aboutsummaryrefslogtreecommitdiff
path: root/templates
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2014-09-18 12:47:46 -0300
committerSilvio Rhatto <rhatto@riseup.net>2014-09-18 12:47:46 -0300
commit529cd5077e3d76c1d5b612bc146ab174d7143c30 (patch)
treeda86fdf7c5e9fa6ebf752ffdd6515400057757a8 /templates
downloaddebian-529cd5077e3d76c1d5b612bc146ab174d7143c30.tar.gz
debian-529cd5077e3d76c1d5b612bc146ab174d7143c30.tar.bz2
Squashed 'puppet/' content from commit bb2eae6
git-subtree-dir: puppet git-subtree-split: bb2eae6f3a1f44fef0a05000d79c298442fa24c7
Diffstat (limited to 'templates')
-rw-r--r--templates/apache/htdocs/images/README.html.erb3
-rw-r--r--templates/apache/htdocs/index.html.erb9
-rw-r--r--templates/apache/htdocs/missing.html.erb12
-rw-r--r--templates/apache/vhosts/git.erb20
-rw-r--r--templates/apache/vhosts/lists.erb22
-rw-r--r--templates/apache/vhosts/mail.erb72
-rw-r--r--templates/apache/vhosts/nagios.erb61
-rw-r--r--templates/apache/vhosts/wiki.erb17
-rw-r--r--templates/etc/aliases.erb15
-rw-r--r--templates/etc/nagios3/htpasswd.users.erb1
-rw-r--r--templates/etc/nginx/domain.erb172
-rw-r--r--templates/postfix/tls_policy.erb0
-rw-r--r--templates/puppet/auth.conf.erb120
-rw-r--r--templates/puppet/fileserver.conf.erb21
-rw-r--r--templates/puppet/master.pp.erb10
-rw-r--r--templates/puppet/nodes.pp.erb14
-rw-r--r--templates/puppet/proxy.pp.erb53
-rw-r--r--templates/puppet/puppet.conf.erb30
-rw-r--r--templates/puppet/server.pp.erb41
-rw-r--r--templates/puppet/storage.pp.erb13
-rw-r--r--templates/puppet/test.pp.erb13
-rw-r--r--templates/puppet/users.pp.erb33
-rw-r--r--templates/puppet/web.pp.erb13
23 files changed, 765 insertions, 0 deletions
diff --git a/templates/apache/htdocs/images/README.html.erb b/templates/apache/htdocs/images/README.html.erb
new file mode 100644
index 0000000..4d0f929
--- /dev/null
+++ b/templates/apache/htdocs/images/README.html.erb
@@ -0,0 +1,3 @@
+<pre>
+When not explicitly mentioned, the use of these images is restricted to <%= base_domain %>
+</pre>
diff --git a/templates/apache/htdocs/index.html.erb b/templates/apache/htdocs/index.html.erb
new file mode 100644
index 0000000..6d2d7ea
--- /dev/null
+++ b/templates/apache/htdocs/index.html.erb
@@ -0,0 +1,9 @@
+<html><head>
+<meta http-equiv="refresh" content="1;url=http://<%= domain %>">
+<title><%= domain %></title></head><body>
+
+<center>
+ <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p>
+</center>
+
+</body></html>
diff --git a/templates/apache/htdocs/missing.html.erb b/templates/apache/htdocs/missing.html.erb
new file mode 100644
index 0000000..0c95ef3
--- /dev/null
+++ b/templates/apache/htdocs/missing.html.erb
@@ -0,0 +1,12 @@
+<html>
+<head>
+<title>404 - Not Found</title>
+</head>
+<body>
+ <center>
+ <pre>
+ The address you are trying to reach could not be found. :(
+ </pre>
+ </center>
+</body>
+</html>
diff --git a/templates/apache/vhosts/git.erb b/templates/apache/vhosts/git.erb
new file mode 100644
index 0000000..25aecd1
--- /dev/null
+++ b/templates/apache/vhosts/git.erb
@@ -0,0 +1,20 @@
+# begin vhost for git
+<VirtualHost *:80>
+ # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian
+
+ ServerName git.<%= domain %>
+ SetEnv GITWEB_CONFIG /etc/gitweb.conf
+ HeaderName HEADER
+ DocumentRoot /var/git/repositories
+ Alias /gitweb.css /usr/share/gitweb/gitweb.css
+ Alias /git-favicon.png /usr/share/gitweb/git-favicon.png
+ Alias /git-logo.png /usr/share/gitweb/git-logo.png
+
+ ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi
+ RewriteEngine on
+
+ # Rewrite all other paths that aren't git repo internals to gitweb
+ RewriteRule ^/$ /gitweb [PT]
+ RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT]
+</VirtualHost>
+# end vhost for git
diff --git a/templates/apache/vhosts/lists.erb b/templates/apache/vhosts/lists.erb
new file mode 100644
index 0000000..158dfd4
--- /dev/null
+++ b/templates/apache/vhosts/lists.erb
@@ -0,0 +1,22 @@
+# begin vhost for lists.<%= domain %>
+<VirtualHost *:80>
+ ServerName lists.<%= domain %>
+ DocumentRoot /var/www/data/lists
+
+ RedirectMatch ^/$ https://lists.<%= domain %>/wws
+ Alias /static-sympa /var/lib/sympa/static_content
+ Alias /wwsicons /usr/share/sympa/icons
+ ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi
+
+ <IfModule mod_fcgid.c>
+ IPCCommTimeout 120
+ MaxProcessCount 2
+ </IfModule>
+
+ SuexecUserGroup sympa sympa
+
+ <Location /wws>
+ SetHandler fcgid-script
+ </Location>
+</VirtualHost>
+# end vhost for lists.<%= domain %>
diff --git a/templates/apache/vhosts/mail.erb b/templates/apache/vhosts/mail.erb
new file mode 100644
index 0000000..3badcf0
--- /dev/null
+++ b/templates/apache/vhosts/mail.erb
@@ -0,0 +1,72 @@
+# begin vhost for mail.<%= domain >
+<VirtualHost *:80>
+ ServerName mail.<%= domain >
+ #DocumentRoot /usr/share/squirrelmail
+ DocumentRoot /var/lib/roundcube
+
+ # begin squirrel config
+ <Directory /usr/share/squirrelmail>
+ Options Indexes FollowSymLinks
+ <IfModule mod_php4.c>
+ php_flag register_globals off
+ </IfModule>
+ <IfModule mod_php5.c>
+ php_flag register_globals off
+ </IfModule>
+ <IfModule mod_dir.c>
+ DirectoryIndex index.php
+ </IfModule>
+
+ # access to configtest is limited by default to prevent information leak
+ <Files configtest.php>
+ order deny,allow
+ deny from all
+ allow from 127.0.0.1
+ </Files>
+ </Directory>
+ # end squirrel config
+
+ # begin roundcube config
+ # Access to tinymce files
+ Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
+ Alias /roundcube /var/lib/roundcube
+
+ <Directory "/usr/share/tinymce/www/">
+ Options Indexes MultiViews FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
+ <Directory /var/lib/roundcube/>
+ Options +FollowSymLinks
+ # This is needed to parse /var/lib/roundcube/.htaccess. See its
+ # content before setting AllowOverride to None.
+ AllowOverride All
+ order allow,deny
+ allow from all
+ </Directory>
+
+ # Protecting basic directories:
+ <Directory /var/lib/roundcube/config>
+ Options -FollowSymLinks
+ AllowOverride None
+ </Directory>
+
+ <Directory /var/lib/roundcube/temp>
+ Options -FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Deny from all
+ </Directory>
+
+ <Directory /var/lib/roundcube/logs>
+ Options -FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Deny from all
+ </Directory>
+ # end roundcube config
+
+</VirtualHost>
+# end vhost for mail.<%= domain >
diff --git a/templates/apache/vhosts/nagios.erb b/templates/apache/vhosts/nagios.erb
new file mode 100644
index 0000000..8b3d252
--- /dev/null
+++ b/templates/apache/vhosts/nagios.erb
@@ -0,0 +1,61 @@
+# begin vhost for nagios
+<VirtualHost *:80>
+ ServerName nagios.<%= domain >
+ DocumentRoot /usr/share/nagios3/htdocs
+
+ # apache configuration for nagios 3.x
+ # note to users of nagios 1.x and 2.x:
+ # throughout this file are commented out sections which preserve
+ # backwards compatibility with bookmarks/config forî<80><80>older nagios versios.
+ # simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+
+ ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
+ ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
+ # nagios 1.x:
+ #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
+ #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
+ # nagios 2.x:
+ #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
+ #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
+
+ # Where the stylesheets (config files) reside
+ Alias /nagios3/stylesheets /etc/nagios3/stylesheets
+ # nagios 1.x:
+ #Alias /nagios/stylesheets /etc/nagios3/stylesheets
+ # nagios 2.x:
+ #Alias /nagios2/stylesheets /etc/nagios3/stylesheets
+
+ # Where the HTML pages live
+ Alias /nagios3 /usr/share/nagios3/htdocs
+ # nagios 2.x:
+ #Alias /nagios2 /usr/share/nagios3/htdocs
+ # nagios 1.x:
+ #Alias /nagios /usr/share/nagios3/htdocs
+
+ <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
+ Options FollowSymLinks
+
+ DirectoryIndex index.html
+
+ AllowOverride AuthConfig
+ Order Allow,Deny
+ Allow From All
+
+ AuthName "Nagios Access"
+ AuthType Basic
+ AuthUserFile /etc/nagios3/htpasswd.users
+ # nagios 1.x:
+ #AuthUserFile /etc/nagios/htpasswd.users
+ require valid-user
+ </DirectoryMatch>
+
+ # Enable this ScriptAlias if you want to enable the grouplist patch.
+ # See http://apan.sourceforge.net/download.html for more info
+ # It allows you to see a clickable list of all hostgroups in the
+ # left pane of the Nagios web interface
+ # XXX This is not tested for nagios 2.x use at your own peril
+ #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+ # nagios 1.x:
+ #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+</VirtualHost>
+# end vhost for nagios
diff --git a/templates/apache/vhosts/wiki.erb b/templates/apache/vhosts/wiki.erb
new file mode 100644
index 0000000..56e395b
--- /dev/null
+++ b/templates/apache/vhosts/wiki.erb
@@ -0,0 +1,17 @@
+# begin vhost for wiki.<%= domain >
+<VirtualHost *:80>
+ ServerName wiki.<%= domain >
+ DocumentRoot /var/www/data/wiki
+
+ # begin wiki config
+ <Directory /var/www/data/wiki>
+ Options Indexes Includes FollowSymLinks MultiViews
+ AllowOverride All
+ </Directory>
+ # end wiki config
+
+ <IfModule mpm_itk_module>
+ AssignUserId wiki wiki
+ </IfModule>
+</VirtualHost>
+# end vhost for wiki.<%= domain >
diff --git a/templates/etc/aliases.erb b/templates/etc/aliases.erb
new file mode 100644
index 0000000..f520f68
--- /dev/null
+++ b/templates/etc/aliases.erb
@@ -0,0 +1,15 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+reprepro: root
+root: <%= first_user_email %>
diff --git a/templates/etc/nagios3/htpasswd.users.erb b/templates/etc/nagios3/htpasswd.users.erb
new file mode 100644
index 0000000..c21d493
--- /dev/null
+++ b/templates/etc/nagios3/htpasswd.users.erb
@@ -0,0 +1 @@
+nagiosadmin:0FCabjvUTHvxF
diff --git a/templates/etc/nginx/domain.erb b/templates/etc/nginx/domain.erb
new file mode 100644
index 0000000..4e9fa7d
--- /dev/null
+++ b/templates/etc/nginx/domain.erb
@@ -0,0 +1,172 @@
+# <%= domain %> proxy config
+
+# Set the max size for file uploads
+client_max_body_size 100M;
+
+# SNI Configuration
+server {
+ listen 443 default;
+ server_name _;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/blank.crt;
+ ssl_certificate_key /etc/ssl/private/blank.pem;
+ return 403;
+}
+
+server {
+ # see config tips at
+ # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ # simple reverse-proxy
+ listen 80;
+ server_name *.<%= domain %> <%= domain %>
+
+ # enable HSTS header
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+ # https redirection by default
+ rewrite ^(.*) https://$host$1 redirect;
+
+ # rewrite rules for backups.<%= domain %>
+ #if ($host ~* ^backups\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for admin.<%= domain %>
+ #if ($host ~* ^admin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for munin.<%= domain %>
+ #if ($host ~* ^munin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for trac.<%= domain %>
+ #if ($host ~* ^trac\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for nagios.<%= domain %>
+ #if ($host ~* ^nagios\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for htpasswd.<%= domain %>
+ #if ($host ~* ^htpasswd\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ #if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for mail.<%= domain %>
