From 36e5202181452c385b52e183e50166dec6c456d9 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Feb 2014 15:36:12 +0100
Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096)
---
 provider_base/services/monitor.json | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'provider_base/services')
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index c3e2b954..142a4b5e 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -2,5 +2,14 @@
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
 "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ },
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
 }
 }
--
cgit v1.2.3
From 7bfc884008d26cc7dca3b10e0aeef9073f55e5d3 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 12 Feb 2014 17:01:00 +0100
Subject: include monitor node into hosts hash so check-mk-agent can run on monitor host itself via ssh to localhost (requires latest leap_cli)
---
 provider_base/services/monitor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 5656fe80..7ad0d637 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
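Review bot: `client_ca_key` is now shipped to the monitor node together with the certificates; if the shared vhost template only needs to verify client certificates, `client_ca_cert` is sufficient and the client CA private key should stay off this host, because every additional node holding it is a node whose compromise allows arbitrary client certificates to be issued. The same question applies to `commercial_key`, which is only needed if the monitor vhost itself terminates TLS for `domain.full_suffix`. `commercial_ca_cert` uses `try_file` while the other entries use `file` with a `:missing` message; if an intermediate CA is meant to be optional that asymmetry is deliberate and deserves a line in the provider docs, otherwise make it consistent.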
@@ -3,7 +3,7 @@
 "nagiosadmin_pw": "= secret :nagios_admin_password",
 "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
 },
- "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])",
+ "hosts": "= hosts_file(nodes_like_me)",
 "ssh": {
 "monitor": {
 "username": "= Leap::Platform.monitor_username",
--
cgit v1.2.3
From 9431d1c9da024f98f5c6eb7cf2eff68b2e3a1926 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 12 Feb 2014 18:43:47 +0100
Subject: include monitor node also into nagios hash so check-mk-agent can run on monitor host itself via ssh to localhost (requires latest leap_cli)
---
 provider_base/services/monitor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 7ad0d637..82c18745 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,7 +1,7 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
 },
 "hosts": "= hosts_file(nodes_like_me)",
 "ssh": {
--
cgit v1.2.3
From 488022986a54f6031d4547701031c7b0017e729c Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 27 Feb 2014 09:04:53 -0800
Subject: fixed horrible bug that caused all environments to use the same couchdb soledad password.
---
 provider_base/services/soledad.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index fc349ce1..ed6fbc9f 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -2,7 +2,11 @@
 "soledad": {
 "port": 2323,
 "require_couchdb": "=> assert %(services.include? 'couchdb')",
- "couchdb_soledad_user": "= global.services[:couchdb].couch.users[:soledad]"
+ "couchdb_soledad_user": {
+ "username": "= global.services[:couchdb].couch.users[:soledad].username",
+ "password": "= secret :couch_soledad_password",
+ "salt": "= hex_secret :couch_soledad_password_salt, 128"
+ }
 },
 "service_type": "public_service"
 }
--
cgit v1.2.3
From f8e01ef3c5cc725a685f03869d8d821176181baa Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 25 Feb 2014 12:04:39 -0800
Subject: new monitor hosts rule: local environment monitors just see local machines, other monitors see the nodes from all environments (except local)
---
 provider_base/services/monitor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 82c18745..03f6c6d1 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,9 +1,9 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
 },
- "hosts": "= hosts_file(nodes_like_me)",
+ "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
 "ssh": {
 "monitor": {
 "username": "= Leap::Platform.monitor_username",
--
cgit v1.2.3
From 8882880d5959f14a7edb94ca95ebcdd15cbc3f51 Mon Sep 17 00:00:00 2001
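Review bot: The new `password` and `salt` entries repeat, by name, the secrets that couchdb.json must use when it creates the soledad user (`:couch_soledad_password`, `:couch_soledad_password_salt`); `secret` presumably generates a fresh value on first reference, so a typo in either file would silently yield two different secrets that only fail at runtime when soledad authenticates against couchdb. The same username/password/salt triple is repeated for `couchdb_leap_mx_user` in mx.json and for `couchdb_webapp_user` and `couchdb_nickserver_user` in webapp.json by e8cd9ab2, so a later rename has four places to keep in sync. The file already uses `=> assert` for `require_couchdb`; a similar assert that the `username` lookup resolved to a non-nil value, plus a note in the provider documentation listing the paired secret names, would make the coupling visible.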
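Review bot: A non-local monitor now receives the internal hostnames, IPs and `ssh.port` of every node in every non-local environment, and the `ssh.monitor` account below is what it uses to reach them, so a staging monitor can log into production nodes; that is the behaviour the subject asks for, but it means a compromise of any non-local monitor exposes all non-local environments and should be documented next to the `environment` setting. Nodes with `environment` unset presumably also match `'!local'` — confirm that is intended. The `self.environment == 'local'` test is spelled out twice in two different forms; a single expression (or a leap_cli helper) would keep the two from drifting. The `ssh.monitor` block continues outside the hunk.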
From: varac
Date: Thu, 27 Feb 2014 13:27:00 +0100
Subject: provide nagios_test_pw in hiera files
---
 provider_base/services/couchdb.json | 3 +++
 provider_base/services/webapp.json | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 0cb044ef..5f1b5381 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -48,6 +48,9 @@
 "password": "= secret :couch_webapp_password",
 "salt": "= hex_secret :couch_webapp_password_salt, 128"
 }
+ },
+ "webapp": {
+ "nagios_test_pw": "= secret :nagios_test_password"
 }
 }
 }
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 08c7c5b0..b1f03f06 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -15,7 +15,8 @@
 "source": "https://leap.se/git/leap_web",
 "revision": "origin/master"
 },
- "client_version": "= global.provider.client_version"
+ "client_version": "= global.provider.client_version",
+ "nagios_test_pw": "= secret :nagios_test_password"
 },
 "stunnel": {
 "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
--
cgit v1.2.3
From 66f44f61c0279cac22f121f14376b99f57fe20aa Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 27 Feb 2014 18:01:10 +0100
Subject: include nagios_test user credentials in webapp hiera files
---
 provider_base/services/webapp.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index b1f03f06..d6a1e198 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
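Review bot: `webapp.nagios_test_pw` places the nagios test-account password into every couchdb node's hiera as a sibling of `couch.users`, and the second hunk puts the same `secret :nagios_test_password` into every webapp node; the consumer is outside provider_base/services, so I cannot tell whether the couchdb node needs it at all or whether only the webapp node runs the check. If one side does not consume it, drop that copy so fewer hosts hold the credential. `secret` values are presumably generated per environment (see 48802298), so a monitor that checks webapps in other environments under the rule from f8e01ef3 would hold a different value than those webapps — confirm the check is only run against same-environment webapps, or document how the cross-environment case is handled.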
@@ -16,7 +16,10 @@
 "revision": "origin/master"
 },
 "client_version": "= global.provider.client_version",
- "nagios_test_pw": "= secret :nagios_test_password"
+ "nagios_test_user": {
+ "username": "nagios_test",
+ "password": "= secret :nagios_test_password"
+ }
 },
 "stunnel": {
 "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
--
cgit v1.2.3
From e8cd9ab2d4480aa7c16d15f5db664fa650d4c655 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 27 Feb 2014 11:57:54 -0800
Subject: fixed more places where passwords were set to the wrong environment.
---
 provider_base/services/mx.json | 6 +++++-
 provider_base/services/webapp.json | 12 ++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index d57c3168..7e3f20ba 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -5,7 +5,11 @@
 "haproxy": {
 "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)"
 },
- "couchdb_leap_mx_user": "= global.services[:couchdb].couch.users[:leap_mx]",
+ "couchdb_leap_mx_user": {
+ "username": "= global.services[:couchdb].couch.users[:leap_mx].username",
+ "password": "= secret :couch_leap_mx_password",
+ "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
+ },
 "mx_nodes": "= nodes['services' => 'mx']['environment' => '!local'].field('ip_address')",
 "x509": {
 "use": true,
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 08c7c5b0..8974f851 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
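Review bot: After this hunk webapp.json exposes the credential as `nagios_test_user.username` / `nagios_test_user.password`, while couchdb.json (from 8882880d) still exposes the same secret as a flat `webapp.nagios_test_pw`; the two files should agree on one shape, otherwise the Puppet side needs two different lookups for one credential and the two can drift. The username `"nagios_test"` is a bare literal here; if the couchdb copy is kept it should expose the same `username` rather than hard-code it again elsewhere. The enclosing `webapp` object starts outside the hunk.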
@@ -2,7 +2,11 @@
 "webapp": {
 "admins": [],
 "modules": ["user", "billing", "help"],
- "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
+ "couchdb_webapp_user": {
+ "username": "= global.services[:couchdb].couch.users[:webapp].username",
+ "password": "= secret :couch_webapp_password",
+ "salt": "= hex_secret :couch_webapp_password_salt, 128"
+ },
 "customization_dir": "= file_path 'webapp'",
 "client_certificates": "= global.provider.ca.client_certificates",
 "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth",
@@ -36,7 +40,11 @@
 },
 "nickserver": {
 "domain": "= 'nicknym.' + domain.full_suffix",
- "couchdb_nickserver_user": "= global.services[:couchdb].couch.users[:nickserver]",
+ "couchdb_nickserver_user": {
+ "username": "= global.services[:couchdb].couch.users[:nickserver].username",
+ "password": "= secret :couch_nickserver_password",
+ "salt": "= hex_secret :couch_nickserver_password_salt, 128"
+ },
 "port": 6425
 },
 "dns": {
--
cgit v1.2.3
From 18121335c200b86a39f83a7cd240258c40a81f4e Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 14 Mar 2014 17:54:01 -0700
Subject: added support for environment specific providers (e.g. provider.production.json). requires latest leap_cli.
---
 provider_base/services/openvpn.json | 10 +++++-----
 provider_base/services/tor.json | 2 +-
 provider_base/services/webapp.json | 10 +++++-----
 3 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 5d77f946..5a87335b 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -14,10 +14,10 @@
 "filter_dns": false,
 "adblock": false,
 "user_ips": false,
- "allow_limited": "= global.provider.service.allow_limited_bandwidth",
- "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth",
- "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix",
- "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix",
- "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil"
+ "allow_limited": "= provider.service.allow_limited_bandwidth",
+ "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
+ "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
+ "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
+ "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil"
 }
 }
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 9173b8d4..ed75285c 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -1,6 +1,6 @@
 {
 "tor": {
 "bandwidth_rate": 6550,
- "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default"
+ "contacts": "= provider.contacts['tor'] || provider.contacts.default"
 }
 }
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index f7abdffd..29c0cbf9 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -8,10 +8,10 @@
 "salt": "= hex_secret :couch_webapp_password_salt, 128"
 },
 "customization_dir": "= file_path 'webapp'",
- "client_certificates": "= global.provider.ca.client_certificates",
- "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth",
- "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth",
- "allow_anonymous_certs": "= global.provider.service.allow_anonymous",
+ "client_certificates": "= provider.ca.client_certificates",
+ "allow_limited_certs": "= provider.service.allow_limited_bandwidth",
+ "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
+ "allow_anonymous_certs": "= provider.service.allow_anonymous",
 "secret_token": "= secret :webapp_secret_token",
 "api_version": 1,
 "secure": false,
@@ -19,7 +19,7 @@
 "source": "https://leap.se/git/leap_web",
 "revision": "origin/master"
 },
- "client_version": "= global.provider.client_version",
+ "client_version": "= provider.client_version",
 "nagios_test_user": {
 "username": "nagios_test",
 "password": "= secret :nagios_test_password"
--
cgit v1.2.3
From 222fd1568d7af9ea953a4d6179578da5994ea1fd Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 20 Mar 2014 13:10:44 -0700
Subject: allow ability to customize openvpn security stuff: tls-cipher, auth, and cipher config options.
---
 provider_base/services/openvpn.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 5a87335b..e5b97ed9 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -18,6 +18,11 @@
 "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
 "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
 "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
- "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil"
+ "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
+ "configuration": {
+ "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+ "auth": "SHA1",
+ "cipher": "AES-128-CBC"
+ }
 }
 }
--
cgit v1.2.3
From 482c3d5a77d05043f5276d4f19168d2b777d3ef0 Mon Sep 17 00:00:00 2001
From: elijah
Date: Sun, 23 Mar 2014 16:11:32 -0700
Subject: modules/site_static: part 1 - amber
---
 provider_base/services/static.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 provider_base/services/static.json
(limited to 'provider_base/services')
diff --git a/provider_base/services/static.json b/provider_base/services/static.json
new file mode 100644
index 00000000..d9155a84
--- /dev/null
+++ b/provider_base/services/static.json
@@ -0,0 +1,6 @@
+{
+ "static": {
+ "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq"
+ },
+ "service_type": "public_service"
+}
\ No newline at end of file
--
cgit v1.2.3
From 1906f13a7df02522bcd83a3c25101555870b5279 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 1 Apr 2014 15:28:54 -0400
Subject: Include all the ips that are allowed to send mail through the relay in the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343)
Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
---
 provider_base/services/mx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base/services')
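Review bot: The defaults written into `configuration` are a SHA1 HMAC for `auth`, 128-bit CBC for `cipher` and a single DHE-RSA suite for `tls-cipher`; now that these are provider-visible knobs, the provider docs should state which stronger values OpenVPN accepts (for example `SHA256` or `AES-256-CBC`) and that `tls-cipher` must name a suite every client build also supports, since a mismatch presumably shows up only as clients failing to connect. The strings are presumably copied verbatim into the server config by the openvpn module, so a misspelled value is caught only when the daemon fails to start; a check against OpenVPN's accepted names on the leap_cli side would surface it at deploy time instead. The hyphenated key `tls-cipher` departs from the snake_case used elsewhere in these files, which is acceptable if it is documented that the keys mirror OpenVPN option names.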
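Review bot: The new static.json ends without a trailing newline (`\ No newline at end of file`); add one so the next edit to the file does not show a spurious change on its last line. `formats` uses the `=>` marker where the other service files use `=` except for the `assert` in soledad.json — presumably a deferred evaluation because `self.static.domains` is defined by the provider rather than here; if so, a sentence in the docs for `static.domains` explaining that `formats` is derived from it would help. The `||{}` guards mean the expression yields an empty list when no domains or locations are configured, which is the right shape for consumers to iterate over.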
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 7e3f20ba..0d1ec877 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -10,7 +10,7 @@
 "password": "= secret :couch_leap_mx_password",
 "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
 },
- "mx_nodes": "= nodes['services' => 'mx']['environment' => '!local'].field('ip_address')",
+ "mynetworks": "= nodes['environment' => '!local'].field('ip_address')",
 "x509": {
 "use": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
--
cgit v1.2.3
From 0e6c5cad63c038c0719ac409bb3cf02b8019f7ad Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 1 Apr 2014 16:40:23 -0400
Subject: Fix for Openstack/Amazon special case needing to allow ec2_public_ipv4 in mynetworks (#5427)
Change-Id: Iee954f8cacd852f8c7c598c68a8793a3523c0132
---
 provider_base/services/mx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base/services')
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 0d1ec877..731dee9a 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -10,7 +10,7 @@
 "password": "= secret :couch_leap_mx_password",
 "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
 },
- "mynetworks": "= nodes['environment' => '!local'].field('ip_address')",
+ "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
 "x509": {
 "use": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
--
cgit v1.2.3
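Review bot: `mynetworks` now authorizes every non-local node in every environment to relay through this MX, not just the nodes that send mail, and the second hunk (0e6c5cad) adds each node's `ec2_public_ipv4` as a bare address as well; Postfix grants unauthenticated relaying to any client matching `mynetworks`, so this list is exactly the set of hosts whose compromise lets the MX be used as a relay on their behalf — a deliberate trade-off per the subject, but one that belongs in the mx documentation, ideally with a note that the set shrinks if a `services`-based filter is reintroduced. The key is renamed from `mx_nodes`, and because this view is limited to provider_base/services I cannot see the template that consumed `mx_nodes`; it needs the same rename or its lookup silently returns nil. In the second hunk `(global.facts[name]||{})` covers a node with no facts and `.compact` drops nodes without `ec2_public_ipv4`, so the expression is nil-safe on that side; `n.ip_address` has no guard, which is fine only if every node is required to have one.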