the couchdb configuration file if we move, then we need to re-create the file on the next deploy --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 3441e086..88d4b8d9 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -3,11 +3,11 @@ cd /srv/leap-webapp # use admin credentials -mv config/couchdb.yml.admin config/couchdb.yml +cp config/couchdb.yml.admin config/couchdb.yml # needs to be run twice /usr/bin/bundle exec rake couchrest:migrate /usr/bin/bundle exec rake couchrest:migrate # use user credentials and remove admin credentials -mv config/couchdb.yml.webapp config/couchdb.yml +cp config/couchdb.yml.webapp config/couchdb.yml -- cgit v1.2.3 From 92ea0355de872a502d552d89ed88729b9b4fbaa2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 18:20:33 -0400 Subject: add webapp secret token that pulls from hiera a 'secret' --- provider_base/services/webapp.json | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 0288a0cd..69c015a6 100644 
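Review bot: If either `rake couchrest:migrate` fails between the two copies, the script leaves `config/couchdb.yml` holding the admin credentials and nothing later puts the webapp credentials back; since the exec that runs this script also notifies apache, the app is restarted with admin rights to couch. Restore the unprivileged file unconditionally by setting `trap 'cp -p config/couchdb.yml.webapp config/couchdb.yml' EXIT` before the first copy, and use `cp -p` (or `install -o leap-webapp -g leap-webapp -m 0600`) on both copies so a root-run exec does not produce a root-owned `couchdb.yml` the app cannot read. The shebang and any `set -e` are outside the hunk.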
--- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -11,7 +11,8 @@ "client_certificates": "= global.provider.ca.client_certificates", "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", - "allow_anonymous_certs": "= global.provider.service.allow_anonymous" + "allow_anonymous_certs": "= global.provider.service.allow_anonymous", + "secret_token": "= secret :webapp_secret_token" }, "definition_files": { "provider": "= file :provider_json_template", diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ec70a68d..1e6abe42 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -6,6 +6,7 @@ class site_webapp { $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') + $secret_token = $webapp['secret_token'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -111,6 +112,11 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0600'; + + '/srv/leap-webapp/config/initializers/secret_token.rb': + content => "LeapWeb::Application.config.secret_token = '${secret_token}'\n", + owner => leap-webapp, group => leap-webapp, mode => '0644', + notify => Service['apache']; } include site_shorewall::webapp -- cgit v1.2.3 From ffda76a47c7f9d5766325d8cdf13d289430456eb Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 28 Mar 2013 10:01:32 -0700 Subject: added stunnel_server --- provider_base/services/couchdb.json | 3 +++ provider_base/services/webapp.json | 7 ++++++- puppet/modules/site_webapp/manifests/couchdb.pp | 1 - 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index c3502c6b..0c407316 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json 
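Review bot: `secret_token.rb` is installed with `mode => '0644'`, so the Rails secret that signs the session cookie is readable by every local account on the node, while the couchdb credentials a few lines above get `'0600'`; whoever reads it can mint valid signed sessions for the webapp. Change the line to `owner => leap-webapp, group => leap-webapp, mode => '0600',` — the file is owned by the user the app runs as, so nothing else needs to read it. The value is also interpolated into a single-quoted Ruby literal, so a secret containing `'` or `\` breaks the initializer at boot; if the generator behind `secret :webapp_secret_token` is not guaranteed to emit only hex, render the file from a template that escapes it or validate the format before writing. The enclosing `file {}` resource starts outside the hunk.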
@@ -3,6 +3,9 @@ "x509": { "use": true }, + "stunnel": { + "couch_server": "= stunnel_server(couch.port)" + }, "couch": { "port": 5984, "bigcouch": { diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 69c015a6..895aa6e3 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,7 +1,6 @@ { "webapp": { "modules": ["user", "billing", "help"], - "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "favicon": "= file_path 'branding/favicon.ico'", @@ -14,6 +13,12 @@ "allow_anonymous_certs": "= global.provider.service.allow_anonymous", "secret_token": "= secret :webapp_secret_token" }, + "stunnel": { + "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" + }, + "haproxy": { + "local_ports": "= stunnel.couch_client.field(:accept_port)" + }, "definition_files": { "provider": "= file :provider_json_template", "eip_service": "= file :eip_service_json_template" diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e89880fe..ef61aeb6 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -5,7 +5,6 @@ class site_webapp::couchdb { $cert = $x509['cert'] $ca = $x509['ca_cert'] $webapp = hiera('webapp') - $couchdb_hosts = $webapp['couchdb_hosts'] # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' $couchdb_port = '4096' -- cgit v1.2.3 From b7ba05040f9f1266d14947f1612fa54060dd37cb Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 29 Mar 2013 14:39:26 -0700 Subject: fixed site_openvpn bug with redefined variable. --- puppet/modules/site_openvpn/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index c54bb782..1ae3fb02 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -25,9 +25,10 @@ class site_openvpn { $interface = getvar("interface_${ip_address}") $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_second_gateway_address = undef if $openvpn_config['second_gateway_address'] { $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } else { + $openvpn_second_gateway_address = undef } $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] -- cgit v1.2.3 From e6b981902c2b20eed9a0f3d279df7be9405745b0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 20:22:57 -0400 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index a4809d6b..66d918dd 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit a4809d6b0627431f72de916abee1214418c01c9d +Subproject commit 66d918ddb6454fd4a30baed9b49baad98e274243 -- cgit v1.2.3 From 1d192ab5d42ae4c4c7fdc23b026728d860f14b04 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 1 Apr 2013 00:05:24 -0700 Subject: added bin/puppet_command --- bin/puppet_command | 183 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100755 bin/puppet_command diff --git a/bin/puppet_command b/bin/puppet_command new file mode 100755 index 00000000..672a3699 --- /dev/null +++ b/bin/puppet_command 
@@ -0,0 +1,183 @@ +#!/usr/bin/ruby + +# +# This is a wrapper script around the puppet command used by the LEAP platform. +# +# We do this in order to make it faster and easier to control puppet remotely +# (exit codes, lockfile, multiple manifests, etc) +# + +$puppet_bin = '/usr/bin/puppet' +$puppet_directory = '/srv/leap' +$puppet_parameters = '--color=false --detailed-exitcodes --libdir=puppet/lib --confdir=puppet' +$site_manifest = 'puppet/manifests/site.pp' +$setup_manifest = 'puppet/manifests/setup.pp' + +def main + @commands = [] + loop do + case ARGV[0] + when 'apply' then ARGV.shift; @commands << 'apply' + when 'set_hostname' then ARGV.shift; @commands << 'set_hostname' + when '--verbosity' then ARGV.shift; @verbosity = ARGV.shift.to_i + when '--force' then ARGV.shift; remove_lockfile + when '--tags' then ARGV.shift; @tags = ARGV.shift + when /^-/ then usage("Unknown option: #{ARGV[0].inspect}") + else break + end + end + usage("No command given") unless @commands.any? + with_lockfile do + @commands.each do |command| + self.send(command) + end + end +end + +def puts(str) + $stdout.puts str + $stdout.flush +end + +def apply + exit_code = puppet_apply do |line| + puts line + end + puts "Puppet apply complete (#{exitcode_description(exit_code)})." +end + +def set_hostname + exit_code = puppet_apply(:manifest => $setup_manifest, :tags => '') do |line| + # todo: how to suppress this? + # dnsdomainname: Name or service not known + # warning: Could not retrieve fact fqdn + if line !~ /Finished catalog run/ || @verbosity > 2 + puts line + end + end + if exit_code == 2 + puts "Hostname updated." + elsif exit_code == 4 || exit_code == 6 + puts "ERROR: could not update hostname." + elsif exit_code == 0 && @verbosity > 1 + puts "No change to hostname." + end +end + +# +# each line of output is yielded. the exit code is returned. 
+# +def puppet_apply(options={}, &block) + options = {:verbosity => @verbosity, :tags => @tags}.merge(options) + manifest = options[:manifest] || $site_manifest + Dir.chdir($puppet_directory) do + return run("#{$puppet_bin} apply #{custom_parameters(options)} #{$puppet_parameters} #{manifest}", &block) + end +end + +def custom_parameters(options) + params = [] + if options[:tags] && options[:tags].chars.any? + params << "--tags #{options[:tags]}" + end + if options[:verbosity] + case options[:verbosity] + when 3 then params << '--verbose' + when 4 then params << '--verbose --debug' + when 5 then params << '--verbose --debug --trace' + end + end + params.join(' ') +end + +def exitcode_description(code) + case code + when 0 then "no changes" + when 1 then "failed" + when 2 then "changes made" + when 4 then "failed" + when 6 then "changes and failures" + else code + end +end + +def usage(s) + $stderr.puts(s) + $stderr.puts + $stderr.puts("Usage: #{File.basename($0)} COMMAND [OPTIONS]") + $stderr.puts + $stderr.puts("COMMAND may be one or more of: + set_hostname -- set the hostname of this server + apply -- apply puppet manifests") + $stderr.puts + $stderr.puts("OPTIONS may be one or more of: + --verbosity VERB -- set the verbosity level 0..5 + --tags TAGS -- set the tags to pass through to puppet + --force -- run even when lockfile is present") + exit(2) +end + +## +## Simple lock file +## + +require 'fileutils' +DEFAULT_LOCKFILE = '/tmp/puppet.lock' + +def remove_lockfile(lock_file_path=DEFAULT_LOCKFILE) + FileUtils.remove_file(lock_file_path, true) +end + +def with_lockfile(lock_file_path=DEFAULT_LOCKFILE) + begin + File.open(lock_file_path, File::CREAT | File::EXCL | File::WRONLY) do |o| + o.write(Process.pid) + end + yield + remove_lockfile + rescue Errno::EEXIST + puts("ERROR: the lock file '#{lock_file_path}' already exists. Wait a minute for the process to die, or run with --force to ignore. 
Bailing out.") + exit(1) + rescue IOError => exc + puts("ERROR: problem with lock file '#{lock_file_path}' (#{exc}). Bailing out.") + exit(1) + end +end + +## +## simple pass through process runner (to ensure output is not buffered and return exit code) +## this only works under ruby 1.9 +## + +require "pty" + +def run(cmd) + puts cmd if @verbosity >= 3 + PTY.spawn("#{cmd}") do |output, input, pid| + begin + while line = output.gets do + yield line + #$stdout.puts line + #$stdout.flush + end + rescue Errno::EIO + end + Process.wait(pid) # only works in ruby 1.9, required to capture the exit status. + end + status = $?.exitstatus + #yield status if block_given? + return status +rescue PTY::ChildExited +end + +## +## RUN MAIN +## + +Signal.trap("EXIT") do + remove_lockfile # clean up the lockfile when process is terminated. + # this will remove the lockfile if ^C killed the process + # but only after the child puppet process is also dead (I think). +end + +main() \ No newline at end of file -- cgit v1.2.3 From 3c41a81f1a3e1757ea6b9bda7e1a98dce624ec1d Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 1 Apr 2013 00:05:42 -0700 Subject: added setup.pp --- puppet/manifests/setup.pp | 4 ++++ puppet/modules/site_config/manifests/hosts.pp | 5 ++--- 2 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 puppet/manifests/setup.pp diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp new file mode 100644 index 00000000..b45c8b4c --- /dev/null +++ b/puppet/manifests/setup.pp @@ -0,0 +1,4 @@ +# +# this is applied before each run of site.pp +# +include site_config::hosts \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 6c00f3b6..81795f7d 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp 
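Review bot: The `Signal.trap("EXIT")` handler at the end removes the lock file unconditionally, yet the `rescue Errno::EEXIST` branch in `with_lockfile` calls `exit(1)` exactly when another run owns the lock, so the losing invocation deletes the winner's lock on its way out and the next invocation runs concurrently against the same puppet tree. Record whether this process created the file and only remove it then, as in the fence below; `--force` keeps its meaning since it calls `remove_lockfile` directly. `DEFAULT_LOCKFILE = '/tmp/puppet.lock'` sits in a world-writable directory, so any local account can pre-create it to stall deploys or plant something for `--force` to unlink; a root-only location such as `/var/run/leap_puppet.lock` avoids both. `@verbosity` is never given a default, so a call without `--verbosity` raises `NoMethodError` on nil at `puts cmd if @verbosity >= 3` in `run`; start `main` with `@verbosity = 0`. The `--tags` value is spliced into a shell command string for `PTY.spawn`; passing an argument vector instead (`PTY.spawn($puppet_bin, 'apply', *params, manifest)`) removes shell interpretation of caller-supplied text.
```ruby
def with_lockfile(lock_file_path=DEFAULT_LOCKFILE)
  begin
    File.open(lock_file_path, File::CREAT | File::EXCL | File::WRONLY) do |o|
      o.write(Process.pid)
    end
    @lock_held = true   # only the process that created the file may remove it
    yield
    remove_lockfile
    @lock_held = false
  rescue Errno::EEXIST
    # … unchanged: "lock file already exists" message and exit(1) …
  rescue IOError => exc
    # … unchanged: IOError message and exit(1) …
  end
end

# … unchanged: run() …

Signal.trap("EXIT") do
  # a run that lost the lock must not delete the winner's lock file
  remove_lockfile if @lock_held
end
```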
@@ -1,9 +1,8 @@ class site_config::hosts() { - $hosts = hiera('hosts','') $hostname = hiera('name') - - $domain_public = $site_config::default::domain_hash['full_suffix'] + $domain_hash = hiera('domain') + $domain_public = $domain_hash['full_suffix'] file { "/etc/hostname": ensure => present, -- cgit v1.2.3 From 5bd90fd23c34874fa32880e27105b4bea130ec3b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Mar 2013 23:25:20 +0100 Subject: added stunnel config for bigcouch communication --- provider_base/services/couchdb.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 0c407316..41f9695f 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -4,11 +4,13 @@ "use": true }, "stunnel": { - "couch_server": "= stunnel_server(couch.port)" + "couch_server": "= stunnel_server(couch.port)", + "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)" }, "couch": { "port": 5984, "bigcouch": { + "port": 4369, "cookie": "= secret :bigcouch_cookie" }, "users": { -- cgit v1.2.3 From e0354eda8f1dba999c452caf99c40dcb6f7af33e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 08:57:35 +0100 Subject: working on stunnel for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++++++ puppet/modules/site_shorewall/manifests/couchdb.pp | 16 +++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..2133d6da 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
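Review bot: `bigcouch_replication_server` wraps `couch.bigcouch.port`, now set to `4369`, which is epmd's port; the name suggests it carries replication or cluster traffic, but epmd only answers name-to-port lookups, and the distribution traffic itself goes to a separately assigned port. Either name the key for what it tunnels (`bigcouch_epmd_server`) or, if the file's loader accepts `//` comments as webapp.json's removed NOTE suggests, annotate the port: `// epmd (Erlang port mapper); the distribution port range is handled separately`. Where that range is pinned and tunneled is not visible in this commit and is worth a pointer from here.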
@@ -39,5 +39,17 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + stunnel::service { 'bigcouch': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } } diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 9fa59569..5fa1861b 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -3,10 +3,13 @@ class site_shorewall::couchdb { include site_shorewall::defaults $couchdb_port = '6984' + # Erlang Port Mapper daemon, used for communication between + # bigcouch cluster nodes + $portmapper_port = '5369' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port", + content => "PARAM - - tcp $couchdb_port $portmapper_port", notify => Service['shorewall'], require => Package['shorewall'] } @@ -20,4 +23,15 @@ class site_shorewall::couchdb { order => 200; } + shorewall::rule { + 'dnat-bigcouch-clustering-to-stunnel': + destination => "net:${::ipaddress}:8080", + destinationport => $portmapper_port, + source => '$FW', + proto => 'tcp', + order => 200, + action => 'DNAT'; + } + + } -- cgit v1.2.3 From cc082541980df1062cb5b2d10f4980cf8b6664c9 Mon Sep 17 00:00:00 2001 
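Review bot: The new `'bigcouch'` service reuses `pid => '/var/run/stunnel4/couchdb.pid'`; if the existing `'couchdb'` service (outside this hunk) uses the same path, the two instances overwrite each other's pid file and the init script can stop only one of them — give it `pid => '/var/run/stunnel4/bigcouch.pid'`. `verify => '2'` on a server checks only that the client certificate chains to `$ca_path`; with a single provider CA issuing every node's certificate that admits any node of the provider as a cluster peer, not just bigcouch nodes, which is worth either a comment saying so or `verify => '3'` with the peer certificates installed. `accept => '6984'` is also the port the webapp-facing `'couchdb'` service binds, so the second instance will fail to start; the `accept`/`connect` pair looks copied from the entry above and needs the bigcouch ports.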
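Review bot: The comment over `$portmapper_port = '5369'` calls it the Erlang Port Mapper daemon, but epmd listens on 4369; 5369 is the stunnel accept port placed in front of it, and the macro opens that port to whatever zone the macro is applied from. Reword it to `# stunnel listener in front of epmd (4369); other bigcouch nodes connect here` and consider restricting the rule's source to the other couchdb nodes rather than the whole zone. The DNAT rule to `net:${::ipaddress}:8080` has no explanation and 8080 appears nowhere else in the hunk; if it stays it needs a comment stating what it redirects and why.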
From: varac Date: Tue, 19 Mar 2013 13:54:40 +0100 Subject: moved generic stunnel config from site_webapp to site_stunnel --- puppet/modules/site_stunnel/manifests/clients.pp | 32 ++++++++++++++++ puppet/modules/site_stunnel/manifests/setup.pp | 30 +++++++++++++++ puppet/modules/site_webapp/manifests/couchdb.pp | 21 +++++++++-- .../site_webapp/manifests/couchdb_stunnel.pp | 43 ---------------------- .../manifests/couchdb_stunnel/clients.pp | 17 --------- 5 files changed, 79 insertions(+), 64 deletions(-) create mode 100644 puppet/modules/site_stunnel/manifests/clients.pp create mode 100644 puppet/modules/site_stunnel/manifests/setup.pp delete mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel.pp delete mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp new file mode 100644 index 00000000..28ed6d3c --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -0,0 +1,32 @@ +define site_stunnel::clients ( + $accept_port, + $connect, + $client = true, + $cafile, + $key, + $cert, + $verify = '2', + $pid = $name, + $rndfile = '/var/lib/stunnel4/.rnd', + $debuglevel = '4' ) { + + $couchdb_stunnel_client_defaults = { + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel + } + } diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp new file mode 100644 index 00000000..a6384a6e --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/setup.pp 
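Review bot: `$verify = '2'` as the client-side default checks only that the server's certificate chains to `$cafile`; if one provider CA issues every node's certificate, a client tunnel accepts any provider node that answers on the connect address, not specifically the couchdb server it was configured for. That may be acceptable on a private network but deserves a comment on the parameter, e.g. `# verify 2: chain to CA only; any node cert from the provider CA is accepted`, or `verify => '3'` with the expected server certificate installed where the peer must be pinned. The `$couchdb_stunnel_client_defaults` hash inside the define references `$ca_path`, `$key_path` and `$cert_path`, none of which exist in this scope, and is never used — dead code from the move that should go.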
@@ -0,0 +1,30 @@ +class site_stunnel::setup ($cert_name, $key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $ca_name: + content => $ca, + notify => Service['stunnel']; + } + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ef61aeb6..e45691c1 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -33,10 +33,11 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_webapp::couchdb_stunnel': - key => $key, - cert => $cert, - ca => $ca + class { 'site_stunnel::setup': + cert_name => 'leap_couchdb', + key => $key, + cert => $cert, + ca => $ca } exec { 'migrate_design_documents': @@ -45,4 +46,16 @@ class site_webapp::couchdb { require => Exec['bundler_update'], notify => Service['apache']; } + + $couchdb_stunnel_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp deleted file mode 100644 index 325b18ee..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp +++ /dev/null 
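Review bot: `site_stunnel::setup` is a parameterised class declared resource-style (`class { 'site_stunnel::setup': ... }`) from site_webapp::couchdb in this commit; if a node can carry more than one service that needs a stunnel identity (webapp and couchdb on the same host, say), the second declaration is a duplicate-declaration compile error, and the single `$cert_name` cannot represent two identities anyway. Either state the constraint at the top of the class (`# Declare exactly once per node: installs the node's stunnel key, cert and CA under $cert_name`) or make the x509 resources a define keyed on `$cert_name` so several callers can coexist. The `notify => Service['stunnel']` on key, cert and CA is right — a rotated key without a restart would leave the old one in use.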
@@ -1,43 +0,0 @@ -class site_webapp::couchdb_stunnel ($key, $cert, $ca) { - - include x509::variables - include site_stunnel - - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - - $couchdb_stunnel_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' - } - - create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp deleted file mode 100644 index eac43b08..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp +++ /dev/null @@ -1,17 +0,0 @@ -define site_webapp::couchdb_stunnel::clients - ( $accept_port, $connect, $client, $cafile, $key, $cert, - $verify, $pid = $name, $rndfile, $debuglevel ) { - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } - } -- cgit v1.2.3 From 4b2aa1020d07d0ab25f907fbc6c76a3d78a6a84e Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 19 Mar 2013 15:11:54 +0100 Subject: shorewall couchdb config: get open ports right --- puppet/modules/site_shorewall/manifests/couchdb.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 5fa1861b..f1784a38 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -9,7 +9,7 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port $portmapper_port", + content => "PARAM - - tcp ${couchdb_port},${portmapper_port}", notify => Service['shorewall'], require => Package['shorewall'] } @@ -23,15 +23,15 @@ class site_shorewall::couchdb { order => 200; } - shorewall::rule { - 'dnat-bigcouch-clustering-to-stunnel': - destination => "net:${::ipaddress}:8080", - destinationport => $portmapper_port, - source => '$FW', - proto => 'tcp', - order => 200, - action => 'DNAT'; - } + #shorewall::rule { + # 'dnat-bigcouch-clustering-to-stunnel': + # destination => "net:${::ipaddress}:8080", + # destinationport => $portmapper_port, + # source => '$FW', + # proto => 'tcp', + # order => 200, + # action => 'DNAT'; + #} } -- cgit v1.2.3 From 4669a64cb8e63a67825a35513b51b4e1f2a4ec5d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:14:35 +0100 Subject: moving generic stunnel config from site_webapp to site_stunnel now working --- puppet/modules/site_stunnel/manifests/clients.pp | 31 +++++++++--------------- puppet/modules/site_stunnel/manifests/setup.pp | 6 ----- puppet/modules/site_webapp/manifests/couchdb.pp | 8 +++--- 3 files changed, 16 insertions(+), 29 deletions(-) diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 28ed6d3c..9f8aeaff 100644 
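Review bot: The DNAT rule is left behind as a commented-out block rather than removed; such blocks tend to be uncommented later without the reason they were disabled, and git already keeps the history. Either delete it or replace it with a one-line note giving the actual reason, e.g. `# no DNAT needed: bigcouch peers connect straight to the stunnel accept port`, which the commit message does not say. The macro fix `${couchdb_port},${portmapper_port}` correctly puts both ports in the DPORT column instead of making the second one a source port.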
--- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -10,23 +10,16 @@ define site_stunnel::clients ( $rndfile = '/var/lib/stunnel4/.rnd', $debuglevel = '4' ) { - $couchdb_stunnel_client_defaults = { - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel } +} diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index a6384a6e..7ec2378f 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -1,13 +1,7 @@ class site_stunnel::setup ($cert_name, $key, $cert, $ca) { - include x509::variables include site_stunnel - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { $cert_name: content => $key, diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e45691c1..48a95c8d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -34,7 +34,7 @@ class site_webapp::couchdb { } class { 'site_stunnel::setup': - cert_name => 'leap_couchdb', + cert_name => $cert_name, key => $key, cert => $cert, ca => $ca 
@@ -49,9 +49,9 @@ class site_webapp::couchdb { $couchdb_stunnel_client_defaults = { 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", 'verify' => '2', 'rndfile' => '/var/lib/stunnel4/.rnd', 'debuglevel' => '4' -- cgit v1.2.3 From ec2727a1cae91c34233c831ae31277690a8ef3dc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:29:48 +0100 Subject: added bigcouch.conf as incoming stunnel config for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 28 +++++++++--------------- 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2133d6da..d16e09b5 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -9,24 +9,14 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } + # webapp access stunnel::service { 'couchdb': accept => '6984', connect => '127.0.0.1:5984', 
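Review bot: Replacing the three x509 resources with `class { 'site_stunnel::setup': ... }` drops the explicit `notify => Service['stunnel']` each of them carried; whether the x509 resources inside site_stunnel::setup notify the service cannot be seen here, since its setup.pp hunk earlier on this page cuts off after `content => $key,`. If they do not, a rotated key or certificate is written to disk but stunnel keeps the old one loaded until an unrelated restart. Worth confirming, or adding `notify => Service['stunnel']` to the x509 resources in site_stunnel::setup.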
@@ -39,9 +29,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clustering between bigcouch nodes stunnel::service { 'bigcouch': - accept => '6984', - connect => '127.0.0.1:5984', + accept => '5369', + connect => '127.0.0.1:4369', client => false, cafile => $ca_path, key => $key_path, -- cgit v1.2.3 From bb0f29e2d7ae2db57257eb4d1a20616c5c834a4e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:07 +0100 Subject: make site_stunnel::clients connect_port configurable --- puppet/modules/site_stunnel/manifests/clients.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 9f8aeaff..b23c7bc6 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -1,5 +1,6 @@ define site_stunnel::clients ( $accept_port, + $connect_port, $connect, $client = true, $cafile, @@ -12,7 +13,7 @@ define site_stunnel::clients ( stunnel::service { $name: accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", + connect => "${connect}:${connect_port}", client => $client, cafile => $cafile, key => $key, -- cgit v1.2.3 From d9c9cbb7ae5fde7767ac6b2cbc25936a0045104d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:45 +0100 Subject: addded client side of bigcouch cluster protocol stunnel config --- puppet/modules/site_couchdb/manifests/stunnel.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d16e09b5..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
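Review bot: `$connect_port` is added as a parameter with no default, so every `create_resources(site_stunnel::clients, ...)` caller must now supply it; site_webapp::couchdb's `$couchdb_stunnel_client_defaults` (shown earlier on this page) carries no `connect_port`, so that catalog fails to compile until the caller is updated. Giving the parameter the previous hard-coded value as a default, `$connect_port = '6984',`, keeps existing callers working while letting the bigcouch clients override it.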
@@ -31,6 +31,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } # clustering between bigcouch nodes + + # server stunnel::service { 'bigcouch': accept => '5369', connect => '127.0.0.1:4369', @@ -43,5 +45,19 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clients + $couchdb_stunnel_client_defaults = { + 'connect_port' => '5369', + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + } -- cgit v1.2.3 From af141e738c8b90a11ff8009e2eed602b168e4fc3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:28:48 +0100 Subject: add stunnel hiera values to provider_base/services/couchdb.json for bigcouch cluster protocol --- provider_base/services/couchdb.json | 1 + 1 file changed, 1 insertion(+) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 41f9695f..7b649da9 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -7,6 +7,7 @@ "couch_server": "= stunnel_server(couch.port)", "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)" }, + "stunnel": "= nextport = 4000; nodes_like_me[:services => :couchdb].values.inject({}) {|hsh, node| hsh[node.name + node.couch.bigcouch.port.to_s] = {'accept_port' => nextport.to_s, 'connect' => node.domain.full }; nextport+=1; hsh}", "couch": { "port": 5984, "bigcouch": { -- cgit v1.2.3 From 7a08ff22b0317e77895e4ff52e6f56db70afb8df Mon Sep 17 00:00:00 2001 
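Review bot: `create_resources(site_stunnel::clients, hiera('stunnel'), ...)` looks the key up without a default, so a couchdb node whose hiera data lacks `stunnel` aborts catalog compilation instead of simply declaring no client tunnels; `hiera('stunnel', {})` gives the empty case a sane meaning. It also turns every entry under `stunnel` into a client tunnel, which only works while that key holds nothing but peer entries — selecting a dedicated sub-key would be more robust. The `'client' => true` default duplicates the define's own default and can go.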
From: varac Date: Wed, 20 Mar 2013 20:06:47 +0100 Subject: increase stunnel verbosity until everything is running smooth --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..44ddae0b 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '7' } # clients -- cgit v1.2.3 From 6f422863966a7e361f1c52be33a50e55bb39b9ff Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 20:28:08 +0100 Subject: updated shorewall dnat hiera values for bigcouch cluster protocol --- provider_base/services/couchdb.json | 1 - 1 file changed, 1 deletion(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 7b649da9..41f9695f 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -7,7 +7,6 @@ "couch_server": "= stunnel_server(couch.port)", "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)" }, - "stunnel": "= nextport = 4000; nodes_like_me[:services => :couchdb].values.inject({}) {|hsh, node| hsh[node.name + node.couch.bigcouch.port.to_s] = {'accept_port' => nextport.to_s, 'connect' => node.domain.full }; nextport+=1; hsh}", "couch": { "port": 5984, "bigcouch": { -- cgit v1.2.3 From fbcc9e9a93816374e1b53b561df4b9d2a59ae7b8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:01:41 +0100 Subject: added site_shorewall::dnat to configure DNAT rules --- puppet/modules/site_shorewall/manifests/dnat.pp | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/dnat.pp 
diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp new file mode 100644 index 00000000..5992c91f --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat.pp @@ -0,0 +1,19 @@ +define site_shorewall::dnat ( + $source, + $destination, + $proto, + $destinationport, + $originaldest ) { + + + shorewall::rule { + "dnat_${name}_${destinationport}": + source => $source, + destination => $destination, + destinationport => $destinationport, + originaldest => $originaldest, + proto => $proto, + order => 200, + action => 'DNAT'; + } +} -- cgit v1.2.3 From 40f32a207957293dd7c9a85df3bcccd340e16522 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:02:55 +0100 Subject: added site_shorewall::couchdb::bigcouch bigcouch cluster protocol communicate via the fqdn of the neighbor hosts. So we need to bend all requests to :4369 to localhost:400x (which is the entry of an stunnel connection to the other neighbor) --- puppet/modules/site_shorewall/manifests/couchdb.pp | 11 ----------- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 7 +++++++ 2 files changed, 7 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index f1784a38..a448dd42 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -23,15 +23,4 @@ class site_shorewall::couchdb { order => 200; } - #shorewall::rule { - # 'dnat-bigcouch-clustering-to-stunnel': - # destination => "net:${::ipaddress}:8080", - # destinationport => $portmapper_port, - # source => '$FW', - # proto => 'tcp', - # order => 200, - # action => 'DNAT'; - #} - - } 
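Review bot: The new `site_shorewall::dnat` define has no header comment explaining what each parameter maps to in the shorewall rule, while `$proto` and `$originaldest` are required with no defaults and `order => 200` is fixed. A short header such as `# Shorewall DNAT rule: traffic from $source to $originaldest:$destinationport over $proto is redirected to $destination` would make the create_resources call sites readable. The double blank line after the parameter list is lint noise.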
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp new file mode 100644 index 00000000..f96ef87b --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -0,0 +1,7 @@ +class site_shorewall::couchdb::bigcouch inherits site_shorewall::couchdb { + + include site_shorewall::defaults + + create_resources(site_shorewall::dnat, hiera('shorewall_dnat')) + +} -- cgit v1.2.3 From 34a44db0de9a7d79ac68e93e79f29dcc32a30c76 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:07:25 +0100 Subject: couchdb hosts include site_shorewall::couchdb::bigcouch --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) { } include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch } -- cgit v1.2.3 From 6e223037a4ca36273984c0ab0f2eb9b81f5f10da Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:11:40 +0100 Subject: decrease stunnel debug level --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 44ddae0b..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '7' + debuglevel => '4' } # clients -- cgit v1.2.3 From 63e6b8633e07045751011c0218f9e6891e25cca5 Mon Sep 17 00:00:00 2001 
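Review bot: `create_resources(site_shorewall::dnat, hiera('shorewall_dnat'))` has no hiera default, so any node that includes this class without a `shorewall_dnat` key fails catalog compilation rather than applying no DNAT rules; `hiera('shorewall_dnat', {})` is the usual guard. A comment naming the keys each `shorewall_dnat` entry must provide (the define's required parameters) would also help whoever writes the hiera data.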
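Review bot: `include site_shorewall::couchdb::bigcouch` is unconditional, although the hunk header shows the class takes `$bigcouch = false`; a plain couchdb node therefore gets the bigcouch DNAT rules, and the hiera lookup they require, as well. Guarding it with `if $bigcouch { include site_shorewall::couchdb::bigcouch }` keeps the firewall configuration of non-clustered nodes unchanged, assuming `$bigcouch` is what selects clustering elsewhere in the class.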
From: varac Date: Wed, 20 Mar 2013 22:17:55 +0100 Subject: provide stunnel connect_port to site_webapp:couchdb --- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 48a95c8d..ffc4454b 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -48,6 +48,7 @@ class site_webapp::couchdb { } $couchdb_stunnel_client_defaults = { + 'connect_port' => '6984', 'client' => true, 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", 'key' => "${x509::variables::keys}/${cert_name}.key", -- cgit v1.2.3 From e9b00c6efb65faa4c0dfa955527fafc2b13889d4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:31:51 +0100 Subject: fix bigcouch stunnel pid name --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..f5001051 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -25,7 +25,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouch.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } -- cgit v1.2.3 From eac4d82da1675d839fcdc2360df5929e41322c2d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Mar 2013 14:03:07 +0100 Subject: start erlang vm on dedicated port so firewalling is easier --- puppet/modules/site_shorewall/manifests/couchdb.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index a448dd42..04b608e2 100644 
--- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -7,9 +7,12 @@ class site_shorewall::couchdb { # bigcouch cluster nodes $portmapper_port = '5369' + # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 + $erlang_vm_port = '9001' + # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couchdb_port},${portmapper_port}", + content => "PARAM - - tcp ${couchdb_port},${portmapper_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 50cbfca55b99c0e284aff23c8f779499f4af1f4a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Mar 2013 13:52:22 -0400 Subject: remove duplicate 'include site_stunnel' this already exists in class site_stunnel::setup which is instantiated in this class --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index f5001051..9e1bad49 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,7 +1,6 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include x509::variables - include site_stunnel $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' -- cgit v1.2.3 From 8b75721b7941c8ab6b7dc05101e80a121dcb0849 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:09:45 -0400 Subject: shorewall: add couch_server stunnel port to macro.leap_couchdb, this is necessary for the stunnel to communicate --- puppet/modules/site_shorewall/manifests/couchdb.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 04b608e2..6a8c2cf2 100644 
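Review bot: Adding `${erlang_vm_port}` to macro.leap_couchdb exposes the Erlang VM port through whichever rule uses the macro — the `net2fw-couchdb` rule shown in context elsewhere on this page has `source => 'net'` — so port 9001 becomes reachable from the net zone while couchdb itself is only reached through stunnel with client verification. Erlang distribution authenticates peers only by a shared cookie, so if the port must be open, a rule limited to the cluster peers' addresses would be safer than the generic net-wide macro. A comment stating why 9001 needs to be reachable from outside would help the next reader either way; the linked stackoverflow thread explains the pin, not the exposure.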
--- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -2,7 +2,10 @@ class site_shorewall::couchdb { include site_shorewall::defaults - $couchdb_port = '6984' + $stunnel = hiera('stunnel') + $couch_server = $stunnel['couch_server'] + $couch_stunnel_port = $couch_server['accept'] + # Erlang Port Mapper daemon, used for communication between # bigcouch cluster nodes $portmapper_port = '5369' @@ -12,12 +15,11 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couchdb_port},${portmapper_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port},${portmapper_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } - shorewall::rule { 'net2fw-couchdb': source => 'net', -- cgit v1.2.3 From ebc6b4f0e8f8c29b02b284d60402faaddbe2f6a3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:10:33 -0400 Subject: lint so default options are together --- puppet/modules/site_stunnel/manifests/clients.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index b23c7bc6..ed766e1a 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -2,10 +2,10 @@ define site_stunnel::clients ( $accept_port, $connect_port, $connect, - $client = true, $cafile, $key, $cert, + $client = true, $verify = '2', $pid = $name, $rndfile = '/var/lib/stunnel4/.rnd', -- cgit v1.2.3 From fa65ec5b35433ecc643aa240db4c42e60dac6af9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:16:54 -0400 Subject: remove unnecessary class inheritance --- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
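Review bot: `$couch_server['accept']` is dropped straight into the macro as a port, which assumes the stunnel_server hiera value for `accept` is a bare port number; the sibling `connect` value is later stripped of an `ip:` prefix with regsubst in the bigcouch hunk further down this page, so if `accept` ever carries the same `host:port` form the macro line becomes `PARAM - - tcp host:port,...` and shorewall rejects it. A `validate_re($couch_stunnel_port, '^[0-9]+$')` from stdlib, or the same regsubst used for connect, would make the assumption explicit. `hiera('stunnel')` also has no default here.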
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index f96ef87b..2afdea87 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -1,4 +1,4 @@ -class site_shorewall::couchdb::bigcouch inherits site_shorewall::couchdb { +class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults -- cgit v1.2.3 From 6714ff4ae1a53b6b3eda66f13c2212c3ba285bf3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:19:46 -0400 Subject: refactor couch_client stunnel to use new stunnel_client leap_cli macro re-order variables to be more consistant --- puppet/modules/site_webapp/manifests/couchdb.pp | 32 +++++++++++++++---------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ffc4454b..e956fd54 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,9 +1,5 @@ class site_webapp::couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] $webapp = hiera('webapp') # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' 
@@ -13,6 +9,21 @@ class site_webapp::couchdb { $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variable + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), @@ -48,15 +59,12 @@ class site_webapp::couchdb { } $couchdb_stunnel_client_defaults = { - 'connect_port' => '6984', + 'connect_port' => $couch_client_connect, 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) } -- cgit v1.2.3 From dd459efb1063de6c11f9f11583290c6a0891436a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:22:52 -0400 Subject: replace long-form variables with shorter ones remove unnecessary bigcouch_replication_client_default values (verify, rndfile, debuglevel) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
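Review bot: `include x509::variable` names a class that does not match the `x509::variables` namespace used on the very next lines and everywhere else on this page (site_couchdb::stunnel, site_stunnel::setup), so the include either fails catalog compilation or silently does nothing while `${x509::variables::local_CAs}` and friends resolve to empty strings. The line should read `include x509::variables`.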
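Review bot: `$couch_client` is used in two incompatible ways: `$couch_client['connect']` reads it as a single stunnel endpoint hash, but `create_resources(site_stunnel::clients, $couch_client, ...)` treats it as a hash of resource titles to parameter hashes, so under the first reading create_resources receives string values where it expects hashes, and under the second `['connect']` is undefined. Which shape the `stunnel_client` leap_cli macro produces cannot be seen here; the code should commit to one, e.g. keep `$couch_client` as the title→params hash and drop `$couch_client_connect` from the defaults if each entry already carries `connect_port`.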
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 9e1bad49..a49b51b9 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -49,12 +49,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couchdb_stunnel_client_defaults = { 'connect_port' => '5369', 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) -- cgit v1.2.3 From baf3ed5b6db4e8af052564864d8c3e426cf5d9d0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:32:42 -0400 Subject: switch to using stunnel_client and stunnel_server leap_cli macros add bigcouch_replication_clients to couchdb.json change site_couchdb/manifests/stunnel to use stunnel_client and stunnel_server generated hiera values to setup the stunnels for the couch_server connections, and the bigcouch_replication_server and bigcouch_replication_clients tunnels instead of using hard-coded ips and ports. also change the pid names to be more consistent with what the tunnels are and are named --- provider_base/services/couchdb.json | 3 +- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++--------- 2 files changed, 28 insertions(+), 16 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 41f9695f..c00f08cd 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json 
@@ -5,7 +5,8 @@ }, "stunnel": { "couch_server": "= stunnel_server(couch.port)", - "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)" + "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)", + "bigcouch_replication_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.port)" }, "couch": { "port": 5984, diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index a49b51b9..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,13 +1,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { - include x509::variables + $stunnel = hiera('stunnel') + + $couch_server = $stunnel['couch_server'] + $couch_server_accept = $couch_server['accept'] + $couch_server_connect = $couch_server['connect'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] + $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" + # basic setup: ensure cert, key, ca files are in place, and some generic + # stunnel things are done class { 'site_stunnel::setup': cert_name => $cert_name, key => $key, 
@@ -15,45 +28,43 @@ class site_couchdb::stunnel ($key, $cert, $ca) { ca => $ca } - # webapp access - stunnel::service { 'couchdb': - accept => '6984', - connect => '127.0.0.1:5984', + # setup a stunnel server for the webapp to connect to couchdb + stunnel::service { 'couch_server': + accept => $couch_server_accept, + connect => $couch_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouch.pid', + pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } - # clustering between bigcouch nodes + # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch': - accept => '5369', - connect => '127.0.0.1:4369', + stunnel::service { 'bigcouch_replication_server': + accept => $bigcouch_replication_server_accept, + connect => $bigcouch_replication_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouchreplication_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $couchdb_stunnel_client_defaults = { - 'connect_port' => '5369', + $bigcouch_replication_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) } - -- cgit v1.2.3 From 128c8ddfd4969a9b9b525cb4f4a34b1e98c2fe76 Mon Sep 17 00:00:00 2001 
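Review bot: `$bigcouch_replication_client_defaults` no longer supplies `connect_port`, and site_stunnel::clients requires it, so each entry produced by the `stunnel_client` macro in couchdb.json must now carry `connect_port` as well as `accept_port` and `connect`; that cannot be verified from this page, so a comment on the hash naming the keys the hiera entries are expected to provide would save the next reader a compile failure. The `'client' => true` default repeats the define's own default. The pid names are also inconsistent — `couchserver.pid` versus `bigcouchreplication_server.pid`; `couch_server.pid` and `bigcouch_replication_server.pid` would mirror the resource titles.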
From: Micah Anderson Date: Sun, 31 Mar 2013 12:39:36 -0400 Subject: shorewall: create a macro for the bigcouch replication server stunnel to enable these connections pulling bigcouch_replication_clients, bigcouch_replication_server_port from hiera create site_shorewall::couchdb::dnat and create_resources to properly setup DNAT for bigcouch_replication_clients --- .../site_shorewall/manifests/couchdb/bigcouch.pp | 30 +++++++++++++++++++++- .../site_shorewall/manifests/couchdb/dnat.pp | 21 +++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb/dnat.pp diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index 2afdea87..a0d63d15 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -2,6 +2,34 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults - create_resources(site_shorewall::dnat, hiera('shorewall_dnat')) + $stunnel = hiera('stunnel') + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_bigcouch': + content => "PARAM - - tcp ${bigcouch_replication_server_port}", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-bigcouch': + source => 'net', + destination => '$FW', + action => 'leap_bigcouch(ACCEPT)', + order => 300; + } + + $bigcouch_shorewall_dnat_defaults = { + 'source' => '$FW', + 'proto' => 'tcp', + 'destinationport' => '4369', + } + + create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) } + 
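Review bot: `net2fw-bigcouch` accepts the replication stunnel port from the entire `net` zone; the matching stunnel server in site_couchdb::stunnel uses `verify => '2'`, so unauthenticated peers are rejected at the TLS layer, but the listener itself remains reachable by anyone. The peer addresses are already present in `$bigcouch_replication_clients`, so a rule restricted to those sources, or a comment recording why net-wide access is acceptable, would tighten the exposure. `hiera('stunnel')` is looked up without a default here too.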
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp new file mode 100644 index 00000000..85cea9d5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -0,0 +1,21 @@ +define site_shorewall::couchdb::dnat ( + $source, + $connect, + $connect_port, + $accept_port, + $proto, + $destinationport ) +{ + + + shorewall::rule { + "dnat_${name}_${destinationport}": + source => $source, + destination => "\$FW:127.0.0.1:${accept_port}", + destinationport => $destinationport, + originaldest => $connect, + proto => $proto, + order => 200, + action => 'DNAT'; + } +} -- cgit v1.2.3 From c849ef699d6426b3161f901eea625247cdefbef5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 16:41:06 -0400 Subject: fix variable curly braces --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 81795f7d..1e1590f5 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -9,7 +9,7 @@ class site_config::hosts() { content => $hostname } - exec { "/bin/hostname $hostname": + exec { "/bin/hostname ${hostname}": subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], refreshonly => true; } -- cgit v1.2.3 From ee1555bd9091e1ffe66e54856d2bde72d50a7e60 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 16:55:12 -0400 Subject: firewall: remove no longer needed epmd port --- puppet/modules/site_shorewall/manifests/couchdb.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 6a8c2cf2..1ef91bb0 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp 
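Review bot: `$connect_port` is declared as a required parameter but never used in the rule body; it is presumably there only because the hiera entries passed through create_resources carry that key, and a comment such as `# accepted only so stunnel_client hiera entries can be passed unchanged; unused here` would stop someone from "fixing" it by removal or by wiring it into the rule. The define also lacks a header comment stating what it does: redirect local connections to `$connect:$destinationport` into the stunnel client listening on `127.0.0.1:$accept_port`. The two blank lines after the parameter list are lint noise.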
@@ -6,16 +6,12 @@ class site_shorewall::couchdb { $couch_server = $stunnel['couch_server'] $couch_stunnel_port = $couch_server['accept'] - # Erlang Port Mapper daemon, used for communication between - # bigcouch cluster nodes - $portmapper_port = '5369' - # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 $erlang_vm_port = '9001' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couch_stunnel_port},${portmapper_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 0227e03513f38cfae4a041ba6740b425fdc21198 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 17:09:22 -0400 Subject: replace hard-coded port number with hiera determined one, manipulated to remove the 'ip:' from the beginning in bigcouch replication client stunnels --- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index a0d63d15..85272657 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -7,6 +7,7 @@ class site_shorewall::couchdb::bigcouch { $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + $bigcouch_replication_connect = $bigcouch_replication_server['connect'] # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': 
@@ -26,7 +27,7 @@ class site_shorewall::couchdb::bigcouch { $bigcouch_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', - 'destinationport' => '4369', + 'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') } create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) -- cgit v1.2.3 From 1750bec7032e90ddbe43da35eb5f49066187d1d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 17:43:43 -0400 Subject: shorewall: re-order dnat rule variables to match configuration file order --- puppet/modules/site_shorewall/manifests/couchdb/dnat.pp | 6 +++--- puppet/modules/site_shorewall/manifests/dnat.pp | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp index 85cea9d5..f1bc9acf 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -10,12 +10,12 @@ define site_shorewall::couchdb::dnat ( shorewall::rule { "dnat_${name}_${destinationport}": + action => 'DNAT', source => $source, destination => "\$FW:127.0.0.1:${accept_port}", + proto => $proto, destinationport => $destinationport, originaldest => $connect, - proto => $proto, - order => 200, - action => 'DNAT'; + order => 200 } } diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp index 5992c91f..a73294cc 100644 --- a/puppet/modules/site_shorewall/manifests/dnat.pp +++ b/puppet/modules/site_shorewall/manifests/dnat.pp 
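Review bot: `regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2')` only matches an IPv4 literal followed by a port; when regsubst finds no match it returns the input unchanged, so a `connect` value of the form `hostname:port` or with an IPv6 address would place the whole `host:port` string into `destinationport`, failing at shorewall compile time rather than here. Anchoring on the last colon instead, `regsubst($bigcouch_replication_connect, '^.*:([0-9]+)$', '\1')`, covers all three forms, and a `validate_re` on the result would catch the no-match case loudly.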
@@ -8,12 +8,12 @@ define site_shorewall::dnat ( shorewall::rule { "dnat_${name}_${destinationport}": + action => 'DNAT', source => $source, destination => $destination, + proto => $proto, destinationport => $destinationport, originaldest => $originaldest, - proto => $proto, - order => 200, - action => 'DNAT'; + order => 200 } } -- cgit v1.2.3 From 4ed5d33f33c488a6a6d5f6a5e8f57b74ecd53a7d Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 2 Apr 2013 15:38:44 -0700 Subject: added password salt to services/couchdb.json (requires latest leap_cli) --- provider_base/services/couchdb.json | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 0c407316..e60f4e0f 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -14,15 +14,18 @@ "users": { "admin": { "username": "admin", - "password": "= secret :couch_admin_password" + "password": "= secret :couch_admin_password", + "salt": "= hex_secret :couch_admin_password_salt, 128" }, "webapp": { "username": "webapp", - "password": "= secret :couch_webapp_password" + "password": "= secret :couch_webapp_password", + "salt": "= hex_secret :couch_webapp_password_salt, 128" }, "ca_daemon": { "username": "ca_daemon", - "password": "= secret :couch_ca_daemon_password" + "password": "= secret :couch_ca_daemon_password", + "salt": "= hex_secret :couch_ca_daemon_password_salt, 128" } } } -- cgit v1.2.3 From 82db11a2efdd0d543b56c99a80cad4ffd90d5ba9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 3 Apr 2013 14:16:10 -0400 Subject: switch stunnel module to our version which has been modified for 2.7 parameterized classes and qualified variables update our stunnel class instantiation to be parameterized --- .gitmodules | 2 +- puppet/modules/site_stunnel/manifests/init.pp | 3 +-- puppet/modules/stunnel | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/.gitmodules b/.gitmodules index 88858054..717ae5ed 100644 --- a/.gitmodules +++ b/.gitmodules @@ -69,7 +69,7 @@ url = git://labs.riseup.net/shared-tor [submodule "puppet/modules/stunnel"] path = puppet/modules/stunnel - url = git://labs.riseup.net/shared-stunnel + url = git://code.leap.se/puppet_stunnel [submodule "puppet/modules/haproxy"] path = puppet/modules/haproxy url = git://code.leap.se/puppet_haproxy diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index 6ba2c4b8..c7d6acc6 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -2,8 +2,7 @@ class site_stunnel { # include the generic stunnel module # increase the number of open files to allow for 800 connections - $stunnel_default_extra = 'ulimit -n 4096' - include stunnel + class { 'stunnel': default_extra => 'ulimit -n 4096' } # The stunnel.conf provided by the Debian package is broken by default # so we get rid of it and just define our own. See #549384 diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 03b51fcb..b53d5742 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 03b51fcb718734f4b2ea76c038ffbe9b2b348b1a +Subproject commit b53d574250598178af298c59be957693eaaddb22 -- cgit v1.2.3 From 710e4dd1826f4c98c787108a048fd679cc990d67 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 3 Apr 2013 11:20:57 -0700 Subject: added contacts.english for when you need a descriptive contact rather than an email address contact. --- provider_base/provider.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index cf1baac6..e698b5dd 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json 
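Review bot: The rewritten submodule URL still uses the `git://` transport, which gives neither server authentication nor encryption, so the only integrity the fetch gets is the pinned commit recorded in the same commit (`Subproject commit b53d574250598178af298c59be957693eaaddb22`). The riseup URL it replaces had the same property, but since the line is being changed anyway this is the moment to point it at an authenticated transport (an https:// or ssh URL for the same repository, if the host offers one; that cannot be told from the page). A short comment next to the entry noting that the pin is what guarantees the checked-out content would help whoever next bumps the submodule.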
@@ -8,7 +8,8 @@ "en": "REQUIRED" }, "contacts": { - "default": "REQUIRED" + "default": "REQUIRED", + "english": "= contacts.default.split('@').join(' at the domain ')" }, "languages": ["en"], "default_language": "en", -- cgit v1.2.3 From 705890760c7153efc987fdf6eab7d5a90cf98158 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 3 Apr 2013 11:22:34 -0700 Subject: minor fix to puppet_command (--verbose no longer required, added default --tags) --- bin/puppet_command | 54 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 23 deletions(-) diff --git a/bin/puppet_command b/bin/puppet_command index 672a3699..a6cd5a69 100755 --- a/bin/puppet_command +++ b/bin/puppet_command @@ -7,14 +7,31 @@ # (exit codes, lockfile, multiple manifests, etc) # -$puppet_bin = '/usr/bin/puppet' -$puppet_directory = '/srv/leap' -$puppet_parameters = '--color=false --detailed-exitcodes --libdir=puppet/lib --confdir=puppet' -$site_manifest = 'puppet/manifests/site.pp' -$setup_manifest = 'puppet/manifests/setup.pp' +PUPPET_BIN = '/usr/bin/puppet' +PUPPET_DIRECTORY = '/srv/leap' +PUPPET_PARAMETERS = '--color=false --detailed-exitcodes --libdir=puppet/lib --confdir=puppet' +SITE_MANIFEST = 'puppet/manifests/site.pp' +SETUP_MANIFEST = 'puppet/manifests/setup.pp' +DEFAULT_TAGS = 'leap_base,leap_service' def main + process_command_line_arguments + with_lockfile do + @commands.each do |command| + self.send(command) + end + end +end + +def puts(str) + $stdout.puts str + $stdout.flush +end + +def process_command_line_arguments @commands = [] + @verbosity = 1 + @tags = DEFAULT_TAGS loop do case ARGV[0] when 'apply' then ARGV.shift; @commands << 'apply' @@ -27,16 +44,6 @@ def main end end usage("No command given") unless @commands.any? - with_lockfile do - @commands.each do |command| - self.send(command) - end - end -end - -def puts(str) - $stdout.puts str - $stdout.flush end def apply 
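Review bot: `def puts(str)` in the relocated helper overrides Kernel#puts with a one-argument signature, so any bare `puts` or multi-argument `puts` elsewhere in the script raises ArgumentError; `def puts(*args)` with `$stdout.puts(*args)` keeps the flush behaviour without narrowing the interface. The dispatch in main, `self.send(command)`, is only safe because `@commands` receives nothing but the literal names pushed by the `case ARGV[0]` whitelist in process_command_line_arguments; a comment above that loop, `# only the literal command names added below are ever passed to send`, would keep a later change from pushing raw ARGV values into @commands. The rest of the case branches are outside the hunk, so I am assuming they follow the same literal pattern as the visible `when 'apply'` line.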
@@ -47,11 +54,12 @@ def apply end def set_hostname - exit_code = puppet_apply(:manifest => $setup_manifest, :tags => '') do |line| - # todo: how to suppress this? - # dnsdomainname: Name or service not known - # warning: Could not retrieve fact fqdn - if line !~ /Finished catalog run/ || @verbosity > 2 + exit_code = puppet_apply(:manifest => SETUP_MANIFEST, :tags => '') do |line| + # todo: replace setup.pp with https://github.com/lutter/ruby-augeas + # or try this: http://www.puppetcookbook.com/posts/override-a-facter-fact.html + if (line !~ /Finished catalog run/ || @verbosity > 2) && + (line !~ /dnsdomainname: Name or service not known/) && + (line !~ /warning: Could not retrieve fact fqdn/) puts line end end @@ -69,9 +77,9 @@ end # def puppet_apply(options={}, &block) options = {:verbosity => @verbosity, :tags => @tags}.merge(options) - manifest = options[:manifest] || $site_manifest - Dir.chdir($puppet_directory) do - return run("#{$puppet_bin} apply #{custom_parameters(options)} #{$puppet_parameters} #{manifest}", &block) + manifest = options[:manifest] || SITE_MANIFEST + Dir.chdir(PUPPET_DIRECTORY) do + return run("#{PUPPET_BIN} apply #{custom_parameters(options)} #{PUPPET_PARAMETERS} #{manifest}", &block) end end -- cgit v1.2.3 From e1aa287ee60d39cc55a1b31da59652898eb21b5c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 3 Apr 2013 15:03:54 -0400 Subject: automatic update to stunnel module --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index b53d5742..75d387fc 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit b53d574250598178af298c59be957693eaaddb22 +Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 -- cgit v1.2.3 From 264e63967d9247e42662182aec771fbfb81e8e8e Mon Sep 17 00:00:00 2001 
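Review bot: puppet_apply still hands run() a single interpolated shell string, `"#{PUPPET_BIN} apply #{custom_parameters(options)} #{PUPPET_PARAMETERS} #{manifest}"`; if custom_parameters() emits values that originate on the command line (the `@tags` and `@verbosity` settings set up in process_command_line_arguments), they reach the shell unquoted. custom_parameters and run are outside the hunk, so this cannot be confirmed here; if it is the case, wrapping each interpolated value in `Shellwords.escape` (with `require 'shellwords'`) or passing an argument array instead of a string closes it. The constants replacing the globals are an improvement; a one-line comment on PUPPET_PARAMETERS saying these flags are fixed and never user-supplied would document the boundary.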
From: Micah Anderson Date: Thu, 4 Apr 2013 11:27:59 -0400 Subject: rename the bigcouch_replication_[server,client] to be the more accurately, and shorter named epmd (erlang port mapper daemon) --- provider_base/services/couchdb.json | 4 ++-- puppet/modules/site_couchdb/manifests/stunnel.pp | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index ce46e3bb..111baf08 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -5,8 +5,8 @@ }, "stunnel": { "couch_server": "= stunnel_server(couch.port)", - "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)", - "bigcouch_replication_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.port)" + "epmd_server": "= stunnel_server(couch.bigcouch.port)", + "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.port)" }, "couch": { "port": 5984, diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1eb79293..40b8f450 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
@@ -6,11 +6,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couch_server_accept = $couch_server['accept'] $couch_server_connect = $couch_server['connect'] - $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] - $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] - $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $epmd_server = $stunnel['epmd_server'] + $epmd_server_accept = $epmd_server['accept'] + $epmd_server_connect = $epmd_server['connect'] - $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + $epmd_clients = $stunnel['epmd_clients'] include x509::variables $cert_name = 'leap_couchdb' @@ -45,26 +45,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch_replication_server': - accept => $bigcouch_replication_server_accept, - connect => $bigcouch_replication_server_connect, + stunnel::service { 'epmd_server': + accept => $epmd_server_accept, + connect => $epmd_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouchreplication_server.pid', + pid => '/var/run/stunnel4/epmd_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $bigcouch_replication_client_defaults = { + $epmd_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) + create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) } -- cgit v1.2.3 From e530f0c1d1a0a26bd277b70197b1f26871d92b1b Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 4 Apr 2013 11:40:12 -0400 Subject: rename bigcouch.port to more accurate bigcouch.epmd_port --- provider_base/services/couchdb.json | 6 +++--- .../modules/site_shorewall/manifests/couchdb/bigcouch.pp | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 111baf08..3ef4c213 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -5,13 +5,13 @@ }, "stunnel": { "couch_server": "= stunnel_server(couch.port)", - "epmd_server": "= stunnel_server(couch.bigcouch.port)", - "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.port)" + "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)", + "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)", }, "couch": { "port": 5984, "bigcouch": { - "port": 4369, + "epmd_port": 4369, "cookie": "= secret :bigcouch_cookie" }, "users": { diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index 85272657..a8320df8 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp 
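Review bot: The new `"epmd_clients": "...",` line is now the last member of the `stunnel` object, so the trailing comma before `},` makes the file invalid strict JSON; whether leap_cli's reader tolerates it cannot be told from here. The comma should be dropped: `"epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)"`. A later commit on this page inserts the ednp entries after it, which masks the problem rather than fixing it in this commit.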
@@ -3,15 +3,15 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults $stunnel = hiera('stunnel') - $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + $epmd_clients = $stunnel['epmd_clients'] - $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] - $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] - $bigcouch_replication_connect = $bigcouch_replication_server['connect'] + $epmd_server = $stunnel['epmd_server'] + $epmd_server_port = $epmd_server['accept'] + $epmd_server_connect = $epmd_server['connect'] # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': - content => "PARAM - - tcp ${bigcouch_replication_server_port}", + content => "PARAM - - tcp ${epmd_server_port}", notify => Service['shorewall'], require => Package['shorewall'] } @@ -24,13 +24,13 @@ class site_shorewall::couchdb::bigcouch { order => 300; } - $bigcouch_shorewall_dnat_defaults = { + $epmd_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', - 'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') + 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') } - create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) + create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults) } -- cgit v1.2.3 From c228491af3929e07766903c3ce29a06fab86ad63 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 12:08:55 -0400 Subject: remove the apache_ssl_proxy cleanup --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 13 ------------- puppet/modules/site_couchdb/manifests/init.pp | 6 ++---- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp 
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp deleted file mode 100644 index 536dd8db..00000000 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_couchdb::apache_ssl_proxy { - -# This is here to disable the previously configured apache ssl proxy -# we were using this, but have switched to stunnel instead. -# -# Unfortunately, the current apache shared module doesn't handle -# ensure=>absent, so this is going to be done the crude way, and will only -# work for debian+derivitives, which is fine for now, but not good for the -# future - - package { 'apache2': ensure => absent } - -} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e0f379cd..0fc951c2 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -5,6 +5,7 @@ class site_couchdb ( $bigcouch = false ) { $key = $x509['key'] $cert = $x509['cert'] $ca = $x509['ca_cert'] + $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -16,6 +17,7 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -32,10 +34,6 @@ class site_couchdb ( $bigcouch = false ) { -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] - # this is here to disable and remove the proxy - include site_couchdb::apache_ssl_proxy - - # the above apache_ssl_proxy is replaced by the following stunnel class { 'site_couchdb::stunnel': key => $key, cert => $cert, -- cgit v1.2.3 From 2c53c5023b925cb596e3f450f194482eade1fbeb Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 4 Apr 2013 12:50:30 -0400 Subject: add Erlang Distributed Node Protocol Port json entry under bigcouch setup ednp_server and ednp_client stunnels update couchdb puppet submodule to support configurable ednp_port parameter and general module cleanup pass ednp_port to couchdb setup so that it is configured in the vm.args template clarify in comments the difference between the epmd and ednp ports remove hard-coded erlang_vm_port variable and instead setup shorewall to allow for the stunnel connection only setup dnat rules for the ednp client connections --- provider_base/services/couchdb.json | 3 ++ puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 7 ++-- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++++++--- puppet/modules/site_shorewall/manifests/couchdb.pp | 5 +-- .../site_shorewall/manifests/couchdb/bigcouch.pp | 21 +++++++++-- 6 files changed, 65 insertions(+), 14 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 3ef4c213..22578a70 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -7,11 +7,14 @@ "couch_server": "= stunnel_server(couch.port)", "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)", "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)", + "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)", + "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)" }, "couch": { "port": 5984, "bigcouch": { "epmd_port": 4369, + "ednp_port": 9002, "cookie": "= secret :bigcouch_cookie" }, "users": { diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 66d918dd..b49a787a 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
@@ -1 +1 @@ -Subproject commit 66d918ddb6454fd4a30baed9b49baad98e274243 +Subproject commit b49a787a2961129a969cfecd1eec1df588aaacac diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0fc951c2..9ffa4122 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -21,10 +21,13 @@ class site_couchdb ( $bigcouch = false ) { $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] - class {'couchdb': + $ednp_port = $bigcouch_config['ednp_port'] + + class { 'couchdb': bigcouch => $bigcouch, admin_pw => $couchdb_admin_pw, - bigcouch_cookie => $bigcouch_cookie + bigcouch_cookie => $bigcouch_cookie, + ednp_port => $ednp_port } include couchdb::bigcouch::package::cloudant diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 40b8f450..ebd01e4e 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -6,12 +6,18 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couch_server_accept = $couch_server['accept'] $couch_server_connect = $couch_server['connect'] + # Erlang Port Mapper Daemon (epmd) stunnel server/clients $epmd_server = $stunnel['epmd_server'] $epmd_server_accept = $epmd_server['accept'] $epmd_server_connect = $epmd_server['connect'] - $epmd_clients = $stunnel['epmd_clients'] + # Erlang Distributed Node Protocol (ednp) stunnel server/clients + $ednp_server = $stunnel['ednp_server'] + $ednp_server_accept = $ednp_server['accept'] + $ednp_server_connect = $ednp_server['connect'] + $ednp_clients = $stunnel['ednp_clients'] + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' 
@@ -43,8 +49,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } - # setup stunnels for bigcouch clustering between each bigcouchdb node - # server + # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for + # bigcouch clustering between each bigcouchdb node stunnel::service { 'epmd_server': accept => $epmd_server_accept, connect => $epmd_server_connect, @@ -58,7 +64,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { debuglevel => '4' } - # clients + # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect + # to the above epmd stunnel server. $epmd_client_defaults = { 'client' => true, 'cafile' => $ca_path, @@ -67,4 +74,30 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) + + # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary + # for bigcouch clustering between each bigcouchdb node + stunnel::service { 'ednp_server': + accept => $ednp_server_accept, + connect => $ednp_server_connect, + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/ednp_server.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } + + # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect + # to the above ednp stunnel server. + $ednp_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) } diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 1ef91bb0..73bed62b 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp 
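Review bot: The new `stunnel::service { 'ednp_server': ... }` stanza repeats every option of the epmd_server stanza except name, accept, connect and pid, and `$ednp_client_defaults` is a verbatim copy of `$epmd_client_defaults`; one shared defaults hash, or a small define wrapping stunnel::service with cafile/key/cert/verify/rndfile/debuglevel fixed, would keep the TLS settings of the two tunnels from drifting apart. As I read stunnel's verify levels, `verify => '2'` accepts any peer certificate chaining to `$ca_path`, so every node holding a certificate from that CA can reach the Erlang distribution port through this tunnel; that is the same trust boundary as the existing epmd tunnel and presumably intended, but a comment on the stanza stating that node-to-node authentication rests on CA membership plus the bigcouch cookie would make it explicit. The enclosing class site_couchdb::stunnel starts outside the hunk.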
@@ -6,12 +6,9 @@ class site_shorewall::couchdb { $couch_server = $stunnel['couch_server'] $couch_stunnel_port = $couch_server['accept'] - # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 - $erlang_vm_port = '9001' - # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port}", notify => Service['shorewall'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index a8320df8..20740650 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -3,15 +3,22 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults $stunnel = hiera('stunnel') - $epmd_clients = $stunnel['epmd_clients'] + # Erlang Port Mapper Daemon (epmd) stunnel server/clients + $epmd_clients = $stunnel['epmd_clients'] $epmd_server = $stunnel['epmd_server'] $epmd_server_port = $epmd_server['accept'] $epmd_server_connect = $epmd_server['connect'] + # Erlang Distributed Node Protocol (ednp) stunnel server/clients + $ednp_clients = $stunnel['ednp_clients'] + $ednp_server = $stunnel['ednp_server'] + $ednp_server_port = $ednp_server['accept'] + $ednp_server_connect = $ednp_server['connect'] + # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': - content => "PARAM - - tcp ${epmd_server_port}", + content => "PARAM - - tcp ${epmd_server_port},${ednp_server_port}", notify => Service['shorewall'], require => Package['shorewall'] } 
@@ -24,13 +31,21 @@ class site_shorewall::couchdb::bigcouch { order => 300; } + # setup DNAT rules for each epmd $epmd_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') } - create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults) + # setup DNAT rules for each ednp + $ednp_shorewall_dnat_defaults = { + 'source' => '$FW', + 'proto' => 'tcp', + 'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') + } + create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults) + } -- cgit v1.2.3 From 5c44ec03fb9940d2801e6c7765084725656d1ce9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:24:23 -0400 Subject: update submodule to get fix for syntax error --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b49a787a..6b537bb7 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit b49a787a2961129a969cfecd1eec1df588aaacac +Subproject commit 6b537bb77dbfaa754b88e64041ecd57e7f7544a9 -- cgit v1.2.3 From c4397077adb35cf5ec05976e2918bacdd3960703 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:31:04 -0400 Subject: pass $ca_name to stunnel::setup - this eliminates a dynamic scoped variable lookup, and warning --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 + puppet/modules/site_stunnel/manifests/setup.pp | 2 +- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index ebd01e4e..d982013e 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
@@ -31,6 +31,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { cert_name => $cert_name, key => $key, cert => $cert, + ca_name => $ca_name, ca => $ca } diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index 7ec2378f..92eeb425 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -1,4 +1,4 @@ -class site_stunnel::setup ($cert_name, $key, $cert, $ca) { +class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { include site_stunnel diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e956fd54..8dfe6e12 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -48,6 +48,7 @@ class site_webapp::couchdb { cert_name => $cert_name, key => $key, cert => $cert, + ca_name => $ca_name ca => $ca } -- cgit v1.2.3 From 78cd7a3a6e098448efa9e8623d1bc5c81d7a393a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:40:04 -0400 Subject: fix missing comma --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 8dfe6e12..50c6f9d7 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -48,7 +48,7 @@ class site_webapp::couchdb { cert_name => $cert_name, key => $key, cert => $cert, - ca_name => $ca_name + ca_name => $ca_name, ca => $ca } -- cgit v1.2.3 From 61ee35e9210bc771f059ebf227512668c21b62b5 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 4 Apr 2013 16:42:17 -0400 Subject: make sure the couchdb.yml permissions are set properly --- puppet/modules/site_webapp/files/migrate_design_documents | 3 +++ puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 88d4b8d9..fa28e5ee 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -4,6 +4,7 @@ cd /srv/leap-webapp # use admin credentials cp config/couchdb.yml.admin config/couchdb.yml +chown leap-webapp:leap-webapp config/couchdb.yml # needs to be run twice /usr/bin/bundle exec rake couchrest:migrate @@ -11,3 +12,5 @@ cp config/couchdb.yml.admin config/couchdb.yml # use user credentials and remove admin credentials cp config/couchdb.yml.webapp config/couchdb.yml +chown leap-webapp:leap-webapp config/couchdb.yml + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 50c6f9d7..6fe144a4 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -27,8 +27,8 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => root, + group => root, mode => '0600'; '/srv/leap-webapp/config/couchdb.yml.webapp': -- cgit v1.2.3 From a115e1c2e48adaa5f53777b63c25814e536e1e5a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 16:42:33 -0400 Subject: fix typo in x509::variables --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
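Review bot: `cp config/couchdb.yml.admin config/couchdb.yml` followed by the added `chown leap-webapp:leap-webapp config/couchdb.yml` never sets a mode on the copied admin-credential file, so it keeps whatever mode the existing destination had (or the umask result on a first run), and ownership is corrected only after the file has been written. `install -o leap-webapp -g leap-webapp -m 0600 config/couchdb.yml.admin config/couchdb.yml` does the copy, ownership and mode in one step; the same applies to the second cp/chown pair in the next hunk of this file. The script also runs without `set -e`, so a failing migration still falls through to the credential swap; that may be deliberate, since it guarantees the admin credentials do not linger, but a comment saying so would stop someone from "fixing" it. The script's header is outside the hunk.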
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6fe144a4..ebb0d72a 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -13,7 +13,7 @@ class site_webapp::couchdb { $couch_client = $stunnel['couch_client'] $couch_client_connect = $couch_client['connect'] - include x509::variable + include x509::variables $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] -- cgit v1.2.3 From dc6cd0ecd31a03e5093cdd9bb6dd1cad576199a2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 16:43:04 -0400 Subject: set permissions on the rails production.log, otherwise passenger complains about this in the apache log file --- puppet/modules/site_webapp/manifests/couchdb.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ebb0d72a..f6203552 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -37,6 +37,11 @@ class site_webapp::couchdb { group => leap-webapp, mode => '0600'; + '/srv/leap-webapp/logs/production.log': + owner => leap-webapp, + group => leap-webapp, + mode => '0660'; + '/usr/local/sbin/migrate_design_documents': source => 'puppet:///modules/site_webapp/migrate_design_documents', owner => root, -- cgit v1.2.3 From 5e7faed43cf72e2546334da432fcd90e0d558502 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Apr 2013 13:58:15 -0400 Subject: update deprecated haproxy configuration options, set values a little lower --- puppet/modules/site_haproxy/manifests/init.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 7cb10ab2..602e26be 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp 
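Review bot: The new `'/srv/leap-webapp/logs/production.log':` stanza sets owner, group and mode but no `ensure`; as I read Puppet's file type, a resource without `ensure` only manages a file that already exists, so on a node where passenger has not yet written the log the permissions are not applied until some later run. Adding `ensure => present,` to the stanza makes the first run deterministic (and if the logs directory itself may be absent, it needs managing too). The stanza belongs to a file resource whose opening line is outside the hunk.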
+++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -13,12 +13,12 @@ class site_haproxy { 'daemon' => '' }, defaults_options => { - 'log' => 'global', - 'retries' => '3', - 'option' => 'redispatch', - 'contimeout' => '5000', - 'clitimeout' => '50000', - 'srvtimeout' => '50000' + 'log' => 'global', + 'retries' => '3', + 'option' => 'redispatch', + 'timeout connect' => '4000', + 'timeout client' => '20000', + 'timeout server' => '20000' } } -- cgit v1.2.3 From 994c0212e86c60fa0f83c379308618b901d240c1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Apr 2013 14:04:25 -0400 Subject: add a httpchk line to haproxy to properly test if the couchdb is available add the useful http-server-close option set check option on the servers, with a 3 second interval, a one second fastinter (for flapping) and a one second downinter. Set the number of checks for failure to be one (so it will take 3 seconds for a node to fail out) and 2 checks to come back --- puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index a9bdb923..f08161ee 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -2,14 +2,14 @@ listen bigcouch-in mode http balance roundrobin - option httplog option dontlognull - option tcplog - + option httpchk GET / + option http-server-close + bind localhost:4096 <% for port in @local_ports -%> - server couchdb_<%=port%> localhost:<%=port%> + server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 <% end -%> -- cgit v1.2.3 From 7cb8deafbb02d42c6cd4af4b19d9d269e3d4bf42 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 9 Apr 2013 14:53:44 -0400 Subject: make sure the production environment is used for the migrations --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index fa28e5ee..88eb2e25 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -7,8 +7,8 @@ cp config/couchdb.yml.admin config/couchdb.yml chown leap-webapp:leap-webapp config/couchdb.yml # needs to be run twice -/usr/bin/bundle exec rake couchrest:migrate -/usr/bin/bundle exec rake couchrest:migrate +RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate +RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate # use user credentials and remove admin credentials cp config/couchdb.yml.webapp config/couchdb.yml -- cgit v1.2.3 From 92f565f349266f7c5adfc88b31d0d2902431efa4 Mon Sep 17 00:00:00 2001 
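Review bot: Neither `rake couchrest:migrate` invocation has its exit status checked, so a failed migration is invisible to whoever runs this script, and the credential swap-back below it runs regardless. The script's header (shebang and any `set -e`) is outside the hunk; if `set -e` is in effect the opposite failure applies, aborting before the swap-back with the admin credentials still in `config/couchdb.yml`. Capture the status after the second run, `RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate; status=$?`, and make `exit $status` the last line so the failure is reported only after the webapp credentials have been restored.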
From: Micah Anderson Date: Wed, 10 Apr 2013 12:27:39 -0400 Subject: clean up ca_daemon things, it is not used any longer because it has been included in the web app (#1978) remove site_ca_daemon module and configuration in site.pp as well as the provider_base/services/ca.json --- provider_base/services/ca.json | 11 --- puppet/manifests/site.pp | 4 - puppet/modules/site_ca_daemon/manifests/apache.pp | 62 ------------- puppet/modules/site_ca_daemon/manifests/couchdb.pp | 16 ---- puppet/modules/site_ca_daemon/manifests/init.pp | 103 --------------------- .../site_ca_daemon/templates/leap_ca.yaml.erb | 31 ------- 6 files changed, 227 deletions(-) delete mode 100644 provider_base/services/ca.json delete mode 100644 puppet/modules/site_ca_daemon/manifests/apache.pp delete mode 100644 puppet/modules/site_ca_daemon/manifests/couchdb.pp delete mode 100644 puppet/modules/site_ca_daemon/manifests/init.pp delete mode 100644 puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json deleted file mode 100644 index 64866ddc..00000000 --- a/provider_base/services/ca.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "ca_daemon": { - "couchdb_hosts": "= hostnames nodes_like_me[:services => :couchdb]", - "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]" - }, - "service_type": "internal_service", - "x509": { - "use": true, - "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')" - } -} diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 34c19370..f1b02aca 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -33,10 +33,6 @@ if 'webapp' in $services { include site_webapp } -if 'ca' in $services { - include site_ca_daemon -} - if 'monitor' in $services { include site_nagios } 
diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp deleted file mode 100644 index ab6b08fd..00000000 --- a/puppet/modules/site_ca_daemon/manifests/apache.pp +++ /dev/null @@ -1,62 +0,0 @@ -class site_ca_daemon::apache { - - $api_domain = hiera('api_domain') - $x509 = hiera('x509') - $commercial_key = $x509['commercial_key'] - $commercial_cert = $x509['commercial_cert'] - $commercial_root = $x509['commercial_ca_cert'] - $api_key = $x509['key'] - $api_cert = $x509['cert'] - $api_root = $x509['ca_cert'] - - $apache_no_default_site = true - include apache::ssl - - apache::module { - 'alias': ensure => present; - 'rewrite': ensure => present; - 'headers': ensure => present; - } - - class { 'passenger': use_munin => false } - - apache::vhost::file { - 'leap_ca_daemon': - content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb') - } - - apache::vhost::file { - 'api': - content => template('site_apache/vhosts.d/api.conf.erb') - } - - x509::key { - 'leap_ca_daemon': - content => $commercial_key, - notify => Service[apache]; - - 'leap_api': - content => $api_key, - notify => Service[apache]; - } - - x509::cert { - 'leap_ca_daemon': - content => $commercial_cert, - notify => Service[apache]; - - 'leap_api': - content => $api_cert, - notify => Service[apache]; - } - - x509::ca { - 'leap_ca_daemon': - content => $commercial_root, - notify => Service[apache]; - - 'leap_api': - content => $api_root, - notify => Service[apache]; - } -} diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp deleted file mode 100644 index f446a05b..00000000 --- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp +++ /dev/null 
@@ -1,16 +0,0 @@ -class site_ca_daemon::couchdb { - - $ca = hiera('ca_daemon') - $couchdb_host = $ca['couchdb_hosts'] - $couchdb_user = $ca['couchdb_user']['username'] - $couchdb_password = $ca['couchdb_user']['password'] - - file { - '/etc/leap/leap_ca.yaml': - content => template('site_ca_daemon/leap_ca.yaml.erb'), - owner => leap_ca_daemon, - group => leap_ca_daemon, - mode => '0600'; - } - -} diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp deleted file mode 100644 index 8ba9c506..00000000 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ /dev/null 
@@ -1,103 +0,0 @@ -class site_ca_daemon { - tag 'leap_service' - #$definition_files = hiera('definition_files') - #$provider = $definition_files['provider'] - #$eip_service = $definition_files['eip_service'] - $x509 = hiera('x509') - - Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - - class { 'ruby': ruby_version => '1.9.3' } - - class { 'bundler::install': install_method => 'package' } - - include rubygems - #include site_ca_daemon::apache - include site_ca_daemon::couchdb - - group { 'leap_ca_daemon': - ensure => present, - allowdupe => false; - } - - user { 'leap_ca_daemon': - ensure => present, - allowdupe => false, - gid => 'leap_ca_daemon', - home => '/srv/leap_ca_daemon', - require => [ Group['leap_ca_daemon'] ]; - } - - - x509::key { - 'leap_ca_daemon': - content => $x509['ca_key']; - #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon - } - - x509::cert { - 'leap_ca_daemon': - content => $x509['ca_cert']; - #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon - } - - # - # Does CA need a server key/cert? I think not now. 
- # - # x509::key { - # 'server': - # content => $x509['key']; - # } - # - # x509::cert { - # 'server': - # content => $x509['cert']; - # } - - # x509::ca { - # 'leap_ca_daemon': - # content => $x509['ca_cert']; - # } - - - file { '/srv/leap_ca_daemon': - ensure => directory, - owner => 'leap_ca_daemon', - group => 'leap_ca_daemon', - require => User['leap_ca_daemon']; - } - - vcsrepo { '/srv/leap_ca_daemon': - ensure => present, - revision => 'origin/master', - provider => git, - source => 'git://code.leap.se/leap_ca', - owner => 'leap_ca_daemon', - group => 'leap_ca_daemon', - require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ], - notify => Exec['bundler_update'] - } - - exec { 'bundler_update': - cwd => '/srv/leap_ca_daemon', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', - unless => '/usr/bin/bundle check', - timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; - } - - file { '/usr/local/bin/leap_ca_daemon': - ensure => link, - target => '/srv/leap_ca_daemon/bin/leap_ca_daemon', - } - - file { '/etc/cron.hourly/leap_ca': - ensure => present, - content => "#/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null", - owner => 'root', - group => 0, - mode => '0755', - } - - -} diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb deleted file mode 100644 index e0b95278..00000000 --- a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# Default configuration options for LEAP Certificate Authority Daemon -# - -# -# Certificate Authority -# -ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" -ca_key_password: nil -ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" - -# -# Certificate pool -# -max_pool_size: 100 -client_cert_lifespan: 2 -client_cert_bit_size: 2024 -client_cert_hash: "SHA256" - -# -# Database -# -db_name: "client_certificates" -couch_connection: - protocol: "https" - host: <%= couchdb_host %> - port: 6984 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - prefix: "" - suffix: "" -- cgit v1.2.3 From 830f2408fa210016fdef855da8b3fd28421bff32 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Apr 2013 17:45:57 +0200 Subject: webapp: use admin creds for now, until we fixed couchdb user permissions --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 88eb2e25..4a818950 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -10,7 +10,7 @@ chown leap-webapp:leap-webapp config/couchdb.yml RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate -# use user credentials and remove admin credentials -cp config/couchdb.yml.webapp config/couchdb.yml +# use admin creds for now, until we fixed couchdb user permissions +cp config/couchdb.yml.admin config/couchdb.yml chown leap-webapp:leap-webapp config/couchdb.yml -- cgit v1.2.3 From 75053a203834ee70e527ba20c8dbad69b5620b04 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Apr 2013 11:59:27 -0400 Subject: update haproxy submodule to get version parameter possibility --- puppet/modules/haproxy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
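Review bot: With this change the webapp runs against CouchDB with the admin credentials at all times, not only during the two migration runs above it, so a compromise of the webapp process now yields full database administration instead of the role-scoped access the `couchdb.yml.webapp` copy granted. The inline comment is the only record that this is interim; it should name the issue tracking the permission fix and the line to restore, e.g. `# TEMPORARY (see <tracking issue>): restore 'cp config/couchdb.yml.webapp config/couchdb.yml' once couchdb user roles are fixed`. The script also never sets a mode on `config/couchdb.yml`, so the copied admin credentials inherit whatever the existing file or the umask gives them; a `chmod 600 config/couchdb.yml` after the `chown` would pin that.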
diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy index 967e0097..b398f3cb 160000 --- a/puppet/modules/haproxy +++ b/puppet/modules/haproxy @@ -1 +1 @@ -Subproject commit 967e0097f9447d6c73eeb99ef4b0df2a941820c3 +Subproject commit b398f3cb0a67d1170d0564a3f03977f9a08c2b6c -- cgit v1.2.3 From 9a6026af4f781d081274eb2884e0662dfdd54a07 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Apr 2013 12:26:24 -0400 Subject: pass version to haproxy so that the leap package will be installed this package is a newer version than the one in debian, and as of this writing haproxy is scheduled to be removed from wheezy, also it has hardened flags enabled --- puppet/modules/site_haproxy/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 602e26be..ace88a7b 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -2,6 +2,7 @@ class site_haproxy { class { 'haproxy': enable => true, + version => '1.4.23-0.1~leap60+1', manage_service => true, global_options => { 'log' => '127.0.0.1 local0', -- cgit v1.2.3 From 7b6882212da16b7f3e778919f6c8c018c6d1111b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Apr 2013 13:58:43 -0400 Subject: move secret token into the config.yaml --- puppet/modules/site_webapp/manifests/init.pp | 8 ++------ puppet/modules/site_webapp/templates/config.yml.erb | 1 + 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1e6abe42..636a156d 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
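Review bot: The pinned `version => '1.4.23-0.1~leap60+1'` carries no explanation in the manifest, and a bare version pin is exactly the line a later maintainer bumps or deletes without context; the reasoning lives only in the commit message. Add a comment above it such as `# pinned to the leap-repo build: newer than the wheezy package (scheduled for removal) and built with hardening flags; bump deliberately when a security update is published`. Because the pin freezes the package, someone has to own tracking haproxy security updates for that repo build, which is worth recording next to the comment.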
@@ -111,12 +111,8 @@ class site_webapp { content => template('site_webapp/config.yml.erb'), owner => leap-webapp, group => leap-webapp, - mode => '0600'; - - '/srv/leap-webapp/config/initializers/secret_token.rb': - content => "LeapWeb::Application.config.secret_token = '${secret_token}'\n", - owner => leap-webapp, group => leap-webapp, mode => '0644', - notify => Service['apache']; + mode => '0600', + notify => Service['apache']; } include site_shorewall::webapp diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index af778212..83348d94 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -4,6 +4,7 @@ production: domain: <%= @provider_domain %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + secret_token: "<%= @secret_token %>" cert_options: client_cert_lifespan: <%= cert_options['life_span'].to_i %> -- cgit v1.2.3 From 9f9ea1670bc319f8c5cecff0ae02b2d342615e62 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 11:24:54 -0400 Subject: rename fallback apt source list so it will be more obvious when it is paired with the primary.list --- puppet/modules/site_apt/manifests/init.pp | 4 ++-- puppet/modules/site_apt/templates/fallback.list | 3 --- puppet/modules/site_apt/templates/secondary.list | 3 +++ 3 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 puppet/modules/site_apt/templates/fallback.list create mode 100644 puppet/modules/site_apt/templates/secondary.list diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index de854d58..c5f37014 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
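Review bot: Removing the `secret_token.rb` file resource from the manifest does not remove the file from nodes that were already deployed, so the old copy of the secret, written world-readable with `mode => '0644'`, stays in `/srv/leap-webapp/config/initializers/` while the new copy in `config.yml` is `0600`. Add a resource that retires it, e.g. `'/srv/leap-webapp/config/initializers/secret_token.rb': ensure => absent, notify => Service['apache'];` in the same `file` block; the enclosing `file` resource starts outside the hunk. The template hunk interpolates the token raw inside a YAML double-quoted string, which is fine only if the generator is guaranteed to produce plain hex; if that is not certain, escape it for YAML rather than trusting the value.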
@@ -19,8 +19,8 @@ class site_apt { include ::apt::unattended_upgrades - apt::sources_list { 'fallback.list.disabled': - content => template('site_apt/fallback.list'); + apt::sources_list { 'secondary.list.disabled': + content => template('site_apt/secondary.list'); } } diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/fallback.list deleted file mode 100644 index 41334b0b..00000000 --- a/puppet/modules/site_apt/templates/fallback.list +++ /dev/null @@ -1,3 +0,0 @@ -# basic -deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free - diff --git a/puppet/modules/site_apt/templates/secondary.list b/puppet/modules/site_apt/templates/secondary.list new file mode 100644 index 00000000..41334b0b --- /dev/null +++ b/puppet/modules/site_apt/templates/secondary.list @@ -0,0 +1,3 @@ +# basic +deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free + -- cgit v1.2.3 From 0ad85d0afa39817b07e0f774c7437d1ca9fd5fd6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 18:08:02 -0400 Subject: update apache module to new 2.7 style --- puppet/modules/apache | 2 +- puppet/modules/site_webapp/manifests/apache.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index dafb060f..6844258b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit dafb060fc57957dbe9e5e90698537e781cebeaf6 +Subproject commit 6844258b567b5065f5488a12f3f18208ff36ecb0 diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 554b9147..103e4f35 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
@@ -12,7 +12,7 @@ class site_webapp::apache { $api_cert = $x509['cert'] $api_root = $x509['ca_cert'] - $apache_no_default_site = true + class { '::apache': no_default_site => true } include apache::ssl apache::module { -- cgit v1.2.3 From 1d29e7ad92d4197fed3812add3ad195800f53281 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 18 Apr 2013 01:10:16 -0700 Subject: webapp: removed "Alias /1" from apache config --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 - puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index cdfcbd68..20d3dc9a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -22,7 +22,6 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap-webapp/public - Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4928cdd6..2ccc4418 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,7 +22,6 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap-webapp/public - Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests @@ -40,7 +39,7 @@ <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> PassengerEnabled off - AllowOverride all + AllowOverride all <% end -%> -- cgit v1.2.3 From 8485b9340b96c16f47d6de145ceca0d7838d2fdd Mon Sep 17 00:00:00 2001 
From: elijah Date: Thu, 18 Apr 2013 10:27:55 -0700 Subject: provider.json 'domain' entry should match the domain suffix of the node. --- provider_base/files/service-definitions/provider.json.erb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 54919898..bc93fac5 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -4,9 +4,11 @@ # grab some fields from provider.json hsh = global.provider.pick( :languages, :description, :name, - :enrollment_policy, :default_language, :domain, :service + :enrollment_policy, :default_language, :service ) + hsh['domain'] = domain.full_suffix + # advertise services that are 'user services' hsh['services'] = global.services[:service_type => :user_service].field(:name) -- cgit v1.2.3 From aa9d9d8516981d08b0b6e230d290c22834dee8d0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 18 Apr 2013 17:19:32 -0400 Subject: update apache module to take the 'ssl' parameter, and pass it to the class, this eliminates a potential variable lookup ordering problem (#2273) --- puppet/modules/apache | 2 +- puppet/modules/site_webapp/manifests/apache.pp | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 6844258b..688f0779 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 6844258b567b5065f5488a12f3f18208ff36ecb0 +Subproject commit 688f07793a72ba4453f6663b6d19fe6388ba382f diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 103e4f35..8b340160 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
@@ -12,8 +12,7 @@ class site_webapp::apache { $api_cert = $x509['cert'] $api_root = $x509['ca_cert'] - class { '::apache': no_default_site => true } - include apache::ssl + class { '::apache': no_default_site => true, ssl => true } apache::module { 'alias': ensure => present; -- cgit v1.2.3 From 14dae1c1f5e2f12a37c6a4e71a89ef2f6a784712 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 22 Apr 2013 15:36:45 -0700 Subject: webapp -- fixed bug in configuration --- puppet/modules/site_webapp/templates/config.yml.erb | 2 -- 1 file changed, 2 deletions(-) diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 83348d94..df562cd9 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -5,8 +5,6 @@ production: client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> secret_token: "<%= @secret_token %>" - -cert_options: client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> client_cert_hash: <%= cert_options['digest'] %> -- cgit v1.2.3 From 5323c8c48df57dae61cb73a1b8df5b39736f5a89 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 11:52:16 -0400 Subject: fix mode for webapp production.log (#2300) --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index f6203552..840bb12e 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -40,7 +40,7 @@ class site_webapp::couchdb { '/srv/leap-webapp/logs/production.log': owner => leap-webapp, group => leap-webapp, - mode => '0660'; + mode => '0666'; '/usr/local/sbin/migrate_design_documents': source => 'puppet:///modules/site_webapp/migrate_design_documents', -- cgit v1.2.3 From 0d821e158b78365c59d148267a569f3ce2d82e47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 12:01:43 -0400 Subject: move generic couchdb host configuration from bitmask into the provider base (#2016) --- provider_base/services/webapp.json | 1 + 1 file changed, 1 insertion(+) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 895aa6e3..29ed6110 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,6 +1,7 @@ { "webapp": { "modules": ["user", "billing", "help"], + "couchdb_hosts": "= hostnames nodes_like_me[:services => :couchdb]", "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "favicon": "= file_path 'branding/favicon.ico'", -- cgit v1.2.3 From 285236312c9e787767b742feb320ff0e7816a985 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 12:08:56 -0400 Subject: remove no longer used json key couchdb_hosts --- provider_base/services/webapp.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 29ed6110..f87b0833 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,7 +1,6 @@ { "webapp": { "modules": ["user", "billing", "help"], - "couchdb_hosts": "= hostnames nodes_like_me[:services => :couchdb]", "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "favicon": "= file_path 'branding/favicon.ico'", 
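Review bot: `mode => '0666'` makes the Rails production log readable and writable by every local account on the node: any user can read whatever request data the app logs and can truncate or append to it, which also undermines the log as forensic evidence. The underlying mismatch appears to be that passenger writes the log under a uid/gid other than `leap-webapp` (inferred from the commit message, not visible here); the narrower fix is to grant that writer group access, e.g. `group => <passenger-run-group>, mode => '0660'`, or run the application as `leap-webapp` so `0640` suffices. If `0666` has to stay for now, a comment naming the reason and #2300 would stop the next reader from treating it as intended.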
@@ -41,4 +40,4 @@ "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } -} \ No newline at end of file +} -- cgit v1.2.3 From 17774818485d9fe6db95f10fcc1f7815cee4510f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 23:32:29 +0200 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 6b537bb7..321278b3 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 6b537bb77dbfaa754b88e64041ecd57e7f7544a9 +Subproject commit 321278b3805ce74b6869ec070e083c8a91849d6f -- cgit v1.2.3 From 4d01724ff48a990f70f81779936840824c78ca6e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 00:32:18 +0200 Subject: Use pre-salted+hashed user pw for couchdb (Feature #2324) --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9ffa4122..de9b715c 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -11,12 +11,15 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_admin = $couchdb_users['admin'] $couchdb_admin_user = $couchdb_admin['username'] $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_admin_salt = $couchdb_admin['salt'] $couchdb_webapp = $couchdb_users['webapp'] $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $couchdb_ca_daemon_salt = $couchdb_ca_daemon['salt'] $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -45,18 +48,20 @@ class site_couchdb ( $bigcouch = false ) { couchdb::query::setup { 'localhost': user => $couchdb_admin_user, - pw => $couchdb_admin_pw + pw => $couchdb_admin_pw, } # Populate couchdb couchdb::add_user { $couchdb_webapp_user: roles => '["certs"]', - pw => $couchdb_webapp_pw + pw => $couchdb_webapp_pw, + salt => $couchdb_webapp_salt } couchdb::add_user { $couchdb_ca_daemon_user: roles => '["certs"]', - pw => $couchdb_ca_daemon_pw + pw => $couchdb_ca_daemon_pw, + salt => $couchdb_ca_daemon_salt } couchdb::create_db { 'users': -- cgit v1.2.3 From 1589e8dfa7e364c1d884100fa752bcc388c3589d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 00:33:08 +0200 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 321278b3..ec9d3c46 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 321278b3805ce74b6869ec070e083c8a91849d6f +Subproject commit ec9d3c4629586caa910323c7cd5ffe769843ad42 -- cgit v1.2.3 From 8322444051739f276c4cb19aa7d6addcad287782 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 24 Apr 2013 15:16:18 +0200 Subject: automatic update of submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 095a5a01..66e0fa8f 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 095a5a01d5a7c7e3d95a71846220545080f7581c +Subproject commit 66e0fa8f1bc5062e9d753598ad17602c378a2994 -- cgit v1.2.3 From 3ced5ec963311c45cf359803727bd18fe6e23b69 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 15:53:05 +0200 Subject: updated needed couchdb users and DBs --- provider_base/services/couchdb.json | 8 ++++---- puppet/modules/site_couchdb/manifests/init.pp | 26 +++++++++++++------------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 22578a70..43a6c650 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -28,10 +28,10 @@ "password": "= secret :couch_webapp_password", "salt": "= hex_secret :couch_webapp_password_salt, 128" }, - "ca_daemon": { - "username": "ca_daemon", - "password": "= secret :couch_ca_daemon_password", - "salt": "= hex_secret :couch_ca_daemon_password_salt, 128" + "soledad": { + "username": "soledad", + "password": "= secret :couch_soledad_password", + "salt": "= hex_secret :couch_soledad_password_salt, 128" } } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index de9b715c..6cf8e209 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -16,10 +16,10 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] $couchdb_webapp_salt = $couchdb_webapp['salt'] - $couchdb_ca_daemon = $couchdb_users['ca_daemon'] - $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] - $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - $couchdb_ca_daemon_salt = $couchdb_ca_daemon['salt'] + $couchdb_soledad = $couchdb_users['soledad'] + $couchdb_soledad_user = $couchdb_soledad['username'] + $couchdb_soledad_pw = $couchdb_soledad['password'] + $couchdb_soledad_salt = $couchdb_soledad['salt'] $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -36,9 +36,9 @@ class site_couchdb ( $bigcouch = false ) { Service ['couchdb'] -> Couchdb::Create_db['users'] - -> Couchdb::Create_db['client_certificates'] + -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] - -> Couchdb::Add_user[$couchdb_ca_daemon_user] + -> Couchdb::Add_user[$couchdb_soledad_user] class { 'site_couchdb::stunnel': key => $key, @@ -53,23 +53,23 @@ class site_couchdb ( $bigcouch = false ) { # Populate couchdb couchdb::add_user { $couchdb_webapp_user: - roles => '["certs"]', + roles => '["auth"]', pw => $couchdb_webapp_pw, salt => $couchdb_webapp_salt } - couchdb::add_user { $couchdb_ca_daemon_user: - roles => '["certs"]', - pw => $couchdb_ca_daemon_pw, - salt => $couchdb_ca_daemon_salt + couchdb::add_user { $couchdb_soledad_user: + roles => '["auth"]', + pw => $couchdb_soledad_pw, + salt => $couchdb_soledad_salt } couchdb::create_db { 'users': readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } - couchdb::create_db { 'client_certificates': - readers => "{ \"names\": [], \"roles\": [\"certs\"] }" + couchdb::create_db { 'tokens': + readers => "{ \"names\": [], \"roles\": [\"auth\"] }" } include site_shorewall::couchdb -- cgit v1.2.3 
From b3572aed530b0834d58e75c83ef1eb670d1824e3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 16:50:19 +0200 Subject: Use pre-salted+hashed admin pw for couchdb (Feature #1941) --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6cf8e209..5e26b837 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -29,6 +29,7 @@ class site_couchdb ( $bigcouch = false ) { class { 'couchdb': bigcouch => $bigcouch, admin_pw => $couchdb_admin_pw, + admin_salt => $couchdb_admin_salt, bigcouch_cookie => $bigcouch_cookie, ednp_port => $ednp_port } -- cgit v1.2.3 From 6f1bfbcca5de5620a3ad9c3076776073b5d7aa20 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 16:50:43 +0200 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index ec9d3c46..7b6c9a29 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit ec9d3c4629586caa910323c7cd5ffe769843ad42 +Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 -- cgit v1.2.3 From 037d002bc3e29e8c88018b1a80a96bab0cc354b7 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 17:15:36 +0200 Subject: couchdb.yml.admin is changed on every puppetrun from leap-webapp to root --- puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 840bb12e..2062a267 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -27,8 +27,8 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), - owner => root, - group => root, + owner => leap_webapp, + group => leap_webapp, mode => '0600'; '/srv/leap-webapp/config/couchdb.yml.webapp': -- cgit v1.2.3 From ae7b1d3b68c2e2e295967cb638413627bfbe0734 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 17:22:17 +0200 Subject: user leap-webapp instead of leap_webapp --- puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 2062a267..1dd346fd 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -27,8 +27,8 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), - owner => leap_webapp, - group => leap_webapp, + owner => leap-webapp, + group => leap-webapp, mode => '0600'; '/srv/leap-webapp/config/couchdb.yml.webapp': -- cgit v1.2.3 From 2bd18fcad2e1446388948ed0b98232d93564b8ad Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 18:23:41 +0200 Subject: take out plain couchdb setup, always deploy bigcouch (Feature #2176) --- puppet/manifests/site.pp | 4 +--- puppet/modules/site_couchdb/manifests/init.pp | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f1b02aca..2d41d45f 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -24,9 +24,7 @@ if 'openvpn' in $services { } if 'couchdb' in $services { - class {'site_couchdb': - bigcouch => true - } + include site_couchdb } if 'webapp' in $services { diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5e26b837..9f4824b4 100644 
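Review bot: `couchdb.yml.admin` is now owned by `leap-webapp` (this hunk, and the preceding hunk with the misspelled `leap_webapp`), so the application user can read what the filename suggests are CouchDB admin credentials; mode 0600 only keeps other users out. The commit message says the ownership was flapping between puppet runs, which points at something else chowning the file rather than at root ownership being wrong, so fixing that caller and keeping `owner => root` would preserve the separation — I can't see the template or the chowning process from here. If the webapp genuinely needs the admin file, a comment such as `# admin creds readable by leap-webapp only for design-document migration` next to the resource would record the reason.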
--- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,4 +1,4 @@ -class site_couchdb ( $bigcouch = false ) { +class site_couchdb { tag 'leap_service' $x509 = hiera('x509') @@ -27,7 +27,7 @@ class site_couchdb ( $bigcouch = false ) { $ednp_port = $bigcouch_config['ednp_port'] class { 'couchdb': - bigcouch => $bigcouch, + bigcouch => true, admin_pw => $couchdb_admin_pw, admin_salt => $couchdb_admin_salt, bigcouch_cookie => $bigcouch_cookie, -- cgit v1.2.3 From 4ed2bb37ea8283f79aecca8b78e80b141e9eff50 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 24 Apr 2013 18:04:48 -0700 Subject: provider base - service definitions are now versioned (requires new leap_cli) --- .../files/service-definitions/eip-service.json.erb | 48 ---------------------- .../service-definitions/v1/eip-service.json.erb | 48 ++++++++++++++++++++++ provider_base/services/webapp.json | 5 ++- puppet/modules/site_webapp/manifests/init.pp | 7 +++- 4 files changed, 57 insertions(+), 51 deletions(-) delete mode 100644 provider_base/files/service-definitions/eip-service.json.erb create mode 100644 provider_base/files/service-definitions/v1/eip-service.json.erb diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb deleted file mode 100644 index ca42bef5..00000000 --- a/provider_base/files/service-definitions/eip-service.json.erb +++ /dev/null 
@@ -1,48 +0,0 @@ -<%= - def underscore(words) - words = words.to_s.dup - words.downcase! - words.gsub! /[^a-z]/, '_' - words - end - - def add_gateway(node, locations, options={}) - return nil if options[:ip] == 'REQUIRED' - gateway = {} - gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns) - gateway["capabilities"]["transport"] = ["openvpn"] - gateway["host"] = node.domain.full - gateway["ip_address"] = options[:ip] - gateway["capabilities"]["limited"] = options[:limited] - if node.location - location_name = underscore(node.location.name) - gateway["location"] = location_name - locations[location_name] ||= node.location - end - gateway - end - - hsh = {} - hsh["serial"] = 1 - hsh["version"] = 1 - locations = {} - gateways = [] - nodes_like_me[:services => 'openvpn'].each_node do |node| - if node.openvpn.allow_limited && node.openvpn.allow_unlimited - gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) - gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) - elsif node.openvpn.allow_unlimited - gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) - elsif node.openvpn.allow_limited - gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) - end - end - hsh["gateways"] = gateways.compact - hsh["locations"] = locations - hsh["openvpn_configuration"] = { - "tls-cipher" => "DHE-RSA-AES128-SHA", - "auth" => "SHA1", - "cipher" => "AES-128-CBC" - } - generate_json hsh -%> \ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb new file mode 100644 index 00000000..ca42bef5 --- /dev/null +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb 
@@ -0,0 +1,48 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + def add_gateway(node, locations, options={}) + return nil if options[:ip] == 'REQUIRED' + gateway = {} + gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns) + gateway["capabilities"]["transport"] = ["openvpn"] + gateway["host"] = node.domain.full + gateway["ip_address"] = options[:ip] + gateway["capabilities"]["limited"] = options[:limited] + if node.location + location_name = underscore(node.location.name) + gateway["location"] = location_name + locations[location_name] ||= node.location + end + gateway + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + locations = {} + gateways = [] + nodes_like_me[:services => 'openvpn'].each_node do |node| + if node.openvpn.allow_limited && node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) + elsif node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + elsif node.openvpn.allow_limited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) + end + end + hsh["gateways"] = gateways.compact + hsh["locations"] = locations + hsh["openvpn_configuration"] = { + "tls-cipher" => "DHE-RSA-AES128-SHA", + "auth" => "SHA1", + "cipher" => "AES-128-CBC" + } + generate_json hsh +%> \ No newline at end of file diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index f87b0833..e4926ba7 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -11,7 +11,8 @@ "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", "allow_anonymous_certs": "= global.provider.service.allow_anonymous", - "secret_token": "= secret :webapp_secret_token" + "secret_token": "= secret :webapp_secret_token", + "api_version": 1 }, "stunnel": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" @@ -21,7 +22,7 @@ }, "definition_files": { "provider": "= file :provider_json_template", - "eip_service": "= file :eip_service_json_template" + "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]" }, "service_type": "public_service", "api": { diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 636a156d..8b5bb0e3 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -6,6 +6,7 @@ class site_webapp { $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') + $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -83,7 +84,11 @@ class site_webapp { ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - '/srv/leap-webapp/public/config/eip-service.json': + "/srv/leap-webapp/public/config/${api_version}": + ensure => directory, + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + "/srv/leap-webapp/public/config/${api_version}/eip-service.json": content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; } -- cgit v1.2.3 From 27cb083212a74c94ed069ce9ef3dfc7593e85524 Mon Sep 17 00:00:00 2001 
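Review bot: The `site_webapp::init` hunk stops managing `/srv/leap-webapp/public/config/eip-service.json`, so nodes deployed with the old layout keep serving that stale file from the public directory with nothing to remove it; an explicit `file { '/srv/leap-webapp/public/config/eip-service.json': ensure => absent }` alongside the new versioned path would clean it up. The later hunk on this page that moves the tree to `public/${api_version}/config/` repeats the same leftover for `public/config`. The file resource block continues outside the hunk.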
From: Micah Anderson Date: Thu, 25 Apr 2013 14:35:48 -0400 Subject: update apache submodule to fix #2279 --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 688f0779..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 688f07793a72ba4453f6663b6d19fe6388ba382f +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e -- cgit v1.2.3 From 1c61472a0c0c14351993574f2673a6a3a3c75371 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:28:19 +0200 Subject: Revert "webapp: use admin creds for now, until we fixed couchdb user permissions" This reverts commit 830f2408fa210016fdef855da8b3fd28421bff32. --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 4a818950..88eb2e25 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -10,7 +10,7 @@ chown leap-webapp:leap-webapp config/couchdb.yml RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate -# use admin creds for now, until we fixed couchdb user permissions -cp config/couchdb.yml.admin config/couchdb.yml +# use user credentials and remove admin credentials +cp config/couchdb.yml.webapp config/couchdb.yml chown leap-webapp:leap-webapp config/couchdb.yml -- cgit v1.2.3 From 8e5716518b361aceac5c2cc5433148edf8785d89 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 30 Apr 2013 17:17:54 -0400 Subject: setup a site_config::params class that can be used to set some common variables that are used in different places to start with we setup the $interface variable, based on logic as defined in #2213 change the various places that were looking up this value to use site_config::params::interface instead --- puppet/modules/site_config/manifests/params.pp | 25 ++++++++++++++++++++++ puppet/modules/site_openvpn/manifests/init.pp | 2 -- .../site_openvpn/templates/add_gateway_ips.sh.erb | 8 +++---- .../modules/site_shorewall/manifests/defaults.pp | 14 +++--------- puppet/modules/site_shorewall/manifests/eip.pp | 7 ++---- 5 files changed, 34 insertions(+), 22 deletions(-) create mode 100644 puppet/modules/site_config/manifests/params.pp diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp new file mode 100644 index 00000000..237ee454 --- /dev/null +++ b/puppet/modules/site_config/manifests/params.pp @@ -0,0 +1,25 @@ +class site_config::params { + + $ip_address = hiera('ip_address') + $ip_address_interface = getvar("interface_${ip_address}") + $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") + + if $::virtual == 'virtualbox' { + $interface = [ 'eth0', 'eth1' ] + } + elsif hiera('interface','') != '' { + $interface = hiera('interface') + } + elsif $ip_address_interface != '' { + $interface = $ip_address_interface + } + elsif $ec2_local_ipv4_interface != '' { + $interface = $ec2_local_ipv4_interface + } + elsif $::interfaces =~ /eth0/ { + $interface = eth0 + } + else { + fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") + } +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 1ae3fb02..9bfffa6f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
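Review bot: `site_config::params::interface` has two shapes — an Array `[ 'eth0', 'eth1' ]` on virtualbox and a String everywhere else — and nothing in the new class tells consumers that; a header comment such as `# $interface is an Array on virtualbox nodes and a String otherwise; consumers that interpolate it into a string must handle both` would prevent the misuse that this same commit introduces in the openvpn template. Separately, `$::interfaces =~ /eth0/` is unanchored, so as far as I can tell it also matches names like `eth0.100` or `eth0:1` in the comma-separated fact; `/(^|,)eth0(,|$)/` would match the device only. The `!= ''` checks on `getvar` results rely on undef comparing equal to the empty string, which holds in Puppet 3 but is worth a comment.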
@@ -21,8 +21,6 @@ class site_openvpn { $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $openvpn_config['gateway_address'] if $openvpn_config['second_gateway_address'] { diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb index ed06a95e..05f3d16b 100644 --- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -1,11 +1,11 @@ #!/bin/sh -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> <% if @openvpn_second_gateway_address %> -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 || - ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 || + ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> <% end %> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5639a90..c62c9307 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
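Review bot: `scope.lookupvar('site_config::params::interface')` is interpolated straight into `ip addr show dev …`, but the params class added in this commit sets `$interface = [ 'eth0', 'eth1' ]` on virtualbox, so on those nodes the ERB renders the Array's `to_s` instead of a device name and the script fails; the replaced `@interface` was always a scalar `getvar(...)` result. Picking one element in the template, e.g. `<% iface = Array(scope.lookupvar('site_config::params::interface')).first %>` and using `<%= iface %>` in the four `ip addr` lines, keeps the previous behaviour. The same Array reaches `shorewall::masq { "${interface}_unlimited_tcp": interface => $interface …` in the `site_shorewall::eip` hunk of this commit, which previously special-cased virtualbox to `'eth0'`.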
@@ -1,17 +1,10 @@ class site_shorewall::defaults { include shorewall + include site_config::params # be safe for development #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } - $ip_address = hiera('ip_address') - # a special case for vagrant interfaces - $interface = $::virtual ? { - virtualbox => [ 'eth0', 'eth1' ], - default => getvar("interface_${ip_address}") - } - - # If you want logging: shorewall::params { 'LOG': value => 'debug'; @@ -19,14 +12,13 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - # define interfaces - shorewall::interface { $interface: + shorewall::interface { $site_config::params::interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::routestopped { $interface: } + shorewall::routestopped { $site_config::params::interface: } shorewall::policy { 'fw-to-all': diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 95c3920e..2f84d45c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,6 +1,7 @@ class site_shorewall::eip { include site_shorewall::defaults + include site_config::params include site_shorewall::ip_forward # define macro for incoming services @@ -32,11 +33,7 @@ PARAM - - udp 1194 type => 'ipv4'; } - if $::virtual == 'virtualbox' { - $interface = 'eth0' - } else { - $interface = $site_shorewall::defaults::interface - } + $interface = $site_config::params::interface shorewall::masq { "${interface}_unlimited_tcp": -- cgit v1.2.3 From b54161a12561c5983f6bc5215f764a1f46a4bd1f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 30 Apr 2013 17:18:19 -0400 Subject: minor spacing changes --- puppet/modules/site_shorewall/manifests/eip.pp | 30 +++++++++++++------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 2f84d45c..8a986d28 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,8 +7,8 @@ class site_shorewall::eip { # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 1194 -PARAM - - udp 1194 -", + PARAM - - udp 1194 + ", notify => Service['shorewall'], require => Package['shorewall'] } @@ -37,17 +37,17 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_unlimited_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; "${interface}_unlimited_udp": - interface => $interface, - source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; "${interface}_limited_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; "${interface}_limited_udp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; } shorewall::policy { 
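Review bot: The re-indent in the first hunk is not whitespace-only: the `content` value is a string literal, so `/etc/shorewall/macro.leap_eip` now gets leading spaces before `PARAM - - udp 1194` and on the final line. Whether Shorewall's macro parser tolerates leading whitespace I can't confirm from here; the safe form keeps the lines at column 0, e.g. `content => "PARAM - - tcp 1194\nPARAM - - udp 1194\n",`. The remaining hunks of this commit only realign attribute columns.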
@@ -59,11 +59,11 @@ PARAM - - udp 1194 } shorewall::rule { - 'net2fw-openvpn': - source => 'net', - destination => '$FW', - action => 'leap_eip(ACCEPT)', - order => 200; + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', + order => 200; } # create dnat rule for each port -- cgit v1.2.3 From c8e427c39285a0ac8750c1b9bbf247533bbce519 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 30 Apr 2013 14:25:45 -0700 Subject: added soledad-service.json --- provider_base/common.json | 3 ++- .../service-definitions/v1/eip-service.json.erb | 2 +- .../v1/soledad-service.json.erb | 29 ++++++++++++++++++++++ provider_base/services/soledad.json | 6 +++++ provider_base/services/webapp.json | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 11 +++++--- 6 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 provider_base/files/service-definitions/v1/soledad-service.json.erb create mode 100644 provider_base/services/soledad.json diff --git a/provider_base/common.json b/provider_base/common.json index dc59b88e..e89fce7e 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -29,5 +29,6 @@ "development": { "site_config": true }, - "name": "common" + "name": "common", + "location": null } diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb index ca42bef5..9ee489de 100644 --- a/provider_base/files/service-definitions/v1/eip-service.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -14,7 +14,7 @@ gateway["host"] = node.domain.full gateway["ip_address"] = options[:ip] gateway["capabilities"]["limited"] = options[:limited] - if node.location + if node['location'] location_name = underscore(node.location.name) gateway["location"] = location_name locations[location_name] ||= node.location 
diff --git a/provider_base/files/service-definitions/v1/soledad-service.json.erb b/provider_base/files/service-definitions/v1/soledad-service.json.erb new file mode 100644 index 00000000..4d345930 --- /dev/null +++ b/provider_base/files/service-definitions/v1/soledad-service.json.erb @@ -0,0 +1,29 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + locations = {} + hosts = {} + nodes_like_me[:services => 'soledad'].each_node do |node| + host = {} + host["hostname"] = node.domain.full + host["ip_address"] = node.ip_address + host["port"] = node.soledad.port + if node['location'] + location_name = underscore(node.location.name) + host["location"] = location_name + locations[location_name] ||= node.location + end + hosts[node.name] = host + end + hsh["hosts"] = hosts + hsh["locations"] = locations + generate_json hsh +%> \ No newline at end of file diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json new file mode 100644 index 00000000..10657563 --- /dev/null +++ b/provider_base/services/soledad.json @@ -0,0 +1,6 @@ +{ + "service_type": "public_service", + "soledad": { + "port": 1111 + } +} \ No newline at end of file diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index e4926ba7..4b2f7c26 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -22,7 +22,8 @@ }, "definition_files": { "provider": "= file :provider_json_template", - "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]" + "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]", + "soledad_service": "= file [:soledad_service_json_template, 'v'+webapp.api_version.to_s]" }, "service_type": "public_service", "api": { 
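Review bot: `hsh["serial"] = 1` is a constant in the new soledad-service template, as it is in the eip-service and smtp-service templates on this page, so if clients use `serial` to decide whether a cached definition is stale — which the name suggests, though I can't see how leap_cli or the client consumes it — it never changes after the first fetch; a provider-maintained counter or a content-derived value would be needed. The `underscore` helper is now copy-pasted into a third template; a single helper in the template scope would keep them in sync. The `node['location']` guard before `node.location.name` matches the fix applied to eip-service in this commit.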
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 8b5bb0e3..8e0aa11c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -3,6 +3,7 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] + $soledad_service = $definition_files['soledad_service'] $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') @@ -80,17 +81,21 @@ class site_webapp { ensure => link, target => '/usr/local/share/ca-certificates/leap_api.crt'; - '/srv/leap-webapp/public/config': + "/srv/leap-webapp/public/${api_version}": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/config/${api_version}": + "/srv/leap-webapp/public/${api_version}/config/": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/config/${api_version}/eip-service.json": + "/srv/leap-webapp/public/${api_version}/config/eip-service.json": content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": + content => $soledad_service, + owner => leap-webapp, group => leap-webapp, mode => '0644'; } try::file { -- cgit v1.2.3 From 8087a374429c1b1be5a766e6e89cdeb02de292a3 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 2 May 2013 14:01:35 -0700 Subject: fixed dnat_rules --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index e1ea86ec..aa298408 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp 
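Review bot: The title `"/srv/leap-webapp/public/${api_version}/config/"` carries a trailing slash while every sibling title in the hunk does not; Puppet normalises the path, but the inconsistency reads like a typo and, if anything autorequires on the literal string, it would not match. Dropping the slash, `"/srv/leap-webapp/public/${api_version}/config":`, keeps the block uniform. The file resource block continues outside the hunk.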
@@ -2,12 +2,12 @@ define site_shorewall::dnat_rule { $port = $name if $port != 1194 { - if $site_openvpn::openvpn_allow_paid { + if $site_openvpn::openvpn_allow_unlimited { shorewall::rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -16,18 +16,18 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; } } - if $site_openvpn::openvpn_allow_free { + if $site_openvpn::openvpn_allow_limited { shorewall::rule { "dnat_free_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -36,7 +36,7 @@ define site_shorewall::dnat_rule { "dnat_free_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; -- cgit v1.2.3 From 4132a1b857c79670ef457ae7e11b77b6ff2c477b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 9 May 2013 17:16:48 -0400 Subject: the leap platform repo should track 'stable' --- puppet/modules/site_apt/manifests/leap_repo.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 81559abd..9d967841 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp 
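Review bot: The new destinations reference `$site_openvpn::unlimited_gateway_address` and `$site_openvpn::limited_gateway_address`, but the `site_openvpn` class visible elsewhere on this page defines `$openvpn_gateway_address` and `$openvpn_second_gateway_address`, and the eip-service template pairs the second address with `:limited => true`; unless the two names used here are defined somewhere I can't see, Puppet resolves them to undef and the rule's destination collapses to `$FW::1194`, which is worth confirming with a catalog compile. If the mapping is first/second gateway, the four lines should read `destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",` for the unlimited rules and `destination => "\$FW:${site_openvpn::openvpn_second_gateway_address}:1194",` for the limited ones. The titles still say `dnat_free_*` after the free→limited rename in the same hunks.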
@@ -1,6 +1,6 @@ class site_apt::leap_repo { - apt::sources_list {'leap.list': - content => "deb http://deb.leap.se/debian ${::lsbdistcodename} main", + apt::sources_list { 'leap.list': + content => 'deb http://deb.leap.se/debian stable main', before => Exec[refresh_apt] } -- cgit v1.2.3 From b3d1c6c58838b0c4f368bc42493ac3bae280b5af Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 14 May 2013 12:23:20 -0700 Subject: added smtp-service.json, requires latest leap_cli --- .../service-definitions/v1/smtp-service.json.erb | 29 ++++++++++++++++++++++ provider_base/services/webapp.json | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 5 ++++ 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 provider_base/files/service-definitions/v1/smtp-service.json.erb diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb new file mode 100644 index 00000000..68d4bbab --- /dev/null +++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb @@ -0,0 +1,29 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + locations = {} + hosts = {} + nodes_like_me[:services => 'mx'].each_node do |node| + host = {} + host["hostname"] = node.domain.full + host["ip_address"] = node.ip_address + host["port"] = 25 # hard coded for now, later node.smtp.port + if node['location'] + location_name = underscore(node.location.name) + host["location"] = location_name + locations[location_name] ||= node.location + end + hosts[node.name] = host + end + hsh["hosts"] = hosts + hsh["locations"] = locations + generate_json hsh +%> \ No newline at end of file diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 4b2f7c26..1fe5cf7b 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
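Review bot: The source now tracks the moving `stable` suite on deb.leap.se over plain http, and the hunk shows no key or keyring handling for that repository, so the signing key is the only thing that authenticates what every node installs from it; the commit's intent to follow stable is clear, but where the key is managed is not, and it may well live in another resource I can't see. A comment such as `# signing key for deb.leap.se is managed in <resource or module>` next to the source would make that dependency visible, and a pin or a comment on why a moving suite is acceptable for the platform repo would help the next reader.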
@@ -23,7 +23,8 @@ "definition_files": { "provider": "= file :provider_json_template", "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]", - "soledad_service": "= file [:soledad_service_json_template, 'v'+webapp.api_version.to_s]" + "soledad_service": "= file [:soledad_service_json_template, 'v'+webapp.api_version.to_s]", + "smtp_service": "= file [:smtp_service_json_template, 'v'+webapp.api_version.to_s]" }, "service_type": "public_service", "api": { diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 8e0aa11c..5c084a0c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -4,6 +4,7 @@ class site_webapp { $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] $soledad_service = $definition_files['soledad_service'] + $smtp_service = $definition_files['smtp_service'] $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') @@ -96,6 +97,10 @@ class site_webapp { "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": content => $soledad_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + "/srv/leap-webapp/public/${api_version}/config/smtp-service.json": + content => $smtp_service, + owner => leap-webapp, group => leap-webapp, mode => '0644'; } try::file { -- cgit v1.2.3 From 0f6d2ebd6467d1c793d1907d677ca374a1efe477 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 11 May 2013 14:05:14 -0400 Subject: special casing for pistoncloud/openstack/ec2 --- puppet/modules/site_openvpn/manifests/init.pp | 33 ++++++++++++++++---------- puppet/modules/site_shorewall/manifests/eip.pp | 16 ++++++++----- 2 files changed, 30 insertions(+), 19 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 9bfffa6f..685871bd 100644 
--- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -22,11 +22,16 @@ class site_openvpn { $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $openvpn_config['gateway_address'] - if $openvpn_config['second_gateway_address'] { - $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + + if $::ec2_instance_id { + $openvpn_gateway_address = $::ipaddress } else { - $openvpn_second_gateway_address = undef + $openvpn_gateway_address = $openvpn_config['gateway_address'] + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } else { + $openvpn_second_gateway_address = undef + } } $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] @@ -38,15 +43,17 @@ class site_openvpn { $openvpn_unlimited_udp_netmask = '255.255.248.0' $openvpn_unlimited_udp_cidr = '21' - $openvpn_allow_limited = $openvpn_config['allow_limited'] - $openvpn_limited_prefix = $openvpn_config['limited_prefix'] - $openvpn_rate_limit = $openvpn_config['rate_limit'] - $openvpn_limited_tcp_network_prefix = '10.43.0' - $openvpn_limited_tcp_netmask = '255.255.248.0' - $openvpn_limited_tcp_cidr = '21' - $openvpn_limited_udp_network_prefix = '10.44.0' - $openvpn_limited_udp_netmask = '255.255.248.0' - $openvpn_limited_udp_cidr = '21' + if !$::ec2_instance_id { + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' + } # deploy ca + server keys include site_openvpn::keys 
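Review bot: In the `if $::ec2_instance_id` branch `$openvpn_second_gateway_address` is never assigned, and the second hunk leaves `$openvpn_allow_limited`, `$openvpn_rate_limit` and the `limited_*` variables unset on EC2; consumers such as `site_shorewall::dnat_rule` read `$site_openvpn::openvpn_allow_limited` as a class variable, so on EC2 they see undef (with an unknown-variable warning in Puppet 3) rather than an explicit false. Assigning `$openvpn_second_gateway_address = undef` in the EC2 branch and `$openvpn_allow_limited = false` in an `else` of the second `if` states the intent that limited gateways are unsupported there instead of implying it. `$::ipaddress` on EC2 is presumably the instance's private address; a comment saying the gateway address is the private IP and how the public mapping is handled would save a question. The class continues outside the hunks.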
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8a986d28..7109b770 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -42,12 +42,16 @@ class site_shorewall::eip { "${interface}_unlimited_udp": interface => $interface, source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; - "${interface}_limited_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; - "${interface}_limited_udp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; + } + if ! $::ec2_instance_id { + shorewall::masq { + "${interface}_limited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + "${interface}_limited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; + } } shorewall::policy { -- cgit v1.2.3 From f82d5b5c7004b01565bbeace598d1716f72c1b2f Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 17 May 2013 11:53:10 -0700 Subject: minor - webapp api port should be integer, not string. --- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/services/webapp.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index bc93fac5..d17aae96 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb 
@@ -13,7 +13,7 @@ hsh['services'] = global.services[:service_type => :user_service].field(:name) hsh['api_version'] = "1" - hsh['api_uri'] = "https://" + api.domain + ':' + api.port + hsh['api_uri'] = ["https://", api.domain, ':', api.port].join hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 1fe5cf7b..5f0bdc9e 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -29,7 +29,7 @@ "service_type": "public_service", "api": { "domain": "= 'api.' + domain.full_suffix", - "port": "4430" + "port": 4430 }, "dns": { "aliases": "= [domain.full, api.domain]" -- cgit v1.2.3 From 450fb19a4df8f4740dcf077b585dbd77c096d133 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 18 May 2013 17:13:05 -0700 Subject: added module site_nickserver --- provider_base/services/webapp.json | 7 +- puppet/manifests/site.pp | 1 + puppet/modules/site_config/manifests/ruby.pp | 14 +++ puppet/modules/site_nickserver/manifests/init.pp | 120 +++++++++++++++++++++ .../site_nickserver/templates/nickserver.yml.erb | 7 ++ puppet/modules/site_webapp/manifests/init.pp | 8 +- 6 files changed, 149 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_config/manifests/ruby.pp create mode 100644 puppet/modules/site_nickserver/manifests/init.pp create mode 100644 puppet/modules/site_nickserver/templates/nickserver.yml.erb diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 5f0bdc9e..3dd9bebe 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
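Review bot: `["https://", api.domain, ':', api.port].join` reads as a workaround for the Integer port, where interpolation says the same thing directly: `hsh['api_uri'] = "https://#{api.domain}:#{api.port}"`. The next line still builds `ca_cert_uri` with `+` concatenation, so two adjacent URI assignments now use different idioms; interpolating both keeps them uniform and lets the second line survive a future non-String value as well. The surrounding ERB block starts outside the hunk.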
@@ -31,8 +31,13 @@ "domain": "= 'api.' + domain.full_suffix", "port": 4430 }, + "nickserver": { + "domain": "= 'nicknym.' + domain.full_suffix", + "port": 6425, + "couchdb_user": "= global.services[:couchdb].couch.users[:admin]" + }, "dns": { - "aliases": "= [domain.full, api.domain]" + "aliases": "= [domain.full, api.domain, nickserver.domain]" }, "x509": { "use": true, diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 2d41d45f..22172584 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -29,6 +29,7 @@ if 'couchdb' in $services { if 'webapp' in $services { include site_webapp + include site_nickserver } if 'monitor' in $services { diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp new file mode 100644 index 00000000..2a720114 --- /dev/null +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -0,0 +1,14 @@ +class site_config::ruby { + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] + class { '::ruby': ruby_version => '1.9.3' } + class { 'bundler::install': install_method => 'package' } + include rubygems +} + + +# +# Ruby settings common to all servers +# +# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors. +# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/ +# diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp new file mode 100644 index 00000000..4a80d8fd --- /dev/null +++ b/puppet/modules/site_nickserver/manifests/init.pp 
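Review bot: `"couchdb_user": "= global.services[:couchdb].couch.users[:admin]"` hands nickserver the CouchDB admin account, although the service presumably only needs to read the `users` database; a dedicated CouchDB user with the minimum rights would bound what a compromised nickserver could do to the database. The same credentials are rendered into `/etc/leap/nickserver.yml` by this commit, so the admin secret would also live in a second file on every webapp node. If admin is required for now, record that exception where the couch users are defined so it is revisited once a read-only user exists.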
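Review bot: The explanatory header comment in ruby.pp is placed after the class body and tells readers to `include site_ruby`, but the class defined above it is `site_config::ruby`; move the comment block above `class site_config::ruby {` and change the example to `include site_config::ruby`. The chain `Class[Ruby] -> Class[rubygems] -> Class[bundler::install]` precedes the declarations it refers to, which Puppet accepts, but a one-line comment such as `# ruby must be present before rubygems and bundler are installed` makes the intent explicit for the next reader.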
@@ -0,0 +1,120 @@ +# +# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp. +# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently. +# + +class site_nickserver { + tag 'leap_service' + include site_config::ruby + + # + # VARIABLES + # + + $nickserver = hiera('nickserver') + $nickserver_port = $nickserver['port'] + $couchdb_user = $nickserver['couchdb_user']['username'] + $couchdb_password = $nickserver['couchdb_user']['password'] + $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. + $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + + # + # USER AND GROUP + # + + group { 'nickserver': + ensure => present, + allowdupe => false; + } + user { 'nickserver': + ensure => present, + allowdupe => false, + gid => 'nickserver', + groups => 'ssl-cert', + home => '/srv/leap/nickserver', + require => Group['nickserver']; + } + + # + # NICKSERVER CODE + # + + #file { '/srv/leap/nickserver': + # ensure => directory, + # owner => 'nickserver', + # group => 'nickserver', + # require => User['nickserver']; + #} + vcsrepo { '/srv/leap/nickserver': + ensure => present, + revision => 'origin/master', + provider => git, + source => 'git://code.leap.se/nickserver', + owner => 'nickserver', + group => 'nickserver', + require => [ User['nickserver'], Group['nickserver'] ], + notify => Exec['nickserver_bundler_update']; + } + exec { 'nickserver_bundler_update': + cwd => '/srv/leap/nickserver', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', + unless => '/usr/bin/bundle check', + user => 'nickserver', + timeout => 600, + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'] ], + notify => Service['nickserver']; + } + + # + # NICKSERVER CONFIG + # + + file { '/etc/leap/nickserver.yml': + content => template('site_nickserver/nickserver.yml.erb'), + owner => 
nickserver, + group => nickserver, + mode => '0600', + notify => Service['nickserver']; + } + + # + # NICKSERVER DAEMON + # + + file { + '/usr/bin/nickserver': + ensure => link, + target => '/srv/leap/nickserver/bin/nickserver', + require => Vcsrepo['/srv/leap/nickserver']; + '/etc/init.d/nickserver': + owner => root, group => 0, mode => '0755', + source => '/srv/leap/nickserver/dist/debian-init-script', + require => Vcsrepo['/srv/leap/nickserver']; + } + + service { 'nickserver': + ensure => running, + enable => true, + hasrestart => true, + hasstatus => true, + require => File['/etc/init.d/nickserver']; + } + + # + # FIREWALL + # + + file { '/etc/shorewall/macro.nickserver': + content => "PARAM - - tcp $nickserver_port", + notify => Service['shorewall'], + require => Package['shorewall']; + } + + shorewall::rule { 'net2fw-nickserver': + source => 'net', + destination => '$FW', + action => 'nickserver(ACCEPT)', + order => 200; + } + +} \ No newline at end of file diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb new file mode 100644 index 00000000..ec1c22ed --- /dev/null +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb @@ -0,0 +1,7 @@ +couch_host: <%= @couchdb_host %> +couch_port: <%= @couchdb_port %> +couch_database: 'users' +couch_user: <%= @couchdb_user %> +couch_password: <%= @couchdb_password %> +hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' +port: <%= @nickserver_port %> diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 5c084a0c..80b7c271 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
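Review bot: The service code is fetched with `source => 'git://code.leap.se/nickserver'` at the floating `revision => 'origin/master'`, an unauthenticated transport with no integrity check, and the checkout's `dist/debian-init-script` is then installed as `/etc/init.d/nickserver` owned by root with mode 0755, so whatever lands on that branch or on the wire runs as root at boot; `bundle install` additionally pulls whatever gems the checkout's Gemfile names. Pinning `revision` to a tag or commit and using an authenticated transport (ssh, or https against a verified host) would bound what a deploy can pull in. Until then a comment on the `vcsrepo` resource, e.g. `# NOTE: unauthenticated git:// transport and moving ref; the init script below is installed from this checkout as root`, should record the accepted risk. The `mode => '0600'` on `/etc/leap/nickserver.yml` is right for a file holding CouchDB credentials.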
@@ -11,13 +11,7 @@ class site_webapp { $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] - Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - - class { 'ruby': ruby_version => '1.9.3' } - - class { 'bundler::install': install_method => 'package' } - - include rubygems + include site_config::ruby include site_webapp::apache include site_webapp::couchdb include site_webapp::client_ca -- cgit v1.2.3 From b3cd7fc827d51007053ae1077cda2a2fc78a48dc Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 18 May 2013 22:55:34 -0700 Subject: nickserver - ensure libssl-dev is installed before EventMachine gem is installed. --- puppet/modules/site_nickserver/manifests/init.pp | 12 +++++------- puppet/modules/site_nickserver/templates/nickserver.yml.erb | 3 +++ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 4a80d8fd..03af4acb 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -39,12 +39,10 @@ class site_nickserver { # NICKSERVER CODE # - #file { '/srv/leap/nickserver': - # ensure => directory, - # owner => 'nickserver', - # group => 'nickserver', - # require => User['nickserver']; - #} + # libssl-dev must be installed before eventmachine gem in order to support TLS + package { + 'libssl-dev': ensure => installed; + } vcsrepo { '/srv/leap/nickserver': ensure => present, revision => 'origin/master', @@ -61,7 +59,7 @@ class site_nickserver { unless => '/usr/bin/bundle check', user => 'nickserver', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ], notify => Service['nickserver']; } 
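Review bot: Adding `Package['libssl-dev']` to the exec's `require` orders the install correctly on fresh nodes, but the exec is guarded by `unless => '/usr/bin/bundle check'`, so a node that already built eventmachine without the OpenSSL headers keeps the old gem and never gains TLS support; the goal in the commit message is only met for new deployments. If existing nodes matter, either state the one-off manual rebuild in a comment next to the package resource, or make the bundler exec refresh on the package as well (`Package['libssl-dev'] ~> Exec['nickserver_bundler_update']`) and rethink the `unless` guard so a refresh actually reinstalls. The enclosing `class site_nickserver` starts and ends outside the hunk.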
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index ec1c22ed..b6e0b3bf 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb @@ -5,3 +5,6 @@ couch_user: <%= @couchdb_user %> couch_password: <%= @couchdb_password %> hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' port: <%= @nickserver_port %> +pid_file: '/var/run/nickserver' +user: 'nickserver' +log_file: '/var/log/nickserver.log' -- cgit v1.2.3 From 379c6ff12c28a10dac4518c5cd2143ce11a39f85 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 19 May 2013 12:41:01 -0700 Subject: updated apache submodule --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 From c591f65a555a20bd6bc3a2171cffb55283dd9d0c Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 21 May 2013 13:14:02 -0700 Subject: only advertise services that are actually deployed (in public provider.json) --- provider_base/files/service-definitions/provider.json.erb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index d17aae96..5552c423 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb 
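Review bot: `pid_file: '/var/run/nickserver'` and `log_file: '/var/log/nickserver.log'` point into root-owned directories while the same file sets `user: 'nickserver'`; if the daemon creates these files after dropping privileges, both writes fail on a stock Debian system. A per-service directory created by Puppet and owned by the nickserver user (e.g. a `/var/run/nickserver/` and `/var/log/nickserver/` pair), or having the init script create the files as root before switching user, avoids that. Whether nickserver opens them before or after changing user is not visible here and should be confirmed. The pid path also lacks the conventional `.pid` suffix.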
@@ -9,8 +9,10 @@ hsh['domain'] = domain.full_suffix - # advertise services that are 'user services' - hsh['services'] = global.services[:service_type => :user_service].field(:name) + # advertise services that are 'user services' and for which there are actually nodes + hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service| + nodes_like_me[:services => service].any? + end hsh['api_version'] = "1" hsh['api_uri'] = ["https://", api.domain, ':', api.port].join -- cgit v1.2.3 From aafeaecb26fbb05284558114332a89439261637b Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 21 May 2013 13:17:25 -0700 Subject: nickserver - added support for apache reverse proxy frontend to handle the TLS. --- puppet/modules/site_nickserver/manifests/init.pp | 54 ++++++++++++++++++++-- .../templates/nickserver-proxy.conf.erb | 23 +++++++++ .../site_nickserver/templates/nickserver.yml.erb | 27 +++++++---- 3 files changed, 90 insertions(+), 14 deletions(-) create mode 100644 puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 03af4acb..7dfa2603 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -1,6 +1,10 @@ # -# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp. -# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently. +# TODO: currently, this is dependent on some things that are set up in site_webapp +# +# (1) HAProxy -> couchdb +# (2) Apache +# +# It would be good in the future to make nickserver installable independently of site_webapp. # class site_nickserver { 
@@ -12,12 +16,23 @@ class site_nickserver { # $nickserver = hiera('nickserver') - $nickserver_port = $nickserver['port'] + $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425) + $nickserver_local_port = '64250' # the port that nickserver is actually running on + $nickserver_domain = $nickserver['domain'] + $couchdb_user = $nickserver['couchdb_user']['username'] $couchdb_password = $nickserver['couchdb_user']['password'] $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + # temporarily for now: + $domain = hiera('domain') + $address_domain = $domain['full_suffix'] + $x509 = hiera('x509') + $x509_key = $x509['key'] + $x509_cert = $x509['cert'] + $x509_ca = $x509['ca_cert'] + # # USER AND GROUP # @@ -30,16 +45,16 @@ class site_nickserver { ensure => present, allowdupe => false, gid => 'nickserver', - groups => 'ssl-cert', home => '/srv/leap/nickserver', require => Group['nickserver']; } # # NICKSERVER CODE + # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem + # is built/installed. # - # libssl-dev must be installed before eventmachine gem in order to support TLS package { 'libssl-dev': ensure => installed; } @@ -100,6 +115,7 @@ class site_nickserver { # # FIREWALL + # poke a hole in the firewall to allow nickserver requests # file { '/etc/shorewall/macro.nickserver': 
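Review bot: `$nickserver_local_port = '64250'` moves the daemon behind the Apache TLS frontend, but nothing in this class binds it to the loopback interface, so the plaintext backend is reachable directly on any interface unless the shorewall default policy drops it; a bind address in the nickserver config (if the daemon supports one) or a comment such as `# backend port is deliberately not opened in shorewall; only Apache on $nickserver_port is exposed` should pin that assumption down. The `# temporarily for now:` block reads `domain` and `x509` from hiera without saying what the permanent arrangement is; state it in the comment or drop the word. Removing `groups => 'ssl-cert'` from the user is consistent with Apache now owning the keys. The enclosing `class site_nickserver` starts and ends outside these hunks.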
@@ -115,4 +131,32 @@ class site_nickserver { order => 200; } + # + # APACHE REVERSE PROXY + # nickserver doesn't speak TLS natively, let Apache handle that. + # + + apache::module { + 'proxy': ensure => present; + 'proxy_http': ensure => present + } + + apache::vhost::file { + 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') + } + + x509::key { 'nickserver': + content => $x509_key, + notify => Service[apache]; + } + + x509::cert { 'nickserver': + content => $x509_cert, + notify => Service[apache]; + } + + x509::ca { 'nickserver': + content => $x509_ca, + notify => Service[apache]; + } } \ No newline at end of file diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb new file mode 100644 index 00000000..67896cd3 --- /dev/null +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -0,0 +1,23 @@ +# +# Apache reverse proxy configuration for the Nickserver +# + +Listen 0.0.0.0:<%= @nickserver_port -%> + +> + ServerName <%= @nickserver_domain %> + ServerAlias <%= @address_domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/nickserver.pem + SSLCertificateKeyFile /etc/x509/keys/nickserver.key + SSLCertificateFile /etc/x509/certs/nickserver.crt + + ProxyPass / http://localhost:<%= @nickserver_local_port %>/ + ProxyPreserveHost On # preserve Host header in HTTP request + diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index b6e0b3bf..7aab5605 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb 
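Review bot: `ProxyPreserveHost On # preserve Host header in HTTP request` is a configuration error: Apache httpd does not allow trailing comments on a directive line, so the extra words are parsed as arguments and the server refuses to start once this vhost is enabled; put the comment on its own line above the directive. `SSLProtocol -all +SSLv3 +TLSv1` explicitly enables SSLv3 and `SSLCipherSuite HIGH:MEDIUM:...` admits the MEDIUM group, which includes RC4-based suites; for a frontend that exists only to terminate TLS, `SSLProtocol all -SSLv2 -SSLv3` and a HIGH-only suite list are the safer baseline. `SSLCertificateChainFile /etc/ssl/certs/nickserver.pem` is hard-coded while the key and cert paths follow the `x509::` layout, so confirm that is where `x509::ca { 'nickserver': }` writes the CA.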
@@ -1,10 +1,19 @@ -couch_host: <%= @couchdb_host %> +# +# configuration for nickserver. +# + +domain: "<%= @address_domain %>" + +couch_host: "<%= @couchdb_host %>" couch_port: <%= @couchdb_port %> -couch_database: 'users' -couch_user: <%= @couchdb_user %> -couch_password: <%= @couchdb_password %> -hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' -port: <%= @nickserver_port %> -pid_file: '/var/run/nickserver' -user: 'nickserver' -log_file: '/var/log/nickserver.log' +couch_database: "users" +couch_user: "<%= @couchdb_user %>" +couch_password: "<%= @couchdb_password %>" + +hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup" + +user: "nickserver" +port: <%= @nickserver_local_port %> +pid_file: "/var/run/nickserver" +log_file: "/var/log/nickserver.log" + -- cgit v1.2.3 From 264fa32a719d77b15e623cc3fc4574fd04837716 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 May 2013 17:42:40 -0400 Subject: change paths for leap webapp to be under /srv/leap/webapp from /srv/leap-webapp --- .../site_apache/templates/vhosts.d/api.conf.erb | 2 +- .../templates/vhosts.d/leap_webapp.conf.erb | 2 +- .../site_webapp/files/migrate_design_documents | 2 +- puppet/modules/site_webapp/manifests/couchdb.pp | 8 ++--- puppet/modules/site_webapp/manifests/init.pp | 36 +++++++++++----------- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 20d3dc9a..ae894cd4 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -21,7 +21,7 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap-webapp/public + DocumentRoot /srv/leap/webapp/public # Check for maintenance file and redirect all requests RewriteEngine On 
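Review bot: `hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"` carries an empty port after the colon, unchanged from the previous version; either drop the colon or make the port explicit (`:443`), since an empty port is accepted by some URL parsers and rejected by others. The quoting added here protects the CouchDB credentials from YAML special characters, but a generated password containing `"` or `\` would still break the document; rendering the value through a JSON-style escape (e.g. `<%= @couchdb_password.to_json %>` if JSON is loaded in the template context) covers those cases as well. The trailing empty line at the end of the template can go.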
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 2ccc4418..3055a7bb 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,7 +21,7 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap-webapp/public + DocumentRoot /srv/leap/webapp/public RewriteEngine On # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 88eb2e25..6e24aa5b 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -1,6 +1,6 @@ #!/bin/sh -cd /srv/leap-webapp +cd /srv/leap/webapp # use admin credentials cp config/couchdb.yml.admin config/couchdb.yml diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dd346fd..7a3839c8 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -25,19 +25,19 @@ class site_webapp::couchdb { $key_path = "${x509::variables::keys}/${cert_name}.key" file { - '/srv/leap-webapp/config/couchdb.yml.admin': + '/srv/leap/webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600'; - '/srv/leap-webapp/config/couchdb.yml.webapp': + '/srv/leap/webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600'; - '/srv/leap-webapp/logs/production.log': + '/srv/leap/webapp/logs/production.log': owner => leap-webapp, group => leap-webapp, mode => '0666'; 
@@ -58,7 +58,7 @@ class site_webapp::couchdb { } exec { 'migrate_design_documents': - cwd => '/srv/leap-webapp', + cwd => '/srv/leap/webapp', command => '/usr/local/sbin/migrate_design_documents', require => Exec['bundler_update'], notify => Service['apache']; diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 5c084a0c..f7a4b598 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -33,18 +33,18 @@ class site_webapp { allowdupe => false, gid => 'leap-webapp', groups => 'ssl-cert', - home => '/srv/leap-webapp', + home => '/srv/leap/webapp', require => [ Group['leap-webapp'] ]; } - file { '/srv/leap-webapp': + file { '/srv/leap/webapp': ensure => directory, owner => 'leap-webapp', group => 'leap-webapp', require => User['leap-webapp']; } - vcsrepo { '/srv/leap-webapp': + vcsrepo { '/srv/leap/webapp': ensure => present, revision => 'origin/master', provider => git, @@ -56,17 +56,17 @@ class site_webapp { } exec { 'bundler_update': - cwd => '/srv/leap-webapp', + cwd => '/srv/leap/webapp', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ], notify => Service['apache']; } exec { 'compile_assets': - cwd => '/srv/leap-webapp', + cwd => '/srv/leap/webapp', command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', user => 'leap-webapp', require => Exec['bundler_update'], 
@@ -74,55 +74,55 @@ class site_webapp { } file { - '/srv/leap-webapp/public/provider.json': + '/srv/leap/webapp/public/provider.json': content => $provider, owner => leap-webapp, group => leap-webapp, mode => '0644'; - '/srv/leap-webapp/public/ca.crt': + '/srv/leap/webapp/public/ca.crt': ensure => link, target => '/usr/local/share/ca-certificates/leap_api.crt'; - "/srv/leap-webapp/public/${api_version}": + "/srv/leap/webapp/public/${api_version}": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/${api_version}/config/": + "/srv/leap/webapp/public/${api_version}/config/": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/${api_version}/config/eip-service.json": + "/srv/leap/webapp/public/${api_version}/config/eip-service.json": content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; - "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": + "/srv/leap/webapp/public/${api_version}/config/soledad-service.json": content => $soledad_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; - "/srv/leap-webapp/public/${api_version}/config/smtp-service.json": + "/srv/leap/webapp/public/${api_version}/config/smtp-service.json": content => $smtp_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; } try::file { - '/srv/leap-webapp/public/favicon.ico': + '/srv/leap/webapp/public/favicon.ico': ensure => 'link', target => $webapp['favicon']; - '/srv/leap-webapp/app/assets/stylesheets/tail.scss': + '/srv/leap/webapp/app/assets/stylesheets/tail.scss': ensure => 'link', target => $webapp['tail_scss']; - '/srv/leap-webapp/app/assets/stylesheets/head.scss': + '/srv/leap/webapp/app/assets/stylesheets/head.scss': ensure => 'link', target => $webapp['head_scss']; - '/srv/leap-webapp/public/img': + '/srv/leap/webapp/public/img': ensure => 'link', target => $webapp['img_dir']; } file { - 
'/srv/leap-webapp/config/config.yml': + '/srv/leap/webapp/config/config.yml': content => template('site_webapp/config.yml.erb'), owner => leap-webapp, group => leap-webapp, -- cgit v1.2.3 From 92b90bc4507f412497c3128f0817bd24e2628b1b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 12:53:47 -0400 Subject: add force => true parameter to webapp vcsrepo checkout this should have been added to d669a5fb56acf9101cf677ecbd30bcc47b092cd3 resolve #1722 after the vcsrepo module was updated to handle this, but it wasn't. --- puppet/modules/site_webapp/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f7a4b598..aac48188 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -46,6 +46,7 @@ class site_webapp { vcsrepo { '/srv/leap/webapp': ensure => present, + force => true, revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_web', -- cgit v1.2.3 From e0b591b063d3c49012a4266ee837737758f58dc2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 12:56:43 -0400 Subject: add requirements to the try::file resources normally a file resource would automatically require the parent directory first, but try::file doesn't do this so it has errors if /srv/leap/webapp doesn't exist yet: for example: - [web1] err: /Stage[main]/Site_webapp/Try::File[/srv/leap/webapp/public/img]/Exec[restore_/srv/leap/webapp/public/img]/returns: change from notrun to 0 failed: Working directory '/srv/leap/webapp/public' does not exist that was 'tried' before the vcsrepo was done which would have resolved that problem. This makes sure that the vcsrepo is done first --- puppet/modules/site_webapp/manifests/init.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
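Review bot: `force => true` lets the vcsrepo delete and recreate `/srv/leap/webapp` whenever the directory does not look like the expected checkout, which also discards any local edits or untracked files in the tree; combined with `revision => 'origin/master'` the deploy then follows the remote branch unconditionally. That is probably the intent behind #1722, but the files this module writes into the checkout (`config/couchdb.yml.*`, `public/provider.json`) then rely on their `require => Vcsrepo[...]` ordering to be recreated after a forced re-clone; a comment on the parameter, e.g. `# force: wipe and re-clone if the tree is not our repo; generated files are re-created by the file resources below`, records that dependency. The enclosing `class site_webapp` starts and ends outside the hunk.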
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index aac48188..b01141ae 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -106,19 +106,23 @@ class site_webapp { try::file { '/srv/leap/webapp/public/favicon.ico': - ensure => 'link', - target => $webapp['favicon']; + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['favicon']; '/srv/leap/webapp/app/assets/stylesheets/tail.scss': ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], target => $webapp['tail_scss']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], target => $webapp['head_scss']; '/srv/leap/webapp/public/img': ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], target => $webapp['img_dir']; } -- cgit v1.2.3 From a386d3862a581d502b9611bc9af0e144ac29e4f9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 15:07:08 -0400 Subject: add missing require => on the vcsrepo which could cause these resources to fail --- puppet/modules/site_webapp/manifests/couchdb.pp | 9 +++++--- puppet/modules/site_webapp/manifests/init.pp | 29 +++++++++++++++++-------- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dd346fd..7858dbfd 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -29,18 +29,21 @@ class site_webapp::couchdb { content => template('site_webapp/couchdb.yml.admin.erb'), owner => leap-webapp, group => leap-webapp, - mode => '0600'; + mode => '0600', + require => Vcsrepo['/srv/leap/webapp']; '/srv/leap-webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, - mode => '0600'; + mode => '0600', + require => Vcsrepo['/srv/leap/webapp']; '/srv/leap-webapp/logs/production.log': owner => leap-webapp, group => leap-webapp, - mode => '0666'; + mode => '0666', + require => Vcsrepo['/srv/leap/webapp']; '/usr/local/sbin/migrate_design_documents': source => 'puppet:///modules/site_webapp/migrate_design_documents', diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 80b7c271..92cf4b25 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
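Review bot: The new `require => Vcsrepo['/srv/leap/webapp']` lines reference the renamed repository path while the resources they are attached to still live at `/srv/leap-webapp/...`, and this hunk's base (`index 1dd346fd`) appears to predate the rename, so on this tree there is no `Vcsrepo['/srv/leap/webapp']` and the catalog would fail with an unresolved dependency; the same mismatch appears in the `site_webapp` init.pp hunks that follow (`@@ -70,30 +70,37 @@` and `@@ -102,17 +109,20 @@`). Even where the reference resolves, a file at `/srv/leap-webapp/config/...` gains nothing from depending on a checkout at `/srv/leap/webapp`. Either rebase on the rename so titles and references agree, or reference `Vcsrepo['/srv/leap-webapp']` here. The enclosing classes start and end outside these hunks.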
@@ -70,30 +70,37 @@ class site_webapp { file { '/srv/leap-webapp/public/provider.json': content => $provider, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; '/srv/leap-webapp/public/ca.crt': ensure => link, + require => Vcsrepo['/srv/leap/webapp'], target => '/usr/local/share/ca-certificates/leap_api.crt'; "/srv/leap-webapp/public/${api_version}": ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap-webapp/public/${api_version}/config/": ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap-webapp/public/${api_version}/config/eip-service.json": content => $eip_service, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": content => $soledad_service, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; "/srv/leap-webapp/public/${api_version}/config/smtp-service.json": content => $smtp_service, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; } 
@@ -102,17 +109,20 @@ class site_webapp { ensure => 'link', target => $webapp['favicon']; - '/srv/leap-webapp/app/assets/stylesheets/tail.scss': - ensure => 'link', - target => $webapp['tail_scss']; + '/srv/leap/webapp/app/assets/stylesheets/tail.scss': + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['tail_scss']; - '/srv/leap-webapp/app/assets/stylesheets/head.scss': - ensure => 'link', - target => $webapp['head_scss']; + '/srv/leap/webapp/app/assets/stylesheets/head.scss': + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['head_scss']; - '/srv/leap-webapp/public/img': - ensure => 'link', - target => $webapp['img_dir']; + '/srv/leap/webapp/public/img': + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['img_dir']; } file { @@ -121,6 +131,7 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0600', + require => Vcsrepo['/srv/leap/webapp'], notify => Service['apache']; } -- cgit v1.2.3 From 79d5bba4674185b9db06f40b4976ce447bfb2f38 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 15:05:52 -0400 Subject: pass any require => parameters that are in the try::file resource so dependencies can be satisfied Change-Id: I10d3ebe6a3009ebe01e578ea582d00dc930689ed --- puppet/modules/try/manifests/file.pp | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 406c0b7a..47a8c269 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -18,7 +18,10 @@ define try::file ( file { "$name": ensure => $ensure, target => $target, - require => Exec["check_${name}"], + require => $require ? { + undef => Exec["check_${name}"], + default => [ $require, Exec["check_${name}"] ] + }, loglevel => info; } } 
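Review bot: Metaparameters such as `require` that are set on a `try::file` instance are, as far as I recall, propagated by Puppet to every resource declared inside the define, so the selector that re-applies `$require` to the `file` resource (and to the two `exec` resources in the `@@ -37,6 +40,10 @@` and `@@ -44,6 +51,10 @@` hunks) is likely redundant; confirm against the Puppet version in use before keeping it. If it stays, the `exec` variants reduce to `require => $require`, and `default => [ $require, Exec["check_${name}"] ]` nests an array whenever the caller already passes one, which reads as a mistake even if Puppet flattens it. A short comment above the selector saying why explicit propagation is needed here would spare the next reader the same question. The enclosing `define try::file` starts outside the hunk.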
@@ -37,6 +40,10 @@ define try::file ( exec { "restore_${name}": command => $command, cwd => $file_dirname, + require => $require ? { + undef => undef, + default => [ $require ] + }, loglevel => info; } } else { @@ -44,6 +51,10 @@ define try::file ( unless => "/usr/bin/test -e '${target}'", command => $command, cwd => $file_dirname, + require => $require ? { + undef => undef, + default => [ $require ] + }, loglevel => info; } } -- cgit v1.2.3 From f96d049c407110fb471199ee73c47db8b7cd474a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 May 2013 22:42:56 +0200 Subject: Install git before vcsrepo call (Feature #2510) --- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 77241df5..7758a69d 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -33,4 +33,7 @@ class site_config::default { # include basic shorewall config include site_shorewall::defaults + + Class['git'] -> Vcsrepo<||> + } -- cgit v1.2.3 From ddb899b650e63c5557370fb7a3b2c3bfd14b1ce7 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 May 2013 18:51:13 +0200 Subject: added couch.bigcouch.neighbors to provider_base/services/couchdb.json --- provider_base/services/couchdb.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 43a6c650..ba07733c 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -15,7 +15,8 @@ "bigcouch": { "epmd_port": 4369, "ednp_port": 9002, - "cookie": "= secret :bigcouch_cookie" + "cookie": "= secret :bigcouch_cookie", + "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')" }, "users": { "admin": { -- cgit v1.2.3 From 064195792e264a125b9bd75ff931552af054ecf9 Mon Sep 17 00:00:00 2001 
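Review bot: `Class['git'] -> Vcsrepo<||>` references a class that nothing in this hunk declares, so unless `include git` happens elsewhere in the catalog the compile fails on an unknown resource reference; declare it next to the chain, `include git` followed by `Class['git'] -> Vcsrepo<||>`, so the ordering does not depend on another manifest. Also be aware that a collector on one side of a chaining arrow realizes any virtual `@vcsrepo` resources in the catalog, which may be unexpected if any are declared virtually. The enclosing class site_config::default starts outside the hunk.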
From: varac Date: Thu, 23 May 2013 18:53:17 +0200 Subject: include site_couchdb::bigcouch::add_nodes in site_couchdb/manifests/init.pp --- puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 +++++ puppet/modules/site_couchdb/manifests/init.pp | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp new file mode 100644 index 00000000..241a4914 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp @@ -0,0 +1,5 @@ +class site_couchdb::bigcouch::add_nodes { + # loop through neighbors array and add nodes + $nodes = $::site_couchdb::bigcouch_config['neighbors'] + couchdb::bigcouch::add_node { $nodes: } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9f4824b4..802f3224 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -33,9 +33,12 @@ class site_couchdb { bigcouch_cookie => $bigcouch_cookie, ednp_port => $ednp_port } - include couchdb::bigcouch::package::cloudant - Service ['couchdb'] + class { 'couchdb::bigcouch::package::cloudant': } + + Class ['couchdb::bigcouch::package::cloudant'] + -> Service ['couchdb'] + -> Class ['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] @@ -47,6 +50,8 @@ class site_couchdb { ca => $ca } + class { 'site_couchdb::bigcouch::add_nodes': } + couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw, -- cgit v1.2.3 From fed63320dc026f8ea1e0f0de250c8008f6f71b7e Mon Sep 17 00:00:00 2001 
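Review bot: `couchdb::bigcouch::add_node { $nodes: }` in add_nodes.pp assumes `neighbors` is a non-empty array, but on a deployment with a single couchdb node `nodes_like_me[...].exclude(self)` yields nothing and a resource declared with an empty or undef title fails the compile. Guard it with stdlib, `unless empty($nodes) { couchdb::bigcouch::add_node { $nodes: } }`, and add a comment that the list comes from `couch.bigcouch.neighbors` in couchdb.json. Since every node added here shares the Erlang cookie and therefore full cluster trust, it is worth stating in the same comment that the epmd/ednp ports must only be reachable from those neighbors, which this hunk does not show.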
From: Micah Anderson Date: Thu, 23 May 2013 18:06:00 -0400 Subject: update couchdb submodule to get couchdb::bigcouch::add_node and couchdb::bigcouch::query --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7b6c9a29..20deb065 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 +Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 -- cgit v1.2.3 From e7b927d607e1e3bb02cfb8910d69df5254af5f35 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 26 May 2013 17:11:15 -0400 Subject: update apt submodule, necessary for wheezy release; update apache module to get bugfix Change-Id: I1f5f42bb3b62a5b86de38aed31fdb073626b10af --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..61a2f489 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 +Subproject commit 61a2f4894898baa98dbaaba7b69b7198864ca04a -- cgit v1.2.3 From a39f9981e7227b8e4668937a7bf0f658e1fbe8bd Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 27 May 2013 13:58:25 -0700 Subject: common.json - default all nodes to be 'enabled' --- provider_base/common.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/common.json b/provider_base/common.json index e89fce7e..d3ae84ff 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
@@ -30,5 +30,6 @@ "site_config": true }, "name": "common", - "location": null + "location": null, + "enabled": true } -- cgit v1.2.3 From c92d3ac0780e813a5440c5e475bfdba5de5a0447 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 30 May 2013 17:06:14 -0700 Subject: site_sshd -- added xterm title, optional support for mosh --- provider_base/common.json | 6 +++- puppet/modules/site_config/manifests/sshd.pp | 2 +- puppet/modules/site_sshd/files/xterm-title.sh | 8 +++++ puppet/modules/site_sshd/manifests/init.pp | 42 ++++++++++++++++++++++++++- 4 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_sshd/files/xterm-title.sh diff --git a/provider_base/common.json b/provider_base/common.json index d3ae84ff..ade409a6 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -16,7 +16,11 @@ "ssh": { "authorized_keys": "= file :authorized_keys", "known_hosts": "=> known_hosts_file", - "port": 22 + "port": 22, + "mosh": { + "ports": "60000:61000", + "enabled": false + } }, "hosts": "=> hosts_file", "x509": { diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 944dbce2..8ff337a0 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -2,7 +2,7 @@ class site_config::sshd { # configure sshd include sshd include site_sshd - # no need for configuring authorized_keys as leap_cli cares for that + # no need for configuring authorized_keys as leap_cli cares for that #$ssh_pubkeys=hiera_hash('ssh_pubkeys') #notice($ssh_pubkeys) #create_resources('site_sshd::ssh_key', $ssh_pubkeys) diff --git a/puppet/modules/site_sshd/files/xterm-title.sh b/puppet/modules/site_sshd/files/xterm-title.sh new file mode 100644 index 00000000..3cff0e3a --- /dev/null +++ b/puppet/modules/site_sshd/files/xterm-title.sh 
@@ -0,0 +1,8 @@ +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' + ;; +*) + ;; +esac diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 630e9bdf..c1c4d3b3 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1 +1,41 @@ -class site_sshd {} +class site_sshd { + $ssh = hiera_hash('ssh') + + ## + ## XTERM TITLE + ## + + file {'/etc/profile.d/xterm-title.sh': + source => "puppet://$server/modules/site_sshd/xterm-title.sh", + owner => root, group => 0, mode => 0644; + } + + ## + ## OPTIONAL MOSH SUPPORT + ## + + $mosh = $ssh['mosh'] + $mosh_ports = $mosh['ports'] + if $ssh['mosh']['enabled'] { + $mosh_ensure = present + } else { + $mosh_ensure = absent + } + + package { 'mosh': + ensure => $mosh_ensure; + } + file { '/etc/shorewall/macro.mosh': + ensure => $mosh_ensure, + content => "PARAM - - udp $mosh_ports", + notify => Service['shorewall'], + require => Package['shorewall']; + } + shorewall::rule { 'net2fw-mosh': + ensure => $mosh_ensure, + source => 'net', + destination => '$FW', + action => 'mosh(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From d74f2370b45136fa18144f25c761f7d4939790e2 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 2 Jun 2013 23:42:52 -0700 Subject: added platform.rb configuration file. --- platform.rb | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 platform.rb diff --git a/platform.rb b/platform.rb new file mode 100644 index 00000000..18b5e291 --- /dev/null +++ b/platform.rb 
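Review bot: The file source `"puppet://$server/modules/site_sshd/xterm-title.sh"` depends on a top-scope `$server` variable that is not a fact (the fact is `$::servername`, the setting is `$::settings::server`) and the rest of this tree uses host-less URLs such as `puppet:///modules/site_apt/keys`, so `source => 'puppet:///modules/site_sshd/xterm-title.sh'` is the safer, consistent form. Separately, `$mosh_ports` from hiera is written verbatim into `/etc/shorewall/macro.mosh` and opens that UDP range from `net` to `$FW` whenever mosh is enabled, so a malformed value silently produces a broken or overly broad firewall macro; validate it first with `validate_re($mosh_ports, '^\d+:\d+$')` from stdlib. Also quote the mode, `mode => '0644'`, to match the rest of the tree.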
@@ -0,0 +1,76 @@ +# +# These are variables defined by this leap_platform and used by leap_cli. +# + +Leap::Platform.define do + self.version = "1.0.0" + self.compatible_cli = "1.0".."1.99" + + # + # the facter facts that should be gathered + # + self.facts = ["ec2_local_ipv4"] + + # + # the named paths for this platform + # + self.paths = { + # directories + :hiera_dir => 'hiera', + :files_dir => 'files', + :nodes_dir => 'nodes', + :services_dir => 'services', + :tags_dir => 'tags', + :node_files_dir => 'files/nodes/#{arg}', + + # input config files + :common_config => 'common.json', + :provider_config => 'provider.json', + :secrets_config => 'secrets.json', + :node_config => 'nodes/#{arg}.json', + :service_config => 'services/#{arg}.json', + :tag_config => 'tags/#{arg}.json', + + # input templates + :provider_json_template => 'files/service-definitions/provider.json.erb', + :eip_service_json_template => 'files/service-definitions/#{arg}/eip-service.json.erb', + :soledad_service_json_template => 'files/service-definitions/#{arg}/soledad-service.json.erb', + :smtp_service_json_template => 'files/service-definitions/#{arg}/smtp-service.json.erb', + + # output files + :user_ssh => 'users/#{arg}/#{arg}_ssh.pub', + :user_pgp => 'users/#{arg}/#{arg}_pgp.pub', + :known_hosts => 'files/ssh/known_hosts', + :authorized_keys => 'files/ssh/authorized_keys', + :ca_key => 'files/ca/ca.key', + :ca_cert => 'files/ca/ca.crt', + :client_ca_key => 'files/ca/client_ca.key', + :client_ca_cert => 'files/ca/client_ca.crt', + :dh_params => 'files/ca/dh.pem', + :commercial_key => 'files/cert/#{arg}.key', + :commercial_csr => 'files/cert/#{arg}.csr', + :commercial_cert => 'files/cert/#{arg}.crt', + :commercial_ca_cert => 'files/cert/commercial_ca.crt', + :vagrantfile => 'test/Vagrantfile', + + # node output files + :hiera => 'hiera/#{arg}.yaml', + :node_ssh_pub_key => 'files/nodes/#{arg}/#{arg}_ssh.pub', + :node_x509_key => 'files/nodes/#{arg}/#{arg}.key', + :node_x509_cert => 
'files/nodes/#{arg}/#{arg}.crt', + + # testing files + :test_client_key => 'test/cert/client.key', + :test_client_cert => 'test/cert/client.crt', + :test_openvpn_config => 'test/openvpn/#{arg}.ovpn', + :test_client_openvpn_template => 'test/openvpn/client.ovpn.erb' + } + + # + # the files that need to get renamed when a node is renamed + # + self.node_files = [ + :node_config, :hiera, :node_x509_cert, :node_x509_key, :node_ssh_pub_key + ] +end + -- cgit v1.2.3 From 907c4fb87f2b1a6c9fdb02ba2bd6017d2019762b Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 4 Jun 2013 22:45:01 -0700 Subject: add support for client-side collection of facter facts. --- platform.rb | 5 +++-- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/files/service-definitions/v1/eip-service.json.erb | 2 +- provider_base/files/service-definitions/v1/smtp-service.json.erb | 2 +- provider_base/files/service-definitions/v1/soledad-service.json.erb | 2 +- 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/platform.rb b/platform.rb index 18b5e291..19563ae8 100644 --- a/platform.rb +++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "1.0.0" - self.compatible_cli = "1.0".."1.99" + self.version = "1.1.0" + self.compatible_cli = "1.1".."1.99" # # the facter facts that should be gathered @@ -38,6 +38,7 @@ Leap::Platform.define do :smtp_service_json_template => 'files/service-definitions/#{arg}/smtp-service.json.erb', # output files + :facts => 'facts.json', :user_ssh => 'users/#{arg}/#{arg}_ssh.pub', :user_pgp => 'users/#{arg}/#{arg}_pgp.pub', :known_hosts => 'files/ssh/known_hosts', diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 5552c423..8dbf7365 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb 
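Review bot: The path values such as `'files/nodes/#{arg}/#{arg}.crt'` are single-quoted, so `#{arg}` is not Ruby interpolation here; presumably leap_cli substitutes the placeholder at lookup time, but a maintainer could easily "fix" the quotes and get a NameError for `arg`. Add a comment above `self.paths = {` stating this, e.g. `# Values are templates: '#{arg}' is substituted by leap_cli when the path is resolved, so keep the single quotes.` The same comment is a good place to flag that `ca_key`, `client_ca_key`, `commercial_key` and `node_x509_key` name private key material, so any code that copies or lists "files" must treat those paths differently from the public certificates beside them.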
@@ -20,5 +20,5 @@ hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) - generate_json hsh + JSON.sorted_generate hsh %> \ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb index 9ee489de..feaea25b 100644 --- a/provider_base/files/service-definitions/v1/eip-service.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -44,5 +44,5 @@ "auth" => "SHA1", "cipher" => "AES-128-CBC" } - generate_json hsh + JSON.sorted_generate hsh %> \ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb index 68d4bbab..60129f5f 100644 --- a/provider_base/files/service-definitions/v1/smtp-service.json.erb +++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb @@ -25,5 +25,5 @@ end hsh["hosts"] = hosts hsh["locations"] = locations - generate_json hsh + JSON.sorted_generate hsh %> \ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/soledad-service.json.erb b/provider_base/files/service-definitions/v1/soledad-service.json.erb index 4d345930..0cd1c927 100644 --- a/provider_base/files/service-definitions/v1/soledad-service.json.erb +++ b/provider_base/files/service-definitions/v1/soledad-service.json.erb @@ -25,5 +25,5 @@ end hsh["hosts"] = hosts hsh["locations"] = locations - generate_json hsh + JSON.sorted_generate hsh %> \ No newline at end of file -- cgit v1.2.3 From 6bcc3f1ff91111c9138213463f8af79e57d83501 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 26 May 2013 16:08:08 -0400 Subject: Fixes #2669 - stop services array from being reported smashed together Change-Id: I74dfe1941eb338a89be994ac9e1b61739601d9db --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
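Review bot: `JSON.sorted_generate` is not part of Ruby's stdlib `json`; it has to be provided by the leap_cli that renders these templates, which is presumably why the same commit raises `compatible_cli` to 1.1 in platform.rb, but none of the four templates records that. Add an ERB comment at the top of each, e.g. `<%# JSON.sorted_generate is provided by leap_cli >= 1.1 (see platform.rb compatible_cli) %>`, so someone testing a template in plain Ruby understands the NoMethodError. Deterministic key ordering is a good change for the fingerprinted provider.json, since it makes published-file comparisons stable.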
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 22172584..9e3d0232 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -4,7 +4,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $custom_key_dir = 'puppet:///modules/site_apt/keys' # parse services for host -$services=hiera_array('services') +$services=join(hiera_array('services'), ' ') notice("Services for ${fqdn}: ${services}") # make sure apt is updated before any packages are installed -- cgit v1.2.3 From 14bd8cf734fec65d4f1e16bfe64710008bdac174 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 2 Jun 2013 17:44:35 -0400 Subject: lint hosts.pp Change-Id: If10470978ee31a398e0b88d8d98552c93d4706a2 --- puppet/modules/site_config/manifests/hosts.pp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 1e1590f5..83a1040d 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,11 +1,11 @@ class site_config::hosts() { - $hosts = hiera('hosts','') - $hostname = hiera('name') - $domain_hash = hiera('domain') + $hosts = hiera('hosts','') + $hostname = hiera('name') + $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] - file { "/etc/hostname": - ensure => present, + file { '/etc/hostname': + ensure => present, content => $hostname } @@ -16,6 +16,8 @@ class site_config::hosts() { file { '/etc/hosts': content => template('site_config/hosts'), - mode => '0644', owner => root, group => root; + mode => '0644', + owner => root, + group => root; } } -- cgit v1.2.3 From 400dde54f3950ad01d716b664d2ed1a236b8ca42 Mon Sep 17 00:00:00 2001 
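Review bot: `$services=join(hiera_array('services'), ' ')` turns the service list into a string, so the `'tor' in $services` checks further down site.pp become substring matches and a node running `monitor` now also passes the `tor` test (a later commit in this series switches to `\b` regexes for exactly this reason). Keep the array for the tests and join only for the log line: `$services = hiera_array('services')`, `$services_str = join($services, ' ')`, `notice("Services for ${fqdn}: ${services_str}")`. `join` comes from stdlib, which site.pp already includes, so no new dependency is introduced.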
From: Micah Anderson Date: Tue, 11 Jun 2013 15:00:36 -0400 Subject: add a class site_config::shell for shell-related configurations setup a /etc/profile.d configuration snippet to put /srv/leap/bin in the $PATH (#2122) Change-Id: I0afb5232375e6c6d9f692a97243023c710265d54 --- puppet/modules/site_config/manifests/default.pp | 2 ++ puppet/modules/site_config/manifests/shell.pp | 10 ++++++++++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_config/manifests/shell.pp diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 7758a69d..cfb46130 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -36,4 +36,6 @@ class site_config::default { Class['git'] -> Vcsrepo<||> + # include basic shell config + include site_config::shell } diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp new file mode 100644 index 00000000..b1a65389 --- /dev/null +++ b/puppet/modules/site_config/manifests/shell.pp @@ -0,0 +1,10 @@ +class site_config::shell { + + file { + '/etc/profile.d/leap_path.sh': + content => 'PATH=$PATH:/srv/leap/bin', + mode => '0644', + owner => root, + group => root; + } +} -- cgit v1.2.3 From 95d0c71fa4017a7908ccda0adae8057e2115cc42 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 11 Jun 2013 16:33:03 -0700 Subject: use hiera hashes for source data for /etc/hosts --- puppet/modules/site_config/templates/hosts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 00cc6a79..c2522367 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts 
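Review bot: `/etc/profile.d/leap_path.sh` appends `/srv/leap/bin` to the PATH of every login shell, including root's, but nothing in this hunk manages that directory's ownership or mode; if it is writable by a service account, any executable dropped there is picked up for command names not found earlier in PATH. Make the trust boundary explicit with `file { '/srv/leap/bin': ensure => directory, owner => root, group => root, mode => '0755' }` (or a `require` on wherever it is created). The content also lacks a trailing newline, which most shells tolerate but is worth fixing: `content => "PATH=\$PATH:/srv/leap/bin\n"`.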
@@ -1,10 +1,12 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= hostname %>.<%= @domain_public %> <%= hostname %> +127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> -<%- if hosts.to_s != '' then -%> -<%= hosts %> +<%- if @hosts then -%> +<% @hosts.each do |name, props| -%> +<%= props["ip_address"] %> <%= props["domain_full"] %>, <%= props["domain_internal"] %>, <%= name %> +<% end -%> <% end -%> # The following lines are desirable for IPv6 capable hosts -- cgit v1.2.3 From 722ff7da46de4e656b3a110a65b9ccaa57f82898 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 11 Jun 2013 23:22:57 -0700 Subject: /etc/hosts must not have commas!! --- puppet/modules/site_config/templates/hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c2522367..2c784b05 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -5,7 +5,7 @@ <%- if @hosts then -%> <% @hosts.each do |name, props| -%> -<%= props["ip_address"] %> <%= props["domain_full"] %>, <%= props["domain_internal"] %>, <%= name %> +<%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> <% end -%> <% end -%> -- cgit v1.2.3 From d10240be7ac7116e86cee32f5b8d5b90768e7094 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 12 Jun 2013 14:01:24 -0400 Subject: webapp should be available over http so a proper redirect can be done to https without this rule, one just gets a 'site is unavailable' result Change-Id: I27b80a0044e9fe4e87e607412c8d0a089d4866a6 --- puppet/modules/site_shorewall/manifests/webapp.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index d12bbc8f..a8d2aa5b 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp 
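Review bot: `<%- if @hosts then -%>` followed by `@hosts.each do |name, props|` assumes a Hash, but hosts.pp defaults the variable with `hiera('hosts','')`, and an empty string is truthy in Ruby and has no `each`, so a node with no hosts entry fails the template with NoMethodError. Guard on the type, `<%- if @hosts.is_a?(Hash) && !@hosts.empty? -%>`, or change the manifest default to `{}`. The per-host values are interpolated unescaped into /etc/hosts, so the manifest side must keep guaranteeing that `ip_address`, `domain_full` and `domain_internal` are present single tokens; a missing key yields a blank field that shifts the name columns.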
+++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -2,5 +2,6 @@ class site_shorewall::webapp { include site_shorewall::defaults include site_shorewall::service::https + include site_shorewall::service::http include site_shorewall::service::webapp_api } -- cgit v1.2.3 From 8c038fea91adc87adf9e408c16e2f0ec9838e3d2 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 12 Jun 2013 11:34:43 -0700 Subject: temp hack: deploy the webapp as couch user 'admin' --- provider_base/services/webapp.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 3dd9bebe..ad32bb61 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -2,7 +2,8 @@ "webapp": { "modules": ["user", "billing", "help"], "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", - "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", +// "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", + "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:admin]", "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", -- cgit v1.2.3 From 086439b2676a763d4414ea3f2ef80fb0daaba088 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 12 Jun 2013 14:45:31 -0400 Subject: update apache submodule to get ssl no_default_site fix. I previously accidentally reverted this change Change-Id: Iebc041cf6fb54b79d75eeabd27410ad953b8e340 --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 
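Review bot: Opening HTTP from `net` via `site_shorewall::service::http` is fine for an HTTPS redirect, but the firewall rule cannot ensure that port 80 only redirects; that depends on the apache vhost, which this hunk does not show. Add a comment tying the two together, e.g. `# port 80 is open only so the webapp vhost can redirect to https; nothing else may be served on it`, so a later vhost change does not quietly expose the application over plaintext.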
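Review bot: Switching `couchdb_webapp_user` to the couch `admin` user gives the web application full database-administrator rights, so a compromise of the webapp becomes a compromise of every database in the cluster, including user records and tokens; the "temp hack" from the subject is not carried into the file. At minimum record the intent and revert condition next to the line, e.g. `// TEMP: webapp runs as couch admin until the webapp user's per-db permissions are fixed; revert to users[:webapp]`, ideally with a ticket number. Note also that `//` comments are not valid JSON, so this only works if leap_cli's parser strips them; confirm that before relying on it, since a strict parser would reject the whole file.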
From 03cb737490a12813b63801bbf9198e7e4a91a37b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 13 Jun 2013 16:54:56 -0400 Subject: install the leap-keyring package, after the leap apt source has been added and apt has been refreshed Change-Id: I485420c4ea50f8c3f6699b9b8073dc6c67b7a353 --- puppet/modules/site_apt/manifests/leap_repo.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 9d967841..6b3d9919 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,4 +4,11 @@ class site_apt::leap_repo { before => Exec[refresh_apt] } + package { 'leap-keyring': + ensure => latest + } + + # We wont be able to install the leap-keyring package unless the leap apt + # source has been added and apt has been refreshed + Exec['refresh_apt'] -> Package['leap-keyring'] } -- cgit v1.2.3 From 8ee0d3af919b169e1cb096a777beff68dbeb61d3 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Jun 2013 20:47:46 +0200 Subject: automatic update of submodule stunnel --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 75d387fc..1a12adc9 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 +Subproject commit 1a12adc97d70224a0e750c6ab8a41073ced72d2b -- cgit v1.2.3 From 1f0aebf8a2edbf576b4d94c4f210b132b7b6084e Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 18 Jun 2013 16:02:03 -0400 Subject: The way we were testing if $services had a particular word in it is not very good. If we search for the word 'tor' we will find it when the variable contains "monitor". This commit makes the regular expression more specific based on the word boundaries. Change-Id: I4dcd80db7322cabc3f71b77fabf7eacd83b4d572 --- puppet/manifests/site.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9e3d0232..f0319bc2 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -19,23 +19,23 @@ include site_config::slow # configure eip -if 'openvpn' in $services { +if $services =~ /\bopenvpn\b/ { include site_openvpn } -if 'couchdb' in $services { +if $services =~ /\bcouchdb\b/ { include site_couchdb } -if 'webapp' in $services { +if $services =~ /\bwebapp\b/ { include site_webapp include site_nickserver } -if 'monitor' in $services { +if $services =~ /\bmonitor\b/ { include site_nagios } -if 'tor' in $services { +if $services =~ /\btor\b/ { include site_tor } -- cgit v1.2.3 From e66040d2180546541bd075ebc40548f3c8de87f4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 18 Jun 2013 16:02:03 -0400 Subject: The way we were testing if $services had a particular word in it is not very good. If we search for the word 'tor' we will find it when the variable contains "monitor". This commit makes the regular expression more specific based on the word boundaries. Change-Id: I4dcd80db7322cabc3f71b77fabf7eacd83b4d572 --- puppet/manifests/site.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9e3d0232..f0319bc2 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
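Review bot: The `\b` anchors only stop the `monitor`/`tor` overlap for plain word characters; `\b` also matches at `-`, `_` or `.`, so a future service such as `tor-relay` or `webapp.api` would still satisfy `/\btor\b/` or `/\bwebapp\b/`. Since the list is space-joined, anchor on whitespace instead, e.g. `if $services =~ /(^|\s)tor(\s|$)/`, or better keep `hiera_array('services')` as an array and use `'tor' in $services`, joining only for the notice line.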
@@ -19,23 +19,23 @@ include site_config::slow # configure eip -if 'openvpn' in $services { +if $services =~ /\bopenvpn\b/ { include site_openvpn } -if 'couchdb' in $services { +if $services =~ /\bcouchdb\b/ { include site_couchdb } -if 'webapp' in $services { +if $services =~ /\bwebapp\b/ { include site_webapp include site_nickserver } -if 'monitor' in $services { +if $services =~ /\bmonitor\b/ { include site_nagios } -if 'tor' in $services { +if $services =~ /\btor\b/ { include site_tor } -- cgit v1.2.3 From d9614163ed327fc17d27ac623dfd639ce00a43ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 19 Jun 2013 13:41:23 -0400 Subject: disable dhclient from modifying the /etc/resolv.conf file on openstack/amazon instances The dhclient in these environments is quite aggressive and overwrites the nameservers we've deliberately chosen to use with google's nameservers. This commit attempts to fix that. The dhclient methodology for altering these things is particularly unpleasant. We effectively redefine the functions that mess with this file to be noops in the /etc/dhcp/dhclient-enter-hooks.d directory and then we are forced to restart dhclient by shipping a script that tries to determine the correct PID and arguments that it was running as before killing and restarting it with the same arguments. See debian bugs #681698, #712796 for further discussion about how to make this less difficult Change-Id: I51cf40cf98eaddcefd8180e157b6e3ca824173f0 --- puppet/modules/site_config/manifests/default.pp | 6 ++++- puppet/modules/site_config/manifests/dhclient.pp | 30 ++++++++++++++++++++++ .../site_config/templates/reload_dhclient.erb | 13 ++++++++++ 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/dhclient.pp create mode 100644 puppet/modules/site_config/templates/reload_dhclient.erb 
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index cfb46130..5518ea56 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,10 +12,14 @@ class site_config::default { # configure apt include site_apt - # configure ssh and include ssh-keys include site_config::sshd + # fix dhclient from changing resolver information + if $::ec2_instance_id { + include site_config::dhclient + } + # configure /etc/resolv.conf include site_config::resolvconf diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp new file mode 100644 index 00000000..7ac0caf3 --- /dev/null +++ b/puppet/modules/site_config/manifests/dhclient.pp @@ -0,0 +1,30 @@ +class site_config::dhclient { + + # Unfortunately, there does not seem to be a way to reload the dhclient.conf + # config file, or a convenient way to disable the modifications to + # /etc/resolv.conf. So the following makes the functions involved noops and + # ships a script to kill and restart dhclient. See the debian bugs: + # #681698, #712796 + + include site_config::params + + file { '/usr/local/sbin/reload_dhclient': + owner => 0, + group => 0, + mode => '0755', + content => template('site_config/reload_dhclient.erb'); + } + + exec { 'reload_dhclient': + refreshonly => true, + command => '/usr/local/sbin/reload_dhclient'; + } + + file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf': + content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }', + mode => '0644', + owner => 'root', + group => 'root', + notify => Exec['reload_dhclient']; + } +} diff --git a/puppet/modules/site_config/templates/reload_dhclient.erb b/puppet/modules/site_config/templates/reload_dhclient.erb new file mode 100644 index 00000000..882c985a --- /dev/null +++ b/puppet/modules/site_config/templates/reload_dhclient.erb 
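Review bot: The hook file `disable_resolvconf` also turns `set_hostname()` into a no-op, so DHCP-supplied hostnames are dropped as well, but the class comment only mentions /etc/resolv.conf; add a line such as `# set_hostname is also a no-op so DHCP cannot override the hostname managed by site_config::hosts` if that is the intent, which should be confirmed. The hooks file has no `require` on the package that provides `/etc/dhcp`, so on an image where isc-dhcp-client is absent the `file` resource fails on a missing parent directory; `require => Package['isc-dhcp-client']` if that package is managed here. The `$::ec2_instance_id` gate in default.pp presumably covers both EC2 and OpenStack's EC2-compatible metadata, as the commit message says; a comment naming that assumption would help the next reader.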
@@ -0,0 +1,13 @@ +#!/bin/sh + +# Get the PID +PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid + +# Capture how dhclient is currently running so we can relaunch it +dhclient=`/bin/ps --no-headers --pid $(cat $PIDFILE) -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ", $i) }'` + +# Kill the current dhclient +/usr/bin/pkill -F $PIDFILE + +# Restart dhclient with the arguments it had previously +$dhclient -- cgit v1.2.3 From e085e66f0f1c045b0282f738f4501e7a1d2fd301 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Jun 2013 12:03:34 -0400 Subject: We need to have a newer facter installed in order to get an updated fact for piston cloud This moves the apt configuration into the setup.pp run, so we can get the backport source added early which will enable us to install the latest facter from the backports repository. Change-Id: I8ccf1a0445dea72f1b94be08484f33e648439ec1 --- puppet/manifests/setup.pp | 11 ++++++++++- puppet/modules/site_apt/manifests/init.pp | 5 +++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index b45c8b4c..6adb1948 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -1,4 +1,13 @@ # # this is applied before each run of site.pp # -include site_config::hosts \ No newline at end of file +$services = '' +include site_config::hosts + +include site_apt + +package { 'facter': + ensure => latest, + require => Exec['refresh_apt'] +} + diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c5f37014..c33b7a84 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -23,4 +23,9 @@ class site_apt { content => template('site_apt/secondary.list'); } + apt::preferences_snippet { 'facter': + release => "${::lsbdistcodename}-backports", + priority => 999 + } + } -- cgit v1.2.3 
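Review bot: The line `PIDFILE='/var/run/dhclient.<%= ... %>.pid` is missing its closing single quote, so the rendered script is a shell syntax error and `Exec['reload_dhclient']` fails every time the hook file changes. The relaunch is also trusting: if the pidfile is stale and the PID was reused, `ps --pid` captures some other root process's argv, `pkill -F` kills it, and the script then re-executes that command line as root; check that the PID really is dhclient before acting, quote `"$PIDFILE"`, and fail fast so the old client is not left running beside the new one.
```sh
#!/bin/sh
set -e

# Get the PID
PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid'

# Refuse to act unless the recorded PID is a running dhclient
pgrep -F "$PIDFILE" dhclient >/dev/null || exit 1

# Capture how dhclient is currently running so we can relaunch it
dhclient=`/bin/ps --no-headers --pid $(cat "$PIDFILE") -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ", $i) }'`

# Kill the current dhclient
/usr/bin/pkill -F "$PIDFILE"

# … unchanged: relaunch with the captured arguments …
```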
From 303d557830e2fa245331fa97b95351ddacd70b61 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Jun 2013 15:58:24 -0400 Subject: update apt submodule to fix dynamic lookup of $custom_preferences Change-Id: I2c8588d8e4623d5b3c910ba5a9e68441b02ba886 --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 61a2f489..88bfe5fb 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 61a2f4894898baa98dbaaba7b69b7198864ca04a +Subproject commit 88bfe5fbab79b23a3f1d19c6283bdb2efd28598e -- cgit v1.2.3 From f2f4b3cfc2ad70e649da42ef82cca7c2e1d73096 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Jun 2013 00:02:19 +0200 Subject: Install all packages after refresh_apt (Feature #2971) --- puppet/modules/site_apt/manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c33b7a84..0da7f3be 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -28,4 +28,12 @@ class site_apt { priority => 999 } + # All packages should be installed _after_ refresh_apt is called, + # which does an apt-get update. + # There is one exception: + # The creation of sources.list depends on the lsb package + + File['/etc/apt/preferences'] -> + Exec['refresh_apt'] + Package <| ( title != 'lsb' ) |> } -- cgit v1.2.3 From e61c7dfe1aa0ba4b5fc5fef2fd64d9fb2f1d2784 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Jun 2013 17:38:13 +0200 Subject: updated apt submodule, remove unnecessary before dependency on the /etc/apt/preferences file in unattended_upgrades.pp --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/apt b/puppet/modules/apt index 61a2f489..f11e3d47 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt 
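Review bot: `Exec['refresh_apt'] -> Package <| ( title != 'lsb' ) |>` puts a collector on the right-hand side of a chaining arrow, and a collector also realizes every virtual `@package` in the catalog, so anything another module declared virtually and never intended to install will now be installed. If that is acceptable it deserves a comment; otherwise narrow the collector with a tag or a more specific search expression. The `lsb` exception is the only one, so any other package needed before sources.list exists (e.g. one providing `apt-transport-https`) will create a dependency cycle with this chain; note that rule in the comment for whoever adds the next exception. The enclosing class site_apt starts outside the hunk.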
@@ -1 +1 @@ -Subproject commit 61a2f4894898baa98dbaaba7b69b7198864ca04a +Subproject commit f11e3d475345059220402a44a97da491c85d2b5a -- cgit v1.2.3 From 8579e89110c3df333ec3bb63154bba2c57a848a9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Jun 2013 18:12:46 +0200 Subject: include global variable for apt config, include Exec[] defaults --- puppet/manifests/setup.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 6adb1948..112782d8 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -2,6 +2,10 @@ # this is applied before each run of site.pp # $services = '' + +Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +$custom_key_dir = 'puppet:///modules/site_apt/keys' + include site_config::hosts include site_apt -- cgit v1.2.3 From ad48e4616e438c94122b144009f54651408387aa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 25 Jun 2013 12:23:19 -0400 Subject: fix preferences description for Debian squeeze Change-Id: I30ca424bd9b89b3e95532e325828982e8e513fc7 --- puppet/modules/site_apt/templates/preferences.include_squeeze | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_apt/templates/preferences.include_squeeze b/puppet/modules/site_apt/templates/preferences.include_squeeze index d10c2864..d6d36b60 100644 --- a/puppet/modules/site_apt/templates/preferences.include_squeeze +++ b/puppet/modules/site_apt/templates/preferences.include_squeeze @@ -13,7 +13,7 @@ Package: * Pin: release o=Debian,n=sid Pin-Priority: 1 -Explanation: De +Explanation: Debian squeeze Package: * Pin: release o=Debian,n=squeeze Pin-Priority: 980 -- cgit v1.2.3 From 89ad90073b5289da62eed74c8794e2911672081f Mon Sep 17 00:00:00 2001 
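Review bot: The `Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }` default added to setup.pp duplicates the one in site.pp (the same string is visible as context in that file later in this series), and two copies will silently diverge; the trailing slash on `/usr/sbin/` is harmless but is exactly the kind of inconsistency that creeps in. A comment `# keep in sync with site.pp` is the minimum; a single shared manifest both files import would be better. `$custom_key_dir` as a top-scope variable depends on dynamic scope lookup inside the apt module, which a later commit in this series replaces with a class parameter, the preferable shape.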
From: Micah Anderson Date: Tue, 25 Jun 2013 15:51:37 -0400 Subject: fix for #2986 - the services variable is no longer an array Change-Id: Ia6fc60c0c1fdfa50e1d6d981699c1d8010df63fc --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3055a7bb..4b051699 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -36,7 +36,7 @@ PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp - <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> + <% if (defined? @services) and (@services.include? 'monitor') -%> PassengerEnabled off AllowOverride all -- cgit v1.2.3 From 157fb1237d66c4eae83fa2c685745da9e20bca72 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 25 Jun 2013 17:32:56 -0700 Subject: add hash for authorized_keys to common.json --- platform.rb | 4 ++-- provider_base/common.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/platform.rb b/platform.rb index 19563ae8..9f63b4ca 100644 --- a/platform.rb +++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "1.1.0" - self.compatible_cli = "1.1".."1.99" + self.version = "1.1.2" + self.compatible_cli = "1.1.2".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/common.json b/provider_base/common.json index ade409a6..2313bd8b 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -14,7 +14,7 @@ "public": "= service_type != 'internal_service'" }, "ssh": { - "authorized_keys": "= file :authorized_keys", + "authorized_keys": "= authorized_keys", "known_hosts": "=> known_hosts_file", "port": 22, "mosh": { -- cgit v1.2.3 
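Review bot: With `services` now a space-joined string, `@services.include? 'monitor'` is a substring test rather than a membership test, so any service whose name merely contains `monitor` would also switch Passenger off for this vhost. Splitting on whitespace first restores whole-name matching: `<% if (defined? @services) and (@services.split.include? 'monitor') -%>`. If both the old Array form and the new String form can still reach this template, `Array(@services).flat_map(&:split).include?('monitor')` handles either.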
From 4b5b54d031344aa7a7b86254c820e391a4d4d762 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 25 Jun 2013 17:05:11 -0400 Subject: update the apt submodule in order to get the fix for unattended_upgrades (#2984) and the custom_key_dir as a class parameter remove the global variable from setup.pp and site.pp and instead pass it into the apt class declaration as a parameter Change-Id: I24806f2fd22b5a066b951c5f76f3dd748481b5b6 --- puppet/manifests/setup.pp | 1 - puppet/manifests/site.pp | 2 -- puppet/modules/apt | 2 +- puppet/modules/site_apt/manifests/init.pp | 5 ++++- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 112782d8..80e7ffc2 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -4,7 +4,6 @@ $services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -$custom_key_dir = 'puppet:///modules/site_apt/keys' include site_config::hosts diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f0319bc2..08cbbb9e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,8 +1,6 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -$custom_key_dir = 'puppet:///modules/site_apt/keys' - # parse services for host $services=join(hiera_array('services'), ' ') notice("Services for ${fqdn}: ${services}") diff --git a/puppet/modules/apt b/puppet/modules/apt index f11e3d47..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit f11e3d475345059220402a44a97da491c85d2b5a +Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 0da7f3be..8821c110 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
@@ -8,7 +8,10 @@ class site_apt { } else { $custom_preferences = '' } - class {'apt': custom_preferences => $custom_preferences } + class { 'apt': + custom_preferences => $custom_preferences, + custom_key_dir => 'puppet:///modules/site_apt/keys' + } # enable http://deb.leap.se debian package repository include site_apt::leap_repo -- cgit v1.2.3 From e6bd481933bd4104fb7839703c88de971559d3db Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Jun 2013 10:52:54 +0200 Subject: added site_sshd::authorized_keys --- puppet/modules/site_sshd/manifests/authorized_keys.pp | 6 ++++++ puppet/modules/site_sshd/manifests/authorized_keys/key.pp | 8 ++++++++ puppet/modules/site_sshd/manifests/init.pp | 3 +++ puppet/modules/site_sshd/manifests/ssh_key.pp | 3 --- 4 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_sshd/manifests/authorized_keys.pp create mode 100644 puppet/modules/site_sshd/manifests/authorized_keys/key.pp delete mode 100644 puppet/modules/site_sshd/manifests/ssh_key.pp diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp new file mode 100644 index 00000000..edd6e3c4 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -0,0 +1,6 @@ +class site_sshd::authorized_keys { + tag 'leap_authorized_keys' + + create_resources(site_sshd::authorized_keys::key, $site_sshd::ssh_authorized_keys) + +} diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp new file mode 100644 index 00000000..56271cdc --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp @@ -0,0 +1,8 @@ +define site_sshd::authorized_keys::key ($key, $type) { + ssh_authorized_key { + $name: + type => $type, + user => 'root', + key => $key + } +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index c1c4d3b3..714c0c5a 100644 
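Review bot: `user => 'root'` is hard-coded inside `site_sshd::authorized_keys::key`, so every entry of the `ssh.authorized_keys` hash lands in root's authorized_keys and the define cannot be reused for any other account; a `$user = 'root'` parameter keeps today's behaviour while removing the hard-coding. Nothing in this commit removes keys that disappear from hiera: `ssh_authorized_key` manages only the entries it is given, so a revoked sysadmin key stays authorized on every host until something purges it (the template-based rewrite later in this series addresses that). The define has no header comment; suggested: `# one authorized_keys entry for root; $name is the key comment, $type the key type, $key the base64 material`.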
--- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,8 @@ class site_sshd { $ssh = hiera_hash('ssh') + $ssh_authorized_keys = $ssh['authorized_keys'] + + include site_sshd::authorized_keys ## ## XTERM TITLE diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp deleted file mode 100644 index b47b2ebd..00000000 --- a/puppet/modules/site_sshd/manifests/ssh_key.pp +++ /dev/null @@ -1,3 +0,0 @@ -define site_sshd::ssh_key($key) { - # ... todo: deploy ssh_key -} -- cgit v1.2.3 From 3b6f11a60778d5cb3ae265980e4e4870bf065de2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 28 Jun 2013 12:11:32 -0400 Subject: modularize and standardize site_sshd: . move the setting of the xterm title to site_config::shell . change the xterm file resource to use standard source lines, switch to single quotes, quote mode, and line up parameters . move the mosh pieces into a site_ssh::mosh class and only include it if the right mosh variable is enabled, passing into the class the necessary hiera parameters . lint the site_ssh::mosh resources . change the authorized_keys class to accept the key parameter which is passed in from the main ssh class (but allow for out of scope variable lookup when the tag is passed) Change-Id: Ieec5a3932de9bad1b98633032b28f88e91e46604 --- puppet/modules/site_config/files/xterm-title.sh | 8 +++++ puppet/modules/site_config/manifests/shell.pp | 12 +++++++ puppet/modules/site_sshd/files/xterm-title.sh | 8 ----- .../modules/site_sshd/manifests/authorized_keys.pp | 4 +-- puppet/modules/site_sshd/manifests/init.pp | 41 ++++++++-------------- puppet/modules/site_sshd/manifests/mosh.pp | 21 +++++++++++ 6 files changed, 57 insertions(+), 37 deletions(-) create mode 100644 puppet/modules/site_config/files/xterm-title.sh delete mode 100644 puppet/modules/site_sshd/files/xterm-title.sh create mode 100644 puppet/modules/site_sshd/manifests/mosh.pp 
diff --git a/puppet/modules/site_config/files/xterm-title.sh b/puppet/modules/site_config/files/xterm-title.sh new file mode 100644 index 00000000..3cff0e3a --- /dev/null +++ b/puppet/modules/site_config/files/xterm-title.sh @@ -0,0 +1,8 @@ +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' + ;; +*) + ;; +esac diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp index b1a65389..5b8c025d 100644 --- a/puppet/modules/site_config/manifests/shell.pp +++ b/puppet/modules/site_config/manifests/shell.pp @@ -7,4 +7,16 @@ class site_config::shell { owner => root, group => root; } + + ## + ## XTERM TITLE + ## + + file { '/etc/profile.d/xterm-title.sh': + source => 'puppet:///modules/site_config/xterm-title.sh', + owner => root, + group => 0, + mode => '0644'; + } + } diff --git a/puppet/modules/site_sshd/files/xterm-title.sh b/puppet/modules/site_sshd/files/xterm-title.sh deleted file mode 100644 index 3cff0e3a..00000000 --- a/puppet/modules/site_sshd/files/xterm-title.sh +++ /dev/null @@ -1,8 +0,0 @@ -# If this is an xterm set the title to user@host:dir -case "$TERM" in -xterm*|rxvt*) - PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' - ;; -*) - ;; -esac diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index edd6e3c4..8e0c15ac 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,6 +1,6 @@ -class site_sshd::authorized_keys { +class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) { tag 'leap_authorized_keys' - create_resources(site_sshd::authorized_keys::key, $site_sshd::ssh_authorized_keys) + create_resources(site_sshd::authorized_keys::key, $keys) } 
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 714c0c5a..905d5c9b 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,16 +1,14 @@ class site_sshd { $ssh = hiera_hash('ssh') - $ssh_authorized_keys = $ssh['authorized_keys'] - - include site_sshd::authorized_keys ## - ## XTERM TITLE + ## SETUP AUTHORIZED KEYS ## - file {'/etc/profile.d/xterm-title.sh': - source => "puppet://$server/modules/site_sshd/xterm-title.sh", - owner => root, group => 0, mode => 0644; + $authorized_keys = $ssh['authorized_keys'] + + class { 'site_sshd::authorized_keys': + keys => $authorized_keys } ## @@ -18,27 +16,16 @@ class site_sshd { ## $mosh = $ssh['mosh'] - $mosh_ports = $mosh['ports'] - if $ssh['mosh']['enabled'] { - $mosh_ensure = present - } else { - $mosh_ensure = absent - } - package { 'mosh': - ensure => $mosh_ensure; - } - file { '/etc/shorewall/macro.mosh': - ensure => $mosh_ensure, - content => "PARAM - - udp $mosh_ports", - notify => Service['shorewall'], - require => Package['shorewall']; + if $mosh['enabled'] { + class { 'site_sshd::mosh': + ensure => present, + ports => $mosh['ports'] + } } - shorewall::rule { 'net2fw-mosh': - ensure => $mosh_ensure, - source => 'net', - destination => '$FW', - action => 'mosh(ACCEPT)', - order => 200; + else { + class { 'site_sshd::mosh': + ensure => absent + } } } diff --git a/puppet/modules/site_sshd/manifests/mosh.pp b/puppet/modules/site_sshd/manifests/mosh.pp new file mode 100644 index 00000000..49f56ca0 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/mosh.pp 
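Review bot: `if $mosh['enabled']` in the second hunk tests the raw hiera value, and in the Puppet versions of this era a non-empty string such as `"false"` is truthy, so a provider whose config yields the string rather than a boolean would get mosh installed and a UDP range opened to `net`. If the value's type is not guaranteed, `if str2bool("${mosh['enabled']}")` (puppetlabs-stdlib) is the safe test. The class header also gained no description during the refactor; one line such as `# sshd, root authorized_keys and optional mosh, all driven by the 'ssh' hiera hash` would orient a reader. Both hunks are excerpts of `class site_sshd`, whose remainder is outside the hunk.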
@@ -0,0 +1,21 @@
+class site_sshd::mosh ( $ensure = present, $ports = '60000-61000' ) {
+
+ package { 'mosh':
+ ensure => $ensure
+ }
+
+ file { '/etc/shorewall/macro.mosh':
+ ensure => $ensure,
+ content => "PARAM - - udp ${ports}",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-mosh':
+ ensure => $ensure,
+ source => 'net',
+ destination => '$FW',
+ action => 'mosh(ACCEPT)',
+ order => 200;
+ }
+}
-- cgit v1.2.3 From 6c34c73f7e4c5203321547b699c6eaba9de8e2fe Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Jun 2013 10:52:54 +0200 Subject: switch to own define for managing ssh keys The problem with puppet's built-in ssh_authorized_key is that you can purge unmanaged keys in a authorized_keys file. see https://leap.se/code/issues/3010 for details. Conflicts: puppet/modules/site_sshd/manifests/authorized_keys.pp Change-Id: I640bf7ebc0f0f7fb19cc46feb4cb2702d6561a9b --- .../modules/site_sshd/manifests/authorized_keys.pp | 23 +++++++++++++++++----- .../site_sshd/manifests/authorized_keys/key.pp | 8 -------- .../site_sshd/manifests/deploy_authorized_keys.pp | 9 +++++++++ puppet/modules/site_sshd/manifests/init.pp | 2 +- .../site_sshd/templates/authorized_keys.erb | 6 ++++++ 5 files changed, 34 insertions(+), 14 deletions(-) delete mode 100644 puppet/modules/site_sshd/manifests/authorized_keys/key.pp create mode 100644 puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp create mode 100644 puppet/modules/site_sshd/templates/authorized_keys.erb
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index 8e0c15ac..c18f691c 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
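Review bot: `$ports` is interpolated straight into `/etc/shorewall/macro.mosh` and the accompanying rule accepts that macro from `net`, so a malformed or over-broad hiera value reaches the firewall without any check. Since the value is expected to be a single UDP port or range, validating it before use, e.g. `validate_re($ports, '^\d+(-\d+)?$')` if puppetlabs-stdlib is available, turns a bad value into a compile error instead of a firewall rule. The class also lacks a header comment; suggested: `# mosh server and the matching shorewall macro/rule; $ports is the udp range (default 60000-61000) accepted from net, absent removes all three`.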
@@ -1,6 +1,19 @@
-class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) {
- tag 'leap_authorized_keys'
-
- create_resources(site_sshd::authorized_keys::key, $keys)
-
+define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
+ # This line allows default homedir based on $title variable.
+ # If $home is empty, the default is used.
+ $homedir = $home ? {'' => "/home/${title}", default => $home}
+ file {
+ "${homedir}/.ssh":
+ ensure => 'directory',
+ owner => $title,
+ group => $title,
+ mode => '0700';
+ "${homedir}/.ssh/authorized_keys":
+ ensure => $ensure,
+ owner => $ensure ? {'present' => $title, default => undef },
+ group => $ensure ? {'present' => $title, default => undef },
+ mode => '0600',
+ require => File["${homedir}/.ssh"],
+ content => template('site_sshd/authorized_keys.erb');
+ }
 }
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp
deleted file mode 100644
index 56271cdc..00000000
--- a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-define site_sshd::authorized_keys::key ($key, $type) {
- ssh_authorized_key {
- $name:
- type => $type,
- user => 'root',
- key => $key
- }
-}
diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp
new file mode 100644
index 00000000..97ca058f
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp
@@ -0,0 +1,9 @@
+class site_sshd::deploy_authorized_keys ( $keys ) {
+ tag 'leap_authorized_keys'
+
+ site_sshd::authorized_keys {'root':
+ keys => $keys,
+ home => '/root'
+ }
+
+}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 905d5c9b..90dd2d0e 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
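Review bot: The `"${homedir}/.ssh"` resource is always `ensure => 'directory'` with `owner`/`group` set to `$title`, independent of `$ensure`, so `ensure => 'absent'` deletes the authorized_keys file but leaves a `.ssh` directory owned by `$title` behind, and the directory resource fails outright when `$title` is not also the name of a group. Mirroring the conditional ownership already used on the authorized_keys resource onto the directory, or at least stating the assumption in a header comment such as `# $title must name both a user and a group; $home defaults to /home/$title`, would make the contract explicit. The `require => File["${homedir}/.ssh"]` is redundant with Puppet's autorequire of parent directories, which is fine but worth a word if it is deliberate.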
@@ -7,7 +7,7 @@ class site_sshd { $authorized_keys = $ssh['authorized_keys'] - class { 'site_sshd::authorized_keys': + class { 'site_sshd::deploy_authorized_keys': keys => $authorized_keys } diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb new file mode 100644 index 00000000..3c65e8ab --- /dev/null +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -0,0 +1,6 @@ +# NOTICE: This file is autogenerated by Puppet +# all manually added keys will be overridden + +<% keys.sort.each do |user, hash| -%> +<%=hash['type']-%> <%=hash['key']%> <%=user%> +<% end -%> -- cgit v1.2.3 From 1d91ef608855059dbb7938dbd59adf2f70220139 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 30 Jun 2013 19:35:32 -0400 Subject: Fix 'Failed to call refresh: /usr/local/sbin/reload_dhclient returned 2 instead of one of [0]' by putting in the missing closing single quote. Change-Id: I86feb5d06dd25e28ea67da0b5627e7be4174e01e --- puppet/modules/site_config/templates/reload_dhclient.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_config/templates/reload_dhclient.erb b/puppet/modules/site_config/templates/reload_dhclient.erb index 882c985a..075828b7 100644 --- a/puppet/modules/site_config/templates/reload_dhclient.erb +++ b/puppet/modules/site_config/templates/reload_dhclient.erb @@ -1,7 +1,7 @@ #!/bin/sh # Get the PID -PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid +PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid' # Capture how dhclient is currently running so we can relaunch it dhclient=`/bin/ps --no-headers --pid $(cat $PIDFILE) -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ", $i) }'` -- cgit v1.2.3 From 9a522267068a1bcede55ba388d526ddc263d155f Mon Sep 17 00:00:00 2001 
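Review bot: The template emits `hash['type']`, `hash['key']` and the user name verbatim, one entry per line, so a hiera value containing a newline or other whitespace yields extra or malformed lines in root's authorized_keys without any error from Puppet. Because this file governs root login, the material should be checked before it is written, e.g. `<% raise "invalid authorized key for #{user}" if hash['key'] =~ /\s/ || hash['type'] =~ /\s/ -%>` inside the loop ahead of the output line, which fails the catalog instead of writing a bad file. Iterating `keys.sort` is good: it makes the generated content deterministic regardless of hash order, so the file resource does not churn between runs.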
From: Micah Anderson Date: Fri, 28 Jun 2013 11:28:13 -0400 Subject: restart stunnels if /etc/hosts is changed (#3031) Due to the fact that /etc/hosts is modified in the early stage setup.pp run and the stunnel service is not deployed on an initial puppet run, we cannot simply override the Service['stunnel'] but instead need to trigger a restart through an exec calling the init script that first tests to see if it is present. Change-Id: I6bf5dfece9ecbdb8319747774185dec50d5a55f6 --- puppet/modules/site_config/manifests/hosts.pp | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
index 83a1040d..ccedf036 100644
--- a/puppet/modules/site_config/manifests/hosts.pp
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -14,6 +14,17 @@ class site_config::hosts() {
 refreshonly => true;
 }
 
+ # we depend on reliable hostnames from /etc/hosts for the stunnel services
+ # so restart stunnel service when /etc/hosts is modified
+ # because this is done in an early stage, the stunnel module may not
+ # have been deployed and will not be available for overriding, so
+ # this is handled in an unorthodox manner
+ exec { '/etc/init.d/stunnel4 restart':
+ subscribe => File['/etc/hosts'],
+ refreshonly => true,
+ onlyif => 'test -f /etc/init.d/stunnel4';
+ }
+
 file { '/etc/hosts':
 content => template('site_config/hosts'),
 mode => '0644',
-- cgit v1.2.3 From 57b2c01c42cc47901bc39504bd5e776a7e3a9c6d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Jul 2013 16:44:56 +0200 Subject: deleted bind9 purging, it was only needed for the transition from bind to unbound --- puppet/modules/site_config/manifests/resolvconf.pp | 11 ----------- 1 file changed, 11 deletions(-)
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
index d73f0b78..271c5043 100644
--- a/puppet/modules/site_config/manifests/resolvconf.pp
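Review bot: The new exec performs a full `restart` of stunnel4 on every change to `/etc/hosts`, which drops every tunnel and the connections riding on it even when only an unrelated host entry changed; if the init script supports `reload`, that is the gentler refresh, and if it does not, the comment should say that a full restart is unavoidable. Using the command as the resource title and a bare `test` in `onlyif` ties the resource to the `Exec { path => ... }` default set elsewhere; a named resource is more robust and easier to reference: `exec { 'stunnel4_restart_on_hosts_change': command => '/etc/init.d/stunnel4 restart', onlyif => '/usr/bin/test -f /etc/init.d/stunnel4', subscribe => File['/etc/hosts'], refreshonly => true; }`. The five-line comment is welcome; it could be tightened to three by leading with the "unorthodox" reason.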
+++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -1,16 +1,5 @@ class site_config::resolvconf { - # bind9 purging can be taken out after some time - package { 'bind9': - ensure => absent, - } - file { '/etc/default/bind9': - ensure => absent; - } - file { '/etc/bind/named.conf.options': - ensure => absent; - } - $domain_public = $site_config::default::domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind -- cgit v1.2.3 From 0d6694a0ee00be0f35b18025d86883cf3d4e4a7d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Jul 2013 12:44:44 -0400 Subject: create a site_config subclass for package installation and removal add packages that we want to make sure are installed remove packages that were found on vagrant and PC installations that have no business being there Change-Id: I4887a327ca89eb60945ad817a75ff199859824d3 --- .../modules/site_config/manifests/base_packages.pp | 28 ++++++++++++++++++++++ puppet/modules/site_config/manifests/default.pp | 5 ++-- 2 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_config/manifests/base_packages.pp diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp new file mode 100644 index 00000000..3d40f7a2 --- /dev/null +++ b/puppet/modules/site_config/manifests/base_packages.pp 
@@ -0,0 +1,28 @@
+class site_config::base_packages {
+
+ # base set of packages that we want to have installed everywhere
+ package { [ 'etckeeper', 'screen', 'less' ]:
+ ensure => installed,
+ }
+
+ # base set of packages that we want to remove everywhere
+ package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp',
+ 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server',
+ 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind',
+ 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5',
+ 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common',
+ 'x11-utils', 'xterm' ]:
+ ensure => absent;
+ }
+
+ if $::virtual == 'virtualbox' {
+ $virtualbox_ensure = present
+ } else {
+ $virtualbox_ensure = absent
+ }
+
+ package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc',
+ 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
+ ensure => $virtualbox_ensure
+ }
+}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 5518ea56..00eee9d0 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -31,9 +31,8 @@ class site_config::default {
 stage => setup,
 }
 
- package { [ 'etckeeper' ]:
- ensure => installed,
- }
+ # install/remove base packages
+ include site_config::base_packages
 
 # include basic shorewall config
 include site_shorewall::defaults
-- cgit v1.2.3 From e30c2d434993892a0cdbafc68848778101cdf8f6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Jul 2013 16:45:16 -0400 Subject: update stunnel submodule to fix refresh bug #3013 Change-Id: I9ed218d9353c05b34d34c363a6a3f10d54b3a60a --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
index 1a12adc9..fc1589a5 160000
--- a/puppet/modules/stunnel
+++ b/puppet/modules/stunnel
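Review bot: `ensure => absent` on the removal list takes the binaries out but typically leaves package configuration on disk; if the intent is attack-surface reduction on hosts where `rpcbind`, `nfs-common`, `samba-common` and friends were never wanted, `ensure => purged` is the stronger setting, though that is a behaviour change to decide explicitly and record in the comment. The compiler list pins Debian-release-specific names (`g++-4.7`, `gcc-4.6`, `cpp-4.7`), which will silently stop matching after a release upgrade, so it deserves a `# package names are for Debian wheezy` comment or a fact-derived suffix. The `$::virtual == 'virtualbox'` branch keeps the toolchain only on VirtualBox guests, presumably for guest-additions builds, but the reason is not stated and should be.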
@@ -1 +1 @@ -Subproject commit 1a12adc97d70224a0e750c6ab8a41073ced72d2b +Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc -- cgit v1.2.3 From 373002ee2b7b5373a1ab2f3a1f289bd722ec0d91 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Jul 2013 16:45:16 -0400 Subject: update stunnel submodule to fix refresh bug #3013 Change-Id: I9ed218d9353c05b34d34c363a6a3f10d54b3a60a --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 1a12adc9..fc1589a5 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 1a12adc97d70224a0e750c6ab8a41073ced72d2b +Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc -- cgit v1.2.3 From 506c70eb951b7aa18d009fc4fc77ce2f20a6ffe8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 3 Jul 2013 11:39:17 -0400 Subject: Update README to guide a user through a basic understanding, and where to go next to get started or report problems Change-Id: I254e73db7bdbf181bd993d2e9d73e864a62d1112 --- README.md | 67 +++++++++++++++++++++++++-------------------------------------- 1 file changed, 27 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 03e3cb80..5e9600cd 100644 --- a/README.md +++ b/README.md 
@@ -5,43 +5,39 @@ Leap Platform What is it? =========== -The LEAP Provider Platform is the server-side part of the LEAP Encryption Access Project that is run by service providers. It consists of a set of complementary modules and recipes to automate the maintenance of LEAP services in a hardened GNU/Linux environment. LEAP makes it easy and straightforward for service providers and ISPs to deploy a secure communications platform for their users. +The LEAP Platform is set of complementary packages and server recipes to automate the maintenance of LEAP services in a hardened Debian environment. Its goal is to make it as painless as possible for sysadmins to deploy and maintain a service provider’s infrastructure for secure communication. These recipes define an abstract service provider. It is a set of Puppet modules designed to work together to provide to sysadmins everything they need to manage a service provider infrastructure that provides secure communication services. -The LEAP Platform is essentially a git repository of puppet recipes, with a few scripts to help with bootstrapping and deployment. A service provider who wants to deploy LEAP services will clone or fork this repository, edit the main configuration file to specify which services should run on which hosts, and run scripts to deploy this configuration. +As these recipes consist of abstract definitions, in order to configure settings for a particular service provider a system administrator has to obtain the leap command-line interface and create a provider instance. The details of how to get started are contained in the `Quick Start` documentation as detailed below. -Documentation -============= -Most of the current documentation can be found in Readme files of the different pieces. This will be consolidated on the website https://leap.se soon. 
+Getting started +=============== -Requirements -============ +It is highly recommended that you start by reading the overview of the Leap Platform on the website (https://leap.se/docs/platform) and then begin with the `Quick Start` guide (https://leap.se/docs/platform/quick-start) to walk through a test environment setup to get familiar with how things work before deploying to live servers. -This highly depends on your (expected) user base. -For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. -You could use Vagrant or KVM to simulate a live deployment. +An offline copy of this documentation is contained in the `doc` subdirectory. For more current updates to the documentation, visit the website. -For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. -In it's initial release you can deploy Tor, OpenVPN, CouchDB and a webapp to administer your users (billing, help tickets,…). -While you can deploy all services on one server, we stronly recommend to use seperate servers for better security. +Requirements +------------ -Usage -===== +For a minimal test or develop install we recommend a fairly recent computer x86_64 with hardware virtualization features (AMD-V or VT-x) with plenty of RAM. If you follow the `Quick Start` documentation we will walk you through using Vagrant to setup a test deployment. -As mentioned above, Leap Platform are the server-side Puppet manifests, for deploying a service provider, you need the leap command line interface, -available here: https://github.com/leapcode/leap_cli +For a live deployment of the platform the amount of required (virtual) servers depends on your needs and which services you want to deploy. At the moment, the Leap Platform supports servers with a base Debian Wheezy installation. 
-We strongly recommend to follow the `Quick Start` Documentaion which can be found on the website https://leap.se +While you can deploy all services on one server, we stronly recommend to use seperate servers for better security. -Clone leap_platform and its submodules --------------------------------------- +Troubleshooting +=============== - git checkout develop +If you have a problem, we are interested in fixing it! The best way for us to solve your problem is if you provide to us the complete log of what you did, and the output that was produced. Please don't cut out what appears to be useless information and only include the error that you received, instead copy and paste the complete log so that we can better determine the overall situation. -Initialize Submodules: +Visit https://leap.se/en/development for contact possibilities. - git submodule update --init +Known bugs +---------- + +* Please read the section in the documentation about Known Issues (https://leap.se/docs/known-issues) More Information @@ -49,23 +45,6 @@ More Information For more information about the LEAP Encryption Access Project, please visit the website https://leap.se which also lists contact data. - -Copyright/License ------------------ - -Read LICENSE - - -Known bugs ----------- - -* currently none known, there will probably be some around! - -Troubleshooting ---------------- - -Visit https://leap.se/en/development for contact possibilities. - Changelog --------- @@ -80,3 +59,11 @@ See contributors: git shortlog -es --all + +Copyright/License +----------------- + +Read LICENSE + + + -- cgit v1.2.3 From 76824412771cdeaf4b62fcd711e2f722bd32e08f Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 3 Jul 2013 11:45:03 -0400 Subject: Copy the current state of the platform documentation into the doc directory. Originally I thought it would be better to add the leap_doc git repository as a submodule, but I decided against that: . it requires that the user has to start off by initializing submodules, something that the leap_cli does for you . it would result in more up-to-date documentation than was targeted for this release . it would result in an unfortunate directory structure (doc/doc/platform). For these reasons it seemed to me better to put a snapshot of our current platform documentation into the doc directory right before release. This just means a step in our release process of refreshing these docs once we have reviewed them and updated the known-issues for this release. Change-Id: Ib395ea30553772fd195dd50315f026a2576feedd --- README.md | 14 ++- doc/commands.md | 285 ++++++++++++++++++++++++++++++++++++++++++++++++ doc/config.md | 229 ++++++++++++++++++++++++++++++++++++++ doc/en.md | 77 +++++++++++++ doc/guide.md | 257 +++++++++++++++++++++++++++++++++++++++++++ doc/known-issues.md | 64 +++++++++++ doc/quick-start.md | 245 +++++++++++++++++++++++++++++++++++++++++ doc/service-diagram.odg | Bin 0 -> 12131 bytes doc/service-diagram.png | Bin 0 -> 25988 bytes doc/under-the-hood.md | 37 +++++++ 10 files changed, 1203 insertions(+), 5 deletions(-) create mode 100644 doc/commands.md create mode 100644 doc/config.md create mode 100644 doc/en.md create mode 100644 doc/guide.md create mode 100644 doc/known-issues.md create mode 100644 doc/quick-start.md create mode 100644 doc/service-diagram.odg create mode 100644 doc/service-diagram.png create mode 100644 doc/under-the-hood.md diff --git a/README.md b/README.md index 5e9600cd..890008f5 100644 --- a/README.md +++ b/README.md 
@@ -30,14 +30,18 @@ While you can deploy all services on one server, we stronly recommend to use sep
 Troubleshooting
 ===============
-If you have a problem, we are interested in fixing it! The best way for us to solve your problem is if you provide to us the complete log of what you did, and the output that was produced. Please don't cut out what appears to be useless information and only include the error that you received, instead copy and paste the complete log so that we can better determine the overall situation.
+If you have a problem, we are interested in fixing it!
-Visit https://leap.se/en/development for contact possibilities.
+If you have a problem, be sure to have a look at the Known Issues section of the documentation to see if your issue is detailed there.
-Known bugs
-----------
+If not, the best way for us to solve your problem is if you provide to us the complete log of what you did, and the output that was produced. Please don't cut out what appears to be useless information and only include the error that you received, instead copy and paste the complete log so that we can better determine the overall situation. If you can run the same command that produced the error with a raised verbosity level (such as -v2), that provides us with more useful debugging information.
-* Please read the section in the documentation about Known Issues (https://leap.se/docs/known-issues)
+Visit https://leap.se/development for contact possibilities.
+
+Known Issues
+------------
+
+* Please read the section in the documentation about Known Issues (https://leap.se/docs/platform/known-issues)
 More Information
diff --git a/doc/commands.md b/doc/commands.md
new file mode 100644
index 00000000..b176541f
--- /dev/null
+++ b/doc/commands.md
@@ -0,0 +1,285 @@
+@title = 'Command Line Reference'
+
+The command "leap" can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.
+
+
+# Global Options
+
+* `--log FILE`
+Override default log file
+Default Value: None
+
+* `-v|--verbose LEVEL`
+Verbosity level 0..2
+Default Value: 1
+
+* `--help`
+Show this message
+
+* `--version`
+Display version number and exit
+
+* `--yes`
+Skip prompts and assume "yes"
+
+
+# leap add-user USERNAME
+
+Adds a new trusted sysadmin
+
+
+
+**Options**
+
+* `--pgp-pub-key arg`
+OpenPGP public key file for this new user
+Default Value: None
+
+* `--ssh-pub-key arg`
+SSH public key file for this new user
+Default Value: None
+
+* `--self`
+lets you choose among your public keys
+
+
+# leap cert
+
+Manage X.509 certificates
+
+
+
+## leap cert ca
+
+Creates two Certificate Authorities (one for validating servers and one for validating clients).
+
+See see what values are used in the generation of the certificates (like name and key size), run `leap inspect provider` and look for the "ca" property. To see the details of the created certs, run `leap inspect `.
+
+## leap cert csr
+
+Creates a CSR for use in buying a commercial X.509 certificate.
+
+The CSR created is for the for the provider's primary domain. The properties used for this CSR come from `provider.ca.server_certificates`.
+
+## leap cert dh
+
+Creates a Diffie-Hellman parameter file.
+
+
+
+## leap cert update
+
+Creates or renews a X.509 certificate/key pair for a single node or all nodes, but only if needed.
+
+This command will a generate new certificate for a node if some value in the node has changed that is included in the certificate (like hostname or IP address), or if the old certificate will be expiring soon. Sometimes, you might want to force the generation of a new certificate, such as in the cases where you have changed a CA parameter for server certificates, like bit size or digest hash. In this case, use --force. 
If is empty, this command will apply to all nodes. + +**Options** + +* `--force` +Always generate new certificates + + +# leap clean + +Removes all files generated with the "compile" command. + + + +# leap compile + +Compiles node configuration files into hiera files used for deployment. + + + +# leap deploy FILTER + +Apply recipes to a node or set of nodes. + +The FILTER can be the name of a node, service, or tag. + +**Options** + +* `--tags TAG[,TAG]` +Specify tags to pass through to puppet (overriding the default). +Default Value: leap_base,leap_service + +* `--fast` +Makes the deploy command faster by skipping some slow steps. A "fast" deploy can be used safely if you recently completed a normal deploy. + + +# leap help command + +Shows a list of commands or help for one command + +Gets help for the application or its commands. Can also list the commands in a way helpful to creating a bash-style completion function + +**Options** + +* `-c` +List commands one per line, to assist with shell completion + + +# leap inspect FILE + +Prints details about a file. Alternately, the argument FILE can be the name of a node, service or tag. + + + +# leap list [FILTER] + +List nodes and their classifications + +Prints out a listing of nodes, services, or tags. If present, the FILTER can be a list of names of nodes, services, or tags. If the name is prefixed with +, this acts like an AND condition. For example: + +`leap list node1 node2` matches all nodes named "node1" OR "node2" + +`leap list openvpn +local` matches all nodes with service "openvpn" AND tag "local" + +**Options** + +* `--print arg` +What attributes to print (optional) +Default Value: None + + +# leap local + +Manage local virtual machines. + +This command provides a convient way to manage Vagrant-based virtual machines. If FILTER argument is missing, the command runs on all local virtual machines. The Vagrantfile is automatically generated in 'test/Vagrantfile'. 
If you want to run vagrant commands manually, cd to 'test'. + +## leap local destroy [FILTER] + +Destroys the virtual machine(s), reclaiming the disk space + + + +## leap local reset [FILTER] + +Resets virtual machine(s) to the last saved snapshot + + + +## leap local save [FILTER] + +Saves the current state of the virtual machine as a new snapshot + + + +## leap local start [FILTER] + +Starts up the virtual machine(s) + + + +## leap local status [FILTER] + +Print the status of local virtual machine(s) + + + +## leap local stop [FILTER] + +Shuts down the virtual machine(s) + + + +# leap new DIRECTORY + +Creates a new provider instance in the specified directory, creating it if necessary. + + + +**Options** + +* `--contacts arg` +Default email address contacts. +Default Value: None + +* `--domain arg` +The primary domain of the provider. +Default Value: None + +* `--name arg` +The name of the provider. +Default Value: None + +* `--platform arg` +File path of the leap_platform directory. +Default Value: None + + +# leap node + +Node management + + + +## leap node add NAME [SEED] + +Create a new configuration file for a node named NAME. + +If specified, the optional argument SEED can be used to seed values in the node configuration file. + +The format is property_name:value. + +For example: `leap node add web1 ip_address:1.2.3.4 services:webapp`. + +To set nested properties, property name can contain '.', like so: `leap node add web1 ssh.port:44` + +Separeate multiple values for a single property with a comma, like so: `leap node add mynode services:webapp,dns` + +**Options** + +* `--local` +Make a local testing node (by automatically assigning the next available local IP address). Local nodes are run as virtual machines on your computer. 
+ + +## leap node init FILTER + +Bootstraps a node or nodes, setting up SSH keys and installing prerequisite packages + +This command prepares a server to be used with the LEAP Platform by saving the server's SSH host key, copying the authorized_keys file, and installing packages that are required for deploying. Node init must be run before deploying to a server, and the server must be running and available via the network. This command only needs to be run once, but there is no harm in running it multiple times. + +**Options** + +* `--echo` +If set, passwords are visible as you type them (default is hidden) + + +## leap node mv OLD_NAME NEW_NAME + +Renames a node file, and all its related files. + + + +## leap node rm NAME + +Removes all the files related to the node named NAME. + + + +# leap ssh NAME + +Log in to the specified node with an interactive shell. + + + +# leap test + +Run tests. + + + +## leap test init + +Creates files needed to run tests. + + + +## leap test run + +Run tests. + + +Default Command: run diff --git a/doc/config.md b/doc/config.md new file mode 100644 index 00000000..d0b1f6a7 --- /dev/null +++ b/doc/config.md 
@@ -0,0 +1,229 @@ +@title = "Configuration Files" + +Leapfile +------------------------------------------- + +A `Leapfile` defines options for the `leap` command and lives at the root of your provider directory. `Leapfile` is evaluated as ruby, so you can include whatever weird logic you want in this file. In particular, there are several variables you can set that modify the behavior of leap. For example: + + @platform_directory_path = '../leap_platform' + @log = '/var/log/leap.log' + +Additionally, you can create a `~/.leaprc` file that is loaded after `Leapfile` and is evaluated the same way. + +Platform options: + +* `@platform_directory_path` (required). This must be set to the path where `leap_platform` lives. The path may be relative. +* `@platform_branch`. If set, a check is preformed before running any command to ensure that the currently checked out branch of `leap_platform` matches the value set for `@platform_branch`. This is useful if you have a stable branch of your provider that you want to ensure runs off the master branch of `leap_platform`. +* `@allow_production_deploy`. By default, you can only deploy to production nodes if the current branch is 'master' or if the provider directory is not a git repository. This option allows you to override this behavior. + +Vagrant options: + +* `@vagrant_network`. Allows you to override the default network used for local nodes. It should include a netmask like `@vagrant_network = '10.0.0.0/24'`. +* `@custom_vagrant_vm_line`. Insert arbitrary text into the auto-generated Vagrantfile. For example, `@custom_vagrant_vm_line = "config.vm.boot_mode = :gui"`. + +Logging options: + +* `@log`. If set, all command invocation and results are logged to the specified file. This is the same as the switch `--log FILE`, except that the command line switch will override the value in the Leapfile. 
+ + +Configuration files +------------------------------------------- + +All configuration files, other than `Leapfile`, are in the JSON format. For example: + + { + "key1": "value1", + "key2": "value2" + } + +Keys should match `/[a-z0-9_]/` + +Unlike traditional JSON, comments are allowed. If the first non-whitespace characters are `//` then the line is treated as a comment. + + // this is a comment + { + // this is a comment + "key": "value" // this is an error + } + +Options in the configuration files might be nested hashes, arrays, numbers, strings, or boolean. Numbers and boolean values should **not** be quoted. For example: + + { + "openvpn": { + "ip_address": "1.1.1.1", + "protocols": ["tcp", "udp"], + "ports": [80, 53], + "options": { + "public_ip": false, + "adblock": true + } + } + } + +If the value string is prefixed with an '=' character, the result is evaluated as ruby. For example: + + { + "domain": { + "public": "domain.org" + } + "api_domain": "= 'api.' + domain.public" + } + +In this case, the property "api_domain" will be set to "api.domain.org". So long as you do not create unresolvable circular dependencies, you can reference other properties in evaluated ruby that are themselves evaluated ruby. + +See "Macros" below for information on the special macros available to the evaluated ruby. + +TIP: In rare cases, you might want to force the evaluation of a value to happen in a later pass after most of the other properties have been evaluated. To do this, prefix the value string with "=>" instead of "=". + +Node inheritance +---------------------------------------- + +Every node inherits from common.json and also any of the services or tags attached to the node. Additionally, the `leap_platform` contains a directory `provider_base` that defines the default values for tags, services and common.json. 
+ +Suppose you have a node configuration for `bitmask/nodes/willamette.json` like so: + + { + "services": "webapp", + "tags": ["production", "northwest-us"], + "ip_address": "1.1.1.1" + } + +This node will have hostname "willamette" and it will inherit from the following files (in this order): + +1. common.json + - load defaults: `provider_base/common.json` + - load provider: `bitmask/common.json` +2. service "webapp" + - load defaults: `provider_base/services/webapp.json` + - load provider: `bitmask/services/webapp.json` +3. tag "production" + - load defaults: `provider_base/tags/production.json` + - load provider: `bitmask/tags/production.json` +4. tag "northwest-us" + - load: `bitmask/tags/northwest-us.json` +5. finally, load node "willamette" + - load: `bitmask/nodes/willamette.json` + +The `provider_base` directory is under the `leap_platform` specified in the file `Leapfile`. + +To see all the variables a node has inherited, you could run `leap inspect willamette`. + +Common configuration options +---------------------------------------- + +You can use the command `leap inspect` to see what options are available for a provider, node, service, or tag configuration. For example: + +* `leap inspect common` -- show the options inherited by all nodes. +* `leap inspect --base common` -- show the common.json from `provider_base` without the local `common.json` inheritance applied. +* `leap inspect webapp` -- show all the options available for the service `webapp`. + +Here are some of the more important options you should be aware of: + +* `ip_address` -- Required for all nodes, no default. +* `ssh.port` -- The SSH port you want the node's OpenSSH server to bind to. This is also the default when trying to connect to a node, but if the node currently has OpenSSH running on a different port then run deploy with `--port` to override the `ssh.port` configuration value. +* `mosh.enabled` -- If set to `true`, then mosh will be installed on the server. 
The default is `false`. + +Macros +---------------------------------------- + +When using evaluated ruby in a JSON configuration file, there are several special macros that are available. These are evaluated in the context of a node (available as the variable `self`). + +The following methods are available to the evaluated ruby: + +`variable.variable` + + > Any variable defined or inherited by a particular node configuration is available by just referencing it using either hash notation or object field notation (e.g. `['domain']['public']` or `domain.public`). Circular references are not allowed, but otherwise it is OK to nest evaluated values in other evaluated values. If a value has not been defined, the hash notation will return nil but the field notation will raise an exception. Properties of services, tags, and the global provider can all be referenced the same way. For example, `global.services['openvpn'].x509.dh`. + +`nodes` + + > A hash of all nodes. This list can be filtered. + +`nodes_like_me` + + > A hash of nodes that have the same deployment tags as the current node (e.g. 'production' or 'local'). + +`global.services` + + > A hash of all services, e.g. `global.services['openvpn']` would return the "openvpn" service. + +`global.tags` + + > A hash of all tags, e.g. `global.tags['production']` would return the "production" tag. + + `global.provider` + + > Can be used to access variables defined in `provider.json`, e.g. `global.provider.contacts.default`. + +`file(filename)` + + > Inserts the full contents of the file. If the file is an erb template, it is rendered. The filename can either be one of the pre-defined file symbols, or it can be a path relative to the "files" directory in your provider instance. E.g, `file :ca_cert` or `files 'ca/ca.crt'`. + +`file_path(filename)` + + > Ensures that the file will get rsynced to the node as an individual file. 
The value returned by `file_path` is the full path where this file will ultimately live when deploy to the node. e.g. `file_path :ca_cert` or `file_path 'branding/images/logo.png'`. + +`secret(:symbol)` + + > Returns the value of a secret in secrets.json (or creates it if necessary). E.g. `secret :couch_admin_password` + +`hosts_file` + + > Returns a data structure that puppet will use to generate /etc/hosts. Care is taken to use the local IP of other hosts when needed. + +`known_hosts_file` + + > Returns the lines needed in a SSH `known_hosts` file. + +`stunnel_client(node_list, port, options={})` + + > Returns a stunnel configuration data structure for the client side. Argument `node_list` is an `ObjectList` of nodes running stunnel servers. Argument `port` is the real port of the ultimate service running on the servers that the client wants to connect to. + +`stunnel_server(port)` + + > Generates a stunnel server entry. The `port` is the real port targeted service. + +Hash tables +----------------------------------------- + +The macros `nodes`, `nodes_like_me`, `global.services`, and `global.tags` all return a hash table of configuration objects (either nodes, services, or tags). 
There are several ways to filter and process these hash tables: + +Access an element by name: + + nodes['vpn1'] # returns node named 'vpn1' + global.services['openvpn'] # returns service named 'openvpn' + +Create a new hash table by applying filters: + + nodes[:public_dns => true] # all nodes where public_dns == true + nodes[:services => 'openvpn', :services => 'tor'] # openvpn OR tor + nodes[:services => 'openvpn'][:tags => 'production'] # openvpn AND production + nodes[:name => "!bob"] # all nodes that are NOT named "bob" + +Create an array of values by selecting a single field: + + nodes.field('location.name') + ==> ['seattle', 'istanbul'] + +Create an array of hashes by selecting multiple fields: + + nodes.fields('domain.full', 'ip_address') + ==> [ + {'domain_full' => 'red.bitmask.net', 'ip_address' => '1.1.1.1'}, + {'domain_full' => 'blue.bitmask.net', 'ip_address' => '1.1.1.2'}, + ] + +Create a new hash table of hashes, with only certain fields: + + nodes.pick_fields('domain.full', 'ip_address') + ==> { + "red" => {'domain_full' => 'red.bitmask.net', 'ip_address' => '1.1.1.1'}, + "blue => {'domain_full' => 'blue.bitmask.net', 'ip_address' => '1.1.1.2'}, + } + +With `pick_fields`, if there is only one field, it will generate a simple hash table: + + nodes.pick_fields('ip_address') + ==> { + "red" => '1.1.1.1', + "blue => '1.1.1.2', + } diff --git a/doc/en.md b/doc/en.md new file mode 100644 index 00000000..bdae4630 --- /dev/null +++ b/doc/en.md 
@@ -0,0 +1,77 @@ +@title = 'LEAP Platform for Service Providers' +@nav_title = 'Provider Platform' +@summary = 'Software platform to automate the process of running a communication service provider.' +@toc = true + +The *LEAP Platform* is set of complementary packages and server recipes to automate the maintenance of LEAP services in a hardened Debian environment. Its goal is to make it as painless as possible for sysadmins to deploy and maintain a service provider's infrastructure for secure communication. + +The LEAP Platform consists of three parts, detailed below: + +1. The platform recipes. +2. The provider instance. +3. The `leap` command line tool. + +The platform recipes +-------------------- + +The LEAP platform recipes define an abstract service provider. It is a set of [Puppet](https://puppetlabs.com/puppet/puppet-open-source/) modules designed to work together to provide to sysadmins everything they need to manage a service provider infrastructure that provides secure communication services. + +LEAP maintains a repository of platform recipes, which typically do not need to be modified, although it can be forked and merged as desired. Most service providers using the LEAP platform can use the same set of platform recipes. + +As these recipes consist in abstract definitions, in order to configure settings for a particular service provider a system administrator has to create a provider instance (see below). + +LEAP's platform recipes are distributed as a git repository: `git://leap.se/leap_platform.git` + +The provider instance +--------------------- + +A provider instance is a directory tree (typically tracked in git) containing all the configurations for a service provider's infrastructure. A provider instance primarily consists of: + +* A pointer to the platform recipes. +* A global configuration file for the provider. +* A configuration file for each server (node) in the provider's infrastructure. +* Additional files, such as certificates and keys. 
+ +A minimal provider instance directory looks like this: + + └── bitmask # provider instance directory. + ├── Leapfile # settings for the `leap` command line tool. + ├── provider.json # global settings of the provider. + ├── common.json # settings common to all nodes. + ├── nodes/ # a directory for node configurations. + ├── files/ # keys, certificates, and other files. + └── users/ # public key information for privileged sysadmins. + + +A provider instance directory contains everything needed to manage all the servers that compose a provider's infrastructure. Because of this, any versioning tool and development work-flow can be used to manage your provider instance. + +The `leap` command line tool +---------------------------- + +The `leap` [command line tool](commands) is used by sysadmins to manage everything about a service provider's infrastructure. Except when creating an new provider instance, `leap` is run from within the directory tree of a provider instance. + +The `leap` command line has many capabilities, including: + +* Create, initialize, and deploy nodes. +* Manage keys and certificates. +* Query information about the node configurations. + +Traditional system configuration automation systems, like [Puppet](https://puppetlabs.com/puppet/puppet-open-source/) or [Chef](http://www.opscode.com/chef/), deploy changes to servers using a pull method. Each server pulls a manifest from a central master server and uses this to alter the state of the server. + +Instead, the `leap` tool uses a masterless push method: The sysadmin runs `leap deploy` from the provider instance directory on their desktop machine to push the changes out to every server (or a subset of servers). LEAP still uses Puppet, but there is no central master server that each node must pull from. + +One other significant difference between LEAP and typical system automation is how interactions among servers are handled. 
Rather than store a central database of information about each server that can be queried when a recipe is applied, the `leap` command compiles static representation of all the information a particular server will need in order to apply the recipes. In compiling this static representation, `leap` can use arbitrary programming logic to query and manipulate information about other servers. + +These two approaches, masterless push and pre-compiled static configuration, allow the sysadmin to manage a set of LEAP servers using traditional software development techniques of branching and merging, to more easily create local testing environments using virtual servers, and to deploy without the added complexity and failure potential of a master server. + +The `leap` command line tool is distributed as a git repository: `git://leap.se/leap_cli`. It can be installed with `sudo gem install leap_cli`. + +Getting started +---------------------------------- + +We recommend reading the platform documentation in the following order: + +1. [Quick start tutorial](platform/quick-start). +2. [Platform Guide](platform/guide). +3. [Configuration format](platform/config). +4. The `leap` [command reference](platform/commands). diff --git a/doc/guide.md b/doc/guide.md new file mode 100644 index 00000000..dae392e5 --- /dev/null +++ b/doc/guide.md 
@@ -0,0 +1,257 @@ +@title = "LEAP Platform Guide" +@nav_title = "Guide" + +Services +================================ + +Every node has one or more services that determines the node's function within your provider's infrastructure. + +When adding a new node to your provider, you should ask yourself four questions: + +* **many or few?** Some services benefit from having many nodes, while some services are best run on only one or two nodes. +* **required or optional?** Some services are required, while others can be left out. +* **who does the node communicate with?** Some services communicate very heavily with other particular services. Nodes running these services should be close together. +* **public or private?** Some services communicate with the public internet, while others only need to communicate with other nodes in the infrastructure. + +Brief overview of the services: + +![services diagram](service-diagram.png) + +* **webapp**: The web application. Runs both webapp control panel for users and admins as well as the REST API that the client uses. Needs to communicate heavily with `couchdb` nodes. You need at least one, good to have two for redundancy. The webapp does not get a lot of traffic, so you will not need many. +* **couchdb**: The database for users and user data. You can get away with just one, but for proper redundancy you should have at least three. Communicates heavily with `webapp` and `mx` nodes. +* **soledad**: Handles the data syncing with clients. Typically combined with `couchdb` service, since it communicates heavily with couchdb. (not currently in stable release) +* **mx**: Incoming and outgoing MX servers. Communicates with the public internet, clients, and `couchdb` nodes. (not currently in stable release) +* **openvpn**: OpenVPN gateway for clients. You need at least one, but want as many as needed to support the bandwidth your users are doing. The `openvpn` nodes are autonomous and don't need to communicate with any other nodes. 
Often combined with `tor` service. + +Not pictured: + +* **monitor**: Internal service to monitor all the other nodes. Currently, you can have zero or one `monitor` nodes. +* **tor**: Sets up a tor exit node, unconnected to any other service. +* **dns**: Not yet implemented. + +Locations +================================ + +All nodes should have a `location.name` specified, and optionally additional information about the location, like the time zone. This location information is used for two things: + +* Determine which nodes can, or must, communicate with one another via a local network. The way some virtualization environments work, like OpenStack, requires that nodes communicate via the local network if they are on the same network. +* Allows the client to prefer connections to nodes that are closer in physical proximity to the user. This is particularly important for OpenVPN nodes. + +The location stanza in a node's config file looks like this: + + { + "location": { + "id": "ankara", + "name": "Ankara", + "country_code": "TR", + "timezone": "+2", + "hemisphere": "N" + } + } + +The fields: + +* `id`: An internal handle to use for this location. If two nodes have match `location.id`, then they are treated as being on a local network with one another. This value defaults to downcase and underscore of `location.name`. +* `name`: Can be anything, might be displayed to the user in the client if they choose to manually select a gateway. +* `country_code`: The [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1) two letter country code. +* `timezone`: The timezone expressed as an offset from UTC (in standard time, not daylight savings). You can look up the timezone using this [handy map](http://www.timeanddate.com/time/map/). +* `hemisphere`: This should be "S" for all servers in South America, Africa, or Australia. Otherwise, this should be "N". + +These location options are very imprecise, but good enough for most usage. 
The client often does not know its own location precisely either. Instead, the client makes an educated guess at location based on the OS's timezone and locale. + +If you have multiple nodes in a single location, it is best to use a tag for the location. For example: + +`tags/ankara.json`: + + { + "location": { + "name": "Ankara", + "country_code": "TR", + "timezone": "+2", + "hemisphere": "N" + } + } + +`nodes/vpngateway.json`: + + { + "services": "openvpn", + "tags": ["production", "ankara"], + "ip_address": "1.1.1.1", + "openvpn": { + "gateway_address": "1.1.1.2" + } + } + +Unless you are using OpenStack or AWS, setting `location` for nodes is not required. It is, however, highly recommended. + +Working with SSH +================================ + +Whenever the `leap` command nees to push changes to a node or gather information from a node, it tunnels this command over SSH. Another way to put this: the security of your servers rests entirely on SSH. Because of this, it is important that you understand how `leap` uses SSH. + +SSH related files +------------------------------- + +Assuming your provider directory is called 'provider': + +* `provider/nodes/crow/crow_ssh.pub` -- The public SSH host key for node 'crow'. +* `provider/users/alice/alice_ssh.pub` -- The public SSH user key for user 'alice'. Anyone with the private key that corresponds to this public key will have root access to all nodes. +* `provider/files/ssh/known_hosts` -- An autogenerated known_hosts, built from combining `provider/nodes/*/*_ssh.pub`. You must not edit this file directly. If you need to change it, remove or change one of the files that is used to generate `known_hosts` and then run `leap compile`. +* `provider/files/ssh/authorized_keys` -- An autogenerated list of all the user SSH keys with root access to the notes. It is created from `provider/users/*/*_ssh.pub`. You must not edit this file directly. 
If you need to change it, remove or change one of the files that is used to generate `authorized_keys` and then run `leap compile`. + +All of these files should be committed to source control. + +If you rename, remove, or add a node with `leap node [mv|add|rm]` the SSH key files and the `known_hosts` file will get properly updated. + +SSH and local nodes +----------------------------- + +Local nodes are run as Vagrant virtual machines. The `leap` command handles SSH slightly differently for these nodes. + +Basically, all the SSH security is turned off for local nodes. Since local nodes only exist for a short time on your computer and can't be reached from the internet, this is not a problem. + +Specifically, for local nodes: + +1. `known_hosts` is never updated with local node keys, since the SSH public key of a local node is different for each user. +2. `leap` entirely skips the checking of host keys when connecting with a local node. +3. `leap` adds the public Vagrant SSH key to the list of SSH keys for a user. The public Vagrant SSH key is a shared and insecure key that has root access to most Vagrant virtual machines. + +When SSH host key changes +------------------------------- + +If the host key for a node has changed, you will get an error "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED". + +To fix this, you need to remove the file `files/nodes/stompy/stompy_ssh.pub` and run `leap node init stompy`, where the node's name is 'stompy'. **Only do this if you are ABSOLUTELY CERTAIN that the node's SSH host key has changed**. + +Changing the SSH port +-------------------------------- + +Suppose you have a node `blinky` that has SSH listening on port 22 and you want to make it port 2200. + +First, modify the configuration for `blinky` to specify the variable `ssh.port` as 2200. Usually, this is done in `common.json` or in a tag file. 
+ +For example, you could put this in `tags/production.json`: + + { + "ssh": { + "port": 2200 + } + } + +Run `leap compile` and open `hiera/blinky.yaml` to confirm that `ssh.port` is set to 2200. The port number must be specified as a number, not a string (no quotes). + +Then, you need to deploy this change so that SSH will bind to 2200. You cannot simply run `leap deploy blinky` because this command will default to using the variable `ssh.port` which is now `2200` but SSH on the node is still bound to 22. + +So, you manually override the port in the deploy command, using the old port: + + leap deploy --port 22 blinky + +Afterwards, SSH on `blinky` should be listening on port 2200 and you can just run `leap deploy blinky` from then on. + +X.509 Certificates +================================ + +Configuration options +------------------------------------------- + +The `ca` option in provider.json provides settings used when generating CAs and certificates. The defaults are as follows: + + "ca": { + "name": "= global.provider.ca.organization + ' Root CA'", + "organization": "= global.provider.name", + "organizational_unit": "= 'https://' + global.provider.name", + "bit_size": 4096, + "digest": "SHA256", + "life_span": "10y", + "server_certificates": { + "bit_size": 2024, + "digest": "SHA256", + "life_span": "1y" + }, + "client_certificates": { + "bit_size": 2024, + "digest": "SHA256", + "life_span": "2m", + "limited_prefix": "LIMITED", + "unlimited_prefix": "UNLIMITED" + } + } + +To see what values are used for your provider, run `leap inspect provider.json`. You can modify the defaults as you wish by adding the values to provider.json. + +NOTE: A certificate `bit_size` greater than 2024 will probably not be recognized by most commercial CAs. + +Certificate Authorities +----------------------------------------- + +There are three x.509 certificate authorities (CA) associated with your provider: + +1. 
**Commercial CA:** It is strongly recommended that you purchase a commercial cert for your primary domain. The goal of platform is to not depend on the commercial CA system, but it does increase security and usability if you purchase a certificate. The cert for the commercial CA must live at `files/cert/commercial_ca.crt`. +2. **Server CA:** This is a self-signed CA responsible for signing all the **server** certificates. The private key lives at `files/ca/ca.key` and the public cert lives at `files/ca/ca.crt`. The key is very sensitive information and must be kept private. The public cert is distributed publicly. +3. **Client CA:** This is a self-signed CA responsible for signing all the **client** certificates. The private key lives at `files/ca/client_ca.key` and the public cert lives at `files/ca/client_ca.crt`. Neither file is distribute publicly. It is not a big deal if the private key for the client CA is compromised, you can just generate a new one and re-deploy. + +To generate both the Server CA and the Client CA, run the command: + + leap cert ca + +Server certificates +----------------------------------- + +Most every server in your service provider will have a x.509 certificate, generated by the `leap` command using the Server CA. Whenever you modify any settings of a node that might affect it's certificate (like changing the IP address, hostname, or settings in provider.json), you can magically regenerate all the certs that need to be regenerated with this command: + + leap cert update + +Run `leap help cert update` for notes on usage options. + +Because the server certificates are generated locally on your personal machine, the private key for the Server CA need never be put on any server. It is up to you to keep this file secure. + +Client certificates +-------------------------------- + +Every leap client gets its own time-limited client certificate. This cert is use to connect to the OpenVPN gateway (and probably other things in the future). 
It is generated on the fly by the webapp using the Client CA. + +To make this work, the private key of the Client CA is made available to the webapp. This might seem bad, but compromise of the Client CA simply allows the attacker to use the OpenVPN gateways without paying. In the future, we plan to add a command to automatically regenerate the Client CA periodically. + +There are two types of client certificates: limited and unlimited. A client using a limited cert will have its bandwidth limited to the rate specified by `provider.service.bandwidth_limit` (in Bytes per second). An unlimited cert is given to the user if they authenticate and the user's service level matches one configured in `provider.service.levels` without bandwidth limits. Otherwise, the user is given a limited client cert. + +Commercial certificates +----------------------------------- + +We strongly recommend that you use a commercial signed server certificate for your primary domain (in other words, a certificate with a common name matching whatever you have configured for `provider.domain`). This provides several benefits: + +1. When users visit your website, they don't get a scary notice that something is wrong. +2. When a user runs the LEAP client, selecting your service provider will not cause a warning message. +3. When other providers first discover your provider, they are more likely to trust your provider key if it is fetched over a commercially verified link. + +The LEAP platform is designed so that it assumes you are using a commercial cert for the primary domain of your provider, but all other servers are assumed to use non-commercial certs signed by the Server CA you create. + +To generate a CSR, run: + + leap cert csr + +This command will generate the CSR and private key matching `provider.domain` (you can change the domain with `--domain=DOMAIN` switch). It also generates a server certificate signed with the Server CA. 
You should delete this certificate and replace it with a real one once it is created by your commercial CA. + +The related commercial cert files are: + + files/ + certs/ + domain.org.crt # Server certificate for domain.org, obtained by commercial CA. + domain.org.csr # Certificate signing request + domain.org.key # Private key for you certificate + commercial_ca.crt # The CA cert obtained from the commercial CA. + +The private key file is extremely sensitive and care should be taken with its provenance. + +If your commercial CA has a chained CA cert, you should be OK if you just put the **last** cert in the chain into the `commercial_ca.crt` file. This only works if the other CAs in the chain have certs in the debian package `ca-certificates`, which is the case for almost all CAs. + +Facts +============================== + +There are a few cases when we must gather internal data from a node before we can successfully deploy to other nodes. This is what `facts.json` is for. It stores a snapshot of certain facts about each node, as needed. Entries in `facts.json` are updated automatically when you initialize, rename, or remove a node. To manually force a full update of `facts.json`, run: + + leap facts update FILTER + +Run `leap help facts update` for more information. + +The file `facts.json` should be committed to source control. You might not have a `facts.json` if one is not required for your provider. diff --git a/doc/known-issues.md b/doc/known-issues.md new file mode 100644 index 00000000..abd28084 --- /dev/null +++ b/doc/known-issues.md 
@@ -0,0 +1,64 @@ +@title = 'Leap Platform Release Notes' +@nav_title = 'Known issues' +@summary = 'Known issues in the Leap Platform.' +@toc = true + +Here you can find documentation about known issues and potential work-arounds in the current Leap Platform release. + +0.2.2 +===== + +In this release the following issues are known, work-arounds are noted when available. + +General Issues +-------------- + +. This release does *not* anonymize your logs (see: https://leap.se/code/issues/1897) + +. This release does *not* setup email relaying, so admins will not receive important email notifications. Email service will be part of the next release (see: https://leap.se/code/issues/1683 https://leap.se/code/issues/1905) + +. Your openvpn gateway address will be added on the /24 network, and is not configurable in this release (see: https://leap.se/code/issues/1863) + +. You must not add a node with an underscore in the name, you also cannot use a hyphen for a vagrant node (see: https://leap.se/code/issues/3087) + +. The nagios website check reports success when the webapp is not functioning but apache is up (see: https://leap.se/code/issues/1629) + +User setup and ssh +------------------ + +. if you aren't using a single ssh key, but have different ones, you will need to define the following at the top of your ~/.ssh/config: + HostName + IdentityFile + + (see: https://leap.se/code/issues/2946 and https://leap.se/code/issues/3002) + +. If the ssh host key changes, you need to run node init again (see: https://leap.se/en/docs/platform/guide#Working.with.SSH) + +. At the moment, only ECDSA ssh host keys are supported. If you get the following error: `= FAILED ssh-keyscan: no hostkey alg (must be missing an ecdsa public host key)` then you should confirm that you have the following line defined in your server's /etc/ssh/sshd_config: +HostKey /etc/ssh/ssh_host_ecdsa_key and that file exists. 
If you made a change to your sshd_config, then you need to run `/etc/init.d/ssh restart` (see: https://leap.se/code/issues/2373) + +. To remove an admin's access to your servers, please remove the directory for that user under the `users/` subdirectory in your provider directory and then remove that user's ssh keys from files/ssh/authorized_keys. When finished you *must* run a `leap deploy` to update that information on the servers (see: https://leap.se/code/issues/1863) + +. At the moment, it is only possible to add an admin who will have access to all LEAP servers (see: https://leap.se/code/issues/2280) + +. leap add-user --self allows only one key - if you run that command twice with different keys, you will just replace the key with the second key. To add a second key, add it manually to files/ssh/authorized_keys (see: https://leap.se/code/issues/866) + +Deploying +--------- + +. If you have any errors during a run, please try to deploy again as this often solves non-deterministic issues that were not uncovered in our testing. Please re-deploy with `leap -v2 deploy` to get more verbose logs and capture the complete output to provide to us for debugging. + +. If when deploying your debian mirror fails for some reason, network anomoly or the mirror itself is out of date, then platform deployment will not succeed properly. Check the mirror is up and try to deploy again when it is resolved (see: https://leap.se/code/issues/1091) + +. Deployment gives 'error: in `%`: too few arguments (ArgumentError)' - this is because you attempted to do a deploy before initializing a node, please initialize the node first and then do a deploy afterwards (see: https://leap.se/code/issues/2550) + +. This release has no ability to custom configure apt sources or proxies (see: https://leap.se/code/issues/1971) + +. 
When running a deploy at a verbosity level of 2 and above, you will notice puppet deprecation warnings, these are known and we are working on fixing them + +Special Environments +-------------------- + +. When deploying to OpenStack release "nova" or newer, you will need to do an initial deploy, then when it has finished run `leap facts update` and then deploy again (see: https://leap.se/code/issues/3020) + +. It is not possible to actually use the EIP openvpn server on vagrant nodes (see: https://leap.se/code/issues/2401) diff --git a/doc/quick-start.md b/doc/quick-start.md new file mode 100644 index 00000000..5ba28f8d --- /dev/null +++ b/doc/quick-start.md 
@@ -0,0 +1,245 @@ +@title = 'LEAP Platform Quick Start' +@nav_title = 'Quick Start' + +This tutorial walks you through the initial process of creating and deploying a service provider running the [LEAP platform](platform). First examples aim to build a provider in a virtual environment, and in the end running in real hardware is targeted. + +First, a few definitions: + +* **node:** A server that is part of the service provider's infrastructure. All nodes are running the Debian GNU/Linux operating system. +* **sysadmin:** This is you. +* **sysadmin machine:** Your desktop or laptop computer that you use to control the nodes. This machine can be running any variant of Unix, Linux, or Mac OS (however, only Debian derivatives are supported at the moment). + +All the commands in this tutorial are run on your sysadmin machine. In order to complete the tutorial, the sysadmin machine must: + +* Be a real machine with virtualization support in the CPU (VT-x or AMD-V). In other words, not a virtual machine. +* Have at least 4gb of RAM. +* Have a fast internet connection (because you will be downloading a lot of big files, like virtual machine images). + +Install prerequisites +-------------------------------- + +*Debian & Ubuntu* + +Install core prerequisites: + + sudo apt-get install git ruby ruby-dev rsync openssh-client openssl rake make + +Install Vagrant in order to be able to test with local virtual machines (typically optional, but required for this tutorial): + + sudo apt-get install vagrant virtualbox + + + +Install leap +--------------------- + + + +Install `leap` command from source: + + git clone git://leap.se/leap_cli.git + cd leap_cli + rake build + +Then, install as root user (recommended): + + sudo rake install + +Or, install as unprivileged user: + + rake install + # watch out for the directory leap is installed to, then i.e. 
+ sudo ln -s ~/.gem/ruby/1.9.1/bin/leap /usr/local/bin/leap + +With both methods, you can use now /usr/local/bin/leap, which in most cases will be in your $PATH. + + +Create a provider instance +--------------------------------------- + +A provider instance is a directory tree, usually stored in git, that contains everything you need to manage an infrastructure for a service provider. In this case, we create one for bitmask.net and call the instance directory 'bitmask'. + + mkdir -p ~/leap/bitmask + +Now, we will initialize this directory to make it a provider instance. Your provider instance will need to know where it can find local copy of the git repository leap_platform, which holds the puppet recipes you will need to manage your servers. Typically, you will not need to modify leap_platform. + + cd ~/leap/bitmask + leap new . + +The `leap new` command will ask you for several required values: + +* domain: The primary domain name of your service provider. In this tutorial, we will be using "bitmask.net". +* name: The name of your service provider. +* contact emails: A comma separated list of email addresses that should be used for important service provider contacts (for things like postmaster aliases, Tor contact emails, etc). +* platform: The directory where you have a copy of the `leap_platform` git repository checked out. If it doesn't exist, it will be downloaded for you. + +You may want to poke around and see what is in the files we just created. For example: + + cat provider.json + +Optionally, commit your provider directory using the version control software you fancy. For example: + + git init + git add . + git commit -m "initial commit" + +Now add yourself as a privileged sysadmin who will have access to deploy to servers: + + leap add-user --self + +NOTE: in most cases, `leap` must be run from within a provider instance directory tree (e.g. ~/leap/bitmask). 
+ +Now generate required X509 certificates and keys: + + leap cert ca + leap cert csr + +To see details about the keys and certs that the prior two commands created, you can use `leap inspect` like so: + + leap inspect files/ca/ca.crt + + +Edit provider.json configuration +-------------------------------------- + +There are a few required settings in provider.json. At a minimum, you must have: + + { + "domain": "bitmask.net", + "name": "Bitmask", + "contacts": { + "default": "email1@domain.org, email2@domain.org" + } + } + +For a full list of possible settings, you can use `leap inspect` to see how provider.json is evaluated after including the inherited defaults: + + leap inspect provider.json + +Create nodes +--------------------- + +A "node" is a server that is part of your infrastructure. Every node can have one or more services associated with it. Some nodes are "local" and used only for testing. These local nodes exist only as virtual machines on your computer and cannot be accessed from outside (see `leap help local` for more information). + +Create a local node, with the service "webapp": + + leap node add --local web1 services:webapp + +This created a node configuration file in `nodes/web1.json`, but it did not create the virtual machine. In order to test our node "web1", we need to first spin up a virtual machine. The next command will probably take a very long time, because it will need to download a VM image (about 700mb). + + leap local start + +Now that the virtual machine for web1 is running, you need to initialize it and then deploy the recipes to it. You only need to initialize a node once, but there is no harm in doing it multiple times. These commands will take a while to run the first time, as it needs to update the package cache on the new virtual machine. + + leap node init web1 + leap deploy web1 + +That is it, you should now have your first running node. 
However, the LEAP web application requires a database to run, so let's add a "couchdb" node: + + leap node add --local db1 services:couchdb + leap local start + leap node init db1 + leap deploy db1 + +Access the web application +-------------------------------------------- + +You should now have two local virtual machines running, one for the web application and one for the database. In order to connect to the web application in your browser, you need to point your domain at the IP address of the web application node (named web1 in this example). + +There are a lot of different ways to do this, but one easy way is to modify your `/etc/hosts` file. First, find the IP address of the webapp node: + + leap list webapp --print ip_address + +Then modify `/etc/hosts` like so: + + 10.5.5.47 DOMAIN + +Replacing 'DOMAIN' with whatever you specified as the `domain` in the `leap new` command. + +Next, you can connect to the web application either using a web browser or via the API using the LEAP client. To use a browser, connect to https://DOMAIN. Your browser will complain about an untrusted cert, but for now just bypass this. From there, you should be able to register a new user and login. + +What is going on here? +-------------------------------------------- + +First, some background terminology: + +* **puppet**: Puppet is a system for automating deployment and management of servers (called nodes). +* **hiera files**: In puppet, you can use something called a 'hiera file' to seed a node with a few configuration values. In LEAP, we go all out and put *every* configuration value needed for a node in the hiera file, and automatically compile a custom hiera file for each node. + +When you run `leap deploy`, a bunch of things happen, in this order: + +1. **Compile hiera files**: The hiera configuration file for each node is compiled in YAML format and saved in the directory `hiera`. 
The source material for this hiera file consists of all the JSON configuration files imported or inherited by the node's JSON config file. +* **Copy required files to node**: All the files needed for puppet to run are rsync'ed to each node. This includes the entire leap_platform directory, as well as the node's hiera file and other files needed by puppet to set up the node (keys, binary files, etc). +* **Puppet is run**: Once the node is ready, leap connects to the node via ssh and runs `puppet apply`. Puppet is applied locally on the node, without a daemon or puppetmaster. + +You can run `leap -v2 deploy` to see exactly what commands are being executed. + + + +Additional commands +------------------------------------------- + +Here are a few useful commands you can run on your new local nodes: + +* `leap ssh web1` -- SSH into node web1 (requires `leap node init web1` first). +* `leap list` -- list all nodes. +* `leap list --print ip_address` -- list a particular attribute of all nodes. +* `leap local reset web1` -- return web1 to a pristine state. +* `leap local stop` -- stop all local virtual machines. +* `leap local status` -- get the running state of all the local virtual machines. +* `leap cert update` -- generate new certificates if needed. + +See the full command reference for more information. + +Node filters +------------------------------------------- + +Many of the `leap` commands take a "node filter". You can use a node filter to target a command at one or more nodes. + +A node filter consists of one or more keywords, with an optional "+" before each keyword. + +* keywords can be a node name, a service type, or a tag. +* the "+" before the keyword constructs an AND condition +* otherwise, multiple keywords together construct an OR condition + +Examples: + +* `leap list openvpn` -- list all nodes with service openvpn. +* `leap list openvpn +production` -- only nodes of service type openvpn AND tag production. 
+* `leap deploy webapp openvpn` -- deploy to all webapp OR openvpn nodes. +* `leap node init vpn1` -- just init the node named vpn1. + +Running on real hardware +----------------------------------- + +The steps required to initialize and deploy to nodes on the public internet are basically the same as we have seen so far for local testing nodes. There are a few key differences: + +* Obviously, you will need to acquire a real or virtual machine that you can SSH into remotely. +* When creating the node configuration, you should give it the tag "production" if the node is to be used in your production infrastructure. +* When creating the node configuration, you need to specify the IP address of the node. + +For example: + + leap node add db1 tags:production services:couchdb ip_address:4.4.4.4 + +Also, running `leap node init NODE_NAME` on a real server will prompt you to verify the fingerprint of the SSH host key and to provide the root password of the server NODE_NAME. You should only need to do this once. + +What's next +----------------------------------- + +Read the [LEAP platform guide](guide) to learn about planning and securing your infrastructure. + diff --git a/doc/service-diagram.odg b/doc/service-diagram.odg new file mode 100644 index 00000000..09265c2d Binary files /dev/null and b/doc/service-diagram.odg differ diff --git a/doc/service-diagram.png b/doc/service-diagram.png new file mode 100644 index 00000000..85e62436 Binary files /dev/null and b/doc/service-diagram.png differ diff --git a/doc/under-the-hood.md b/doc/under-the-hood.md new file mode 100644 index 00000000..080a153e --- /dev/null +++ b/doc/under-the-hood.md 
@@ -0,0 +1,37 @@ +@title = "Under the hood" + +This page contains various details on the how the platform is implemented. You can safely ignore this page, although it may be useful if you plan to make modifications to the platform. + +Puppet Details +====================================== + +Run stages +---------- + +We use two run stages for resource ordering: + +* initial: configure hostname, apt-get update + apt-get dist-upgrade +* main: everything else + +Stage initial is run before stage main. + +see http://docs.puppetlabs.com/puppet/2.7/reference/lang_run_stages.html for run stage documentation. + +Tags +---- + +Tags are beeing used to deploy different classes. + +* leap_base: site_config::default (configure hostname + resolver, sshd, ) +* leap_slow: site_config::slow (slow: apt-get update, apt-get dist-upgrade) +* leap_service: cofigure platform service (openvpn, couchdb, etc.) + +You can pass any combination of tags, i.e. use + +* "--tags leap_base,leap_slow,leap_service" (DEFAULT): Deploy all +* "--tags leap_service": Only deploy service(s) (useful for debugging/development) +* "--tags leap_base": Only deploy basic configuration (again, useful for debugging/development) + +See http://docs.puppetlabs.com/puppet/2.7/reference/lang_tags.html for puppet tag usage. + + -- cgit v1.2.3 From c989c8dcf03af62381ce7477aa8613f692641934 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 4 Jul 2013 12:32:42 -0700 Subject: remove stupid bandwidth limit from default provider.json --- provider_base/provider.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index e698b5dd..b6a7af21 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json 
@@ -17,7 +17,7 @@
 "service": {
 "levels": [
 // bandwidth limit is in Bytes, storage limit is in MB.
- {"id": 1, "name": "free", "bandwidth":"limited", "storage":50},
+ {"id": 1, "name": "free", "storage":50},
 {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]},
 {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]}
 ],
-- cgit v1.2.3
From 8d71649f1dcfcae30ec278e31bc7fc4d7dede80f Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 4 Jul 2013 12:35:24 -0700
Subject: couchdb.json should not set service_type, since internal_service is the default.
---
provider_base/services/couchdb.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index ba07733c..a26579c8 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -1,5 +1,4 @@
 {
- "service_type": "internal_service",
 "x509": {
 "use": true
 },
-- cgit v1.2.3
From 47dd8cde0316256e0d2d1037787fdf539a3f8975 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 4 Jul 2013 12:36:22 -0700
Subject: make sure webapps have the full domain suffix as an alias (fixes problems generating zone file).
---
provider_base/services/webapp.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index ad32bb61..93396ec7 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -38,7 +38,7 @@
 "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"
 },
 "dns": {
- "aliases": "= [domain.full, api.domain, nickserver.domain]"
+ "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]"
 },
 "x509": {
 "use": true,
-- cgit v1.2.3
From 7cbc4d41e35fec9dc0192cc3caf11803b562c06d Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 4 Jul 2013 16:35:51 -0400
Subject: more robust openvpn restarting
this ensures that an actual restart is run on the service when config files are added or removed, instead of relying on the status parameter of the initscript, which can be confused if config files are removed out from under it
Change-Id: I1c69fff26933338b707acf7dc4593547f32f92e3
---
puppet/modules/site_openvpn/manifests/init.pp | 9 +++++++++
puppet/modules/site_openvpn/manifests/server_config.pp | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 685871bd..4f900623 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -127,6 +127,13 @@ class site_openvpn {
 subscribe => File['/usr/local/bin/add_gateway_ips.sh'],
 }
+ exec { 'restart_openvpn':
+ command => '/etc/init.d/openvpn restart',
+ refreshonly => true,
+ subscribe => File['/etc/openvpn'],
+ require => [ Package['openvpn'], File['/etc/openvpn'] ];
+ }
+
 cron { 'add_gateway_ips.sh':
 command => '/usr/local/bin/add_gateway_ips.sh',
 user => 'root',
@@ -142,6 +149,7 @@ class site_openvpn {
 'openvpn':
 ensure => installed;
 }
+
 service { 'openvpn':
 ensure => running,
@@ -153,6 +161,7 @@ class site_openvpn {
 file { '/etc/openvpn':
 ensure => directory,
+ notify => Exec['restart_openvpn'],
 require => Package['openvpn'];
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index a2e769e1..6106cfbb 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -65,7 +65,7 @@ define site_openvpn::server_config(
 mode => 644,
 warn => true,
 require => File['/etc/openvpn'],
- notify => Service['openvpn'];
+ notify => Exec['restart_openvpn'];
 }
 if $tls_remote != undef {
-- cgit v1.2.3
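Review bot: `File['/etc/openvpn']` is declared with `ensure => directory` only, and a directory resource emits a refresh event when the resource itself changes (creation, owner/mode drift), not when files appear or disappear inside it, so the new `notify => Exec['restart_openvpn']` on the directory (and the mirror `subscribe` on the exec) will not fire on the "config file removed" case the commit message describes unless the directory is also managed with `recurse`/`purge`, which is not visible in the hunk; the `notify => Exec['restart_openvpn']` in server_config.pp covers added or rewritten configs, so stale-config removal still needs its own trigger. The `subscribe => File['/etc/openvpn']` on the exec, the `File['/etc/openvpn']` entry in its `require`, and the `notify` on the file resource all express the same edge; keeping one of them is enough. Since `/etc/init.d/openvpn restart` runs outside `Service['openvpn']`, Puppet's service resource is not informed of the restart and every refresh tears down all connected VPN sessions, which deserves a comment on the exec such as `# full restart (not reload): drops every client session; used because the initscript's status check is unreliable once a config is removed`. The enclosing `class site_openvpn` starts and ends outside these hunks.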
From 297f14f0656f80c906cc8bed0faaf5c73b7185c1 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 4 Jul 2013 22:36:56 -0700
Subject: bugfix - properly generate provider.json file.
---
provider_base/files/service-definitions/provider.json.erb | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 8dbf7365..5d4c63a0 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -1,12 +1,9 @@
 <%=
- hsh = {}
- # grab some fields from provider.json
 hsh = global.provider.pick( :languages, :description, :name, :enrollment_policy, :default_language, :service )
- hsh['domain'] = domain.full_suffix
 # advertise services that are 'user services' and for which there are actually nodes
@@ -20,5 +17,5 @@ hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt'
 hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert)
- JSON.sorted_generate hsh
+ hsh.dump_json
 %>
\ No newline at end of file
-- cgit v1.2.3
From 672154a8322901b86c9882854234eae53221a38e Mon Sep 17 00:00:00 2001
From: elijah
Date: Sat, 6 Jul 2013 22:59:50 -0700
Subject: site_webapp -- make bundler not install test-only or development-only gems.
---
puppet/modules/site_webapp/manifests/init.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 1dfe6936..e743dc07 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
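Review bot: After the first hunk nothing visible in the template sets `hsh['domain']` any more, while `ca_cert_uri` in the second hunk is still built from `domain.full_suffix`; unless `global.provider.pick(...)` or `dump_json` supplies the domain some other way, the published provider.json loses the field that identifies the provider, which is worth confirming on the generated output (the docs on this page point at `leap inspect provider.json` for that). `hsh.dump_json` replaces `JSON.sorted_generate hsh`, and `dump_json` is presumably a project extension on Hash; since this file is fetched publicly and its fingerprint is published alongside it, a one-line comment stating that `dump_json` emits keys in a deterministic (sorted) order, as the old call did, would make the stability guarantee explicit. The template's ERB block opens at `<%=` in the first hunk but the code between the two hunks is outside the view.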
@@ -52,7 +52,7 @@ class site_webapp {
 exec { 'bundler_update':
 cwd => '/srv/leap/webapp',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
 unless => '/usr/bin/bundle check',
 user => 'leap-webapp',
 timeout => 600,
-- cgit v1.2.3
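Review bot: Bundler records `--without test development` in the application's `.bundle/config` on the first install, so later `bundle check` and `bundle install` runs keep honouring it without the flag; that is the intended effect, but it also means changing the groups later requires editing that file, which deserves a comment on the exec such as `# --without is persisted in .bundle/config; clear it there if the groups change`. The `unless => '/usr/bin/bundle check'` guard and the `bundle check ||` prefix inside the command perform the same test twice; one of them can go. For a production checkout, adding `--deployment` (which requires a committed Gemfile.lock and refuses to re-resolve it on the node) would keep the installed gem set pinned to what was reviewed instead of letting the server pick versions itself — a supply-chain hardening suggestion rather than a defect in this change. The enclosing `class site_webapp` starts and ends outside the hunk.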