From 1da37fd05328976894035176faed6811d003dd4c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Jan 2015 22:10:06 +0100 Subject: provide apt.url key that can be customized in provider.json Change-Id: Ic8bcca7fde25b4eb540aab8cc4114748b9b2cfd7 --- provider_base/common.json | 3 +++ provider_base/provider.json | 3 +++ 2 files changed, 6 insertions(+) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 649db0d9..c25f59b4 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -50,5 +50,8 @@ "platform": { "version": "= Leap::Platform.version.to_s", "major_version": "= Leap::Platform.major_version" + }, + "apt": { + "url": "= provider.apt.url" } } diff --git a/provider_base/provider.json b/provider_base/provider.json index 77437935..d66a01c4 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -59,5 +59,8 @@ "client_version": { "min": "0.5", "max": null + }, + "apt": { + "url": "http://http.debian.net/debian/" } } -- cgit v1.2.3 From 1b3455a697ae74b34f28f4960bf0a274e27a1ee8 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Jan 2015 22:40:08 +0100 Subject: provide way to customize all three apt sources urls (basic, security, backports) Change-Id: I5542b320bb1edb52c63350b5e4fd2af681991fb5 --- provider_base/common.json | 6 +++++- provider_base/provider.json | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index c25f59b4..cc4d2557 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -52,6 +52,10 @@ "major_version": "= Leap::Platform.major_version" }, "apt": { - "url": "= provider.apt.url" + "url": { + "basic": "= provider.apt.url.basic", + "security": "= provider.apt.url.security", + "backports": "= provider.apt.url.backports" + } } } diff --git a/provider_base/provider.json b/provider_base/provider.json index d66a01c4..84d033c5 100644 
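Review bot: The new `apt.url` default in provider_base/provider.json is a plain `http://` mirror, and the follow-up hunk that splits it into `basic`, `security` and `backports` keeps `http://` for all three, including `http://security.debian.org/`. APT's signed Release files still protect package integrity, but over cleartext an on-path party can see which packages a node fetches and can hold back security updates for as long as the cached metadata is still accepted. Because the value is now provider-customizable, the provider documentation should state that a replacement mirror must serve an archive signed by a key the nodes already trust. It should also say whether `https://` URLs work with the platform's apt setup, which is not visible in these hunks. The later hunks in this series that move or rename these URLs keep the same scheme.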
--- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -61,6 +61,10 @@ "max": null }, "apt": { - "url": "http://http.debian.net/debian/" + "url": { + "basic": "http://http.debian.net/debian/", + "security": "http://security.debian.org/", + "backports": "http://http.debian.net/debian/" + } } } -- cgit v1.2.3 From 50d1839a5776dbb1c672e0c6083f709da67dc3b3 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 28 Jan 2015 22:22:31 -0800 Subject: update default provider.json to use the (now) correct expiration time format. requires new leap_cli. --- provider_base/provider.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'provider_base') diff --git a/provider_base/provider.json b/provider_base/provider.json index 84d033c5..a60411b1 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -42,16 +42,16 @@ "organizational_unit": "= 'https://' + provider.domain", "bit_size": 4096, "digest": "SHA256", - "life_span": "10y", + "life_span": "10 years", "server_certificates": { "bit_size": 4096, "digest": "SHA256", - "life_span": "1y" + "life_span": "1 years" }, "client_certificates": { "bit_size": 2048, "digest": "SHA256", - "life_span": "2m", + "life_span": "2 months", "limited_prefix": "LIMITED", "unlimited_prefix": "UNLIMITED" } -- cgit v1.2.3 From aed223ad42635370bdbc1b239ed43a1330698c5e Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 4 Feb 2015 14:03:31 -0800 Subject: consolidate sources into common.json --- provider_base/common.json | 35 ++++++++++++++++++++++++++++++----- provider_base/provider.json | 7 ------- provider_base/services/webapp.json | 4 ---- 3 files changed, 30 insertions(+), 16 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index cc4d2557..95ffa8d2 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
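Review bot: The new `life_span` strings in the certificate settings (`"10 years"`, `"1 years"`, `"2 months"`) depend on a leap_cli that parses this format, and nothing visible in this hunk stops an older leap_cli from reading them. If an older parser misreads the value, certificates could be issued with a validity period other than the one configured. It is worth confirming that leap_cli rejects an unrecognised `life_span` rather than falling back to a default. `"life_span": "1 years"` under `server_certificates` would also read better as `"1 year"`, if the parser accepts the singular form.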
@@ -51,11 +51,36 @@ "version": "= Leap::Platform.version.to_s", "major_version": "= Leap::Platform.major_version" }, - "apt": { - "url": { - "basic": "= provider.apt.url.basic", - "security": "= provider.apt.url.security", - "backports": "= provider.apt.url.backports" + "sources": { + "apt": { + "basic": "http://http.debian.net/debian/", + "security": "http://security.debian.org/", + "backports": "http://http.debian.net/debian/" + }, + "leap-mx": { + "type": "apt", + "package": "leap-mx", + "revision": "latest" + }, + "nickserver": { + "type": "git", + "source": "https://leap.se/git/nickserver", + "revision": "origin/master" + }, + "soledad": { + "type": "apt", + "package": "soledad-server", + "revision": "latest" + }, + "tapicero": { + "type": "git", + "source": "https://leap.se/git/tapicero", + "revision": "origin/version/0.6" + }, + "webapp": { + "type": "git", + "source": "https://leap.se/git/leap_web", + "revision": "origin/version/0.6" } } } diff --git a/provider_base/provider.json b/provider_base/provider.json index a60411b1..f8d2715f 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -59,12 +59,5 @@ "client_version": { "min": "0.5", "max": null - }, - "apt": { - "url": { - "basic": "http://http.debian.net/debian/", - "security": "http://security.debian.org/", - "backports": "http://http.debian.net/debian/" - } } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 67744f99..e80a758a 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -20,10 +20,6 @@ "secret_token": "= secret :webapp_secret_token", "api_version": 1, "secure": false, - "git": { - "source": "https://leap.se/git/leap_web", - "revision": "origin/version/0.6" - }, "client_version": "= provider.client_version", "nagios_test_user": { "username": "nagios_test", -- cgit v1.2.3 From 1555cfa158c26ced05300402bbbce08081d62f7b Mon Sep 17 00:00:00 2001 
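Review bot: The new `sources` map in provider_base/common.json pins nothing to an immutable revision: `leap-mx` and `soledad` use `"revision": "latest"`, `nickserver` tracks `"origin/master"`, and `tapicero` and `webapp` use `"origin/version/0.6"`, which looks like a remote branch ref rather than a tag or commit id. Every deploy therefore installs whatever the package archive or git remote serves at that moment. Nodes deployed at different times can end up running different code, and an upstream change reaches production without a review step in this repository. Consider pinning git sources to a release tag or commit id and apt sources to an explicit package version, with `latest` or branch tracking left as an opt-in for development environments. How those pins are verified (for example signed tags) should be documented alongside the setting.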
From: elijah Date: Wed, 4 Feb 2015 15:42:26 -0800 Subject: upgrade to tapicero 0.6.1, to remove auth in process list (closes #6697) --- provider_base/common.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 95ffa8d2..74c09efe 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -75,7 +75,7 @@ "tapicero": { "type": "git", "source": "https://leap.se/git/tapicero", - "revision": "origin/version/0.6" + "revision": "origin/version/0.6.1" }, "webapp": { "type": "git", -- cgit v1.2.3 From b08c796bb09d8345b971674f5957fcc11510c60a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Mar 2015 16:55:53 -0500 Subject: pin client version to >=0.7 (#6743) Change-Id: I66f12a04bf92fbda77284665bc1186b10f4c2e15 --- provider_base/provider.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/provider.json b/provider_base/provider.json index f8d2715f..60ad2a9e 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -57,7 +57,7 @@ } }, "client_version": { - "min": "0.5", + "min": "0.7", "max": null } } -- cgit v1.2.3 From 96882181d7cdcdf2c10918c007ae15dfd566410a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 5 Mar 2015 12:59:34 -0500 Subject: change default MTU to 1400 (#6745) Change-Id: Ia4b93776c6ae316b47f6e0b8e2763aa6fa9cab92 --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 11cb0dc2..127f5890 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -25,7 +25,7 @@ "cipher": "AES-128-CBC", "keepalive": "10 30", "tun-ipv6": true, - "fragment": 1500 + "fragment": 1400 } }, "obfsproxy": { -- cgit v1.2.3 
From 5398a55d0b7b60a321b08454885134e3297311b3 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 18 Mar 2015 12:27:26 -0700 Subject: pin webapp to version/0.6.1 --- provider_base/common.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 74c09efe..6ad8a2e6 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -80,7 +80,7 @@ "webapp": { "type": "git", "source": "https://leap.se/git/leap_web", - "revision": "origin/version/0.6" + "revision": "origin/version/0.6.1" } } } -- cgit v1.2.3 From 3172444652af71bd771609d6b80258e70cc82ce9 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 19 Mar 2015 13:44:45 -0700 Subject: don't set a lower --fragment by default yet (not compatible with android client) --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 127f5890..11cb0dc2 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -25,7 +25,7 @@ "cipher": "AES-128-CBC", "keepalive": "10 30", "tun-ipv6": true, - "fragment": 1400 + "fragment": 1500 } }, "obfsproxy": { -- cgit v1.2.3 From b64940c1de7cf42acef018ca2fbf5beff4f48e80 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 30 Mar 2015 22:33:05 -0700 Subject: added support for rotating couchdb databases. --- provider_base/services/webapp.json | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index e80a758a..b0646579 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
@@ -4,11 +4,8 @@ "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"], "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], - "couchdb_webapp_user": { - "username": "= global.services[:couchdb].couch.users[:webapp].username", - "password": "= secret :couch_webapp_password", - "salt": "= hex_secret :couch_webapp_password_salt, 128" - }, + "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", + "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", "customization_dir": "= file_path 'webapp'", "client_certificates": "= provider.ca.client_certificates", "allow_limited_certs": "= provider.service.allow_limited_bandwidth", -- cgit v1.2.3 From 1f3a09047dbc0b411fc78233301f8440957ee6b8 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 30 Mar 2015 22:33:39 -0700 Subject: set platform version 0.7 --- provider_base/common.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 6ad8a2e6..4a5406a0 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -75,12 +75,12 @@ "tapicero": { "type": "git", "source": "https://leap.se/git/tapicero", - "revision": "origin/version/0.6.1" + "revision": "origin/version/0.7" }, "webapp": { "type": "git", "source": "https://leap.se/git/leap_web", - "revision": "origin/version/0.6.1" + "revision": "origin/version/0.7" } } } -- cgit v1.2.3 From eb803597301c077dd7bdbc8f31e67123be72ed07 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 21 Apr 2015 15:26:33 -0700 Subject: block username 'vmail' --- provider_base/services/webapp.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index b0646579..e5aed0fd 100644 --- a/provider_base/services/webapp.json 
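Review bot: The added `couchdb_admin_user` key hands the webapp service the CouchDB `admin` user object from `global.services[:couchdb].couch.users[:admin]`. A compromise of a webapp node would then expose the database administrator account, not just the webapp's own database account. If database rotation can be performed by a less privileged account, or by a job on the couchdb node itself, that would keep the webapp closer to least privilege. Otherwise the reason admin access is needed should be recorded in the service documentation. Both keys now also copy the whole user object rather than the three fields the old block selected (`username`, `password`, `salt`), so any field later added to `couch.users[...]` will appear in the webapp's configuration as well.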
+++ b/provider_base/services/webapp.json @@ -1,7 +1,7 @@ { "webapp": { "admins": [], - "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"], + "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data", "vmail"], "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", -- cgit v1.2.3 From 6c52774056af7a54cb07704dc25415df7ff06737 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 30 Apr 2015 00:46:21 -0700 Subject: added a bunch more forbidden usernames --- provider_base/services/webapp.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index e5aed0fd..941f4f61 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,7 +1,14 @@ { "webapp": { "admins": [], - "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data", "vmail"], + "forbidden_usernames": [ + "admin", "admins", "administrator", "administrators", "arin-admin", + "certmaster", "contact", "email", "help", "help-desk", "help-ticket", + "help-tickets", "help_desk", "help_ticket", "help_tickets", "helpdesk", + "helpticket", "helptickets", "info", "mail", "maildrop", "noreply", + "owner", "owners", "postmaster", "reply", "robot", "ssladmin", "staff", + "support", "tech-support", "tech_support", "techsupport", "ticket", + "tickets", "vmail", "www-data"], "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", -- cgit v1.2.3 From 81e4dde40f8ad483df0c6ba87da1a3ba480eb7f4 Mon Sep 17 00:00:00 2001 
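Review bot: The expanded `forbidden_usernames` list in provider_base/services/webapp.json still omits several role names that outside parties treat as authoritative for a domain, such as `abuse`, `hostmaster`, `root`, `security` and `webmaster`. If each username also gets a mailbox on the provider domain, domain-control and abuse mail sent to `hostmaster@` or `webmaster@` would reach whoever registered that name. This is the same risk the list already covers for `admin`, `administrator` and `postmaster`. Adding `"abuse", "hostmaster", "root", "security", "webmaster"` to the array would close that gap, unless the webapp reserves them elsewhere (not visible in this hunk). The earlier hunk that adds `vmail` touches the same list and has the same omission.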
From: elijah Date: Tue, 5 May 2015 15:22:21 -0700 Subject: much faster secret generation (now they only get generated when needed) --- provider_base/lib/macros/secrets.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'provider_base') diff --git a/provider_base/lib/macros/secrets.rb b/provider_base/lib/macros/secrets.rb index 51bf3971..8d1feb55 100644 --- a/provider_base/lib/macros/secrets.rb +++ b/provider_base/lib/macros/secrets.rb @@ -13,17 +13,17 @@ module LeapCli # +length+ is the character length of the generated password. # def secret(name, length=32) - @manager.secrets.set(name, Util::Secret.generate(length), @node[:environment]) + manager.secrets.set(name, @node.environment) { Util::Secret.generate(length) } end # inserts a base32 encoded secret def base32_secret(name, length=20) - @manager.secrets.set(name, Base32.encode(Util::Secret.generate(length)), @node[:environment]) + manager.secrets.set(name, @node.environment) { Base32.encode(Util::Secret.generate(length)) } end # Picks a random obfsproxy port from given range def rand_range(name, range) - @manager.secrets.set(name, rand(range), @node[:environment]) + manager.secrets.set(name, @node.environment) { rand(range) } end # @@ -32,7 +32,7 @@ module LeapCli # +bit_length+ is the bits in the secret, (ie length of resulting hex string will be bit_length/4) # def hex_secret(name, bit_length=128) - @manager.secrets.set(name, Util::Secret.generate_hex(bit_length), @node[:environment]) + manager.secrets.set(name, @node.environment) { Util::Secret.generate_hex(bit_length) } end end -- cgit v1.2.3 From 55f1d27098365c772c23526c111fd9b20f34e645 Mon Sep 17 00:00:00 2001 
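Review bot: The doc comments above `secret`, `base32_secret`, `rand_range` and `hex_secret` do not say what the new block form implies. Judging by the commit subject, the block passed to `manager.secrets.set` presumably runs only when no value is stored for that name and environment. If so, changing `length` or `bit_length` in a service definition has no effect on a secret that already exists, and rotation requires removing the stored value first. I would add a line to each comment such as `# The value is generated once and then reused; remove the stored secret to rotate it or to apply a new length.`, after confirming the behaviour against `secrets.set` in leap_cli. The second hunk (`hex_secret`) needs the same line, and the module body extends beyond both hunks.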
From: elijah Date: Tue, 5 May 2015 15:24:09 -0700 Subject: take advantage of improved environment binding in leap_cli (requires v 1.7.1) --- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/lib/macros/nodes.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'provider_base') diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 2d0a5886..be8ae484 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -7,7 +7,7 @@ hsh['domain'] = domain.full_suffix # advertise services that are 'user services' and for which there are actually nodes - hsh['services'] ||= global.env(environment).services[:service_type => :user_service].field(:name).select do |service| + hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service| nodes_like_me[:services => service].any? end diff --git a/provider_base/lib/macros/nodes.rb b/provider_base/lib/macros/nodes.rb index 0c6668a0..8b961cbc 100644 --- a/provider_base/lib/macros/nodes.rb +++ b/provider_base/lib/macros/nodes.rb @@ -15,10 +15,10 @@ module LeapCli end # - # grab an environment appropriate provider + # simple alias for global.provider # def provider - global.env(@node.environment).provider + global.provider end # -- cgit v1.2.3 From 27833d50d8f26dd23ca7483ae6e6f2f255841454 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 5 May 2015 15:24:36 -0700 Subject: improved `leap cert csr` error message --- provider_base/common.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 4a5406a0..547acc80 100644 --- a/provider_base/common.json +++ b/provider_base/common.json 
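Review bot: The `provider` macro in provider_base/lib/macros/nodes.rb now returns `global.provider` with no environment argument, so choosing the right environment rests entirely on leap_cli binding `global` to the node's environment before the macros run. With a leap_cli older than the 1.7.1 named in the commit subject, this would presumably resolve to the default environment's provider for every node. Values derived from `provider`, such as `provider.ca.client_certificates` read by webapp.json, could then cross environments without any error. A minimum leap_cli version check at load time would turn that into a hard failure; whether the platform already has one is not visible here. The same applies to `global.services[...]` in provider.json.erb in the previous hunk.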
@@ -29,8 +29,8 @@ "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil", "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert", - "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.') : nil", - "commercial_key": "= x509.use_commercial ? file([:commercial_key, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.') : nil", + "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil", + "commercial_key": "= x509.use_commercial ? file([:commercial_key, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr --domain %s` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.' % (try{webapp.domain}||domain.full_suffix)) : nil", "commercial_ca_cert": "= x509.use_commercial ? try_file(:commercial_ca_cert) : nil" }, "service_type": "internal_service", -- cgit v1.2.3 From 05f4ab41911375ac037cb85bbdb9ad7916f6a4ec Mon Sep 17 00:00:00 2001 
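Review bot: The `:missing` text on the new `commercial_key` line still begins 'commercial x509 certificate for node $node', copied from the `commercial_cert` line, so an operator whose private key file is absent is told that the certificate is missing. It should begin `'commercial x509 key for node $node. Add file $file, or run ...'`, with the rest of the message unchanged. The expression `try{webapp.domain}||domain.full_suffix` now appears twice on each of the two changed lines. If the macro language allows it, computing it once would keep the file lookup and the suggested `--domain` value from drifting apart.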
From: Micah Anderson Date: Tue, 5 May 2015 12:08:40 -0400 Subject: Change http.debian.net to now official name: httpredir.debian.org (#6932) Change-Id: I1e411ef3ffa2ef7fdcae90081f530f44023a96b6 --- provider_base/common.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 547acc80..c7be5cf4 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -53,9 +53,9 @@ }, "sources": { "apt": { - "basic": "http://http.debian.net/debian/", + "basic": "http://httpredir.debian.org/debian/", "security": "http://security.debian.org/", - "backports": "http://http.debian.net/debian/" + "backports": "http://httpredir.debian.org/debian/" }, "leap-mx": { "type": "apt", -- cgit v1.2.3