#
# TODO: currently this class depends on the HAProxy configuration that lives in site_webapp.
# It would be good to factor that out into a site_haproxy class, so that nickserver can be applied independently.
#
# Installs and runs the LEAP nickserver: creates its user/group, checks out the
# code, installs gem dependencies, renders the config, registers the init
# service and opens its port in the firewall.
class site_nickserver {
  tag 'leap_service'
  include site_config::ruby

  #
  # VARIABLES
  #
  # All settings come from the 'nickserver' hiera key; these class-scope
  # variables are also what the nickserver.yml.erb template reads (presumably
  # via @nickserver_port, @couchdb_* — confirm against the template).
  $nickserver        = hiera('nickserver')
  $nickserver_port   = $nickserver['port']
  $couchdb_user      = $nickserver['couchdb_user']['username']
  $couchdb_password  = $nickserver['couchdb_user']['password']
  $couchdb_host      = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
  $couchdb_port      = '4096'      # See site_webapp/templates/haproxy_couchdb.cfg.erg

  #
  # USER AND GROUP
  #
  # Dedicated unprivileged account; the daemon and the bundler exec below run as it.
  group { 'nickserver':
    ensure    => present,
    allowdupe => false;
  }

  user { 'nickserver':
    ensure    => present,
    allowdupe => false,
    gid       => 'nickserver',
    # Membership in ssl-cert is presumably needed to read TLS private keys
    # (e.g. /etc/ssl/private) — confirm what the daemon actually opens, since
    # this grants read access to every key in that group.
    groups    => 'ssl-cert',
    home      => '/srv/leap/nickserver',
    require   => Group['nickserver'];
  }

  #
  # NICKSERVER CODE
  #
  # libssl-dev must be installed before eventmachine gem in order to support TLS
  package {
    'libssl-dev': ensure => installed;
  }

  # NOTE(review): the checkout uses the git:// transport, which is neither
  # encrypted nor authenticated, and tracks the moving ref 'origin/master'
  # rather than a pinned commit or tag. Whatever is fetched is then installed
  # via bundler and (below) linked into /usr/bin and copied into /etc/init.d,
  # so an altered fetch lands in privileged paths. Pinning a revision and using
  # an authenticated transport (if the upstream offers one) would close this.
  vcsrepo { '/srv/leap/nickserver':
    ensure   => present,
    revision => 'origin/master',
    provider => git,
    source   => 'git://code.leap.se/nickserver',
    owner    => 'nickserver',
    group    => 'nickserver',
    require  => [ User['nickserver'], Group['nickserver'] ],
    notify   => Exec['nickserver_bundler_update'];
  }

  # Re-runs only when the checkout changed (notify) and 'bundle check' fails.
  # Runs as the unprivileged nickserver user; gems go under vendor/bundle in
  # the checkout rather than system-wide.
  exec { 'nickserver_bundler_update':
    cwd     => '/srv/leap/nickserver',
    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
    unless  => '/usr/bin/bundle check',
    user    => 'nickserver',
    timeout => 600,
    require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
    notify  => Service['nickserver'];
  }

  #
  # NICKSERVER CONFIG
  #
  # Rendered from the template above; presumably contains the couchdb
  # credentials, hence mode 0600 and ownership by the daemon user only.
  # Changing it restarts the service.
  file { '/etc/leap/nickserver.yml':
    content => template('site_nickserver/nickserver.yml.erb'),
    owner   => nickserver,
    group   => nickserver,
    mode    => '0600',
    notify  => Service['nickserver'];
  }

  #
  # NICKSERVER DAEMON
  #
  file {
    # Symlink into the checkout; resolves to whatever the current checkout contains.
    '/usr/bin/nickserver':
      ensure  => link,
      target  => '/srv/leap/nickserver/bin/nickserver',
      require => Vcsrepo['/srv/leap/nickserver'];
    # NOTE(review): the init script is copied from the checkout, which is owned
    # by the unprivileged 'nickserver' user (see vcsrepo above), and installed
    # root-owned with mode 0755. Init scripts are executed by the init system
    # with root privileges, so anyone able to write to the checkout can have
    # Puppet install a root-executed script on the next run. Consider shipping
    # the init script from this module instead of the user-owned tree.
    '/etc/init.d/nickserver':
      owner   => root, group => 0, mode => '0755',
      source  => '/srv/leap/nickserver/dist/debian-init-script',
      require => Vcsrepo['/srv/leap/nickserver'];
  }

  service { 'nickserver':
    ensure     => running,
    enable     => true,
    hasrestart => true,
    hasstatus  => true,
    require    => File['/etc/init.d/nickserver'];
  }

  #
  # FIREWALL
  #
  # Shorewall macro describing the nickserver port (tcp). No explicit
  # owner/group/mode is set here, so Puppet's file defaults apply — verify the
  # resulting permissions match the other shorewall macro files on the host.
  file { '/etc/shorewall/macro.nickserver':
    content => "PARAM - - tcp $nickserver_port",
    notify  => Service['shorewall'],
    require => Package['shorewall'];
  }

  # Accepts inbound connections on $nickserver_port from the 'net' zone to the
  # firewall host itself; this is the daemon's public exposure.
  shorewall::rule { 'net2fw-nickserver':
    source      => 'net',
    destination => '$FW',
    action      => 'nickserver(ACCEPT)',
    order       => 200;
  }
}