diff --git a/README.md b/README.md
index 7c253f6232480b21dc5c95f1229febd29a0f563c..297c2720fde179338fdf2d1eb0db406a1c42a2cb 100644
--- a/README.md
+++ b/README.md
@@ -30,18 +30,68 @@ To capture the log, you can copy from the console, or run `leap --log FILE` or e
Visit https://leap.se/en/docs/get-involved/communication for details on how to contact the developers.
-More Information
-================
+Known issues
+============
-Changelog
+The following issues are known to be there in 0.5.1:
+
+CouchDB Sync
+------------
+You can't deploy new couchdb nodes after one or more have been deployed. Make *sure* that you configure and deploy all your couchdb nodes when first creating your provider. The problem is that we dont not have a clean way of adding couch nodes after initial creation of the databases, so any nodes added after result in improperly synchronized data. See Bug [#5601](https://leap.se/code/issues/5601) for more information.
+
+Service separation
+------------------
+
+. You can't deploy all services to one single node. You need at least to seperate the mx and the webapp node. The reason is because they both use haproxy to query the couch db, and haproxy still doesn't have a way to split up its config files in a .d directory (see: https://leap.se/code/issues/3839)
+
+User setup and ssh
+------------------
+
+. if you aren't using a single ssh key, but have different ones, you will need to define the following at the top of your ~/.ssh/config:
+ HostName <ip address>
+ IdentityFile <path to identity file>
+
+ (see: https://leap.se/code/issues/2946 and https://leap.se/code/issues/3002)
+
+. If the ssh host key changes, you need to run node init again (see: https://leap.se/en/docs/platform/guide#Working.with.SSH)
+
+. At the moment, only ECDSA ssh host keys are supported. If you get the following error: `= FAILED ssh-keyscan: no hostkey alg (must be missing an ecdsa public host key)` then you should confirm that you have the following line defined in your server's **/etc/ssh/sshd_config**: `HostKey /etc/ssh/ssh_host_ecdsa_key`. If that file doesn't exist, run `ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""` in order to create it. If you made a change to your sshd_config, then you need to run `/etc/init.d/ssh restart` (see: https://leap.se/code/issues/2373)
+
+. To remove an admin's access to your servers, please remove the directory for that user under the `users/` subdirectory in your provider directory and then remove that user's ssh keys from files/ssh/authorized_keys. When finished you *must* run a `leap deploy` to update that information on the servers.
+
+. At the moment, it is only possible to add an admin who will have access to all LEAP servers (see: https://leap.se/code/issues/2280)
+
+. leap add-user --self allows only one key - if you run that command twice with different keys, you will just replace the key with the second key. To add a second key, add it manually to files/ssh/authorized_keys (see: https://leap.se/code/issues/866)
+
+
+Deploying
---------
+. If you have any errors during a run, please try to deploy again as this often solves non-deterministic issues that were not uncovered in our testing. Please re-deploy with `leap -v2 deploy` to get more verbose logs and capture the complete output to provide to us for debugging.
+
+. If when deploying your debian mirror fails for some reason, network anomoly or the mirror itself is out of date, then platform deployment will not succeed properly. Check the mirror is up and try to deploy again when it is resolved (see: https://leap.se/code/issues/1091)
+
+. Deployment gives 'error: in `%`: too few arguments (ArgumentError)' - this is because you attempted to do a deploy before initializing a node, please initialize the node first and then do a deploy afterwards (see: https://leap.se/code/issues/2550)
+
+. This release has no ability to custom configure apt sources or proxies (see: https://leap.se/code/issues/1971)
+
+. When running a deploy at a verbosity level of 2 and above, you will notice puppet deprecation warnings, these are known and we are working on fixing them
+
+Special Environments
+--------------------
+
+. When deploying to OpenStack release "nova" or newer, you will need to do an initial deploy, then when it has finished run `leap facts update` and then deploy again (see: https://leap.se/code/issues/3020)
+
+
+Changelog
+=========
+
For a changelog of the current branch:
git log
Authors and Credits
-------------------
+===================
See contributors:
@@ -49,6 +99,6 @@ See contributors:
Copyright/License
------------------
+=================
Read LICENSE
diff --git a/bin/run_tests b/bin/run_tests
index 9102c3250429f181fee6e8adabfb249b2f6aef87..526aa83a172262603e318cc4cc1087a628e63326 100755
--- a/bin/run_tests
+++ b/bin/run_tests
@@ -287,6 +287,16 @@ def assert_running(process)
assert pgrep(process).any?, "No running process for #{process}"
end
+#
+# runs the specified command, failing on a non-zero exit status.
