First pass at parameterizing secret infos.

Change-Id: Iee56a7e65be51ebf19a61eefd60cc93de6a764bf

.gitignore

@@ -1,2 +1,3 @@
 *.pyc
 doc/html/
+manifests/secrets.pp

manifests/site.pp

@@ -260,7 +260,15 @@ node "review.openstack.org" {
     script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
     script_site => 'openstack',
     enable_melody => 'true',
-    melody_session => 'true'
+    melody_session => 'true',
+    gerritbot_nick => 'openstackgerrit',
+    gerritbot_password => hiera('gerrit_gerritbot_password'),
+    gerritbot_server => 'irc.freenode.net',
+    gerritbot_user => 'gerritbot',
+    github_user => 'openstack-gerrit',
+    github_token => hiera('gerrit_github_token'),
+    mysql_password => hiera('gerrit_mysql_password'),
+    email_private_key => hiera('gerrit_email_private_key'),
   }
 }
 
@@ -305,6 +313,9 @@ node "jenkins.openstack.org" {
     ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
   }
   class { "jenkins_jobs":
+    url => "https://jenkins.openstack.org/",
+    username => "gerrig",
+    password => hiera('jenkins_jobs_password'),
     site => "openstack",
     projects => [
       'cinder',
@@ -473,6 +484,7 @@ node "eavesdrop.openstack.org" {
 
   meetbot::site { "openstack":
     nick => "openstack",
+    nickpass => hiera('openstack_meetbot_password'),
     network => "FreeNode",
     server => "chat.us.freenode.net:7000",
     url => "eavesdrop.openstack.org",
@@ -523,11 +535,13 @@ node 'etherpad.openstack.org' {
   }
 
   include etherpad_lite
-  class { 'etherpad_lite::nginx':
-    server_name => 'etherpad.openstack.org'
+  include etherpad_list::nginx
+  class { 'etherpad_lite::site':
+    database_password => hiera('etherpad_db_password'),
+  }
+  class { 'etherpad_lite::mysql':
+    database_password => hiera('etherpad_db_password'),
   }
-  include etherpad_lite::site
-  include etherpad_lite::mysql
   include etherpad_lite::backup
 }
 

modules/etherpad_lite/manifests/init.pp

@@ -87,11 +87,6 @@ define buildsource(
 # include etherpad_lite::nginx # will add reverse proxy on localhost
 # The defaults for all the classes should just work (tm)
 #
-# You will need to have a file at
-# /root/secret-files/etherpad-lite_settings.json on the host that is puppet
-# master or running puppet apply. This file should contain the settings for
-# etherpad-lite. A template for that settings file can be found at:
-# https://raw.github.com/Pita/etherpad-lite/master/settings.json.template
 #
 class etherpad_lite (
   $ep_user          = 'eplite',

modules/etherpad_lite/manifests/mysql.pp

@@ -1,4 +1,9 @@
-class etherpad_lite::mysql {
+class etherpad_lite::mysql (
+  $dbType = 'mysql',
+  $database_user = 'eplite',
+  $database_name = 'etherpad-lite',
+  $database_password
+) {
 
   include etherpad_lite
 
@@ -18,20 +23,42 @@ class etherpad_lite::mysql {
                    Package['mysql-client']]
   }
 
