summaryrefslogtreecommitdiff
path: root/puppet/modules/site_couchdb/manifests/stunnel.pp
blob: 91f1e3aaf4a7867ed191ab16dbc8cb43d91890ef (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
class site_couchdb::stunnel {

  $stunnel              = hiera('stunnel')

  $couch_server         = $stunnel['couch_server']
  $couch_server_accept  = $couch_server['accept']
  $couch_server_connect = $couch_server['connect']

  # Erlang Port Mapper Daemon (epmd) stunnel server/clients
  $epmd_server          = $stunnel['epmd_server']
  $epmd_server_accept   = $epmd_server['accept']
  $epmd_server_connect  = $epmd_server['connect']
  $epmd_clients         = $stunnel['epmd_clients']

  # Erlang Distributed Node Protocol (ednp) stunnel server/clients
  $ednp_server          = $stunnel['ednp_server']
  $ednp_server_accept   = $ednp_server['accept']
  $ednp_server_connect  = $ednp_server['connect']
  $ednp_clients         = $stunnel['ednp_clients']



  include site_config::x509::cert
  include site_config::x509::key
  include site_config::x509::ca

  include x509::variables
  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"

  # setup a stunnel server for the webapp to connect to couchdb
  stunnel::service { 'couch_server':
    accept     => $couch_server_accept,
    connect    => $couch_server_connect,
    client     => false,
    cafile     => $ca_path,
    key        => $key_path,
    cert       => $cert_path,
    verify     => '2',
    pid        => '/var/run/stunnel4/couchserver.pid',
    rndfile    => '/var/lib/stunnel4/.rnd',
    debuglevel => '4',
    require    => [
      Class['Site_config::X509::Key'],
      Class['Site_config::X509::Cert'],
      Class['Site_config::X509::Ca'] ];
  }


  # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
  # bigcouch clustering between each bigcouchdb node
  stunnel::service { 'epmd_server':
    accept     => $epmd_server_accept,
    connect    => $epmd_server_connect,
    client     => false,
    cafile     => $ca_path,
    key        => $key_path,
    cert       => $cert_path,
    verify     => '2',
    pid        => '/var/run/stunnel4/epmd_server.pid',
    rndfile    => '/var/lib/stunnel4/.rnd',
    debuglevel => '4',
    require    => [
      Class['Site_config::X509::Key'],
      Class['Site_config::X509::Cert'],
      Class['Site_config::X509::Ca'] ];
  }

  # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
  # to the above epmd stunnel server.
  $epmd_client_defaults = {
    'client'       => true,
    'cafile'       => $ca_path,
    'key'          => $key_path,
    'cert'         => $cert_path,
  }

  create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)

  # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
  # for bigcouch clustering between each bigcouchdb node
  stunnel::service { 'ednp_server':
    accept     => $ednp_server_accept,
    connect    => $ednp_server_connect,
    client     => false,
    cafile     => $ca_path,
    key        => $key_path,
    cert       => $cert_path,
    verify     => '2',
    pid        => '/var/run/stunnel4/ednp_server.pid',
    rndfile    => '/var/lib/stunnel4/.rnd',
    debuglevel => '4',
    require    => [
      Class['Site_config::X509::Key'],
      Class['Site_config::X509::Cert'],
      Class['Site_config::X509::Ca'] ];
  }

  # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
  # to the above ednp stunnel server.
  $ednp_client_defaults = {
    'client'       => true,
    'cafile'       => $ca_path,
    'key'          => $key_path,
    'cert'         => $cert_path,
  }

  create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)

  include site_check_mk::agent::stunnel
}