+#
+def assert_run(command)
+ output = `#{command}`
+ if $?.exitstatus != 0
+ fail "Error running `#{command}`:\n#{output}"
+ end
+end
+
#
# Custom test runner in order to modify the output.
#
diff --git a/platform.rb b/platform.rb
index 689c58b76d9d5921af593834eaea65eb4731cb33..d36cb3affc0550807dd154c88b3e058cf2ee3871 100644
--- a/platform.rb
+++ b/platform.rb
@@ -4,7 +4,7 @@
#
Leap::Platform.define do
- self.version = "0.4.0"
+ self.version = "0.5.2"
self.compatible_cli = "1.5.0".."1.99"
#
@@ -27,12 +27,16 @@ Leap::Platform.define do
# input config files
:common_config => 'common.json',
:provider_config => 'provider.json',
- :provider_env_config => 'provider.#{arg}.json',
:secrets_config => 'secrets.json',
:node_config => 'nodes/#{arg}.json',
:service_config => 'services/#{arg}.json',
:tag_config => 'tags/#{arg}.json',
+ # input config files, environmentally scoped
+ :provider_env_config => 'provider.#{arg}.json',
+ :service_env_config => 'services/#{arg[0]}.#{arg[1]}.json',
+ :tag_env_config => 'tags/#{arg[0]}.#{arg[1]}.json',
+
# input templates
:provider_json_template => 'files/service-definitions/provider.json.erb',
:eip_service_json_template => 'files/service-definitions/#{arg}/eip-service.json.erb',
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 3e055e9aa9c7487bf5de2056749661d0ece640cb..be8ae484ced0c19e46a303bc923856afc3fb09e7 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -14,7 +14,7 @@
hsh['api_version'] = "1"
hsh['api_uri'] = ["https://", api.domain, ':', api.port].join
- hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt'
+ hsh['ca_cert_uri'] = 'https://' + webapp.domain + '/ca.crt'
hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert)
hsh.dump_json
diff --git a/provider_base/provider.json b/provider_base/provider.json
index fa69318b656151180d88425dddf00dbbc0013980..743964eef30e35d7919964057da3d2bb8d493afe 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -15,12 +15,18 @@
"default_language": "en",
"enrollment_policy": "open",
"service": {
- "levels": [
- // bandwidth limit is in Bytes, storage limit is in MB.
- {"id": 1, "name": "free", "storage":50},
- {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]},
- {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]}
- ],
+ // bandwidth limit is in Bytes, storage limit is in MB.
+ // for example:
+ // "levels": {
+ // "1": {"name": "free", "description":"Limited service, but without cost to you.", "storage":50},
+ // "2": {"name": "basic", "description":"The standard package.", "storage":1000, "rate": {"USD":5}},
+ // "3": {"name": "pro", "description":"Extra storage for power users." , "storage":10000, "rate": {"USD":10}}
+ // }
+ "levels": {
+ "1": {
+ "name": "free", "description": "Please donate."
