From 82d894e5ac82752e88b193acd015e4544141eae1 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 9 Mar 2013 21:14:31 +0100 Subject: couchdb init file moved to couchdb module --- puppet/modules/site_couchdb/files/couchdb | 160 --------------------- puppet/modules/site_couchdb/manifests/configure.pp | 6 - 2 files changed, 166 deletions(-) delete mode 100755 puppet/modules/site_couchdb/files/couchdb (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb deleted file mode 100755 index ccdfe716..00000000 --- a/puppet/modules/site_couchdb/files/couchdb +++ /dev/null 
@@ -1,160 +0,0 @@ -#!/bin/sh -e - -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy of -# the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations under -# the License. - -### BEGIN INIT INFO -# Provides: couchdb -# Required-Start: $local_fs $remote_fs -# Required-Stop: $local_fs $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Apache CouchDB init script -# Description: Apache CouchDB init script for the database server. -### END INIT INFO - -SCRIPT_OK=0 -SCRIPT_ERROR=1 - -DESCRIPTION="database server" -NAME=couchdb -SCRIPT_NAME=`basename $0` -COUCHDB=/usr/bin/couchdb -CONFIGURATION_FILE=/etc/default/couchdb -RUN_DIR=/var/run/couchdb -LSB_LIBRARY=/lib/lsb/init-functions - -if test ! -x $COUCHDB; then - exit $SCRIPT_ERROR -fi - -if test -r $CONFIGURATION_FILE; then - . $CONFIGURATION_FILE -fi - -log_daemon_msg () { - # Dummy function to be replaced by LSB library. - - echo $@ -} - -log_end_msg () { - # Dummy function to be replaced by LSB library. - - if test "$1" != "0"; then - echo "Error with $DESCRIPTION: $NAME" - fi - return $1 -} - -if test -r $LSB_LIBRARY; then - . $LSB_LIBRARY -fi - -run_command () { - command="$1" - if test -n "$COUCHDB_OPTIONS"; then - command="$command $COUCHDB_OPTIONS" - fi - if test -n "$COUCHDB_USER"; then - if su $COUCHDB_USER -c "$command"; then - return $SCRIPT_OK - else - return $SCRIPT_ERROR - fi - else - if $command; then - return $SCRIPT_OK - else - return $SCRIPT_ERROR - fi - fi -} - -start_couchdb () { - # Start Apache CouchDB as a background process. 
- - mkdir -p "$RUN_DIR" - chown -R "$COUCHDB_USER" "$RUN_DIR" - command="$COUCHDB -b" - if test -n "$COUCHDB_STDOUT_FILE"; then - command="$command -o $COUCHDB_STDOUT_FILE" - fi - if test -n "$COUCHDB_STDERR_FILE"; then - command="$command -e $COUCHDB_STDERR_FILE" - fi - if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then - command="$command -r $COUCHDB_RESPAWN_TIMEOUT" - fi - run_command "$command" > /dev/null -} - -stop_couchdb () { - # Stop the running Apache CouchDB process. - - run_command "$COUCHDB -d" > /dev/null - pkill -u couchdb - # always return true even if no remaining couchdb procs got killed - /bin/true -} - -display_status () { - # Display the status of the running Apache CouchDB process. - - run_command "$COUCHDB -s" -} - -parse_script_option_list () { - # Parse arguments passed to the script and take appropriate action. - - case "$1" in - start) - log_daemon_msg "Starting $DESCRIPTION" $NAME - if start_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - ;; - stop) - log_daemon_msg "Stopping $DESCRIPTION" $NAME - if stop_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESCRIPTION" $NAME - if stop_couchdb; then - if start_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - else - log_end_msg $SCRIPT_ERROR - fi - ;; - status) - display_status - ;; - *) - cat << EOF >&2 -Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status} -EOF - exit $SCRIPT_ERROR - ;; - esac -} - -parse_script_option_list $@ diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 333511b5..c921ad6a 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp 
@@ -1,11 +1,5 @@ class site_couchdb::configure { - file { '/etc/init.d/couchdb': - source => 'puppet:///modules/site_couchdb/couchdb', - mode => '0755', - owner => 'root', - group => 'root', - } file { '/etc/couchdb/local.d/admin.ini': content => "[admins] -- cgit v1.2.3 From 0ae8194ef3a3f8065ff455b4daddc0d62c105ace Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 15:55:35 +0100 Subject: futon is enabled by default on bigcouch in default.ini we need to find another way to disable futon, it won't work disabling it here --- puppet/modules/site_couchdb/files/local.ini | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index b3376cbb..22aa0177 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -28,8 +28,10 @@ [httpd_global_handlers] ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} +# futon is enabled by default on bigcouch in default.ini +# we need to find another way to disable futon, it won't work disabling it here # enable futon -_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} +#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} # disable futon #_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} -- cgit v1.2.3 From 46f1b83431cff1c30e7cda9bc99505d35f37f309 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:10:39 +0100 Subject: site_couchdb::configure moved to couchdb --- puppet/modules/site_couchdb/manifests/configure.pp | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/configure.pp (limited to 'puppet/modules/site_couchdb') 
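Review bot: Commenting out the `_utils` line does not disable Futon on bigcouch, because a key that is absent from local.ini falls back to the value in default.ini, which the commit message says enables it; local.ini has to override the key rather than omit it. The hunk already keeps the line that does that under `# disable futon`, so uncommenting `_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}` is the change that actually turns the admin UI off. Leaving Futon reachable keeps an administrative interface exposed on every database node, so this is worth fixing rather than noting as a todo in a comment. I am inferring the config layering from the commit message and file names; confirm against bigcouch's config loading order.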
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp deleted file mode 100644 index c921ad6a..00000000 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ /dev/null @@ -1,21 +0,0 @@ -class site_couchdb::configure { - - - file { '/etc/couchdb/local.d/admin.ini': - content => "[admins] -admin = $site_couchdb::couchdb_admin_pw -", - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - notify => Service[couchdb] - } - - - exec { '/etc/init.d/couchdb restart; sleep 6': - path => ['/bin', '/usr/bin',], - subscribe => File['/etc/couchdb/local.d/admin.ini', - '/etc/couchdb/local.ini'], - refreshonly => true - } -} -- cgit v1.2.3 From 0f5e0b0e5102deab700d25ca4fd4845f15db8529 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:13:03 +0100 Subject: use bigcouch in site_couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9ecde5e6..35470b5d 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,6 +1,5 @@ -class site_couchdb { +class site_couchdb ( $bigcouch = false ) { tag 'leap_service' - include couchdb $x509 = hiera('x509') $key = $x509['key'] 
@@ -17,20 +16,18 @@ class site_couchdb { $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - Package ['couchdb'] - -> File['/etc/init.d/couchdb'] - -> File['/etc/couchdb/local.ini'] - -> File['/etc/couchdb/local.d/admin.ini'] - -> File['/etc/couchdb/couchdb.netrc'] + class {'couchdb': + bigcouch => $bigcouch, + admin_pw => $couchdb_admin_pw + } + + Service ['couchdb'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - include site_couchdb::configure - include couchdb::deploy_config - site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': key => $key, cert => $cert -- cgit v1.2.3 From 01941d905a71a2088ec080703f4e5430dec7a2ec Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 17:29:12 +0100 Subject: pass couchdb cookie to class couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 35470b5d..419e4122 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -15,10 +15,13 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $bigcouch_config = $couchdb_config['bigcouch'] + $bigcouch_cookie = $bigcouch_config['cookie'] class {'couchdb': - bigcouch => $bigcouch, - admin_pw => $couchdb_admin_pw + bigcouch => $bigcouch, + admin_pw => $couchdb_admin_pw, + bigcouch_cookie => $bigcouch_cookie } Service ['couchdb'] -- cgit v1.2.3 From cd5394748dd83d3fa5c8a67dc6123e3b02034c2e Mon Sep 17 00:00:00 2001 
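Review bot: `$bigcouch_config['cookie']` is evaluated unconditionally, so a node with the default `$bigcouch = false` whose `couch` hiera hash has no `bigcouch` key will presumably fail catalog compilation on the undefined hash; wrap the two lookups and the `bigcouch_cookie` parameter in `if $bigcouch { ... }`, or look the value up with a default. The same unconditional lookup is added for `$ednp_port` in commit 2c53c502. The cookie is the shared secret that authenticates Erlang nodes to each other, so a comment such as `# erlang cookie: cluster-wide shared secret, must be unique per deployment` next to it would tell the next maintainer why it must not be copied from examples.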
From: varac Date: Thu, 14 Mar 2013 19:10:49 +0100 Subject: include cloudant package repo for bigcouch server --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 419e4122..25956938 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -23,6 +23,7 @@ class site_couchdb ( $bigcouch = false ) { admin_pw => $couchdb_admin_pw, bigcouch_cookie => $bigcouch_cookie } + include couchdb::bigcouch::package::cloudant Service ['couchdb'] -> Couchdb::Create_db['users'] -- cgit v1.2.3 From d4b45da9a521a6faf17f9ba7742bcee897a503cc Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Mar 2013 13:58:06 -0400 Subject: remove apache ssl proxy in preparation of replacing it with a stunnel setup This presents us with an interesting problem of deprecation. We need to manage the removal of something that we previously installed in any released code. How long we carry the puppet code that removes raises some interesting questions: do we require that someone who deployed version 1 (where the apache ssl proxy was deployed) of the platform upgrade first to version 2 (where we remove the apache ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal is no longer present) -- or do we allow people to skip versions? --- .../site_couchdb/manifests/apache_ssl_proxy.pp | 30 +++++++--------------- puppet/modules/site_couchdb/manifests/init.pp | 7 ++--- 2 files changed, 11 insertions(+), 26 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 7739473e..536dd8db 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp 
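Review bot: `include couchdb::bigcouch::package::cloudant` runs for every site_couchdb node, including those with the default `$bigcouch = false`, so the Cloudant package repository is added to plain couchdb hosts that never use it; guard it with `if $bigcouch { include couchdb::bigcouch::package::cloudant }`. Adding a third-party package source widens the set of parties able to ship code to the host, so keeping it to the nodes that need it matters. The same unconditional include appears for `site_shorewall::couchdb::bigcouch` in commit 34a44db0.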
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,25 +1,13 @@ -define site_couchdb::apache_ssl_proxy ($key, $cert) { +class site_couchdb::apache_ssl_proxy { - $apache_no_default_site = true - include apache - apache::module { - 'proxy': ensure => present; - 'proxy_http': ensure => present; - 'rewrite': ensure => present; - 'ssl': ensure => present; - } - apache::vhost::file { 'couchdb_proxy': } +# This is here to disable the previously configured apache ssl proxy +# we were using this, but have switched to stunnel instead. +# +# Unfortunately, the current apache shared module doesn't handle +# ensure=>absent, so this is going to be done the crude way, and will only +# work for debian+derivitives, which is fine for now, but not good for the +# future - x509::key { - 'leap_couchdb': - content => $key, - notify => Service[apache]; - } - - x509::cert { - 'leap_couchdb': - content => $cert, - notify => Service[apache]; - } + package { 'apache2': ensure => absent } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 25956938..6f648c51 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -30,12 +30,9 @@ class site_couchdb ( $bigcouch = false ) { -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] - -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': - key => $key, - cert => $cert - } + # this is here to disable and remove the proxy + include site_couchdb::apache_ssl_proxy couchdb::query::setup { 'localhost': user => $couchdb_admin_user, -- cgit v1.2.3 From 42a040ac79e1c92d12b6bb9661bbf05ace44d622 Mon Sep 17 00:00:00 2001 
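Review bot: `package { 'apache2': ensure => absent }` removes the daemon but leaves behind what the old define deployed: the vhost from `apache::vhost::file { 'couchdb_proxy': }` and the `leap_couchdb` key and cert written by `x509::key`/`x509::cert`, presumably under the x509 module's key and cert directories. With `absent`, Debian keeps the package's configuration, so a later reinstall of apache2 would come back with the couchdb proxy vhost, and the private key stays on disk with nothing owning it. Consider `ensure => purged` plus explicit `ensure => absent` resources for the key, cert and vhost files, with a comment listing which paths are cleaned up. The commit message's own question about version skipping applies here: whatever cleanup is chosen has to stay until every deployed node has passed through it.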
From: Micah Anderson Date: Thu, 14 Mar 2013 18:22:15 -0400 Subject: add couchdb stunnel server --- puppet/modules/site_couchdb/manifests/init.pp | 8 +++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 42 ++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/stunnel.pp (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6f648c51..d317de65 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) { $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] + $ca = $x509['ca_cert'] $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -34,6 +35,13 @@ class site_couchdb ( $bigcouch = false ) { # this is here to disable and remove the proxy include site_couchdb::apache_ssl_proxy + # the above apache_ssl_proxy is replaced by the following stunnel + class { 'site_couchdb::stunnel': + key => $key, + cert => $cert, + ca => $ca + } + couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp new file mode 100644 index 00000000..b4635951 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
@@ -0,0 +1,42 @@ +class site_couchdb::stunnel ($key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $cert_name = 'leap_couchdb' + $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $cert_name: + content => $ca, + notify => Service['stunnel']; + } + + stunnel::service { 'couchdb': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } +} + -- cgit v1.2.3 From 6609b3ed4125d1e46ba16b5bc7d7957bcbee6a42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 17 Mar 2013 22:58:10 -0400 Subject: fix webapp/couchdb stunnel certificate authority --- puppet/modules/site_couchdb/manifests/stunnel.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index b4635951..1afe25a4 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -4,9 +4,10 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include site_stunnel $cert_name = 'leap_couchdb' - $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" + $key_path = "${x509::variables::keys}/${cert_name}.key" x509::key { $cert_name: 
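Review bot: `verify => '2'` on the `couchdb` stunnel server checks only that the client presents a certificate chaining to `cafile`, not which client it is, so every holder of a certificate from that CA can reach couchdb through port 6984; and `accept => '6984'` without an address binds all interfaces. Whether that is the intended trust boundary depends on what `leap_client_ca.crt` issues and on the shorewall rules, neither visible here, so a comment recording the decision, `# any cert issued by leap_client_ca may connect; network reach is limited by site_shorewall::couchdb`, would make it reviewable. If only named peers should connect, stunnel's verify level 3 (check against locally stored peer certificates) is the option to document instead.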
@@ -21,7 +22,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } x509::ca { - $cert_name: + $ca_name: content => $ca, notify => Service['stunnel']; } -- cgit v1.2.3 From e0354eda8f1dba999c452caf99c40dcb6f7af33e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 08:57:35 +0100 Subject: working on stunnel for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..2133d6da 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -39,5 +39,17 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + stunnel::service { 'bigcouch': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } } -- cgit v1.2.3 From ec2727a1cae91c34233c831ae31277690a8ef3dc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:29:48 +0100 Subject: added bigcouch.conf as incoming stunnel config for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 28 +++++++++--------------- 1 file changed, 10 insertions(+), 18 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2133d6da..d16e09b5 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
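Review bot: The new `bigcouch` stunnel::service duplicates the `couchdb` one above it: same `accept => '6984'`, same `connect => '127.0.0.1:5984'` and the same `pid => '/var/run/stunnel4/couchdb.pid'`, so the second listener cannot bind the port and the two pid files collide. Give it its own accept/connect pair and `pid => '/var/run/stunnel4/bigcouch.pid'`, or leave the resource out until the cluster port is known, since the commit message describes this as work in progress. The enclosing class starts outside the hunk.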
@@ -9,24 +9,14 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } + # webapp access stunnel::service { 'couchdb': accept => '6984', connect => '127.0.0.1:5984', @@ -39,9 +29,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clustering between bigcouch nodes stunnel::service { 'bigcouch': - accept => '6984', - connect => '127.0.0.1:5984', + accept => '5369', + connect => '127.0.0.1:4369', client => false, cafile => $ca_path, key => $key_path, -- cgit v1.2.3 From d9c9cbb7ae5fde7767ac6b2cbc25936a0045104d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:45 +0100 Subject: addded client side of bigcouch cluster protocol stunnel config --- puppet/modules/site_couchdb/manifests/stunnel.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d16e09b5..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -31,6 +31,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } # clustering between bigcouch nodes + + # server stunnel::service { 'bigcouch': accept => '5369', connect => '127.0.0.1:4369', 
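Review bot: The three x509 resources are replaced by `class { 'site_stunnel::setup': cert_name => $cert_name, ... }`, but `$ca_name` is no longer passed anywhere, while `$ca_path` above still expects the CA at `${x509::variables::local_CAs}/${ca_name}.crt`. Whether `site_stunnel::setup` writes the CA under `leap_ca` is not visible here; if the names diverge, every `cafile => $ca_path` in this class points at a missing file and the tunnels fail to start. Either pass `ca_name => $ca_name` if the setup class accepts it, or add `# $ca_path must match the CA file name written by site_stunnel::setup` so the coupling is explicit. The enclosing class starts outside the hunk.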
@@ -43,5 +45,19 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clients + $couchdb_stunnel_client_defaults = { + 'connect_port' => '5369', + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + } -- cgit v1.2.3 From 7a08ff22b0317e77895e4ff52e6f56db70afb8df Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 20:06:47 +0100 Subject: increase stunnel verbosity until everything is running smooth --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..44ddae0b 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '7' } # clients -- cgit v1.2.3 From 34a44db0de9a7d79ac68e93e79f29dcc32a30c76 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:07:25 +0100 Subject: couchdb hosts include site_shorewall::couchdb::bigcouch --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) { } include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch } -- cgit v1.2.3 From 6e223037a4ca36273984c0ab0f2eb9b81f5f10da Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:11:40 +0100 Subject: decrease stunnel debug level --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 44ddae0b..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '7' + debuglevel => '4' } # clients -- cgit v1.2.3 From e9b00c6efb65faa4c0dfa955527fafc2b13889d4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:31:51 +0100 Subject: fix bigcouch stunnel pid name --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..f5001051 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -25,7 +25,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouch.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } -- cgit v1.2.3 From 50cbfca55b99c0e284aff23c8f779499f4af1f4a Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 26 Mar 2013 13:52:22 -0400 Subject: remove duplicate 'include site_stunnel' this already exists in class site_stunnel::setup which is instantiated in this class --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index f5001051..9e1bad49 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,7 +1,6 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include x509::variables - include site_stunnel $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' -- cgit v1.2.3 From dd459efb1063de6c11f9f11583290c6a0891436a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:22:52 -0400 Subject: replace long-form variables with shorter ones remove unnecessary bigcouch_replication_client_default values (verify, rndfile, debuglevel) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 9e1bad49..a49b51b9 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
@@ -49,12 +49,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couchdb_stunnel_client_defaults = { 'connect_port' => '5369', 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) -- cgit v1.2.3 From baf3ed5b6db4e8af052564864d8c3e426cf5d9d0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:32:42 -0400 Subject: switch to using stunnel_client and stunnel_server leap_cli macros add bigcouch_replication_clients to couchdb.json change site_couchdb/manifests/stunnel to use stunnel_client and stunnel_server generated hiera values to setup the stunnels for the couch_server connections, and the bigcouch_replication_server and bigcouch_replication_clients tunnels instead of using hard-coded ips and ports. also change the pid names to be more consistent with what the tunnels are and are named --- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++--------- 1 file changed, 26 insertions(+), 15 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index a49b51b9..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
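Review bot: Dropping `'verify' => '2'` from `$couchdb_stunnel_client_defaults` leaves certificate verification on the client tunnels to whatever `site_stunnel::clients` defaults to, which is not visible here; if that define has no default, the client side no longer verifies the server it connects to, and a TLS tunnel without peer verification gives no protection against an impostor endpoint. The commit message calls the value unnecessary, which suggests the define sets it, but a comment here, `# verify, rndfile and debuglevel come from site_stunnel::clients defaults`, would record that assumption where the next reader looks. The enclosing class starts outside the hunk.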
@@ -1,13 +1,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { - include x509::variables + $stunnel = hiera('stunnel') + + $couch_server = $stunnel['couch_server'] + $couch_server_accept = $couch_server['accept'] + $couch_server_connect = $couch_server['connect'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] + $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" + # basic setup: ensure cert, key, ca files are in place, and some generic + # stunnel things are done class { 'site_stunnel::setup': cert_name => $cert_name, key => $key, 
@@ -15,45 +28,43 @@ class site_couchdb::stunnel ($key, $cert, $ca) { ca => $ca } - # webapp access - stunnel::service { 'couchdb': - accept => '6984', - connect => '127.0.0.1:5984', + # setup a stunnel server for the webapp to connect to couchdb + stunnel::service { 'couch_server': + accept => $couch_server_accept, + connect => $couch_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouch.pid', + pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } - # clustering between bigcouch nodes + # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch': - accept => '5369', - connect => '127.0.0.1:4369', + stunnel::service { 'bigcouch_replication_server': + accept => $bigcouch_replication_server_accept, + connect => $bigcouch_replication_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouchreplication_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $couchdb_stunnel_client_defaults = { - 'connect_port' => '5369', + $bigcouch_replication_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) } - -- cgit v1.2.3 From 264e63967d9247e42662182aec771fbfb81e8e8e Mon Sep 17 00:00:00 2001 
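Review bot: The pid file names in this hunk do not follow the resource titles: `couch_server` gets `couchserver.pid` and `bigcouch_replication_server` gets `bigcouchreplication_server.pid`, which makes it harder to match a running stunnel process to its resource when debugging. `pid => '/var/run/stunnel4/couch_server.pid'` and `pid => '/var/run/stunnel4/bigcouch_replication_server.pid'` would keep them aligned with the titles. The enclosing class starts outside the hunk.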
From: Micah Anderson Date: Thu, 4 Apr 2013 11:27:59 -0400 Subject: rename the bigcouch_replication_[server,client] to be the more accurately, and shorter named epmd (erlang port mapper daemon) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1eb79293..40b8f450 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -6,11 +6,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couch_server_accept = $couch_server['accept'] $couch_server_connect = $couch_server['connect'] - $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] - $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] - $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $epmd_server = $stunnel['epmd_server'] + $epmd_server_accept = $epmd_server['accept'] + $epmd_server_connect = $epmd_server['connect'] - $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + $epmd_clients = $stunnel['epmd_clients'] include x509::variables $cert_name = 'leap_couchdb' 
@@ -45,26 +45,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch_replication_server': - accept => $bigcouch_replication_server_accept, - connect => $bigcouch_replication_server_connect, + stunnel::service { 'epmd_server': + accept => $epmd_server_accept, + connect => $epmd_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouchreplication_server.pid', + pid => '/var/run/stunnel4/epmd_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $bigcouch_replication_client_defaults = { + $epmd_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) + create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) } -- cgit v1.2.3 From c228491af3929e07766903c3ce29a06fab86ad63 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 12:08:55 -0400 Subject: remove the apache_ssl_proxy cleanup --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 13 ------------- puppet/modules/site_couchdb/manifests/init.pp | 6 ++---- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp deleted file mode 100644 index 536dd8db..00000000 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ /dev/null 
@@ -1,13 +0,0 @@
-class site_couchdb::apache_ssl_proxy {
-
-# This is here to disable the previously configured apache ssl proxy
-# we were using this, but have switched to stunnel instead.
-#
-# Unfortunately, the current apache shared module doesn't handle
-# ensure=>absent, so this is going to be done the crude way, and will only
-# work for debian+derivitives, which is fine for now, but not good for the
-# future
-
- package { 'apache2': ensure => absent }
-
-}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index e0f379cd..0fc951c2 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -5,6 +5,7 @@ class site_couchdb ( $bigcouch = false ) {
 $key = $x509['key']
 $cert = $x509['cert']
 $ca = $x509['ca_cert']
+
 $couchdb_config = hiera('couch')
 $couchdb_users = $couchdb_config['users']
 $couchdb_admin = $couchdb_users['admin']
@@ -16,6 +17,7 @@ class site_couchdb ( $bigcouch = false ) {
 $couchdb_ca_daemon = $couchdb_users['ca_daemon']
 $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
 $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+
 $bigcouch_config = $couchdb_config['bigcouch']
 $bigcouch_cookie = $bigcouch_config['cookie']
 
@@ -32,10 +34,6 @@ class site_couchdb ( $bigcouch = false ) {
 -> Couchdb::Add_user[$couchdb_webapp_user]
 -> Couchdb::Add_user[$couchdb_ca_daemon_user]
 
- # this is here to disable and remove the proxy
- include site_couchdb::apache_ssl_proxy
-
- # the above apache_ssl_proxy is replaced by the following stunnel
 class { 'site_couchdb::stunnel':
 key => $key,
 cert => $cert,
-- cgit v1.2.3 From 2c53c5023b925cb596e3f450f194482eade1fbeb Mon Sep 17 00:00:00 2001
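Review bot: Dropping `include site_couchdb::apache_ssl_proxy` in the init.pp hunk also drops the `package { 'apache2': ensure => absent }` that class carried, so any node that has not yet applied that cleanup keeps apache2 — and whatever proxy vhost it used to serve in front of couchdb — installed from here on. If the fleet is known to have converged this is fine; otherwise keeping the removal for one more release, or stating the assumption in the commit message, avoids leaving a forgotten listener behind. The enclosing class site_couchdb continues outside the hunk.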
From: Micah Anderson Date: Thu, 4 Apr 2013 12:50:30 -0400 Subject: add Erlang Distributed Node Protocol Port json entry under bigcouch setup ednp_server and ednp_client stunnels update couchdb puppet submodule to support configurable ednp_port parameter and general module cleanup pass ednp_port to couchdb setup so that it is configured in the vm.args template clarify in comments the difference between the epmd and ednp ports remove hard-coded erlang_vm_port variable and instead setup shorewall to allow for the stunnel connection only setup dnat rules for the ednp client connections --- puppet/modules/site_couchdb/manifests/init.pp | 7 ++-- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++++++++--- 2 files changed, 42 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_couchdb')
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 0fc951c2..9ffa4122 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -21,10 +21,13 @@ class site_couchdb ( $bigcouch = false ) {
 $bigcouch_config = $couchdb_config['bigcouch']
 $bigcouch_cookie = $bigcouch_config['cookie']
 
- class {'couchdb':
+ $ednp_port = $bigcouch_config['ednp_port']
+
+ class { 'couchdb':
 bigcouch => $bigcouch,
 admin_pw => $couchdb_admin_pw,
- bigcouch_cookie => $bigcouch_cookie
+ bigcouch_cookie => $bigcouch_cookie,
+ ednp_port => $ednp_port
 }
 
 include couchdb::bigcouch::package::cloudant
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index 40b8f450..ebd01e4e 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
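Review bot: `$ednp_port = $bigcouch_config['ednp_port']` is handed straight to `class { 'couchdb': }` without checking that the hiera key exists or holds a number; per the commit message the value lands in the vm.args template, where a missing or malformed port only shows up as an Erlang startup failure on the node. A guard next to the assignment — `validate_re("${ednp_port}", '^[0-9]+$')` if puppetlabs-stdlib is available, or an explicit `fail()` when the key is undef — turns that into a clear compile-time error. The class body continues outside the hunk.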
@@ -6,12 +6,18 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 $couch_server_accept = $couch_server['accept']
 $couch_server_connect = $couch_server['connect']
 
+ # Erlang Port Mapper Daemon (epmd) stunnel server/clients
 $epmd_server = $stunnel['epmd_server']
 $epmd_server_accept = $epmd_server['accept']
 $epmd_server_connect = $epmd_server['connect']
-
 $epmd_clients = $stunnel['epmd_clients']
 
+ # Erlang Distributed Node Protocol (ednp) stunnel server/clients
+ $ednp_server = $stunnel['ednp_server']
+ $ednp_server_accept = $ednp_server['accept']
+ $ednp_server_connect = $ednp_server['connect']
+ $ednp_clients = $stunnel['ednp_clients']
+
 include x509::variables
 $cert_name = 'leap_couchdb'
 $ca_name = 'leap_ca'
@@ -43,8 +49,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 }
 
 
- # setup stunnels for bigcouch clustering between each bigcouchdb node
- # server
+ # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
+ # bigcouch clustering between each bigcouchdb node
 stunnel::service { 'epmd_server':
 accept => $epmd_server_accept,
 connect => $epmd_server_connect,
@@ -58,7 +64,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 debuglevel => '4'
 }
 
- # clients
+ # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
+ # to the above epmd stunnel server.
 $epmd_client_defaults = {
 'client' => true,
 'cafile' => $ca_path,
@@ -67,4 +74,30 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 }
 
 create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)
+
+ # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
+ # for bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'ednp_server':
+ accept => $ednp_server_accept,
+ connect => $ednp_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/ednp_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
+ # to the above ednp stunnel server.
+ $ednp_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)
 }
-- cgit v1.2.3 From c4397077adb35cf5ec05976e2918bacdd3960703 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:31:04 -0400 Subject: pass $ca_name to stunnel::setup - this eliminates a dynamic scoped variable lookup, and warning --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_couchdb')
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index ebd01e4e..d982013e 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -31,6 +31,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 cert_name => $cert_name,
 key => $key,
 cert => $cert,
+ ca_name => $ca_name,
 ca => $ca
 }
 
-- cgit v1.2.3 From 4d01724ff48a990f70f81779936840824c78ca6e Mon Sep 17 00:00:00 2001
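Review bot: The new `stunnel::service { 'ednp_server': }` repeats the `epmd_server` block line for line apart from its name, accept/connect and pid, so the two tunnels will drift the first time someone adjusts verify, debuglevel or rndfile on only one of them; a small wrapping define, or a resource default carrying the shared cafile/key/cert/verify/rndfile/debuglevel values, keeps them identical. Separately, `verify => '2'` on both servers accepts any client certificate that chains to `$ca_path`, and the ednp tunnel fronts the Erlang distribution port, which together with the shared bigcouch cookie gives a connecting peer full control of the node — so the hosts able to join the cluster are exactly the hosts that CA has ever issued a certificate to. If `stunnel::service` exposes it, `verify => '3'` with the peer node certificates installed locally, or a CA used only for couchdb nodes, narrows that to the intended cluster members; the same applies to the epmd_server block earlier in this file.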
From: varac Date: Wed, 24 Apr 2013 00:32:18 +0200 Subject: Use pre-salted+hashed user pw for couchdb (Feature #2324) --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_couchdb')
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 9ffa4122..de9b715c 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -11,12 +11,15 @@ class site_couchdb ( $bigcouch = false ) {
 $couchdb_admin = $couchdb_users['admin']
 $couchdb_admin_user = $couchdb_admin['username']
 $couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_admin_salt = $couchdb_admin['salt']
 $couchdb_webapp = $couchdb_users['webapp']
 $couchdb_webapp_user = $couchdb_webapp['username']
 $couchdb_webapp_pw = $couchdb_webapp['password']
+ $couchdb_webapp_salt = $couchdb_webapp['salt']
 $couchdb_ca_daemon = $couchdb_users['ca_daemon']
 $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
 $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+ $couchdb_ca_daemon_salt = $couchdb_ca_daemon['salt']
 
 $bigcouch_config = $couchdb_config['bigcouch']
 $bigcouch_cookie = $bigcouch_config['cookie']
@@ -45,18 +48,20 @@ class site_couchdb ( $bigcouch = false ) {
 
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
- pw => $couchdb_admin_pw
+ pw => $couchdb_admin_pw,
 }
 
 # Populate couchdb
 couchdb::add_user { $couchdb_webapp_user:
 roles => '["certs"]',
- pw => $couchdb_webapp_pw
+ pw => $couchdb_webapp_pw,
+ salt => $couchdb_webapp_salt
 }
 
 couchdb::add_user { $couchdb_ca_daemon_user:
 roles => '["certs"]',
- pw => $couchdb_ca_daemon_pw
+ pw => $couchdb_ca_daemon_pw,
+ salt => $couchdb_ca_daemon_salt
 }
 
 couchdb::create_db { 'users':
-- cgit v1.2.3 From 3ced5ec963311c45cf359803727bd18fe6e23b69 Mon Sep 17 00:00:00 2001
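Review bot: `$couchdb_admin_salt` is read in the first hunk but never passed on — `class { 'couchdb': }` still receives only `admin_pw`, so the admin account does not get the pre-hashed treatment this commit's subject describes (a later commit on this page adds `admin_salt`). Worth confirming in the second hunk as well: `couchdb::query::setup { 'localhost': }` keeps authenticating with `$couchdb_admin_pw`, which only works while the hiera value is the clear-text password; if that key is moved to the salted-hash form the setup step will no longer be able to log in. The class body continues outside both hunks.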
From: varac Date: Wed, 24 Apr 2013 15:53:05 +0200 Subject: updated needed couchdb users and DBs --- puppet/modules/site_couchdb/manifests/init.pp | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'puppet/modules/site_couchdb')
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index de9b715c..6cf8e209 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -16,10 +16,10 @@ class site_couchdb ( $bigcouch = false ) {
 $couchdb_webapp_user = $couchdb_webapp['username']
 $couchdb_webapp_pw = $couchdb_webapp['password']
 $couchdb_webapp_salt = $couchdb_webapp['salt']
- $couchdb_ca_daemon = $couchdb_users['ca_daemon']
- $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
- $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
- $couchdb_ca_daemon_salt = $couchdb_ca_daemon['salt']
+ $couchdb_soledad = $couchdb_users['soledad']
+ $couchdb_soledad_user = $couchdb_soledad['username']
+ $couchdb_soledad_pw = $couchdb_soledad['password']
+ $couchdb_soledad_salt = $couchdb_soledad['salt']
 
 $bigcouch_config = $couchdb_config['bigcouch']
 $bigcouch_cookie = $bigcouch_config['cookie']
@@ -36,9 +36,9 @@ class site_couchdb ( $bigcouch = false ) {
 Service ['couchdb']
 -> Couchdb::Create_db['users']
- -> Couchdb::Create_db['client_certificates']
+ -> Couchdb::Create_db['tokens']
 -> Couchdb::Add_user[$couchdb_webapp_user]
- -> Couchdb::Add_user[$couchdb_ca_daemon_user]
+ -> Couchdb::Add_user[$couchdb_soledad_user]
 
 class { 'site_couchdb::stunnel':
 key => $key,
@@ -53,23 +53,23 @@ class site_couchdb ( $bigcouch = false ) {
 
 # Populate couchdb
 couchdb::add_user { $couchdb_webapp_user:
- roles => '["certs"]',
+ roles => '["auth"]',
 pw => $couchdb_webapp_pw,
 salt => $couchdb_webapp_salt
 }
 
- couchdb::add_user { $couchdb_ca_daemon_user:
- roles => '["certs"]',
- pw => $couchdb_ca_daemon_pw,
- salt => $couchdb_ca_daemon_salt
+ couchdb::add_user { $couchdb_soledad_user:
+ roles => '["auth"]',
+ pw => $couchdb_soledad_pw,
+ salt => $couchdb_soledad_salt
 }
 
 couchdb::create_db { 'users':
 readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
 }
 
- couchdb::create_db { 'client_certificates':
- readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+ couchdb::create_db { 'tokens':
+ readers => "{ \"names\": [], \"roles\": [\"auth\"] }"
 }
 
 include site_shorewall::couchdb
-- cgit v1.2.3 From b3572aed530b0834d58e75c83ef1eb670d1824e3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 16:50:19 +0200 Subject: Use pre-salted+hashed admin pw for couchdb (Feature #1941) --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_couchdb')
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6cf8e209..5e26b837 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -29,6 +29,7 @@ class site_couchdb ( $bigcouch = false ) {
 class { 'couchdb':
 bigcouch => $bigcouch,
 admin_pw => $couchdb_admin_pw,
+ admin_salt => $couchdb_admin_salt,
 bigcouch_cookie => $bigcouch_cookie,
 ednp_port => $ednp_port
 }
-- cgit v1.2.3 From 2bd18fcad2e1446388948ed0b98232d93564b8ad Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 18:23:41 +0200 Subject: take out plain couchdb setup, always deploy bigcouch (Feature #2176) --- puppet/modules/site_couchdb/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_couchdb')
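Review bot: Replacing the `ca_daemon` user and the `client_certificates` database with `soledad` and `tokens` declares the new resources but retires nothing, so nodes deployed before this commit keep a `ca_daemon` account in `_users` carrying the `certs` role and a `client_certificates` database that no manifest manages any more. A `couchdb::add_user`/`couchdb::create_db` with `ensure => absent` for the old names, if the module supports it, or a documented one-off cleanup, would close that out. Also, both remaining users now get role `["auth"]` while the `users` database still lists only `$couchdb_webapp_user` by name, so soledad cannot read `users`; fine if intended, but a one-line comment on the readers asymmetry would save the next reader a question. The class body continues outside the hunk.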
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 5e26b837..9f4824b4 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,4 +1,4 @@
-class site_couchdb ( $bigcouch = false ) {
+class site_couchdb {
 tag 'leap_service'
 
 $x509 = hiera('x509')
@@ -27,7 +27,7 @@ class site_couchdb ( $bigcouch = false ) {
 $ednp_port = $bigcouch_config['ednp_port']
 
 class { 'couchdb':
- bigcouch => $bigcouch,
+ bigcouch => true,
 admin_pw => $couchdb_admin_pw,
 admin_salt => $couchdb_admin_salt,
 bigcouch_cookie => $bigcouch_cookie,
-- cgit v1.2.3 From 064195792e264a125b9bd75ff931552af054ecf9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 May 2013 18:53:17 +0200 Subject: include site_couchdb::bigcouch::add_nodes in site_couchdb/manifests/init.pp --- puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 +++++ puppet/modules/site_couchdb/manifests/init.pp | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp (limited to 'puppet/modules/site_couchdb')
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
new file mode 100644
index 00000000..241a4914
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
@@ -0,0 +1,5 @@
+class site_couchdb::bigcouch::add_nodes {
+ # loop through neighbors array and add nodes
+ $nodes = $::site_couchdb::bigcouch_config['neighbors']
+ couchdb::bigcouch::add_node { $nodes: }
+}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 9f4824b4..802f3224 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
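Review bot: In add_nodes.pp, `$nodes = $::site_couchdb::bigcouch_config['neighbors']` is used unguarded as the title list for `couchdb::bigcouch::add_node`; when the hiera `bigcouch` hash has no `neighbors` key (a single-node deploy, or a config written before this commit) the title is undef and catalog compilation most likely fails with a message that does not name the missing key. A guard such as `if $nodes { couchdb::bigcouch::add_node { $nodes: } }`, or a `fail()` that names `bigcouch.neighbors`, makes the requirement explicit. The class also relies on `site_couchdb` having been evaluated first so that `$::site_couchdb::bigcouch_config` is set — true today because init.pp declares it from inside site_couchdb, but a comment stating that assumption would help the next reader.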
@@ -33,9 +33,12 @@ class site_couchdb {
 bigcouch_cookie => $bigcouch_cookie,
 ednp_port => $ednp_port
 }
 
- include couchdb::bigcouch::package::cloudant
- Service ['couchdb']
+ class { 'couchdb::bigcouch::package::cloudant': }
+
+ Class ['couchdb::bigcouch::package::cloudant']
+ -> Service ['couchdb']
+ -> Class ['site_couchdb::bigcouch::add_nodes']
 -> Couchdb::Create_db['users']
 -> Couchdb::Create_db['tokens']
 -> Couchdb::Add_user[$couchdb_webapp_user]
@@ -47,6 +50,8 @@ class site_couchdb {
 ca => $ca
 }
 
+ class { 'site_couchdb::bigcouch::add_nodes': }
+
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
 pw => $couchdb_admin_pw,
-- cgit v1.2.3
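Review bot: The new chain writes `Class ['…']` and `Service ['…']` with a space before the bracket while the continuation lines use `Couchdb::Create_db['users']` with none; puppet-lint and the common style guides expect the attached form, and it also makes a resource reference visually distinct from a declaration. Suggested: `Class['couchdb::bigcouch::package::cloudant']`, `-> Service['couchdb']`, `-> Class['site_couchdb::bigcouch::add_nodes']`. The chain continues outside the hunk.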