From 9d645a82c7346e8d585c664a82c719647a0d2ffa Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 3 Sep 2015 23:24:43 -0700
Subject: make couchdb.admin.yml only readable by root, make non-admin cron run as webapp user.

---
 puppet/modules/site_webapp/manifests/couchdb.pp | 16 ++++++++--------
 puppet/modules/site_webapp/manifests/cron.pp    |  4 ++++
 2 files changed, 12 insertions(+), 8 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 1dbc745d..5cf7f953 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,29 +14,29 @@ class site_webapp::couchdb {
   file {
     '/srv/leap/webapp/config/couchdb.yml':
       content => template('site_webapp/couchdb.yml.erb'),
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/config/couchdb.admin.yml':
       content => template('site_webapp/couchdb.admin.yml.erb'),
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'root',
+      group   => 'root',
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/log':
       ensure  => directory,
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0755',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/log/production.log':
       ensure  => present,
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0666',
       require => Vcsrepo['/srv/leap/webapp'];
   }
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index d26ee312..7147a0d2 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
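Review bot: The hardening stops short of `/srv/leap/webapp/log/production.log`, which the same resource block leaves at `mode => '0666'` (world-writable), so any local account can append to, truncate or pre-fill the Rails log that operators and incident responders rely on; `mode => '0640'` is enough if only leap-webapp writes it, which the owner/group lines suggest. Note also that `couchdb.admin.yml` is now root:root 0600 but still lives under the Vcsrepo checkout whose other files belong to leap-webapp; if that config directory is writable by leap-webapp (not visible here), the file can be unlinked and replaced even though it cannot be read, so the change buys confidentiality but not integrity. The `file {` block opens inside the hunk but class `site_webapp::couchdb` starts outside it.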
@@ -5,12 +5,14 @@ class site_webapp::cron {
     'rotate_databases':
       command     => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
       environment => 'RAILS_ENV=production',
+      user        => 'root',
       hour        => [0,6,12,18],
       minute      => 0;
 
     'delete_tmp_databases':
       command     => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
       environment => 'RAILS_ENV=production',
+      user        => 'root',
       hour        => 1,
       minute      => 1;
 
@@ -19,6 +21,7 @@ class site_webapp::cron {
     'remove_expired_sessions':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
       environment => 'RAILS_ENV=production',
+      user        => 'leap-webapp',
       hour        => 2,
       minute      => 30,
       ensure      => absent;
@@ -26,6 +29,7 @@ class site_webapp::cron {
     'remove_expired_tokens':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
       environment => 'RAILS_ENV=production',
+      user        => 'leap-webapp',
       hour        => 3,
       minute      => 0;
   }
-- 
cgit v1.2.3

From 8b0910f1caf19884b6b46976b72536ee1f570ed5 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 15 Sep 2015 11:52:20 -0400
Subject: Fix server-status availability to tor hidden services (#7456)

Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service.

Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
---
 puppet/modules/site_webapp/manifests/apache.pp         |  3 ++-
 puppet/modules/site_webapp/manifests/common_vhost.pp   | 18 ++++++++++++++++++
 puppet/modules/site_webapp/manifests/hidden_service.pp | 10 ++++++++--
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 puppet/modules/site_webapp/manifests/common_vhost.pp

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 93e172a0..ddd04a91 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
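Review bot: `rotate_databases` and `delete_tmp_databases` now run `cd /srv/leap/webapp && bundle exec rake …` as root, which loads the Rakefile, Gemfile and every gem under that checkout with root privileges; elsewhere on this page `bundler_update` installs those gems as `leap-webapp` into `vendor/bundle`, so a compromise of the webapp user (or of anyone able to write to the checkout) becomes root at the next scheduled run. Presumably root is only needed to read the root-owned `couchdb.admin.yml`; a safer split is to keep `user => 'leap-webapp'` for these jobs and grant access to the admin config through a dedicated group, or to have root run a copy of the task code that root owns. At minimum the manifest should record why root is required, e.g. `# runs as root only because couchdb.admin.yml is root:root 0600`. The `cron {` block these entries belong to opens outside this hunk.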
@@ -15,12 +15,13 @@ class site_webapp::apache {
   include site_apache::module::alias
   include site_apache::module::expires
   include site_apache::module::removeip
+  include site_webapp::common_vhost
 
   class { 'passenger': use_munin => false }
 
   apache::vhost::file {
     'api':
-      content => template('site_apache/vhosts.d/api.conf.erb')
+      content => template('site_apache/vhosts.d/api.conf.erb');
   }
 }
 
diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp
new file mode 100644
index 00000000..c57aad57
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/common_vhost.pp
@@ -0,0 +1,18 @@
+class site_webapp::common_vhost {
+  # installs x509 cert + key and common config
+  # that both nagios + leap webapp use
+
+  include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
+
+  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+  apache::vhost::file {
+    'common':
+      content => template('site_apache/vhosts.d/common.conf.erb')
+  }
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 16b6e2e7..99a756ca 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
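Review bot: The three chain arrows in common_vhost.pp use the bare-word form `Service[apache]` while the rest of these manifests reference the resource as `Service['apache']` (see the `notify` in hidden_service.pp); writing `Service['apache']` here keeps the style consistent and does not depend on an unquoted title. The header comment says the class "installs" the cert, key and CA, but the visible code only includes the site_config x509 classes and wires them to refresh apache; `# includes the commercial x509 cert/key/CA and restarts apache when any of them changes` would describe what is actually here. The content of `common.conf.erb` is not in this diff, so what the 'common' vhost exposes cannot be reviewed from this hunk.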
@@ -32,12 +32,18 @@ class site_webapp::hidden_service {
       owner => 'debian-tor',
       group => 'debian-tor',
       mode  => '0600';
+
+    '/etc/apache2/mods-enabled/status.conf':
+      ensure => absent,
+      notify => Service['apache'];
   }
 
   apache::vhost::file {
     'hidden_service':
-      content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+      content => template('site_apache/vhosts.d/hidden_service.conf.erb');
+    'server_status':
+      vhost_source => 'modules/site_webapp/server-status.conf';
   }
 
   include site_shorewall::tor
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3

From 2b0386bee6525dda705152031d7125bc30b65269 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 7 Oct 2015 10:57:24 +0200
Subject: [bug] Fix removal of webapp apache config file

Done by including a service-dependend site_config::remove::webapp class.
---
 puppet/modules/site_webapp/manifests/init.pp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ec94c090..d046b7df 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,3 +1,4 @@
+# configure webapp service
 class site_webapp {
   tag 'leap_service'
   $definition_files = hiera('definition_files')
@@ -26,6 +27,9 @@ class site_webapp {
   include site_config::x509::client_ca::ca
   include site_config::x509::client_ca::key
 
+  # remove leftovers from previous installations on webapp nodes
+  include site_config::remove::webapp
+
   group { 'leap-webapp':
     ensure    => present,
     allowdupe => false;
-- 
cgit v1.2.3

From 72bec64f52895153612b5e736274266ebc0ab554 Mon Sep 17 00:00:00 2001
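Review bot: Removing `/etc/apache2/mods-enabled/status.conf` with `ensure => absent` drops the stock `<Location /server-status>` block but leaves `status.load` in place, and an `a2enmod status` or a package upgrade can recreate that conf and re-expose the handler on the onion vhost, so the protection rests on a file Debian also manages rather than on Apache configuration Puppet owns. The new `server_status` vhost is loaded from `modules/site_webapp/server-status.conf`, which is not in this diff; a reviewer would want it to carry a client restriction (`Require local` or equivalent) in addition to the unpublished port, since port selection alone is only as strong as the hidden-service `ports` list. The `file {` resource that the `status.conf` entry is added to opens outside this hunk.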
From: varac
Date: Fri, 30 Oct 2015 10:31:17 +0100
Subject: [feat] Add soledad::client class for soledad-sync

- Restructure soledad class
- Include soledad::client class on webapp nodes
- Tested: [unstable.bitmask.net]
- Related: #7523
---
 puppet/modules/site_webapp/manifests/init.pp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index d046b7df..837950a8 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -167,10 +167,8 @@ class site_webapp {
 
 
   # needed for the soledad-sync check which is run on the
-  # webapp node (#6520)
-  package { 'python-u1db':
-    ensure => latest,
-  }
+  # webapp node
+  include soledad::client
 
   leap::logfile { 'webapp': }
 
-- 
cgit v1.2.3

From 20dd8f27004a5dac0ad68113f4b8038cb34bc791 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 5 Nov 2015 21:13:31 +0100
Subject: [bug] [jessie] Load needed modules for apache 2.4

- Related: #6920
---
 puppet/modules/site_webapp/manifests/apache.pp         | 9 +++++----
 puppet/modules/site_webapp/manifests/hidden_service.pp | 8 ++++----
 2 files changed, 9 insertions(+), 8 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index ddd04a91..80c7b29b 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -1,3 +1,4 @@
+# configure apache and passenger to serve the webapp
 class site_webapp::apache {
   $web_api = hiera('api')
 
@@ -11,10 +12,10 @@ class site_webapp::apache {
   $webapp_domain = $webapp['domain']
 
   include site_apache::common
-  include site_apache::module::headers
-  include site_apache::module::alias
-  include site_apache::module::expires
-  include site_apache::module::removeip
+  include apache::module::headers
+  include apache::module::alias
+  include apache::module::expires
+  include apache::module::removeip
   include site_webapp::common_vhost
 
   class { 'passenger': use_munin => false }
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 99a756ca..4cf7a8ca 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -4,10 +4,10 @@ class site_webapp::hidden_service {
   $tor_domain = "${hidden_service['address']}.onion"
 
   include site_apache::common
-  include site_apache::module::headers
-  include site_apache::module::alias
-  include site_apache::module::expires
-  include site_apache::module::removeip
+  include apache::module::headers
+  include apache::module::alias
+  include apache::module::expires
+  include apache::module::removeip
 
   include tor::daemon
   tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
-- 
cgit v1.2.3

From 04269bd8964370aa55cc5a0e47106540a7c335c5 Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 24 Nov 2015 21:02:20 -0500
Subject: fix missing apache status module (#7638)

Change-Id: I77fa50990b5ae60074c54738e8c19929b486d1d0
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 4cf7a8ca..efdefd8e 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -8,6 +8,7 @@ class site_webapp::hidden_service {
   include apache::module::alias
   include apache::module::expires
   include apache::module::removeip
+  include apache::module::status
 
   include tor::daemon
   tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
-- 
cgit v1.2.3

From fe560e3769cb04c03de7ba2a2d40cb3040365156 Mon Sep 17 00:00:00 2001
From: Micah
Date: Mon, 4 Jan 2016 16:05:09 -0500
Subject: Fix status module invocation for hidden service enabled webapps (#7776)

Change-Id: I101e4c9791102123d4334e1b84a48dacea99ac52
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index efdefd8e..12eb1793 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -8,8 +8,7 @@ class site_webapp::hidden_service {
   include apache::module::alias
   include apache::module::expires
   include apache::module::removeip
-  include apache::module::status
-
+  
   include tor::daemon
   tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
 
@@ -33,12 +32,13 @@ class site_webapp::hidden_service {
       owner => 'debian-tor',
       group => 'debian-tor',
       mode  => '0600';
-
-    '/etc/apache2/mods-enabled/status.conf':
-      ensure => absent,
-      notify => Service['apache'];
   }
 
+  # it is necessary to zero out the config of the status module
+  # because we are configuring our own version that is unavailable
+  # over the hidden service (see: #7456 and #7776)
+  apache::module { 'status': ensure => present, conf_content => ' ' }
+  
   apache::vhost::file {
     'hidden_service':
       content => template('site_apache/vhosts.d/hidden_service.conf.erb');
-- 
cgit v1.2.3

From 150579fb14716892cc3e4d7d9c0f81b30d56f03a Mon Sep 17 00:00:00 2001
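Review bot: `conf_content => ' '` blanks the status module's configuration by handing it a single space, which reads as accidental and relies on the `apache::module` define treating a whitespace-only string as "manage the conf with this content" rather than as unset. A comment-only content is explicit and documents the intent inside `/etc/apache2/mods-available/status.conf` itself, e.g. `conf_content => "# managed by puppet: /server-status is only configured in the server_status vhost (#7456, #7776)\n"`. The `+` line following the resource appears to be whitespace-only, which puppet-lint reports as trailing whitespace. The `apache::vhost::file {` block at the end of the hunk continues outside it.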
From: varac
Date: Mon, 13 Apr 2015 23:16:00 +0200
Subject: restructured site.pp, now only one class gets included in site.pp per service (Bug #6851)

Also, moved global Exec{} defaults to site.pp

Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd
---
 puppet/modules/site_webapp/manifests/init.pp | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 837950a8..4f3147e7 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -21,11 +21,13 @@ class site_webapp {
   include site_webapp::couchdb
   include site_haproxy
   include site_webapp::cron
+  include site_config::default
   include site_config::x509::cert
   include site_config::x509::key
   include site_config::x509::ca
   include site_config::x509::client_ca::ca
   include site_config::x509::client_ca::key
+  include site_nickserver
 
   # remove leftovers from previous installations on webapp nodes
   include site_config::remove::webapp
-- 
cgit v1.2.3

From 3dabb02d43f2a65890085734032c9678dee5b830 Mon Sep 17 00:00:00 2001
From: kwadronaut
Date: Tue, 2 Feb 2016 19:37:02 +0100
Subject: don't deploy bundler debug to servers

---
 puppet/modules/site_webapp/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 4f3147e7..15925aba 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -60,7 +60,7 @@ class site_webapp {
 
   exec { 'bundler_update':
     cwd     => '/srv/leap/webapp',
-    command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development"',
+    command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"',
     unless  => '/usr/bin/bundle check --path vendor/bundle',
     user    => 'leap-webapp',
     timeout => 600,
-- 
cgit v1.2.3

From e7ccdeb6c98ceb6b6afcb09a31d79faba63edbad Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 4 Mar 2016 14:59:33 -0800
Subject: move the location of couchdb.admin.yml so that it does not need to have its ownership reset on each deploy.

---
 puppet/modules/site_webapp/manifests/couchdb.pp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 5cf7f953..c13052eb 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -19,12 +19,18 @@ class site_webapp::couchdb {
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
+    # couchdb.admin.yml is a symlink to prevent the vcsrepo resource
+    # from changing its user permissions every time.
     '/srv/leap/webapp/config/couchdb.admin.yml':
+      ensure  => 'link',
+      target  => '/srv/leap/couchdb/couchdb.admin.yml',
+      require => Vcsrepo['/srv/leap/webapp'];
+
+    '/srv/leap/couchdb/couchdb.admin.yml':
       content => template('site_webapp/couchdb.admin.yml.erb'),
       owner   => 'root',
       group   => 'root',
-      mode    => '0600',
-      require => Vcsrepo['/srv/leap/webapp'];
+      mode    => '0600';
 
     '/srv/leap/webapp/log':
       ensure  => directory,
-- 
cgit v1.2.3

From 3ea675a94c73b4376c6df46d56933253d0911bc9 Mon Sep 17 00:00:00 2001
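Review bot: `bundle install --path vendor/bundle --without test development debug` runs without `--deployment` (or `--frozen`), so on a node where `Gemfile.lock` does not match the Gemfile, Bundler will resolve and fetch new gem versions at deploy time as `leap-webapp`, and the versions actually installed are not pinned to what was reviewed in the repository. If the webapp checkout ships a `Gemfile.lock` (not visible here), adding `--deployment` to the install command makes such drift fail loudly instead; the existing `unless => '/usr/bin/bundle check --path vendor/bundle'` guard already provides the idempotency. The `exec { 'bundler_update':` resource continues beyond the hunk.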
From: elijah
Date: Fri, 4 Mar 2016 16:03:41 -0800
Subject: ensure /var/leap/couchdb exists before creating files there.

---
 puppet/modules/site_webapp/manifests/couchdb.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index c13052eb..223604a9 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -30,7 +30,8 @@ class site_webapp::couchdb {
       content => template('site_webapp/couchdb.admin.yml.erb'),
       owner   => 'root',
       group   => 'root',
-      mode    => '0600';
+      mode    => '0600',
+      require => File['/srv/leap/couchdb'];
 
     '/srv/leap/webapp/log':
       ensure  => directory,
-- 
cgit v1.2.3

From 0ec326f27feecda1357ca7ba8b1c09ef2567a481 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 4 Mar 2016 22:50:25 -0800
Subject: fix location of couchdb.admin.yml

---
 puppet/modules/site_webapp/manifests/couchdb.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 223604a9..71450370 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -23,15 +23,15 @@ class site_webapp::couchdb {
     # from changing its user permissions every time.
     '/srv/leap/webapp/config/couchdb.admin.yml':
       ensure  => 'link',
-      target  => '/srv/leap/couchdb/couchdb.admin.yml',
+      target  => '/etc/leap/couchdb.admin.yml',
       require => Vcsrepo['/srv/leap/webapp'];
 
-    '/srv/leap/couchdb/couchdb.admin.yml':
+    '/etc/leap/couchdb.admin.yml':
       content => template('site_webapp/couchdb.admin.yml.erb'),
       owner   => 'root',
       group   => 'root',
       mode    => '0600',
-      require => File['/srv/leap/couchdb'];
+      require => File['/etc/leap'];
 
     '/srv/leap/webapp/log':
       ensure  => directory,
-- 
cgit v1.2.3
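Review bot: The comment above the symlink explains only the Vcsrepo motivation and not the access model the two resources create: `/etc/leap/couchdb.admin.yml` is `root:root` `0600` while the application files belong to `leap-webapp`, so the running webapp cannot read the admin credentials through `config/couchdb.admin.yml` and only root-run tasks (the `db:rotate`/`db:deletetmp` cron jobs elsewhere on this page) can. Suggested addition after the existing two comment lines: `# The target is root:root 0600 on purpose: the webapp process must not be able to read the admin credentials; only root-run rake tasks use them.` Whether `File['/etc/leap']` is declared with restrictive permissions is not visible in this hunk. The `file {` block these entries belong to opens outside the hunk.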
From ee6cad0750e853b3ac210d17b79471772bfae2a5 Mon Sep 17 00:00:00 2001
From: Micah
Date: Fri, 11 Mar 2016 12:16:42 -0500
Subject: fix tor-related jessie deprecation problems (#7962)

Change-Id: If493b8a1f06a786df36a28aa1fc592e270eba639
---
 puppet/modules/site_webapp/manifests/hidden_service.pp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 12eb1793..72a2ce95 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -10,7 +10,7 @@ class site_webapp::hidden_service {
   include apache::module::removeip
 
   include tor::daemon
-  tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
+  tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
 
   file {
     '/var/lib/tor/webapp/':
@@ -38,7 +38,9 @@ class site_webapp::hidden_service {
   # because we are configuring our own version that is unavailable
   # over the hidden service (see: #7456 and #7776)
   apache::module { 'status': ensure => present, conf_content => ' ' }
-  
+  # the access_compat module is required to enable Allow directives
+  apache::module { 'access_compat': ensure => present }
+
   apache::vhost::file {
     'hidden_service':
       content => template('site_apache/vhosts.d/hidden_service.conf.erb');
-- 
cgit v1.2.3

From 8370875d608ebddae09fcd05741bb77e0e31c122 Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 18 Apr 2016 18:28:29 +0200
Subject: [style] more manual linting for custom manifests

---
 puppet/modules/site_webapp/manifests/cron.pp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'puppet/modules/site_webapp/manifests')

diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index 7147a0d2..70b9da04 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
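Review bot: Enabling `access_compat` so that `Allow` directives keep working reintroduces the Apache 2.2 access model on an Apache 2.4 host, and mixing `Allow`/`Deny`/`Order` with 2.4 `Require` rules in the same scope is a known source of accidentally-permissive configuration, which matters for the vhost meant to keep `/server-status` off the hidden service. The templates that contain the `Allow` directives are not in this diff, but the more robust fix is to convert them to `Require local` / `Require ip …` and drop this resource; if access_compat must stay, the comment should name the files that depend on it and mark it as temporary, e.g. `# TODO: remove once hidden_service.conf.erb and server-status.conf use Require instead of Allow`. The `apache::vhost::file {` block at the end of the hunk continues beyond it.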
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -1,3 +1,4 @@
+# setup webapp cronjobs
 class site_webapp::cron {
 
   # cron tasks that need to be performed to cleanup the database
@@ -19,12 +20,12 @@ class site_webapp::cron {
     # there is no longer a need to remove expired sessions, since the database
     # will get destroyed.
     'remove_expired_sessions':
+      ensure      => absent,
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
       environment => 'RAILS_ENV=production',
       user        => 'leap-webapp',
       hour        => 2,
-      minute      => 30,
-      ensure      => absent;
+      minute      => 30;
 
     'remove_expired_tokens':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
-- 
cgit v1.2.3