diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2014-09-18 12:47:46 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2014-09-18 12:47:46 -0300 |
| commit | 84baf3dfea376e4b35156acc682f93bfae7e23eb (patch) | |
| tree | 570011bbabc460651c61640a9ecb07b2b83b21cf /puppet/templates | |
| parent | 12bedcb9dc59316fcbb38bf1592ef73dace30d15 (diff) | |
| parent | 529cd5077e3d76c1d5b612bc146ab174d7143c30 (diff) | |
| download | debian-84baf3dfea376e4b35156acc682f93bfae7e23eb.tar.gz debian-84baf3dfea376e4b35156acc682f93bfae7e23eb.tar.bz2 | |
Merge commit '529cd5077e3d76c1d5b612bc146ab174d7143c30' as 'puppet'
Diffstat (limited to 'puppet/templates')
23 files changed, 765 insertions, 0 deletions
diff --git a/puppet/templates/apache/htdocs/images/README.html.erb b/puppet/templates/apache/htdocs/images/README.html.erb new file mode 100644 index 0000000..4d0f929 --- /dev/null +++ b/puppet/templates/apache/htdocs/images/README.html.erb @@ -0,0 +1,3 @@ +<pre> +When not explicitly mentioned, the use of these images is restricted to <%= base_domain %> +</pre> diff --git a/puppet/templates/apache/htdocs/index.html.erb b/puppet/templates/apache/htdocs/index.html.erb new file mode 100644 index 0000000..6d2d7ea --- /dev/null +++ b/puppet/templates/apache/htdocs/index.html.erb @@ -0,0 +1,9 @@ +<html><head> +<meta http-equiv="refresh" content="1;url=http://<%= domain %>"> +<title><%= domain %></title></head><body> + +<center> + <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p> +</center> + +</body></html> diff --git a/puppet/templates/apache/htdocs/missing.html.erb b/puppet/templates/apache/htdocs/missing.html.erb new file mode 100644 index 0000000..0c95ef3 --- /dev/null +++ b/puppet/templates/apache/htdocs/missing.html.erb @@ -0,0 +1,12 @@ +<html> +<head> +<title>404 - Not Found</title> +</head> +<body> + <center> + <pre> + The address you are trying to reach could not be found. :( + </pre> + </center> +</body> +</html> diff --git a/puppet/templates/apache/vhosts/git.erb b/puppet/templates/apache/vhosts/git.erb new file mode 100644 index 0000000..25aecd1 --- /dev/null +++ b/puppet/templates/apache/vhosts/git.erb @@ -0,0 +1,20 @@ +# begin vhost for git +<VirtualHost *:80> + # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian + + ServerName git.<%= domain %> + SetEnv GITWEB_CONFIG /etc/gitweb.conf + HeaderName HEADER + DocumentRoot /var/git/repositories + Alias /gitweb.css /usr/share/gitweb/gitweb.css + Alias /git-favicon.png /usr/share/gitweb/git-favicon.png + Alias /git-logo.png /usr/share/gitweb/git-logo.png + + ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi + RewriteEngine on + + # Rewrite all other paths that aren't git repo internals to gitweb + RewriteRule ^/$ /gitweb [PT] + RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT] +</VirtualHost> +# end vhost for git diff --git a/puppet/templates/apache/vhosts/lists.erb b/puppet/templates/apache/vhosts/lists.erb new file mode 100644 index 0000000..158dfd4 --- /dev/null +++ b/puppet/templates/apache/vhosts/lists.erb @@ -0,0 +1,22 @@ +# begin vhost for lists.<%= domain %> +<VirtualHost *:80> + ServerName lists.<%= domain %> + DocumentRoot /var/www/data/lists + + RedirectMatch ^/$ https://lists.<%= domain %>/wws + Alias /static-sympa /var/lib/sympa/static_content + Alias /wwsicons /usr/share/sympa/icons + ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi + + <IfModule mod_fcgid.c> + IPCCommTimeout 120 + MaxProcessCount 2 + </IfModule> + + SuexecUserGroup sympa sympa + + <Location /wws> + SetHandler fcgid-script + </Location> +</VirtualHost> +# end vhost for lists.<%= domain %> diff --git a/puppet/templates/apache/vhosts/mail.erb b/puppet/templates/apache/vhosts/mail.erb new file mode 100644 index 0000000..3badcf0 --- /dev/null +++ b/puppet/templates/apache/vhosts/mail.erb @@ -0,0 +1,72 @@ +# begin vhost for mail.<%= domain > +<VirtualHost *:80> + ServerName mail.<%= domain > + #DocumentRoot /usr/share/squirrelmail + DocumentRoot /var/lib/roundcube + + # begin squirrel config + <Directory /usr/share/squirrelmail> + Options Indexes FollowSymLinks + <IfModule mod_php4.c> + php_flag register_globals off + </IfModule> + <IfModule mod_php5.c> + php_flag register_globals off + </IfModule> + <IfModule mod_dir.c> + DirectoryIndex index.php + </IfModule> + + # access to configtest is limited by default to prevent information leak + <Files configtest.php> + order deny,allow + deny from all + allow from 127.0.0.1 + </Files> + </Directory> + # end squirrel config + + # begin roundcube config + # Access to tinymce files + Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/ + Alias /roundcube /var/lib/roundcube + + <Directory "/usr/share/tinymce/www/"> + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order allow,deny + allow from all + </Directory> + + <Directory /var/lib/roundcube/> + Options +FollowSymLinks + # This is needed to parse /var/lib/roundcube/.htaccess. See its + # content before setting AllowOverride to None. + AllowOverride All + order allow,deny + allow from all + </Directory> + + # Protecting basic directories: + <Directory /var/lib/roundcube/config> + Options -FollowSymLinks + AllowOverride None + </Directory> + + <Directory /var/lib/roundcube/temp> + Options -FollowSymLinks + AllowOverride None + Order allow,deny + Deny from all + </Directory> + + <Directory /var/lib/roundcube/logs> + Options -FollowSymLinks + AllowOverride None + Order allow,deny + Deny from all + </Directory> + # end roundcube config + +</VirtualHost> +# end vhost for mail.<%= domain > diff --git a/puppet/templates/apache/vhosts/nagios.erb b/puppet/templates/apache/vhosts/nagios.erb new file mode 100644 index 0000000..8b3d252 --- /dev/null +++ b/puppet/templates/apache/vhosts/nagios.erb @@ -0,0 +1,61 @@ +# begin vhost for nagios +<VirtualHost *:80> + ServerName nagios.<%= domain > + DocumentRoot /usr/share/nagios3/htdocs + + # apache configuration for nagios 3.x + # note to users of nagios 1.x and 2.x: + # throughout this file are commented out sections which preserve + # backwards compatibility with bookmarks/config forî<80><80>older nagios versios. + # simply look for lines following "nagios 1.x:" and "nagios 2.x" comments. + + ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3 + ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3 + # nagios 1.x: + #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3 + #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3 + # nagios 2.x: + #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3 + #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3 + + # Where the stylesheets (config files) reside + Alias /nagios3/stylesheets /etc/nagios3/stylesheets + # nagios 1.x: + #Alias /nagios/stylesheets /etc/nagios3/stylesheets + # nagios 2.x: + #Alias /nagios2/stylesheets /etc/nagios3/stylesheets + + # Where the HTML pages live + Alias /nagios3 /usr/share/nagios3/htdocs + # nagios 2.x: + #Alias /nagios2 /usr/share/nagios3/htdocs + # nagios 1.x: + #Alias /nagios /usr/share/nagios3/htdocs + + <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)> + Options FollowSymLinks + + DirectoryIndex index.html + + AllowOverride AuthConfig + Order Allow,Deny + Allow From All + + AuthName "Nagios Access" + AuthType Basic + AuthUserFile /etc/nagios3/htpasswd.users + # nagios 1.x: + #AuthUserFile /etc/nagios/htpasswd.users + require valid-user + </DirectoryMatch> + + # Enable this ScriptAlias if you want to enable the grouplist patch. + # See http://apan.sourceforge.net/download.html for more info + # It allows you to see a clickable list of all hostgroups in the + # left pane of the Nagios web interface + # XXX This is not tested for nagios 2.x use at your own peril + #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi + # nagios 1.x: + #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi +</VirtualHost> +# end vhost for nagios diff --git a/puppet/templates/apache/vhosts/wiki.erb b/puppet/templates/apache/vhosts/wiki.erb new file mode 100644 index 0000000..56e395b --- /dev/null +++ b/puppet/templates/apache/vhosts/wiki.erb @@ -0,0 +1,17 @@ +# begin vhost for wiki.<%= domain > +<VirtualHost *:80> + ServerName wiki.<%= domain > + DocumentRoot /var/www/data/wiki + + # begin wiki config + <Directory /var/www/data/wiki> + Options Indexes Includes FollowSymLinks MultiViews + AllowOverride All + </Directory> + # end wiki config + + <IfModule mpm_itk_module> + AssignUserId wiki wiki + </IfModule> +</VirtualHost> +# end vhost for wiki.<%= domain > diff --git a/puppet/templates/etc/aliases.erb b/puppet/templates/etc/aliases.erb new file mode 100644 index 0000000..f520f68 --- /dev/null +++ b/puppet/templates/etc/aliases.erb @@ -0,0 +1,15 @@ +# /etc/aliases +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root +usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root +reprepro: root +root: <%= first_user_email %> diff --git a/puppet/templates/etc/nagios3/htpasswd.users.erb b/puppet/templates/etc/nagios3/htpasswd.users.erb new file mode 100644 index 0000000..c21d493 --- /dev/null +++ b/puppet/templates/etc/nagios3/htpasswd.users.erb @@ -0,0 +1 @@ +nagiosadmin:0FCabjvUTHvxF diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb new file mode 100644 index 0000000..4e9fa7d --- /dev/null +++ b/puppet/templates/etc/nginx/domain.erb @@ -0,0 +1,172 @@ +# <%= domain %> proxy config + +# Set the max size for file uploads +client_max_body_size 100M; + +# SNI Configuration +server { + listen 443 default; + server_name _; + ssl on; + ssl_certificate /etc/ssl/certs/blank.crt; + ssl_certificate_key /etc/ssl/private/blank.pem; + return 403; +} + +server { + # see config tips at + # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/ + + # Don't log anything + access_log /dev/null; + error_log /dev/null; + + # simple reverse-proxy + listen 80; + server_name *.