+ #if ($host ~* ^mail\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for lists.<%= domain %>
+ #if ($host ~* ^lists\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # pass requests for dynamic content
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_pass http://weblocal:80;
+ }
+
+}
+
+server {
+ # https reverse proxy
+ listen 443;
+ server_name *.<%= domain %> <%= domain %>;
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/cert.crt;
+ ssl_certificate_key /etc/ssl/private/cert.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv3 TLSv1;
+ ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
+ ssl_prefer_server_ciphers on;
+
+ # Set the max size for file uploads
+ client_max_body_size 100M;
+
+ location / {
+ # preserve http header and set forwarded proto
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+
+ # rewrite rules for admin.<%= domain %>
+ if ($host ~* ^admin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for munin.<%= domain %>
+ if ($host ~* ^munin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for trac.<%= domain %>
+ if ($host ~* ^trac\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for nagios.<%= domain %>
+ if ($host ~* ^nagios\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for mail.<%= domain %>
+ if ($host ~* ^mail\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for lists.<%= domain %>
+ if ($host ~* ^lists\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # default proxy pass
+ proxy_pass http://weblocal:80;
+ }
+
+}
diff --git a/templates/postfix/tls_policy.erb b/templates/postfix/tls_policy.erb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/templates/postfix/tls_policy.erb
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
new file mode 100644
index 0000000..96f078c
--- /dev/null
+++ b/templates/puppet/auth.conf.erb
@@ -0,0 +1,120 @@
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
+#
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
+# description of auth.conf's behavior.
+#
+# Supported syntax:
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
+#
+# Example Stanza
+# ---------------------------------
+# path /path/to/resource # simple prefix match
+# # path ~ regex # alternately, regex match
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
+#
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
+#
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
+#
+# Examples:
+#
+# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
+# allow * # Allow all authenticated nodes (since auth
+# # defaults to `yes`).
+#
+# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
+# allow $1 # certname), but not any other node's catalog.
+#
+# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
+# auth yes # access the "extra_files"
+# allow /^(.+)\.example\.com$/ # mount point; note this must
+# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
+# # since it is more specific.
+#
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /file
+allow *
+
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
+path /certificate/ca
+auth any
+method find
+allow *
+
+# allow nodes to retrieve the certificate they requested earlier
+path /certificate/
+auth any
+method find
+allow *
+
+# allow nodes to request a new certificate
+path /certificate_request
+auth any
+method find, save
+allow *
+
+path /v2.0/environments
+method find
+allow *
+
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
+path /
+auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
new file mode 100644
index 0000000..e4d6e0a
--- /dev/null
+++ b/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,21 @@
+# See http://docs.puppetlabs.com/guides/file_serving.html
+
+# Files
+[files]
+ path /etc/puppet/files
+ allow *.<%= base_domain %>
+
+# SSL keys
+[ssl]
+ path /etc/puppet/keys/ssl
+ deny *
+
+# SSH keys
+[ssh]
+ path /etc/puppet/keys/ssh/%h
+ allow *
+
+# Public keys
+[pubkeys]
+ path /etc/puppet/keys/public
+ allow *
diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb
new file mode 100644
index 0000000..5865723
--- /dev/null
+++ b/templates/puppet/master.pp.erb
@@ -0,0 +1,10 @@
+node '<%= hostname %>-master.<%= domain %>' {
+ $main_master = true
+ include nodo::master
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb
new file mode 100644
index 0000000..4acddc6
--- /dev/null
+++ b/templates/puppet/nodes.pp.erb
@@ -0,0 +1,14 @@
+#
+# Node definitions.