+ }
+ },
"default_service_level": 1,
"bandwidth_limit": 102400,
"allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?",
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 04e19aa2356240085102a1e05bfad830f061ba10..090afcd692ddba1c870772dba6f07a0b741ff440 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -23,7 +23,8 @@
"tls-cipher": "DHE-RSA-AES128-SHA",
"auth": "SHA1",
"cipher": "AES-128-CBC",
- "keepalive": "10 30"
+ "keepalive": "10 30",
+ "tun-ipv6": true
}
}
}
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index ae4da46dfb7d895a3de596d200954bc87ee9611c..fc365a196d52f0de9305a1ac53f8c29c233f8389 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -1,6 +1,8 @@
{
"tor": {
"bandwidth_rate": 6550,
- "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten"
+ "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
+ "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
+ "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')"
}
}
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 29c0cbf99fe7c99302fbee6239444fd1b128f7b8..bbb520947d623b74a48bbef62e65cc49160bc357 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,6 +1,7 @@
{
"webapp": {
"admins": [],
+ "domain": "= domain.full_suffix",
"modules": ["user", "billing", "help"],
"couchdb_webapp_user": {
"username": "= global.services[:couchdb].couch.users[:webapp].username",
@@ -12,6 +13,8 @@
"allow_limited_certs": "= provider.service.allow_limited_bandwidth",
"allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
"allow_anonymous_certs": "= provider.service.allow_anonymous",
+ "default_service_level": "= provider.service.default_service_level",
+ "service_levels": "= provider.service.levels",
"secret_token": "= secret :webapp_secret_token",
"api_version": 1,
"secure": false,
@@ -39,7 +42,7 @@
},
"service_type": "public_service",
"api": {
- "domain": "= 'api.' + domain.full_suffix",
+ "domain": "= 'api.' + webapp.domain",
"port": 4430
},
"nickserver": {
@@ -52,15 +55,15 @@
"port": 6425
},
"dns": {
- "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]"
+ "aliases": "= [domain.full, webapp.domain, api.domain, nickserver.domain]"
},
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
- "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_cert": "= file [:commercial_cert, webapp.domain]",
+ "commercial_key": "= file [:commercial_key, webapp.domain]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
}
}
diff --git a/puppet/modules/site_apt/manifests/preferences/openvpn.pp b/puppet/modules/site_apt/manifests/preferences/openvpn.pp
new file mode 100644
index 0000000000000000000000000000000000000000..c7ddae2521965cc782743b8141f098cfa05d0260
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/openvpn.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::openvpn {
+
+ apt::preferences_snippet { 'openvpn':
+ package => 'openvpn',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
+}
diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
new file mode 100644
index 0000000000000000000000000000000000000000..132a6e248f4ab0a902d9e32a27e8b1297e6a3f3f
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::rsyslog {
+
+ apt::preferences_snippet { 'rsyslog_anon_depends':
+ package => 'libestr0 librelp0 rsyslog*',
+ priority => '999',
+ pin => 'release a=wheezy-backports',
+ before => Class['rsyslog::install']
+ }
+}
diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp
new file mode 100644
index 0000000000000000000000000000000000000000..6da964f9bf63af90a078ea4ac81316b553c1fa5a
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp
@@ -0,0 +1,10 @@
+class site_apt::preferences::unbound {
+
+ apt::preferences_snippet { 'unbound':
+ package => 'libunbound* unbound*',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999,
+ before => Class['unbound::package'];
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp
index 35a4e9a50a584d92a1a40b340a1135974e1ccf7c..1e370125ae8705f91be7ba3f09d78661572f3673 100644
--- a/puppet/modules/site_check_mk/manifests/agent/mx.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp
@@ -8,7 +8,7 @@ class site_check_mk::agent::mx {
# local nagios plugin checks via mrpe
file_line {
'Leap_MX_Procs':
- line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx',
+ line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap_mx.log\'',
path => '/etc/check_mk/mrpe.cfg';
}
diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
index cbae81fe70a1e057a58a95346b349c3b02394fd5..512d1a3ddce91e408ec0596b8ddf4aa9117107aa 100644
--- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
@@ -7,7 +7,7 @@ class site_check_mk::agent::soledad {
# local nagios plugin checks via mrpe
file_line {
'Soledad_Procs':
- line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad',
+ line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application\'',
path => '/etc/check_mk/mrpe.cfg';
}
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 3d7b92061cc95e945516cccc376d032cbd1a4b4c..1b8bd1a2a44b3511ae175ee3d5dc887eacd1acc1 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -10,16 +10,16 @@ class site_config::caching_resolver {
