puppet: Document smokescreen installation, and move to puppet/zulip/.

This is more broadly useful than for just Kandra; provide
documentation and means to install Smokescreen for stand-alone
servers, and motivate its use somewhat more.

docs/production/deployment.md

@@ -186,28 +186,40 @@ behind reverse proxies.
 ## Using an outgoing HTTP proxy
 
 Zulip supports routing all of its outgoing HTTP and HTTPS traffic
-through an HTTP `CONNECT` proxy, such as [smokescreen][smokescreen];
+through an HTTP `CONNECT` proxy, such as [`smokescreen`][smokescreen];
 this includes outgoing webhooks, image and website previews, and
 mobile push notifications.  You may wish to enable this feature to
-provide a consistent egress point, or enforce access control on URLs.
+provide a consistent egress point, or enforce access control on URLs
+to prevent [SSRF][ssrf] against internal resources.
 
-To enable an outgoing HTTP proxy:
+To use `smokescreen`:
+
+1. Add `, zulip::profile::smokescreen` to the list of `puppet_classes`
+   in `/etc/zulip/zulip.conf`.  A typical value after this change is:
+    ```
+    puppet_classes = zulip::profile::standalone, zulip::profile::smokescreen
+    ```
 
 1. Add the following block to `/etc/zulip/zulip.conf`, substituting in
    your proxy's hostname/IP and port:
 
     ```
     [http_proxy]
-    host = 192.168.0.1
+    host = 127.0.0.1
     port = 4750
     ```
 
 1. As root, run
    `/home/zulip/deployments/current/scripts/zulip-puppet-apply`.  This
-   will reconfigure services to use the outgoing proxy, and restart
-   Zulip.
+   will compile and install `smokescreen`, reconfigure services to use
+   it, and restart Zulip.
+
+If you would like to use an already-installed HTTP proxy, omit the
+first step, and adjust the IP address and port in the second step
+accordingly.
 
 [smokescreen]: https://github.com/stripe/smokescreen
+[ssrf]: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
 
 ## Putting the Zulip application behind a reverse proxy
 

puppet/zulip/manifests/profile/smokescreen.pp

@@ -0,0 +1,57 @@
+# @summary Outgoing HTTP CONNECT proxy for HTTP/HTTPS on port 4750.
+#
+class zulip::profile::smokescreen {
+  include zulip::profile::base
+  include zulip::supervisor
+
+  $golang_version = '1.14.10'
+  zulip::sha256_tarball_to { 'golang':
+    url     => "https://golang.org/dl/go${golang_version}.linux-amd64.tar.gz",
+    sha256  => '66eb6858f375731ba07b0b33f5c813b141a81253e7e74071eec3ae85e9b37098',
+    install => {
+      'go/' => "/srv/golang-${golang_version}/",
+    },
+  }
+  file { '/srv/golang':
+    ensure  => 'link',
+    target  => "/srv/golang-${golang_version}/",
+    require => Zulip::Sha256_tarball_to['golang'],
+  }
+
+  $version = '0.0.2'
+  zulip::sha256_tarball_to { 'smokescreen':
+    url     => "https://github.com/stripe/smokescreen/archive/v${version}.tar.gz",
+    sha256  => '7255744f89a62a103fde97d28e3586644d30191b4e3d1f62c9a99e13d732a012',
+    install => {
+      "smokescreen-${version}/" => "/srv/smokescreen-src-${version}/",
+    },
+  }
+  exec { 'compile smokescreen':
+    command     => "/srv/golang/bin/go build -o /usr/local/bin/smokescreen-${version}",
+    cwd         => "/srv/smokescreen-src-${version}/",
+    # GOCACHE is required; nothing is written to GOPATH, but it is required to be set
+    environment => ['GOCACHE=/tmp/gocache', 'GOPATH=/root/go'],
+    creates     => "/usr/local/bin/smokescreen-${version}",
+    require     => [Zulip::Sha256_tarball_to['golang'], Zulip::Sha256_tarball_to['smokescreen']],
+  }
+
+  file { '/usr/local/bin/smokescreen':
+    ensure  => 'link',
+    target  => "/usr/local/bin/smokescreen-${version}",
+    require => Exec['compile smokescreen'],
+    notify  => Service[supervisor],
+  }
+
+  file { '/etc/supervisor/conf.d/smokescreen.conf':
+    ensure  => file,
+    require => [
+      Package[supervisor],
+      File['/usr/local/bin/smokescreen'],
+    ],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('zulip/supervisor/smokescreen.conf.erb'),
+    notify  => Service[supervisor],
+  }
+}

puppet/zulip_ops/manifests/profile/smokescreen.pp

@@ -1,58 +1,5 @@
-# @summary Outgoing HTTP CONNECT proxy for HTTP/HTTPS on port 4750.
-#
 class zulip_ops::profile::smokescreen {
   include zulip_ops::profile::base
-  include zulip::supervisor
+  include zulip::profile::smokescreen
   include zulip_ops::camo
-
-  $golang_version = '1.14.10'
-  zulip::sha256_tarball_to { 'golang':
-    url     => "https://golang.org/dl/go${golang_version}.linux-amd64.tar.gz",
-    sha256  => '66eb6858f375731ba07b0b33f5c813b141a81253e7e74071eec3ae85e9b37098',
-    install => {
-      'go/' => "/srv/golang-${golang_version}/",
-    },
-  }
-  file { '/srv/golang':
-    ensure  => 'link',
-    target  => "/srv/golang-${golang_version}/",
-    require => Zulip::Sha256_tarball_to['golang'],
-  }
-
-  $version = '0.0.2'
-  zulip::sha256_tarball_to { 'smokescreen':
-    url     => "https://github.com/stripe/smokescreen/archive/v${version}.tar.gz",
-    sha256  => '7255744f89a62a103fde97d28e3586644d30191b4e3d1f62c9a99e13d732a012',
-    install => {
-      "smokescreen-${version}/" => "/srv/smokescreen-src-${version}/",
-    },
-  }
-  exec { 'compile smokescreen':
-    command     => "/srv/golang/bin/go build -o /usr/local/bin/smokescreen-${version}",
-    cwd         => "/srv/smokescreen-src-${version}/",
-    # GOCACHE is required; nothing is written to GOPATH, but it is required to be set
-    environment => ['GOCACHE=/tmp/gocache', 'GOPATH=/root/go'],
-    creates     => "/usr/local/bin/smokescreen-${version}",
-    require     => [Zulip::Sha256_tarball_to['golang'], Zulip::Sha256_tarball_to['smokescreen']],
-  }
-
-  file { '/usr/local/bin/smokescreen':
-    ensure  => 'link',
-    target  => "/usr/local/bin/smokescreen-${version}",
-    require => Exec['compile smokescreen'],
-    notify  => Service[supervisor],
-  }
-
-  file { '/etc/supervisor/conf.d/smokescreen.conf':
-    ensure  => file,
-    require => [
-      Package[supervisor],
-      File['/usr/local/bin/smokescreen'],
-    ],
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('zulip_ops/supervisor/conf.d/smokescreen.conf.erb'),
-    notify  => Service[supervisor],
-  }
 }