<%= domain %> <%= domain %> + + # enable HSTS header + add_header Strict-Transport-Security "max-age=15768000; includeSubdomains"; + + # https redirection by default + rewrite ^(.*) https://$host$1 redirect; + + # rewrite rules for backups.<%= domain %> + #if ($host ~* ^backups\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for admin.<%= domain %> + #if ($host ~* ^admin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for munin.<%= domain %> + #if ($host ~* ^munin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for trac.<%= domain %> + #if ($host ~* ^trac\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for nagios.<%= domain %> + #if ($host ~* ^nagios\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for htpasswd.<%= domain %> + #if ($host ~* ^htpasswd\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for postfixadmin.<%= domain %> + #if ($host ~* ^postfixadmin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for mail.<%= domain %> + #if ($host ~* ^mail\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for lists.<%= domain %> + #if ($host ~* ^lists\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # pass requests for dynamic content + location / { + proxy_set_header Host $http_host; + proxy_pass http://weblocal:80; + } + +} + +server { + # https reverse proxy + listen 443; + server_name *.<%= domain %> <%= domain %>; + + # Don't log anything + access_log /dev/null; + error_log /dev/null; + + ssl on; + ssl_certificate /etc/ssl/certs/cert.crt; + ssl_certificate_key /etc/ssl/private/cert.pem; + + ssl_session_timeout 5m; + + ssl_protocols SSLv3 TLSv1; + ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH; + ssl_prefer_server_ciphers on; + + # Set the max size for file uploads + client_max_body_size 100M; + + location / { + # preserve http header and set forwarded proto + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + + proxy_read_timeout 120; + proxy_connect_timeout 120; + + # rewrite rules for admin.<%= domain %> + if ($host ~* ^admin\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for munin.<%= domain %> + if ($host ~* ^munin\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for trac.<%= domain %> + if ($host ~* ^trac\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for nagios.<%= domain %> + if ($host ~* ^nagios\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for postfixadmin.<%= domain %> + if ($host ~* ^postfixadmin\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # rewrite rules for mail.<%= domain %> + if ($host ~* ^mail\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # rewrite rules for lists.<%= domain %> + if ($host ~* ^lists\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # default proxy pass + proxy_pass http://weblocal:80; + } + +} diff --git a/puppet/templates/postfix/tls_policy.erb b/puppet/templates/postfix/tls_policy.erb new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/templates/postfix/tls_policy.erb diff --git a/puppet/templates/puppet/auth.conf.erb b/puppet/templates/puppet/auth.conf.erb new file mode 100644 index 0000000..96f078c --- /dev/null +++ b/puppet/templates/puppet/auth.conf.erb @@ -0,0 +1,120 @@ +# This is the default auth.conf file, which implements the default rules +# used by the puppet master. (That is, the rules below will still apply +# even if this file is deleted.) +# +# The ACLs are evaluated in top-down order. More specific stanzas should +# be towards the top of the file and more general ones at the bottom; +# otherwise, the general rules may "steal" requests that should be +# governed by the specific rules. +# +# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete +# description of auth.conf's behavior. +# +# Supported syntax: +# Each stanza in auth.conf starts with a path to match, followed +# by optional modifiers, and finally, a series of allow or deny +# directives. +# +# Example Stanza +# --------------------------------- +# path /path/to/resource # simple prefix match +# # path ~ regex # alternately, regex match +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|backreference|*|regex] +# deny [host|backreference|*|regex] +# allow_ip [ip|cidr|ip_wildcard|*] +# deny_ip [ip|cidr|ip_wildcard|*] +# +# The path match can either be a simple prefix match or a regular +# expression. `path /file` would match both `/file_metadata` and +# `/file_content`. Regex matches allow the use of backreferences +# in the allow/deny directives. +# +# The regex syntax is the same as for Ruby regex, and captures backreferences +# for use in the `allow` and `deny` lines of that stanza +# +# Examples: +# +# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). +# +# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. +# +# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. +# +# environment:: restrict an ACL to a comma-separated list of environments +# method:: restrict an ACL to a comma-separated list of HTTP methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +### Authenticated ACLs - these rules apply only when the client +### has a valid certificate and is thus authenticated + +# allow nodes to retrieve their own catalog +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow nodes to retrieve their own node definition +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# allow all nodes to access the certificates services +path /certificate_revocation_list/ca +method find +allow * + +# allow all nodes to store their own reports +path ~ ^/report/([^/]+)$ +method save +allow $1 + +# Allow all nodes to access all file services; this is necessary for +# pluginsync, file serving from modules, and file serving from custom +# mount points (see fileserver.conf). Note that the `/file` prefix matches +# requests to both the file_metadata and file_content paths. See "Examples" +# above if you need more granular access control for custom mount points. +path /file +allow * + +### Unauthenticated ACLs, for clients without valid certificates; authenticated +### clients can also access these paths, though they rarely need to. + +# allow access to the CA certificate; unauthenticated nodes need this +# in order to validate the puppet master's certificate +path /certificate/ca +auth any +method find +allow * + +# allow nodes to retrieve the certificate they requested earlier +path /certificate/ +auth any +method find +allow * + +# allow nodes to request a new certificate +path /certificate_request +auth any +method find, save +allow * + +path /v2.0/environments +method find +allow * + +# deny everything else; this ACL is not strictly necessary, but +# illustrates the default policy. +path / +auth any diff --git a/puppet/templates/puppet/fileserver.conf.erb b/puppet/templates/puppet/fileserver.conf.erb new file mode 100644 index 0000000..e4d6e0a --- /dev/null +++ b/puppet/templates/puppet/fileserver.conf.erb @@ -0,0 +1,21 @@ +# See http://docs.puppetlabs.com/guides/file_serving.html + +# Files +[files] + path /etc/puppet/files + allow *.<%= base_domain %> + +# SSL keys +[ssl] + path /etc/puppet/keys/ssl + deny * + +# SSH keys +[ssh] + path /etc/puppet/keys/ssh/%h + allow * + +# Public keys +[pubkeys] + path /etc/puppet/keys/public + allow * diff --git a/puppet/templates/puppet/master.pp.erb b/puppet/templates/puppet/master.pp.erb new file mode 100644 index 0000000..5865723 --- /dev/null +++ b/puppet/templates/puppet/master.pp.erb @@ -0,0 +1,10 @@ +node '<%= hostname %>-master.<%= domain %>' { + $main_master = true + include nodo::master + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/puppet/templates/puppet/nodes.pp.erb b/puppet/templates/puppet/nodes.pp.erb new file mode 100644 index 0000000..4acddc6 --- /dev/null +++ b/puppet/templates/puppet/nodes.pp.erb @@ -0,0 +1,14 @@ +# +# Node definitions. +# + +<%- if first_nodes == 'present' then -%> +import "nodes/<%= first_hostname %>.pp" +import "nodes/<%= first_hostname %>-master.pp" +import "nodes/<%= first_hostname %>-proxy.pp" +import "nodes/<%= first_hostname %>-web.pp" +import "nodes/<%= first_hostname %>-storage.pp" +import "nodes/<%= first_hostname %>-test.pp" +<%- else -%> +#import "nodes/example.pp" +<%- end -%> diff --git a/puppet/templates/puppet/proxy.pp.erb b/puppet/templates/puppet/proxy.pp.erb new file mode 100644 index 0000000..908c2ec --- /dev/null +++ b/puppet/templates/puppet/proxy.pp.erb @@ -0,0 +1,53 @@ +node '<%= hostname %>-proxy.