# the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
# configuration file
+ include site_apt::preferences::unbound
+
file {
+ # cleanup from how we used to do it
'/etc/unbound/conf.d':
- ensure => directory,
- owner => root, group => root, mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
'/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root, group => root, mode => '0644';
+ ensure => absent;
}
class { 'unbound':
@@ -39,4 +39,10 @@ class site_config::caching_resolver {
}
}
}
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a2104d8cb4d85a6b530a50864d5f72121e4..c7352857c3ade16b39762a374957b708f6f58375 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
if $::ec2_instance_id {
include site_config::dhclient
}
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
# configure /etc/resolv.conf
include site_config::resolvconf
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb3121dd4714428eda73a1d9adea729ea1d3..93cfb8473b61ce3542108259160f05ad86b8a2d2 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
logoutput => true,
unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
require => File['/etc/network/ipv4firewall_up.rules'];
'default_ipv6_firewall':
command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
require => File['/etc/network/ipv6firewall_up.rules'];
}
}
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index d3abeca1d6474724c202ffe4833f02ef9d95e477..26c65f02f452aa673599bd1ea17c762e541ec937 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,20 +1,6 @@
class site_config::syslog {
- # we need to pull in rsyslog from the leap repository until it is availbale in
- # wheezy-backports
- apt::preferences_snippet { 'fixed_rsyslog_anon_package':
- package => 'rsyslog*',
- priority => '999',
- pin => 'release o=leap.se',
- before => Class['rsyslog::install']
- }
-
- apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install']
- }
+ include site_apt::preferences::rsyslog
class { 'rsyslog::client':
log_remote => false,
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
index 524ae308c8a05b18047e95370b9d3b3ed16c1f81..928a2b31412453b8387f0d92158dae80d27ae86d 100644
--- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -5,6 +5,7 @@
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
@@ -13,6 +14,7 @@
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e14668ee334082dc9b73c2b9888d8a1f2..e2c92524fb4a7e5ec23ee5557dee06083cf6975e 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
:INPUT DROP [24:1980]
:FORWARD DROP [0:0]
:OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Tue Aug 20 12:19:43 2013
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7aec0faa1474f2185d14678687834aae812072ec..b6331f12933e318045c8db1c526866add113e869 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -168,9 +168,14 @@ class site_openvpn {
include site_shorewall::eip
+ # In wheezy, we need the openvpn backport to get the 2.3 version of
+ # openvpn which has proper ipv6 support
+ include site_apt::preferences::openvpn
+
package {
'openvpn':
- ensure => installed;
+ ensure => latest,
+ require => Class['site_apt::preferences::openvpn'];
}
service {
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509434eaf8f1c764fc51014483d566ed2d1..c1367a33e993a56eaec840b396e360aed253b72b 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -3,82 +3,48 @@ class site_openvpn::resolver {
if $site_openvpn::openvpn_allow_unlimited {
$ensure_unlimited = 'present'
file {
- '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_unlimited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
}
if $site_openvpn::openvpn_allow_limited {
$ensure_limited = 'present'
file {
- '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_limited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
}
-
- # this is an unfortunate way to get around the fact that the version of
- # unbound we are working with does not accept a wildcard include directive
- # (/etc/unbound/conf.d/*), when it does, these line definitions should
- # go away and instead the caching_resolver should be configured to
- # include: /etc/unbound/conf.d/*
-
- file_line {
- 'add_unlimited_tcp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_unlimited_udp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_tcp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_udp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- }
-
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index b1f4997cd30674be3781e725ac1f3b8001c6d7f1..97cf2842bda25cd53b319baff81c48fc30a4fcb9 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -60,12 +60,13 @@ define site_openvpn::server_config(
concat {
"/etc/openvpn/${openvpn_configname}.conf":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- require => File['/etc/openvpn'],
- notify => Exec['restart_openvpn'];
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ before => Service['openvpn'],
+ notify => Exec['restart_openvpn'];
}
if $tls_remote != undef {
@@ -77,101 +78,116 @@ define site_openvpn::server_config(
}
}
+ # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization".