+  file { "${etherpad_lite::base_install_dir}/etherpad-lite/create_database.sh":
+    ensure  => 'present',
+    content => template('etherpad_lite/create_database.sh.erb'),
+    replace => true,
+    owner   => $etherpad_lite::ep_user,
+    group   => $etherpad_lite::ep_user,
+    mode    => 0755,
+    require => Class['etherpad_lite']
+  }
+
+  file { "${etherpad_lite::base_install_dir}/etherpad-lite/create_user.sh":
+    ensure  => 'present',
+    content => template('etherpad_lite/create_user.sh.erb'),
+    replace => true,
+    owner   => $etherpad_lite::ep_user,
+    group   => $etherpad_lite::ep_user,
+    mode    => 0755,
+    require => Class['etherpad_lite']
+  }
+
   exec { "create-etherpad-lite-db":
-    unless  => 'mysql --defaults-file=/etc/mysql/debian.cnf etherpad-lite',
+    unless  => "mysql --defaults-file=/etc/mysql/debian.cnf ${database_name}",
     path    => ['/bin', '/usr/bin'],
-    command => "mysql --defaults-file=/etc/mysql/debian.cnf -e \"create database \`etherpad-lite\` CHARACTER SET utf8 COLLATE utf8_bin;\"",
+    command => "${etherpad_lite::base_install_dir}/etherpad-lite/create_database.sh",
     require => [Service['mysql'],
-                File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"]]
+                File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"],
+                File["${etherpad_lite::base_install_dir}/etherpad-lite/create_database.sh"]]
   } ->
 
   exec { "grant-etherpad-lite-db":
-    unless  => "mysql -ueplite -p\"`grep password ${etherpad_lite::base_install_dir}/etherpad-lite/settings.json | cut -d: -f2 | sed -e 's/.*\"\(.*\)\".*/\1/'`\" etherpad-lite",
+    unless  => "mysql -u${database_user} -p${database_password} ${database_name}",
     path    => ['/bin', '/usr/bin'],
-    command => "mysql --defaults-file=/etc/mysql/debian.cnf -e \"grant all on \`etherpad-lite\`.* to 'eplite'@'localhost' identified by '`grep password ${etherpad_lite::base_install_dir}/etherpad-lite/settings.json | cut -d: -f2 | sed -e 's/.*\"\(.*\)\".*/\1/'`';\" mysql",
+    command => "${etherpad_lite::base_install_dir}/etherpad-lite/create_user.sh",
     require => [Service['mysql'],
-                File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"]]
+                File["${etherpad_lite::base_install_dir}/etherpad-lite/settings.json"],
+                File["${etherpad_lite::base_install_dir}/etherpad-lite/create_user.sh"]]
   }
 
 }

modules/etherpad_lite/manifests/nginx.pp

@@ -1,6 +1,6 @@
 class etherpad_lite::nginx (
   $default_server = 'default_server',
-  $server_name    = 'localhost'
+  $server_name    = $fqdn
 ) {
 
   package { 'nginx':
@@ -38,7 +38,7 @@ class etherpad_lite::nginx (
     replace => true,
     owner   => 'root',
     mode    => 0600,
-    source  => 'file:///root/secret-files/eplite.crt',
+    content => template('etherpad_lite/eplite.crt.erb'),
     require => Package['nginx'],
   }
 
@@ -47,7 +47,7 @@ class etherpad_lite::nginx (
     replace => true,
     owner   => 'root',
     mode    => 0600,
-    source  => 'file:///root/secret-files/eplite.key',
+    content => template('etherpad_lite/eplite.key.erb'),
     require => Package['nginx'],
   }
 

modules/etherpad_lite/manifests/site.pp

@@ -1,5 +1,8 @@
 class etherpad_lite::site (
-  $dbType = 'mysql'
+  $dbType = 'mysql',
+  $database_user = 'eplite',
+  $database_name = 'etherpad-lite',
+  $database_password,
 ) {
 
   include etherpad_lite
@@ -22,7 +25,7 @@ class etherpad_lite::site (
 
   file { "${etherpad_lite::base_install_dir}/etherpad-lite/settings.json":
     ensure  => 'present',
-    source  => 'file:///root/secret-files/etherpad-lite_settings.json',
+    content => template('etherpad_lite/etherpad-lite_settings.json.erb'),
     replace => true,
     owner   => $etherpad_lite::ep_user,
     group   => $etherpad_lite::ep_user,

modules/etherpad_lite/templates/create_database.sh.erb

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+mysql --defaults-file=/etc/mysql/debian.cnf -e 'create database `<%= database_name %>` CHARACTER SET utf8 COLLATE utf8_bin'