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::proxy + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + + # reference to admin vserver + host { "<%= hostname %>-master": + ensure => present, + ip => "192.168.0.2", + host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ], + notify => Service["nginx"], + } + + # reference to proxy vserver + #host { "<%= hostname %>-proxy": + # ensure => present, + # ip => "192.168.0.3", + # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ], + # notify => Service["nginx"], + #} + + # reference to web vserver + host { "<%= hostname %>-web": + ensure => present, + ip => "192.168.0.4", + host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ], + notify => Service["nginx"], + } + + # reference to storage vserver + host { "<%= hostname %>-storage": + ensure => present, + ip => "192.168.0.5", + host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ], + notify => Service["nginx"], + } + + # reference to test vserver + host { "<%= hostname %>-test": + ensure => present, + ip => "192.168.0.6", + host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ], + notify => Service["nginx"], + } + +} diff --git a/puppet/templates/puppet/puppet.conf.erb b/puppet/templates/puppet/puppet.conf.erb new file mode 100644 index 0000000..e2751ca --- /dev/null +++ b/puppet/templates/puppet/puppet.conf.erb @@ -0,0 +1,30 @@ +[main] +logdir = /var/log/puppet +vardir = /var/lib/puppetmaster +ssldir = $vardir/ssl +rundir = /var/run/puppet +factpath = $vardir/lib/facter +pluginsync = true + +[master] +templatedir = $vardir/templates +masterport = 8140 +autosign = false +storeconfigs = true +dbadapter = sqlite3 +#dbadapter = mysql +#dbserver = localhost +#dbuser = puppet +#dbpassword = <%= db_password %> +dbconnections = 15 +certname = puppet.<%= base_domain %> +ssl_client_header = SSL_CLIENT_S_DN +ssl_client_verify_header = SSL_CLIENT_VERIFY + +[agent] +server = puppet.<%= base_domain %> +vardir = /var/lib/puppet +ssldir = $vardir/ssl +runinterval = 7200 +puppetport = 8139 +configtimeout = 300 diff --git a/puppet/templates/puppet/server.pp.erb b/puppet/templates/puppet/server.pp.erb new file mode 100644 index 0000000..fcd21e0 --- /dev/null +++ b/puppet/templates/puppet/server.pp.erb @@ -0,0 +1,41 @@ +node '<%= hostname %>.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + $shorewall_dmz = true + $resolvconf_nameservers = $opendns_nameservers + $has_ups = false + include nodo::server + + # + # Linux-VServers + # + #nodo::vserver::instance { "<%= hostname %>-master": + # context => '2', + # puppetmaster => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-proxy": + # context => '3', + # proxy => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-web": + # context => '4', + # gitd => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-storage": + # context => '5', + #} + + #nodo::vserver::instance { "<%= hostname %>-test": + # context => '6', + # memory_limit => 500, + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10105", + #} +} diff --git a/puppet/templates/puppet/storage.pp.erb b/puppet/templates/puppet/storage.pp.erb new file mode 100644 index 0000000..be93335 --- /dev/null +++ b/puppet/templates/puppet/storage.pp.erb @@ -0,0 +1,13 @@ +node '<%= hostname %>-storage.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::storage + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/puppet/templates/puppet/test.pp.erb b/puppet/templates/puppet/test.pp.erb new file mode 100644 index 0000000..816eca9 --- /dev/null +++ b/puppet/templates/puppet/test.pp.erb @@ -0,0 +1,13 @@ +node '<%= hostname %>-test.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::test + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/puppet/templates/puppet/users.pp.erb b/puppet/templates/puppet/users.pp.erb new file mode 100644 index 0000000..55a2706 --- /dev/null +++ b/puppet/templates/puppet/users.pp.erb @@ -0,0 +1,33 @@ +class users::virtual inherits user { + # define custom users here +} + +class users::backup inherits user { + # define third-party hosted backup users here +} + +class users::admin inherits user { + + # Reprepro group needed for web nodes + #if !defined(Group["reprepro"]) { + # group { "reprepro": + # ensure => present, + # } + #} + + # root user and password + user::manage { "root": + tag => "admin", + homedir => '/root', + password => '<%= root_password %>', + } + + # first user config + user::manage { "<%= first_user %>": + tag => "admin", + groups => [ "sudo", ], + password => '<%= first_user_password %>', + sshkey => [ "<%= first_user_sshkey %>" ], + } + +} diff --git a/puppet/templates/puppet/web.pp.erb b/puppet/templates/puppet/web.pp.erb new file mode 100644 index 0000000..afc328b --- /dev/null +++ b/puppet/templates/puppet/web.pp.erb @@ -0,0 +1,13 @@ +node '<%= hostname %>-web.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::web + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} |