+ if $proto == 'tcp' {
+ openvpn::option {
+ "tcp-nodelay ${openvpn_configname}":
+ key => 'tcp-nodelay',
+ server => $openvpn_configname;
+ }
+ }
+
openvpn::option {
"ca ${openvpn_configname}":
- key => 'ca',
- value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
- server => $openvpn_configname;
+ key => 'ca',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
+ server => $openvpn_configname;
"cert ${openvpn_configname}":
- key => 'cert',
- value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
+ key => 'cert',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
server => $openvpn_configname;
"key ${openvpn_configname}":
- key => 'key',
- value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
- server => $openvpn_configname;
+ key => 'key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ server => $openvpn_configname;
"dh ${openvpn_configname}":
- key => 'dh',
- value => '/etc/openvpn/keys/dh.pem',
- server => $openvpn_configname;
+ key => 'dh',
+ value => '/etc/openvpn/keys/dh.pem',
+ server => $openvpn_configname;
"tls-cipher ${openvpn_configname}":
- key => 'tls-cipher',
- value => $config['tls-cipher'],
- server => $openvpn_configname;
+ key => 'tls-cipher',
+ value => $config['tls-cipher'],
+ server => $openvpn_configname;
"auth ${openvpn_configname}":
- key => 'auth',
- value => $config['auth'],
- server => $openvpn_configname;
+ key => 'auth',
+ value => $config['auth'],
+ server => $openvpn_configname;
"cipher ${openvpn_configname}":
- key => 'cipher',
- value => $config['cipher'],
- server => $openvpn_configname;
+ key => 'cipher',
+ value => $config['cipher'],
+ server => $openvpn_configname;
"dev ${openvpn_configname}":
- key => 'dev',
- value => 'tun',
- server => $openvpn_configname;
+ key => 'dev',
+ value => 'tun',
+ server => $openvpn_configname;
+ "tun-ipv6 ${openvpn_configname}":
+ key => 'tun-ipv6',
+ server => $openvpn_configname;
"duplicate-cn ${openvpn_configname}":
- key => 'duplicate-cn',
- server => $openvpn_configname;
+ key => 'duplicate-cn',
+ server => $openvpn_configname;
"keepalive ${openvpn_configname}":
- key => 'keepalive',
- value => $config['keepalive'],
- server => $openvpn_configname;
+ key => 'keepalive',
+ value => $config['keepalive'],
+ server => $openvpn_configname;
"local ${openvpn_configname}":
- key => 'local',
- value => $local,
- server => $openvpn_configname;
+ key => 'local',
+ value => $local,
+ server => $openvpn_configname;
"mute ${openvpn_configname}":
- key => 'mute',
- value => '5',
- server => $openvpn_configname;
+ key => 'mute',
+ value => '5',
+ server => $openvpn_configname;
"mute-replay-warnings ${openvpn_configname}":
- key => 'mute-replay-warnings',
- server => $openvpn_configname;
+ key => 'mute-replay-warnings',
+ server => $openvpn_configname;
"management ${openvpn_configname}":
- key => 'management',
- value => $management,
- server => $openvpn_configname;
+ key => 'management',
+ value => $management,
+ server => $openvpn_configname;
"proto ${openvpn_configname}":
- key => 'proto',
- value => $proto,
- server => $openvpn_configname;
+ key => 'proto',
+ value => $proto,
+ server => $openvpn_configname;
"push1 ${openvpn_configname}":
- key => 'push',
- value => $push,
- server => $openvpn_configname;
+ key => 'push',
+ value => $push,
+ server => $openvpn_configname;
"push2 ${openvpn_configname}":
- key => 'push',
- value => '"redirect-gateway def1"',
- server => $openvpn_configname;
+ key => 'push',
+ value => '"redirect-gateway def1"',
+ server => $openvpn_configname;
+ "push-ipv6 ${openvpn_configname}":
+ key => 'push',
+ value => '"route-ipv6 2000::/3"',
+ server => $openvpn_configname;
"script-security ${openvpn_configname}":
- key => 'script-security',
- value => '2',
- server => $openvpn_configname;
+ key => 'script-security',
+ value => '1',
+ server => $openvpn_configname;
"server ${openvpn_configname}":
- key => 'server',
- value => $server,
- server => $openvpn_configname;
+ key => 'server',
+ value => $server,
+ server => $openvpn_configname;
+ "server-ipv6 ${openvpn_configname}":
+ key => 'server-ipv6',
+ value => '2001:db8:123::/64',
+ server => $openvpn_configname;
"status ${openvpn_configname}":
- key => 'status',
- value => '/var/run/openvpn-status 10',
- server => $openvpn_configname;
+ key => 'status',
+ value => '/var/run/openvpn-status 10',
+ server => $openvpn_configname;
