From bb4dd153bbf1174a95017d0046ea9e1320fd81a9 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 23 Feb 2017 11:05:46 +0100
Subject: Linted couchdb.pp
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_webapp/manifests')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 71450370..175255af 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,3 +1,4 @@
+# Configures webapp couchdb config
 class site_webapp::couchdb {
 
 $webapp = hiera('webapp')
@@ -22,8 +23,8 @@ class site_webapp::couchdb {
 # couchdb.admin.yml is a symlink to prevent the vcsrepo resource
 # from changing its user permissions every time.
 '/srv/leap/webapp/config/couchdb.admin.yml':
- ensure => 'link',
- target => '/etc/leap/couchdb.admin.yml',
+ ensure => 'link',
+ target => '/etc/leap/couchdb.admin.yml',
 require => Vcsrepo['/srv/leap/webapp'];
 
 '/etc/leap/couchdb.admin.yml':
-- 
cgit v1.2.3
From cce9af1fce42c29bf062cccfc46ef356d83a6328 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 23 Feb 2017 11:42:47 +0100
Subject: [8144] Remove Haproxy
We used haproxy because we had multiple bigcouch nodes but now with a single couchdb node this is not needed anymore.
- Resolves: #8144
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++--
 puppet/modules/site_webapp/manifests/init.pp | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
(limited to 'puppet/modules/site_webapp/manifests')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 175255af..ffe364c6 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -2,9 +2,9 @@
 class site_webapp::couchdb {
 
 $webapp = hiera('webapp')
- # haproxy listener on port localhost:4096, see site_webapp::haproxy
+ # stunnel endpoint on port localhost:4000
 $couchdb_host = 'localhost'
- $couchdb_port = '4096'
+ $couchdb_port = '4000'
 $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
 $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
 $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 83cf99a9..1ae80012 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -19,7 +19,6 @@ class site_webapp {
 include ::site_config::ruby::dev
 include ::site_webapp::apache
 include ::site_webapp::couchdb
- include ::site_haproxy
 include ::site_webapp::cron
 include ::site_config::default
 include ::site_config::x509::cert
@@ -106,7 +105,9 @@ class site_webapp {
 '/srv/leap/webapp/public/ca.crt':
 ensure => link,
 require => Vcsrepo['/srv/leap/webapp'],
+ # lint:ignore:variable_is_lowercase
 target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt";
+ # lint:endignore
 
 "/srv/leap/webapp/public/${api_version}":
 ensure => directory,
-- 
cgit v1.2.3
From 8c1c4c102936dd779c74d615763e7adef7033ec1 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 15 Mar 2017 00:56:47 +0100
Subject: Direct connection when couch runs locally
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_webapp/manifests')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index ffe364c6..e1947048 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
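Review bot: Removing `include ::site_haproxy` from site_webapp stops Puppet from managing haproxy but does not uninstall it on nodes already deployed, so the haproxy package and its localhost:4096 listener (the port named in the old comment of the couchdb.pp hunk above) stay behind as an unmanaged service unless site_haproxy is applied elsewhere with an absent state, which this diff does not show. A short-lived cleanup pair such as `service { 'haproxy': ensure => stopped, enable => false }` followed by `package { 'haproxy': ensure => purged }` would retire the listener on upgrade and can be dropped a release later. The enclosing `class site_webapp` starts and ends outside the hunk.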
@@ -4,7 +4,7 @@ class site_webapp::couchdb {
 $webapp = hiera('webapp')
 # stunnel endpoint on port localhost:4000
 $couchdb_host = 'localhost'
- $couchdb_port = '4000'
+ $couchdb_port = $webapp['couchdb_port']
 $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
 $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
 $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
-- 
cgit v1.2.3
From 44f20f7c3907d500adde0edc87c90b2cd339acea Mon Sep 17 00:00:00 2001
From: Azul
Date: Wed, 22 Mar 2017 10:10:16 +0100
Subject: webapp: add secret_key_base to config
This replaces the secret_token from rails 4.1 on. Both are used for securing cookies in the browser. The secret_key_base will also encrypt the cookies while the token will only sign them. Keeping the token in there for now allows us to migrate existing sessions / cookies to the new secrets. We can remove it in the next version once all providers have run with secret_key_base for a while.
---
 puppet/modules/site_webapp/manifests/init.pp | 1 +
 1 file changed, 1 insertion(+)
(limited to 'puppet/modules/site_webapp/manifests')
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 1ae80012..deb8e8c8 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -10,6 +10,7 @@ class site_webapp {
 $provider_domain = $node_domain['full_suffix']
 $webapp = hiera('webapp')
 $api_version = $webapp['api_version']
+ $secret_key_base = $webapp['secret_key_base']
 $secret_token = $webapp['secret_token']
 $tor = hiera('tor', false)
 $sources = hiera('sources')
-- 
cgit v1.2.3
From c393af8fd5321b8ddf547aed22f833899e56e20e Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 24 Apr 2017 12:08:10 -0400
Subject: Lint
---
 .../modules/site_webapp/manifests/hidden_service.pp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'puppet/modules/site_webapp/manifests')
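Review bot: The context comment `# stunnel endpoint on port localhost:4000` two lines above `$couchdb_port = $webapp['couchdb_port']` is now stale: the port is no longer fixed at 4000 and, per the commit subject, the connection is direct when couchdb runs on the same node. Replace it with something like `# couchdb port from the webapp hiera data: the local couchdb port when it runs here, otherwise the stunnel endpoint`. A missing `couchdb_port` key also leaves the variable undef, which presumably ends up as an empty port in the rendered webapp config; a guard such as `if $couchdb_port == undef { fail('webapp.couchdb_port must be set in hiera') }` would surface that at catalog compile time instead. The enclosing class continues outside the hunk.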
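Review bot: `$secret_key_base = $webapp['secret_key_base']` is added beside `$secret_token` with nothing in the manifest recording that the token is transitional, so the migration plan lives only in the commit message. A comment on the `$secret_token` line such as `# kept only so sessions signed before secret_key_base existed stay valid; remove once all providers have run with secret_key_base` would let the next maintainer retire it safely. Where the new value is written to disk is not visible in this hunk; since secret_key_base both signs and encrypts cookies, the config file receiving it deserves the same restrictive ownership and mode that already protect secret_token, and the hiera source should be handled as a secret.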
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index d2662b65..81d431cd 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -15,18 +15,18 @@ class site_webapp::hidden_service {
 
 file {
 '/var/lib/tor/webapp/':
- ensure => directory,
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '2700';
+ ensure => directory,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '2700';
 
 '/var/lib/tor/webapp/private_key':
- ensure => present,
- source => "/srv/leap/files/nodes/${::hostname}/tor.key",
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0600',
- notify => Service['tor'];
+ ensure => present,
+ source => "/srv/leap/files/nodes/${::hostname}/tor.key",
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ notify => Service['tor'];
 
 '/var/lib/tor/webapp/hostname':
 ensure => present,
-- 
cgit v1.2.3
From ada9645de11d75701db8202f34de5c26a2b749c2 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 24 Apr 2017 14:38:32 -0400
Subject: Add single-hop hidden service capability.
This cuts the number of hops for a tor onion service from 6 to 3, speeding it up considerably. This removes the anonymity aspect of the service, so it must be enabled intentionally, knowing that the server's location no longer is hidden.
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_webapp/manifests')
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 81d431cd..6651df86 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -11,7 +11,10 @@ class site_webapp::hidden_service {
 include apache::module::removeip
 
 include tor::daemon
- tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
+ tor::daemon::hidden_service { 'webapp':
+ ports => [ '80 127.0.0.1:80'],
+ single_hop => $hidden_service['single_hop']
+ }
 
 file {
 '/var/lib/tor/webapp/':
-- 
cgit v1.2.3
From 68e9a28da2db4cb494bc19a1aeaa0663cb286414 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 2 May 2017 16:23:20 -0400
Subject: Restructure site_tor to be more clear and re-usable (fixes #8784).
This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install.
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_webapp/manifests')
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 6651df86..3f3f1d0c 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -10,7 +10,7 @@ class site_webapp::hidden_service {
 include apache::module::expires
 include apache::module::removeip
 
- include tor::daemon
+ include site_tor
 tor::daemon::hidden_service { 'webapp':
 ports => [ '80 127.0.0.1:80'],
 single_hop => $hidden_service['single_hop']
-- 
cgit v1.2.3
From 96f8af37b4a3bbd9a15651e27f588073c0601299 Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 19 Sep 2017 11:54:27 -0700
Subject: Feat: split tor service into three
The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'.
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 4 ++--
 puppet/modules/site_webapp/manifests/init.pp | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)
(limited to 'puppet/modules/site_webapp/manifests')
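Review bot: `single_hop => $hidden_service['single_hop']` is passed straight through with no hint in the manifest that this setting gives up the server's location anonymity, a property the commit message spells out but a reader of hidden_service.pp never sees. A comment above the resource such as `# single_hop trades the onion service's location anonymity for a shorter 3-hop circuit; set it only when the server is not meant to be hidden` would carry that warning to where the knob is wired. If the hiera key is absent the parameter receives undef, and how tor::daemon::hidden_service treats that is not visible here, so a hiera default of false (or an explicit `== true` comparison) is worth confirming so the non-anonymous mode is reachable only by deliberate opt-in. The enclosing class continues outside the hunk.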
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 3f3f1d0c..658d62f9 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -2,7 +2,7 @@
 class site_webapp::hidden_service {
 $tor = hiera('tor')
 $hidden_service = $tor['hidden_service']
- $tor_domain = "${hidden_service['address']}.onion"
+ $onion_domain = "${hidden_service['address']}.onion"
 
 include site_apache::common
 include apache::module::headers
@@ -33,7 +33,7 @@ class site_webapp::hidden_service {
 
 '/var/lib/tor/webapp/hostname':
 ensure => present,
- content => "${tor_domain}\n",
+ content => "${onion_domain}\n",
 owner => 'debian-tor',
 group => 'debian-tor',
 mode => '0600',
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index deb8e8c8..968859bf 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -177,11 +177,9 @@ class site_webapp {
 notify => Service['apache'];
 }
 
- if $tor {
+ if $tor and member($services, 'hidden_service') {
 $hidden_service = $tor['hidden_service']
- if $hidden_service['active'] {
- include ::site_webapp::hidden_service
- }
+ include ::site_webapp::hidden_service
 }
 
 
-- 
cgit v1.2.3
From 5b10def43d134e5735bfcec1237c04cf66e8610b Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Sep 2017 15:36:06 -0400
Subject: Feat: Refactor tor services
In order to refactor the tor services, we need to split them out into three different services. This adds the hidden service class that is necessary to support the previous commits. Fixes #8864.
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 3 ++-
 puppet/modules/site_webapp/manifests/init.pp | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_webapp/manifests')
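Review bot: `member($services, 'hidden_service')` reads `$services`, which this hunk neither defines nor shows being set anywhere in init.pp at this revision (the next commit on this page adds `$services = hiera('services', [])`), so as committed the condition evaluates against undef and, depending on Puppet's strict-variables setting, either errors or silently never includes the hidden service. Dropping the `if $hidden_service['active']` check is also a behaviour change the message does not mention: provider data that still carries `active: false` no longer disables the service once 'hidden_service' is listed in services. If that flag remains documented, honour it in the new condition (`if $tor and member($services, 'hidden_service') and $hidden_service['active']`) or state its removal explicitly. The enclosing `class site_webapp` ends outside the hunk.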
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 658d62f9..1f87da6b 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -1,5 +1,7 @@
 # Configure tor hidden service for webapp
 class site_webapp::hidden_service {
+ Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']
+ include site_tor::hidden_service
 $tor = hiera('tor')
 $hidden_service = $tor['hidden_service']
 $onion_domain = "${hidden_service['address']}.onion"
@@ -10,7 +12,6 @@ class site_webapp::hidden_service {
 include apache::module::expires
 include apache::module::removeip
 
- include site_tor
 tor::daemon::hidden_service { 'webapp':
 ports => [ '80 127.0.0.1:80'],
 single_hop => $hidden_service['single_hop']
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 968859bf..605d71b3 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,6 +1,7 @@
 # configure webapp service
 class site_webapp {
 tag 'leap_service'
+ $services = hiera('services', [])
 $definition_files = hiera('definition_files')
 $provider = $definition_files['provider']
 $eip_service = $definition_files['eip_service']
@@ -177,7 +178,7 @@ class site_webapp {
 notify => Service['apache'];
 }
 
- if $tor and member($services, 'hidden_service') {
+ if $tor and member($services, 'tor_hidden_service') {
 $hidden_service = $tor['hidden_service']
 include ::site_webapp::hidden_service
 }
-- 
cgit v1.2.3
From 414e36cf11364a9e581eb260b3267078b6cdda44 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 7 Oct 2017 13:50:55 -0400
Subject: feat: add v3 tor hidden service support
Resolves: #8879
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_webapp/manifests')
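Review bot: The two added lines `Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']` and `include site_tor::hidden_service` first declare the class and then order it ahead of the very class that contains the arrow, which reads oddly and breaks silently if either class is renamed. Puppet's `require` function expresses both in one step, an include plus a dependency from the current class, so the pair can collapse to `require site_tor::hidden_service`. The second hunk of this file drops `include site_tor` on the assumption that `site_tor::hidden_service` still brings in tor::daemon, which the `Service['tor']` notify seen in an earlier hunk of this class depends on; that assumption is not visible here and is worth a one-line comment at the include.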
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 1f87da6b..290f9665 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -14,7 +14,8 @@ class site_webapp::hidden_service {
 
 tor::daemon::hidden_service { 'webapp':
 ports => [ '80 127.0.0.1:80'],
- single_hop => $hidden_service['single_hop']
+ single_hop => $hidden_service['single_hop'],
+ v3 => $hidden_service['v3']
 }
 
 file {
-- 
cgit v1.2.3
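Review bot: `v3 => $hidden_service['v3']` switches the onion service version but nothing in this hunk adapts the key material: the `/var/lib/tor/webapp/private_key` file sourced from `tor.key` and the `hostname` file written from `${hidden_service['address']}.onion` (both seen in earlier hunks of this class on this page) are the v2 layout, whereas a v3 service uses an ed25519 keypair from which its address is derived. If `v3` is true and only the v2 key is deployed, tor will presumably generate a fresh keypair and thus a different .onion address from the one Puppet writes into `hostname`, so the v3 key files need provisioning alongside this flag, or the manifest should `fail()` when `v3` is set without them. A comment such as `# v3 services derive their address from an ed25519 key; the private_key/hostname resources below cover v2 only` would make the gap visible. The enclosing class continues outside the hunk.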