From af606967d39227390f5ef8403c64d693c1dfd76d Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 23 Sep 2014 14:48:48 -0700
Subject: couch: for neighbors, use 'couch.mode' instead of 'couch.master' (which might be false even for multimaster). closes #6064
---
 provider_base/services/_couchdb_multimaster.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'provider_base')
diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json
index 8c433188..0f340e00 100644
--- a/provider_base/services/_couchdb_multimaster.json
+++ b/provider_base/services/_couchdb_multimaster.json
@@ -8,8 +8,8 @@
 "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)"
 },
 "clients": {
- "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.epmd_port)",
- "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.ednp_port)"
+ "epmd_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.epmd_port)",
+ "ednp_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.ednp_port)"
 }
 },
 "couch": {
@@ -18,7 +18,7 @@
 "epmd_port": 4369,
 "ednp_port": 9002,
 "cookie": "= secret :bigcouch_cookie",
- "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.master' => true].exclude(self).field('domain.full')"
+ "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'].exclude(self).field('domain.full')"
 }
 }
 }
-- cgit v1.2.3
From 027c20e2b8f779086d1480048152fe06d044b216 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 7 Oct 2014 13:55:58 +0200
Subject: every environment is defined as nagios hostsgroup (#5216)
Change-Id: I6508ce0d06b37a1c5601a0e981a59f7fda47f76a
---
 provider_base/services/monitor.json | 1 +
 1 file changed, 1 insertion(+)
(limited to 'provider_base')
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index c24724bf..56ca015b 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,6 +1,7 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
+ "domains_internal": "= global.tags.field('domain.internal_suffix').compact.uniq",
 "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
 },
 "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
-- cgit v1.2.3
From 4faf77c2527312b85d836600c01c0d2d9f0b460e Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 20 Oct 2014 14:27:53 -0700
Subject: bumped default server certificate bit size to 4096
---
 provider_base/provider.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base')
diff --git a/provider_base/provider.json b/provider_base/provider.json
index 743964ee..4f71c7d5 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -44,7 +44,7 @@
 "digest": "SHA256",
 "life_span": "10y",
 "server_certificates": {
- "bit_size": 2048,
+ "bit_size": 4096,
 "digest": "SHA256",
 "life_span": "1y"
 },
-- cgit v1.2.3
From 51a1e1c6db33ed2868ec74728f854237e3dfd86a Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 21 Oct 2014 15:14:23 -0700
Subject: update platform to take advantage of new platform.rb. requires leap_cli 1.6
---
 provider_base/common.json | 4 ++++
 provider_base/lib/macros/files.rb | 2 +-
 provider_base/provider.json | 1 -
 3 files changed, 5 insertions(+), 2 deletions(-)
(limited to 'provider_base')
diff --git a/provider_base/common.json b/provider_base/common.json
index 87af2152..649db0d9 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
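Review bot: Raising `server_certificates.bit_size` to 4096 only strengthens the chain if the CA key that signs these certificates is at least as strong; the CA's own `bit_size` is outside this hunk, so check it is not still 2048, otherwise the effective strength is unchanged. A 4096-bit server key also makes the server-side signing in every TLS handshake several times more expensive than 2048, which matters for the services here that terminate many client connections (OpenVPN gateways, the webapp). If the aim is a larger margin without that cost, 3072-bit RSA or an ECDSA curve are the usual choices. Presumably the new size only applies when a certificate is (re)generated, so the visible `"life_span": "1y"` bounds how long existing 2048-bit server keys remain in service; a short comment next to `bit_size` stating the chosen trade-off would help the next person who is tempted to change it.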
@@ -46,5 +46,9 @@ "stunnel": { "clients": {}, "servers": {} + }, + "platform": { + "version": "= Leap::Platform.version.to_s", + "major_version": "= Leap::Platform.major_version" } } diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index 0a491325..b3ba4a06 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -71,7 +71,7 @@ module LeapCli end relative_path = Path.relative_path(actual_path) @node.file_paths << relative_path - @node.manager.provider.hiera_sync_destination + '/' + relative_path + File.join(Leap::Platform.files_dir, relative_path) end end diff --git a/provider_base/provider.json b/provider_base/provider.json index 4f71c7d5..9ef0f76a 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -56,7 +56,6 @@ "unlimited_prefix": "UNLIMITED" } }, - "hiera_sync_destination": "/etc/leap", "client_version": { "min": "0.5", "max": null -- cgit v1.2.3 From d3e24760b33d6ae20f153d3c144d7d443fb0b69e Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 29 Oct 2014 15:20:54 -0700 Subject: added webapp.forbidden_usernames property to allow configuration of usernames to block. --- provider_base/services/webapp.json | 1 + 1 file changed, 1 insertion(+) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 3af0dade..44b5fa14 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,6 +1,7 @@ { "webapp": { "admins": [], + "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"], "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": { -- cgit v1.2.3 From 1d4670f8b9b4c1f3d4cd8017a3f6145ccdd41312 Mon Sep 17 00:00:00 2001 
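Review bot: The new `forbidden_usernames` list omits `hostmaster` and `webmaster`, which together with the already-listed `admin`, `administrator` and `postmaster` are the mailbox names CAs accept for domain-validation e-mail (CA/Browser Forum Baseline Requirements §3.2.2.4), so if this provider delivers mail to user-chosen names, a user who registers `hostmaster` could potentially obtain a TLS certificate for the provider's own domain. The RFC 2142 role mailboxes `abuse`, `security`, `noc` and `support`, plus `root`, are worth reserving for the same reason. Suggested: `"forbidden_usernames": ["abuse", "admin", "administrator", "arin-admin", "certmaster", "contact", "hostmaster", "info", "maildrop", "noc", "postmaster", "root", "security", "ssladmin", "support", "webmaster", "www-data"]`. The list is only as good as the comparison in the webapp that enforces it, which is not in this hunk; confirm it matches on the normalized (lower-cased) username so `Admin` is not accepted where `admin` is refused.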
From: elijah Date: Fri, 31 Oct 2014 00:01:57 -0700 Subject: add support for property tor.key --- provider_base/lib/macros.rb | 1 + provider_base/lib/macros/files.rb | 14 ++++++- provider_base/lib/macros/keys.rb | 78 +++++++++++++++++++++++++++++++++++++++ provider_base/services/tor.json | 9 ++++- 4 files changed, 99 insertions(+), 3 deletions(-) create mode 100644 provider_base/lib/macros/keys.rb (limited to 'provider_base') diff --git a/provider_base/lib/macros.rb b/provider_base/lib/macros.rb index 854b92b5..ecc3e6ba 100644 --- a/provider_base/lib/macros.rb +++ b/provider_base/lib/macros.rb @@ -9,6 +9,7 @@ require_relative 'macros/core' require_relative 'macros/files' require_relative 'macros/haproxy' require_relative 'macros/hosts' +require_relative 'macros/keys' require_relative 'macros/nodes' require_relative 'macros/secrets' require_relative 'macros/stunnel' diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index b3ba4a06..958958bc 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -48,13 +48,22 @@ module LeapCli # * if the path does not exist locally, but exists in provider_base, then the default file from # provider_base is copied locally. this is required for rsync to work correctly. # - def file_path(path) + def file_path(path, options={}) if path.is_a? Symbol path = [path, @node.name] + elsif path.is_a? String + # ensure it prefixed with files/ + unless path =~ /^files\// + path = "files/" + path + end end actual_path = Path.find_file(path) if actual_path.nil? - Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + if options[:missing] + raise FileMissing.new(Path.named_path(path), options) + else + Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + end nil else if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ 
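Review bot: The new `String` branch of `file_path` tests the prefix with `path =~ /^files\//`; in Ruby `^` matches after any newline, so the exact check is `unless path.start_with?('files/')` (or `\A` in the regex). The added `options` hash is consulted only for `options[:missing]` but is passed through whole to `FileMissing.new`, so a line of documentation on the signature would save callers reading the body, e.g. `# options[:missing] — when truthy, raise FileMissing instead of returning nil for an unknown file`. `file_path` continues past the end of this hunk.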
@@ -70,6 +79,7 @@ module LeapCli
 actual_path += '/' # ensure directories end with /, important for building rsync command
 end
 relative_path = Path.relative_path(actual_path)
+ relative_path.sub!(/^files\//, '') # remove "files/" prefix
 @node.file_paths << relative_path
 File.join(Leap::Platform.files_dir, relative_path)
 end
diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb
new file mode 100644
index 00000000..0d46acb5
--- /dev/null
+++ b/provider_base/lib/macros/keys.rb
@@ -0,0 +1,78 @@
+# encoding: utf-8
+
+#
+# Macro for dealing with cryptographic keys
+#
+
+module LeapCli
+ module Macro
+
+ #
+ # return the path to the tor public key
+ # generating key if it is missing
+ #
+ def tor_public_key_path(path_name, key_type)
+ path = file_path(path_name)
+ if path.nil?
+ generate_tor_key(key_type)
+ end
+ return path
+ end
+
+ #
+ # return the path to the tor private key
+ # generating key if it is missing
+ #
+ def tor_private_key_path(path_name, key_type)
+ path = file_path(path_name)
+ if path.nil?
+ generate_tor_key(key_type)
+ end
+ return path
+ end
+
+ #
+ # on the command line an onion address can be created
+ # from an rsa public key using this:
+ #
+ # base64 -d < ./pubkey | sha1sum | awk '{print $1}' |
+ # perl -e '$l=<>; chomp $l; print pack("H*", $l)' |
+ # python -c 'import base64, sys; t=sys.stdin.read(); print base64.b32encode(t[:10]).lower()'
+ #
+ # path_name is the named path of the tor public key.
+ #
+ def onion_address(path_name)
+ require 'base32'
+ require 'base64'
+ require 'openssl'
+ path = Path.find_file([path_name, self.name])
+ if path && File.exists?(path)
+ public_key_str = File.readlines(path).grep(/^[^-]/).join
+ public_key = Base64.decode64(public_key_str)
+ sha1sum_string = Digest::SHA1.new.hexdigest(public_key)
+ sha1sum_binary = [sha1sum_string].pack('H*')
+ Base32.encode(sha1sum_binary.slice(0,10)).downcase
+ else
+ LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path
+ end
+ end
+
+ private
+
+ def generate_tor_key(key_type)
+ if key_type == 'RSA'
+ require 'certificate_authority'
+ keypair = CertificateAuthority::MemoryKeyMaterial.new
+ bit_size = 1024
+ LeapCli.log :generating, "%s bit RSA Tor key" % bit_size do
+ keypair.generate_key(bit_size)
+ LeapCli::Util.write_file! [:node_tor_priv_key, self.name], keypair.private_key.to_pem
+ LeapCli::Util.write_file! [:node_tor_pub_key, self.name], keypair.public_key.to_pem
+ end
+ else
+ LeapCli.bail! 
'tor.key.type of %s is not yet supported' % key_type + end + end + + end +end diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index fc365a19..87fb9682 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -3,6 +3,13 @@ "bandwidth_rate": 6550, "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", - "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')" + "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')", + "hidden_service": null, + "key": { + "type": "RSA", + "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service", + "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service", + "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service" + } } } -- cgit v1.2.3 From 90b672ed58982b232b1c96febcd9736ae5fc4faf Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 4 Nov 2014 12:25:54 -0800 Subject: tor - to activate hidden service, now set tor.hidden_service.active = true --- provider_base/lib/macros/keys.rb | 8 ++++++-- provider_base/services/tor.json | 12 ++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'provider_base') diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb index 0d46acb5..ea4c3df2 100644 --- a/provider_base/lib/macros/keys.rb +++ b/provider_base/lib/macros/keys.rb @@ -15,8 +15,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # @@ -27,8 +29,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # 
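Review bot: The `else` branch of `onion_address` calls `tor_public_key_path` with no arguments, but that method takes two (`path_name, key_type`), so the "does not exist" path raises an `ArgumentError` instead of logging; use the path that was actually looked up: `LeapCli.log :warning, 'Tor public key file "%s" does not exist' % Path.named_path([path_name, self.name])`. The address is computed by hashing the base64 body of whatever PEM `keypair.public_key.to_pem` wrote, while tor derives a v2 onion address from the DER of the PKCS#1 `RSAPublicKey` structure ("BEGIN RSA PUBLIC KEY"); if `to_pem` emits the SubjectPublicKeyInfo form ("BEGIN PUBLIC KEY"), the result will not match the address tor prints in its own `hostname` file, so verify against a running tor before anything relies on the `address` property. The 1024-bit size is what tor's hidden-service identity key format requires, so a comment such as `# 1024-bit RSA is required by tor's hidden service key format` would stop the next reader from "fixing" it upward. Note also that `write_file!` puts the hidden-service private key under the provider's files directory, which is presumably version-controlled; the onion service's identity is then only as private as that repository.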
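Review bot: After `generate_tor_key`, both `tor_public_key_path` and `tor_private_key_path` now return a second `file_path(path_name)`, which still yields `nil` (with only a level-2 log) if the key was not actually written; since `file_path` accepts a `:missing` option that raises `FileMissing`, the post-generation lookup should use it so a failed generation fails the build instead of leaving the property null — `file_path(path_name, :missing => true)`, assuming a truthy value is what that option expects. The two methods are now identical apart from their names, so one private `tor_key_path(path_name, key_type)` called by both would remove the duplication. Each method's `def` line sits just above its hunk.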
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 87fb9682..55d3d2ee 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -4,12 +4,12 @@
 "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
 "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
 "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')",
- "hidden_service": null,
- "key": {
- "type": "RSA",
- "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service",
- "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service",
- "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service"
+ "hidden_service": {
+ "active": null,
+ "key_type": "RSA",
+ "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+ "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+ "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
 }
 }
 }
-- cgit v1.2.3
From b9d2030beb890e8dccbbe42bfcc430a2c2702a92 Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 10 Nov 2014 20:43:24 -0800
Subject: openvpn - support customizing --fragment, and set default to 1400
---
 provider_base/files/service-definitions/v1/eip-service.json.erb | 4 ++++
 provider_base/services/openvpn.json | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'provider_base')
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
index 3b8976fd..0ecd002a 100644
--- a/provider_base/files/service-definitions/v1/eip-service.json.erb
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
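Review bot: `hidden_service.active` is a boolean switch (all three macros are gated on `if tor.hidden_service.active`) but its default is `null`; `"active": false` states the intent and keeps the key a single type. `address` is derived by `onion_address(:node_tor_pub_key)` directly from the public key file, independently of `public_key`, which is the property that generates the key when it is missing; unless property evaluation order guarantees `public_key` runs first, the first run with `active: true` may evaluate `address` before the key exists and produce a warning plus a null address — worth confirming, or deriving the address from the path `public_key` returns.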
@@ -42,6 +42,10 @@
 end
 configuration = node.openvpn.configuration
 end
+ configuration = configuration.dup
+ if configuration['fragment'] && configuration['fragment'] == 1500
+ configuration.delete('fragment')
+ end
 hsh["gateways"] = gateways.compact
 hsh["locations"] = locations
 hsh["openvpn_configuration"] = configuration
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 1906244c..127f5890 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -24,7 +24,8 @@
 "auth": "SHA1",
 "cipher": "AES-128-CBC",
 "keepalive": "10 30",
- "tun-ipv6": true
+ "tun-ipv6": true,
+ "fragment": 1400
 }
 },
 "obfsproxy": {
-- cgit v1.2.3
From e18853b16969cb164613003edfab9a5b5800e099 Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 10 Nov 2014 20:56:38 -0800
Subject: change default openvpn fragment size back to 1500 so we don't break backward compatibility with older clients
---
 provider_base/services/openvpn.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base')
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 127f5890..11cb0dc2 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -25,7 +25,7 @@
 "cipher": "AES-128-CBC",
 "keepalive": "10 30",
 "tun-ipv6": true,
- "fragment": 1400
+ "fragment": 1500
 }
 },
 "obfsproxy": {
-- cgit v1.2.3
From 95d30570f681ba2f43bbe7ffe344b92439be1ae9 Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 24 Nov 2014 12:11:32 -0800
Subject: fixed bug when there is no vpn service
---
 .../files/service-definitions/v1/eip-service.json.erb | 14 ++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
(limited to 'provider_base')
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
index 0ecd002a..4bd220df 100644
--- a/provider_base/files/service-definitions/v1/eip-service.json.erb
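Review bot: The added `fragment` handling uses the value 1500 as a sentinel for "do not advertise", so a provider that genuinely wants `--fragment 1500` cannot express it, and the test `configuration['fragment'] && configuration['fragment'] == 1500` is redundant because `==` already fails for `nil`; `if configuration['fragment'] == 1500` is the same check. A clearer contract is `"fragment": null` meaning "no fragment option", with the template dropping nil-valued keys (`configuration.reject { |_, v| v.nil? }`), which also generalises to other options. Whatever is dropped from the client definition here must also be dropped from the gateway's server-side OpenVPN config, since `--fragment` has to agree on both ends; that config is generated elsewhere and not visible in this hunk. The `.dup` is needed because `configuration` can alias `node.openvpn.configuration` (the context line just above), and a comment saying so would make the line self-explanatory.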
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
@@ -42,12 +42,14 @@
 end
 configuration = node.openvpn.configuration
 end
- configuration = configuration.dup
- if configuration['fragment'] && configuration['fragment'] == 1500
- configuration.delete('fragment')
+ if gateways.any?
+ configuration = configuration.dup
+ if configuration['fragment'] && configuration['fragment'] == 1500
+ configuration.delete('fragment')
+ end
+ hsh["gateways"] = gateways.compact
+ hsh["locations"] = locations
+ hsh["openvpn_configuration"] = configuration
 end
- hsh["gateways"] = gateways.compact
- hsh["locations"] = locations
- hsh["openvpn_configuration"] = configuration
 JSON.sorted_generate hsh
 %>
\ No newline at end of file
-- cgit v1.2.3
From de51b83384d97a67cdbdf1992ba9ad771a292c5d Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 24 Nov 2014 14:17:43 -0800
Subject: bind webapp to version/0.6 branch
---
 provider_base/services/webapp.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'provider_base')
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 44b5fa14..67744f99 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -22,7 +22,7 @@
 "secure": false,
 "git": {
 "source": "https://leap.se/git/leap_web",
- "revision": "origin/master"
+ "revision": "origin/version/0.6"
 },
 "client_version": "= provider.client_version",
 "nagios_test_user": {
-- cgit v1.2.3
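Review bot: When `gateways` is empty the new `if gateways.any?` guard omits `gateways`, `locations` and `openvpn_configuration` from the generated document entirely rather than emitting `[]`/`{}`; a client that iterates `gateways` unconditionally then sees a missing key instead of an empty list, so unless the client treats absence as "service not offered" (not visible here), setting `hsh["gateways"] = []` before the guard is the safer shape. The `.dup` and the fragment check now correctly run only when there is something to publish. The `<%=` block this code lives in begins above the hunk.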
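Review bot: `git.revision` now names the moving branch `origin/version/0.6`, fetched over HTTPS from `https://leap.se/git/leap_web`, so the code deployed to the webapp node changes whenever that branch moves, with no corresponding change in the platform or provider configuration. For reproducible, reviewable deploys pin to an immutable reference — a release tag or a full commit hash, e.g. `"revision": "<full commit sha of the 0.6 release>"` — and, if the deploy tooling supports it, verify the tag's signature before checkout. How the revision is fetched and whether anything verifies it is outside this hunk.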