"status-version ${openvpn_configname}":
- key => 'status-version',
- value => '3',
- server => $openvpn_configname;
+ key => 'status-version',
+ value => '3',
+ server => $openvpn_configname;
"topology ${openvpn_configname}":
- key => 'topology',
- value => 'subnet',
- server => $openvpn_configname;
- # no need for server-up.sh right now
- #"up $openvpn_configname":
- # key => 'up',
- # value => '/etc/openvpn/server-up.sh',
- # server => $openvpn_configname;
+ key => 'topology',
+ value => 'subnet',
+ server => $openvpn_configname;
"verb ${openvpn_configname}":
- key => 'verb',
- value => '3',
- server => $openvpn_configname;
+ key => 'verb',
+ value => '3',
+ server => $openvpn_configname;
}
}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7109b77029114f3218fe4b7730048dcd89cba6a3..8fbba65888c33c1831428c9a6305c52bfd3e50a1 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -68,6 +68,22 @@ class site_shorewall::eip {
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
+
+ 'block_eip_dns_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'domain',
+ order => 300;
+
+ 'block_eip_dns_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'domain',
+ order => 301;
}
# create dnat rule for each port
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 91a4a7a98436d07f8be8590aa47051f1b644b01a..4f6d895fd88ceedecedd3303133af42b36424c31 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -6,7 +6,7 @@ class site_static {
if (member($formats, 'amber')) {
include site_config::ruby::dev
- rubygems::gem{'amber': }
+ rubygems::gem{'amber-0.3.0': }
}
create_resources(site_static::domain, $domains)
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index 837665a354416931cfbc7367a6ff12e43eee3cb6..b75c9ac36095ab33288f080b0a2eda866ab7c0ac 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -22,7 +22,7 @@ define site_stunnel::clients (
pid => "/var/run/stunnel4/${pid}.pid",
rndfile => $rndfile,
debuglevel => $debuglevel,
- require => [
+ subscribe => [
Class['Site_config::X509::Key'],
Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 02368a0e7e677160ae7c31733321f6cd891d0309..e62cb12ddd39e6677a1a65392d0ab782057e40a9 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -7,6 +7,7 @@ class site_tor {
$tor_type = $tor['type']
$nickname = $tor['nickname']
$contact_emails = join($tor['contacts'],', ')
+ $family = $tor['family']
$address = hiera('ip_address')
@@ -16,7 +17,7 @@ class site_tor {
address => $address,
contact_info => obfuscate_email($contact_emails),
bandwidth_rate => $bandwidth_rate,
- my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050',
+ my_family => $family
}
if ( $tor_type == 'exit'){
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 98f8564ee4715b5230a4073d7c68d7d1c8c9d0af..6461c5e8c0306eea82dbcc48ccca0950796e1c1b 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,3 +1,4 @@
+<%- require 'json' -%>
<%- cert_options = @webapp['client_certificates'] -%>
production:
admins: <%= @webapp['admins'].inspect %>
@@ -15,3 +16,5 @@ production:
limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
minimum_client_version: "<%= @webapp['client_version']['min'] %>"
+ default_service_level: "<%= @webapp['default_service_level'] %>"
+ service_levels: <%= @webapp['service_levels'].to_json %>
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
index 743e8a84ee337babcf13bd39c1d87ac90a452af1..af1a96ac003fb239c97271113b4ccc2e859e015d 100644
--- a/puppet/modules/tapicero/manifests/init.pp
+++ b/puppet/modules/tapicero/manifests/init.pp
@@ -56,6 +56,13 @@ class tapicero {
group => 'tapicero',
require => User['tapicero'];
+ # for pid file
+ '/var/run/tapicero':
+ ensure => directory,
+ owner => 'tapicero',
+ group => 'tapicero',
+ require => User['tapicero'];
+
##
## TAPICERO CONFIG
##
@@ -117,7 +124,7 @@ class tapicero {
enable => true,
hasstatus => true,
hasrestart => true,
- require => File['/etc/init.d/tapicero'];
+ require => [ File['/etc/init.d/tapicero'], File['/var/run/tapicero'] ];
}
}
diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb
index 955857dc253a8f8af283c7a6a9d06b4fb71fed3e..e0b0339d6c592c8140f76a70d427571809e1edc5 100644
--- a/tests/white-box/network.rb
+++ b/tests/white-box/network.rb
@@ -57,4 +57,9 @@ class Network < LeapTest
end
end
+ def test_03_Is_shorewall_running?
+ assert_run('/sbin/shorewall status')
+ pass
+ end
+
end