From 2fd403476e77a545355443667408ba0cf6205fcd Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:39:12 -0500 Subject: remove the apt-get autoclean from the initial apt-get update, this just slows things down and I don't see a need for it --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index f129dd73..f8ea05fc 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -4,7 +4,7 @@ class site_apt::dist_upgrade { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') } else { exec{'initial_apt_update': - command => '/usr/bin/apt-get update && /usr/bin/apt-get autoclean', + command => '/usr/bin/apt-get update', refreshonly => false, } exec{'initial_apt_dist_upgrade': -- cgit v1.2.3 From 2e03ec8c02a54c407c12964d243ba4ac5de15b99 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:45:20 -0500 Subject: switch to using stdlib's standard stages --- puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_config/manifests/slow.pp | 2 +- puppet/modules/site_nagios/manifests/server.pp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 2191e9a1..77241df5 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -24,7 +24,7 @@ class site_config::default { # configure /etc/hosts class { 'site_config::hosts': - stage => initial, + stage => setup, } package { [ 'etckeeper' ]: diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index 18b22a9c..94bac88d 100644 
--- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -1,6 +1,6 @@ class site_config::slow { tag 'leap_slow' class { 'site_apt::dist_upgrade': - stage => initial, + stage => setup, } } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index c98a8a1f..c114a39a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -2,7 +2,7 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) class { 'site_nagios::server::purge': - stage => initial + stage => setup } $nagios_hiera=hiera('nagios') -- cgit v1.2.3 From 21b197953d11d69d14789bc284d72d9c5025dcb4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:11:14 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e3d2a9af..165ba96e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -38,7 +38,7 @@ class site_openvpn { # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} /bin/echo 1 > /proc/sys/net/ipv4/ip_forward ", mode => '0755', @@ -49,7 +49,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a } cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", + command => '/usr/local/bin/leap_add_second_ip.sh', user => 'root', special => 'reboot', } -- cgit v1.2.3 
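Review bot: The script body written by `file { '/usr/local/bin/leap_add_second_ip.sh' }` interpolates `${interface}` and `${openvpn_gateway_address}` unquoted into a root-run shell script, and nothing in this hunk checks their shape before they get there. Both come from a fact lookup and hiera, so a malformed value becomes shell syntax rather than an argument; a guard such as `validate_re($openvpn_gateway_address, '^\d+\.\d+\.\d+\.\d+$')` (puppetlabs-stdlib, which this tree already depends on) next to the lookups would fail the catalog instead. The `/24` prefix length is also hard-coded while the address itself is configurable. The enclosing class `site_openvpn` starts outside the hunk.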
From 081e6f2e55d1536d4c0ebea5dfdc9f08b105c602 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:22:26 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d3963c95..939207bd 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -23,13 +23,17 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, group => root, mode => '0644', + owner => root, + group => root, + mode => '0644', require => Service['openvpn'], notify => Service['unbound']; '/etc/unbound/conf.d/vpn_tcp_resolver': content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, group => root, mode => '0644', + owner => root, + group => root, + mode => '0644', require => Service['openvpn'], notify => Service['unbound']; } -- cgit v1.2.3 From b0b228edb52dc420c9f688c60af054ac6d0c7473 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Feb 2013 16:33:27 +0100 Subject: linted a bit --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index de273b46..436dd272 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -57,7 +57,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name concat { - "/etc/openvpn/$openvpn_configname.conf": + "/etc/openvpn/${openvpn_configname}.conf": owner => root, group => root, mode => 644, -- cgit v1.2.3 From d669a5fb56acf9101cf677ecbd30bcc47b092cd3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 21 Feb 2013 16:11:36 -0500 Subject: changed submodule url --- puppet/modules/vcsrepo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo index 04851c28..4db1120c 160000 --- a/puppet/modules/vcsrepo +++ b/puppet/modules/vcsrepo @@ -1 +1 @@ -Subproject commit 04851c28b12973c679fc9f234fd0f5a193df9d7a +Subproject commit 4db1120c78763f5244dc6c9d2e0d064a6ef363e0 -- cgit v1.2.3 From b63bcc1b9e44c0f0ec7a500538e7ce18bbf48bc2 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Sat, 23 Feb 2013 11:23:35 +0100 Subject: adding angkat family --- puppet/modules/site_tor/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index ceb6fb13..50ab636b 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -15,6 +15,7 @@ class site_tor { address => $address, contact_info => $contact_email, bandwidth_rate => $bandwidth_rate, + my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } tor::daemon::directory { $::hostname: port => 80 } -- cgit v1.2.3 From b3aca2b0cd35f9cc921d1703a597ddbc91529044 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Feb 2013 15:07:38 -0500 Subject: missed another require => Package['shorewall'] on the file resources in site_shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') 
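Review bot: `mode => 644` on the context line right below the renamed `concat` title is still an unquoted numeric mode, which is exactly what a "linted a bit" commit should catch; Puppet expects the octal string `mode => '0644'`, as the resolver.pp lint earlier in this series already uses, and `owner => root, group => root` should likewise be quoted strings. The define `site_openvpn::server_config` starts outside the hunk.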
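Review bot: `my_family` is a literal relay fingerprint hard-coded into the shared manifest, while the neighbouring `address`, `contact_info` and `bandwidth_rate` attributes in the same hunk are fed from variables; sourcing it from the same configuration as those attributes would keep relay identity data out of module code and let it differ per provider. Tor also expects the family declaration to be reciprocal — every relay in the family lists the others — so a single fixed fingerprint only covers the case where this module deploys exactly one additional relay; worth confirming that this is the intent. The class `site_tor` starts outside the hunk.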
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 4e5a5d48..d2bf3c4c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -12,7 +12,8 @@ class site_shorewall::eip { content => "PARAM - - tcp 1194 PARAM - - udp 1194 ", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } -- cgit v1.2.3 From cd96f130a304accaf0bbef5f751dc75976f3116e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Feb 2013 15:14:24 -0500 Subject: require that the package unbound be installed before trying to write to its configuration file, this addresses issue #1853 - [vpn1] err: /Stage[main]/Site_openvpn::Resolver/Line[add_tcp_resolver]/Exec[echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf']/returns: change from notrun to 0 failed: echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf' returned 2 instead of one of [0] at /srv/leap/puppet/modules/common/manifests/defines/line.pp:45 --- puppet/modules/site_openvpn/manifests/resolver.pp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 939207bd..26785edb 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -8,16 +8,18 @@ class site_openvpn::resolver { line { 'add_tcp_resolver': - ensure => present, - file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', - notify => Service['unbound']; + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; 'add_udp_resolver': - ensure => present, - file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', - notify => Service['unbound']; + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound'], + require => Package['unbound'] } file { -- cgit v1.2.3 From ffb88e54c5e4e30fa61ea1009f3eee62f98ab17c Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 27 Feb 2013 23:46:58 -0800 Subject: openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name. --- puppet/modules/site_openvpn/manifests/init.pp | 45 ++++++++++++++++++---- .../site_openvpn/manifests/server_config.pp | 18 ++++++++- .../templates/leap_add_second_ip.sh.erb | 11 ++++++ .../modules/site_shorewall/manifests/dnat_rule.pp | 21 +++++++++- .../modules/site_webapp/templates/config.yml.erb | 8 ++++ 5 files changed, 93 insertions(+), 10 deletions(-) create mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 165ba96e..0c9f1795 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,9 +1,9 @@ class site_openvpn { tag 'leap_service' + # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") - #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' @@ -12,6 +12,10 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $openvpn_allow_free = $openvpn_config['allow_free'] + $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] + $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] + $openvpn_free_prefix = $openvpn_config['free_prefix'] $x509_config = hiera('x509') # deploy ca + server keys 
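Review bot: The four `$openvpn_free_*` values added in the second hunk are read from hiera and used without any shape check, although `free_gateway_address` is later spliced unquoted into the root shell template (the leap_add_second_ip.sh.erb hunk) and into a shorewall DNAT destination (the dnat_rule.pp hunk), and `free_prefix` becomes the value of an OpenVPN `tls-remote` option. A `validate_re` on the address and prefix, plus `validate_bool($openvpn_allow_free)`, placed right after the lookups would turn a bad provider config into a compile error instead of a broken gateway or firewall rule. Note also that `if $openvpn_allow_free` in the next hunk and `<% if @openvpn_allow_free %>` in the template both treat a quoted YAML `"false"` as true in this Puppet/ERB generation, so the value needs to be a real boolean (or go through stdlib's `str2bool`).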
@@ -26,22 +30,47 @@ class site_openvpn { push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } + site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + local => $openvpn_gateway_address, server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - local => $openvpn_gateway_address, management => '127.0.0.1 1001' } + if $openvpn_allow_free { + site_openvpn::server_config { 'free_tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + management => '127.0.0.1 1002' + } + site_openvpn::server_config { 'free_udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_free_gateway_address, + tls_remote => "\"${openvpn_free_prefix}\"", + shaper => $openvpn_free_rate_limit, + server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + management => '127.0.0.1 1003' + } + } else { + tidy { "/etc/openvpn/free_tcp_config.conf": } + tidy { "/etc/openvpn/free_udp_config.conf": } + } + # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev ${interface} | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev ${interface} -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -", - mode => '0755', + file { + '/usr/local/bin/leap_add_second_ip.sh': + content => template('site_openvpn/leap_add_second_ip.sh.erb'), + mode => '0755'; } exec { '/usr/local/bin/leap_add_second_ip.sh': 
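Review bot: The `tls_remote` restriction is applied only to the two `free_*` daemons, while `tcp_config` and `udp_config` in the same hunk still accept any client certificate the CA issued, so a certificate with the FREE prefix can connect to the unshaped gateway address and skip the rate limit entirely unless something outside this diff (a `tls-verify` hook or a separate CA for free certificates) rejects it there. Giving the paid daemons a matching exclusion, or issuing free certificates from a distinct CA, is what actually enforces the split. Separately, the `tidy` resources in the `else` branch remove the generated `.conf` files but carry no `notify => Service['openvpn']`, so a running free daemon would presumably stay up until the next unrelated restart — worth confirming against how the openvpn module manages the service. The class `site_openvpn` continues outside the hunk.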
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 436dd272..1f42400a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -52,7 +52,9 @@ # note: the default is BF-CBC (blowfish) # -define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { +define site_openvpn::server_config( + $port, $proto, $local, $server, $push, + $management, $tls_remote = undef, $shaper = undef) { $openvpn_configname = $name @@ -66,6 +68,20 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana notify => Service['openvpn']; } + # special options for the "free" gateway daemons + if $shaper != undef { + openvpn::option { + "shaper $openvpn_configname": + key => 'shaper', + value => $shaper, + server => $openvpn_configname; + "tls-remote $openvpn_configname": + key => 'tls-remote', + value => $tls_remote, + server => $openvpn_configname; + } + } + openvpn::option { "ca $openvpn_configname": key => 'ca', diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb new file mode 100644 index 00000000..40866116 --- /dev/null +++ b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb @@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> + +<% if @openvpn_allow_free %> +ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 || + ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 68f480d8..0b4370df 100644 
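Review bot: The `if $shaper != undef` guard in the second server_config.pp hunk controls the emission of both options, so a caller passing `tls_remote` without `shaper` silently loses the CN restriction, and one passing `shaper` alone emits `tls-remote` with an empty value; each option should be guarded by its own parameter (`if $tls_remote != undef { ... }`). As far as I recall OpenVPN refuses `--shaper` together with `--mode server`, which the `server` directive these daemons already use implies, so the free configs may not start at all — please confirm on the deployed OpenVPN version. `tls-remote` is also deprecated from OpenVPN 2.3 in favour of `verify-x509-name <name> name-prefix`, which makes the prefix matching this feature relies on explicit rather than implicit. The define `site_openvpn::server_config` is declared in the first hunk and its body continues outside this one.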
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -11,7 +11,6 @@ define site_shorewall::dnat_rule { destinationport => $port, order => 100; } - shorewall::rule { "dnat_udp_port_$port": action => 'DNAT', @@ -21,5 +20,25 @@ define site_shorewall::dnat_rule { destinationport => $port, order => 100; } + if $site_openvpn::openvpn_allow_free { + shorewall::rule { + "dnat_free_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + shorewall::rule { + "dnat_free_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } + } } } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 9cf85f0c..cd67d1fd 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,5 +1,13 @@ +<%- cert_options = @webapp['client_certificates'] -%> production: admins: [admin] domain: <%= @provider_domain %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + +cert_options: + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + free_certs_enabled: <%= @webapp['allow_free'].inspect %> + free_cert_prefix: "<%= cert_options['free_prefix'] %>" -- cgit v1.2.3 From 97a17c393f454a32f601db5b6522dd425f325ff3 Mon Sep 17 00:00:00 2001 
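Review bot: The new block reads `$site_openvpn::openvpn_allow_free` and `$site_openvpn::openvpn_free_gateway_address` from inside a define, which only resolves if class `site_openvpn` has already been evaluated when the define is instantiated; otherwise both are undef, the `if` is silently false and no free DNAT rules are created (Puppet emits at most a warning about the unknown variable). Passing the two values in as define parameters, or adding `include site_openvpn` ahead of the lookup, removes the parse-order dependency. The define `site_shorewall::dnat_rule` starts outside the hunk.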
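Review bot: `free_certs_enabled: <%= @webapp['allow_free'].inspect %>` renders `nil` when the key is absent, and unquoted `nil` is the YAML string "nil", which the consuming Rails app will treat as true; `<%= @webapp['allow_free'] ? true : false %>` yields a real boolean in every case. Likewise `.to_i` on a missing `life_span` or `bit_size` silently becomes `0`, and `free_cert_prefix: "<%= ... %>"` drops the prefix into a double-quoted scalar unescaped, so `free_cert_prefix: <%= cert_options['free_prefix'].to_s.inspect %>` is the safer form. The webapp now also carries its own `allow_free` flag next to the openvpn one added in init.pp; if the two drift apart the webapp would issue FREE certificates the gateways do not expect — a comment in the template saying which config is authoritative would help.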
From: varac Date: Thu, 7 Mar 2013 14:58:51 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index dcb8a082..b915a67c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit dcb8a082ac842b0660819ea61f9448c4e373746e +Subproject commit b915a67c6e7e3b1b75400dbbd4a9ac961c8eb032 -- cgit v1.2.3 From 77c8025aebe3a7b83fc128be6e0abe511f9f0888 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 16:36:54 +0100 Subject: increase Exec timeout for dist_upgrade --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index f8ea05fc..91301efd 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,6 +1,6 @@ class site_apt::dist_upgrade { - if $::apt_running == 'true' { + if $::apt_running == 'true' { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') } else { exec{'initial_apt_update': @@ -10,6 +10,7 @@ class site_apt::dist_upgrade { exec{'initial_apt_dist_upgrade': command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", refreshonly => false, + timeout => 1200, } } } -- cgit v1.2.3 From 82d894e5ac82752e88b193acd015e4544141eae1 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 9 Mar 2013 21:14:31 +0100 Subject: couchdb init file moved to couchdb module --- puppet/modules/site_couchdb/files/couchdb | 160 --------------------- puppet/modules/site_couchdb/manifests/configure.pp | 6 - 2 files changed, 166 deletions(-) delete mode 100755 puppet/modules/site_couchdb/files/couchdb (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb deleted file mode 100755 index ccdfe716..00000000 --- a/puppet/modules/site_couchdb/files/couchdb +++ /dev/null 
@@ -1,160 +0,0 @@ -#!/bin/sh -e - -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy of -# the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations under -# the License. - -### BEGIN INIT INFO -# Provides: couchdb -# Required-Start: $local_fs $remote_fs -# Required-Stop: $local_fs $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Apache CouchDB init script -# Description: Apache CouchDB init script for the database server. -### END INIT INFO - -SCRIPT_OK=0 -SCRIPT_ERROR=1 - -DESCRIPTION="database server" -NAME=couchdb -SCRIPT_NAME=`basename $0` -COUCHDB=/usr/bin/couchdb -CONFIGURATION_FILE=/etc/default/couchdb -RUN_DIR=/var/run/couchdb -LSB_LIBRARY=/lib/lsb/init-functions - -if test ! -x $COUCHDB; then - exit $SCRIPT_ERROR -fi - -if test -r $CONFIGURATION_FILE; then - . $CONFIGURATION_FILE -fi - -log_daemon_msg () { - # Dummy function to be replaced by LSB library. - - echo $@ -} - -log_end_msg () { - # Dummy function to be replaced by LSB library. - - if test "$1" != "0"; then - echo "Error with $DESCRIPTION: $NAME" - fi - return $1 -} - -if test -r $LSB_LIBRARY; then - . $LSB_LIBRARY -fi - -run_command () { - command="$1" - if test -n "$COUCHDB_OPTIONS"; then - command="$command $COUCHDB_OPTIONS" - fi - if test -n "$COUCHDB_USER"; then - if su $COUCHDB_USER -c "$command"; then - return $SCRIPT_OK - else - return $SCRIPT_ERROR - fi - else - if $command; then - return $SCRIPT_OK - else - return $SCRIPT_ERROR - fi - fi -} - -start_couchdb () { - # Start Apache CouchDB as a background process. 
- - mkdir -p "$RUN_DIR" - chown -R "$COUCHDB_USER" "$RUN_DIR" - command="$COUCHDB -b" - if test -n "$COUCHDB_STDOUT_FILE"; then - command="$command -o $COUCHDB_STDOUT_FILE" - fi - if test -n "$COUCHDB_STDERR_FILE"; then - command="$command -e $COUCHDB_STDERR_FILE" - fi - if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then - command="$command -r $COUCHDB_RESPAWN_TIMEOUT" - fi - run_command "$command" > /dev/null -} - -stop_couchdb () { - # Stop the running Apache CouchDB process. - - run_command "$COUCHDB -d" > /dev/null - pkill -u couchdb - # always return true even if no remaining couchdb procs got killed - /bin/true -} - -display_status () { - # Display the status of the running Apache CouchDB process. - - run_command "$COUCHDB -s" -} - -parse_script_option_list () { - # Parse arguments passed to the script and take appropriate action. - - case "$1" in - start) - log_daemon_msg "Starting $DESCRIPTION" $NAME - if start_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - ;; - stop) - log_daemon_msg "Stopping $DESCRIPTION" $NAME - if stop_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESCRIPTION" $NAME - if stop_couchdb; then - if start_couchdb; then - log_end_msg $SCRIPT_OK - else - log_end_msg $SCRIPT_ERROR - fi - else - log_end_msg $SCRIPT_ERROR - fi - ;; - status) - display_status - ;; - *) - cat << EOF >&2 -Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status} -EOF - exit $SCRIPT_ERROR - ;; - esac -} - -parse_script_option_list $@ diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 333511b5..c921ad6a 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp 
@@ -1,11 +1,5 @@ class site_couchdb::configure { - file { '/etc/init.d/couchdb': - source => 'puppet:///modules/site_couchdb/couchdb', - mode => '0755', - owner => 'root', - group => 'root', - } file { '/etc/couchdb/local.d/admin.ini': content => "[admins] -- cgit v1.2.3 From 0af4cb352017db95606f64f69b316d360bf2675d Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 15:50:43 +0100 Subject: increase timeout for initial_apt_update to 6 min --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 91301efd..08de31bb 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -6,6 +6,7 @@ class site_apt::dist_upgrade { exec{'initial_apt_update': command => '/usr/bin/apt-get update', refreshonly => false, + timeout => 360, } exec{'initial_apt_dist_upgrade': command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", -- cgit v1.2.3 From 0ae8194ef3a3f8065ff455b4daddc0d62c105ace Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 15:55:35 +0100 Subject: futon is enabled by default on bigcouch in default.ini we need to find another way to disable futon, it won't work disabling it here --- puppet/modules/site_couchdb/files/local.ini | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index b3376cbb..22aa0177 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini 
@@ -28,8 +28,10 @@ [httpd_global_handlers] ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} +# futon is enabled by default on bigcouch in default.ini +# we need to find another way to disable futon, it won't work disabling it here # enable futon -_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} +#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} # disable futon #_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} -- cgit v1.2.3 From 46f1b83431cff1c30e7cda9bc99505d35f37f309 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:10:39 +0100 Subject: site_couchdb::configure moved to couchdb --- puppet/modules/site_couchdb/manifests/configure.pp | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/configure.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp deleted file mode 100644 index c921ad6a..00000000 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ /dev/null @@ -1,21 +0,0 @@ -class site_couchdb::configure { - - - file { '/etc/couchdb/local.d/admin.ini': - content => "[admins] -admin = $site_couchdb::couchdb_admin_pw -", - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - notify => Service[couchdb] - } - - - exec { '/etc/init.d/couchdb restart; sleep 6': - path => ['/bin', '/usr/bin',], - subscribe => File['/etc/couchdb/local.d/admin.ini', - '/etc/couchdb/local.ini'], - refreshonly => true - } -} -- cgit v1.2.3 From 0f5e0b0e5102deab700d25ca4fd4845f15db8529 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:13:03 +0100 Subject: use bigcouch in site_couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9ecde5e6..35470b5d 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,6 +1,5 @@ -class site_couchdb { +class site_couchdb ( $bigcouch = false ) { tag 'leap_service' - include couchdb $x509 = hiera('x509') $key = $x509['key'] @@ -17,20 +16,18 @@ class site_couchdb { $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - Package ['couchdb'] - -> File['/etc/init.d/couchdb'] - -> File['/etc/couchdb/local.ini'] - -> File['/etc/couchdb/local.d/admin.ini'] - -> File['/etc/couchdb/couchdb.netrc'] + class {'couchdb': + bigcouch => $bigcouch, + admin_pw => $couchdb_admin_pw + } + + Service ['couchdb'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - include site_couchdb::configure - include couchdb::deploy_config - site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': key => $key, cert => $cert -- cgit v1.2.3 From daef6834ad05d8516afc784b5e0cb42ecb84db92 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 16:14:02 +0100 Subject: automatic update of submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 2df66c04..095a5a01 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 2df66c041109ecca1099bf3977657572cc32ad24 +Subproject commit 095a5a01d5a7c7e3d95a71846220545080f7581c -- cgit v1.2.3 From 73b1d0d7e8f359ff48eab1918282eb8cd2f9afb0 Mon Sep 17 00:00:00 2001 
From: varac Date: Sun, 10 Mar 2013 16:14:32 +0100 Subject: automatic update of submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index 077d4d15..dafb060f 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 077d4d1508b9ff3355f73ff8597991043b3ba5d9 +Subproject commit dafb060fc57957dbe9e5e90698537e781cebeaf6 -- cgit v1.2.3 From 01941d905a71a2088ec080703f4e5430dec7a2ec Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 10 Mar 2013 17:29:12 +0100 Subject: pass couchdb cookie to class couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 35470b5d..419e4122 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -15,10 +15,13 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $bigcouch_config = $couchdb_config['bigcouch'] + $bigcouch_cookie = $bigcouch_config['cookie'] class {'couchdb': - bigcouch => $bigcouch, - admin_pw => $couchdb_admin_pw + bigcouch => $bigcouch, + admin_pw => $couchdb_admin_pw, + bigcouch_cookie => $bigcouch_cookie } Service ['couchdb'] -- cgit v1.2.3 From 5b582c647fc598222ccaa68046ea55832e1145c4 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Mar 2013 14:33:52 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b915a67c..546350d6 160000 --- a/puppet/modules/couchdb 
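Review bot: `$bigcouch_config = $couchdb_config['bigcouch']` and `$bigcouch_cookie = $bigcouch_config['cookie']` run unconditionally although the class still defaults to `$bigcouch = false`; on a plain-couchdb node whose hiera has no `bigcouch` section the second lookup indexes `undef`, which as far as I recall fails the catalog in this Puppet generation (and otherwise passes `undef` as the cookie). Wrapping the two lookups in `if $bigcouch { ... }` keeps non-bigcouch nodes compiling. Also worth a comment next to `bigcouch_cookie`: the Erlang cookie is the cluster's node-authentication secret, and passing it as a class parameter puts it into the compiled catalog and any reports, so it deserves the same handling as `admin_pw`. The class `site_couchdb` starts outside the hunk.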
+++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit b915a67c6e7e3b1b75400dbbd4a9ac961c8eb032 +Subproject commit 546350d6f6e83e9ea22db79d07bdc38c694fbcdb -- cgit v1.2.3 From 91877ee952ed89107f800309c23c34e84fc3fd90 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Mar 2013 16:10:06 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 546350d6..7c9462a0 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 546350d6f6e83e9ea22db79d07bdc38c694fbcdb +Subproject commit 7c9462a0fab1c6e499b62caa2093dedfa9c8adc8 -- cgit v1.2.3 From 9c1c97b2e2e5b2f361bebe991d7229d271773e24 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Mar 2013 23:54:28 +0100 Subject: enable leap deb package repository and leap apt key on all hosts --- puppet/modules/site_apt/files/keys/leap_key.asc | 63 +++++++++++++++++++++++++ puppet/modules/site_apt/manifests/init.pp | 3 ++ puppet/modules/site_apt/manifests/leap_repo.pp | 6 +++ 3 files changed, 72 insertions(+) create mode 100644 puppet/modules/site_apt/files/keys/leap_key.asc create mode 100644 puppet/modules/site_apt/manifests/leap_repo.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc new file mode 100644 index 00000000..b69251f0 --- /dev/null +++ b/puppet/modules/site_apt/files/keys/leap_key.asc 
@@ -0,0 +1,63 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en +Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ +LRz9WSWqDjOAYsb4B5pwmSPAKYtmRAxLVzdxUsuHs2HxRO4VWnaNJQEBj7j7zuGs +gvSJBSq9Vici6cGI9c1fsWyKsnp7R6M54mmQRbsCg2+G/N0hqOz0HE6ZlJKVKaZq +uTrPxGWFuU3mAUpzFLa6Wj8DSUYiWZ/xrqiFdbB4t1HM3vlKB9LEg93DEuG/8Q0T +g2KS0lEWxequBXyE6+jklDNqJeyHmfgkuAfFlkNYa5870XT87MzGE/hS40lbmhQV +HHlwxMkAiERMc0Ys+OfgUJMbIDQBNRFg3Q/bjajFoVBgBoKFp7C22zgoJkUNT+7H +Yv/t6zeDlIzNhgYms5d0gEiAeLauwju36BmwUsbQHwejWKP8pADRZL1bTj0E+rRU +M4FFNh9D2XTFFKaaNubub8tUmo+ZUIEEKfPhNHK9wS/bsFyPv9y3HLe2b3NYGFK5 ++Hznqg8N0H+29I7zLx7VpOh3iRN3Lbxv9dMmukVJtw8Rq/Udprd3Z5p8oCisFo+k +nY+J+IgNjC0eniN8rkkl/4rIN5fvvOR8YCts50hL1fAy3dd/MKExz+QTXQARAQAB +tClMRUFQIGFyY2hpdmUgc2lnbmluZyBrZXkgPHN5c2RldkBsZWFwLnNlPokCHAQQ +AQoABgUCURPzwAAKCRBIWxL6IY6B65FzEACn1Q+9dcLig6yCRPGF8d5qdnWYquts +fLc/W8P9uFCo4bLFhy+BlalZVhOSPt2KMBCApoW0fAc5aXOWjxEmtFOvziPtJ0N7 +uJj7y8XLk1//v7QXDJNYotiO82b9XTmF2G9URhxe/YU7mgx1cRW9X2h6LOG4VCIw +Bd00wM9vV984f50hpftdyjCcWTO9WoSus7dOL457DhcX7uX89AGUJLC9RTiaDtIL +/G/VEM8pIx5zW6Q2TwUXndVsNqyG5s0J0908KNyp5IPI66M07rR939JVAL8HXMxY +KdA9pxkKzPSThx8yWZknJoINsUhrd5ijfiA6kM7HJlJF1SnwyHSSs3KydKHj5zN2 +n3oGGT0bjZiXZHShsWa5mjEvCJ7oqwtcCdo8thW128LY2/0h3JkSsYdgdsJjGJbG +76nYjCIZYa6the4+QI8HM2WG5nrZL4B/EnYHK2lDdeVy/ynu96YhC4mdk566Vcqs +RrWJgRxImkSbxp3f6SAOsLwOdmrs52wCoEpAYPMbu79jb2G7JbR4uDB0i/pXCp+c +aleyKb4ve2EjHAY/VPF5BXKaQh3JIvGKVEZIv5ospoosr78UHBk60RMMzDSlOFso +BcB6Plpqoq4lI/4Zh8M1+eDjAOnOKwQanS4Hv7O2PqldGBUAXS3m6OI2Kvv3VqnM +X0GOB2sX4Ox8UYkCPQQTAQoAJwUCURLC3QIbAwUJAeEzgAULCQgHAwUVCgkICwUW +AgMBAAIeAQIXgAAKCRAeNKGCjiB5AZBiD/wJwUVZjfNeWdpKrYy9HtZExtTcU/94 +3lgRUNinUuLPFU4i2s+hR3h5fzXR15nUD+IBJlXlzLV2G/IjXYPTp4a0gqHpWULa +b5Stu7AzFiO42/RWUAzWD1Fyh6SuZ3FDERvheid8s4SXoe6y4cJ5ErfSlJS6qqku +8ss8mS8lM1Mp+lc9wYTWQ+8hmSUivAZb9WLEljFxhvEnvAKPwD18o7+S9GABFwYs 
+xflQvKZHguaOVqBEksry+vu8okWNrg3Ll3dDQEeahr7nrLrHe8gqONJgOE9jjxRv +bJmGtIUTyGqgWZZzBfQXL/6uXL23bWkYZDkQNhfsm+colAV8gpj+/E3q/uMXwqz1 +bv06K/LsK3NHzBNE57kJHEhg9K3Uw2Wx5qwFMU1GDxsB3P9p+TyqAboEZAB2irTR +y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp +F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ +M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo +qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw +F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm +g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT +q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT +sAAQ527wz742Bd6SpuhqBpdEw6YiCYxEoo5kBY3IhP3L5OTS4tzhOkdf1xlhWSnC +FE7NkPcK6o+r6qCcUqRGV9jRwI97JlPKegEHYWvLD4Sk31pWi8NZ0toU/nqRvxbh +htHxuNf3jeAAzxQBhGVi0C/IBr4vqyFqmEHr9JxIa3DTV8w/a0Y4hX2bczL9Y1cB +6n8qOA68aAn+xerJcSOroTIJh83D/7OguexGGYoZBDvX6dWguf8udFPeYpJvkT6T +SYF9U0JpVTtlCNutjScUO2uaV9+uDqACngwqbzBTjL8UucAleVcFfOi48yepnOd1 +1YFYxbw+/BcqLNhi1eP2AaGxIgXbR88tF9OC0SXaCH+1Z1bbalOmQNYstOv9BbsH +vW7mPgX2xhyoDkVRWaNAQoDLbnJr4gi9cD8/kQMzdlGOzt2ist/+xueblXJs5TOO +80Rw+AEAEQEAAYkCJQQYAQoADwUCURLC3QIbDAUJAeEzgAAKCRAeNKGCjiB5AdMq +D/9SXulJq6Q4U7aN6o7TLMU2MgqeWqtBqwTNIisBoSJjXq9Od4iN2S5Akwo/ZQO0 +1nRNPPc9yjwidgb7wCUFDNglUDuGS2nXaQ0XAO83qHMOsORN2S93dO6xVRX2Chhz +l9bUr1WIQcM+lIs/LZCX2rvKlsFYmZQHX/ibhQs7T01RXajwJqwxyXyVPL+kPNeo +wva4ZUf6rzdqKZLfFgyJyGdHI18bF6lahgHdN2OOawEeU2K+MlluR3ZahoyN4u1M +qijf6snmfd0++EIqDHwYPn70F4JPdMhyuVpYBVyVtsgHy9W5fS+zSj+vX+qj6MBX +dFBs+a9nr8GZJO4BUP2mtyNgmEfUVQefSHnq+0OlGPZG4raxTEqJfp2KTRCGB4hI +zYWO1g1cOBeXxFfXJdkX8LoKbP5s2Kzn9sAK6BxmazOvSNpuimCDNvKjR00iKNS4 +Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl +cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP +Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 +JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== +=4STg +-----END PGP PUBLIC KEY 
BLOCK----- diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 80c6fbde..1f8456b2 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -2,6 +2,9 @@ class site_apt { include ::apt + # enable http://deb.leap.se debian package repository + include site_apt::leap_repo + apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp new file mode 100644 index 00000000..7b2128cd --- /dev/null +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -0,0 +1,6 @@ +class site_apt::leap_repo { + apt::sources_list {'leap.list': + content => "deb http://deb.leap.se/debian $::lsbdistcodename main" + } + +} -- cgit v1.2.3 From e29cd9b4f4d26afd28b31c5b225eb1bac3416ed0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 Mar 2013 10:35:15 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7c9462a0..f6f1af54 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7c9462a0fab1c6e499b62caa2093dedfa9c8adc8 +Subproject commit f6f1af547d4be89cc9b3ac03eb9ab23ba41ee7a7 -- cgit v1.2.3 From 65afb3a013fedd7c2d5eef15ac879a41c51de8e0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 Mar 2013 10:56:24 +0100 Subject: install apt key before apt-get update --- puppet/modules/site_apt/manifests/leap_repo.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 7b2128cd..81559abd 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp 
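Review bot: Nothing in this commit installs the key it adds under `files/keys/leap_key.asc`; `site_apt::leap_repo` only writes the sources list, and the `include` added to `site_apt` does not reference the key either. Unless the shared apt module picks up `site_apt/keys/*.asc` on its own (not visible here), `apt-get update` will report deb.leap.se as unauthenticated and installs from it would need `--allow-unauthenticated`, which defeats the point of shipping the key. Add the key resource the shared apt module provides for that purpose next to the `apt::sources_list` in `leap_repo.pp`, order it before the repository refresh, and say so in a comment: `# signing key for deb.leap.se; must be present before apt-get update runs`.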
@@ -1,6 +1,7 @@
 class site_apt::leap_repo {
 apt::sources_list {'leap.list':
- content => "deb http://deb.leap.se/debian $::lsbdistcodename main"
+ content => "deb http://deb.leap.se/debian ${::lsbdistcodename} main",
+ before => Exec[refresh_apt]
 }
 }
-- cgit v1.2.3 From 19cb13cf3f71bd9b99bed8c0bc214325460d8459 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 Mar 2013 14:26:13 +0100 Subject: automatic update of submodule couchdb
--- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules')
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index f6f1af54..f0e4edd5 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit f6f1af547d4be89cc9b3ac03eb9ab23ba41ee7a7
+Subproject commit f0e4edd5861107014ebb53c1ee4897f8e0bde8d8
-- cgit v1.2.3 From 04d9283f30993ce201ccee47bcef3a55239c5ad8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 11:43:11 +0100 Subject: added cloudants apt key, FP: BAF9 B315 D438 5FB9 B5DE 334B 59E0 1FBD 15BE 8E26
--- .../modules/site_apt/files/keys/cloudant-key.asc | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 puppet/modules/site_apt/files/keys/cloudant-key.asc (limited to 'puppet/modules')
diff --git a/puppet/modules/site_apt/files/keys/cloudant-key.asc b/puppet/modules/site_apt/files/keys/cloudant-key.asc
new file mode 100644
index 00000000..99716a3c
--- /dev/null
+++ b/puppet/modules/site_apt/files/keys/cloudant-key.asc
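Review bot: `Exec[refresh_apt]` is a bareword reference to a resource declared inside the shared apt module, so the coupling deserves a quoted title and a comment: `before => Exec['refresh_apt'], # the apt module's apt-get update; the source must exist first`. The subject says the key is installed before apt-get update, but the hunk only orders the sources list; whatever resource deploys `leap_key.asc` needs the same `before`, otherwise the first update still runs against a repository apt cannot verify.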
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFE7fhIBEACrDREcODnhdugNozMeBawOm2irpNCP54yMljST/DOXx1uo3gQw +HnVcQ4lL7lXhbfL6Tp0WhrNYTWbbWHO0DaQbW0GQMHa2BGG0Xm0HPrjr3j55tAcM +NPr0ArDuplq4Py2pwviZiEtQkkn+biH9oV+N3jNO+8+zVHLVU7pHaX6Yd7HAxFM8 +XX+7SeVtplZ7nvSxUREiMNxQb9o0kYNRPS+b0UjiIXHrFO9afl7lTdg/I8AhKWa0 +3jJoY/IRvVopJblISQNGFipR11Lpu5sOHghgz4V8mk/in7JLMmoqSl5DP5VhRII8 +OyADBjaUJD2mkv5cGaevqpB4AId78X9+Y62gFJrGkIHY9uBxIUkRe+leYI4Zz4Bm +D9qBIbEY/kKkblTlC1G7u3qbGQcsbCRVIOnhruCih7vifcP40YwGUk5NmDA5AE78 +OovCGYGp4zMepDTSJxGT3sJOTEbzN09so6C7fQWBeQiiG5Uepp1q+VnaGpT1L4rc +Y6yRbu9dOFj6WzY4W5HtnbalzTIEYy+SIGZqRkJt6jREYLiFfyrpSFIgGoJAs0yx +9M0McXfeOod69TPufB1PeppnBwFcTmYNYxakusQxAebRDPEBZqoEgl0gMmxWbAdI +nxGMWWnSsN/Dj0dXRf1MG/5akOhX2zQcUzBOE2m/Xr5kjDPYFtFxVJDGzQARAQAB +tDNDbG91ZGFudCBQYWNrYWdlIFNpZ25pbmcgS2V5IDxzdXBwb3J0QGNsb3VkYW50 +LmNvbT6JAj4EEwECACgFAlE7fhICGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJEFngH70Vvo4mciIP/AlqHA/LDtSYfrFwdXifY2ImCMyzYvH40Ko2 +DHCw2qDjvK5UXn1iWuzXidT7DrxOfYoZpzySRP7VGyHxa3VPhOtzLDZSvTpk9ELo +2x2IczUwLC17M0Iis4CpqlxSFIBYGX78pMzvsEyC4TFqUDfXRlye3apjD0iwK0hE +kdP1+TPdJjhWImJm+3TLu45zTw3Ph5dnf5pLQPNhKfBSdku+vRrd35N5hHso9S1y +Z3NrxcQlWnXuqkLIA14gM7qbBFD+el9Y+tZ7ERGYg3s5uNDQRTb0QC8zg/um2+zW +4hHmuRcWY3n8IgHcYUruC1VyrrsFIWWMyLv7SZkAAoSY+jKyESDfYpJQ8jtZ4EF9 +2/gYm4FgZR8j4gWkzHSLGVt/4EIykJZb0yIg/QEovmmHqpy8xYri3goMSl4h7tfF +TOCZLTzTyQ7xONdyEsrvQPhmdtXEgvSo5S7ZU9kkx32OjCoshLLjhtqAipBgEXqb +hElFo1oSyOVoGc7UNh7KNBjWfeP8dNdCbIbIYPMeM0/CVjD60kW5ZEVDuYglT+Rz +enJJvS4Hs+fq8cFNxMB+l64qE7iS+I6RP2bPeQM2aBa2UZNWxUIbXF7bb3zLrCGn +GT8GF1AFRoW3GiDzB7QnLVp8BhIaqFUzbDim+5mFFG8wguxHTiz4snDdQXq2Es6V +UETFsNsluQINBFE7fhIBEADIyLHyBh8AKJKQHksFAPHOyA48ocxgQDpQnqYlQcAK +D8eUbRXciIz4ePBmvjaQmz8wJgWULc04u4i9jK8Jd/Ks+VhEz3AjRBfjvkBaVMog +FMPKaoDn9LVMBSZJ3fcC1DVck1oO8LnFIdktt0zhvzG+pV5b/UTRsVZmwNh1p2dM +4cJswxlksJXYnI9tFA74qiomDCPYM0zpv7TEjX23PZTLqTSHP5aWctx+MIEtdoqp 
+EsEDL6npvYBRz/tuL41cUWs7CItH131Hyuizo4vGrxgWPnoXIxLmLOOZCMk/kbx0 +XCSvengqYwNgAOlIjewtTw+WJm1gtNQQeKmaXBX7njf2Wz7LI/0KVxttEpKT5/5y +embOGn7My9i7zOc1frMCDivIOTQDBZTzR9o7/6wUJ69DIoFLMlO8UcCK3R7o5VUI +ezx+XYsOAD7D2vKoiD8Se65Vnax2rfFlLP7OQqdem5l2lkHpJzP3lA8qmA2MfJ7V +jsk7eDSyJQjG5c6KBoaFlYGhp/E2kR82cAKVaFIbW3euMM4XK6Mgzy3+DVKfk8mu +AEuHub7plfxM+65yjLNAK6l6IKtY1HfM7F4GFyNSd3mNNcWN7ceIHh8Ur4DeD2Tp +7r3XcWd6/czLYNsw2BAHeVUxnMTCeGN99UZTtHgVq9IJMOCDOPwMSzHFfZ6sNaYL +qQARAQABiQIlBBgBAgAPBQJRO34SAhsMBQkB4TOAAAoJEFngH70Vvo4mpokP/jJJ +2mXdhMVqZCtZhwphJfdxg8nBERzrd6ebXxKbTq1MmSN/fDwLknPabFHUpzk1ADCf +6mh2o0HB+67yMzo1UVtyfPOaHgCE/pWer5ultJM8gOdpBfSWL8jRwU8ZQ4fDu3z8 +AC6zTNq7znOVLEzZPy8U7q5Rt5/6QdQYoTLe6DwlLmkflzWP5VWi/mTGvtu/t5OV +tGZkzBYQ5QAXRXXkKswqkJpQFuW6d1vlYm9+x/+Q1+2kGT+CKbRAkqkf77qVcyJR +1M2JQSs4ko+rLMZzr01sYA+EBD17nxqV8vUdYebNc9Qnk8Aphid1zarUbySgAdnJ +5SLAjLe/6N6IEE9F3uKsPEs87gJrnwrYHRrmu0wAPwA0cMmtgD4Bz7Iiz4CLYPFW +rHpQCA313K+rS/LLfLBL66wIRKcPuYIFR9N03jX9eGR6qtk0b5Zb3YjWOo4V9Q1r +o+g6IB0Us5vH6ISuokq7Bv+8cXhEMVoctL9A8xWN1KDkweZ+7dNWCGV8lUWKy3Hw +ig6hENH6H7J57U8H2v2aZTeUo6e7VDP9gddNKPSEEeoBKfVnWYGoG8mVPQ2PzTgZ +ZO2vwp4c3Ix/kIV3xe+/Opcq1lxYhD7HSre1MB7HOeFmis6tBBjMJPaatZVfzj1v +6Uhz5oUCwcPol8rsp69DvGVUPSHfDwBxurDX71oG +=lEm7 +-----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From c13bbca2cbf1c458aae32460e758d5e7d8a46183 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 15:35:50 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f0e4edd5..77b80561 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f0e4edd5861107014ebb53c1ee4897f8e0bde8d8 +Subproject commit 77b80561e187c93f7c48f5ac4136e800702b0cec -- cgit v1.2.3 From e358ef4e33cbf9411d57c11d58657331d7ba8a62 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 14 Mar 2013 18:01:01 +0100 Subject: use custom preferences for couchdb host --- puppet/modules/site_apt/manifests/init.pp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 1f8456b2..f420b0cc 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,6 +1,13 @@ -class site_apt { +class site_apt { - include ::apt + # on couchdb we need to include squeeze in apt preferences, + # so the cloudant package can pull some packages from squeeze + if 'couchdb' in $::services { + $custom_preferences = 'site_apt/preferences.include_squeeze' + } else { + $custom_preferences = '' + } + class {'apt': custom_preferences => $custom_preferences } # enable http://deb.leap.se debian package repository include site_apt::leap_repo -- cgit v1.2.3 From 0c61b8e76a4bf813886d4f8458b6002f7d143faa Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 18:27:51 +0100 Subject: added apt preferences template that includes squeeze --- .../site_apt/templates/preferences.include_squeeze | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 puppet/modules/site_apt/templates/preferences.include_squeeze (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/templates/preferences.include_squeeze b/puppet/modules/site_apt/templates/preferences.include_squeeze new file mode 100644 index 00000000..d10c2864 --- /dev/null +++ b/puppet/modules/site_apt/templates/preferences.include_squeeze 
@@ -0,0 +1,25 @@ +Explanation: Debian wheezy +Package: * +Pin: release o=Debian,n=wheezy +Pin-Priority: 990 + +Explanation: Debian wheezy-updates +Package: * +Pin: release o=Debian,n=wheezy-updates +Pin-Priority: 990 + +Explanation: Debian sid +Package: * +Pin: release o=Debian,n=sid +Pin-Priority: 1 + +Explanation: De +Package: * +Pin: release o=Debian,n=squeeze +Pin-Priority: 980 + +Explanation: Debian fallback +Package: * +Pin: release o=Debian +Pin-Priority: -10 + -- cgit v1.2.3 From 3a99b7085c5a6c329adb9277b71f41e0ad9478a4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 18:28:44 +0100 Subject: pass template() to apt --- puppet/modules/site_apt/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index f420b0cc..de854d58 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -2,8 +2,9 @@ class site_apt { # on couchdb we need to include squeeze in apt preferences, # so the cloudant package can pull some packages from squeeze + # template() must be unquoted ! if 'couchdb' in $::services { - $custom_preferences = 'site_apt/preferences.include_squeeze' + $custom_preferences = template("site_apt/preferences.include_squeeze") } else { $custom_preferences = '' } -- cgit v1.2.3 From cd5394748dd83d3fa5c8a67dc6123e3b02034c2e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 19:10:49 +0100 Subject: include cloudant package repo for bigcouch server --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 419e4122..25956938 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
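Review bot: The fourth stanza's `Explanation: De` line is cut off and, given the `n=squeeze` pin beneath it, presumably meant `Explanation: Debian squeeze`. More importantly, that stanza pins `Package: *` from squeeze at 980 on a wheezy host: anything wheezy does not ship is silently taken from oldstable and stops receiving security fixes when squeeze support ends. Since the stated purpose is to satisfy the cloudant package's dependencies, consider listing those packages in the `Package:` field instead of `*`, and recording the reason in the `Explanation:` line so the pin can be dropped once it is no longer needed.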
@@ -23,6 +23,7 @@ class site_couchdb ( $bigcouch = false ) {
 admin_pw => $couchdb_admin_pw,
 bigcouch_cookie => $bigcouch_cookie
 }
+ include couchdb::bigcouch::package::cloudant
 Service ['couchdb']
 -> Couchdb::Create_db['users']
-- cgit v1.2.3 From 00254ef4fda9b9be88d69df498c3c53c8a6a79da Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 20:34:10 +0100 Subject: automatic update of submodule apt
--- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules')
diff --git a/puppet/modules/apt b/puppet/modules/apt
index f16a0727..c8a28eb8 160000
--- a/puppet/modules/apt
+++ b/puppet/modules/apt
@@ -1 +1 @@
-Subproject commit f16a0727dce187d07389388da8b816f7b520205d
+Subproject commit c8a28eb80ec87e65d5cacb2d109d4c0bcbbc76db
-- cgit v1.2.3 From 5af58e103fb8a45d095786777909d19e6dabb120 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 14 Mar 2013 22:20:35 +0100 Subject: automatic update of submodule apt
--- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules')
diff --git a/puppet/modules/apt b/puppet/modules/apt
index c8a28eb8..7e8113b3 160000
--- a/puppet/modules/apt
+++ b/puppet/modules/apt
@@ -1 +1 @@
-Subproject commit c8a28eb80ec87e65d5cacb2d109d4c0bcbbc76db
+Subproject commit 7e8113b3fcf6f251ca9d5e2f39f43fd024058c97
-- cgit v1.2.3 From 3c5c31e74954ebb7a55c9455809ea55375f273d5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Mar 2013 13:49:38 -0400 Subject: add shared stunnel module
--- puppet/modules/stunnel | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/stunnel (limited to 'puppet/modules')
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
new file mode 160000
index 00000000..03b51fcb
--- /dev/null
+++ b/puppet/modules/stunnel
@@ -0,0 +1 @@
+Subproject commit 03b51fcb718734f4b2ea76c038ffbe9b2b348b1a
-- cgit v1.2.3 From d4b45da9a521a6faf17f9ba7742bcee897a503cc Mon Sep 17 00:00:00 2001
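Review bot: `include couchdb::bigcouch::package::cloudant` is unconditional, while the class parameter in the hunk header defaults to `$bigcouch = false`, so plain couchdb nodes get the third-party cloudant apt source as well. Guard it with the parameter, `if $bigcouch { include couchdb::bigcouch::package::cloudant }`, so the extra repository is only enabled on hosts that actually install bigcouch. The enclosing class `site_couchdb` starts and ends outside the hunk.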
From: Micah Anderson Date: Thu, 14 Mar 2013 13:58:06 -0400 Subject: remove apache ssl proxy in preparation of replacing it with a stunnel setup This presents us with an interesting problem of deprecation. We need to manage the removal of something that we previously installed in any released code. How long we carry the puppet code that removes raises some interesting questions: do we require that someone who deployed version 1 (where the apache ssl proxy was deployed) of the platform upgrade first to version 2 (where we remove the apache ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal is no longer present) -- or do we allow people to skip versions? --- .../site_apache/files/vhosts.d/couchdb_proxy.conf | 10 -------- .../site_couchdb/manifests/apache_ssl_proxy.pp | 30 +++++++--------------- puppet/modules/site_couchdb/manifests/init.pp | 7 ++--- 3 files changed, 11 insertions(+), 36 deletions(-) delete mode 100644 puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf deleted file mode 100644 index 0dff2cd6..00000000 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ /dev/null @@ -1,10 +0,0 @@ -Listen 0.0.0.0:6984 - - - SSLEngine On - SSLProxyEngine On - SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key - SSLCertificateFile /etc/x509/certs/leap_couchdb.crt - ProxyPass / http://127.0.0.1:5984/ - ProxyPassReverse / http://127.0.0.1:5984/ - diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 7739473e..536dd8db 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp 
@@ -1,25 +1,13 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
+class site_couchdb::apache_ssl_proxy {
- $apache_no_default_site = true
- include apache
- apache::module {
- 'proxy': ensure => present;
- 'proxy_http': ensure => present;
- 'rewrite': ensure => present;
- 'ssl': ensure => present;
- }
- apache::vhost::file { 'couchdb_proxy': }
+# This is here to disable the previously configured apache ssl proxy
+# we were using this, but have switched to stunnel instead.
+#
+# Unfortunately, the current apache shared module doesn't handle
+# ensure=>absent, so this is going to be done the crude way, and will only
+# work for debian+derivitives, which is fine for now, but not good for the
+# future
- x509::key {
- 'leap_couchdb':
- content => $key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_couchdb':
- content => $cert,
- notify => Service[apache];
- }
+ package { 'apache2': ensure => absent }
 }
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 25956938..6f648c51 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -30,12 +30,9 @@ class site_couchdb ( $bigcouch = false ) {
 -> Couchdb::Create_db['client_certificates']
 -> Couchdb::Add_user[$couchdb_webapp_user]
 -> Couchdb::Add_user[$couchdb_ca_daemon_user]
- -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
- site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
- key => $key,
- cert => $cert
- }
+ # this is here to disable and remove the proxy
+ include site_couchdb::apache_ssl_proxy
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
-- cgit v1.2.3 From 8687640aa9ec3591d0f038e40547a7c9c5e59443 Mon Sep 17 00:00:00 2001
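Review bot: `package { 'apache2': ensure => absent }` removes the binaries but leaves configuration behind, including the vhost the former `apache::vhost::file { 'couchdb_proxy': }` deployed, which per the deleted `couchdb_proxy.conf` listens on `0.0.0.0:6984` and points at the `leap_couchdb` key; if apache2 is ever reinstalled on a couchdb host for another purpose, the old proxy comes back alongside the stunnel replacement. Use `ensure => purged`, or add a `file { ...: ensure => absent }` for that vhost (its path depends on the shared apache module), and state the choice in the comment block. The comment block also misspells `derivitives` (`derivatives`).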
From: Micah Anderson Date: Thu, 14 Mar 2013 14:05:23 -0400 Subject: add a basic site_stunnel that takes care of some generic functionality that all stunnel client/servers will need handled (at least in debian and ubuntu)
--- puppet/modules/site_stunnel/manifests/init.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 puppet/modules/site_stunnel/manifests/init.pp (limited to 'puppet/modules')
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
new file mode 100644
index 00000000..6ba2c4b8
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -0,0 +1,18 @@
+class site_stunnel {
+
+ # include the generic stunnel module
+ # increase the number of open files to allow for 800 connections
+ $stunnel_default_extra = 'ulimit -n 4096'
+ include stunnel
+
+ # The stunnel.conf provided by the Debian package is broken by default
+ # so we get rid of it and just define our own. See #549384
+ if !defined(File['/etc/stunnel/stunnel.conf']) {
+ file {
+ # this file is a broken config installed by the package
+ '/etc/stunnel/stunnel.conf':
+ ensure => absent;
+ }
+ }
+}
+
-- cgit v1.2.3 From 42a040ac79e1c92d12b6bb9661bbf05ace44d622 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Mar 2013 18:22:15 -0400 Subject: add couchdb stunnel server
--- puppet/modules/site_couchdb/manifests/init.pp | 8 +++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 42 ++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/stunnel.pp (limited to 'puppet/modules')
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6f648c51..d317de65 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
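Review bot: `if !defined(File['/etc/stunnel/stunnel.conf'])` is parse-order dependent: it only sees a resource the shared stunnel module has already declared when this class is evaluated, so the same manifest can either remove the file or raise a duplicate-declaration error depending on include order. If the module does not manage that path the guard is dead code, and if it does the conflict belongs in the module; a comment stating which case applies would help, e.g. `# the shared stunnel module does not manage stunnel.conf; drop the broken package default (see #549384)`. Setting `$stunnel_default_extra` before `include stunnel` presumably relies on dynamic scoping to reach the module, which is deprecated in Puppet 3 and worth a note on that line.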
@@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) {
 $x509 = hiera('x509')
 $key = $x509['key']
 $cert = $x509['cert']
+ $ca = $x509['ca_cert']
 $couchdb_config = hiera('couch')
 $couchdb_users = $couchdb_config['users']
 $couchdb_admin = $couchdb_users['admin']
@@ -34,6 +35,13 @@ class site_couchdb ( $bigcouch = false ) {
 # this is here to disable and remove the proxy
 include site_couchdb::apache_ssl_proxy
+ # the above apache_ssl_proxy is replaced by the following stunnel
+ class { 'site_couchdb::stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
+ }
+
 couchdb::query::setup { 'localhost':
 user => $couchdb_admin_user,
 pw => $couchdb_admin_pw
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..b4635951
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -0,0 +1,42 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+ include x509::variables
+ include site_stunnel
+
+ $cert_name = 'leap_couchdb'
+ $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key {
+ $cert_name:
+ content => $key,
+ notify => Service['stunnel'];
+ }
+
+ x509::cert {
+ $cert_name:
+ content => $cert,
+ notify => Service['stunnel'];
+ }
+
+ x509::ca {
+ $cert_name:
+ content => $ca,
+ notify => Service['stunnel'];
+ }
+
+ stunnel::service { 'couchdb':
+ accept => '6984',
+ connect => '127.0.0.1:5984',
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/couchdb.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+}
+
-- cgit v1.2.3 From 90c5b205c4764351e6ea707b965c5e6daca1c0b7 Mon Sep 17 00:00:00 2001
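Review bot: `$ca_path` points stunnel at `${x509::variables::certs}/leap_client_ca.crt`, but the only CA this class deploys is `x509::ca { 'leap_couchdb': content => $ca }`, which lands under its own name; unless another class writes `leap_client_ca.crt`, the service starts with a missing `cafile` and every client handshake fails. Either derive `$ca_path` from the `x509::ca` resource's name or name that resource after the client CA, and note in a comment that `$ca` must be the CA that signs the webapp client certificates rather than the server CA (the hunk only shows it comes from `$x509['ca_cert']`). `verify => '2'` accepts any certificate chaining to that CA, which is fine for a dedicated client CA and should be stated: `verify => '2', # require a client cert issued by the client CA`. `site_webapp/manifests/couchdb_stunnel.pp` in the next commit has the same `$ca_path` / `x509::ca` mismatch.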
From: Micah Anderson Date: Thu, 14 Mar 2013 18:36:40 -0400 Subject: add couchdb stunnel clients --- puppet/modules/site_webapp/manifests/couchdb.pp | 9 +++++ .../site_webapp/manifests/couchdb_stunnel.pp | 42 ++++++++++++++++++++++ .../manifests/couchdb_stunnel/clients.pp | 17 +++++++++ 3 files changed, 68 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel.pp create mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6cac666f..26de62ee 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,5 +1,9 @@ class site_webapp::couchdb { + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] $webapp = hiera('webapp') $couchdb_host = $webapp['couchdb_hosts'] $couchdb_user = $webapp['couchdb_user']['username'] @@ -13,4 +17,9 @@ class site_webapp::couchdb { mode => '0600'; } + class { 'site_webapp::couchdb_stunnel': + key => $key, + cert => $cert, + ca => $ca + } } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp new file mode 100644 index 00000000..e6657e13 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp 
@@ -0,0 +1,42 @@ +class site_webapp::couchdb_stunnel ($key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $cert_name = 'leap_couchdb' + $ca_path = "${x509::variables::certs}/leap_client_ca.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $cert_name: + content => $ca, + notify => Service['stunnel']; + } + + $couchdb_stunnel_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + + create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp new file mode 100644 index 00000000..eac43b08 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp @@ -0,0 +1,17 @@ +define site_webapp::couchdb_stunnel::clients + ( $accept_port, $connect, $client, $cafile, $key, $cert, + $verify, $pid = $name, $rndfile, $debuglevel ) { + + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel + } + } -- cgit v1.2.3 From 02e99153b1c83e9acd151188d4ce22091475322e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 15 Mar 2013 09:19:30 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
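Review bot: The `:6984` in `connect => "${connect}:6984"` hard-codes the port that `site_couchdb::stunnel` happens to expose, so the two classes can drift apart silently; make it a parameter with that default (`$connect_port = '6984'`) or at least comment the coupling: `# 6984 is the accept port of site_couchdb::stunnel`. The `$verify` value supplied through the defaults hash is `'2'`, which on the client side only checks that the server certificate chains to `cafile`, not that it belongs to the host in `$connect`; since that `cafile` is named `leap_client_ca.crt`, if the server certificate is issued by the same CA as the client certificates, any holder of a client certificate could stand in for the couchdb server, and if it is not, verification fails outright. Verify level 3 with the server certificate installed locally, or a CA used only for server certificates, would close that gap and deserves a comment on the `verify` line either way.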
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 77b80561..988df731 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 77b80561e187c93f7c48f5ac4136e800702b0cec +Subproject commit 988df7312ec9204b62eedadea9ff2504e5cb10f6 -- cgit v1.2.3 From 9daaf13f44148c26251932edfd71965659986197 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 15 Mar 2013 20:48:00 +0100 Subject: automatic update of submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index 7e8113b3..6bf7a6ab 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 7e8113b3fcf6f251ca9d5e2f39f43fd024058c97 +Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 -- cgit v1.2.3 From 7c5f2117c8edb12304fb1221bc00e07b9734dff6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 15 Mar 2013 20:59:54 +0100 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 988df731..a4809d6b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 988df7312ec9204b62eedadea9ff2504e5cb10f6 +Subproject commit a4809d6b0627431f72de916abee1214418c01c9d -- cgit v1.2.3 From a275999ab39b49afa2bb0c998c58aec424b4a8c0 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 16 Mar 2013 13:57:14 +0100 Subject: pick the first couchdb host for webapp couch config Until we have a proper load balancing setup (see https://leap.se/code/issues/1994) --- puppet/modules/site_webapp/manifests/couchdb.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6cac666f..9312cdb1 100644 
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,7 +1,10 @@
 class site_webapp::couchdb {
 $webapp = hiera('webapp')
- $couchdb_host = $webapp['couchdb_hosts']
+ $couchdb_hosts = $webapp['couchdb_hosts']
+ # for now, pick the first couchdb host before we have a working
+ # load balancing setup (see https://leap.se/code/issues/1994)
+ $couchdb_host = $couchdb_hosts[0]
 $couchdb_user = $webapp['couchdb_user']['username']
 $couchdb_password = $webapp['couchdb_user']['password']
-- cgit v1.2.3 From ad62cfdad04c8f8ed9d6454f716c92e850ac53ba Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 17 Mar 2013 13:15:51 -0700 Subject: added support for "limited" service levels (although vpn is not yet actually rate limited).
--- puppet/modules/site_openvpn/README | 20 +++ puppet/modules/site_openvpn/manifests/init.pp | 150 +++++++++++++-------- puppet/modules/site_openvpn/manifests/resolver.pp | 90 +++++++++---- .../site_openvpn/manifests/server_config.pp | 9 +- .../site_openvpn/templates/add_gateway_ips.sh.erb | 11 ++ .../templates/leap_add_second_ip.sh.erb | 11 -- .../modules/site_shorewall/manifests/dnat_rule.pp | 40 +++--- puppet/modules/site_shorewall/manifests/eip.pp | 61 +++++---- .../modules/site_webapp/templates/config.yml.erb | 13 +- 9 files changed, 255 insertions(+), 150 deletions(-) create mode 100644 puppet/modules/site_openvpn/README create mode 100644 puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb delete mode 100644 puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb (limited to 'puppet/modules')
diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README
new file mode 100644
index 00000000..cef5be23
--- /dev/null
+++ b/puppet/modules/site_openvpn/README
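Review bot: `$couchdb_host = $couchdb_hosts[0]` silently narrows the configured list to one node, and if hiera ever yields an empty array or a bare string the result is an undefined host or, depending on the Puppet version, a single character or a compile error rather than a clear failure. Add `validate_array($couchdb_hosts)` from stdlib (already used by this platform) ahead of it, and keep the comment pointing at the issue so the workaround is removed together with the load-balancing work. The enclosing class continues past the hunk.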
@@ -0,0 +1,20 @@ +Place to look when debugging problems +======================================== + +Log files: + + openvpn: /var/log/syslog + shorewall: /var/log/syslog + shorewall startup: /var/log/shorewall-init.log + +Check NAT masq: + + iptables -t nat --list-rules + +Check interfaces: + + ip addr ls + +Scripts: + + /usr/local/bin/add_gateway_ips.sh \ No newline at end of file diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 0c9f1795..c54bb782 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,84 +1,128 @@ +# +# An openvpn gateway can support three modes: +# +# (1) limited and unlimited +# (2) unlimited only +# (3) limited only +# +# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', +# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# +# We potentially create four openvpn config files (thus four daemons): +# +# (1) unlimited + tcp => tcp_config.conf +# (2) unlimited + udp => udp_config.conf +# (3) limited + tcp => limited_tcp_config.conf +# (4) limited + udp => limited_udp_config.conf +# + class site_openvpn { tag 'leap_service' - # parse hiera config - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - $openvpn_allow_free = $openvpn_config['allow_free'] - $openvpn_free_gateway_address = $openvpn_config['free_gateway_address'] - $openvpn_free_rate_limit = $openvpn_config['free_rate_limit'] - $openvpn_free_prefix = $openvpn_config['free_prefix'] - $x509_config = hiera('x509') + $openvpn_config = hiera('openvpn') + $x509_config = hiera('x509') + $ip_address = hiera('ip_address') + $interface = getvar("interface_${ip_address}") + $openvpn_ports = $openvpn_config['ports'] + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_second_gateway_address = undef + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } + + $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] + $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix'] + $openvpn_unlimited_tcp_network_prefix = '10.41.0' + $openvpn_unlimited_tcp_netmask = 
'255.255.248.0' + $openvpn_unlimited_tcp_cidr = '21' + $openvpn_unlimited_udp_network_prefix = '10.42.0' + $openvpn_unlimited_udp_netmask = '255.255.248.0' + $openvpn_unlimited_udp_cidr = '21' + + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' # deploy ca + server keys include site_openvpn::keys - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000' + if $openvpn_allow_unlimited and $openvpn_allow_limited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = $openvpn_second_gateway_address + } elsif $openvpn_allow_unlimited { + $unlimited_gateway_address = $openvpn_gateway_address + $limited_gateway_address = undef + } elsif $openvpn_allow_limited { + $unlimited_gateway_address = undef + $limited_gateway_address = $openvpn_gateway_address } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $openvpn_gateway_address, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", - management => '127.0.0.1 1001' + if $openvpn_allow_unlimited { + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => 
"${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", + management => '127.0.0.1 1001' + } + } else { + tidy { "/etc/openvpn/tcp_config.conf": } + tidy { "/etc/openvpn/udp_config.conf": } } - if $openvpn_allow_free { - site_openvpn::server_config { 'free_tcp_config': + if $openvpn_allow_limited { + site_openvpn::server_config { 'limited_tcp_config': port => '1194', proto => 'tcp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", management => '127.0.0.1 1002' } - site_openvpn::server_config { 'free_udp_config': + site_openvpn::server_config { 'limited_udp_config': port => '1194', proto => 'udp', - local => $openvpn_free_gateway_address, - tls_remote => "\"${openvpn_free_prefix}\"", - shaper => $openvpn_free_rate_limit, - server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", + push => "\"dhcp-option DNS 
${openvpn_limited_udp_network_prefix}.1\"", management => '127.0.0.1 1003' } } else { - tidy { "/etc/openvpn/free_tcp_config.conf": } - tidy { "/etc/openvpn/free_udp_config.conf": } + tidy { "/etc/openvpn/limited_tcp_config.conf": } + tidy { "/etc/openvpn/limited_udp_config.conf": } } - # add second IP on given interface file { - '/usr/local/bin/leap_add_second_ip.sh': - content => template('site_openvpn/leap_add_second_ip.sh.erb'), + '/usr/local/bin/add_gateway_ips.sh': + content => template('site_openvpn/add_gateway_ips.sh.erb'), mode => '0755'; } - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + exec { '/usr/local/bin/add_gateway_ips.sh': + subscribe => File['/usr/local/bin/add_gateway_ips.sh'], } - cron { 'leap_add_second_ip.sh': - command => '/usr/local/bin/leap_add_second_ip.sh', + cron { 'add_gateway_ips.sh': + command => '/usr/local/bin/add_gateway_ips.sh', user => 'root', special => 'reboot', } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 26785edb..dc31767c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
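Review bot: When both `allow_unlimited` and `allow_limited` are set, `$limited_gateway_address` is taken from `$openvpn_second_gateway_address`, which stays undef whenever `second_gateway_address` is missing from the hiera 'openvpn' hash; the two limited daemons are then declared with `local => undef`, which depending on the Puppet version either aborts with an unhelpful "Must pass local" error or renders a config with no `local` directive and lets OpenVPN bind every address, including the unlimited gateway's. A `fail()` in that branch, e.g. `if $openvpn_second_gateway_address == undef { fail('openvpn.second_gateway_address is required when limited and unlimited gateways are both enabled') }`, makes the requirement explicit. Separately, `$openvpn_rate_limit` is still read from hiera but nothing consumes it now that `shaper` was removed from `server_config`; either drop it or say in the header comment that limited daemons are not yet throttled, so a reader does not assume they are. The class body continues past the end of the hunk.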
@@ -1,5 +1,53 @@ class site_openvpn::resolver { + if $site_openvpn::openvpn_allow_unlimited { + $ensure_unlimited = 'present' + file { + '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_unlimited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + } + + if $site_openvpn::openvpn_allow_limited { + $ensure_limited = 'present' + file { + '/etc/unbound/conf.d/vpn_limited_udp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", + owner => root, + group => root, + mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; + } + } else { + $ensure_limited = 'absent' + tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } + tidy { 
'/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + } + # this is an unfortunate way to get around the fact that the version of # unbound we are working with does not accept a wildcard include directive # (/etc/unbound/conf.d/*), when it does, these line definitions should 
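Review bot: The four `file` resources for `vpn_{unlimited,limited}_{udp,tcp}_resolver` differ only in which network-prefix and cidr variable they interpolate, and the second hunk of this file repeats the pattern for four `line` resources; a small define (say `site_openvpn::resolver_config`) taking the kind and protocol from `$name` and the prefix, cidr and `$ensure` as parameters would collapse both blocks and keep the `interface:` / `access-control:` format in one place. The class also reads `$site_openvpn::openvpn_allow_unlimited` and `$site_openvpn::openvpn_allow_limited` without declaring a dependency on `site_openvpn`, so evaluation order decides whether they are set; an `include site_openvpn` at the top, or `Class['site_openvpn'] -> Class['site_openvpn::resolver']` at the call site, would make that visible.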
@@ -7,36 +55,30 @@ class site_openvpn::resolver { # include: /etc/unbound/conf.d/* line { - 'add_tcp_resolver': - ensure => present, + 'add_unlimited_tcp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', notify => Service['unbound'], require => Package['unbound']; - - 'add_udp_resolver': - ensure => present, + 'add_unlimited_udp_resolver': + ensure => $ensure_unlimited, file => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_tcp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', + notify => Service['unbound'], + require => Package['unbound']; + 'add_limited_udp_resolver': + ensure => $ensure_limited, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', notify => Service['unbound'], require => Package['unbound'] } - file { - '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - - '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, - group => root, - mode => '0644', - require => Service['openvpn'], - notify => Service['unbound']; - } } 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 1f42400a..a2e769e1 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -54,7 +54,7 @@ define site_openvpn::server_config(
 $port, $proto, $local, $server, $push,
- $management, $tls_remote = undef, $shaper = undef) {
+ $management, $tls_remote = undef) {
 $openvpn_configname = $name
@@ -68,13 +68,8 @@ define site_openvpn::server_config(
 notify => Service['openvpn'];
 }
- # special options for the "free" gateway daemons
- if $shaper != undef {
+ if $tls_remote != undef {
 openvpn::option {
- "shaper $openvpn_configname":
- key => 'shaper',
- value => $shaper,
- server => $openvpn_configname;
 "tls-remote $openvpn_configname":
 key => 'tls-remote',
 value => $tls_remote,
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
new file mode 100644
index 00000000..ed06a95e
--- /dev/null
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %>
+
+<% if @openvpn_second_gateway_address %>
+ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
+ ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %>
+<% end %>
+
+/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb b/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb
deleted file mode 100644
index 40866116..00000000
--- a/puppet/modules/site_openvpn/templates/leap_add_second_ip.sh.erb
+++ /dev/null
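Review bot: The `tls-remote` option emitted under `if $tls_remote != undef {` matches the client certificate's common name by prefix, so the limited/unlimited separation is only as strong as the two configured prefixes being disjoint: if `limited_prefix` is itself a prefix of `unlimited_prefix` (or the reverse), certificates of one class are accepted by the other daemon, and nothing here checks that. A comment above the block, e.g. `# tls-remote is a CN *prefix* match: limited_prefix and unlimited_prefix must not be prefixes of one another`, records the constraint, and where the installed OpenVPN supports it, `verify-x509-name <prefix> name-prefix` is the non-deprecated equivalent. The `openvpn::option` declaration continues past the end of the hunk.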
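Review bot: `grep -q <%= @openvpn_gateway_address %>/24` uses the address as an unanchored regular expression, so each `.` matches any character and a longer address that merely contains the string also satisfies the test, skipping the `ip addr add`; `grep -qF -- "<%= @openvpn_gateway_address %>/24 "` (fixed string, trailing space to end the token as `ip addr show` prints it) is the safer check, and the same applies to the second-gateway test. The `/24` prefix length is hard-coded for both addresses and presumably mirrors the interface's netmask; a one-line comment saying so would stop it being treated as a property of the gateway addresses.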
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 ||
- ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %>
-
-<% if @openvpn_allow_free %>
-ip addr show dev <%= @interface %> | grep -q <%= @openvpn_free_gateway_address %>/24 ||
- ip addr add <%= @openvpn_free_gateway_address %>/24 dev <%= @interface %>
-<% end %>
-
-/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 0b4370df..e1ea86ec 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -2,30 +2,32 @@ define site_shorewall::dnat_rule {
 $port = $name
 if $port != 1194 {
- shorewall::rule {
- "dnat_tcp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'tcp',
- destinationport => $port,
- order => 100;
- }
- shorewall::rule {
- "dnat_udp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'udp',
- destinationport => $port,
- order => 100;
+ if $site_openvpn::openvpn_allow_paid {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::paid_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::paid_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
 }
 if $site_openvpn::openvpn_allow_free {
 shorewall::rule {
 "dnat_free_tcp_port_$port":
 action => 'DNAT',
 source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::free_gateway_address}:1194",
 proto => 'tcp',
 destinationport => $port,
 order => 100;
@@ -34,7 +36,7 @@ define site_shorewall::dnat_rule {
 "dnat_free_udp_port_$port":
 action => 'DNAT',
 source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::free_gateway_address}:1194",
 proto => 'udp',
 destinationport => $port,
 order => 100;
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index d2bf3c4c..95c3920e 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
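Review bot: The new branch reads `$site_openvpn::openvpn_allow_paid` and `$site_openvpn::paid_gateway_address`, and the retained branch now reads `$site_openvpn::free_gateway_address` next to `$site_openvpn::openvpn_allow_free`, but the `site_openvpn` class in this same commit defines `$openvpn_allow_unlimited`, `$unlimited_gateway_address`, `$openvpn_allow_limited` and `$limited_gateway_address` and drops the `free` variables, so none of the names used here exist any more. Puppet resolves an unknown qualified variable to undef (with a warning at most), which means both `if` blocks are skipped for every port other than 1194 and no DNAT rule is created, silently breaking the alternate-port gateways. Renaming to `if $site_openvpn::openvpn_allow_unlimited {` with `destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194"`, and `if $site_openvpn::openvpn_allow_limited {` with `${site_openvpn::limited_gateway_address}`, fixes it; the second hunk's `destination` line under `dnat_free_udp_port` needs the same change, and the `dnat_free_*` titles should be renamed to match.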
@@ -3,10 +3,6 @@ class site_shorewall::eip {
 include site_shorewall::defaults
 include site_shorewall::ip_forward
- $openvpn_config = hiera('openvpn')
- $openvpn_ports = $openvpn_config['ports']
- $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
-
 # define macro for incoming services
 file { '/etc/shorewall/macro.leap_eip':
 content => "PARAM - - tcp 1194
@@ -16,41 +12,45 @@ PARAM - - udp 1194 require => Package['shorewall'] } - shorewall::interface { 'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; 'tun1': zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs' + options => 'tcpflags,blacklist,nosmurfs'; + 'tun2': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun3': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone { + 'eip': + type => 'ipv4'; + } - shorewall::zone {'eip': - type => 'ipv4'; } - - case $::virtual { - 'virtualbox': { - shorewall::masq { - 'eth0_tcp': - interface => 'eth0', - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; - 'eth0_udp': - interface => 'eth0', - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } - default: { - $interface = $site_shorewall::defaults::interface - shorewall::masq { - "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + if $::virtual == 'virtualbox' { + $interface = 'eth0' + } else { + $interface = $site_shorewall::defaults::interface + } - "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } + shorewall::masq { + "${interface}_unlimited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; + "${interface}_unlimited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; + "${interface}_limited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + "${interface}_limited_udp": + interface => $interface, + source => 
"${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; } shorewall::policy { @@ -70,7 +70,6 @@ PARAM - - udp 1194 } # create dnat rule for each port - #create_resources('site_shorewall::dnat_rule', $openvpn_ports) - site_shorewall::dnat_rule { $openvpn_ports: } + site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: } } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index cd67d1fd..af778212 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -6,8 +6,11 @@ production: client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> cert_options: - client_cert_lifespan: <%= cert_options['life_span'].to_i %> - client_cert_bit_size: <%= cert_options['bit_size'].to_i %> - client_cert_hash: <%= cert_options['digest'] %> - free_certs_enabled: <%= @webapp['allow_free'].inspect %> - free_cert_prefix: "<%= cert_options['free_prefix'] %>" + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %> + allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %> + allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> + limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" + unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" -- cgit v1.2.3 From 6609b3ed4125d1e46ba16b5bc7d7957bcbee6a42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 17 Mar 2013 22:58:10 -0400 Subject: fix webapp/couchdb stunnel certificate authority --- puppet/modules/site_couchdb/manifests/stunnel.pp | 7 ++++--- puppet/modules/site_webapp/manifests/couchdb_stunnel.pp | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) (limited to 'puppet/modules') 
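Review bot: The four `shorewall::masq` entries and the `tun2`/`tun3` interfaces are declared unconditionally, so masquerading for the limited networks is enabled on hosts where `allow_limited` is off (and likewise for unlimited), and the tun-number-to-daemon mapping relies on OpenVPN numbering tunnels in the order the configs start. Wrapping each pair in `if $site_openvpn::openvpn_allow_unlimited { … }` / `if $site_openvpn::openvpn_allow_limited { … }`, mirroring `site_openvpn`, keeps the NAT and interface surface equal to what is actually served; as written the extra rules only match source ranges no daemon hands out, so this is a least-privilege and readability point rather than a functional break.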
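Review bot: `<%= @webapp['allow_anonymous_certs'].inspect %>` (and the two sibling `allow_*_certs` lines) renders the bare word `nil` when the key is absent from the 'webapp' hiera hash, and a YAML loader reads unquoted `nil` as the string "nil", which is truthy in Ruby, so a flag nobody configured can come out as enabled on the webapp side. Emitting a real boolean, e.g. `allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'] ? true : false %>`, or raising in the template when the key is missing, keeps an unset flag from widening certificate issuance.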
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index b4635951..1afe25a4 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -4,9 +4,10 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 include site_stunnel
 $cert_name = 'leap_couchdb'
- $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
 $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
 x509::key { $cert_name:
@@ -21,7 +22,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 }
 x509::ca {
- $cert_name:
+ $ca_name:
 content => $ca,
 notify => Service['stunnel'];
 }
diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp
index e6657e13..325b18ee 100644
--- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp
@@ -4,9 +4,10 @@ class site_webapp::couchdb_stunnel ($key, $cert, $ca) {
 include site_stunnel
 $cert_name = 'leap_couchdb'
- $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
 $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
 x509::key { $cert_name:
@@ -21,7 +22,7 @@ class site_webapp::couchdb_stunnel ($key, $cert, $ca) {
 }
 x509::ca {
- $cert_name:
+ $ca_name:
 content => $ca,
 notify => Service['stunnel'];
 }
-- cgit v1.2.3
From fbae857865f3e2d61d9e55693c5cce411f7565ca Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 18 Mar 2013 18:24:16 +0100
Subject: Webapp: Use stunnel localhost:5000 for couchdb connection
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 4 +++-
 puppet/modules/site_webapp/templates/couchdb.yml.erb | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index b8a4201d..f3488227 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -8,7 +8,9 @@ class site_webapp::couchdb {
 $couchdb_hosts = $webapp['couchdb_hosts']
 # for now, pick the first couchdb host before we have a working
 # load balancing setup (see https://leap.se/code/issues/1994)
- $couchdb_host = $couchdb_hosts[0]
+ # which is configured through a stunnel connection, reachable
+ # through localhost:5000
+ $couchdb_host = 'localhost'
 $couchdb_user = $webapp['couchdb_user']['username']
 $couchdb_password = $webapp['couchdb_user']['password']
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index ee521713..d9ecb4b2 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -1,8 +1,8 @@
 production:
 prefix: ""
- protocol: 'https'
+ protocol: 'http'
 host: <%= @couchdb_host %>
- port: 6984
+ port: 5000
 username: <%= @couchdb_user %>
 password: <%= @couchdb_password %>
-- cgit v1.2.3
From 1d14c34e7f4456452d289b23eb1d2ebf00de11b2 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Mar 2013 14:26:58 -0400
Subject: turn off automatic updates of couchdb design docs (#1979)
---
 puppet/modules/site_webapp/templates/couchdb.yml.erb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'puppet/modules')
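Review bot: `protocol: 'http'` with `port: 5000` is only acceptable because `host` is the local stunnel listener that re-encrypts towards CouchDB; the template does not say so, and a later edit pointing `host` at a remote CouchDB would send the `username`/`password` below in clear text. A comment in the template, e.g. `# plaintext http is only safe for the localhost stunnel listener; never point host at a remote node`, plus the same note next to `$couchdb_host = 'localhost'` in the first hunk of couchdb.pp, keeps that constraint with the code that depends on it.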
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index d9ecb4b2..3ae255b0 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -3,6 +3,7 @@ production:
 protocol: 'http'
 host: <%= @couchdb_host %>
 port: 5000
+ auto_update_design_doc: false
 username: <%= @couchdb_user %>
 password: <%= @couchdb_password %>
-- cgit v1.2.3
From 036506d757423241618774a639778fc9be1413cd Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Mar 2013 14:50:14 -0400
Subject: Migrate the couchdb design documents during webapp deploy (#1976)
---
 puppet/modules/site_webapp/files/migrate_design_documents | 13 +++++++++++++
 puppet/modules/site_webapp/manifests/couchdb.pp | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_webapp/files/migrate_design_documents
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents
new file mode 100644
index 00000000..3441e086
--- /dev/null
+++ b/puppet/modules/site_webapp/files/migrate_design_documents
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+cd /srv/leap-webapp
+
+# use admin credentials
+mv config/couchdb.yml.admin config/couchdb.yml
+
+# needs to be run twice
+/usr/bin/bundle exec rake couchrest:migrate
+/usr/bin/bundle exec rake couchrest:migrate
+
+# use user credentials and remove admin credentials
+mv config/couchdb.yml.webapp config/couchdb.yml
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index f3488227..095cdb9d 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
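Review bot: The script swaps the admin credentials into `config/couchdb.yml` with `mv` and only swaps the webapp credentials back on its last line, with no `set -e` and no exit trap, so if either `rake couchrest:migrate` fails or the script is interrupted the webapp keeps running with the admin credentials as its live config, and because the admin file was moved rather than copied a rerun fails at the first `mv`. Adding `set -e` after the shebang, using `cp config/couchdb.yml.admin config/couchdb.yml` for the swap-in, and registering `trap 'cp config/couchdb.yml.webapp config/couchdb.yml' EXIT` before the rake calls (dropping the final `mv`) guarantees the unprivileged credentials are restored on every exit path and keeps both source files for the next run. The `cd /srv/leap-webapp` is also unchecked; under `set -e` a missing directory stops the script before any credential swap.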
@@ -20,6 +20,12 @@ class site_webapp::couchdb {
 owner => leap-webapp,
 group => leap-webapp,
 mode => '0600';
+
+ '/usr/local/sbin/migrate_design_documents':
+ source => 'puppet:///modules/site_webapp/migrate_design_documents',
+ owner => root,
+ group => root,
+ mode => '0744';
 }
 class { 'site_webapp::couchdb_stunnel':
@@ -27,4 +33,10 @@ class site_webapp::couchdb {
 cert => $cert,
 ca => $ca
 }
-}
+
+ exec { 'migrate_design_documents':
+ cwd => '/srv/leap-webapp',
+ commmand => '/usr/local/sbin/migrate_design_documents',
+ require => Exec['bundler_update'],
+ notify => Service['apache'];
+ }
-- cgit v1.2.3
From 5e29e380df9b1ace765ea31254c3fb6e9e0e0cb4 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sun, 17 Mar 2013 22:57:27 -0400
Subject: add haproxy submodule
---
 puppet/modules/haproxy | 1 +
 1 file changed, 1 insertion(+)
 create mode 160000 puppet/modules/haproxy
(limited to 'puppet/modules')
diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy
new file mode 160000
index 00000000..967e0097
--- /dev/null
+++ b/puppet/modules/haproxy
@@ -0,0 +1 @@
+Subproject commit 967e0097f9447d6c73eeb99ef4b0df2a941820c3
-- cgit v1.2.3
From 7c7ca311ff00c5cddaee892c173354a69f4e59e4 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Mar 2013 16:07:00 -0400
Subject: add some generic haproxy defaults
---
 puppet/modules/site_haproxy/manifests/init.pp | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 puppet/modules/site_haproxy/manifests/init.pp
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp
new file mode 100644
index 00000000..7cb10ab2
--- /dev/null
+++ b/puppet/modules/site_haproxy/manifests/init.pp
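Review bot: `exec { 'migrate_design_documents': … }` has no `refreshonly`, `creates` or `unless`, so the migration script runs on every Puppet run and, through `notify => Service['apache']`, restarts apache on every run as well. `refreshonly => true` together with `subscribe => Exec['bundler_update']` (or `subscribe => File['/usr/local/sbin/migrate_design_documents']`) limits it to runs where the deploy actually changed something. The parameter is also spelled `commmand`, which Puppet rejects as invalid, and the hunk removes the class's closing brace without putting it back after the new `exec`.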
@@ -0,0 +1,25 @@
+class site_haproxy {
+
+ class { 'haproxy':
+ enable => true,
+ manage_service => true,
+ global_options => {
+ 'log' => '127.0.0.1 local0',
+ 'maxconn' => '4096',
+ 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy',
+ 'chroot' => '/usr/share/haproxy',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => ''
+ },
+ defaults_options => {
+ 'log' => 'global',
+ 'retries' => '3',
+ 'option' => 'redispatch',
+ 'contimeout' => '5000',
+ 'clitimeout' => '50000',
+ 'srvtimeout' => '50000'
+ }
+ }
+
+}
-- cgit v1.2.3
From f1b405b503a76526551ac0110cad8798de46dfd8 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Mar 2013 16:09:34 -0400
Subject: configure site_webapp::haproxy to ship a haproxy config::fragment to setup the haproxy listener 'bigcouch-in'. This haproxy listener is configured to listen on port 4096 (arbitrarily chosen) and balance across the locally configured stunnels to the bigcouch instances It may be that we will need some additional haproxy options for handling persistence, cookies, or other HTTP headers, I'm unsure as of this moment
---
 puppet/modules/site_webapp/manifests/haproxy.pp | 14 ++++++++++++++
 puppet/modules/site_webapp/manifests/init.pp | 1 +
 .../site_webapp/templates/haproxy_couchdb.cfg.erb | 16 ++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 puppet/modules/site_webapp/manifests/haproxy.pp
 create mode 100644 puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp
new file mode 100644
index 00000000..4a7e3c25
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/haproxy.pp
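Review bot: `contimeout`, `clitimeout` and `srvtimeout` in `defaults_options` are the legacy spellings that HAProxy 1.4 and later accept only with a deprecation warning; the current forms are `'timeout connect' => '5000'`, `'timeout client' => '50000'` and `'timeout server' => '50000'`, assuming the haproxy module renders a two-word key verbatim (worth confirming). The `stats` socket line fixes user and group but sets no `level`; stating it explicitly (e.g. appending `level operator`) documents what anyone in group haproxy is allowed to do over that socket instead of relying on the daemon's default.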
@@ -0,0 +1,14 @@
+class site_webapp::haproxy {
+
+ include site_haproxy
+
+ $haproxy = hiera('haproxy')
+ $local_ports = $haproxy['local_ports']
+
+ # Template uses $global_options, $defaults_options
+ concat::fragment { 'leap_haproxy_webapp_couchdb':
+ target => '/etc/haproxy/haproxy.cfg',
+ order => '20',
+ content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index e8134521..ec70a68d 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -17,6 +17,7 @@ class site_webapp {
 include site_webapp::apache
 include site_webapp::couchdb
 include site_webapp::client_ca
+ include site_webapp::haproxy
 group { 'leap-webapp':
 ensure => present,
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
new file mode 100644
index 00000000..a9bdb923
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
@@ -0,0 +1,16 @@
+
+listen bigcouch-in
+ mode http
+ balance roundrobin
+
+ option httplog
+ option dontlognull
+ option tcplog
+
+ bind localhost:4096
+<% for port in @local_ports -%>
+ server couchdb_<%=port%> localhost:<%=port%>
+<% end -%>
+
+
+
-- cgit v1.2.3
From fe8085f670eb3bca10c5bb0d9890e00a0d9c59d9 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Mar 2013 16:37:56 -0400
Subject: configure webapp haproxy couchdb connection
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 6 ++----
 puppet/modules/site_webapp/templates/couchdb.yml.erb | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 095cdb9d..820cc1d2 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
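Review bot: The comment `# Template uses $global_options, $defaults_options` does not describe the template, which reads only `@local_ports`; it should say `# Template uses $local_ports: one haproxy server line per local stunnel port`. `$local_ports` is handed to the template as a list with no check that the 'haproxy' hiera hash actually supplied it, so a missing key renders a `listen` block with no servers and the webapp fails only at request time; `if empty($local_ports) { fail('haproxy.local_ports must list the local stunnel ports') }` before the `concat::fragment` makes the failure a compile-time one.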
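Review bot: The `server couchdb_<%=port%> localhost:<%=port%>` lines carry no `check`, so roundrobin keeps routing requests to a stunnel whose bigcouch backend is down instead of taking it out of rotation; appending `check` to each server line (with `option httpchk` if an application-level probe is wanted) is what lets haproxy fail over. `option tcplog` next to `option httplog` under `mode http` is redundant and can be dropped, and `bind localhost:4096` being loopback-only deserves a comment, since that plus the stunnel hops is what keeps the plaintext leg on the host.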
@@ -6,11 +6,9 @@ class site_webapp::couchdb { $ca = $x509['ca_cert'] $webapp = hiera('webapp') $couchdb_hosts = $webapp['couchdb_hosts'] - # for now, pick the first couchdb host before we have a working - # load balancing setup (see https://leap.se/code/issues/1994) - # which is configured through a stunnel connection, reachable - # through localhost:5000 + # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' + $couchdb_port = '4096' $couchdb_user = $webapp['couchdb_user']['username'] $couchdb_password = $webapp['couchdb_user']['password'] diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index 3ae255b0..4855abd8 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -2,7 +2,7 @@ production: prefix: "" protocol: 'http' host: <%= @couchdb_host %> - port: 5000 + port: <%= @couchdb_port %> auto_update_design_doc: false username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From b5018da40c68058ed47286e276ccfbe02b135e8d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:59:46 -0400 Subject: fix missing closing curly brace --- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 820cc1d2..1d847ca1 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -38,3 +38,4 @@ class site_webapp::couchdb { require => Exec['bundler_update'], notify => Service['apache']; } +} -- cgit v1.2.3 From 01434dcd78746f530f218a7ed8ed37b7b1d5ce71 Mon Sep 17 00:00:00 2001 
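Review bot: Port 4096 is now hard-coded in two unrelated places — `$couchdb_port = '4096'` here and `bind localhost:4096` in `haproxy_couchdb.cfg.erb` — with nothing linking them, so changing one silently breaks the webapp's database connection. Define it once (a variable in `site_webapp::haproxy`, or a key in the `haproxy` hiera hash next to `local_ports`) and reference it from both, e.g. `$couchdb_port = $site_webapp::haproxy::listen_port`. The new comment would read better as `# connect through the local haproxy listener on localhost:4096, see site_webapp::haproxy`. `$couchdb_hosts` is still assigned on the context line above and appears unused in the visible remainder of the class.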
From: Micah Anderson Date: Tue, 19 Mar 2013 17:04:06 -0400 Subject: fix spelling of 'command' parameter --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1d847ca1..760706aa 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -34,7 +34,7 @@ class site_webapp::couchdb { exec { 'migrate_design_documents': cwd => '/srv/leap-webapp', - commmand => '/usr/local/sbin/migrate_design_documents', + command => '/usr/local/sbin/migrate_design_documents', require => Exec['bundler_update'], notify => Service['apache']; } -- cgit v1.2.3 From 9c1c74c359f80cf0e61b62befee0ec5cc04ab4c3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 17:41:37 -0400 Subject: create a separate couchdb.yml.admin that contains the couchdb admin privileges, putting the unprivileged ones in as user webapp in couchdb.yml. This allows us to migrate the couchdb design docs on deployment, but use an unprivileged user the remainder of the time --- puppet/modules/site_webapp/manifests/couchdb.pp | 30 ++++++++++++++-------- .../site_webapp/templates/couchdb.yml.admin.erb | 9 +++++++ .../modules/site_webapp/templates/couchdb.yml.erb | 4 +-- 3 files changed, 30 insertions(+), 13 deletions(-) create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.admin.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 760706aa..e89880fe 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
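Review bot: With the key now spelled `command` the exec actually runs, and it runs as the Puppet agent's user (normally root) on every agent run: the resource sets no `user`, and no `refreshonly`, `creates` or `unless`, so `bundle exec rake` executes with root privileges inside `/srv/leap-webapp` each time. Add `user => 'leap-webapp'` so the migration runs as the account that owns the app tree and the credential files, and consider `refreshonly => true` with a `subscribe` on the CouchDB config files so it only runs when something it depends on changed. `site_webapp::couchdb` continues outside the hunk.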
@@ -1,19 +1,27 @@ class site_webapp::couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $webapp = hiera('webapp') - $couchdb_hosts = $webapp['couchdb_hosts'] + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $webapp = hiera('webapp') + $couchdb_hosts = $webapp['couchdb_hosts'] # haproxy listener on port localhost:4096, see site_webapp::haproxy - $couchdb_host = 'localhost' - $couchdb_port = '4096' - $couchdb_user = $webapp['couchdb_user']['username'] - $couchdb_password = $webapp['couchdb_user']['password'] + $couchdb_host = 'localhost' + $couchdb_port = '4096' + $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] + $couchdb_admin_password = $webapp['couchdb_admin_user']['password'] + $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] + $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] file { - '/srv/leap-webapp/config/couchdb.yml': + '/srv/leap-webapp/config/couchdb.yml.admin': + content => template('site_webapp/couchdb.yml.admin.erb'), + owner => leap-webapp, + group => leap-webapp, + mode => '0600'; + + '/srv/leap-webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb new file mode 100644 index 00000000..a0921add --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb @@ -0,0 +1,9 @@ +production: + prefix: "" + protocol: 'http' + host: <%= @couchdb_host %> + port: <%= @couchdb_port %> + auto_update_design_doc: false + username: <%= @couchdb_admin_user %> + password: <%= @couchdb_admin_password %> + diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index 4855abd8..2bef0af5 100644 
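Review bot: `couchdb.yml.admin` holds the CouchDB admin credentials yet is `owner => leap-webapp` with mode `0600`, i.e. readable by precisely the account the web application runs as, so the admin/webapp split does not take the admin secret out of reach of a compromised webapp. Since `migrate_design_documents` runs as the Puppet agent's user (its exec sets no `user`), the admin file can be `owner => root, group => root, mode => '0600'`, with the migration script copying it into place and restoring the app's ownership of `config/couchdb.yml` afterwards — then only root ever reads the admin password. Nothing in this manifest now writes `/srv/leap-webapp/config/couchdb.yml` at all (only `.admin` and `.webapp`), so the app has no database config until the migration script has run once; that deserves a comment on the `file` resource. The resource continues past the end of the hunk.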
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -4,6 +4,6 @@ production: host: <%= @couchdb_host %> port: <%= @couchdb_port %> auto_update_design_doc: false - username: <%= @couchdb_user %> - password: <%= @couchdb_password %> + username: <%= @couchdb_webapp_user %> + password: <%= @couchdb_webapp_password %> -- cgit v1.2.3 From e69e40e55abcd3d86e1a12ce214bb64851961e13 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 17:57:03 -0400 Subject: cp instead of mv for the couchdb configuration file if we move, then we need to re-create the file on the next deploy --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 3441e086..88d4b8d9 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -3,11 +3,11 @@ cd /srv/leap-webapp # use admin credentials -mv config/couchdb.yml.admin config/couchdb.yml +cp config/couchdb.yml.admin config/couchdb.yml # needs to be run twice /usr/bin/bundle exec rake couchrest:migrate /usr/bin/bundle exec rake couchrest:migrate # use user credentials and remove admin credentials -mv config/couchdb.yml.webapp config/couchdb.yml +cp config/couchdb.yml.webapp config/couchdb.yml -- cgit v1.2.3 From 92ea0355de872a502d552d89ed88729b9b4fbaa2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 18:20:33 -0400 Subject: add webapp secret token that pulls from hiera a 'secret' --- puppet/modules/site_webapp/manifests/init.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ec70a68d..1e6abe42 100644 
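Review bot: The script's exit status is that of the final `cp`, so a failed `rake couchrest:migrate` is invisible to the `migrate_design_documents` exec and Puppet reports success; capture it, e.g. `/usr/bin/bundle exec rake couchrest:migrate && /usr/bin/bundle exec rake couchrest:migrate; rc=$?`, then `exit $rc` after the webapp credentials are restored. The comment `# use user credentials and remove admin credentials` is no longer true now that `cp` leaves `couchdb.yml.admin` in place — `# switch config/couchdb.yml back to the unprivileged credentials` matches what happens. While the admin copy sits in `config/couchdb.yml` the running app has admin rights; a `trap` that performs the restoring `cp` on `EXIT` keeps an interrupted run from leaving it that way. The shebang and any `set -e` are above the hunk.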
--- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -6,6 +6,7 @@ class site_webapp { $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') + $secret_token = $webapp['secret_token'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -111,6 +112,11 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0600'; + + '/srv/leap-webapp/config/initializers/secret_token.rb': + content => "LeapWeb::Application.config.secret_token = '${secret_token}'\n", + owner => leap-webapp, group => leap-webapp, mode => '0644', + notify => Service['apache']; } include site_shorewall::webapp -- cgit v1.2.3 From ffda76a47c7f9d5766325d8cdf13d289430456eb Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 28 Mar 2013 10:01:32 -0700 Subject: added stunnel_server --- puppet/modules/site_webapp/manifests/couchdb.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e89880fe..ef61aeb6 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -5,7 +5,6 @@ class site_webapp::couchdb { $cert = $x509['cert'] $ca = $x509['ca_cert'] $webapp = hiera('webapp') - $couchdb_hosts = $webapp['couchdb_hosts'] # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' $couchdb_port = '4096' -- cgit v1.2.3 From b7ba05040f9f1266d14947f1612fa54060dd37cb Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 29 Mar 2013 14:39:26 -0700 Subject: fixed site_openvpn bug with redefined variable. --- puppet/modules/site_openvpn/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index c54bb782..1ae3fb02 100644 
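Review bot: `secret_token.rb` is written with `mode => '0644'`, so the Rails `secret_token` — the key that signs session cookies, with which any holder can forge a logged-in session — is readable by every local account, while the file entry just above it is `0600`; use `mode => '0600'` here as well, since the `leap-webapp` owner is all the app server needs. The value is interpolated into a single-quoted Ruby literal, so a token containing `'` or `\` breaks the initializer at boot; constrain it before writing (for example `validate_re($secret_token, '^[0-9a-f]+$')` if stdlib is in use, or an explicit `fail()` otherwise). The `file` block this entry belongs to starts above the hunk.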
--- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -25,9 +25,10 @@ class site_openvpn { $interface = getvar("interface_${ip_address}") $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_second_gateway_address = undef if $openvpn_config['second_gateway_address'] { $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } else { + $openvpn_second_gateway_address = undef } $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] -- cgit v1.2.3 From e6b981902c2b20eed9a0f3d279df7be9405745b0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 20:22:57 -0400 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index a4809d6b..66d918dd 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit a4809d6b0627431f72de916abee1214418c01c9d +Subproject commit 66d918ddb6454fd4a30baed9b49baad98e274243 -- cgit v1.2.3 From 3c41a81f1a3e1757ea6b9bda7e1a98dce624ec1d Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 1 Apr 2013 00:05:42 -0700 Subject: added setup.pp --- puppet/modules/site_config/manifests/hosts.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 6c00f3b6..81795f7d 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp 
@@ -1,9 +1,8 @@ class site_config::hosts() { - $hosts = hiera('hosts','') $hostname = hiera('name') - - $domain_public = $site_config::default::domain_hash['full_suffix'] + $domain_hash = hiera('domain') + $domain_public = $domain_hash['full_suffix'] file { "/etc/hostname": ensure => present, -- cgit v1.2.3 From e0354eda8f1dba999c452caf99c40dcb6f7af33e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 08:57:35 +0100 Subject: working on stunnel for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++++++ puppet/modules/site_shorewall/manifests/couchdb.pp | 16 +++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..2133d6da 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -39,5 +39,17 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + stunnel::service { 'bigcouch': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } } diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 9fa59569..5fa1861b 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp 
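Review bot: The new `bigcouch` service is a copy of the `couchdb` service with the same `accept => '6984'` and `connect => '127.0.0.1:5984'` (the `couchdb` service's values are visible as context in the later `ec2727a` hunk), and it also reuses `pid => '/var/run/stunnel4/couchdb.pid'`; two stunnel services cannot both listen on 6984, and a shared pid file is at best confusing for whatever stops and checks the daemons. Give it its own port pair and `pid => '/var/run/stunnel4/bigcouch.pid'`; the pid collision survives into the `7a08ff2` hunk below, whose context line still shows `couchdb.pid`. `verify => '2'` against the site CA is the right setting for a cluster port that other hosts will reach.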
@@ -3,10 +3,13 @@ class site_shorewall::couchdb { include site_shorewall::defaults $couchdb_port = '6984' + # Erlang Port Mapper daemon, used for communication between + # bigcouch cluster nodes + $portmapper_port = '5369' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port", + content => "PARAM - - tcp $couchdb_port $portmapper_port", notify => Service['shorewall'], require => Package['shorewall'] } @@ -20,4 +23,15 @@ class site_shorewall::couchdb { order => 200; } + shorewall::rule { + 'dnat-bigcouch-clustering-to-stunnel': + destination => "net:${::ipaddress}:8080", + destinationport => $portmapper_port, + source => '$FW', + proto => 'tcp', + order => 200, + action => 'DNAT'; + } + + } -- cgit v1.2.3 From cc082541980df1062cb5b2d10f4980cf8b6664c9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 13:54:40 +0100 Subject: moved generic stunnel config from site_webapp to site_stunnel --- puppet/modules/site_stunnel/manifests/clients.pp | 32 ++++++++++++++++ puppet/modules/site_stunnel/manifests/setup.pp | 30 +++++++++++++++ puppet/modules/site_webapp/manifests/couchdb.pp | 21 +++++++++-- .../site_webapp/manifests/couchdb_stunnel.pp | 43 ---------------------- .../manifests/couchdb_stunnel/clients.pp | 17 --------- 5 files changed, 79 insertions(+), 64 deletions(-) create mode 100644 puppet/modules/site_stunnel/manifests/clients.pp create mode 100644 puppet/modules/site_stunnel/manifests/setup.pp delete mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel.pp delete mode 100644 puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp new file mode 100644 index 00000000..28ed6d3c --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/clients.pp 
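Review bot: The comment on `$portmapper_port = '5369'` calls it the Erlang Port Mapper daemon port, but EPMD itself listens on 4369; 5369 is the stunnel-wrapped entry point placed in front of it, so `# stunnel-wrapped port in front of EPMD (4369), used between bigcouch cluster nodes` describes what is actually being opened. The macro content `PARAM - - tcp $couchdb_port $portmapper_port` separates the two ports with a space, whereas shorewall's port column takes a comma-separated list, so the second port is not read as a port. The DNAT rule in the second hunk sends `$FW`-originated traffic for `$portmapper_port` to `net:${::ipaddress}:8080`, the node's own address and a port nothing else in this module mentions; if it is a placeholder, a `# TODO` saying so would help.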
@@ -0,0 +1,32 @@ +define site_stunnel::clients ( + $accept_port, + $connect, + $client = true, + $cafile, + $key, + $cert, + $verify = '2', + $pid = $name, + $rndfile = '/var/lib/stunnel4/.rnd', + $debuglevel = '4' ) { + + $couchdb_stunnel_client_defaults = { + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel + } + } diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp new file mode 100644 index 00000000..a6384a6e --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -0,0 +1,30 @@ +class site_stunnel::setup ($cert_name, $key, $cert, $ca) { + + include x509::variables + include site_stunnel + + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $ca_name: + content => $ca, + notify => Service['stunnel']; + } + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ef61aeb6..e45691c1 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -33,10 +33,11 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_webapp::couchdb_stunnel': - key => $key, - cert => $cert, - ca => $ca + class { 'site_stunnel::setup': + cert_name => 'leap_couchdb', + key => $key, + cert => $cert, + ca => $ca } exec { 'migrate_design_documents': 
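Review bot: `$couchdb_stunnel_client_defaults` inside `site_stunnel::clients` is never used, and it reads `$ca_path`, `$key_path` and `$cert_path`, which are neither parameters of the define nor set in its body — they resolve to undef (or, under Puppet 2.x dynamic scoping, to whatever the caller happens to have in scope), so delete the hash. The parameter list interleaves defaulted and required parameters (`$client = true` before the required `$cafile`, `$key`, `$cert`); listing the required ones first reads better, and a header comment noting that `$connect` is a host and the remote port is fixed at 6984 would spare readers a trip into the body. In the sibling `site_stunnel::setup` hunk, `$ca_path`/`$cert_path`/`$key_path` are computed but not used by the class itself; if callers are meant to read them as `$site_stunnel::setup::ca_path`, say so in a comment.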
@@ -45,4 +46,16 @@ class site_webapp::couchdb { require => Exec['bundler_update'], notify => Service['apache']; } + + $couchdb_stunnel_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp deleted file mode 100644 index 325b18ee..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp +++ /dev/null @@ -1,43 +0,0 @@ -class site_webapp::couchdb_stunnel ($key, $cert, $ca) { - - include x509::variables - include site_stunnel - - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - - $couchdb_stunnel_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' - } - - create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp deleted file mode 100644 index eac43b08..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp +++ /dev/null 
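Review bot: `$ca_path`, `$key_path` and `$cert_path` in the new `$couchdb_stunnel_client_defaults` are not defined in `site_webapp::couchdb`: they were set by the deleted `site_webapp::couchdb_stunnel` class (visible in the deletion hunk below) and now live in `site_stunnel::setup`, so every stunnel client created here gets an undef `cafile`, `key` and `cert` — with `verify => '2'` the tunnel cannot validate the server certificate, which should fail at stunnel start-up and, if it somehow did not, would leave the tunnel unverified. Reference them fully qualified (`'cafile' => $site_stunnel::setup::ca_path` etc.) or have `site_stunnel::setup` hand them back. `hiera('stunnel')` without a default is fine here: failing the catalog beats silently configuring no tunnels.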
@@ -1,17 +0,0 @@ -define site_webapp::couchdb_stunnel::clients - ( $accept_port, $connect, $client, $cafile, $key, $cert, - $verify, $pid = $name, $rndfile, $debuglevel ) { - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } - } -- cgit v1.2.3 From 4b2aa1020d07d0ab25f907fbc6c76a3d78a6a84e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:11:54 +0100 Subject: shorewall couchdb config: get open ports right --- puppet/modules/site_shorewall/manifests/couchdb.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 5fa1861b..f1784a38 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -9,7 +9,7 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port $portmapper_port", + content => "PARAM - - tcp ${couchdb_port},${portmapper_port}", notify => Service['shorewall'], require => Package['shorewall'] } @@ -23,15 +23,15 @@ class site_shorewall::couchdb { order => 200; } - shorewall::rule { - 'dnat-bigcouch-clustering-to-stunnel': - destination => "net:${::ipaddress}:8080", - destinationport => $portmapper_port, - source => '$FW', - proto => 'tcp', - order => 200, - action => 'DNAT'; - } + #shorewall::rule { + # 'dnat-bigcouch-clustering-to-stunnel': + # destination => "net:${::ipaddress}:8080", + # destinationport => $portmapper_port, + # source => '$FW', + # proto => 'tcp', + # order => 200, + # action => 'DNAT'; + #} } -- cgit v1.2.3 
From 4669a64cb8e63a67825a35513b51b4e1f2a4ec5d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:14:35 +0100 Subject: moving generic stunnel config from site_webapp to site_stunnel now working --- puppet/modules/site_stunnel/manifests/clients.pp | 31 +++++++++--------------- puppet/modules/site_stunnel/manifests/setup.pp | 6 ----- puppet/modules/site_webapp/manifests/couchdb.pp | 8 +++--- 3 files changed, 16 insertions(+), 29 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 28ed6d3c..9f8aeaff 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -10,23 +10,16 @@ define site_stunnel::clients ( $rndfile = '/var/lib/stunnel4/.rnd', $debuglevel = '4' ) { - $couchdb_stunnel_client_defaults = { - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:6984", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel } +} diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index a6384a6e..7ec2378f 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp 
@@ -1,13 +1,7 @@ class site_stunnel::setup ($cert_name, $key, $cert, $ca) { - include x509::variables include site_stunnel - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { $cert_name: content => $key, diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e45691c1..48a95c8d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -34,7 +34,7 @@ class site_webapp::couchdb { } class { 'site_stunnel::setup': - cert_name => 'leap_couchdb', + cert_name => $cert_name, key => $key, cert => $cert, ca => $ca @@ -49,9 +49,9 @@ class site_webapp::couchdb { $couchdb_stunnel_client_defaults = { 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", 'verify' => '2', 'rndfile' => '/var/lib/stunnel4/.rnd', 'debuglevel' => '4' -- cgit v1.2.3 From ec2727a1cae91c34233c831ae31277690a8ef3dc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:29:48 +0100 Subject: added bigcouch.conf as incoming stunnel config for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 28 +++++++++--------------- 1 file changed, 10 insertions(+), 18 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2133d6da..d16e09b5 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
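Review bot: The hunk removes `$ca_name = 'leap_ca'` from `site_stunnel::setup`, but `x509::ca { $ca_name: ... }` further down the class (unchanged, outside the hunk) still uses it, so the class now relies on `$ca_name` leaking in from whichever class declares it — dynamic scoping that Puppet 3 no longer provides, and that otherwise yields an empty resource title. Make it a parameter with the old value as default, `class site_stunnel::setup ($cert_name, $key, $cert, $ca, $ca_name = 'leap_ca')`, so `site_webapp::couchdb` and `site_couchdb::stunnel` declare the same CA by construction. Dropping `include x509::variables` here is only safe if every caller that interpolates `$x509::variables::local_CAs` includes it itself.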
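Review bot: The rebuilt defaults interpolate `$x509::variables::local_CAs`, `::keys` and `::certs`, but nothing visible in `site_webapp::couchdb` includes `x509::variables` (the `setup.pp` hunk just removed the only include), so unless another class on the node evaluates it first these expand to empty paths; add `include x509::variables` at the top of the class. `$ca_name` and `$cert_name` are also not assigned anywhere visible in this class, and the CA name duplicates the literal that lived in `site_stunnel::setup`; having `site_stunnel::setup` keep `$ca_path`/`$cert_path`/`$key_path` and reading them as `$site_stunnel::setup::ca_path` removes both the duplication and the dependence on variable names. The class body continues outside the hunk.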
@@ -9,24 +9,14 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } + # webapp access stunnel::service { 'couchdb': accept => '6984', connect => '127.0.0.1:5984', @@ -39,9 +29,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clustering between bigcouch nodes stunnel::service { 'bigcouch': - accept => '6984', - connect => '127.0.0.1:5984', + accept => '5369', + connect => '127.0.0.1:4369', client => false, cafile => $ca_path, key => $key_path, -- cgit v1.2.3 From bb0f29e2d7ae2db57257eb4d1a20616c5c834a4e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:07 +0100 Subject: make site_stunnel::clients connect_port configurable --- puppet/modules/site_stunnel/manifests/clients.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 9f8aeaff..b23c7bc6 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -1,5 +1,6 @@ define site_stunnel::clients ( $accept_port, + $connect_port, $connect, $client = true, $cafile, @@ -12,7 +13,7 @@ define site_stunnel::clients ( stunnel::service { $name: accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", + connect => "${connect}:${connect_port}", client => $client, cafile => $cafile, key => $key, -- cgit v1.2.3 
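Review bot: `$connect_port` is added as a required parameter, but the `site_webapp::couchdb` defaults hash (`4669a64` hunk above) does not supply it, so unless every entry in the `stunnel` hiera hash carries a `connect_port`, compiling a webapp node now fails with a missing-parameter error. Give it the previous fixed value as default, `$connect_port = '6984',`, which keeps existing callers working and lets `site_couchdb` override it for the cluster port. The define's header is also the place for a comment stating that `$connect` is the remote host and `$connect_port` the port stunnel dials on it.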
From d9c9cbb7ae5fde7767ac6b2cbc25936a0045104d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:45 +0100 Subject: addded client side of bigcouch cluster protocol stunnel config --- puppet/modules/site_couchdb/manifests/stunnel.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d16e09b5..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -31,6 +31,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } # clustering between bigcouch nodes + + # server stunnel::service { 'bigcouch': accept => '5369', connect => '127.0.0.1:4369', @@ -43,5 +45,19 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clients + $couchdb_stunnel_client_defaults = { + 'connect_port' => '5369', + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + } -- cgit v1.2.3 From 7a08ff22b0317e77895e4ff52e6f56db70afb8df Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 20:06:47 +0100 Subject: increase stunnel verbosity until everything is running smooth --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..44ddae0b 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
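Review bot: The new `$couchdb_stunnel_client_defaults` rebuilds `"${x509::variables::local_CAs}/${ca_name}.crt"`, `"${x509::variables::keys}/${cert_name}.key"` and `"${x509::variables::certs}/${cert_name}.crt"` by hand although this class already computes exactly those strings as `$ca_path`, `$key_path` and `$cert_path` (context lines in the `ec2727a` hunk above); use `'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path` so the server and client sides cannot diverge. `hiera('stunnel')` is the same key `site_webapp::couchdb` feeds to `create_resources`, so a node carrying both roles would declare the same titles twice — worth a comment or a role-specific key. The bare `# clients` comment would be more useful as `# clients: one tunnel per peer node, entries from the 'stunnel' hiera hash`.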
@@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '7' } # clients -- cgit v1.2.3 From fbcc9e9a93816374e1b53b561df4b9d2a59ae7b8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:01:41 +0100 Subject: added site_shorewall::dnat to configure DNAT rules --- puppet/modules/site_shorewall/manifests/dnat.pp | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/dnat.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp new file mode 100644 index 00000000..5992c91f --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat.pp @@ -0,0 +1,19 @@ +define site_shorewall::dnat ( + $source, + $destination, + $proto, + $destinationport, + $originaldest ) { + + + shorewall::rule { + "dnat_${name}_${destinationport}": + source => $source, + destination => $destination, + destinationport => $destinationport, + originaldest => $originaldest, + proto => $proto, + order => 200, + action => 'DNAT'; + } +} -- cgit v1.2.3 From 40f32a207957293dd7c9a85df3bcccd340e16522 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:02:55 +0100 Subject: added site_shorewall::couchdb::bigcouch bigcouch cluster protocol communicate via the fqdn of the neighbor hosts. So we need to bend all requests to :4369 to localhost:400x (which is the entry of an stunnel connection to the other neighbor) --- puppet/modules/site_shorewall/manifests/couchdb.pp | 11 ----------- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 7 +++++++ 2 files changed, 7 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index f1784a38..a448dd42 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -23,15 +23,4 @@ class site_shorewall::couchdb { order => 200; } - #shorewall::rule { - # 'dnat-bigcouch-clustering-to-stunnel': - # destination => "net:${::ipaddress}:8080", - # destinationport => $portmapper_port, - # source => '$FW', - # proto => 'tcp', - # order => 200, - # action => 'DNAT'; - #} - - } diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp new file mode 100644 index 00000000..f96ef87b --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -0,0 +1,7 @@ +class site_shorewall::couchdb::bigcouch inherits site_shorewall::couchdb { + + include site_shorewall::defaults + + create_resources(site_shorewall::dnat, hiera('shorewall_dnat')) + +} -- cgit v1.2.3 From 34a44db0de9a7d79ac68e93e79f29dcc32a30c76 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:07:25 +0100 Subject: couchdb hosts include site_shorewall::couchdb::bigcouch --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) { } include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch } -- cgit v1.2.3 From 6e223037a4ca36273984c0ab0f2eb9b81f5f10da Mon Sep 17 00:00:00 2001 
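Review bot: `hiera('shorewall_dnat')` in the new `site_shorewall::couchdb::bigcouch` class has no default, so on any node where the key is absent the lookup aborts catalog compilation instead of creating no rules, and the third hunk on this line makes `site_couchdb` include the class unconditionally even though that class carries a `$bigcouch = false` parameter, so every couchdb host, clustered or not, pays that cost. Guard the include with the parameter, `if $bigcouch { include site_shorewall::couchdb::bigcouch }`, or default the lookup, `hiera('shorewall_dnat', {})`. The entries also go straight from hiera into DNAT rules with no shape check; a comment listing the keys each entry must carry (`source`, `destination`, `proto`, `destinationport`, `originaldest`) would help whoever writes the hiera data.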
From: varac Date: Wed, 20 Mar 2013 22:11:40 +0100 Subject: decrease stunnel debug level --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 44ddae0b..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '7' + debuglevel => '4' } # clients -- cgit v1.2.3 From 63e6b8633e07045751011c0218f9e6891e25cca5 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:17:55 +0100 Subject: provide stunnel connect_port to site_webapp:couchdb --- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 48a95c8d..ffc4454b 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -48,6 +48,7 @@ class site_webapp::couchdb { } $couchdb_stunnel_client_defaults = { + 'connect_port' => '6984', 'client' => true, 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", 'key' => "${x509::variables::keys}/${cert_name}.key", -- cgit v1.2.3 From e9b00c6efb65faa4c0dfa955527fafc2b13889d4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:31:51 +0100 Subject: fix bigcouch stunnel pid name --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..f5001051 100644 
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -25,7 +25,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouch.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } -- cgit v1.2.3 From eac4d82da1675d839fcdc2360df5929e41322c2d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 21 Mar 2013 14:03:07 +0100 Subject: start erlang vm on dedicated port so firewalling is easier --- puppet/modules/site_shorewall/manifests/couchdb.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index a448dd42..04b608e2 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -7,9 +7,12 @@ class site_shorewall::couchdb { # bigcouch cluster nodes $portmapper_port = '5369' + # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 + $erlang_vm_port = '9001' + # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couchdb_port},${portmapper_port}", + content => "PARAM - - tcp ${couchdb_port},${portmapper_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 50cbfca55b99c0e284aff23c8f779499f4af1f4a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Mar 2013 13:52:22 -0400 Subject: remove duplicate 'include site_stunnel' this already exists in class site_stunnel::setup which is instantiated in this class --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules') 
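Review bot: Adding `${erlang_vm_port}` (9001) to `macro.leap_couchdb` exposes the Erlang distribution listener itself rather than a stunnel endpoint: the couchdb and epmd ports are placed behind stunnel with `verify => '2'` elsewhere on this page, but Erlang distribution is protected only by the shared cookie (`$bigcouch_cookie` in a later hunk), so if this macro backs a rule from the `net` zone, as the `net2fw-couchdb` context in the next commit suggests, the cluster port is reachable from outside with no TLS or certificate check. Record the trade-off next to the variable, e.g. `# erlang distribution port: not tunnelled, cookie-only auth, so restrict the rule source to the peer nodes`, and ideally narrow the rule's source accordingly. The later `remove no longer needed epmd port` hunk drops the portmapper port but keeps 9001, so the same point applies there.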
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index f5001051..9e1bad49 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,7 +1,6 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include x509::variables - include site_stunnel $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' -- cgit v1.2.3 From 8b75721b7941c8ab6b7dc05101e80a121dcb0849 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:09:45 -0400 Subject: shorewall: add couch_server stunnel port to macro.leap_couchdb, this is necessary for the stunnel to communicate --- puppet/modules/site_shorewall/manifests/couchdb.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 04b608e2..6a8c2cf2 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -2,7 +2,10 @@ class site_shorewall::couchdb { include site_shorewall::defaults - $couchdb_port = '6984' + $stunnel = hiera('stunnel') + $couch_server = $stunnel['couch_server'] + $couch_stunnel_port = $couch_server['accept'] + # Erlang Port Mapper daemon, used for communication between # bigcouch cluster nodes $portmapper_port = '5369' @@ -12,12 +15,11 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couchdb_port},${portmapper_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port},${portmapper_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } - shorewall::rule { 'net2fw-couchdb': source => 'net', -- cgit v1.2.3 From ebc6b4f0e8f8c29b02b284d60402faaddbe2f6a3 Mon Sep 17 00:00:00 2001 
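Review bot: `$couch_stunnel_port = $couch_server['accept']` is interpolated straight into the shorewall macro line; if the `accept` value ever takes the `address:port` form that `connect` has (a later hunk on this page strips an `ip:` prefix from `connect` with regsubst), the macro becomes invalid and the shorewall reload fails at run time rather than at compile time. Presumably the leap_cli macro emits a bare port here, but a check such as `validate_re($couch_stunnel_port, '^[0-9]+$')` before the `file` resource would make that assumption explicit and fail early. The class body starts outside the first hunk.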
From: Micah Anderson Date: Sun, 31 Mar 2013 12:10:33 -0400 Subject: lint so default options are together --- puppet/modules/site_stunnel/manifests/clients.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index b23c7bc6..ed766e1a 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -2,10 +2,10 @@ define site_stunnel::clients ( $accept_port, $connect_port, $connect, - $client = true, $cafile, $key, $cert, + $client = true, $verify = '2', $pid = $name, $rndfile = '/var/lib/stunnel4/.rnd', -- cgit v1.2.3 From fa65ec5b35433ecc643aa240db4c42e60dac6af9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:16:54 -0400 Subject: remove unnecessary class inheritance --- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index f96ef87b..2afdea87 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -1,4 +1,4 @@ -class site_shorewall::couchdb::bigcouch inherits site_shorewall::couchdb { +class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults -- cgit v1.2.3 From 6714ff4ae1a53b6b3eda66f13c2212c3ba285bf3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:19:46 -0400 Subject: refactor couch_client stunnel to use new stunnel_client leap_cli macro re-order variables to be more consistant --- puppet/modules/site_webapp/manifests/couchdb.pp | 32 +++++++++++++++---------- 1 file changed, 20 insertions(+), 12 deletions(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ffc4454b..e956fd54 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,9 +1,5 @@ class site_webapp::couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] $webapp = hiera('webapp') # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' @@ -13,6 +9,21 @@ class site_webapp::couchdb { $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variable + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), @@ -48,15 +59,12 @@ class site_webapp::couchdb { } $couchdb_stunnel_client_defaults = { - 'connect_port' => '6984', + 'connect_port' => $couch_client_connect, 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) } -- cgit v1.2.3 
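Review bot: `include x509::variable` names a class this page never defines or references anywhere else — every other site is `include x509::variables`, and the `${x509::variables::local_CAs}` paths three lines below depend on that class — so unless the x509 module also ships a singular `x509::variable`, this include fails with a missing-class error; change it to `include x509::variables`. Separately, `'connect_port' => $couch_client_connect` takes its value from `$couch_client['connect']`, while the define builds `connect => "${connect}:${connect_port}"` from two different fields, and `create_resources` is then handed the same `$couch_client` hash; presumably the stunnel_client leap_cli macro's `connect` holds the remote port and the per-client entries hold the host, but the naming makes this easy to misread. A comment such as `# couch_client['connect'] is the remote stunnel port; each client entry supplies the host` would clarify — confirm against the generated hiera.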
From dd459efb1063de6c11f9f11583290c6a0891436a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:22:52 -0400 Subject: replace long-form variables with shorter ones remove unnecessary bigcouch_replication_client_default values (verify, rndfile, debuglevel) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 9e1bad49..a49b51b9 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -49,12 +49,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couchdb_stunnel_client_defaults = { 'connect_port' => '5369', 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) -- cgit v1.2.3 From baf3ed5b6db4e8af052564864d8c3e426cf5d9d0 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sun, 31 Mar 2013 12:32:42 -0400 Subject: switch to using stunnel_client and stunnel_server leap_cli macros add bigcouch_replication_clients to couchdb.json change site_couchdb/manifests/stunnel to use stunnel_client and stunnel_server generated hiera values to setup the stunnels for the couch_server connections, and the bigcouch_replication_server and bigcouch_replication_clients tunnels instead of using hard-coded ips and ports. also change the pid names to be more consistent with what the tunnels are and are named --- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++--------- 1 file changed, 26 insertions(+), 15 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index a49b51b9..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,13 +1,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { - include x509::variables + $stunnel = hiera('stunnel') + + $couch_server = $stunnel['couch_server'] + $couch_server_accept = $couch_server['accept'] + $couch_server_connect = $couch_server['connect'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] + $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" + # basic setup: ensure cert, key, ca files are in place, and some generic + # stunnel things are done class { 'site_stunnel::setup': cert_name => $cert_name, key => $key, 
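Review bot: The new block of nested lookups, `$stunnel['couch_server']['accept']` and friends, has no fallback, so a node whose hiera data lacks any of these keys fails in an opaque way deep in the class rather than with a message naming the missing key. A header comment documenting the expected hiera shape would help, e.g. `# stunnel (from the stunnel_server/stunnel_client leap_cli macros): couch_server{accept,connect}, bigcouch_replication_server{accept,connect}, bigcouch_replication_clients{<name>{...}}`. The class parameters `$key`, `$cert`, `$ca` are likewise undocumented; they are the raw PEM material handed to `site_stunnel::setup`, which is worth one line above the class.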
@@ -15,45 +28,43 @@ class site_couchdb::stunnel ($key, $cert, $ca) { ca => $ca } - # webapp access - stunnel::service { 'couchdb': - accept => '6984', - connect => '127.0.0.1:5984', + # setup a stunnel server for the webapp to connect to couchdb + stunnel::service { 'couch_server': + accept => $couch_server_accept, + connect => $couch_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouch.pid', + pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } - # clustering between bigcouch nodes + # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch': - accept => '5369', - connect => '127.0.0.1:4369', + stunnel::service { 'bigcouch_replication_server': + accept => $bigcouch_replication_server_accept, + connect => $bigcouch_replication_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouchreplication_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $couchdb_stunnel_client_defaults = { - 'connect_port' => '5369', + $bigcouch_replication_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) } - -- cgit v1.2.3 From 128c8ddfd4969a9b9b525cb4f4a34b1e98c2fe76 Mon Sep 17 00:00:00 2001 
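Review bot: Removing `'connect_port' => '5369'` from the client defaults means every entry in `$bigcouch_replication_clients` must now carry its own `connect_port`, because `site_stunnel::clients` declares it without a default (see the clients.pp hunks earlier on this page); presumably the stunnel_client leap_cli macro emits it, but nothing here checks. A comment on `$bigcouch_replication_client_defaults`, `# accept_port, connect and connect_port come per-client from the stunnel_client leap_cli macro`, would document that contract. The hiera-supplied `accept`/`connect` values for both servers also flow unvalidated into stunnel.conf; a `validate_re` on each would fail the compile early instead of producing a listener that does not start.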
From: Micah Anderson Date: Sun, 31 Mar 2013 12:39:36 -0400 Subject: shorewall: create a macro for the bigcouch replication server stunnel to enable these connections pulling bigcouch_replication_clients, bigcouch_replication_server_port from hiera create site_shorewall::couchdb::dnat and create_resources to properly setup DNAT for bigcouch_replication_clients --- .../site_shorewall/manifests/couchdb/bigcouch.pp | 30 +++++++++++++++++++++- .../site_shorewall/manifests/couchdb/dnat.pp | 21 +++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb/dnat.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index 2afdea87..a0d63d15 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -2,6 +2,34 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults - create_resources(site_shorewall::dnat, hiera('shorewall_dnat')) + $stunnel = hiera('stunnel') + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_bigcouch': + content => "PARAM - - tcp ${bigcouch_replication_server_port}", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-bigcouch': + source => 'net', + destination => '$FW', + action => 'leap_bigcouch(ACCEPT)', + order => 300; + } + + $bigcouch_shorewall_dnat_defaults = { + 'source' => '$FW', + 'proto' => 'tcp', + 'destinationport' => '4369', + } + + create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) } + 
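Review bot: The `net2fw-bigcouch` rule admits the whole `net` zone to `${bigcouch_replication_server_port}` and relies entirely on the stunnel server's `verify => '2'` client-certificate check (in the stunnel.pp hunk above) to keep non-peers out; that is a reasonable design, but it is invisible from this file, so say it in the `# define macro for incoming services` comment, e.g. `# open to net: access is gated by the stunnel server's client-cert check, not by the firewall`. `'destinationport' => '4369'` hard-codes the epmd port while the stunnel side takes its ports from hiera, which lets the two drift; a later commit on this page derives it from the `connect` value, so nothing more is needed here.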
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp new file mode 100644 index 00000000..85cea9d5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -0,0 +1,21 @@ +define site_shorewall::couchdb::dnat ( + $source, + $connect, + $connect_port, + $accept_port, + $proto, + $destinationport ) +{ + + + shorewall::rule { + "dnat_${name}_${destinationport}": + source => $source, + destination => "\$FW:127.0.0.1:${accept_port}", + destinationport => $destinationport, + originaldest => $connect, + proto => $proto, + order => 200, + action => 'DNAT'; + } +} -- cgit v1.2.3 From c849ef699d6426b3161f901eea625247cdefbef5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 16:41:06 -0400 Subject: fix variable curly braces --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 81795f7d..1e1590f5 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -9,7 +9,7 @@ class site_config::hosts() { content => $hostname } - exec { "/bin/hostname $hostname": + exec { "/bin/hostname ${hostname}": subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], refreshonly => true; } -- cgit v1.2.3 From ee1555bd9091e1ffe66e54856d2bde72d50a7e60 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 16:55:12 -0400 Subject: firewall: remove no longer needed epmd port --- puppet/modules/site_shorewall/manifests/couchdb.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 6a8c2cf2..1ef91bb0 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp 
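Review bot: `$connect_port` is declared by `site_shorewall::couchdb::dnat` but never used in the rule; it appears to exist only so that the per-client hashes shared with `site_stunnel::clients` pass `create_resources` without an unknown-parameter error. That deserves a comment, `# $connect_port is accepted but unused: the same hiera client entries also feed site_stunnel::clients`, otherwise the next reader deletes it and breaks the catalog. The rule itself rewrites traffic for `$connect` to `127.0.0.1:${accept_port}`, i.e. peer traffic only leaves the host through the local stunnel client, which is also worth a line above the `shorewall::rule`.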
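Review bot: `exec { "/bin/hostname ${hostname}":` uses the interpolated value as the command line; Puppet's default exec provider does not go through a shell, but `$hostname` comes from outside this class (its source is not visible here) and the string is split on whitespace, so a value that is not a plain hostname either sets the wrong name or fails confusingly. Validating first, `validate_re($hostname, '^[A-Za-z0-9.-]+$')`, fails the compile with a clear message instead. The class body begins outside the hunk.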
+++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -6,16 +6,12 @@ class site_shorewall::couchdb { $couch_server = $stunnel['couch_server'] $couch_stunnel_port = $couch_server['accept'] - # Erlang Port Mapper daemon, used for communication between - # bigcouch cluster nodes - $portmapper_port = '5369' - # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 $erlang_vm_port = '9001' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couch_stunnel_port},${portmapper_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 0227e03513f38cfae4a041ba6740b425fdc21198 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 17:09:22 -0400 Subject: replace hard-coded port number with hiera determined one, manipulated to remove the 'ip:' from the beginning in bigcouch replication client stunnels --- puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index a0d63d15..85272657 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -7,6 +7,7 @@ class site_shorewall::couchdb::bigcouch { $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + $bigcouch_replication_connect = $bigcouch_replication_server['connect'] # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': 
@@ -26,7 +27,7 @@ class site_shorewall::couchdb::bigcouch { $bigcouch_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', - 'destinationport' => '4369', + 'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') } create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) -- cgit v1.2.3 From 1750bec7032e90ddbe43da35eb5f49066187d1d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Apr 2013 17:43:43 -0400 Subject: shorewall: re-order dnat rule variables to match configuration file order --- puppet/modules/site_shorewall/manifests/couchdb/dnat.pp | 6 +++--- puppet/modules/site_shorewall/manifests/dnat.pp | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp index 85cea9d5..f1bc9acf 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -10,12 +10,12 @@ define site_shorewall::couchdb::dnat ( shorewall::rule { "dnat_${name}_${destinationport}": + action => 'DNAT', source => $source, destination => "\$FW:127.0.0.1:${accept_port}", + proto => $proto, destinationport => $destinationport, originaldest => $connect, - proto => $proto, - order => 200, - action => 'DNAT'; + order => 200 } } diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp index 5992c91f..a73294cc 100644 --- a/puppet/modules/site_shorewall/manifests/dnat.pp +++ b/puppet/modules/site_shorewall/manifests/dnat.pp 
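Review bot: `regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2')` only matches a dotted-decimal IPv4 prefix; when `connect` is a bare port, a hostname or an IPv6 literal the pattern does not match and regsubst returns the string unchanged, so an unexpected value silently becomes the DNAT `destinationport` instead of failing. Add a fail-closed check before the hash, `validate_re($bigcouch_replication_connect, '^[0-9.]+:[0-9]+$', 'bigcouch_replication_server connect must be ip:port')`, or at least document the assumption: `# connect is 'ip:port' as generated by the stunnel_server leap_cli macro; take the port`.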
@@ -8,12 +8,12 @@ define site_shorewall::dnat ( shorewall::rule { "dnat_${name}_${destinationport}": + action => 'DNAT', source => $source, destination => $destination, + proto => $proto, destinationport => $destinationport, originaldest => $originaldest, - proto => $proto, - order => 200, - action => 'DNAT'; + order => 200 } } -- cgit v1.2.3 From 82db11a2efdd0d543b56c99a80cad4ffd90d5ba9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 3 Apr 2013 14:16:10 -0400 Subject: switch stunnel module to our version which has been modified for 2.7 parameterized classes and qualified variables update our stunnel class instantiation to be parameterized --- puppet/modules/site_stunnel/manifests/init.pp | 3 +-- puppet/modules/stunnel | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index 6ba2c4b8..c7d6acc6 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -2,8 +2,7 @@ class site_stunnel { # include the generic stunnel module # increase the number of open files to allow for 800 connections - $stunnel_default_extra = 'ulimit -n 4096' - include stunnel + class { 'stunnel': default_extra => 'ulimit -n 4096' } # The stunnel.conf provided by the Debian package is broken by default # so we get rid of it and just define our own. See #549384 diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 03b51fcb..b53d5742 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 03b51fcb718734f4b2ea76c038ffbe9b2b348b1a +Subproject commit b53d574250598178af298c59be957693eaaddb22 -- cgit v1.2.3 From e1aa287ee60d39cc55a1b31da59652898eb21b5c Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 3 Apr 2013 15:03:54 -0400 Subject: automatic update to stunnel module --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index b53d5742..75d387fc 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit b53d574250598178af298c59be957693eaaddb22 +Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 -- cgit v1.2.3 From 264e63967d9247e42662182aec771fbfb81e8e8e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 11:27:59 -0400 Subject: rename the bigcouch_replication_[server,client] to be the more accurately, and shorter named epmd (erlang port mapper daemon) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1eb79293..40b8f450 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -6,11 +6,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couch_server_accept = $couch_server['accept'] $couch_server_connect = $couch_server['connect'] - $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] - $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] - $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $epmd_server = $stunnel['epmd_server'] + $epmd_server_accept = $epmd_server['accept'] + $epmd_server_connect = $epmd_server['connect'] - $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + $epmd_clients = $stunnel['epmd_clients'] include x509::variables $cert_name = 'leap_couchdb' 
@@ -45,26 +45,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch_replication_server': - accept => $bigcouch_replication_server_accept, - connect => $bigcouch_replication_server_connect, + stunnel::service { 'epmd_server': + accept => $epmd_server_accept, + connect => $epmd_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouchreplication_server.pid', + pid => '/var/run/stunnel4/epmd_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $bigcouch_replication_client_defaults = { + $epmd_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) + create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) } -- cgit v1.2.3 From e530f0c1d1a0a26bd277b70197b1f26871d92b1b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 11:40:12 -0400 Subject: rename bigcouch.port to more accurate bigcouch.epmd_port --- .../modules/site_shorewall/manifests/couchdb/bigcouch.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index 85272657..a8320df8 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp 
@@ -3,15 +3,15 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults $stunnel = hiera('stunnel') - $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + $epmd_clients = $stunnel['epmd_clients'] - $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] - $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] - $bigcouch_replication_connect = $bigcouch_replication_server['connect'] + $epmd_server = $stunnel['epmd_server'] + $epmd_server_port = $epmd_server['accept'] + $epmd_server_connect = $epmd_server['connect'] # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': - content => "PARAM - - tcp ${bigcouch_replication_server_port}", + content => "PARAM - - tcp ${epmd_server_port}", notify => Service['shorewall'], require => Package['shorewall'] } @@ -24,13 +24,13 @@ class site_shorewall::couchdb::bigcouch { order => 300; } - $bigcouch_shorewall_dnat_defaults = { + $epmd_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', - 'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') + 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') } - create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) + create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults) } -- cgit v1.2.3 From c228491af3929e07766903c3ce29a06fab86ad63 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 12:08:55 -0400 Subject: remove the apache_ssl_proxy cleanup --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 13 ------------- puppet/modules/site_couchdb/manifests/init.pp | 6 ++---- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp deleted file mode 100644 index 536dd8db..00000000 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_couchdb::apache_ssl_proxy { - -# This is here to disable the previously configured apache ssl proxy -# we were using this, but have switched to stunnel instead. -# -# Unfortunately, the current apache shared module doesn't handle -# ensure=>absent, so this is going to be done the crude way, and will only -# work for debian+derivitives, which is fine for now, but not good for the -# future - - package { 'apache2': ensure => absent } - -} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e0f379cd..0fc951c2 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -5,6 +5,7 @@ class site_couchdb ( $bigcouch = false ) { $key = $x509['key'] $cert = $x509['cert'] $ca = $x509['ca_cert'] + $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -16,6 +17,7 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -32,10 +34,6 @@ class site_couchdb ( $bigcouch = false ) { -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] - # this is here to disable and remove the proxy - include site_couchdb::apache_ssl_proxy - - # the above apache_ssl_proxy is replaced by the following stunnel class { 'site_couchdb::stunnel': key => $key, cert => $cert, -- cgit v1.2.3 From 2c53c5023b925cb596e3f450f194482eade1fbeb Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 4 Apr 2013 12:50:30 -0400 Subject: add Erlang Distributed Node Protocol Port json entry under bigcouch setup ednp_server and ednp_client stunnels update couchdb puppet submodule to support configurable ednp_port parameter and general module cleanup pass ednp_port to couchdb setup so that it is configured in the vm.args template clarify in comments the difference between the epmd and ednp ports remove hard-coded erlang_vm_port variable and instead setup shorewall to allow for the stunnel connection only setup dnat rules for the ednp client connections --- puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 7 ++-- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++++++--- puppet/modules/site_shorewall/manifests/couchdb.pp | 5 +-- .../site_shorewall/manifests/couchdb/bigcouch.pp | 21 +++++++++-- 5 files changed, 62 insertions(+), 14 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 66d918dd..b49a787a 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 66d918ddb6454fd4a30baed9b49baad98e274243 +Subproject commit b49a787a2961129a969cfecd1eec1df588aaacac diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0fc951c2..9ffa4122 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -21,10 +21,13 @@ class site_couchdb ( $bigcouch = false ) { $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] - class {'couchdb': + $ednp_port = $bigcouch_config['ednp_port'] + + class { 'couchdb': bigcouch => $bigcouch, admin_pw => $couchdb_admin_pw, - bigcouch_cookie => $bigcouch_cookie + bigcouch_cookie => $bigcouch_cookie, + ednp_port => $ednp_port } include couchdb::bigcouch::package::cloudant 
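Review bot: `$ednp_port = $bigcouch_config['ednp_port']` is handed straight to `class { 'couchdb': ... ednp_port => $ednp_port }` with no check, so a missing or mistyped hiera key yields undef and the failure only surfaces later, in the vm.args template the commit message mentions, rather than at the lookup. Because the value becomes a listening port and also drives the shorewall rules added elsewhere in this commit, a guard beside the lookup is cheap, e.g. `validate_re("${ednp_port}", '^[0-9]+$', 'bigcouch.ednp_port must be a port number')` if stdlib is available, or a plain `if $ednp_port == undef { fail('bigcouch.ednp_port is not set') }`. The body of class site_couchdb continues outside the hunk.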
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 40b8f450..ebd01e4e 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -6,12 +6,18 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couch_server_accept = $couch_server['accept'] $couch_server_connect = $couch_server['connect'] + # Erlang Port Mapper Daemon (epmd) stunnel server/clients $epmd_server = $stunnel['epmd_server'] $epmd_server_accept = $epmd_server['accept'] $epmd_server_connect = $epmd_server['connect'] - $epmd_clients = $stunnel['epmd_clients'] + # Erlang Distributed Node Protocol (ednp) stunnel server/clients + $ednp_server = $stunnel['ednp_server'] + $ednp_server_accept = $ednp_server['accept'] + $ednp_server_connect = $ednp_server['connect'] + $ednp_clients = $stunnel['ednp_clients'] + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' @@ -43,8 +49,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } - # setup stunnels for bigcouch clustering between each bigcouchdb node - # server + # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for + # bigcouch clustering between each bigcouchdb node stunnel::service { 'epmd_server': accept => $epmd_server_accept, connect => $epmd_server_connect, @@ -58,7 +64,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { debuglevel => '4' } - # clients + # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect + # to the above epmd stunnel server. $epmd_client_defaults = { 'client' => true, 'cafile' => $ca_path, 
@@ -67,4 +74,30 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) + + # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary + # for bigcouch clustering between each bigcouchdb node + stunnel::service { 'ednp_server': + accept => $ednp_server_accept, + connect => $ednp_server_connect, + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/ednp_server.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } + + # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect + # to the above ednp stunnel server. + $ednp_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) } diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 1ef91bb0..73bed62b 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -6,12 +6,9 @@ class site_shorewall::couchdb { $couch_server = $stunnel['couch_server'] $couch_stunnel_port = $couch_server['accept'] - # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 - $erlang_vm_port = '9001' - # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}", + content => "PARAM - - tcp ${couch_stunnel_port}", notify => Service['shorewall'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp index a8320df8..20740650 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp 
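Review bot: The new `stunnel::service { 'ednp_server': ... }` repeats the epmd_server block line for line apart from the name, accept/connect and pid, and both depend on `verify => '2'`; as far as I recall, stunnel's verify level 2 accepts any client certificate that chains to `cafile`, so any holder of a `leap_ca`-signed certificate, not only bigcouch nodes, could reach the Erlang distribution endpoint, which then stands only behind the Erlang cookie. That assumption deserves to be written down next to the block, e.g. `# verify 2: any certificate signed by leap_ca is accepted; peer identity is not checked`, or tightened to verify level 3 with a CApath of the allowed peer certificates if the define exposes one. The shared server settings (cafile/key/cert/verify/rndfile/debuglevel) could also move into a `$stunnel_server_defaults` hash passed to `create_resources(stunnel::service, ...)`, mirroring what the client side already does with `$epmd_client_defaults`. The body of class site_couchdb::stunnel begins outside the hunk.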
+++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -3,15 +3,22 @@ class site_shorewall::couchdb::bigcouch { include site_shorewall::defaults $stunnel = hiera('stunnel') - $epmd_clients = $stunnel['epmd_clients'] + # Erlang Port Mapper Daemon (epmd) stunnel server/clients + $epmd_clients = $stunnel['epmd_clients'] $epmd_server = $stunnel['epmd_server'] $epmd_server_port = $epmd_server['accept'] $epmd_server_connect = $epmd_server['connect'] + # Erlang Distributed Node Protocol (ednp) stunnel server/clients + $ednp_clients = $stunnel['ednp_clients'] + $ednp_server = $stunnel['ednp_server'] + $ednp_server_port = $ednp_server['accept'] + $ednp_server_connect = $ednp_server['connect'] + # define macro for incoming services file { '/etc/shorewall/macro.leap_bigcouch': - content => "PARAM - - tcp ${epmd_server_port}", + content => "PARAM - - tcp ${epmd_server_port},${ednp_server_port}", notify => Service['shorewall'], require => Package['shorewall'] } @@ -24,13 +31,21 @@ class site_shorewall::couchdb::bigcouch { order => 300; } + # setup DNAT rules for each epmd $epmd_shorewall_dnat_defaults = { 'source' => '$FW', 'proto' => 'tcp', 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') } - create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults) + # setup DNAT rules for each ednp + $ednp_shorewall_dnat_defaults = { + 'source' => '$FW', + 'proto' => 'tcp', + 'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') + } + create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults) + } -- cgit v1.2.3 From 5c44ec03fb9940d2801e6c7765084725656d1ce9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:24:23 -0400 Subject: update submodule to get fix for syntax error --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
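Review bot: The new `$ednp_shorewall_dnat_defaults` copies the epmd regsubst, `regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')`, which returns its input unchanged when the pattern does not match, so a `connect` value written as hostname:port produces a `destinationport` that is not a port and shorewall rejects the rule, while a bare port only works by accident of the same fallthrough. Stripping any host prefix with `regsubst($ednp_server_connect, '^.*:', '')` (and the same for `$epmd_server_connect`) handles all three shapes and makes the two blocks identical apart from the clients hash. Since the two default hashes then differ in nothing but that one key, a single hash with `'destinationport'` set per call would remove the duplication.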
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b49a787a..6b537bb7 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit b49a787a2961129a969cfecd1eec1df588aaacac +Subproject commit 6b537bb77dbfaa754b88e64041ecd57e7f7544a9 -- cgit v1.2.3 From c4397077adb35cf5ec05976e2918bacdd3960703 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:31:04 -0400 Subject: pass $ca_name to stunnel::setup - this eliminates a dynamic scoped variable lookup, and warning --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 + puppet/modules/site_stunnel/manifests/setup.pp | 2 +- puppet/modules/site_webapp/manifests/couchdb.pp | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index ebd01e4e..d982013e 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -31,6 +31,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { cert_name => $cert_name, key => $key, cert => $cert, + ca_name => $ca_name, ca => $ca } diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index 7ec2378f..92eeb425 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -1,4 +1,4 @@ -class site_stunnel::setup ($cert_name, $key, $cert, $ca) { +class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { include site_stunnel diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index e956fd54..8dfe6e12 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -48,6 +48,7 @@ class site_webapp::couchdb { cert_name => $cert_name, key => $key, cert => $cert, + ca_name => $ca_name ca => $ca } -- cgit v1.2.3 From 78cd7a3a6e098448efa9e8623d1bc5c81d7a393a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 15:40:04 -0400 Subject: fix missing comma --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 8dfe6e12..50c6f9d7 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -48,7 +48,7 @@ class site_webapp::couchdb { cert_name => $cert_name, key => $key, cert => $cert, - ca_name => $ca_name + ca_name => $ca_name, ca => $ca } -- cgit v1.2.3 From 61ee35e9210bc771f059ebf227512668c21b62b5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 16:42:17 -0400 Subject: make sure the couchdb.yml permissions are set properly --- puppet/modules/site_webapp/files/migrate_design_documents | 3 +++ puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 88d4b8d9..fa28e5ee 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -4,6 +4,7 @@ cd /srv/leap-webapp # use admin credentials cp config/couchdb.yml.admin config/couchdb.yml +chown leap-webapp:leap-webapp config/couchdb.yml # needs to be run twice /usr/bin/bundle exec rake couchrest:migrate @@ -11,3 +12,5 @@ cp config/couchdb.yml.admin config/couchdb.yml # use user credentials and remove admin credentials cp config/couchdb.yml.webapp config/couchdb.yml +chown leap-webapp:leap-webapp config/couchdb.yml + 
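Review bot: The added `chown leap-webapp:leap-webapp config/couchdb.yml` fixes ownership but not mode: `cp` keeps the destination's existing permissions, or creates the file according to the umask when it is absent, so the admin credentials can end up in a file readable by every local user. `install -o leap-webapp -g leap-webapp -m 0600 config/couchdb.yml.admin config/couchdb.yml` (and the same for the .webapp copy) sets owner and mode in one step. The script also shows no error handling: if either rake run fails, the admin copy stays in place for the web app, so `set -e` near the top (the script header is outside the hunk) plus a `trap` that restores the .webapp copy would close that window. The next hunk, in site_webapp/manifests/couchdb.pp, makes the .admin source root:root 0600, which is consistent with this.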
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 50c6f9d7..6fe144a4 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -27,8 +27,8 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => root, + group => root, mode => '0600'; '/srv/leap-webapp/config/couchdb.yml.webapp': -- cgit v1.2.3 From a115e1c2e48adaa5f53777b63c25814e536e1e5a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 16:42:33 -0400 Subject: fix typo in x509::variables --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6fe144a4..ebb0d72a 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -13,7 +13,7 @@ class site_webapp::couchdb { $couch_client = $stunnel['couch_client'] $couch_client_connect = $couch_client['connect'] - include x509::variable + include x509::variables $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] -- cgit v1.2.3 From dc6cd0ecd31a03e5093cdd9bb6dd1cad576199a2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Apr 2013 16:43:04 -0400 Subject: set permissions on the rails production.log, otherwise passenger complains about this in the apache log file --- puppet/modules/site_webapp/manifests/couchdb.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ebb0d72a..f6203552 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp 
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -37,6 +37,11 @@ class site_webapp::couchdb { group => leap-webapp, mode => '0600'; + '/srv/leap-webapp/logs/production.log': + owner => leap-webapp, + group => leap-webapp, + mode => '0660'; + '/usr/local/sbin/migrate_design_documents': source => 'puppet:///modules/site_webapp/migrate_design_documents', owner => root, -- cgit v1.2.3 From 5e7faed43cf72e2546334da432fcd90e0d558502 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Apr 2013 13:58:15 -0400 Subject: update deprecated haproxy configuration options, set values a little lower --- puppet/modules/site_haproxy/manifests/init.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 7cb10ab2..602e26be 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -13,12 +13,12 @@ class site_haproxy { 'daemon' => '' }, defaults_options => { - 'log' => 'global', - 'retries' => '3', - 'option' => 'redispatch', - 'contimeout' => '5000', - 'clitimeout' => '50000', - 'srvtimeout' => '50000' + 'log' => 'global', + 'retries' => '3', + 'option' => 'redispatch', + 'timeout connect' => '4000', + 'timeout client' => '20000', + 'timeout server' => '20000' } } -- cgit v1.2.3 From 994c0212e86c60fa0f83c379308618b901d240c1 Mon Sep 17 00:00:00 2001 
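Review bot: The new `'/srv/leap-webapp/logs/production.log'` entry sets owner/group/mode but no `ensure`, so what happens when the file is absent on the first run depends on the file type's default rather than being stated; adding `ensure => present,` makes the intent explicit and guarantees the 0660 mode is in place before passenger first writes. Rails logs under `log/` by default, so the `logs/` directory is presumably site-specific — worth confirming it is the path passenger actually complained about. Mode 0660 with group leap-webapp keeps a file that can carry request parameters off world-readable, which is the right default. The enclosing file resource list starts outside the hunk.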
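Review bot: The renamed `'timeout connect' / 'timeout client' / 'timeout server'` keys are the right replacements for the deprecated options, but the defaults block still has no `'timeout http-request'`, so a client that sends its headers slowly holds a connection for the full 20 s `timeout client`; adding `'timeout http-request' => '5000',` alongside them bounds that. The values carry no unit, which haproxy reads as milliseconds — a short `# timeouts are in milliseconds` above the hash would save the next reader a lookup. The body of class site_haproxy begins outside the hunk.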
From: Micah Anderson Date: Tue, 9 Apr 2013 14:04:25 -0400 Subject: add a httpchk line to haproxy to properly test if the couchdb is available add the useful http-server-close option set check option on the servers, with a 3 second interval, a one second fastinter (for flapping) and a one second downinter. Set the number of checks for failure to be one (so it will take 3 seconds for a node to fail out) and 2 checks to come back --- puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index a9bdb923..f08161ee 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -2,14 +2,14 @@ listen bigcouch-in mode http balance roundrobin - option httplog option dontlognull - option tcplog - + option httpchk GET / + option http-server-close + bind localhost:4096 <% for port in @local_ports -%> - server couchdb_<%=port%> localhost:<%=port%> + server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 <% end -%> -- cgit v1.2.3 From 7cb8deafbb02d42c6cd4af4b19d9d269e3d4bf42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Apr 2013 14:53:44 -0400 Subject: make sure the production environment is used for the migrations --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index fa28e5ee..88eb2e25 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents 
@@ -7,8 +7,8 @@ cp config/couchdb.yml.admin config/couchdb.yml chown leap-webapp:leap-webapp config/couchdb.yml # needs to be run twice -/usr/bin/bundle exec rake couchrest:migrate -/usr/bin/bundle exec rake couchrest:migrate +RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate +RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate # use user credentials and remove admin credentials cp config/couchdb.yml.webapp config/couchdb.yml -- cgit v1.2.3 From 92f565f349266f7c5adfc88b31d0d2902431efa4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 10 Apr 2013 12:27:39 -0400 Subject: clean up ca_daemon things, it is not used any longer because it has been included in the web app (#1978) remove site_ca_daemon module and configuration in site.pp as well as the provider_base/services/ca.json --- puppet/modules/site_ca_daemon/manifests/apache.pp | 62 ------------- puppet/modules/site_ca_daemon/manifests/couchdb.pp | 16 ---- puppet/modules/site_ca_daemon/manifests/init.pp | 103 --------------------- .../site_ca_daemon/templates/leap_ca.yaml.erb | 31 ------- 4 files changed, 212 deletions(-) delete mode 100644 puppet/modules/site_ca_daemon/manifests/apache.pp delete mode 100644 puppet/modules/site_ca_daemon/manifests/couchdb.pp delete mode 100644 puppet/modules/site_ca_daemon/manifests/init.pp delete mode 100644 puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp deleted file mode 100644 index ab6b08fd..00000000 --- a/puppet/modules/site_ca_daemon/manifests/apache.pp +++ /dev/null 
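Review bot: `RAILS_ENV=production` is repeated on both rake lines; a single `export RAILS_ENV=production` above them keeps the two commands identical and also covers any rake call added later. Separately, `bundle exec rake` runs inside /srv/leap-webapp, whose Gemfile and Rakefile belong to leap-webapp; if the script is invoked as root (the file is installed root-owned under /usr/local/sbin, but the caller is not visible here), that executes app-owned code with root privileges, so running the rake steps as the app user, e.g. `su -s /bin/sh leap-webapp -c 'RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate'`, would keep a web-app compromise from becoming a root one. The script header is outside the hunk.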
@@ -1,62 +0,0 @@ -class site_ca_daemon::apache { - - $api_domain = hiera('api_domain') - $x509 = hiera('x509') - $commercial_key = $x509['commercial_key'] - $commercial_cert = $x509['commercial_cert'] - $commercial_root = $x509['commercial_ca_cert'] - $api_key = $x509['key'] - $api_cert = $x509['cert'] - $api_root = $x509['ca_cert'] - - $apache_no_default_site = true - include apache::ssl - - apache::module { - 'alias': ensure => present; - 'rewrite': ensure => present; - 'headers': ensure => present; - } - - class { 'passenger': use_munin => false } - - apache::vhost::file { - 'leap_ca_daemon': - content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb') - } - - apache::vhost::file { - 'api': - content => template('site_apache/vhosts.d/api.conf.erb') - } - - x509::key { - 'leap_ca_daemon': - content => $commercial_key, - notify => Service[apache]; - - 'leap_api': - content => $api_key, - notify => Service[apache]; - } - - x509::cert { - 'leap_ca_daemon': - content => $commercial_cert, - notify => Service[apache]; - - 'leap_api': - content => $api_cert, - notify => Service[apache]; - } - - x509::ca { - 'leap_ca_daemon': - content => $commercial_root, - notify => Service[apache]; - - 'leap_api': - content => $api_root, - notify => Service[apache]; - } -} diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp deleted file mode 100644 index f446a05b..00000000 --- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp +++ /dev/null @@ -1,16 +0,0 @@ -class site_ca_daemon::couchdb { - - $ca = hiera('ca_daemon') - $couchdb_host = $ca['couchdb_hosts'] - $couchdb_user = $ca['couchdb_user']['username'] - $couchdb_password = $ca['couchdb_user']['password'] - - file { - '/etc/leap/leap_ca.yaml': - content => template('site_ca_daemon/leap_ca.yaml.erb'), - owner => leap_ca_daemon, - group => leap_ca_daemon, - mode => '0600'; - } - -} 
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp deleted file mode 100644 index 8ba9c506..00000000 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ /dev/null 
@@ -1,103 +0,0 @@ -class site_ca_daemon { - tag 'leap_service' - #$definition_files = hiera('definition_files') - #$provider = $definition_files['provider'] - #$eip_service = $definition_files['eip_service'] - $x509 = hiera('x509') - - Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - - class { 'ruby': ruby_version => '1.9.3' } - - class { 'bundler::install': install_method => 'package' } - - include rubygems - #include site_ca_daemon::apache - include site_ca_daemon::couchdb - - group { 'leap_ca_daemon': - ensure => present, - allowdupe => false; - } - - user { 'leap_ca_daemon': - ensure => present, - allowdupe => false, - gid => 'leap_ca_daemon', - home => '/srv/leap_ca_daemon', - require => [ Group['leap_ca_daemon'] ]; - } - - - x509::key { - 'leap_ca_daemon': - content => $x509['ca_key']; - #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon - } - - x509::cert { - 'leap_ca_daemon': - content => $x509['ca_cert']; - #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon - } - - # - # Does CA need a server key/cert? I think not now. 
- # - # x509::key { - # 'server': - # content => $x509['key']; - # } - # - # x509::cert { - # 'server': - # content => $x509['cert']; - # } - - # x509::ca { - # 'leap_ca_daemon': - # content => $x509['ca_cert']; - # } - - - file { '/srv/leap_ca_daemon': - ensure => directory, - owner => 'leap_ca_daemon', - group => 'leap_ca_daemon', - require => User['leap_ca_daemon']; - } - - vcsrepo { '/srv/leap_ca_daemon': - ensure => present, - revision => 'origin/master', - provider => git, - source => 'git://code.leap.se/leap_ca', - owner => 'leap_ca_daemon', - group => 'leap_ca_daemon', - require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ], - notify => Exec['bundler_update'] - } - - exec { 'bundler_update': - cwd => '/srv/leap_ca_daemon', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', - unless => '/usr/bin/bundle check', - timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; - } - - file { '/usr/local/bin/leap_ca_daemon': - ensure => link, - target => '/srv/leap_ca_daemon/bin/leap_ca_daemon', - } - - file { '/etc/cron.hourly/leap_ca': - ensure => present, - content => "#/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null", - owner => 'root', - group => 0, - mode => '0755', - } - - -} diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb deleted file mode 100644 index e0b95278..00000000 --- a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# Default configuration options for LEAP Certificate Authority Daemon -# - -# -# Certificate Authority -# -ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" -ca_key_password: nil -ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" - -# -# Certificate pool -# -max_pool_size: 100 -client_cert_lifespan: 2 -client_cert_bit_size: 2024 -client_cert_hash: "SHA256" - -# -# Database -# -db_name: "client_certificates" -couch_connection: - protocol: "https" - host: <%= couchdb_host %> - port: 6984 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - prefix: "" - suffix: "" -- cgit v1.2.3 From 830f2408fa210016fdef855da8b3fd28421bff32 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Apr 2013 17:45:57 +0200 Subject: webapp: use admin creds for now, until we fixed couchdb user permissions --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 88eb2e25..4a818950 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -10,7 +10,7 @@ chown leap-webapp:leap-webapp config/couchdb.yml RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate -# use user credentials and remove admin credentials -cp config/couchdb.yml.webapp config/couchdb.yml +# use admin creds for now, until we fixed couchdb user permissions +cp config/couchdb.yml.admin config/couchdb.yml chown leap-webapp:leap-webapp config/couchdb.yml -- cgit v1.2.3 From 75053a203834ee70e527ba20c8dbad69b5620b04 Mon Sep 17 00:00:00 2001 
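Review bot: The final `cp config/couchdb.yml.admin config/couchdb.yml` now leaves the CouchDB admin credentials in the file the web app runs with, so the step-down to the `.webapp` credentials no longer happens and the app holds admin rights permanently instead of only for the migration. Since the comment calls this temporary, mark it so the revert is not forgotten, e.g. `# TODO: revert to config/couchdb.yml.webapp once couchdb user permissions are fixed; the webapp currently runs with admin credentials`, and consider keeping the `.webapp` copy line commented out rather than deleted so the intended end state stays visible. The script header is outside the hunk.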
From: Micah Anderson Date: Tue, 16 Apr 2013 11:59:27 -0400 Subject: update haproxy submodule to get version parameter possibility --- puppet/modules/haproxy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy index 967e0097..b398f3cb 160000 --- a/puppet/modules/haproxy +++ b/puppet/modules/haproxy @@ -1 +1 @@ -Subproject commit 967e0097f9447d6c73eeb99ef4b0df2a941820c3 +Subproject commit b398f3cb0a67d1170d0564a3f03977f9a08c2b6c -- cgit v1.2.3 From 9a6026af4f781d081274eb2884e0662dfdd54a07 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Apr 2013 12:26:24 -0400 Subject: pass version to haproxy so that the leap package will be installed this package is a newer version than the one in debian, and as of this writing haproxy is scheduled to be removed from wheezy, also it has hardened flags enabled --- puppet/modules/site_haproxy/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 602e26be..ace88a7b 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -2,6 +2,7 @@ class site_haproxy { class { 'haproxy': enable => true, + version => '1.4.23-0.1~leap60+1', manage_service => true, global_options => { 'log' => '127.0.0.1 local0', -- cgit v1.2.3 From 7b6882212da16b7f3e778919f6c8c018c6d1111b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Apr 2013 13:58:43 -0400 Subject: move secret token into the config.yaml --- puppet/modules/site_webapp/manifests/init.pp | 8 ++------ puppet/modules/site_webapp/templates/config.yml.erb | 1 + 2 files changed, 3 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1e6abe42..636a156d 100644 
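Review bot: `version => '1.4.23-0.1~leap60+1',` pins an exact package version with no comment, and the reason lives only in the commit message, so the next person updating haproxy has to recover it from git. A comment above the line such as `# pinned to the leap-built package: newer than wheezy's (which is scheduled for removal) and built with hardened flags; bump this when the package is updated` keeps that in the manifest. Pinning also means security updates to that package reach hosts only when this string changes, which is worth stating in the same comment. The body of class site_haproxy continues outside the hunk.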
--- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -111,12 +111,8 @@ class site_webapp { content => template('site_webapp/config.yml.erb'), owner => leap-webapp, group => leap-webapp, - mode => '0600'; - - '/srv/leap-webapp/config/initializers/secret_token.rb': - content => "LeapWeb::Application.config.secret_token = '${secret_token}'\n", - owner => leap-webapp, group => leap-webapp, mode => '0644', - notify => Service['apache']; + mode => '0600', + notify => Service['apache']; } include site_shorewall::webapp diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index af778212..83348d94 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -4,6 +4,7 @@ production: domain: <%= @provider_domain %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + secret_token: "<%= @secret_token %>" cert_options: client_cert_lifespan: <%= cert_options['life_span'].to_i %> -- cgit v1.2.3 From 9f9ea1670bc319f8c5cecff0ae02b2d342615e62 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 11:24:54 -0400 Subject: rename fallback apt source list so it will be more obvious when it is paired with the primary.list --- puppet/modules/site_apt/manifests/init.pp | 4 ++-- puppet/modules/site_apt/templates/fallback.list | 3 --- puppet/modules/site_apt/templates/secondary.list | 3 +++ 3 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 puppet/modules/site_apt/templates/fallback.list create mode 100644 puppet/modules/site_apt/templates/secondary.list (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index de854d58..c5f37014 100644 --- a/puppet/modules/site_apt/manifests/init.pp 
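Review bot: Dropping the `'/srv/leap-webapp/config/initializers/secret_token.rb'` resource stops Puppet from writing the token into a mode 0644 file, but it does not remove the copy already on disk, so hosts that have run the old manifest keep a world-readable secret_token.rb holding the same `${secret_token}` that config.yml now protects with 0600. Keep a purge entry in the same file block, `'/srv/leap-webapp/config/initializers/secret_token.rb': ensure => absent, notify => Service['apache'];`, until all hosts have converged. The file resource block begins outside the hunk.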
+++ b/puppet/modules/site_apt/manifests/init.pp @@ -19,8 +19,8 @@ class site_apt { include ::apt::unattended_upgrades - apt::sources_list { 'fallback.list.disabled': - content => template('site_apt/fallback.list'); + apt::sources_list { 'secondary.list.disabled': + content => template('site_apt/secondary.list'); } } diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/fallback.list deleted file mode 100644 index 41334b0b..00000000 --- a/puppet/modules/site_apt/templates/fallback.list +++ /dev/null @@ -1,3 +0,0 @@ -# basic -deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free - diff --git a/puppet/modules/site_apt/templates/secondary.list b/puppet/modules/site_apt/templates/secondary.list new file mode 100644 index 00000000..41334b0b --- /dev/null +++ b/puppet/modules/site_apt/templates/secondary.list @@ -0,0 +1,3 @@ +# basic +deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free + -- cgit v1.2.3 From 0ad85d0afa39817b07e0f774c7437d1ca9fd5fd6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 18:08:02 -0400 Subject: update apache module to new 2.7 style --- puppet/modules/apache | 2 +- puppet/modules/site_webapp/manifests/apache.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index dafb060f..6844258b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit dafb060fc57957dbe9e5e90698537e781cebeaf6 +Subproject commit 6844258b567b5065f5488a12f3f18208ff36ecb0 diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 554b9147..103e4f35 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
@@ -12,7 +12,7 @@ class site_webapp::apache { $api_cert = $x509['cert'] $api_root = $x509['ca_cert'] - $apache_no_default_site = true + class { '::apache': no_default_site => true } include apache::ssl apache::module { -- cgit v1.2.3 From 1d29e7ad92d4197fed3812add3ad195800f53281 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 18 Apr 2013 01:10:16 -0700 Subject: webapp: removed "Alias /1" from apache config --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 - puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index cdfcbd68..20d3dc9a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -22,7 +22,6 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap-webapp/public - Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4928cdd6..2ccc4418 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,7 +22,6 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap-webapp/public - Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests @@ -40,7 +39,7 @@ <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> PassengerEnabled off - AllowOverride all + AllowOverride all <% end -%> -- cgit v1.2.3 From aa9d9d8516981d08b0b6e230d290c22834dee8d0 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Thu, 18 Apr 2013 17:19:32 -0400 Subject: update apache module to take the 'ssl' parameter, and pass it to the class, this eliminates a potential variable lookup ordering problem (#2273) --- puppet/modules/apache | 2 +- puppet/modules/site_webapp/manifests/apache.pp | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index 6844258b..688f0779 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 6844258b567b5065f5488a12f3f18208ff36ecb0 +Subproject commit 688f07793a72ba4453f6663b6d19fe6388ba382f diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 103e4f35..8b340160 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -12,8 +12,7 @@ class site_webapp::apache { $api_cert = $x509['cert'] $api_root = $x509['ca_cert'] - class { '::apache': no_default_site => true } - include apache::ssl + class { '::apache': no_default_site => true, ssl => true } apache::module { 'alias': ensure => present; -- cgit v1.2.3 From 14dae1c1f5e2f12a37c6a4e71a89ef2f6a784712 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 22 Apr 2013 15:36:45 -0700 Subject: webapp -- fixed bug in configuration --- puppet/modules/site_webapp/templates/config.yml.erb | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 83348d94..df562cd9 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
@@ -5,8 +5,6 @@ production: client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> secret_token: "<%= @secret_token %>" - -cert_options: client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> client_cert_hash: <%= cert_options['digest'] %> -- cgit v1.2.3 From 5323c8c48df57dae61cb73a1b8df5b39736f5a89 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 11:52:16 -0400 Subject: fix mode for webapp production.log (#2300) --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index f6203552..840bb12e 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -40,7 +40,7 @@ class site_webapp::couchdb { '/srv/leap-webapp/logs/production.log': owner => leap-webapp, group => leap-webapp, - mode => '0660'; + mode => '0666'; '/usr/local/sbin/migrate_design_documents': source => 'puppet:///modules/site_webapp/migrate_design_documents', -- cgit v1.2.3 From 17774818485d9fe6db95f10fcc1f7815cee4510f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 23:32:29 +0200 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 6b537bb7..321278b3 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 6b537bb77dbfaa754b88e64041ecd57e7f7544a9 +Subproject commit 321278b3805ce74b6869ec070e083c8a91849d6f -- cgit v1.2.3 From 4d01724ff48a990f70f81779936840824c78ca6e Mon Sep 17 00:00:00 2001 
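Review bot: `mode => '0666'` on `/srv/leap-webapp/logs/production.log` makes the application log writable by every local account, so any unprivileged user on the host can truncate it or append forged entries, which undermines its value for incident investigation. The file is already owned by `leap-webapp:leap-webapp`; whichever process was failing to write under 0660 (presumably something not running as that user, perhaps the migration script) should be given membership of the `leap-webapp` group or be run as that user, keeping `mode => '0660'`. If read access for others is genuinely required, `'0664'` is the widest sensible setting.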
From: varac Date: Wed, 24 Apr 2013 00:32:18 +0200 Subject: Use pre-salted+hashed user pw for couchdb (Feature #2324) --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9ffa4122..de9b715c 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -11,12 +11,15 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_admin = $couchdb_users['admin'] $couchdb_admin_user = $couchdb_admin['username'] $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_admin_salt = $couchdb_admin['salt'] $couchdb_webapp = $couchdb_users['webapp'] $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] $couchdb_ca_daemon = $couchdb_users['ca_daemon'] $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] + $couchdb_ca_daemon_salt = $couchdb_ca_daemon['salt'] $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -45,18 +48,20 @@ class site_couchdb ( $bigcouch = false ) { couchdb::query::setup { 'localhost': user => $couchdb_admin_user, - pw => $couchdb_admin_pw + pw => $couchdb_admin_pw, } # Populate couchdb couchdb::add_user { $couchdb_webapp_user: roles => '["certs"]', - pw => $couchdb_webapp_pw + pw => $couchdb_webapp_pw, + salt => $couchdb_webapp_salt } couchdb::add_user { $couchdb_ca_daemon_user: roles => '["certs"]', - pw => $couchdb_ca_daemon_pw + pw => $couchdb_ca_daemon_pw, + salt => $couchdb_ca_daemon_salt } couchdb::create_db { 'users': -- cgit v1.2.3 From 1589e8dfa7e364c1d884100fa752bcc388c3589d Mon Sep 17 00:00:00 2001 
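Review bot: `$couchdb_admin_salt` is read from hiera in the first hunk but never used; the `couchdb::query::setup { 'localhost': ... }` call in the second hunk still passes only `pw => $couchdb_admin_pw`, while both `couchdb::add_user` resources receive a `salt =>`. If the admin password in hiera is now also the pre-salted hash described in the commit message, the setup call is handed a hash where a password is expected and the admin account will not authenticate, unless `couchdb::query::setup` obtains the salt some other way. Either pass `salt => $couchdb_admin_salt` wherever the admin password is consumed or drop the unused variable. The `site_couchdb` class body starts and continues outside both hunks.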
From: varac Date: Wed, 24 Apr 2013 00:33:08 +0200 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 321278b3..ec9d3c46 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 321278b3805ce74b6869ec070e083c8a91849d6f +Subproject commit ec9d3c4629586caa910323c7cd5ffe769843ad42 -- cgit v1.2.3 From 8322444051739f276c4cb19aa7d6addcad287782 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 15:16:18 +0200 Subject: automatic update of submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 095a5a01..66e0fa8f 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 095a5a01d5a7c7e3d95a71846220545080f7581c +Subproject commit 66e0fa8f1bc5062e9d753598ad17602c378a2994 -- cgit v1.2.3 From 3ced5ec963311c45cf359803727bd18fe6e23b69 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 15:53:05 +0200 Subject: updated needed couchdb users and DBs --- puppet/modules/site_couchdb/manifests/init.pp | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index de9b715c..6cf8e209 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -16,10 +16,10 @@ class site_couchdb ( $bigcouch = false ) { $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] $couchdb_webapp_salt = $couchdb_webapp['salt'] - $couchdb_ca_daemon = $couchdb_users['ca_daemon'] - $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] - $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - $couchdb_ca_daemon_salt = $couchdb_ca_daemon['salt'] + $couchdb_soledad = $couchdb_users['soledad'] + $couchdb_soledad_user = $couchdb_soledad['username'] + $couchdb_soledad_pw = $couchdb_soledad['password'] + $couchdb_soledad_salt = $couchdb_soledad['salt'] $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -36,9 +36,9 @@ class site_couchdb ( $bigcouch = false ) { Service ['couchdb'] -> Couchdb::Create_db['users'] - -> Couchdb::Create_db['client_certificates'] + -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] - -> Couchdb::Add_user[$couchdb_ca_daemon_user] + -> Couchdb::Add_user[$couchdb_soledad_user] class { 'site_couchdb::stunnel': key => $key, @@ -53,23 +53,23 @@ class site_couchdb ( $bigcouch = false ) { # Populate couchdb couchdb::add_user { $couchdb_webapp_user: - roles => '["certs"]', + roles => '["auth"]', pw => $couchdb_webapp_pw, salt => $couchdb_webapp_salt } - couchdb::add_user { $couchdb_ca_daemon_user: - roles => '["certs"]', - pw => $couchdb_ca_daemon_pw, - salt => $couchdb_ca_daemon_salt + couchdb::add_user { $couchdb_soledad_user: + roles => '["auth"]', + pw => $couchdb_soledad_pw, + salt => $couchdb_soledad_salt } couchdb::create_db { 'users': readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } - couchdb::create_db { 'client_certificates': - readers => "{ \"names\": [], \"roles\": [\"certs\"] }" + couchdb::create_db { 'tokens': + readers => "{ \"names\": [], \"roles\": [\"auth\"] }" } include site_shorewall::couchdb -- cgit v1.2.3 
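Review bot: `couchdb::create_db { 'tokens': readers => "{ \"names\": [], \"roles\": [\"auth\"] }" }` together with giving both the webapp user and the soledad user `roles => '["auth"]'` lets each of those accounts read every document in the tokens database (presumably the API session tokens), and, because CouchDB's `readers`/`members` security object grants write access to ordinary documents as well as read, lets either of them create or alter token documents. If soledad only needs to look tokens up, consider a distinct role per consumer and a `validate_doc_update` design document that restricts writes to the webapp's role, so that compromise of one service cannot mint tokens for the other. The `users` database's readers string interpolates `$couchdb_webapp_user` into JSON unescaped (pre-existing), so a `validate_re` on that hiera value would also be prudent.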
From b3572aed530b0834d58e75c83ef1eb670d1824e3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 16:50:19 +0200 Subject: Use pre-salted+hashed admin pw for couchdb (Feature #1941) --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6cf8e209..5e26b837 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -29,6 +29,7 @@ class site_couchdb ( $bigcouch = false ) { class { 'couchdb': bigcouch => $bigcouch, admin_pw => $couchdb_admin_pw, + admin_salt => $couchdb_admin_salt, bigcouch_cookie => $bigcouch_cookie, ednp_port => $ednp_port } -- cgit v1.2.3 From 6f1bfbcca5de5620a3ad9c3076776073b5d7aa20 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 16:50:43 +0200 Subject: automatic update of submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index ec9d3c46..7b6c9a29 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit ec9d3c4629586caa910323c7cd5ffe769843ad42 +Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 -- cgit v1.2.3 From 037d002bc3e29e8c88018b1a80a96bab0cc354b7 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 17:15:36 +0200 Subject: couchdb.yml.admin is changed on every puppetrun from leap-webapp to root --- puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 840bb12e..2062a267 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -27,8 +27,8 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), - owner => root, - group => root, + owner => leap_webapp, + group => leap_webapp, mode => '0600'; '/srv/leap-webapp/config/couchdb.yml.webapp': -- cgit v1.2.3 From ae7b1d3b68c2e2e295967cb638413627bfbe0734 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 17:22:17 +0200 Subject: user leap-webapp instead of leap_webapp --- puppet/modules/site_webapp/manifests/couchdb.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 2062a267..1dd346fd 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -27,8 +27,8 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), - owner => leap_webapp, - group => leap_webapp, + owner => leap-webapp, + group => leap-webapp, mode => '0600'; '/srv/leap-webapp/config/couchdb.yml.webapp': -- cgit v1.2.3 From 2bd18fcad2e1446388948ed0b98232d93564b8ad Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Apr 2013 18:23:41 +0200 Subject: take out plain couchdb setup, always deploy bigcouch (Feature #2176) --- puppet/modules/site_couchdb/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5e26b837..9f4824b4 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,4 +1,4 @@ -class site_couchdb ( $bigcouch = false ) { +class site_couchdb { tag 'leap_service' $x509 = hiera('x509') 
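Review bot: Changing `/srv/leap-webapp/config/couchdb.yml.admin` from `owner => root` to `owner => leap-webapp` makes the CouchDB admin credentials permanently readable by the web application user, so a compromise of the Rails process now yields database admin rights, whereas root ownership with `mode => '0600'` confined that exposure to whatever runs the migration. The commit message says something else is chowning the file to leap-webapp on every run; the safer fix is to stop that chown (the `migrate_design_documents` script appears to run with enough privilege to copy and chown the credentials itself) rather than to make Puppet agree with it. If the web app really must read this file directly, say so in a comment next to the resource, since the 0600 mode means the owner change is exactly the exposure.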
@@ -27,7 +27,7 @@ class site_couchdb ( $bigcouch = false ) { $ednp_port = $bigcouch_config['ednp_port'] class { 'couchdb': - bigcouch => $bigcouch, + bigcouch => true, admin_pw => $couchdb_admin_pw, admin_salt => $couchdb_admin_salt, bigcouch_cookie => $bigcouch_cookie, -- cgit v1.2.3 From 4ed2bb37ea8283f79aecca8b78e80b141e9eff50 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 24 Apr 2013 18:04:48 -0700 Subject: provider base - service definitions are now versioned (requires new leap_cli) --- puppet/modules/site_webapp/manifests/init.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 636a156d..8b5bb0e3 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -6,6 +6,7 @@ class site_webapp { $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') + $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -83,7 +84,11 @@ class site_webapp { ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - '/srv/leap-webapp/public/config/eip-service.json': + "/srv/leap-webapp/public/config/${api_version}": + ensure => directory, + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + "/srv/leap-webapp/public/config/${api_version}/eip-service.json": content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; } -- cgit v1.2.3 From 27cb083212a74c94ed069ce9ef3dfc7593e85524 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 25 Apr 2013 14:35:48 -0400 Subject: update apache submodule to fix #2279 --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
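Review bot: `"/srv/leap-webapp/public/config/${api_version}"` places a hiera-supplied value straight into a managed path; a malformed `api_version` (empty, containing `/` or `..`, or carrying whitespace) silently creates directories and the eip-service.json file outside the intended tree or directly at `/srv/leap-webapp/public/config`. Since stdlib is already in use, guard the value where it is read in the first hunk, e.g. `validate_re($api_version, '^[0-9]+$')` (or whatever pattern API versions are allowed to take). The `site_webapp` class body continues outside both hunks.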
diff --git a/puppet/modules/apache b/puppet/modules/apache index 688f0779..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 688f07793a72ba4453f6663b6d19fe6388ba382f +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e -- cgit v1.2.3 From 1c61472a0c0c14351993574f2673a6a3a3c75371 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:28:19 +0200 Subject: Revert "webapp: use admin creds for now, until we fixed couchdb user permissions" This reverts commit 830f2408fa210016fdef855da8b3fd28421bff32. --- puppet/modules/site_webapp/files/migrate_design_documents | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 4a818950..88eb2e25 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -10,7 +10,7 @@ chown leap-webapp:leap-webapp config/couchdb.yml RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate -# use admin creds for now, until we fixed couchdb user permissions -cp config/couchdb.yml.admin config/couchdb.yml +# use user credentials and remove admin credentials +cp config/couchdb.yml.webapp config/couchdb.yml chown leap-webapp:leap-webapp config/couchdb.yml -- cgit v1.2.3 From 8e5716518b361aceac5c2cc5433148edf8785d89 Mon Sep 17 00:00:00 2001 
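Review bot: The restore of the user credentials, `cp config/couchdb.yml.webapp config/couchdb.yml`, only happens on the straight-line path, so if the script is interrupted, or if its header enables `set -e` and a `bundle exec rake couchrest:migrate` line fails, `config/couchdb.yml` is left holding whatever was copied into it before the migration (presumably the admin credentials) and the web app keeps running with CouchDB admin rights. Register the restore before the migration runs instead, e.g. `trap 'cp config/couchdb.yml.webapp config/couchdb.yml; chown leap-webapp:leap-webapp config/couchdb.yml' EXIT`, so the admin copy never outlives the script. The script's header, including any `set -e`, is outside the hunk.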
From: Micah Anderson Date: Tue, 30 Apr 2013 17:17:54 -0400 Subject: setup a site_config::params class that can be used to set some common variables that are used in different places to start with we setup the $interface variable, based on logic as defined in #2213 change the various places that were looking up this value to use site_config::params::interface instead --- puppet/modules/site_config/manifests/params.pp | 25 ++++++++++++++++++++++ puppet/modules/site_openvpn/manifests/init.pp | 2 -- .../site_openvpn/templates/add_gateway_ips.sh.erb | 8 +++---- .../modules/site_shorewall/manifests/defaults.pp | 14 +++--------- puppet/modules/site_shorewall/manifests/eip.pp | 7 ++---- 5 files changed, 34 insertions(+), 22 deletions(-) create mode 100644 puppet/modules/site_config/manifests/params.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp new file mode 100644 index 00000000..237ee454 --- /dev/null +++ b/puppet/modules/site_config/manifests/params.pp @@ -0,0 +1,25 @@ +class site_config::params { + + $ip_address = hiera('ip_address') + $ip_address_interface = getvar("interface_${ip_address}") + $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") + + if $::virtual == 'virtualbox' { + $interface = [ 'eth0', 'eth1' ] + } + elsif hiera('interface','') != '' { + $interface = hiera('interface') + } + elsif $ip_address_interface != '' { + $interface = $ip_address_interface + } + elsif $ec2_local_ipv4_interface != '' { + $interface = $ec2_local_ipv4_interface + } + elsif $::interfaces =~ /eth0/ { + $interface = eth0 + } + else { + fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") + } +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 1ae3fb02..9bfffa6f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp 
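Review bot: `elsif $::interfaces =~ /eth0/` is an unanchored substring match against facter's comma-separated interface list, so a host whose interfaces are only, say, `veth0` or `eth01` takes this branch and is assigned `eth0` although no such device exists, and the `fail()` fallback never fires. Match a whole list element instead, `elsif $::interfaces =~ /(^|,)eth0(,|$)/ {`, and quote the assigned value, `$interface = 'eth0'`, to match the other branches.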
+++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -21,8 +21,6 @@ class site_openvpn { $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') - $ip_address = hiera('ip_address') - $interface = getvar("interface_${ip_address}") $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $openvpn_config['gateway_address'] if $openvpn_config['second_gateway_address'] { diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb index ed06a95e..05f3d16b 100644 --- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -1,11 +1,11 @@ #!/bin/sh -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= @interface %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 || + ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> <% if @openvpn_second_gateway_address %> -ip addr show dev <%= @interface %> | grep -q <%= @openvpn_second_gateway_address %>/24 || - ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= @interface %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 || + ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> <% end %> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5639a90..c62c9307 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
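Review bot: `<%= scope.lookupvar('site_config::params::interface') %>` is rendered as a scalar, but the new `site_config::params` class assigns `$interface = [ 'eth0', 'eth1' ]` on virtualbox hosts, so on those nodes this script becomes `ip addr show dev eth0eth1` (or `["eth0", "eth1"]`, depending on the Ruby version) and the gateway address is never added. The same regression applies to `site_shorewall::eip` in the hunk on the next line, which replaces its own `'eth0'` special case for virtualbox with the raw `$site_config::params::interface` and then uses it in masq titles and `interface =>` parameters. Either have `site_config::params` expose a scalar for these consumers (the first element, or a dedicated `$openvpn_interface`), or select it at the use site, e.g. `<% iface = Array(scope.lookupvar('site_config::params::interface')).first %>` at the top of this template. `site_shorewall::defaults` is unaffected, since `shorewall::interface` and `shorewall::routestopped` accept array titles.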
@@ -1,17 +1,10 @@ class site_shorewall::defaults { include shorewall + include site_config::params # be safe for development #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } - $ip_address = hiera('ip_address') - # a special case for vagrant interfaces - $interface = $::virtual ? { - virtualbox => [ 'eth0', 'eth1' ], - default => getvar("interface_${ip_address}") - } - - # If you want logging: shorewall::params { 'LOG': value => 'debug'; @@ -19,14 +12,13 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - # define interfaces - shorewall::interface { $interface: + shorewall::interface { $site_config::params::interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::routestopped { $interface: } + shorewall::routestopped { $site_config::params::interface: } shorewall::policy { 'fw-to-all': diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 95c3920e..2f84d45c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,6 +1,7 @@ class site_shorewall::eip { include site_shorewall::defaults + include site_config::params include site_shorewall::ip_forward # define macro for incoming services @@ -32,11 +33,7 @@ PARAM - - udp 1194 type => 'ipv4'; } - if $::virtual == 'virtualbox' { - $interface = 'eth0' - } else { - $interface = $site_shorewall::defaults::interface - } + $interface = $site_config::params::interface shorewall::masq { "${interface}_unlimited_tcp": -- cgit v1.2.3 From b54161a12561c5983f6bc5215f764a1f46a4bd1f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 30 Apr 2013 17:18:19 -0400 Subject: minor spacing changes --- puppet/modules/site_shorewall/manifests/eip.pp | 30 +++++++++++++------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 2f84d45c..8a986d28 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,8 +7,8 @@ class site_shorewall::eip { # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 1194 -PARAM - - udp 1194 -", + PARAM - - udp 1194 + ", notify => Service['shorewall'], require => Package['shorewall'] } @@ -37,17 +37,17 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_unlimited_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; "${interface}_unlimited_udp": - interface => $interface, - source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; "${interface}_limited_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; "${interface}_limited_udp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; + interface => $interface, + source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; } shorewall::policy { 
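Review bot: The re-indentation inside the `content => "PARAM - - tcp 1194 ..."` string is not cosmetic: the whitespace is part of a double-quoted literal, so the generated `/etc/shorewall/macro.leap_eip` now has leading indentation on the `PARAM - - udp 1194` line and a final line of spaces. If Shorewall's macro parser is whitespace-tolerant this is harmless, but if not the UDP 1194 rule silently drops out of the `leap_eip(ACCEPT)` macro; verify with `shorewall check` on a node, or keep the continuation lines at column 0, or move the macro into a `puppet:///` file so layout and content are decoupled.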
@@ -59,11 +59,11 @@ PARAM - - udp 1194 } shorewall::rule { - 'net2fw-openvpn': - source => 'net', - destination => '$FW', - action => 'leap_eip(ACCEPT)', - order => 200; + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', + order => 200; } # create dnat rule for each port -- cgit v1.2.3 From c8e427c39285a0ac8750c1b9bbf247533bbce519 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 30 Apr 2013 14:25:45 -0700 Subject: added soledad-service.json --- puppet/modules/site_webapp/manifests/init.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 8b5bb0e3..8e0aa11c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -3,6 +3,7 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] + $soledad_service = $definition_files['soledad_service'] $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') 
@@ -80,17 +81,21 @@ class site_webapp { ensure => link, target => '/usr/local/share/ca-certificates/leap_api.crt'; - '/srv/leap-webapp/public/config': + "/srv/leap-webapp/public/${api_version}": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/config/${api_version}": + "/srv/leap-webapp/public/${api_version}/config/": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/config/${api_version}/eip-service.json": + "/srv/leap-webapp/public/${api_version}/config/eip-service.json": content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": + content => $soledad_service, + owner => leap-webapp, group => leap-webapp, mode => '0644'; } try::file { -- cgit v1.2.3 From 8087a374429c1b1be5a766e6e89cdeb02de292a3 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 2 May 2013 14:01:35 -0700 Subject: fixed dnat_rules --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index e1ea86ec..aa298408 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -2,12 +2,12 @@ define site_shorewall::dnat_rule { $port = $name if $port != 1194 { - if $site_openvpn::openvpn_allow_paid { + if $site_openvpn::openvpn_allow_unlimited { shorewall::rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; 
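Review bot: `"/srv/leap-webapp/public/${api_version}/config/":` carries a trailing slash while every sibling title does not; Puppet normalizes file titles so this most likely still works, but parent/child autorequire and any future `require => File[...]` match on the canonical path, and the inconsistency invites a mismatch later. Drop the slash: `"/srv/leap-webapp/public/${api_version}/config":`. The enclosing `file { ... }` block begins outside the hunk.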
@@ -16,18 +16,18 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; } } - if $site_openvpn::openvpn_allow_free { + if $site_openvpn::openvpn_allow_limited { shorewall::rule { "dnat_free_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -36,7 +36,7 @@ define site_shorewall::dnat_rule { "dnat_free_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; -- cgit v1.2.3 From 4132a1b857c79670ef457ae7e11b77b6ff2c477b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 9 May 2013 17:16:48 -0400 Subject: the leap platform repo should track 'stable' --- puppet/modules/site_apt/manifests/leap_repo.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 81559abd..9d967841 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -1,6 +1,6 @@ class site_apt::leap_repo { - apt::sources_list {'leap.list': - content => "deb http://deb.leap.se/debian ${::lsbdistcodename} main", + apt::sources_list { 'leap.list': + content => 'deb http://deb.leap.se/debian stable main', before => Exec[refresh_apt] } -- cgit v1.2.3 From b3d1c6c58838b0c4f368bc42493ac3bae280b5af Mon Sep 17 00:00:00 2001 
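Review bot: The titles `"dnat_free_tcp_port_$port"` and `"dnat_free_udp_port_$port"` in these two hunks still use the old `free` name although the guard and destination were renamed to `openvpn_allow_limited` / `limited_gateway_address`, and the `unlimited` rules in the first hunk on the previous line keep the unqualified `"dnat_tcp_port_$port"`. Renaming them `"dnat_limited_tcp_port_${port}"` and `"dnat_unlimited_tcp_port_${port}"` (braced interpolation, as the rest of the module uses) keeps the generated shorewall rule names in step with the configuration keys they derive from.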
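Review bot: `content => 'deb http://deb.leap.se/debian stable main'` fetches the platform packages over plain HTTP from a moving `stable` suite, so the integrity of everything installed from it rests entirely on APT's signature verification for that repository. Nothing in this module shows the deb.leap.se signing key being installed or its fingerprint pinned; that should happen before `Exec[refresh_apt]` and not via an unauthenticated key fetch, or the source should use https if the mirror supports it, so a hostile network cannot serve a stale or altered index. A one-line comment explaining why `stable` replaces `${::lsbdistcodename}` would also help, since the previous line tied the suite to the host's release.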
From: elijah Date: Tue, 14 May 2013 12:23:20 -0700 Subject: added smtp-service.json, requires latest leap_cli --- puppet/modules/site_webapp/manifests/init.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 8e0aa11c..5c084a0c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -4,6 +4,7 @@ class site_webapp { $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] $soledad_service = $definition_files['soledad_service'] + $smtp_service = $definition_files['smtp_service'] $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') @@ -96,6 +97,10 @@ class site_webapp { "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": content => $soledad_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + "/srv/leap-webapp/public/${api_version}/config/smtp-service.json": + content => $smtp_service, + owner => leap-webapp, group => leap-webapp, mode => '0644'; } try::file { -- cgit v1.2.3 From 0f6d2ebd6467d1c793d1907d677ca374a1efe477 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 11 May 2013 14:05:14 -0400 Subject: special casing for pistoncloud/openstack/ec2 --- puppet/modules/site_openvpn/manifests/init.pp | 33 ++++++++++++++++---------- puppet/modules/site_shorewall/manifests/eip.pp | 16 ++++++++----- 2 files changed, 30 insertions(+), 19 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 9bfffa6f..685871bd 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -22,11 +22,16 @@ class site_openvpn { $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $openvpn_config['gateway_address'] - if $openvpn_config['second_gateway_address'] { - $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + + if $::ec2_instance_id { + $openvpn_gateway_address = $::ipaddress } else { - $openvpn_second_gateway_address = undef + $openvpn_gateway_address = $openvpn_config['gateway_address'] + if $openvpn_config['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + } else { + $openvpn_second_gateway_address = undef + } } $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] @@ -38,15 +43,17 @@ class site_openvpn { $openvpn_unlimited_udp_netmask = '255.255.248.0' $openvpn_unlimited_udp_cidr = '21' - $openvpn_allow_limited = $openvpn_config['allow_limited'] - $openvpn_limited_prefix = $openvpn_config['limited_prefix'] - $openvpn_rate_limit = $openvpn_config['rate_limit'] - $openvpn_limited_tcp_network_prefix = '10.43.0' - $openvpn_limited_tcp_netmask = '255.255.248.0' - $openvpn_limited_tcp_cidr = '21' - $openvpn_limited_udp_network_prefix = '10.44.0' - $openvpn_limited_udp_netmask = '255.255.248.0' - $openvpn_limited_udp_cidr = '21' + if !$::ec2_instance_id { + $openvpn_allow_limited = $openvpn_config['allow_limited'] + $openvpn_limited_prefix = $openvpn_config['limited_prefix'] + $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_limited_tcp_network_prefix = '10.43.0' + $openvpn_limited_tcp_netmask = '255.255.248.0' + $openvpn_limited_tcp_cidr = '21' + $openvpn_limited_udp_network_prefix = '10.44.0' + $openvpn_limited_udp_netmask = '255.255.248.0' + $openvpn_limited_udp_cidr = '21' + } # deploy ca + server keys include site_openvpn::keys 
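Review bot: The new `if $::ec2_instance_id` branch assigns `$openvpn_gateway_address` but never assigns `$openvpn_second_gateway_address`, while the `else` branch always sets it (to a value or `undef`); any later reference to `$site_openvpn::openvpn_second_gateway_address` will therefore see an unset variable on EC2 nodes, which warns today and fails once strict variable checking is on. Add `$openvpn_second_gateway_address = undef` inside the EC2 branch. The same pattern appears in the second hunk: under `if !$::ec2_instance_id` the `$openvpn_allow_limited` and `$openvpn_limited_*` variables are simply absent on EC2, so consumers such as the `site_shorewall::dnat_rule` hunk earlier on this page (which reads `$site_openvpn::openvpn_allow_limited`) rely on unset-is-false rather than an explicit `false`. Since this decision is driven by a fact the node reports about itself and silently disables the rate-limited networks, a short comment stating that is worth adding. The class body continues outside both hunks.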
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8a986d28..7109b770 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -42,12 +42,16 @@ class site_shorewall::eip { "${interface}_unlimited_udp": interface => $interface, source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; - "${interface}_limited_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; - "${interface}_limited_udp": - interface => $interface, - source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; + } + if ! $::ec2_instance_id { + shorewall::masq { + "${interface}_limited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + "${interface}_limited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; + } } shorewall::policy { -- cgit v1.2.3 From 450fb19a4df8f4740dcf077b585dbd77c096d133 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 18 May 2013 17:13:05 -0700 Subject: added module site_nickserver --- puppet/modules/site_config/manifests/ruby.pp | 14 +++ puppet/modules/site_nickserver/manifests/init.pp | 120 +++++++++++++++++++++ .../site_nickserver/templates/nickserver.yml.erb | 7 ++ puppet/modules/site_webapp/manifests/init.pp | 8 +- 4 files changed, 142 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_config/manifests/ruby.pp create mode 100644 puppet/modules/site_nickserver/manifests/init.pp create mode 100644 puppet/modules/site_nickserver/templates/nickserver.yml.erb (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp new file mode 100644 index 00000000..2a720114 --- /dev/null +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -0,0 +1,14 @@ +class site_config::ruby { + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] + class { '::ruby': ruby_version => '1.9.3' } + class { 'bundler::install': install_method => 'package' } + include rubygems +} + + +# +# Ruby settings common to all servers +# +# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors. +# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/ +# diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp new file mode 100644 index 00000000..4a80d8fd --- /dev/null +++ b/puppet/modules/site_nickserver/manifests/init.pp 
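Review bot: The header comment for `site_config::ruby` is placed after the class body and refers to the class as `site_ruby`, which is not the name declared on the first line; move the block above `class site_config::ruby {` and change it to `# So that other classes can do 'include site_config::ruby' without creating redeclaration errors.` The chain `Class[Ruby] -> Class[rubygems] -> Class[bundler::install]` mixes a capitalised title with lower-case ones; Puppet normalises them, but `Class['ruby']` written consistently with the `'::ruby'` declaration on the next line reads more clearly. The pin `ruby_version => '1.9.3'` is now shared by every server that includes this class, so a short why-comment on that line would help.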
@@ -0,0 +1,120 @@ +# +# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp. +# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently. +# + +class site_nickserver { + tag 'leap_service' + include site_config::ruby + + # + # VARIABLES + # + + $nickserver = hiera('nickserver') + $nickserver_port = $nickserver['port'] + $couchdb_user = $nickserver['couchdb_user']['username'] + $couchdb_password = $nickserver['couchdb_user']['password'] + $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. + $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + + # + # USER AND GROUP + # + + group { 'nickserver': + ensure => present, + allowdupe => false; + } + user { 'nickserver': + ensure => present, + allowdupe => false, + gid => 'nickserver', + groups => 'ssl-cert', + home => '/srv/leap/nickserver', + require => Group['nickserver']; + } + + # + # NICKSERVER CODE + # + + #file { '/srv/leap/nickserver': + # ensure => directory, + # owner => 'nickserver', + # group => 'nickserver', + # require => User['nickserver']; + #} + vcsrepo { '/srv/leap/nickserver': + ensure => present, + revision => 'origin/master', + provider => git, + source => 'git://code.leap.se/nickserver', + owner => 'nickserver', + group => 'nickserver', + require => [ User['nickserver'], Group['nickserver'] ], + notify => Exec['nickserver_bundler_update']; + } + exec { 'nickserver_bundler_update': + cwd => '/srv/leap/nickserver', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', + unless => '/usr/bin/bundle check', + user => 'nickserver', + timeout => 600, + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'] ], + notify => Service['nickserver']; + } + + # + # NICKSERVER CONFIG + # + + file { '/etc/leap/nickserver.yml': + content => template('site_nickserver/nickserver.yml.erb'), + owner => 
nickserver, + group => nickserver, + mode => '0600', + notify => Service['nickserver']; + } + + # + # NICKSERVER DAEMON + # + + file { + '/usr/bin/nickserver': + ensure => link, + target => '/srv/leap/nickserver/bin/nickserver', + require => Vcsrepo['/srv/leap/nickserver']; + '/etc/init.d/nickserver': + owner => root, group => 0, mode => '0755', + source => '/srv/leap/nickserver/dist/debian-init-script', + require => Vcsrepo['/srv/leap/nickserver']; + } + + service { 'nickserver': + ensure => running, + enable => true, + hasrestart => true, + hasstatus => true, + require => File['/etc/init.d/nickserver']; + } + + # + # FIREWALL + # + + file { '/etc/shorewall/macro.nickserver': + content => "PARAM - - tcp $nickserver_port", + notify => Service['shorewall'], + require => Package['shorewall']; + } + + shorewall::rule { 'net2fw-nickserver': + source => 'net', + destination => '$FW', + action => 'nickserver(ACCEPT)', + order => 200; + } + +} \ No newline at end of file diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb new file mode 100644 index 00000000..ec1c22ed --- /dev/null +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb @@ -0,0 +1,7 @@ +couch_host: <%= @couchdb_host %> +couch_port: <%= @couchdb_port %> +couch_database: 'users' +couch_user: <%= @couchdb_user %> +couch_password: <%= @couchdb_password %> +hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' +port: <%= @nickserver_port %> diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 5c084a0c..80b7c271 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
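Review bot: `/etc/init.d/nickserver` is installed root-owned with mode `'0755'` but its `source` is `/srv/leap/nickserver/dist/debian-init-script`, a file inside a checkout owned by the unprivileged `nickserver` user, so whoever controls that checkout controls a script root executes at boot; the checkout itself comes from `git://code.leap.se/nickserver` (an unauthenticated transport) at the moving `revision => 'origin/master'`, so the content is neither pinned nor integrity-checked. Ship the init script from the module instead (`source => 'puppet:///modules/site_nickserver/debian-init-script'`), pin `revision` to a tag or commit, and use an authenticated transport; the webapp `vcsrepo` further down this page (`git://code.leap.se/leap_web`) has the same transport issue. `/usr/bin/nickserver` is a symlink into the same user-owned tree, which is acceptable for the service running as that user but should carry a comment so it is never invoked as root. The `exec` that runs `bundle install` is the other path by which code enters the host; if gem versions are pinned by the repository's lockfile, a comment saying so would complete the picture.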
@@ -11,13 +11,7 @@ class site_webapp { $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] - Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - - class { 'ruby': ruby_version => '1.9.3' } - - class { 'bundler::install': install_method => 'package' } - - include rubygems + include site_config::ruby include site_webapp::apache include site_webapp::couchdb include site_webapp::client_ca -- cgit v1.2.3 From b3cd7fc827d51007053ae1077cda2a2fc78a48dc Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 18 May 2013 22:55:34 -0700 Subject: nickserver - ensure libssl-dev is installed before EventMachine gem is installed. --- puppet/modules/site_nickserver/manifests/init.pp | 12 +++++------- puppet/modules/site_nickserver/templates/nickserver.yml.erb | 3 +++ 2 files changed, 8 insertions(+), 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 4a80d8fd..03af4acb 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -39,12 +39,10 @@ class site_nickserver { # NICKSERVER CODE # - #file { '/srv/leap/nickserver': - # ensure => directory, - # owner => 'nickserver', - # group => 'nickserver', - # require => User['nickserver']; - #} + # libssl-dev must be installed before eventmachine gem in order to support TLS + package { + 'libssl-dev': ensure => installed; + } vcsrepo { '/srv/leap/nickserver': ensure => present, revision => 'origin/master', @@ -61,7 +59,7 @@ class site_nickserver { unless => '/usr/bin/bundle check', user => 'nickserver', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ], notify => Service['nickserver']; } 
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index ec1c22ed..b6e0b3bf 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb @@ -5,3 +5,6 @@ couch_user: <%= @couchdb_user %> couch_password: <%= @couchdb_password %> hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' port: <%= @nickserver_port %> +pid_file: '/var/run/nickserver' +user: 'nickserver' +log_file: '/var/log/nickserver.log' -- cgit v1.2.3 From 379c6ff12c28a10dac4518c5cd2143ce11a39f85 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 19 May 2013 12:41:01 -0700 Subject: updated apache submodule --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 From aafeaecb26fbb05284558114332a89439261637b Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 21 May 2013 13:17:25 -0700 Subject: nickserver - added support for apache reverse proxy frontend to handle the TLS. --- puppet/modules/site_nickserver/manifests/init.pp | 54 ++++++++++++++++++++-- .../templates/nickserver-proxy.conf.erb | 23 +++++++++ .../site_nickserver/templates/nickserver.yml.erb | 27 +++++++---- 3 files changed, 90 insertions(+), 14 deletions(-) create mode 100644 puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 03af4acb..7dfa2603 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp 
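Review bot: `pid_file: '/var/run/nickserver'` is added alongside `user: 'nickserver'`, and `/var/run` is normally writable only by root; unless the init script (not on this page) creates the pid file before dropping privileges, the daemon will fail to write it, and `/var/log/nickserver.log` has the same problem. A service-owned directory, e.g. `pid_file: '/var/run/nickserver/nickserver.pid'` created by a `file { ensure => directory }` resource in `site_nickserver`, avoids both. This is an inference from the template alone, so confirm against the init script before changing it.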
@@ -1,6 +1,10 @@ # -# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp. -# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently. +# TODO: currently, this is dependent on some things that are set up in site_webapp +# +# (1) HAProxy -> couchdb +# (2) Apache +# +# It would be good in the future to make nickserver installable independently of site_webapp. # class site_nickserver { @@ -12,12 +16,23 @@ class site_nickserver { # $nickserver = hiera('nickserver') - $nickserver_port = $nickserver['port'] + $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425) + $nickserver_local_port = '64250' # the port that nickserver is actually running on + $nickserver_domain = $nickserver['domain'] + $couchdb_user = $nickserver['couchdb_user']['username'] $couchdb_password = $nickserver['couchdb_user']['password'] $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + # temporarily for now: + $domain = hiera('domain') + $address_domain = $domain['full_suffix'] + $x509 = hiera('x509') + $x509_key = $x509['key'] + $x509_cert = $x509['cert'] + $x509_ca = $x509['ca_cert'] + # # USER AND GROUP # @@ -30,16 +45,16 @@ class site_nickserver { ensure => present, allowdupe => false, gid => 'nickserver', - groups => 'ssl-cert', home => '/srv/leap/nickserver', require => Group['nickserver']; } # # NICKSERVER CODE + # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem + # is built/installed. # - # libssl-dev must be installed before eventmachine gem in order to support TLS package { 'libssl-dev': ensure => installed; } @@ -100,6 +115,7 @@ class site_nickserver { # # FIREWALL + # poke a hole in the firewall to allow nickserver requests # file { '/etc/shorewall/macro.nickserver': 
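Review bot: `$nickserver_local_port = '64250'` introduces a second listener for the daemon, but nothing in this hunk or in the templates on this page binds it to loopback; if the daemon listens on all interfaces, port 64250 is reachable without the TLS front end and is kept off the network only by shorewall's default policy. Either pass a bind address through `nickserver.yml.erb` or state in a comment on this line that the daemon binds to localhost, e.g. `# the port nickserver itself listens on; must stay bound to 127.0.0.1, Apache proxies to it`. The `# temporarily for now:` block would be easier to retire with a TODO naming the intended permanent source of `$address_domain` and the x509 material. The class body continues outside the hunk.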
@@ -115,4 +131,32 @@ class site_nickserver { order => 200; } + # + # APACHE REVERSE PROXY + # nickserver doesn't speak TLS natively, let Apache handle that. + # + + apache::module { + 'proxy': ensure => present; + 'proxy_http': ensure => present + } + + apache::vhost::file { + 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') + } + + x509::key { 'nickserver': + content => $x509_key, + notify => Service[apache]; + } + + x509::cert { 'nickserver': + content => $x509_cert, + notify => Service[apache]; + } + + x509::ca { 'nickserver': + content => $x509_ca, + notify => Service[apache]; + } } \ No newline at end of file diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb new file mode 100644 index 00000000..67896cd3 --- /dev/null +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -0,0 +1,23 @@ +# +# Apache reverse proxy configuration for the Nickserver +# + +Listen 0.0.0.0:<%= @nickserver_port -%> + +> + ServerName <%= @nickserver_domain %> + ServerAlias <%= @address_domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/nickserver.pem + SSLCertificateKeyFile /etc/x509/keys/nickserver.key + SSLCertificateFile /etc/x509/certs/nickserver.crt + + ProxyPass / http://localhost:<%= @nickserver_local_port %>/ + ProxyPreserveHost On # preserve Host header in HTTP request + diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index b6e0b3bf..7aab5605 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb 
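Review bot: `ProxyPreserveHost On # preserve Host header in HTTP request` puts a comment at the end of a directive line, which Apache does not support; httpd rejects the vhost at startup with an argument-count error, so move the comment onto its own line above `ProxyPreserveHost On`. `SSLProtocol -all +SSLv3 +TLSv1` deliberately re-enables SSLv3 on a public listener and `SSLCipherSuite HIGH:MEDIUM:...` admits the `MEDIUM` group (RC4, 3DES); `SSLProtocol all -SSLv2 -SSLv3` and dropping `MEDIUM` is the safer default and still serves every TLS client the daemon is meant for. The chain is read from `/etc/ssl/certs/nickserver.pem` while key and cert come from `/etc/x509/...`; whether `x509::ca { 'nickserver': }` in the manifest hunk writes to that path depends on the x509 module, which is not on this page, so a comment tying the two together would help. The `<VirtualHost>` open and close tags appear to have been dropped by the page rendering rather than by the commit.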
@@ -1,10 +1,19 @@ -couch_host: <%= @couchdb_host %> +# +# configuration for nickserver. +# + +domain: "<%= @address_domain %>" + +couch_host: "<%= @couchdb_host %>" couch_port: <%= @couchdb_port %> -couch_database: 'users' -couch_user: <%= @couchdb_user %> -couch_password: <%= @couchdb_password %> -hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' -port: <%= @nickserver_port %> -pid_file: '/var/run/nickserver' -user: 'nickserver' -log_file: '/var/log/nickserver.log' +couch_database: "users" +couch_user: "<%= @couchdb_user %>" +couch_password: "<%= @couchdb_password %>" + +hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup" + +user: "nickserver" +port: <%= @nickserver_local_port %> +pid_file: "/var/run/nickserver" +log_file: "/var/log/nickserver.log" + -- cgit v1.2.3 From 264fa32a719d77b15e623cc3fc4574fd04837716 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 May 2013 17:42:40 -0400 Subject: change paths for leap webapp to be under /srv/leap/webapp from /srv/leap-webapp --- .../site_apache/templates/vhosts.d/api.conf.erb | 2 +- .../templates/vhosts.d/leap_webapp.conf.erb | 2 +- .../site_webapp/files/migrate_design_documents | 2 +- puppet/modules/site_webapp/manifests/couchdb.pp | 8 ++--- puppet/modules/site_webapp/manifests/init.pp | 36 +++++++++++----------- 5 files changed, 25 insertions(+), 25 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 20d3dc9a..ae894cd4 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -21,7 +21,7 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap-webapp/public + DocumentRoot /srv/leap/webapp/public # Check for maintenance file and redirect all requests RewriteEngine On 
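Review bot: `couch_password: "<%= @couchdb_password %>"` now wraps the secret in YAML double quotes, where `\` and `"` are escape characters, so a password containing either yields a broken file or a silently different value; `couch_user` has the same exposure. Single quotes with the quote doubled are safer, e.g. `couch_password: '<%= @couchdb_password.to_s.gsub("'", "''") %>'`, or emit the whole document through a YAML serializer. `hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"` carries an empty port after the host's colon; it predates this commit, but since the line is rewritten here it is the place to drop the stray `:` or state the intended port.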
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 2ccc4418..3055a7bb 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,7 +21,7 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap-webapp/public + DocumentRoot /srv/leap/webapp/public RewriteEngine On # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents index 88eb2e25..6e24aa5b 100644 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -1,6 +1,6 @@ #!/bin/sh -cd /srv/leap-webapp +cd /srv/leap/webapp # use admin credentials cp config/couchdb.yml.admin config/couchdb.yml diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dd346fd..7a3839c8 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -25,19 +25,19 @@ class site_webapp::couchdb { $key_path = "${x509::variables::keys}/${cert_name}.key" file { - '/srv/leap-webapp/config/couchdb.yml.admin': + '/srv/leap/webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600'; - '/srv/leap-webapp/config/couchdb.yml.webapp': + '/srv/leap/webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600'; - '/srv/leap-webapp/logs/production.log': + '/srv/leap/webapp/logs/production.log': owner => leap-webapp, group => leap-webapp, mode => '0666'; 
@@ -58,7 +58,7 @@ class site_webapp::couchdb { } exec { 'migrate_design_documents': - cwd => '/srv/leap-webapp', + cwd => '/srv/leap/webapp', command => '/usr/local/sbin/migrate_design_documents', require => Exec['bundler_update'], notify => Service['apache']; diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 5c084a0c..f7a4b598 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -33,18 +33,18 @@ class site_webapp { allowdupe => false, gid => 'leap-webapp', groups => 'ssl-cert', - home => '/srv/leap-webapp', + home => '/srv/leap/webapp', require => [ Group['leap-webapp'] ]; } - file { '/srv/leap-webapp': + file { '/srv/leap/webapp': ensure => directory, owner => 'leap-webapp', group => 'leap-webapp', require => User['leap-webapp']; } - vcsrepo { '/srv/leap-webapp': + vcsrepo { '/srv/leap/webapp': ensure => present, revision => 'origin/master', provider => git, @@ -56,17 +56,17 @@ class site_webapp { } exec { 'bundler_update': - cwd => '/srv/leap-webapp', + cwd => '/srv/leap/webapp', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ], notify => Service['apache']; } exec { 'compile_assets': - cwd => '/srv/leap-webapp', + cwd => '/srv/leap/webapp', command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', user => 'leap-webapp', require => Exec['bundler_update'], 
@@ -74,55 +74,55 @@ class site_webapp { } file { - '/srv/leap-webapp/public/provider.json': + '/srv/leap/webapp/public/provider.json': content => $provider, owner => leap-webapp, group => leap-webapp, mode => '0644'; - '/srv/leap-webapp/public/ca.crt': + '/srv/leap/webapp/public/ca.crt': ensure => link, target => '/usr/local/share/ca-certificates/leap_api.crt'; - "/srv/leap-webapp/public/${api_version}": + "/srv/leap/webapp/public/${api_version}": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/${api_version}/config/": + "/srv/leap/webapp/public/${api_version}/config/": ensure => directory, owner => leap-webapp, group => leap-webapp, mode => '0755'; - "/srv/leap-webapp/public/${api_version}/config/eip-service.json": + "/srv/leap/webapp/public/${api_version}/config/eip-service.json": content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; - "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": + "/srv/leap/webapp/public/${api_version}/config/soledad-service.json": content => $soledad_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; - "/srv/leap-webapp/public/${api_version}/config/smtp-service.json": + "/srv/leap/webapp/public/${api_version}/config/smtp-service.json": content => $smtp_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; } try::file { - '/srv/leap-webapp/public/favicon.ico': + '/srv/leap/webapp/public/favicon.ico': ensure => 'link', target => $webapp['favicon']; - '/srv/leap-webapp/app/assets/stylesheets/tail.scss': + '/srv/leap/webapp/app/assets/stylesheets/tail.scss': ensure => 'link', target => $webapp['tail_scss']; - '/srv/leap-webapp/app/assets/stylesheets/head.scss': + '/srv/leap/webapp/app/assets/stylesheets/head.scss': ensure => 'link', target => $webapp['head_scss']; - '/srv/leap-webapp/public/img': + '/srv/leap/webapp/public/img': ensure => 'link', target => $webapp['img_dir']; } file { - 
'/srv/leap-webapp/config/config.yml': + '/srv/leap/webapp/config/config.yml': content => template('site_webapp/config.yml.erb'), owner => leap-webapp, group => leap-webapp, -- cgit v1.2.3 From 92b90bc4507f412497c3128f0817bd24e2628b1b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 12:53:47 -0400 Subject: add force => true parameter to webapp vcsrepo checkout this should have been added to d669a5fb56acf9101cf677ecbd30bcc47b092cd3 resolve #1722 after the vcsrepo module was updated to handle this, but it wasn't. --- puppet/modules/site_webapp/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f7a4b598..aac48188 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -46,6 +46,7 @@ class site_webapp { vcsrepo { '/srv/leap/webapp': ensure => present, + force => true, revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_web', -- cgit v1.2.3 From e0b591b063d3c49012a4266ee837737758f58dc2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 12:56:43 -0400 Subject: add requirements to the try::file resources normally a file resource would automatically require the parent directory first, but try::file doesn't do this so it has errors if /srv/leap/webapp doesn't exist yet: for example: - [web1] err: /Stage[main]/Site_webapp/Try::File[/srv/leap/webapp/public/img]/Exec[restore_/srv/leap/webapp/public/img]/returns: change from notrun to 0 failed: Working directory '/srv/leap/webapp/public' does not exist that was 'tried' before the vcsrepo was done which would have resolved that problem. This makes sure that the vcsrepo is done first --- puppet/modules/site_webapp/manifests/init.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index aac48188..b01141ae 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -106,19 +106,23 @@ class site_webapp { try::file { '/srv/leap/webapp/public/favicon.ico': - ensure => 'link', - target => $webapp['favicon']; + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['favicon']; '/srv/leap/webapp/app/assets/stylesheets/tail.scss': ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], target => $webapp['tail_scss']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], target => $webapp['head_scss']; '/srv/leap/webapp/public/img': ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], target => $webapp['img_dir']; } -- cgit v1.2.3 From a386d3862a581d502b9611bc9af0e144ac29e4f9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 15:07:08 -0400 Subject: add missing require => on the vcsrepo which could cause these resources to fail --- puppet/modules/site_webapp/manifests/couchdb.pp | 9 +++++--- puppet/modules/site_webapp/manifests/init.pp | 29 +++++++++++++++++-------- 2 files changed, 26 insertions(+), 12 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dd346fd..7858dbfd 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -29,18 +29,21 @@ class site_webapp::couchdb { content => template('site_webapp/couchdb.yml.admin.erb'), owner => leap-webapp, group => leap-webapp, - mode => '0600'; + mode => '0600', + require => Vcsrepo['/srv/leap/webapp']; '/srv/leap-webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, - mode => '0600'; + mode => '0600', + require => Vcsrepo['/srv/leap/webapp']; '/srv/leap-webapp/logs/production.log': owner => leap-webapp, group => leap-webapp, - mode => '0666'; + mode => '0666', + require => Vcsrepo['/srv/leap/webapp']; '/usr/local/sbin/migrate_design_documents': source => 'puppet:///modules/site_webapp/migrate_design_documents', diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 80b7c271..92cf4b25 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
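Review bot: `mode => '0666'` on `/srv/leap-webapp/logs/production.log` makes the application log world-writable, so any local account can truncate it or inject lines into what operators later read as evidence; the line is rewritten here, so tighten it to `mode => '0640'` with `owner`/`group` set to the user the app runs as (presumably `leap-webapp`, matching the `exec` resources elsewhere on this page). Separately, the added `require => Vcsrepo['/srv/leap/webapp']` references the new checkout path while the file titles in this hunk still use `/srv/leap-webapp/...`; this commit is based on the pre-rename tree (index `1dd346fd`), so until it is merged with the path-rename commit the reference may not resolve and the files would live outside the checkout. The same mixed paths appear in the two `site_webapp` init.pp hunks that follow.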
@@ -70,30 +70,37 @@ class site_webapp { file { '/srv/leap-webapp/public/provider.json': content => $provider, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; '/srv/leap-webapp/public/ca.crt': ensure => link, + require => Vcsrepo['/srv/leap/webapp'], target => '/usr/local/share/ca-certificates/leap_api.crt'; "/srv/leap-webapp/public/${api_version}": ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap-webapp/public/${api_version}/config/": ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap-webapp/public/${api_version}/config/eip-service.json": content => $eip_service, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; "/srv/leap-webapp/public/${api_version}/config/soledad-service.json": content => $soledad_service, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; "/srv/leap-webapp/public/${api_version}/config/smtp-service.json": content => $smtp_service, + require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; } 
@@ -102,17 +109,20 @@ class site_webapp { ensure => 'link', target => $webapp['favicon']; - '/srv/leap-webapp/app/assets/stylesheets/tail.scss': - ensure => 'link', - target => $webapp['tail_scss']; + '/srv/leap/webapp/app/assets/stylesheets/tail.scss': + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['tail_scss']; - '/srv/leap-webapp/app/assets/stylesheets/head.scss': - ensure => 'link', - target => $webapp['head_scss']; + '/srv/leap/webapp/app/assets/stylesheets/head.scss': + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['head_scss']; - '/srv/leap-webapp/public/img': - ensure => 'link', - target => $webapp['img_dir']; + '/srv/leap/webapp/public/img': + ensure => 'link', + require => Vcsrepo['/srv/leap/webapp'], + target => $webapp['img_dir']; } file { @@ -121,6 +131,7 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0600', + require => Vcsrepo['/srv/leap/webapp'], notify => Service['apache']; } -- cgit v1.2.3 From 79d5bba4674185b9db06f40b4976ce447bfb2f38 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 22 May 2013 15:05:52 -0400 Subject: pass any require => parameters that are in the try::file resource so dependencies can be satisfied Change-Id: I10d3ebe6a3009ebe01e578ea582d00dc930689ed --- puppet/modules/try/manifests/file.pp | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 406c0b7a..47a8c269 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -18,7 +18,10 @@ define try::file ( file { "$name": ensure => $ensure, target => $target, - require => Exec["check_${name}"], + require => $require ? { + undef => Exec["check_${name}"], + default => [ $require, Exec["check_${name}"] ] + }, loglevel => info; } } 
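Review bot: The selector `default => [ $require, Exec["check_${name}"] ]` is right, but the two exec hunks that follow wrap the forwarded value as `[ $require ]`, which is redundant: `default => $require` passes the same dependency, and nesting a value that may already be an array relies on Puppet flattening relationship metaparameters (which I believe it does, but it reads like a mistake). A short comment above the first selector would save the next reader a trip to the commit log, e.g. `# try::file wraps its file in execs, so the caller's require must be forwarded explicitly`. The `define` body continues outside the hunk.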
@@ -37,6 +40,10 @@ define try::file ( exec { "restore_${name}": command => $command, cwd => $file_dirname, + require => $require ? { + undef => undef, + default => [ $require ] + }, loglevel => info; } } else { @@ -44,6 +51,10 @@ define try::file ( unless => "/usr/bin/test -e '${target}'", command => $command, cwd => $file_dirname, + require => $require ? { + undef => undef, + default => [ $require ] + }, loglevel => info; } } -- cgit v1.2.3 From f96d049c407110fb471199ee73c47db8b7cd474a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 May 2013 22:42:56 +0200 Subject: Install git before vcsrepo call (Feature #2510) --- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 77241df5..7758a69d 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -33,4 +33,7 @@ class site_config::default { # include basic shorewall config include site_shorewall::defaults + + Class['git'] -> Vcsrepo<||> + } -- cgit v1.2.3 From 064195792e264a125b9bd75ff931552af054ecf9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 May 2013 18:53:17 +0200 Subject: include site_couchdb::bigcouch::add_nodes in site_couchdb/manifests/init.pp --- puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 +++++ puppet/modules/site_couchdb/manifests/init.pp | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp new file mode 100644 index 00000000..241a4914 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp 
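Review bot: `Class['git'] -> Vcsrepo<||>` orders every `vcsrepo` in the catalog after a `git` class, but that class is not declared in this hunk; if it is not included elsewhere in the catalog the relationship fails with an unknown-resource error rather than a missing-package error. Either add `include git` next to the chain or a comment naming where the class is declared. The class body continues outside the hunk.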
@@ -0,0 +1,5 @@ +class site_couchdb::bigcouch::add_nodes { + # loop through neighbors array and add nodes + $nodes = $::site_couchdb::bigcouch_config['neighbors'] + couchdb::bigcouch::add_node { $nodes: } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9f4824b4..802f3224 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -33,9 +33,12 @@ class site_couchdb { bigcouch_cookie => $bigcouch_cookie, ednp_port => $ednp_port } - include couchdb::bigcouch::package::cloudant - Service ['couchdb'] + class { 'couchdb::bigcouch::package::cloudant': } + + Class ['couchdb::bigcouch::package::cloudant'] + -> Service ['couchdb'] + -> Class ['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] @@ -47,6 +50,8 @@ class site_couchdb { ca => $ca } + class { 'site_couchdb::bigcouch::add_nodes': } + couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw, -- cgit v1.2.3 From fed63320dc026f8ea1e0f0de250c8008f6f71b7e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 23 May 2013 18:06:00 -0400 Subject: update couchdb submodule to get couchdb::bigcouch::add_node and couchdb::bigcouch::query --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7b6c9a29..20deb065 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 +Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 -- cgit v1.2.3 From e7b927d607e1e3bb02cfb8910d69df5254af5f35 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sun, 26 May 2013 17:11:15 -0400 Subject: update apt submodule, necessary for wheezy release; update apache module to get bugfix Change-Id: I1f5f42bb3b62a5b86de38aed31fdb073626b10af --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..61a2f489 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 +Subproject commit 61a2f4894898baa98dbaaba7b69b7198864ca04a -- cgit v1.2.3 From c92d3ac0780e813a5440c5e475bfdba5de5a0447 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 30 May 2013 17:06:14 -0700 Subject: site_sshd -- added xterm title, optional support for mosh --- puppet/modules/site_config/manifests/sshd.pp | 2 +- puppet/modules/site_sshd/files/xterm-title.sh | 8 +++++ puppet/modules/site_sshd/manifests/init.pp | 42 ++++++++++++++++++++++++++- 3 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_sshd/files/xterm-title.sh (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 944dbce2..8ff337a0 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp 
@@ -2,7 +2,7 @@ class site_config::sshd { # configure sshd include sshd include site_sshd - # no need for configuring authorized_keys as leap_cli cares for that + # no need for configuring authorized_keys as leap_cli cares for that #$ssh_pubkeys=hiera_hash('ssh_pubkeys') #notice($ssh_pubkeys) #create_resources('site_sshd::ssh_key', $ssh_pubkeys) diff --git a/puppet/modules/site_sshd/files/xterm-title.sh b/puppet/modules/site_sshd/files/xterm-title.sh new file mode 100644 index 00000000..3cff0e3a --- /dev/null +++ b/puppet/modules/site_sshd/files/xterm-title.sh @@ -0,0 +1,8 @@ +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' + ;; +*) + ;; +esac diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 630e9bdf..c1c4d3b3 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1 +1,41 @@ -class site_sshd {} +class site_sshd { + $ssh = hiera_hash('ssh') + + ## + ## XTERM TITLE + ## + + file {'/etc/profile.d/xterm-title.sh': + source => "puppet://$server/modules/site_sshd/xterm-title.sh", + owner => root, group => 0, mode => 0644; + } + + ## + ## OPTIONAL MOSH SUPPORT + ## + + $mosh = $ssh['mosh'] + $mosh_ports = $mosh['ports'] + if $ssh['mosh']['enabled'] { + $mosh_ensure = present + } else { + $mosh_ensure = absent + } + + package { 'mosh': + ensure => $mosh_ensure; + } + file { '/etc/shorewall/macro.mosh': + ensure => $mosh_ensure, + content => "PARAM - - udp $mosh_ports", + notify => Service['shorewall'], + require => Package['shorewall']; + } + shorewall::rule { 'net2fw-mosh': + ensure => $mosh_ensure, + source => 'net', + destination => '$FW', + action => 'mosh(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 14bd8cf734fec65d4f1e16bfe64710008bdac174 Mon Sep 17 00:00:00 2001 
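Review bot: `PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'` is bash-specific, yet /etc/profile.d snippets are sourced by every login shell on the box; under dash `echo -ne` does not interpret the flags or the escapes, so the title sequence is printed literally into the session. The snippet also interpolates `${PWD}` into an OSC title sequence unescaped, so a directory name containing control characters ends up interpreted by the terminal, a known (if modest) terminal-injection vector on hosts where untrusted users can create directories. I would guard the file with `[ -n "$BASH_VERSION" ] || return 0` on its first line and build the title with `printf '\033]0;%s@%s: %s\007' "$USER" "$HOSTNAME" "${PWD//[[:cntrl:]]/}"` so control characters are dropped.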
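Review bot: `$mosh = $ssh['mosh']` and `$mosh_ports = $mosh['ports']` are evaluated unconditionally, so a node whose `ssh` hiera hash has no `mosh` key fails catalog compilation even though the commit message calls mosh optional; guarding the whole section with `if $ssh['mosh'] and $ssh['mosh']['enabled'] {` and only reading `ports` inside that branch keeps the default path working. Separately, `content => "PARAM - - udp $mosh_ports"` copies the hiera value into a shorewall macro without any validation, so a malformed or over-broad value silently widens the net→fw rule instead of failing the run; the value should be matched against a port-or-range pattern before it is written. Whether leap_cli already validates this field is not visible from this hunk.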
From: Micah Anderson Date: Sun, 2 Jun 2013 17:44:35 -0400 Subject: lint hosts.pp Change-Id: If10470978ee31a398e0b88d8d98552c93d4706a2 --- puppet/modules/site_config/manifests/hosts.pp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 1e1590f5..83a1040d 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,11 +1,11 @@ class site_config::hosts() { - $hosts = hiera('hosts','') - $hostname = hiera('name') - $domain_hash = hiera('domain') + $hosts = hiera('hosts','') + $hostname = hiera('name') + $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] - file { "/etc/hostname": - ensure => present, + file { '/etc/hostname': + ensure => present, content => $hostname } @@ -16,6 +16,8 @@ class site_config::hosts() { file { '/etc/hosts': content => template('site_config/hosts'), - mode => '0644', owner => root, group => root; + mode => '0644', + owner => root, + group => root; } } -- cgit v1.2.3 From 400dde54f3950ad01d716b664d2ed1a236b8ca42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Jun 2013 15:00:36 -0400 Subject: add a class site_config::shell for shell-related configurations setup a /etc/profile.d configuration snippet to put /srv/leap/bin in the $PATH (#2122) Change-Id: I0afb5232375e6c6d9f692a97243023c710265d54 --- puppet/modules/site_config/manifests/default.pp | 2 ++ puppet/modules/site_config/manifests/shell.pp | 10 ++++++++++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_config/manifests/shell.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 7758a69d..cfb46130 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp 
@@ -36,4 +36,6 @@ class site_config::default { Class['git'] -> Vcsrepo<||> + # include basic shell config + include site_config::shell } diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp new file mode 100644 index 00000000..b1a65389 --- /dev/null +++ b/puppet/modules/site_config/manifests/shell.pp @@ -0,0 +1,10 @@ +class site_config::shell { + + file { + '/etc/profile.d/leap_path.sh': + content => 'PATH=$PATH:/srv/leap/bin', + mode => '0644', + owner => root, + group => root; + } +} -- cgit v1.2.3 From 95d0c71fa4017a7908ccda0adae8057e2115cc42 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 11 Jun 2013 16:33:03 -0700 Subject: use hiera hashes for source data for /etc/hosts --- puppet/modules/site_config/templates/hosts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 00cc6a79..c2522367 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,10 +1,12 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= hostname %>.<%= @domain_public %> <%= hostname %> +127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> -<%- if hosts.to_s != '' then -%> -<%= hosts %> +<%- if @hosts then -%> +<% @hosts.each do |name, props| -%> +<%= props["ip_address"] %> <%= props["domain_full"] %>, <%= props["domain_internal"] %>, <%= name %> +<% end -%> <% end -%> # The following lines are desirable for IPv6 capable hosts -- cgit v1.2.3 From 722ff7da46de4e656b3a110a65b9ccaa57f82898 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 11 Jun 2013 23:22:57 -0700 Subject: /etc/hosts must not have commas!! --- puppet/modules/site_config/templates/hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c2522367..2c784b05 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -5,7 +5,7 @@ <%- if @hosts then -%> <% @hosts.each do |name, props| -%> -<%= props["ip_address"] %> <%= props["domain_full"] %>, <%= props["domain_internal"] %>, <%= name %> +<%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> <% end -%> <% end -%> -- cgit v1.2.3 From d10240be7ac7116e86cee32f5b8d5b90768e7094 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 12 Jun 2013 14:01:24 -0400 Subject: webapp should be available over http so a proper redirect can be done to https without this rule, one just gets a 'site is unavailable' result Change-Id: I27b80a0044e9fe4e87e607412c8d0a089d4866a6 --- puppet/modules/site_shorewall/manifests/webapp.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index d12bbc8f..a8d2aa5b 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -2,5 +2,6 @@ class site_shorewall::webapp { include site_shorewall::defaults include site_shorewall::service::https + include site_shorewall::service::http include site_shorewall::service::webapp_api } -- cgit v1.2.3 From 086439b2676a763d4414ea3f2ef80fb0daaba088 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 12 Jun 2013 14:45:31 -0400 Subject: update apache submodule to get ssl no_default_site fix. I previously accidentally reverted this change Change-Id: Iebc041cf6fb54b79d75eeabd27410ad953b8e340 --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 
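Review bot: `include site_shorewall::service::http` opens port 80 from `net`, and the commit justifies it with a redirect to HTTPS, but the redirect itself is not part of this change and the vhost configuration is not visible here; if the vhost ever serves the application on port 80, or a later template edit drops the redirect, this rule becomes a plaintext path to the login form. Worth pinning the intent next to the include, e.g. `# port 80 is open only so Apache can redirect to https; the vhost must never serve content here`, and ideally sending HSTS from the https vhost so browsers stop using the port after the first visit.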
--- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 From 03cb737490a12813b63801bbf9198e7e4a91a37b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 13 Jun 2013 16:54:56 -0400 Subject: install the leap-keyring package, after the leap apt source has been added and apt has been refreshed Change-Id: I485420c4ea50f8c3f6699b9b8073dc6c67b7a353 --- puppet/modules/site_apt/manifests/leap_repo.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 9d967841..6b3d9919 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,4 +4,11 @@ class site_apt::leap_repo { before => Exec[refresh_apt] } + package { 'leap-keyring': + ensure => latest + } + + # We wont be able to install the leap-keyring package unless the leap apt + # source has been added and apt has been refreshed + Exec['refresh_apt'] -> Package['leap-keyring'] } -- cgit v1.2.3 From 8ee0d3af919b169e1cb096a777beff68dbeb61d3 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Jun 2013 20:47:46 +0200 Subject: automatic update of submodule stunnel --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 75d387fc..1a12adc9 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 +Subproject commit 1a12adc97d70224a0e750c6ab8a41073ced72d2b -- cgit v1.2.3 From d9614163ed327fc17d27ac623dfd639ce00a43ce Mon Sep 17 00:00:00 2001 
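Review bot: `package { 'leap-keyring': ensure => latest }` installs the repository's signing keyring from the very repository it is meant to authenticate, so the ordering `Exec['refresh_apt'] -> Package['leap-keyring']` only verifies anything if the deb.leap.se key is already trusted by apt before the first run; otherwise `apt-get update` warns and the install is either refused as unauthenticated or, depending on apt settings, pulled in unverified. The bootstrap key has to be seeded out of band (a custom key dir or a pinned fingerprint) and that resource should also be ordered before `Exec['refresh_apt']`. Where that key comes from is not visible in this hunk, so a comment such as `# the deb.leap.se signing key must already be in apt's trusted keyring for this install to verify` would make the assumption explicit.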
From: Micah Anderson Date: Wed, 19 Jun 2013 13:41:23 -0400 Subject: disable dhclient from modifying the /etc/resolv.conf file on openstack/amazon instances The dhclient in these environments is quite aggressive and overwrites the nameservers we've deliberately chosen to use with google's nameservers. This commit attempts to fix that. The dhclient methodology for altering these things is particularly unpleasant. We effectively redefine the functions that mess with this file to be noops in the /etc/dhcp/dhclient-enter-hooks.d directory and then we are forced to restart dhclient by shipping a script that tries to determine the correct PID and arguments that it was running as before killing and restarting it with the same arguments. See debian bugs #681698, #712796 for further discussion about how to make this less difficult Change-Id: I51cf40cf98eaddcefd8180e157b6e3ca824173f0 --- puppet/modules/site_config/manifests/default.pp | 6 ++++- puppet/modules/site_config/manifests/dhclient.pp | 30 ++++++++++++++++++++++ .../site_config/templates/reload_dhclient.erb | 13 ++++++++++ 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/dhclient.pp create mode 100644 puppet/modules/site_config/templates/reload_dhclient.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index cfb46130..5518ea56 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,10 +12,14 @@ class site_config::default { # configure apt include site_apt - # configure ssh and include ssh-keys include site_config::sshd + # fix dhclient from changing resolver information + if $::ec2_instance_id { + include site_config::dhclient + } + # configure /etc/resolv.conf include site_config::resolvconf 
diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp new file mode 100644 index 00000000..7ac0caf3 --- /dev/null +++ b/puppet/modules/site_config/manifests/dhclient.pp @@ -0,0 +1,30 @@ +class site_config::dhclient { + + # Unfortunately, there does not seem to be a way to reload the dhclient.conf + # config file, or a convenient way to disable the modifications to + # /etc/resolv.conf. So the following makes the functions involved noops and + # ships a script to kill and restart dhclient. See the debian bugs: + # #681698, #712796 + + include site_config::params + + file { '/usr/local/sbin/reload_dhclient': + owner => 0, + group => 0, + mode => '0755', + content => template('site_config/reload_dhclient.erb'); + } + + exec { 'reload_dhclient': + refreshonly => true, + command => '/usr/local/sbin/reload_dhclient'; + } + + file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf': + content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }', + mode => '0644', + owner => 'root', + group => 'root', + notify => Exec['reload_dhclient']; + } +} diff --git a/puppet/modules/site_config/templates/reload_dhclient.erb b/puppet/modules/site_config/templates/reload_dhclient.erb new file mode 100644 index 00000000..882c985a --- /dev/null +++ b/puppet/modules/site_config/templates/reload_dhclient.erb @@ -0,0 +1,13 @@ +#!/bin/sh + +# Get the PID +PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid + +# Capture how dhclient is currently running so we can relaunch it +dhclient=`/bin/ps --no-headers --pid $(cat $PIDFILE) -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ", $i) }'` + +# Kill the current dhclient +/usr/bin/pkill -F $PIDFILE + +# Restart dhclient with the arguments it had previously +$dhclient -- cgit v1.2.3 From e085e66f0f1c045b0282f738f4501e7a1d2fd301 Mon Sep 17 00:00:00 2001 
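Review bot: `reload_dhclient` kills and re-executes whatever `ps -f` prints for the PID in `$PIDFILE` without checking that the pidfile exists or that the lookup succeeded; if the file is missing, `$(cat $PIDFILE)` is empty, `pkill -F` fails, and `$dhclient` expands to an empty command, so the refresh returns non-zero and dhclient is left either running with the old hooks or not running at all. Parsing columns 8..NF of `ps -f` output is also fragile and word-splits the reconstructed command line on whitespace. I would add `[ -r "$PIDFILE" ] || exit 0` after the assignment and replace the awk pipeline with `dhclient=$(/bin/ps -o args= -p "$(cat "$PIDFILE")")`; the unterminated quote on the `PIDFILE=` line is a separate bug.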
From: Micah Anderson Date: Thu, 20 Jun 2013 12:03:34 -0400 Subject: We need to have a newer facter installed in order to get an updated fact for piston cloud This moves the apt configuration into the setup.pp run, so we can get the backport source added early which will enable us to install the latest facter from the backports repository. Change-Id: I8ccf1a0445dea72f1b94be08484f33e648439ec1 --- puppet/modules/site_apt/manifests/init.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c5f37014..c33b7a84 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -23,4 +23,9 @@ class site_apt { content => template('site_apt/secondary.list'); } + apt::preferences_snippet { 'facter': + release => "${::lsbdistcodename}-backports", + priority => 999 + } + } -- cgit v1.2.3 From f2f4b3cfc2ad70e649da42ef82cca7c2e1d73096 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Jun 2013 00:02:19 +0200 Subject: Install all packages after refresh_apt (Feature #2971) --- puppet/modules/site_apt/manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c33b7a84..0da7f3be 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -28,4 +28,12 @@ class site_apt { priority => 999 } + # All packages should be installed _after_ refresh_apt is called, + # which does an apt-get update. + # There is one exception: + # The creation of sources.list depends on the lsb package + + File['/etc/apt/preferences'] -> + Exec['refresh_apt'] + Package <| ( title != 'lsb' ) |> } -- cgit v1.2.3 From e61c7dfe1aa0ba4b5fc5fef2fd64d9fb2f1d2784 Mon Sep 17 00:00:00 2001 
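Review bot: `Package <| ( title != 'lsb' ) |>` is a collector, and a collector used in a chain realizes every matching virtual `@package` resource as a side effect, so this line can silently pull in packages that were declared virtual elsewhere and were not meant for this node. The ordering goal is sound, but the side effect belongs in the comment above it, e.g. `# NOTE: this collector also realizes any virtual Package resources (except lsb)`, so that anyone adding `@package` declarations to the tree knows they will be installed everywhere. Whether any such virtual packages exist today is not visible from this hunk.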
From: varac Date: Tue, 25 Jun 2013 17:38:13 +0200 Subject: updated apt submodule, remove unnecessary before dependency on the /etc/apt/preferences file in unattended_upgrades.pp --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index 61a2f489..f11e3d47 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 61a2f4894898baa98dbaaba7b69b7198864ca04a +Subproject commit f11e3d475345059220402a44a97da491c85d2b5a -- cgit v1.2.3 From ad48e4616e438c94122b144009f54651408387aa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 25 Jun 2013 12:23:19 -0400 Subject: fix preferences description for Debian squeeze Change-Id: I30ca424bd9b89b3e95532e325828982e8e513fc7 --- puppet/modules/site_apt/templates/preferences.include_squeeze | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/templates/preferences.include_squeeze b/puppet/modules/site_apt/templates/preferences.include_squeeze index d10c2864..d6d36b60 100644 --- a/puppet/modules/site_apt/templates/preferences.include_squeeze +++ b/puppet/modules/site_apt/templates/preferences.include_squeeze @@ -13,7 +13,7 @@ Package: * Pin: release o=Debian,n=sid Pin-Priority: 1 -Explanation: De +Explanation: Debian squeeze Package: * Pin: release o=Debian,n=squeeze Pin-Priority: 980 -- cgit v1.2.3 From 89ad90073b5289da62eed74c8794e2911672081f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 25 Jun 2013 15:51:37 -0400 Subject: fix for #2986 - the services variable is no longer an array Change-Id: Ia6fc60c0c1fdfa50e1d6d981699c1d8010df63fc --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3055a7bb..4b051699 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -36,7 +36,7 @@ PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp - <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> + <% if (defined? @services) and (@services.include? 'monitor') -%> PassengerEnabled off AllowOverride all -- cgit v1.2.3 From 4b5b54d031344aa7a7b86254c820e391a4d4d762 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 25 Jun 2013 17:05:11 -0400 Subject: update the apt submodule in order to get the fix for unattended_upgrades (#2984) and the custom_key_dir as a class parameter remove the global variable from setup.pp and site.pp and instead pass it into the apt class declaration as a parameter Change-Id: I24806f2fd22b5a066b951c5f76f3dd748481b5b6 --- puppet/modules/apt | 2 +- puppet/modules/site_apt/manifests/init.pp | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index f11e3d47..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit f11e3d475345059220402a44a97da491c85d2b5a +Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 0da7f3be..8821c110 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
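Review bot: with `@services` now a scalar rather than an array, `@services.include? 'monitor'` becomes a substring test, so a value such as `monitoring` or `webapp-monitor` would also disable Passenger for this vhost. If the variable holds a single service name the exact check is `@services == 'monitor'`; if it can hold several, split on the delimiter first, e.g. `@services.to_s.split(/[,\s]+/).include?('monitor')`. The actual format of the value is not visible from this hunk.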
@@ -8,7 +8,10 @@ class site_apt { } else { $custom_preferences = '' } - class {'apt': custom_preferences => $custom_preferences } + class { 'apt': + custom_preferences => $custom_preferences, + custom_key_dir => 'puppet:///modules/site_apt/keys' + } # enable http://deb.leap.se debian package repository include site_apt::leap_repo -- cgit v1.2.3 From e6bd481933bd4104fb7839703c88de971559d3db Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Jun 2013 10:52:54 +0200 Subject: added site_sshd::authorized_keys --- puppet/modules/site_sshd/manifests/authorized_keys.pp | 6 ++++++ puppet/modules/site_sshd/manifests/authorized_keys/key.pp | 8 ++++++++ puppet/modules/site_sshd/manifests/init.pp | 3 +++ puppet/modules/site_sshd/manifests/ssh_key.pp | 3 --- 4 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_sshd/manifests/authorized_keys.pp create mode 100644 puppet/modules/site_sshd/manifests/authorized_keys/key.pp delete mode 100644 puppet/modules/site_sshd/manifests/ssh_key.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp new file mode 100644 index 00000000..edd6e3c4 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -0,0 +1,6 @@ +class site_sshd::authorized_keys { + tag 'leap_authorized_keys' + + create_resources(site_sshd::authorized_keys::key, $site_sshd::ssh_authorized_keys) + +} diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp new file mode 100644 index 00000000..56271cdc --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp @@ -0,0 +1,8 @@ +define site_sshd::authorized_keys::key ($key, $type) { + ssh_authorized_key { + $name: + type => $type, + user => 'root', + key => $key + } +} 
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index c1c4d3b3..714c0c5a 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,8 @@ class site_sshd { $ssh = hiera_hash('ssh') + $ssh_authorized_keys = $ssh['authorized_keys'] + + include site_sshd::authorized_keys ## ## XTERM TITLE diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp deleted file mode 100644 index b47b2ebd..00000000 --- a/puppet/modules/site_sshd/manifests/ssh_key.pp +++ /dev/null @@ -1,3 +0,0 @@ -define site_sshd::ssh_key($key) { - # ... todo: deploy ssh_key -} -- cgit v1.2.3 From 3b6f11a60778d5cb3ae265980e4e4870bf065de2 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Fri, 28 Jun 2013 12:11:32 -0400 Subject: modularize and standardize site_sshd: . move the setting of the xterm title to site_config::shell . change the xterm file resource to use standard source lines, switch to single quotes, quote mode, and line up parameters . move the mosh pieces into a site_ssh::mosh class and only include it if the right mosh variable is enabled, passing into the class the necessary hiera parameters . lint the site_ssh::mosh resources . change the authorized_keys class to accept the key parameter which is passed in from the main ssh class (but allow for out of scope variable lookup when the tag is passed) Change-Id: Ieec5a3932de9bad1b98633032b28f88e91e46604 --- puppet/modules/site_config/files/xterm-title.sh | 8 +++++ puppet/modules/site_config/manifests/shell.pp | 12 +++++++ puppet/modules/site_sshd/files/xterm-title.sh | 8 ----- .../modules/site_sshd/manifests/authorized_keys.pp | 4 +-- puppet/modules/site_sshd/manifests/init.pp | 41 ++++++++-------------- puppet/modules/site_sshd/manifests/mosh.pp | 21 +++++++++++ 6 files changed, 57 insertions(+), 37 deletions(-) create mode 100644 puppet/modules/site_config/files/xterm-title.sh delete mode 100644 puppet/modules/site_sshd/files/xterm-title.sh create mode 100644 puppet/modules/site_sshd/manifests/mosh.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/files/xterm-title.sh b/puppet/modules/site_config/files/xterm-title.sh new file mode 100644 index 00000000..3cff0e3a --- /dev/null +++ b/puppet/modules/site_config/files/xterm-title.sh @@ -0,0 +1,8 @@ +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' + ;; +*) + ;; +esac diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp index b1a65389..5b8c025d 100644 --- a/puppet/modules/site_config/manifests/shell.pp 
+++ b/puppet/modules/site_config/manifests/shell.pp @@ -7,4 +7,16 @@ class site_config::shell { owner => root, group => root; } + + ## + ## XTERM TITLE + ## + + file { '/etc/profile.d/xterm-title.sh': + source => 'puppet:///modules/site_config/xterm-title.sh', + owner => root, + group => 0, + mode => '0644'; + } + } diff --git a/puppet/modules/site_sshd/files/xterm-title.sh b/puppet/modules/site_sshd/files/xterm-title.sh deleted file mode 100644 index 3cff0e3a..00000000 --- a/puppet/modules/site_sshd/files/xterm-title.sh +++ /dev/null @@ -1,8 +0,0 @@ -# If this is an xterm set the title to user@host:dir -case "$TERM" in -xterm*|rxvt*) - PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' - ;; -*) - ;; -esac diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index edd6e3c4..8e0c15ac 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,6 +1,6 @@ -class site_sshd::authorized_keys { +class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) { tag 'leap_authorized_keys' - create_resources(site_sshd::authorized_keys::key, $site_sshd::ssh_authorized_keys) + create_resources(site_sshd::authorized_keys::key, $keys) } diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 714c0c5a..905d5c9b 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
@@ -1,16 +1,14 @@ class site_sshd { $ssh = hiera_hash('ssh') - $ssh_authorized_keys = $ssh['authorized_keys'] - - include site_sshd::authorized_keys ## - ## XTERM TITLE + ## SETUP AUTHORIZED KEYS ## - file {'/etc/profile.d/xterm-title.sh': - source => "puppet://$server/modules/site_sshd/xterm-title.sh", - owner => root, group => 0, mode => 0644; + $authorized_keys = $ssh['authorized_keys'] + + class { 'site_sshd::authorized_keys': + keys => $authorized_keys } ## @@ -18,27 +16,16 @@ class site_sshd { ## $mosh = $ssh['mosh'] - $mosh_ports = $mosh['ports'] - if $ssh['mosh']['enabled'] { - $mosh_ensure = present - } else { - $mosh_ensure = absent - } - package { 'mosh': - ensure => $mosh_ensure; - } - file { '/etc/shorewall/macro.mosh': - ensure => $mosh_ensure, - content => "PARAM - - udp $mosh_ports", - notify => Service['shorewall'], - require => Package['shorewall']; + if $mosh['enabled'] { + class { 'site_sshd::mosh': + ensure => present, + ports => $mosh['ports'] + } } - shorewall::rule { 'net2fw-mosh': - ensure => $mosh_ensure, - source => 'net', - destination => '$FW', - action => 'mosh(ACCEPT)', - order => 200; + else { + class { 'site_sshd::mosh': + ensure => absent + } } } diff --git a/puppet/modules/site_sshd/manifests/mosh.pp b/puppet/modules/site_sshd/manifests/mosh.pp new file mode 100644 index 00000000..49f56ca0 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/mosh.pp @@ -0,0 +1,21 @@ +class site_sshd::mosh ( $ensure = present, $ports = '60000-61000' ) { + + package { 'mosh': + ensure => $ensure + } + + file { '/etc/shorewall/macro.mosh': + ensure => $ensure, + content => "PARAM - - udp ${ports}", + notify => Service['shorewall'], + require => Package['shorewall']; + } + + shorewall::rule { 'net2fw-mosh': + ensure => $ensure, + source => 'net', + destination => '$FW', + action => 'mosh(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 6c34c73f7e4c5203321547b699c6eaba9de8e2fe Mon Sep 17 00:00:00 2001 
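Review bot: `content => "PARAM - - udp ${ports}"` writes the hiera-supplied port range straight into a shorewall macro, so a malformed or over-broad value (`1-65535`, or text shorewall parses as additional columns) silently widens the firewall rule rather than failing the run. Validate before use, e.g. `validate_re($ports, '^\d+([:-]\d+)?$', 'mosh ports must be a port or a port range')` if puppetlabs-stdlib is available, otherwise a `=~` match with `fail()`. Note also that shorewall documents port ranges as `low:high`; the default `'60000-61000'` uses a dash, so confirm the installed shorewall version accepts that form before relying on it.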
From: varac Date: Thu, 27 Jun 2013 10:52:54 +0200 Subject: switch to own define for managing ssh keys The problem with puppet's built-in ssh_authorized_key is that you can purge unmanaged keys in a authorized_keys file. see https://leap.se/code/issues/3010 for details. Conflicts: puppet/modules/site_sshd/manifests/authorized_keys.pp Change-Id: I640bf7ebc0f0f7fb19cc46feb4cb2702d6561a9b --- .../modules/site_sshd/manifests/authorized_keys.pp | 23 +++++++++++++++++----- .../site_sshd/manifests/authorized_keys/key.pp | 8 -------- .../site_sshd/manifests/deploy_authorized_keys.pp | 9 +++++++++ puppet/modules/site_sshd/manifests/init.pp | 2 +- .../site_sshd/templates/authorized_keys.erb | 6 ++++++ 5 files changed, 34 insertions(+), 14 deletions(-) delete mode 100644 puppet/modules/site_sshd/manifests/authorized_keys/key.pp create mode 100644 puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp create mode 100644 puppet/modules/site_sshd/templates/authorized_keys.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index 8e0c15ac..c18f691c 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp 
@@ -1,6 +1,19 @@ -class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) { - tag 'leap_authorized_keys' - - create_resources(site_sshd::authorized_keys::key, $keys) - +define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { + # This line allows default homedir based on $title variable. + # If $home is empty, the default is used. + $homedir = $home ? {'' => "/home/${title}", default => $home} + file { + "${homedir}/.ssh": + ensure => 'directory', + owner => $title, + group => $title, + mode => '0700'; + "${homedir}/.ssh/authorized_keys": + ensure => $ensure, + owner => $ensure ? {'present' => $title, default => undef }, + group => $ensure ? {'present' => $title, default => undef }, + mode => '0600', + require => File["${homedir}/.ssh"], + content => template('site_sshd/authorized_keys.erb'); + } } diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp deleted file mode 100644 index 56271cdc..00000000 --- a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp +++ /dev/null @@ -1,8 +0,0 @@ -define site_sshd::authorized_keys::key ($key, $type) { - ssh_authorized_key { - $name: - type => $type, - user => 'root', - key => $key - } -} diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp new file mode 100644 index 00000000..97ca058f --- /dev/null +++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp @@ -0,0 +1,9 @@ +class site_sshd::deploy_authorized_keys ( $keys ) { + tag 'leap_authorized_keys' + + site_sshd::authorized_keys {'root': + keys => $keys, + home => '/root' + } + +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 905d5c9b..90dd2d0e 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
@@ -7,7 +7,7 @@ class site_sshd { $authorized_keys = $ssh['authorized_keys'] - class { 'site_sshd::authorized_keys': + class { 'site_sshd::deploy_authorized_keys': keys => $authorized_keys } diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb new file mode 100644 index 00000000..3c65e8ab --- /dev/null +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -0,0 +1,6 @@ +# NOTICE: This file is autogenerated by Puppet +# all manually added keys will be overridden + +<% keys.sort.each do |user, hash| -%> +<%=hash['type']-%> <%=hash['key']%> <%=user%> +<% end -%> -- cgit v1.2.3 From 1d91ef608855059dbb7938dbd59adf2f70220139 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 30 Jun 2013 19:35:32 -0400 Subject: Fix 'Failed to call refresh: /usr/local/sbin/reload_dhclient returned 2 instead of one of [0]' by putting in the missing closing single quote. Change-Id: I86feb5d06dd25e28ea67da0b5627e7be4174e01e --- puppet/modules/site_config/templates/reload_dhclient.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/templates/reload_dhclient.erb b/puppet/modules/site_config/templates/reload_dhclient.erb index 882c985a..075828b7 100644 --- a/puppet/modules/site_config/templates/reload_dhclient.erb +++ b/puppet/modules/site_config/templates/reload_dhclient.erb @@ -1,7 +1,7 @@ #!/bin/sh # Get the PID -PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid +PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid' # Capture how dhclient is currently running so we can relaunch it dhclient=`/bin/ps --no-headers --pid $(cat $PIDFILE) -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ", $i) }'` -- cgit v1.2.3 From 9a522267068a1bcede55ba388d526ddc263d155f Mon Sep 17 00:00:00 2001 
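Review bot: Each entry's `hash['type']` and `hash['key']` are written verbatim and unchecked in the new authorized_keys.erb: an entry missing either field yields a line such as `ssh-rsa  alice` that sshd ignores, and a value containing a newline would be emitted as additional authorized_keys lines, so the "all manually added keys will be overridden" guarantee in the header only holds for well-formed hiera data. Rejecting incomplete entries at generation time keeps the file's security property intact, e.g. `<% raise "ssh key '#{user}' needs both type and key" unless hash['type'] && hash['key'] -%>` inside the loop before the output line. The `user` hash key doubles as the key comment, which is useful for audit; a short template comment saying so would help the next reader.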
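Review bot: The quote fix in reload_dhclient.erb makes `PIDFILE` well-formed, but the following line still runs `$(cat $PIDFILE)` with no check that the file exists: when dhclient is not running, `cat` fails, `ps --pid` is invoked without an argument and `$dhclient` ends up empty, so whatever the script does with it later (outside this hunk, presumably a relaunch) runs with an empty command line. A guard before the ps line such as `[ -r "$PIDFILE" ] || { echo "no dhclient pidfile" >&2; exit 1; }` makes the refresh fail loudly instead, and `$PIDFILE` should be quoted inside the `$(...)`. The script continues past the hunk.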
From: Micah Anderson Date: Fri, 28 Jun 2013 11:28:13 -0400 Subject: restart stunnels if /etc/hosts is changed (#3031) Due to the fact that /etc/hosts is modified in the early stage setup.pp run and the stunnel service is not deployed on an initial puppet run, we cannot simply override the Service['stunnel'] but instead need to trigger a restart through an exec calling the init script that first tests to see if it is present. Change-Id: I6bf5dfece9ecbdb8319747774185dec50d5a55f6 --- puppet/modules/site_config/manifests/hosts.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 83a1040d..ccedf036 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -14,6 +14,17 @@ class site_config::hosts() { refreshonly => true; } + # we depend on reliable hostnames from /etc/hosts for the stunnel services + # so restart stunnel service when /etc/hosts is modified + # because this is done in an early stage, the stunnel module may not + # have been deployed and will not be available for overriding, so + # this is handled in an unorthodox manner + exec { '/etc/init.d/stunnel4 restart': + subscribe => File['/etc/hosts'], + refreshonly => true, + onlyif => 'test -f /etc/init.d/stunnel4'; + } + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', -- cgit v1.2.3 From 57b2c01c42cc47901bc39504bd5e776a7e3a9c6d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Jul 2013 16:44:56 +0200 Subject: deleted bind9 purging, it was only needed for the transition from bind to unbound --- puppet/modules/site_config/manifests/resolvconf.pp | 11 ----------- 1 file changed, 11 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index d73f0b78..271c5043 100644 
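Review bot: `onlyif => 'test -f /etc/init.d/stunnel4'` is not a fully qualified command; Puppet's exec rejects unqualified commands unless a `path` is set on the resource or through an `Exec { path => ... }` default, which is not visible here, so this likely fails catalog application unless such a default exists elsewhere. Using `onlyif => '/usr/bin/test -f /etc/init.d/stunnel4',` (or adding `path`) removes the dependency on that default. With `refreshonly => true` plus `subscribe => File['/etc/hosts']` the restart fires only on an actual content change, which is the right behaviour for a service that other components rely on; a comment on the resource stating that, e.g. `# refreshonly: restart only when /etc/hosts content actually changes`, makes the intent explicit. The class site_config::hosts starts before the hunk and the File['/etc/hosts'] resource runs past it.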
--- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -1,16 +1,5 @@ class site_config::resolvconf { - # bind9 purging can be taken out after some time - package { 'bind9': - ensure => absent, - } - file { '/etc/default/bind9': - ensure => absent; - } - file { '/etc/bind/named.conf.options': - ensure => absent; - } - $domain_public = $site_config::default::domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind -- cgit v1.2.3 From 0d6694a0ee00be0f35b18025d86883cf3d4e4a7d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Jul 2013 12:44:44 -0400 Subject: create a site_config subclass for package installation and removal add packages that we want to make sure are installed remove packages that were found on vagrant and PC installations that have no business being there Change-Id: I4887a327ca89eb60945ad817a75ff199859824d3 --- .../modules/site_config/manifests/base_packages.pp | 28 ++++++++++++++++++++++ puppet/modules/site_config/manifests/default.pp | 5 ++-- 2 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_config/manifests/base_packages.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp new file mode 100644 index 00000000..3d40f7a2 --- /dev/null +++ b/puppet/modules/site_config/manifests/base_packages.pp 
@@ -0,0 +1,28 @@ +class site_config::base_packages { + + # base set of packages that we want to have installed everywhere + package { [ 'etckeeper', 'screen', 'less' ]: + ensure => installed, + } + + # base set of packages that we want to remove everywhere + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', + 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', + 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', + 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', + 'x11-utils', 'xterm' ]: + ensure => absent; + } + + if $::virtual == 'virtualbox' { + $virtualbox_ensure = present + } else { + $virtualbox_ensure = absent + } + + package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $virtualbox_ensure + } +} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 5518ea56..00eee9d0 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -31,9 +31,8 @@ class site_config::default { stage => setup, } - package { [ 'etckeeper' ]: - ensure => installed, - } + # install/remove base packages + include site_config::base_packages # include basic shorewall config include site_shorewall::defaults -- cgit v1.2.3 From 373002ee2b7b5373a1ab2f3a1f289bd722ec0d91 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Jul 2013 16:45:16 -0400 Subject: update stunnel submodule to fix refresh bug #3013 Change-Id: I9ed218d9353c05b34d34c363a6a3f10d54b3a60a --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 1a12adc9..fc1589a5 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel 
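Review bot: The third `package` block carries no comment on why the full toolchain (`build-essential`, `gcc`, `g++`, `cpp`, `libc6-dev`) is kept only when `$::virtual == 'virtualbox'` and purged everywhere else; removing compilers from production hosts is a deliberate attack-surface reduction and should be stated next to the resource, e.g. `# compilers are kept only on virtualbox guests (presumably for guest-additions builds); removed elsewhere to shrink the attack surface`. The release-pinned names `gcc-4.6`, `gcc-4.7`, `g++-4.7`, `cpp-4.6`, `cpp-4.7` will silently stop matching on a newer Debian release, at which point the `absent` branch leaves newer compiler versions untouched; a comment naming the release they target, or relying on the unversioned metapackages alone, keeps the intent durable. The file also mixes `ensure => installed` with bareword `present`/`absent`; one form throughout would read better.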
@@ -1 +1 @@ -Subproject commit 1a12adc97d70224a0e750c6ab8a41073ced72d2b +Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc -- cgit v1.2.3 From 7cbc4d41e35fec9dc0192cc3caf11803b562c06d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 4 Jul 2013 16:35:51 -0400 Subject: more robust openvpn restarting this ensures that an actual restart is run on the service when config files are added or removed, instead of relying on the status parameter of the initscript, which can be confused if config files are removed out from under it Change-Id: I1c69fff26933338b707acf7dc4593547f32f92e3 --- puppet/modules/site_openvpn/manifests/init.pp | 9 +++++++++ puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 685871bd..4f900623 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -127,6 +127,13 @@ class site_openvpn { subscribe => File['/usr/local/bin/add_gateway_ips.sh'], } + exec { 'restart_openvpn': + command => '/etc/init.d/openvpn restart', + refreshonly => true, + subscribe => File['/etc/openvpn'], + require => [ Package['openvpn'], File['/etc/openvpn'] ]; + } + cron { 'add_gateway_ips.sh': command => '/usr/local/bin/add_gateway_ips.sh', user => 'root', @@ -142,6 +149,7 @@ class site_openvpn { 'openvpn': ensure => installed; } + service { 'openvpn': ensure => running, @@ -153,6 +161,7 @@ class site_openvpn { file { '/etc/openvpn': ensure => directory, + notify => Exec['restart_openvpn'], require => Package['openvpn']; } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index a2e769e1..6106cfbb 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
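Review bot: The relationship between `File['/etc/openvpn']` and `Exec['restart_openvpn']` is declared twice in the init.pp hunks — `subscribe => File['/etc/openvpn']` on the exec in the first hunk and `notify => Exec['restart_openvpn']` on the file in the third — so one of them should go; `subscribe` on the exec is sufficient, and keeping both invites drift when one side is edited later. A `file` resource with `ensure => directory` and no `recurse` only refreshes on changes to the directory itself, not to files inside it, so the per-config `notify` in server_config.pp is what actually drives restarts; a comment on the exec saying so saves the next reader that investigation, e.g. `# refreshed per config by site_openvpn::server_config; the directory subscribe only covers its creation`. The class site_openvpn extends beyond each hunk.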
@@ -65,7 +65,7 @@ define site_openvpn::server_config( mode => 644, warn => true, require => File['/etc/openvpn'], - notify => Service['openvpn']; + notify => Exec['restart_openvpn']; } if $tls_remote != undef { -- cgit v1.2.3 From 672154a8322901b86c9882854234eae53221a38e Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 6 Jul 2013 22:59:50 -0700 Subject: site_webapp -- make bundler not install test-only or development-only gems. --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1dfe6936..e743dc07 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -52,7 +52,7 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"', unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, -- cgit v1.2.3
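Review bot: `bundle install --path vendor/bundle --without test development` still lets bundler re-resolve dependencies when Gemfile.lock is absent or stale, so the gem set that lands on the host is not pinned to what was reviewed; if the webapp checkout ships a Gemfile.lock, `--deployment` (which implies `--path vendor/bundle` and refuses to run without a committed lockfile) makes the install reproducible: `command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --deployment --without test development"',`. The `bundle check ||` inside the command duplicates the `unless => '/usr/bin/bundle check'` guard on the resource; one of them is enough. The exec resource and the class site_webapp continue past the hunk.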