diff --git a/.gitignore b/.gitignore index f21b49bb98..d3bc276056 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.pyc doc/html/ +manifests/secrets.pp diff --git a/manifests/site.pp b/manifests/site.pp index bcca172b5b..66ff2ecab8 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -260,7 +260,15 @@ node "review.openstack.org" { script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa', script_site => 'openstack', enable_melody => 'true', - melody_session => 'true' + melody_session => 'true', + gerritbot_nick => 'openstackgerrit', + gerritbot_password => hiera('gerrit_gerritbot_password'), + gerritbot_server => 'irc.freenode.net', + gerritbot_user => 'gerritbot', + github_user => 'openstack-gerrit', + github_token => hiera('gerrit_github_token'), + mysql_password => hiera('gerrit_mysql_password'), + email_private_key => hiera('gerrit_email_private_key'), } } @@ -305,6 +313,9 @@ node "jenkins.openstack.org" { ssl_chain_file => '/etc/ssl/certs/intermediate.pem', } class { "jenkins_jobs": + url => "https://jenkins.openstack.org/", + username => "gerrig", + password => hiera('jenkins_jobs_password'), site => "openstack", projects => [ 'cinder', @@ -473,6 +484,7 @@ node "eavesdrop.openstack.org" { meetbot::site { "openstack": nick => "openstack", + nickpass => hiera('openstack_meetbot_password'), network => "FreeNode", server => "chat.us.freenode.net:7000", url => "eavesdrop.openstack.org", @@ -523,11 +535,13 @@ node 'etherpad.openstack.org' { } include etherpad_lite - class { 'etherpad_lite::nginx': - server_name => 'etherpad.openstack.org' + include etherpad_list::nginx + class { 'etherpad_lite::site': + database_password => hiera('etherpad_db_password'), + } + class { 'etherpad_lite::mysql': + database_password => hiera('etherpad_db_password'), } - include etherpad_lite::site - include etherpad_lite::mysql include etherpad_lite::backup } 
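Review bot: `username => "gerrig"` in the `class { "jenkins_jobs": ... }` declaration for jenkins.openstack.org looks like a typo for `gerrit`, but nothing on the page confirms which Jenkins account the jobs API should use, so please verify it before merging. Because the password comes from `hiera('jenkins_jobs_password')`, a wrong username will only surface as an authentication failure at runtime, not at catalog compile time.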
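Review bot: `include etherpad_list::nginx` in the etherpad.openstack.org node misspells the module name, so catalog compilation for that node will fail with an unknown-class error; it should read `include etherpad_lite::nginx`. Dropping the explicit `server_name => 'etherpad.openstack.org'` also makes the vhost depend on the new `$fqdn` default in nginx.pp, which is only equivalent if the host's fqdn fact resolves to that name — a comment such as `# server_name defaults to $fqdn in etherpad_lite::nginx` would record that assumption. The same `hiera('etherpad_db_password')` lookup is now made twice; a local `$etherpad_db_password = hiera('etherpad_db_password')` passed to both classes would keep the site and mysql declarations in sync.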
diff --git a/modules/etherpad_lite/manifests/init.pp b/modules/etherpad_lite/manifests/init.pp index 6cdde769ef..a4c6492828 100644 --- a/modules/etherpad_lite/manifests/init.pp +++ b/modules/etherpad_lite/manifests/init.pp @@ -87,11 +87,6 @@ define buildsource( # include etherpad_lite::nginx # will add reverse proxy on localhost # The defaults for all the classes should just work (tm) # -# You will need to have a file at -# /root/secret-files/etherpad-lite_settings.json on the host that is puppet -# master or running puppet apply. This file should contain the settings for -# etherpad-lite. A template for that settings file can be found at: -# https://raw.github.com/Pita/etherpad-lite/master/settings.json.template # class etherpad_lite ( $ep_user = 'eplite', diff --git a/modules/etherpad_lite/manifests/mysql.pp b/modules/etherpad_lite/manifests/mysql.pp index 8af56ca4c2..65994a3aa5 100644 --- a/modules/etherpad_lite/manifests/mysql.pp +++ b/modules/etherpad_lite/manifests/mysql.pp @@ -1,4 +1,9 @@ -class etherpad_lite::mysql { +class etherpad_lite::mysql ( + $dbType = 'mysql', + $database_user = 'eplite', + $database_name = 'etherpad-lite', + $database_password +) { include etherpad_lite 
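Review bot: `$dbType = 'mysql'` is added to the parameter list of `etherpad_lite::mysql`, but it is not referenced in any hunk of mysql.pp on this page and both new scripts are mysql-specific, so it appears unused on this class; if the rest of the class body (outside the hunk) does not read it either, drop it or document why it exists. `$database_password` has no default, so every declaration of `etherpad_lite::mysql` must now pass it — the site.pp change does, but any other declaration would start failing at compile time. A header comment such as `# database_password: required; must match the value given to etherpad_lite::site` would make the coupling between the two classes explicit.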
@@ -18,20 +23,42 @@ class etherpad_lite::mysql { Package['mysql-client']] } + file { "${etherpad_lite::base_install_dir}/etherpad-lite/create_database.sh": + ensure => 'present', + content => template('etherpad_lite/create_database.sh.erb'), + replace => true, + owner => $etherpad_lite::ep_user, + group => $etherpad_lite::ep_user, + mode => 0755, + require => Class['etherpad_lite'] + } + + file { "${etherpad_lite::base_install_dir}/etherpad-lite/create_user.sh": + ensure => 'present', + content => template('etherpad_lite/create_user.sh.erb'), + replace => true, + owner => $etherpad_lite::ep_user, + group => $etherpad_lite::ep_user, + mode => 0755, + require => Class['etherpad_lite'] + } + exec { "create-etherpad-lite-db": - unless => 'mysql --defaults-file=/etc/mysql/debian.cnf etherpad-lite', + unless => "mysql --defaults-file=/etc/mysql/debian.cnf ${database_name}", path => ['/bin', '/usr/bin'], - command => "mysql --defaults-file=/etc/mysql/debian.cnf -e \"create database \`etherpad-lite\` CHARACTER SET utf8 COLLATE utf8_bin;\"", + command => "${etherpad_lite::base_install_dir}/etherpad-lite/create_database.sh", require => [Service['mysql'], - File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"]] + File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"], + File["${etherpad_lite::base_install_dir}/etherpad-lite/create_database.sh"]] } -> exec { "grant-etherpad-lite-db": - unless => "mysql -ueplite -p\"`grep password ${etherpad_lite::base_install_dir}/etherpad-lite/settings.json | cut -d: -f2 | sed -e 's/.*\"\(.*\)\".*/\1/'`\" etherpad-lite", + unless => "mysql -u${database_user} -p${database_password} ${database_name}", path => ['/bin', '/usr/bin'], - command => "mysql --defaults-file=/etc/mysql/debian.cnf -e \"grant all on \`etherpad-lite\`.* to 'eplite'@'localhost' identified by '`grep password ${etherpad_lite::base_install_dir}/etherpad-lite/settings.json | cut -d: -f2 | sed -e 's/.*\"\(.*\)\".*/\1/'`';\" mysql", + command => 
"${etherpad_lite::base_install_dir}/etherpad-lite/create_user.sh", require => [Service['mysql'], - File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"]] + File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"], + File["${etherpad_lite::base_install_dir}/etherpad-lite/create_user.sh"]] } } diff --git a/modules/etherpad_lite/manifests/nginx.pp b/modules/etherpad_lite/manifests/nginx.pp index d9d56b96a4..4b0d5e3ea7 100644 --- a/modules/etherpad_lite/manifests/nginx.pp +++ b/modules/etherpad_lite/manifests/nginx.pp @@ -1,6 +1,6 @@ class etherpad_lite::nginx ( $default_server = 'default_server', - $server_name = 'localhost' + $server_name = $fqdn ) { package { 'nginx': @@ -38,7 +38,7 @@ class etherpad_lite::nginx ( replace => true, owner => 'root', mode => 0600, - source => 'file:///root/secret-files/eplite.crt', + content => template('etherpad_lite/eplite.crt.erb'), require => Package['nginx'], } @@ -47,7 +47,7 @@ class etherpad_lite::nginx ( replace => true, owner => 'root', mode => 0600, - source => 'file:///root/secret-files/eplite.key', + content => template('etherpad_lite/eplite.key.erb'), require => Package['nginx'], } diff --git a/modules/etherpad_lite/manifests/site.pp b/modules/etherpad_lite/manifests/site.pp index a69185ae52..2641cae8a1 100644 --- a/modules/etherpad_lite/manifests/site.pp +++ b/modules/etherpad_lite/manifests/site.pp @@ -1,5 +1,8 @@ class etherpad_lite::site ( - $dbType = 'mysql' + $dbType = 'mysql', + $database_user = 'eplite', + $database_name = 'etherpad-lite', + $database_password, ) { include etherpad_lite @@ -22,7 +25,7 @@ class etherpad_lite::site ( file { "${etherpad_lite::base_install_dir}/etherpad-lite/settings.json": ensure => 'present', - source => 'file:///root/secret-files/etherpad-lite_settings.json', + content => template('etherpad_lite/etherpad-lite_settings.json.erb'), replace => true, owner => $etherpad_lite::ep_user, group => $etherpad_lite::ep_user, 
diff --git a/modules/etherpad_lite/templates/create_database.sh.erb b/modules/etherpad_lite/templates/create_database.sh.erb new file mode 100644 index 0000000000..97af276a9e --- /dev/null +++ b/modules/etherpad_lite/templates/create_database.sh.erb @@ -0,0 +1,3 @@ +#!/bin/bash + +mysql --defaults-file=/etc/mysql/debian.cnf -e 'create database `<%= database_name %>` CHARACTER SET utf8 COLLATE utf8_bin' diff --git a/modules/etherpad_lite/templates/create_user.sh.erb b/modules/etherpad_lite/templates/create_user.sh.erb new file mode 100644 index 0000000000..0c1f24bd34 --- /dev/null +++ b/modules/etherpad_lite/templates/create_user.sh.erb @@ -0,0 +1,3 @@ +#!/bin/bash + +mysql --defaults-file=/etc/mysql/debian.cnf -e 'grant all on `<%= database_name %>`.* to "<%= database_user %>"@"localhost" identified by "<%= database_password %>";' diff --git a/modules/etherpad_lite/templates/eplite.crt.erb b/modules/etherpad_lite/templates/eplite.crt.erb new file mode 100644 index 0000000000..b9ce57ad7d --- /dev/null +++ b/modules/etherpad_lite/templates/eplite.crt.erb @@ -0,0 +1 @@ +<%= cert_file %> diff --git a/modules/etherpad_lite/templates/eplite.key.erb b/modules/etherpad_lite/templates/eplite.key.erb new file mode 100644 index 0000000000..2ba76d2919 --- /dev/null +++ b/modules/etherpad_lite/templates/eplite.key.erb @@ -0,0 +1 @@ +<%= key_file %> diff --git a/modules/etherpad_lite/templates/etherpad-lite_settings.json.erb b/modules/etherpad_lite/templates/etherpad-lite_settings.json.erb new file mode 100644 index 0000000000..7d9ee88257 --- /dev/null +++ b/modules/etherpad_lite/templates/etherpad-lite_settings.json.erb 
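Review bot: The `grant all ... identified by "<%= database_password %>"` statement in create_user.sh.erb interpolates the password verbatim into a double-quoted SQL literal that itself sits inside a single-quoted shell argument, so a password containing `"` breaks the GRANT and one containing `'` breaks the shell command entirely; there is no escaping helper on the page, so at minimum document the constraint at the top of the script: `# database_password is interpolated unescaped; it must not contain single or double quotes`. The same shell/SQL nesting applies to `database_name` in both scripts, though that value is a fixed default here. Since the rendered script embeds the secret, the file mode assigned to it in mysql.pp needs to be restrictive.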
@@ -0,0 +1,47 @@ +/* + This file must be valid JSON. But comments are allowed + + Please edit settings.json, not settings.json.template +*/ +{ + //Ip and port which etherpad should bind at + "ip": "127.0.0.1", + "port" : 9001, + + //The Type of the database. You can choose between dirty, sqlite and mysql + //You should use mysql or sqlite for anything else than testing or development + "dbType" : "<%= dbType %>", + //the database specific settings + "dbSettings" : { + "user" : "<%= database_user %>", + "host" : "localhost", + "password": "<%= database_password %>", + "database": "<%= database_name %>" + }, + //the default text of a pad + "defaultPadText" : "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n", + + /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */ + "requireSession" : false, + + /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */ + "editOnly" : false, + + /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, + but makes it impossible to debug the javascript/css */ + "minify" : true, + + /* How long may clients use served javascript code? Without versioning this + is may cause problems during deployment. */ + "maxAge" : 21600000, // 6 hours + + /* This is the path to the Abiword executable. Setting it to null, disables abiword. + Abiword is needed to enable the import/export of pads*/ + "abiword" : "/usr/bin/abiword", + + /* This setting is used if you need http basic auth */ + // "httpAuth" : "user:pass", + + /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */ + "loglevel": "INFO" +} 
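Review bot: The header comment `Please edit settings.json, not settings.json.template` is now wrong, because Puppet renders this file on every run and will overwrite local edits; replace it with `// Managed by Puppet from etherpad_lite/templates/etherpad-lite_settings.json.erb; do not edit on the host.` (the file's own header notes that comments are permitted). `"password": "<%= database_password %>"` is written without JSON escaping, so a password containing `"` or `\` produces invalid JSON that etherpad will refuse to load — a comment stating that constraint next to the `dbSettings` block is the minimum. The `file` resource that writes this (site.pp hunk) shows owner and group but its mode is outside that hunk; with the database password inside, the rendered file must not be world-readable.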
diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp index 412d1ff67b..cbab26f556 100644 --- a/modules/gerrit/manifests/init.pp +++ b/modules/gerrit/manifests/init.pp @@ -89,7 +89,15 @@ class gerrit($virtual_hostname='', $script_key_file, $script_site, $enable_melody = 'false', - $melody_session = 'false' + $melody_session = 'false', + $gerritbot_nick, + $gerritbot_password, + $gerritbot_server, + $gerritbot_user, + $github_user, + $github_token, + $mysql_password, + $email_private_key ) { # Set this to true to disable cron jobs and replication, which can @@ -140,7 +148,7 @@ class gerrit($virtual_hostname='', cron { "gerritsyncusers": user => gerrit2, minute => "*/15", - command => "sleep $((RANDOM\%60+60)) && python /usr/local/gerrit/scripts/update_gerrit_users.py ${script_user} ${script_key_file} ${script_site}", + command => "sleep $((RANDOM\\%60+60)) && python /usr/local/gerrit/scripts/update_gerrit_users.py ${script_user} ${script_key_file} ${script_site}", require => File['/usr/local/gerrit/scripts'], } @@ -357,14 +365,13 @@ class gerrit($virtual_hostname='', # Secret files. # TODO: move the first two into other modules since they aren't for gerrit. - # TODO: move secure.config to a puppet master file { '/home/gerrit2/github.secure.config': owner => 'root', group => 'gerrit2', mode => 440, ensure => 'present', - source => 'file:///root/secret-files/github.secure.config', + content => template('gerrit/github.secure.config.erb'), replace => 'true', require => User['gerrit2'] } @@ -374,7 +381,7 @@ class gerrit($virtual_hostname='', group => 'gerrit2', mode => 440, ensure => 'present', - source => 'file:///root/secret-files/gerritbot.config', + content => template('gerrit/gerritbot.config.erb'), replace => 'true', require => User['gerrit2'] } 
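Review bot: The new `$mysql_password` parameter is what the `gerrit-mysql` exec uses to create the database user, but the new `modules/gerrit/templates/secure.config.erb` renders `<%= database_password %>`, a name that is not declared on this class; secure.config will therefore fail to render (or carry an empty password), and Gerrit cannot authenticate to the database that was just created for it. Change the template line to `password = <%= mysql_password %>`, or rename the parameter consistently in both places. All eight added parameters have no defaults, so any `class { 'gerrit': ... }` declaration other than the review.openstack.org node in site.pp will now fail to compile — a short header comment listing the required parameters would help callers.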
@@ -387,7 +394,7 @@ class gerrit($virtual_hostname='', group => 'gerrit2', mode => 600, ensure => 'present', - source => 'file:///root/secret-files/secure.config', + content => template('gerrit/secure.config.erb'), replace => 'true', require => File["/home/gerrit2/review_site/etc"] } @@ -399,12 +406,12 @@ class gerrit($virtual_hostname='', exec { "gerrit-mysql": creates => "/var/lib/mysql/reviewdb/", command => "/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf -e \"\ - CREATE USER 'gerrit2'@'localhost' IDENTIFIED BY '`grep password /home/gerrit2/review_site/etc/secure.config |cut -d= -f2|sed -e 's/ //'`';\ + CREATE USER 'gerrit2'@'localhost' IDENTIFIED BY '${mysql_password}';\ CREATE DATABASE reviewdb;\ ALTER DATABASE reviewdb charset=latin1;\ GRANT ALL ON reviewdb.* TO 'gerrit2'@'localhost';\ FLUSH PRIVILEGES;\"", - require => [File['/home/gerrit2/review_site/etc/secure.config'], Package["mysql-server"]], + require => Package["mysql-server"], } file { "/etc/mysql/my.cnf": diff --git a/modules/gerrit/templates/gerritbot.config.erb b/modules/gerrit/templates/gerritbot.config.erb new file mode 100644 index 0000000000..a4f373f75b --- /dev/null +++ b/modules/gerrit/templates/gerritbot.config.erb @@ -0,0 +1,13 @@ +[ircbot] +nick=<%= gerritbot_nick %> +pass=<%= gerritbot_password %> +server=<%= gerritbot_server %> +port=6667 +channel_config=/home/gerrit2/gerritbot_channel_config.yaml +lockfile=/var/run/gerritbot/gerritbot.pid + +[gerrit] +user=<%= gerritbot_user %> +key=/home/gerrit2/.ssh/gerritbot_rsa +host=<%= virtual_hostname %> +port=29418 diff --git a/modules/gerrit/templates/github.secure.config.erb b/modules/gerrit/templates/github.secure.config.erb new file mode 100644 index 0000000000..c23de8ca36 --- /dev/null +++ b/modules/gerrit/templates/github.secure.config.erb @@ -0,0 +1,3 @@ +[github] +username = <%= github_user %> +oauth_token = <%= github_token %> 
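Review bot: `IDENTIFIED BY '${mysql_password}'` in the `gerrit-mysql` exec puts the database password into the command's argv, where every local user can read it from the process list while the mysql client runs and where Puppet echoes it verbatim in its failure output if the statement errors; it is also unquoted for SQL, so a `'` in the password breaks the batch. The etherpad changes in this same commit already render the SQL into a file and execute that; the same shape, with a root-owned 0600 file, keeps the secret out of argv and out of the agent log. Dropping the `require` on secure.config is correct since the command no longer reads it.

```puppet
  # PLACEHOLDER: choose a root-only location for the rendered bootstrap SQL.
  $gerrit_mysql_init = '<PLACEHOLDER-PATH>/gerrit-mysql-init.sql'

  file { $gerrit_mysql_init:
    owner   => 'root',
    group   => 'root',
    mode    => 0600,
    content => template('gerrit/mysql-init.sql.erb'),   # new template holding the CREATE USER/DATABASE/GRANT statements
  }

  exec { "gerrit-mysql":
    creates => "/var/lib/mysql/reviewdb/",
    command => "/bin/sh -c '/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf < ${gerrit_mysql_init}'",
    require => [File[$gerrit_mysql_init], Package["mysql-server"]],
  }
```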
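Review bot: `pass=<%= gerritbot_password %>` is transmitted over the IRC connection and the template hard-codes `port=6667`, the conventional plaintext port, so the bot's password travels unencrypted to `irc.freenode.net`; if gerritbot supports TLS (not visible here), the port should be the TLS one and the template should say so, otherwise a comment `# port 6667 is plaintext; the nick password is sent in the clear` records the accepted risk. `host=<%= virtual_hostname %>` inherits the class default of `''`, so a declaration that omits `virtual_hostname` renders an empty `host=` line — worth a comment or a guard.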
diff --git a/modules/gerrit/templates/secure.config.erb b/modules/gerrit/templates/secure.config.erb new file mode 100644 index 0000000000..a20f1d1cb5 --- /dev/null +++ b/modules/gerrit/templates/secure.config.erb @@ -0,0 +1,4 @@ +[database] + password = <%= database_password %> +[auth] + registerEmailPrivateKey = <%= email_private_key %> diff --git a/modules/jenkins_jobs/manifests/init.pp b/modules/jenkins_jobs/manifests/init.pp index dac6b3c2d2..574c6c2df2 100644 --- a/modules/jenkins_jobs/manifests/init.pp +++ b/modules/jenkins_jobs/manifests/init.pp @@ -1,4 +1,5 @@ -class jenkins_jobs($site, $projects) { +class jenkins_jobs($url, $username, $password, $site, $projects) { + package { 'python-yaml': ensure => 'present' } @@ -18,7 +19,7 @@ class jenkins_jobs($site, $projects) { group => 'root', mode => 440, ensure => 'present', - source => 'file:///root/secret-files/jenkins_jobs.ini', + content => template('jenkins_jobs/jenkins_jobs.ini.erb'), replace => 'true', require => File['/usr/local/jenkins_jobs'] } diff --git a/modules/jenkins_jobs/templates/jenkins_jobs.ini.erb b/modules/jenkins_jobs/templates/jenkins_jobs.ini.erb new file mode 100644 index 0000000000..9b04cb6f1d --- /dev/null +++ b/modules/jenkins_jobs/templates/jenkins_jobs.ini.erb @@ -0,0 +1,4 @@ +[jenkins] +user=<%= user %> +password=<%= password %> +url=<%= url %> diff --git a/modules/meetbot/manifests/site.pp b/modules/meetbot/manifests/site.pp index 7b68f5aac1..b2aeec8b48 100644 --- a/modules/meetbot/manifests/site.pp +++ b/modules/meetbot/manifests/site.pp @@ -1,5 +1,4 @@ -define meetbot::site($nick, $network, $server, $url, $channels, $use_ssl) { - $nickpass = file("/root/secret-files/${name}-nickserv.pass") +define meetbot::site($nick, $nickpass, $network, $server, $url, $channels, $use_ssl) { file { "/etc/nginx/sites-available/${name}-meetbot": ensure => 'present',
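Review bot: `class jenkins_jobs($url, $username, $password, $site, $projects)` declares `$username`, but the new `jenkins_jobs.ini.erb` renders `user=<%= user %>`, which is not a variable of this class, so the ini file will fail to render or be written with an empty user. Change the template line to `user=<%= username %>` (the `password` and `url` lines already match the parameter names). The mismatch is only visible by reading the class and template hunks together, so a comment on the parameter list naming the template it feeds would prevent a repeat.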