modules/etherpad_lite/templates/create_user.sh.erb

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+mysql --defaults-file=/etc/mysql/debian.cnf -e 'grant all on `<%= database_name %>`.* to "<%= database_user %>"@"localhost" identified by "<%= database_password %>";'

modules/etherpad_lite/templates/eplite.crt.erb

@@ -0,0 +1 @@
+<%= cert_file %>

modules/etherpad_lite/templates/eplite.key.erb

@@ -0,0 +1 @@
+<%= key_file %>

modules/etherpad_lite/templates/etherpad-lite_settings.json.erb

@@ -0,0 +1,47 @@
+/*
+  This file must be valid JSON. But comments are allowed
+
+  Please edit settings.json, not settings.json.template
+*/
+{
+  //Ip and port which etherpad should bind at
+  "ip": "127.0.0.1",
+  "port" : 9001,
+
+  //The Type of the database. You can choose between dirty, sqlite and mysql
+  //You should use mysql or sqlite for anything else than testing or development
+  "dbType" : "<%= dbType %>",
+  //the database specific settings
+  "dbSettings" : {
+                   "user"    : "<%= database_user %>",
+                   "host"    : "localhost",
+                   "password": "<%= database_password %>",
+                   "database": "<%= database_name %>"
+                 },
+  //the default text of a pad
+  "defaultPadText" : "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n",
+
+  /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */
+  "requireSession" : false,
+
+  /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
+  "editOnly" : false,
+
+  /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly,
+     but makes it impossible to debug the javascript/css */
+  "minify" : true,
+
+  /* How long may clients use served javascript code? Without versioning this
+    is may cause problems during deployment. */
+  "maxAge" : 21600000, // 6 hours
+
+  /* This is the path to the Abiword executable. Setting it to null, disables abiword.
+     Abiword is needed to enable the import/export of pads*/
+  "abiword" : "/usr/bin/abiword",
+
+  /* This setting is used if you need http basic auth */
+  // "httpAuth" : "user:pass",
+
+  /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */
+  "loglevel": "INFO"
+}

modules/gerrit/manifests/init.pp

@@ -89,7 +89,15 @@ class gerrit($virtual_hostname='',
       $script_key_file,
       $script_site,
       $enable_melody = 'false',
-      $melody_session = 'false'
+      $melody_session = 'false',
+      $gerritbot_nick,
+      $gerritbot_password,
+      $gerritbot_server,
+      $gerritbot_user,
+      $github_user,
+      $github_token,
+      $mysql_password,
+      $email_private_key
   ) {
 
   # Set this to true to disable cron jobs and replication, which can
@@ -140,7 +148,7 @@ class gerrit($virtual_hostname='',
     cron { "gerritsyncusers":
       user => gerrit2,
       minute => "*/15",
-      command => "sleep $((RANDOM\%60+60)) && python /usr/local/gerrit/scripts/update_gerrit_users.py ${script_user} ${script_key_file} ${script_site}",
+      command => "sleep $((RANDOM\\%60+60)) && python /usr/local/gerrit/scripts/update_gerrit_users.py ${script_user} ${script_key_file} ${script_site}",
       require => File['/usr/local/gerrit/scripts'],
     }
 
@@ -357,14 +365,13 @@ class gerrit($virtual_hostname='',
 
   # Secret files.
   # TODO: move the first two into other modules since they aren't for gerrit.
-  # TODO: move secure.config to a puppet master
 