+#
+
+<%- if first_nodes == 'present' then -%>
+import "nodes/<%= first_hostname %>.pp"
+import "nodes/<%= first_hostname %>-master.pp"
+import "nodes/<%= first_hostname %>-proxy.pp"
+import "nodes/<%= first_hostname %>-web.pp"
+import "nodes/<%= first_hostname %>-storage.pp"
+import "nodes/<%= first_hostname %>-test.pp"
+<%- else -%>
+#import "nodes/example.pp"
+<%- end -%>
diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb
new file mode 100644
index 0000000..908c2ec
--- /dev/null
+++ b/templates/puppet/proxy.pp.erb
@@ -0,0 +1,53 @@
+node '<%= hostname %>-proxy.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::proxy
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+ # reference to admin vserver
+ host { "<%= hostname %>-master":
+ ensure => present,
+ ip => "192.168.0.2",
+ host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to proxy vserver
+ #host { "<%= hostname %>-proxy":
+ # ensure => present,
+ # ip => "192.168.0.3",
+ # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
+ # notify => Service["nginx"],
+ #}
+
+ # reference to web vserver
+ host { "<%= hostname %>-web":
+ ensure => present,
+ ip => "192.168.0.4",
+ host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to storage vserver
+ host { "<%= hostname %>-storage":
+ ensure => present,
+ ip => "192.168.0.5",
+ host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to test vserver
+ host { "<%= hostname %>-test":
+ ensure => present,
+ ip => "192.168.0.6",
+ host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
+ notify => Service["nginx"],
+ }
+
+}
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..e2751ca
--- /dev/null
+++ b/templates/puppet/puppet.conf.erb
@@ -0,0 +1,30 @@
+[main]
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = sqlite3
+#dbadapter = mysql
+#dbserver = localhost
+#dbuser = puppet
+#dbpassword = <%= db_password %>
+dbconnections = 15
+certname = puppet.<%= base_domain %>
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server = puppet.<%= base_domain %>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300
diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb
new file mode 100644
index 0000000..fcd21e0
--- /dev/null
+++ b/templates/puppet/server.pp.erb
@@ -0,0 +1,41 @@
+node '<%= hostname %>.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+ $shorewall_dmz = true
+ $resolvconf_nameservers = $opendns_nameservers
+ $has_ups = false
+ include nodo::server
+
+ #
+ # Linux-VServers
+ #
+ #nodo::vserver::instance { "<%= hostname %>-master":
+ # context => '2',
+ # puppetmaster => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-proxy":
+ # context => '3',
+ # proxy => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-web":
+ # context => '4',
+ # gitd => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-storage":
+ # context => '5',
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-test":
+ # context => '6',
+ # memory_limit => 500,
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10105",
+ #}
+}
diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb
new file mode 100644
index 0000000..be93335
--- /dev/null
+++ b/templates/puppet/storage.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-storage.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::storage
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb
new file mode 100644
index 0000000..816eca9
--- /dev/null
+++ b/templates/puppet/test.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-test.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::test
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb
new file mode 100644
index 0000000..55a2706
--- /dev/null
+++ b/templates/puppet/users.pp.erb
@@ -0,0 +1,33 @@
+class users::virtual inherits user {
+ # define custom users here
+}
+
+class users::backup inherits user {
+ # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+ # Reprepro group needed for web nodes
+ #if !defined(Group["reprepro"]) {
+ # group { "reprepro":
+ # ensure => present,
+ # }
+ #}
+
+ # root user and password
+ user::manage { "root":
+ tag => "admin",
+ homedir => '/root',
+ password => '<%= root_password %>',
+ }
+
+ # first user config
+ user::manage { "<%= first_user %>":
+ tag => "admin",
+ groups => [ "sudo", ],
+ password => '<%= first_user_password %>',
+ sshkey => [ "<%= first_user_sshkey %>" ],
+ }
+
+}
diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb
new file mode 100644
index 0000000..afc328b
--- /dev/null
+++ b/templates/puppet/web.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-web.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::web
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}