From 42a040ac79e1c92d12b6bb9661bbf05ace44d622 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 14 Mar 2013 18:22:15 -0400
Subject: add couchdb stunnel server

---
 puppet/modules/site_couchdb/manifests/init.pp | 8 +++++
 puppet/modules/site_couchdb/manifests/stunnel.pp | 42 ++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 puppet/modules/site_couchdb/manifests/stunnel.pp
(limited to 'puppet/modules/site_couchdb')

diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6f648c51..d317de65 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) {
 $x509 = hiera('x509')
 $key = $x509['key']
 $cert = $x509['cert']
+ $ca = $x509['ca_cert']
 $couchdb_config = hiera('couch')
 $couchdb_users = $couchdb_config['users']
 $couchdb_admin = $couchdb_users['admin']
@@ -34,6 +35,13 @@ class site_couchdb ( $bigcouch = false ) {
 # this is here to disable and remove the proxy
 include site_couchdb::apache_ssl_proxy
 
+ # the above apache_ssl_proxy is replaced by the following stunnel
+ class { 'site_couchdb::stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
+ }
+
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
 pw => $couchdb_admin_pw
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..b4635951
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -0,0 +1,42 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+ include x509::variables
+ include site_stunnel
+
+ $cert_name = 'leap_couchdb'
+ $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key {
+ $cert_name:
+ content => $key,
+ notify => Service['stunnel'];
+ }
+
+ x509::cert {
+ $cert_name:
+ content => $cert,
+ notify => Service['stunnel'];
+ }
+
+ x509::ca {
+ $cert_name:
+ content => $ca,
+ notify => Service['stunnel'];
+ }
+
+ stunnel::service { 'couchdb':
+ accept => '6984',
+ connect => '127.0.0.1:5984',
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/couchdb.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+}
+
-- 
cgit v1.2.3
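Review bot: `cafile => $ca_path` points stunnel's peer verification (`verify => '2'`) at `${x509::variables::certs}/leap_client_ca.crt`, but the only CA this class installs is `x509::ca { $cert_name: content => $ca }` under the name `leap_couchdb`, so the `$ca` the caller passes in is never the file clients are checked against. Unless site_stunnel or another class manages `leap_client_ca.crt`, stunnel will either fail to start or reject every peer, and if that file is managed elsewhere the `x509::ca` resource here appears unused. Either make `cafile` reference the path `x509::ca` writes for `$cert_name` (I cannot confirm from this hunk that it mirrors the `${certs}/${name}.crt` layout `$cert_path` assumes for `x509::cert`), or drop the `x509::ca` resource and document the dependency above `$ca_path`, e.g. `# client CA is installed by site_stunnel, not by this class; $ca is the server CA`. Since `accept => '6984'` gives no bind address, stunnel's default is to listen on all interfaces, so the client-certificate check is the only gate on this port; a one-line comment next to `verify => '2'` stating that intent would help the next reader.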