   file { '/home/gerrit2/github.secure.config':
     owner => 'root',
     group => 'gerrit2',
     mode => 440,
     ensure => 'present',
-    source => 'file:///root/secret-files/github.secure.config',
+    content => template('gerrit/github.secure.config.erb'),
     replace => 'true',
     require => User['gerrit2']
   }
@@ -374,7 +381,7 @@ class gerrit($virtual_hostname='',
     group => 'gerrit2',
     mode => 440,
     ensure => 'present',
-    source => 'file:///root/secret-files/gerritbot.config',
+    content => template('gerrit/gerritbot.config.erb'),
     replace => 'true',
     require => User['gerrit2']
   }
@@ -387,7 +394,7 @@ class gerrit($virtual_hostname='',
     group => 'gerrit2',
     mode => 600,
     ensure => 'present',
-    source => 'file:///root/secret-files/secure.config',
+    content => template('gerrit/secure.config.erb'),
     replace => 'true',
     require => File["/home/gerrit2/review_site/etc"]
   }
@@ -399,12 +406,12 @@ class gerrit($virtual_hostname='',
   exec { "gerrit-mysql":
     creates => "/var/lib/mysql/reviewdb/",
     command => "/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf -e \"\
-      CREATE USER 'gerrit2'@'localhost' IDENTIFIED BY '`grep password /home/gerrit2/review_site/etc/secure.config |cut -d= -f2|sed -e 's/ //'`';\
+      CREATE USER 'gerrit2'@'localhost' IDENTIFIED BY '${mysql_password}';\
       CREATE DATABASE reviewdb;\
       ALTER DATABASE reviewdb charset=latin1;\
       GRANT ALL ON reviewdb.* TO 'gerrit2'@'localhost';\
       FLUSH PRIVILEGES;\"",
-    require => [File['/home/gerrit2/review_site/etc/secure.config'], Package["mysql-server"]],
+    require => Package["mysql-server"],
   }
 
   file { "/etc/mysql/my.cnf":

modules/gerrit/templates/gerritbot.config.erb

@@ -0,0 +1,13 @@
+[ircbot]
+nick=<%= gerritbot_nick %>
+pass=<%= gerritbot_password %>
+server=<%= gerritbot_server %>
+port=6667
+channel_config=/home/gerrit2/gerritbot_channel_config.yaml
+lockfile=/var/run/gerritbot/gerritbot.pid
+
+[gerrit]
+user=<%= gerritbot_user %>
+key=/home/gerrit2/.ssh/gerritbot_rsa
+host=<%= virtual_hostname %>
+port=29418

modules/gerrit/templates/github.secure.config.erb

@@ -0,0 +1,3 @@
+[github]
+username = <%= github_user %>
+oauth_token = <%= github_token %>

modules/gerrit/templates/secure.config.erb

@@ -0,0 +1,4 @@
+[database]
+	password = <%= database_password %>
+[auth]
+	registerEmailPrivateKey = <%= email_private_key %>

modules/jenkins_jobs/manifests/init.pp

@@ -1,4 +1,5 @@
-class jenkins_jobs($site, $projects) {
+class jenkins_jobs($url, $username, $password, $site, $projects) {
+
   package { 'python-yaml':
     ensure => 'present'
   }
@@ -18,7 +19,7 @@ class jenkins_jobs($site, $projects) {
     group => 'root',
     mode => 440,
     ensure => 'present',
-    source => 'file:///root/secret-files/jenkins_jobs.ini',
+    content => template('jenkins_jobs/jenkins_jobs.ini.erb'),
     replace => 'true',
     require => File['/usr/local/jenkins_jobs']
   }

modules/jenkins_jobs/templates/jenkins_jobs.ini.erb

@@ -0,0 +1,4 @@
+[jenkins]
+user=<%= user %>
+password=<%= password %>
+url=<%= url %>

modules/meetbot/manifests/site.pp

@@ -1,5 +1,4 @@
-define meetbot::site($nick, $network, $server, $url, $channels, $use_ssl) {
-  $nickpass = file("/root/secret-files/${name}-nickserv.pass")
+define meetbot::site($nick, $nickpass, $network, $server, $url, $channels, $use_ssl) {
 
   file { "/etc/nginx/sites-available/${name}-meetbot":
     ensure => 'present',