71 files changed, 279 insertions, 1498 deletions
@@ -1,2 +1,3 @@ -modules/* +keys +ssl .vagrant @@ -11,8 +11,8 @@ checkout = git clone git://git.fluxo.info/puppet-apparmor.git apparmor [puppet/modules/apt] checkout = git clone git://git.fluxo.info/puppet-apt.git apt -[puppet/modules/autofs] -checkout = git clone git://git.fluxo.info/puppet-autofs.git autofs +[puppet/modules/augeas] +checkout = git clone git://git.fluxo.info/puppet-augeas.git augeas [puppet/modules/autossh] checkout = git clone git://git.fluxo.info/puppet-autossh.git autossh @@ -32,9 +32,6 @@ checkout = git clone git://git.fluxo.info/puppet-bind.git bind [puppet/modules/bitcoind] checkout = git clone git://git.fluxo.info/puppet-bitcoind.git bitcoind -[puppet/modules/common] -checkout = git clone git://git.fluxo.info/puppet-common.git common - [puppet/modules/concat] checkout = git clone git://git.fluxo.info/puppet-concat.git concat @@ -83,9 +80,6 @@ checkout = git clone git://git.fluxo.info/puppet-hotglue.git hotglue [puppet/modules/hydra] checkout = git clone git://git.fluxo.info/puppet-hydra.git hydra -[puppet/modules/icecast] -checkout = git clone git://git.fluxo.info/puppet-icecast.git icecast - [puppet/modules/ikiwiki] checkout = git clone git://git.fluxo.info/puppet-ikiwiki.git ikiwiki @@ -125,15 +119,9 @@ checkout = git clone git://git.fluxo.info/puppet-mpd.git mpd [puppet/modules/mumble] checkout = git clone git://git.fluxo.info/puppet-mumble.git mumble -[puppet/modules/munin] -checkout = git clone git://git.fluxo.info/puppet-munin.git munin - [puppet/modules/mysql] checkout = git clone git://git.fluxo.info/puppet-mysql.git mysql -[puppet/modules/nagios] -checkout = git clone git://git.fluxo.info/puppet-nagios.git nagios - [puppet/modules/nfs] checkout = git clone git://git.fluxo.info/puppet-nfs.git nfs 
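Review bot: Every checkout in .mrconfig, including the new `puppet-augeas` entry, still clones over `git://`, a transport with no authentication or integrity protection, so a network attacker could substitute module code that `bin/deploy` later applies as root. The host already serves HTTPS (this same commit moves the generator in bin/mrconfig to `https://$GIT/...`), so the committed entries should match: `checkout = git clone https://git.fluxo.info/puppet-augeas.git augeas`, and likewise for the others. Pinning each checkout to a tag or commit, or verifying signed tags after clone, would additionally cover a compromised upstream; the rest of the file's entries lie outside this hunk.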
@@ -149,9 +137,6 @@ checkout = git clone git://git.fluxo.info/puppet-ntp.git ntp [puppet/modules/onion] checkout = git clone git://git.fluxo.info/puppet-onion.git onion -[puppet/modules/pear] -checkout = git clone git://git.fluxo.info/puppet-pear.git pear - [puppet/modules/php] checkout = git clone git://git.fluxo.info/puppet-php.git php @@ -197,9 +182,6 @@ checkout = git clone git://git.fluxo.info/puppet-schroot.git schroot [puppet/modules/shorewall] checkout = git clone git://git.fluxo.info/puppet-shorewall.git shorewall -[puppet/modules/smartmonster] -checkout = git clone git://git.fluxo.info/puppet-smartmonster.git smartmonster - [puppet/modules/smartmontools] checkout = git clone git://git.fluxo.info/puppet-smartmontools.git smartmontools @@ -58,10 +58,6 @@ clean: rm -rf modules git checkout modules -post_update: - git config receive.denyCurrentBranch ignore - cd .git/hooks && ln -sf ../../bin/post-update - post_receive: git config receive.denyCurrentBranch ignore cd .git/hooks && ln -sf ../../bin/post-receive @@ -36,3 +36,9 @@ You might use `make subtrees` instead of `make submodules`. Also, if you already all the modules in a different subtree, use make symlinks MODULES=/path/to/puppet/modules + +Recommended puppet modules +-------------------------- + +This repository plays well with other puppet modules hosted at https://git.fluxo.info, some of them +based on https://gitlab.com/shared-puppet-modules-group. 
@@ -1,141 +1,4 @@ TODO ==== -High priority -------------- - -- puppet: masterless: - - keyringer/gpg integration. - - https://github.com/compete/hiera_yamlgpg - - https://github.com/crayfishx/hiera-gpg - - https://github.com/sihil/hiera-eyaml-gpg - - https://github.com/StackExchange/blackbox - - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet - - https://docs.puppetlabs.com/hiera/1/custom_backends.html - - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml - - https://packages.debian.org/jessie/hiera-eyaml - - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?): - - add a monkeysphere auth subkey to every openpgp key used for backups. - - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/ - - http://current.workingdirectory.net/posts/2011/puppet-without-masters/ - - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/ - - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html - - https://github.com/jordansissel/puppet-examples/tree/master/masterless -- sshd: - - https://stribika.github.io/2015/01/04/secure-secure-shell.html - - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60 - - enable ecdsa key. - - ecdsa priority: alternatives: - - unsupport ecdsa in the server. - - export ecdsa pubkeys. - - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`. - - force option via rsync/rdiff handlers. -- virtual: migrate to kvm/libvirt. -- loginrecords: deploy module. -- deploy https://github.com/wido/puppet-module-tcpwrappers -- nodo: - - run stages. - - allow more resources to be declared via hiera. - - fix hiera default boolean value when true. - - easy way to toggle management of subsystems. - -Medium priority ---------------- - -- apt: raspbian support, including unnatended-upgrades. -- backup: - - support for $dombr and $dobios on backupninja::sys for servers and physical machines. 
- - sync-backups support for rsyncing from kvms / snapshots. -- nodo: - - cleanup and refactor. - - uniform variable names. - - use prompt.sh from bash-prompt as a submodule. -- common: autoload. -- general: - - rollback of commits about charset. - - switch to conf.d: - - php ("refactor" branch), remove E_STRICT from production's error_reporting. - - apache2. - - sudoers. -- backup: `sync-media-iterate [volume]`. -- mail: - - use ssl::dhparams, move to 2048 bit and use the standard file names and paths: - - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012) - -Low priority ------------- - -- merge, review, pull requests for all modules. -- bind: nsupdate / dynamic dns: - - http://linux.yyz.us/nsupdate/ - - http://linux.yyz.us/dns/ddns-server.html - - http://caunter.ca/nsupdate.txt - - http://www.rtfm-sarl.ch/articles/using-nsupdate.html - - https://github.com/skx/dhcp.io/ -- munin: lvm monitoring. -- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed: - - http://wiki.rtorrent.org/MagnetUri - - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/ - - https://github.com/danfolkes/Magnet2Torrent - - http://code.google.com/p/pyroscope/wiki/CommandLineTools - - https://trac.transmissionbt.com/ticket/4176 - - http://wiki.rtorrent.org/MagnetUri - - https://github.com/rakshasa/rtorrent/issues/212 - - saving/restoring `.meta` and `~/rtorrent/.session` files. -- support for http/https proxy inside web nodes: - - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html - - make all apache sites listen to 8080. -- git: - - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html). - - gitweb clean urls. - - email notifications. - - https://packages.debian.org/jessie/git-notifier - - https://github.com/mhagger/git-multimail - - using OpenPGP? -- syslog-ng: use conf.d. 
-- etherpad: `You need to set a sessionKey value in settings.json`. -- knock integration via https://github.com/juasiepo/knockd -- apache: - - try libapache2-modsecurity. - - deploy https://git.immerda.ch/csp-report/ - - disable other_vhosts_access.log. -- onion: - - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot - - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html -- nagios: snmp, nrpe, nsca - - http://nagios.sourceforge.net/docs/3_0/addons.html - - http://www.math.wisc.edu/~jheim/snmp/ -- ssh access restrictions: - - denyhosts, but we don't want to log IPs. - - using shorewall: http://www.debian-administration.org/articles/250#comment_16 - - alowed users / groups. -- websites: freewvs. -- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963 -- mail: - - review dovecot recipient delimiter handling: to which mailbox messages should be sent? - - mlmmj: - - lists with hyphens are not working when mails are sent directly, but work when sent to an alias. - - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`. -- drupal/wordpress: - - cronjob/cli: switch to site user. - - drupal_update: Do you really want to continue with the update process? (y/n): - Do you really want to continue with the update process? (y/n): Aborting. [cancel], - possibly related to https://www.drupal.org/node/443392 -- php / wordpress / wp-cli: composer installation and dependencies: - - http://getcomposer.org/doc/00-intro.md#installation-nix - - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods - - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`. 
-- nodo: support for prosody: - - https://github.com/dgoulet/prosody-otr - - http://prosody.im/doc/creating_accounts#importing_from_ejabberd - - config with good score at https://xmpp.net/index.php -- mail: - - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). - - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails. - sent as `root@localhost`. - - deploy https://git.autistici.org/ale/smtp-fp/tree/master - https://github.com/EFForg/starttls-everywhere - - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP - https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616 - - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). +* Nothing here? :P diff --git a/Vagrantfile b/Vagrantfile index 3ee05e6..b5cd7f6 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -6,7 +6,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| config.vm.box = "jessie" # Hostname - config.vm.hostname = "puppet-bootstrap.example.org" + config.vm.hostname = "box.example.org" # Shell provisioner to setup basic environment. config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision" @@ -22,7 +22,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| end # Share hiera configuration. - config.vm.synced_folder "puppet/hiera", "/etc/puppet/hiera" + config.vm.synced_folder "puppet/config", "/etc/puppet/config" # Forwarded ports #config.vm.network "forwarded_port", guest: 80, host: 8081 diff --git a/bin/dependencies b/bin/dependencies index 507145b..4330730 100755 --- a/bin/dependencies +++ b/bin/dependencies 
@@ -3,6 +3,26 @@ # Puppet bootstrap dependencies. # +# Parameters +BASENAME="`basename $0`" +DEPLOY_DEPENDENCIES="rsync puppet-common hiera-eyaml" +DEVELOP_DEPENDENCIES="git mr whois hiera-eyaml" + +# Additional wheezy dependencies if not using puppet-common from wheezy-backports +#if [ "`head -c 1 /etc/debian_version`" == '7' ]; then +# DEPLOY_DEPENDENCIES="$DEPLOY_DEPENDENCIES ruby-hiera-puppet" +#fi + +# Set sudo config +if [ "`whoami`" != 'root' ]; then + SUDO="sudo" + + if ! sudo -n true; then + echo "Please set passwordless sudo." + exit 1 + fi +fi + # Install a package, thanks to the Hydra Suite. function provision_package { if [ -z "$1" ]; then @@ -17,12 +37,9 @@ function provision_package { fi } -# Set sudo config -if [ "`whoami`" != 'root' ]; then - SUDO="sudo" -fi - # Ensure basic packages are installed. -for package in puppet git mr whois; do - provision_package $package -done +if [ "$BASENAME" == "dependencies" ]; then + for package in $DEVELOP_DEPENDENCIES; do + provision_package $package + done +fi @@ -6,7 +6,6 @@ # Parameters DIRNAME="`dirname $0`" BASEDIR="$DIRNAME/.." -DEPLOY_DEPENDENCIES="puppet ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders" # Determine hostname if [ ! -z "$1" ]; then @@ -15,10 +14,15 @@ else FQDN="`cat /etc/hostname`" fi -# Check for manifest -PUPPET_MANIFEST="$BASEDIR/puppet/manifests/nodes/$FQDN.pp" +# Set manifest +PUPPET_MANIFEST="$BASEDIR/manifests/nodes/$FQDN.pp" if [ ! -e "$PUPPET_MANIFEST" ]; then - echo "file not found: $PUPPET_MANIFEST" + PUPPET_MANIFEST="$BASEDIR/manifests/nodes/default.pp" +fi + +# Check manifest +if [ ! -e "$PUPPET_MANIFEST" ]; then + echo "No manifest found for $FQDN" exit 1 fi @@ -54,5 +58,5 @@ if [ -d "$BASEDIR/puppet/files/patches/$DIST" ]; then fi # Run puppet apply -PUPPET_OPTS="--confdir=$BASEDIR/puppet --modulepath=$BASEDIR/puppet/modules" +PUPPET_OPTS="--confdir=$BASEDIR --modulepath=$BASEDIR/modules" LC_ALL=C $SUDO puppet apply $PUPPET_OPTS $PUPPET_MANIFEST 
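Review bot: The new fallback to `manifests/nodes/default.pp` in bin/deploy turns a mistyped or unknown hostname, which previously aborted with `file not found`, into a silent root-level `puppet apply` of the default manifest. At minimum print the choice before applying, e.g. `echo "Applying manifest $PUPPET_MANIFEST for $FQDN"`, so an operator notices when the node-specific manifest was not found. The node name also comes straight from `$1` (presumably `FQDN="$1"` in the branch above this hunk) with no sanitization, so `../` in the argument escapes the nodes directory; that is tolerable only because the caller already holds passwordless sudo, and a comment should say so. Quoting `"$PUPPET_MANIFEST"` on the final `puppet apply` line avoids word-splitting when the checkout path contains spaces; the enclosing script starts before this hunk.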
diff --git a/bin/mrconfig b/bin/mrconfig index dc753ac..48815c1 100755 --- a/bin/mrconfig +++ b/bin/mrconfig @@ -5,7 +5,7 @@ # Parameters GIT="git.fluxo.info" -URL="https://$GIT/?a=project_index" +URL="https://$GIT/projects.list" CWD="`pwd`" WORK="`dirname $0`/.." @@ -15,13 +15,12 @@ rm -f .mrconfig touch .mrconfig # Fetch repository list and updtate mrconfig -curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do +curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | sed -e 's/\.git$//' | while read module; do folder="`echo $module | sed -e 's/^puppet-//'`" - folder="`basename $folder .git`" if [ "$folder" != "bootstrap" ]; then echo "Processing $folder..." - mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder" + mr config puppet/modules/$folder checkout="git clone https://$GIT/$module $folder" fi done diff --git a/bin/post-receive b/bin/post-receive index 996189d..e6baa07 100755 --- a/bin/post-receive +++ b/bin/post-receive @@ -3,5 +3,15 @@ cd .. unset GIT_DIR -git checkout -f +if [ -d ".git/annex" ]; then + git annex sync +else + #git reset HEAD + git checkout -f +fi + +git submodule sync --recursive git submodule update --init --recursive + +cd - +exec git update-server-info diff --git a/bin/post-update b/bin/post-update deleted file mode 100755 index 48a6a16..0000000 --- a/bin/post-update +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -cd .. -unset GIT_DIR - -if [ -d ".git/annex" ]; then - git annex sync -else - git reset HEAD - git checkout -f -fi - -git submodule update --init --recursive - -cd - -exec git update-server-info diff --git a/bin/provision b/bin/provision index 16f102f..99cb862 100755 --- a/bin/provision +++ b/bin/provision 
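Review bot: bin/post-receive deploys whatever was pushed with no integrity gate: `git checkout -f` followed by the new `git submodule sync --recursive` and `git submodule update --init --recursive` means a pushed `.gitmodules` decides which remote URLs the hook fetches into the tree that bin/deploy later applies as root. If commits or tags in this repository are signed, gate the checkout, e.g. `git verify-commit HEAD || { echo "HEAD is not signed, not deploying"; exit 1; }` placed before `git checkout -f`; otherwise add a comment stating that push access is equivalent to root on every node deployed from this tree. The `git annex sync` branch runs whenever `.git/annex` exists and by default also pushes to remotes, which may not be intended on a deploy target and deserves a one-line comment.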
@@ -13,23 +13,18 @@ source $DIRNAME/dependencies $SUDO apt-get update && DEBIAN_FRONTEND=noninteractive $SUDO apt-get dist-upgrade -y && $SUDO apt-get autoremove -y && $SUDO apt-get clean # Ensure additional dependencies are installed. -for package in usbutils; do - provision_package $package -done - -# Storeconfigs support -for package in ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders; do +for package in $DEPLOY_DEPENDENCIES; do provision_package $package done # Link hiera configuration if needed. if [ ! -h "/etc/puppet/hiera.yaml" ]; then $SUDO rm -f /etc/puppet/hiera.yaml - $SUDO ln -s $DIRNAME/../hiera/hiera.yaml /etc/puppet/hiera.yaml + $SUDO ln -s $DIRNAME/../config/hiera.yaml /etc/puppet/hiera.yaml fi # Link puppet configuration if needed. -if [ ! -h "/etc/puppet/puppet.conf" ]; then +if [ ! -h "/etc/puppet/puppet.conf" ] && [ -e "$DIRNAME/../puppet.conf" ]; then $SUDO rm -f /etc/puppet/puppet.conf $SUDO ln -s $DIRNAME/../puppet.conf /etc/puppet/puppet.conf fi diff --git a/config/common.yaml b/config/common.yaml new file mode 100644 index 0000000..29fb400 --- /dev/null +++ b/config/common.yaml 
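Review bot: The symlink targets `$DIRNAME/../config/hiera.yaml` and `$DIRNAME/../puppet.conf` come from `dirname $0` (set above this hunk), so when provision is run through a relative path such as `bin/provision` the link stored under /etc/puppet is relative and resolves against /etc/puppet rather than the caller's cwd, leaving puppet with a dangling hiera.yaml. Resolve the base once with `BASEDIR="$(cd "$DIRNAME/.." && pwd)"` and link `"$BASEDIR/config/hiera.yaml"` and `"$BASEDIR/puppet.conf"`; the absolute paths used by Vagrantfile and kvmxfile mask this today. Note also that root's hiera and puppet configuration now point into a checkout owned by the unprivileged user (the `/vagrant` share), which is fine for a dev box but worth a comment so the pattern is not reused on a real node.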
@@ -0,0 +1,65 @@
+---
+#
+# General
+#
+nodo::subsystem::apt::include_src : false
+nodo::subsystem::apt::use_next_release : false
+nodo::subsystem::monitor::use_nagios : false
+nodo::subsystem::monitor::address : "%{::fqdn}"
+
+#
+# Firewall
+#
+firewall::ssl_ratelimit : "s:ssl:200/min:20"
+firewall::local_net : false
+firewall::local::manage_host : true
+firewall::local::manage_iface : false
+
+#
+# Mail
+#
+mail::sympa::subdomain : "listas"
+mail::sympa::lang : "pt_BR"
+
+#
+# Monitoring
+#
+nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*'
+
+#
+# Timezone and ntp
+#
+ntp::zone : "Brazil/East"
+ntp::pool : "south-america.pool.ntp.org"
+ntp::servers :
+  - 'a.ntp.br'
+  - 'b.ntp.br'
+  - 'c.ntp.br'
+
+#
+# Nameservers
+#
+# OpenDNS
+nodo::subsystem::resolver::nameservers:
+  - '208.67.222.222'
+  - '208.67.220.220'
+
+#
+# OpenSSH
+#
+sshd::use_storedconfigs : false
+sshd::manage_nagios : false
+sshd::listen_address : [ "%{::ipaddress}", '127.0.0.1' ]
+sshd::password_authentication : 'yes'
+sshd::shared_ip : 'yes'
+sshd::tcp_forwarding : 'yes'
+sshd::x11_forwarding : 'no'
+sshd::hardened : 'yes'
+sshd::print_motd : 'no'
+sshd::ports : [ 22 ]
+sshd::use_pam : 'no'
+
+#
+# Backup
+#
+backupninja::keystore: ''
diff --git a/hiera/hiera.yaml b/config/hiera.yaml
index a8ae792..c39c8e7 100644
--- a/hiera/hiera.yaml
+++ b/config/hiera.yaml
@@ -1,5 +1,6 @@
 ---
 :backends:
+  - eyaml
   - yaml
 :yaml:
   # Right now vagrant and puppet are not fully supporting
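Review bot: `sshd::password_authentication : 'yes'` and `sshd::use_pam : 'no'` are placed in config/common.yaml, the lowest hierarchy layer that every node inherits, while the kvmxfile in this commit provisions a first user with the fixed password `vagrant`; together that exposes password login on whatever `sshd::listen_address` (`%{::ipaddress}`) binds. Keep the fleet default conservative, `sshd::password_authentication : 'no'`, and enable it only in the vagrant node's own layer (config/node/box.example.org.yaml), with a comment there explaining why. The munin allow list `'127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*'` is regex-matched by munin-node, so the unescaped dots and missing anchors make it looser than it reads; `'^127\.0\.0\.1$:^192\.168\.[01]\.[0-9]+$'` is closer to the intent, assuming the nodo module splits this value on colons (confirm against the module).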
@@ -8,7 +9,14 @@
   # reconsidered in the future.
   #
   # See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html
-  :datadir: '%{settings::confdir}/hiera'
+  :datadir: '%{settings::confdir}/config'
+:eyaml:
+  :datadir: '%{settings::confdir}/config'
+  :extension: 'yaml'
+
+  # If using the pkcs7 encryptor (default)
+  :pkcs7_private_key: '%{settings::confdir}/keys/private_key.pkcs7.pem'
+  :pkcs7_public_key: '%{settings::confdir}/keys/public_key.pkcs7.pem'
 :hierarchy:
   #
   # Put in the secrets folder all sensitive information that
@@ -29,5 +37,5 @@
   - 'virtual/%{::virtual}'
   - 'location/%{::nodo::location}'
   - 'domain/%{::domain}'
-  - bootstrap
+  - compiled
   - common
diff --git a/config/node/box.example.org.yaml b/config/node/box.example.org.yaml
new file mode 100644
index 0000000..304d915
--- /dev/null
+++ b/config/node/box.example.org.yaml
@@ -0,0 +1,47 @@
+---
+#
+# Nodo
+#
+nodo::role 'vagrant'
+
+#
+# Classes
+#
+classes:
+  - 'database'
+  - 'apache'
+
+#
+# MySQL
+#
+# The following password is public information and therefore
+# shall not be user on production.
+mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
+
+#
+# Backup
+#
+nodo::subsystem::backup::localhost : false
+nodo::subsystem::backup::encryptkey : 'none'
+nodo::subsystem::backup::password : 'hacked'
+
+#
+# Apache
+#
+apache::default_folder : '/vagrant'
+apache::default_user : 'vagrant'
+apache::default_group : 'vagrant'
+
+# Manage your app
+apache::sites:
+  myapp:
+    docroot : "/vagrant/"
+    server_alias : 'myapp vagrant localhost'
+    use : [ "Site myapp" ]
+    tag : 'all'
+    owner : vagrant
+    group : vagrant
+    mpm_user : vagrant
+    mpm_group : vagrant
+    password : '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD'
+    shell : '/bin/bash'
diff --git a/files/patches/wheezy/collected-resources.md b/files/patches/wheezy/collected-resources.md
new file mode 100644
index 0000000..b2ce77d
--- /dev/null
+++ b/files/patches/wheezy/collected-resources.md
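Review bot: `nodo::role 'vagrant'` near the top of config/node/box.example.org.yaml is missing its colon, so it is not a key/value pair; depending on the parser the whole file fails to load or the text is folded into a stray scalar, and either way `nodo::role` is never set to `vagrant` for this node. It should read `nodo::role: 'vagrant'`. The file also ships a MySQL root password and a sha256-crypt user password hash next to a comment that calls them public; since this commit wires up hiera-eyaml and the hierarchy has a `secrets` layer, extend that comment to say real deployments must override both through an eyaml-encrypted node file rather than by editing this one, and fix `shall not be user` to `shall not be used`.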
@@ -0,0 +1,3 @@ +# Collected resources patch + +* [Bug #10963: Collected resources with a puppet master fail on Ruby 1.9.x - Puppet - Puppet Labs](https://projects.puppetlabs.com/issues/10963). @@ -1 +1 @@ -hiera/hiera.yaml
\ No newline at end of file +config/hiera.yaml
\ No newline at end of file diff --git a/hiera/bootstrap.yaml b/hiera/bootstrap.yaml deleted file mode 100644 index ce72bfb..0000000 --- a/hiera/bootstrap.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# -# Puppet Bootstrap Configuration Parameters. -# -# This file is responsible to set custom values to your new puppet repository -# to reflect the custom configuration for your infrastructure. -# -# This configuration is useful mostly after you cloned the puppet-boostrap module -# and want to configure it to boostrap a whole puppetmaster infrastructure. -# - -# The base domain for your infrastructure. -bootstrap::base_domain: 'vagrantup.com' - -# -# Root password. -# -# Use "mkpasswd -m sha-512" to generate root and first user's passwords. -bootstrap::root::password: '' - -# -# First user account -# -# Do not include "ssh-rsa " into the sshkey definition. -bootstrap::first_user: '' -bootstrap::first_user::password: '' -bootstrap::first_user::sshkey: '' -bootstrap::first_user::email: '' - -# -# First nodes -# - -# Hostname of the first server -bootstrap:first_hostname: '' - -# Create manifests and config for the first nodes? -bootstrap::first_nodes: false - -# MySQL password -mysql::server::rootpw: '' - -# Puppet master db password -nodo::role::master::db_password: '' diff --git a/hiera/common.yaml b/hiera/common.yaml deleted file mode 100644 index 8a04a26..0000000 --- a/hiera/common.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -# -# General -# -nodo::subsystem::apt::include_src: false -nodo::subsystem::apt::use_next_release: false -nodo::subsystem::monitor::use_nagios: false -nodo::subsystem::monitor::address: "%{::fqdn}" - -# -# Firewall -# -firewall::ssl_ratelimit: "s:ssl:200/min:20" -firewall::local_net: false -firewall::local::manage_host: true -firewall::local::manage_iface: false - -# -# Mail -# -mail::sympa::subdomain: "listas" -mail::sympa::lang: "pt_BR" - -# -# Monitoring -# -nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*' - -# -# Wordpress -# -wordpress::locale: 'pt_BR' - -# -# Timezone and ntp -# -ntp::zone: "Brazil/East" -ntp::pool: "south-america.pool.ntp.org" -ntp::servers: - - 'a.ntp.br' - - 'b.ntp.br' - - 'c.ntp.br' - -# -# Nameservers -# -# OpenDNS -nodo::subsystem::resolver::nameservers: - - '208.67.222.222' - - '208.67.220.220' - -# -# Puppet config -# -nodo::base::puppet_mode: 'apply' diff --git a/hiera/node/puppet-bootstrap.example.org.yaml b/hiera/node/puppet-bootstrap.example.org.yaml deleted file mode 100644 index c108e7d..0000000 --- a/hiera/node/puppet-bootstrap.example.org.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# -# MySQL -# -# The following password is public information and therefore -# shall not be user on production. -mysql::server::rootpw: '9pRfteNbSFFyrHhackme' - -# -# Backup -# -nodo::subsystem::backup::localhost: false -nodo::subsystem::backup::encryptkey: 'none' -nodo::subsystem::backup::password: 'hacked' diff --git a/keys/ssh/.empty b/keys/ssh/.empty deleted file mode 100644 index e69de29..0000000 --- a/keys/ssh/.empty +++ /dev/null diff --git a/keys/ssl/.empty b/keys/ssl/.empty deleted file mode 100644 index e69de29..0000000 --- a/keys/ssl/.empty +++ /dev/null diff --git a/kvmxfile b/kvmxfile new file mode 100644 index 0000000..1f494bd --- /dev/null +++ b/kvmxfile 
@@ -0,0 +1,89 @@ +# +# Sample kvmx file - https://kvmx.fluxo.info +# + +# Which base box you should use. Leave unconfigured to use kvmx-create instead. +#basebox="stretch" + +# First user name +user="vagrant" + +# First user password +password="vagrant" + +# Set this is you want to be able to share folders between host and guest. +shared_folder="." +shared_folder_mountpoint="/vagrant" + +# Folder to sync during provisioning in the format "/host/folder /guest/folder". +provision_rsync="puppet /etc/puppet" + +# Options for provision_rsync +provision_rsync_opts="--exclude=.git --exclude=keys --exclude=config/secrets" + +# Absolute path for a provision script located inside the guest. +provision_command="/etc/puppet/bin/provision && /etc/puppet/bin/deploy" + +# Graphics +# See https://wiki.archlinux.org/index.php/QEMU#Graphics +#graphics="-vga std -nographic -vnc :$GUEST_DISPLAY" +graphics="-vga qxl" + +# VNC Client +#vnc_client="xtightvncviewer" +#vnc_client="xvnc4viewer" +#vnc_client="xvncviewer" +vnc_client="virt-viewer" + +# Set this if you want to automatically attach an spice client when the machine +# boots. +run_spice_client="0" + +# Set additional hostfwd mappings +#port_mapping="hostfwd=tcp:127.0.0.1:8080-:80,hostfwd=tcp:127.0.0.1:8443-:443" + +# Where the guest image is stored +#image="$HOME/.local/share/kvmx/$VM/box.img" + +# Image size +size="10G" + +# Image format: raw or qcow2 +format="qcow2" + +# Bootstrap method: custom or vmdeboostrap +method="custom" + +# Hostname +hostname="puppet" + +# Domain +domain="example.org" + +# System arch +arch="amd64" + +# Box distribution when bootstraping a new image +version="stretch" + +# Debian mirror +mirror="http://http.debian.net/debian/" + +# Enables remote administration using SSH. With this configuration enabled, +# kvmx will be able to administer a running virtual machine using SSH access +# inside the virtual machine. +ssh_support="y" + +# Use a custom, per-virtual-machine generated SSH keypair. 
If you disable this +# configuration but still want guest administration using SSH, the default +# insecure keypair will be used. +# +# Please note that this setting won't take effect if you're using a basebox. +# In that case the basebox keypair will be used if it exists, otherwise kvmx +# fallsback to the default insecure keypair. +# +# This setting is used during virtual machine bootstrapping by kvmx-create. +ssh_custom="y" + +# Bootloader (used only during bootstrapping by kvmx-create). +bootloader="grub" diff --git a/manifests/bootstrap/configurator.pp b/manifests/bootstrap/configurator.pp deleted file mode 100644 index edcbe92..0000000 --- a/manifests/bootstrap/configurator.pp +++ /dev/null 
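Review bot: The sample kvmxfile sets `password="vagrant"` for the first user and documents a fallback to the "default insecure keypair" whenever `ssh_custom` is off or a basebox is used, so a guest bootstrapped from it is reachable with a publicly known credential; with the sshd defaults in config/common.yaml (password authentication on, listening on `%{::ipaddress}`) that matters as soon as the VM is bridged rather than NAT-ed. Add a comment above `password=` such as `# Sample credential only: change it before exposing the guest beyond the host`, or leave it empty if kvmx-create then prompts. `provision_rsync_opts` excludes `keys` and `config/secrets`, yet config/hiera.yaml in this commit expects `keys/private_key.pkcs7.pem` under confdir, so eyaml lookups inside the guest will fail unless the key arrives by another channel; a one-line comment saying which is worth adding. `mirror=` is plain HTTP, which apt and debootstrap tolerate because Release files are signed, but state in the comment that this is deliberate.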
@@ -1,208 +0,0 @@ -# -# Puppet Bootstrap Configuration Manifest. -# -# This file is responsible to set custom configuration in the bootstrap -# repository for values set in the hiera configuration. -# -# This manifest is useful mostly after you cloned the puppet-boostrap module -# and want to configure it to boostrap a whole puppetmaster infrastructure. -# - -# -# Basic variables -# -$templates = "$bootstrap_path/templates" -$base_domain = hiera('bootstrap::base_domain', "${::domain}") -$first_hostname = hiera('bootstrap::first_hostname', "${::hostname}") -$first_nodes = hiera('bootstrap::first_nodes', 'absent') -$db_password = hiera('nodo::role::master::db_password', '') -$mysql_rootpw = hiera('mysql::server::rootpw', '') -$root_password = hiera('bootstrap::root::password', '') -$first_user = hiera('bootstrap::first_user', 'user') -$first_user_password = hiera('bootstrap::first_user::password', '') -$first_user_sshkey = hiera('bootstrap::first_user::sshkey', '') -$first_user_email = hiera('bootstrap::first_user::email', 'user@example.org') -$resolvconf_nameservers = hiera('nodo::subsystem::resolver::nameservers', '201.6.2.152:201.6.2.32') -$global_munin_allow = hiera('nodo::munin_node::allow', '192.168.0.[0-9]*') - -# -# Check bootstrap configuration -# - -if ($mysql_rootpw == '') { - alert('You must set mysql::server::rootpw at your configuration') - fail() -} - -if ($db_password == '') { - alert('You must set nodo::role::master::db_password at your configuration') - fail() -} - -if ($root_password == '') { - alert('You must set bootstrap::root::password at your configuration') - fail() -} - -if ($first_user_password == '') { - alert('You must set bootstrap::first_user::password at your configuration') - fail() -} - -# -# Puppet configuration -# -file { "$bootstrap_path/puppet.conf": - ensure => present, - mode => 0644, - content => template("$templates/puppet/puppet.conf.erb"), -} - -# Fileserver configuration -file { "$bootstrap_path/fileserver.conf": - ensure 
=> present, - mode => 0644, - content => template("$templates/puppet/fileserver.conf.erb"), -} - -file { "$bootstrap_path/auth.conf": - ensure => present, - mode => 0644, - content => template("$templates/puppet/auth.conf.erb"), -} - -# -# Basic users -# -file { "$bootstrap_path/modules/site_users/manifests/init.pp": - ensure => present, - mode => 0644, - content => template("$templates/puppet/users.pp.erb"), -} - -# -# Site files -# - -file { "$bootstrap_path/modules/site_apache/files/htdocs/images/README.html": - ensure => present, - mode => 0644, - content => template("$templates/apache/htdocs/images/README.html.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/htdocs/index.html": - ensure => present, - mode => 0644, - content => template("$templates/apache/htdocs/index.html.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/htdocs/missing.html": - ensure => present, - mode => 0644, - content => template("$templates/apache/htdocs/missing.html.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/vhosts/git": - ensure => present, - mode => 0644, - content => template("$templates/apache/vhosts/git.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/vhosts/lists": - ensure => present, - mode => 0644, - content => template("$templates/apache/vhosts/lists.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/vhosts/mail": - ensure => present, - mode => 0644, - content => template("$templates/apache/vhosts/mail.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/vhosts/nagios": - ensure => present, - mode => 0644, - content => template("$templates/apache/vhosts/nagios.erb"), -} - -file { "$bootstrap_path/modules/site_apache/files/vhosts/wiki": - ensure => present, - mode => 0644, - content => template("$templates/apache/vhosts/wiki.erb"), -} - -file { "$bootstrap_path/modules/site_mail/files/aliases": - ensure => present, - mode => 0644, - content => template("$templates/etc/aliases.erb"), -} - -file { 
"$bootstrap_path/modules/site_nagios/files/htpasswd.users": - ensure => present, - mode => 0644, - content => template("$templates/etc/nagios3/htpasswd.users.erb"), -} - -file { "$bootstrap_path/modules/site_nginx/files/$domain": - ensure => present, - mode => 0644, - content => template("$templates/etc/nginx/domain.erb"), -} - -file { "$bootstrap_path/modules/site_postfix/files/tls_policy": - ensure => present, - mode => 0644, - content => template("$templates/postfix/tls_policy.erb"), -} - -# -# Basic nodes -# -file { "$bootstrap_path/manifests/nodes.pp": - ensure => present, - mode => 0644, - content => template("$templates/puppet/nodes.pp.erb"), -} - -# First host -file { "$bootstrap_path/manifests/nodes/$first_hostname.pp": - ensure => $first_nodes, - mode => 0644, - content => template("$templates/puppet/server.pp.erb"), -} - -# Master node -file { "$bootstrap_path/manifests/nodes/$first_hostname-master.pp": - ensure => $first_nodes, - mode => 0644, - content => template("$templates/puppet/master.pp.erb"), -} - -# Proxy node -file { "$bootstrap_path/manifests/nodes/$first_hostname-proxy.pp": - ensure => $first_nodes, - mode => 0644, - content => template("$templates/puppet/proxy.pp.erb"), -} - -# Web node -file { "$bootstrap_path/manifests/nodes/$first_hostname-web.pp": - ensure => $first_nodes, - mode => 0644, - content => template("$templates/puppet/web.pp.erb"), -} - -# Storage node -file { "$bootstrap_path/manifests/nodes/$first_hostname-storage.pp": - ensure => $first_nodes, - mode => 0644, - content => template("$templates/puppet/storage.pp.erb"), -} - -# Test node -file { "$bootstrap_path/manifests/nodes/$first_hostname-test.pp": - ensure => $first_nodes, - mode => 0644, - content => template("$templates/puppet/test.pp.erb"), -} diff --git a/manifests/bootstrap/host.pp b/manifests/bootstrap/host.pp deleted file mode 100644 index 5f9c23a..0000000 --- a/manifests/bootstrap/host.pp +++ /dev/null 
@@ -1,23 +0,0 @@
-#
-# This manifest is intended to configure the initial
-# machine wich will host the first puppetmaster
-# virtual machine.
-#
-
-# The server role
-class { 'nodo:
- role => 'server',
-}
-
-# Creates vserver for administrative node
-nodo::vserver::instance { "$hostname-master":
- context => '2',
- puppetmaster => true,
-}
-
-# Create a host entry for this puppet node
-host { "puppet":
- ensure => present,
- ip => "192.168.0.2",
- host_aliases => [ "puppet.$domain", "admin" ],
-}
diff --git a/manifests/bootstrap/master.pp b/manifests/bootstrap/master.pp
deleted file mode 100644
index 5934d3e..0000000
--- a/manifests/bootstrap/master.pp
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# This manifest is intended to configure the initial
-# puppetmaster node.
-#
-# Once it's running it can setup all the other nodes.
-#
-
-# Include the master node configuration
-class { 'nodo':
- role => 'master',
-}
diff --git a/manifests/bootstrap/vagrant.pp b/manifests/bootstrap/vagrant.pp
deleted file mode 100644
index 47305dc..0000000
--- a/manifests/bootstrap/vagrant.pp
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# This manifest is intended to configure a vagrant
-# virtual machine.
-#
-
-#
-# Class definitions
-#
-
-# Vagrant classes
-class { 'nodo':
- role => 'vagrant',
-}
-
-#
-# LAMP example
-#
-#include database
-#
-#class { 'apache':
-# default_folder => '/vagrant',
-# default_user => 'vagrant',
-# default_group => 'vagrant',
-#}
-#
-# If you want to manage another website
-#apache::site { "myapp":
-# docroot => "/vagrant/",
-# server_alias => 'myapp vagrant localhost',
-# use => [ "Site myapp" ],
-# tag => 'all',
-# owner => vagrant,
-# group => vagrant,
-# mpm_user => vagrant,
-# mpm_group => vagrant,
-# password => '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD',
-# shell => '/bin/bash',
-#}
diff --git a/manifests/hiera b/manifests/hiera
deleted file mode 120000
index ba8aae1..0000000
--- a/manifests/hiera
+++ /dev/null
@@ -1 +0,0 @@
-../hiera
\ No newline at end of file
diff --git a/keys/public/.empty b/modules/.empty
index e69de29..e69de29 100644
--- a/keys/public/.empty
+++ b/modules/.empty
diff --git a/modules/bootstrap b/modules/bootstrap
deleted file mode 120000
index a96aa0e..0000000
--- a/modules/bootstrap
+++ /dev/null
@@ -1 +0,0 @@
-..
\ No newline at end of file
diff --git a/modules/site_apache/files/htdocs/images/.empty b/modules/site_apache/files/htdocs/images/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_apache/files/htdocs/images/.empty
+++ /dev/null
diff --git a/modules/site_apache/files/vhosts/.empty b/modules/site_apache/files/vhosts/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_apache/files/vhosts/.empty
+++ /dev/null
diff --git a/modules/site_apt/files/keys.d/.empty b/modules/site_apt/files/keys.d/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_apt/files/keys.d/.empty
+++ /dev/null
diff --git a/modules/site_bind/manifests/init.pp b/modules/site_bind/manifests/init.pp
deleted file mode 100644
index 7ee08d2..0000000
--- a/modules/site_bind/manifests/init.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-class site_bind {
- #
- # See http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
- # http://www.debian-administration.org/articles/355
-
- # This is needed so we can comment out the inclusion of
- # /etc/bind/named.conf.default-zones
- #file { '/etc/bind/named.conf':
- # ensure => present,
- # owner => root,
- # group => root,
- # mode => 0644,
- # source => 'puppet:///modules/site_bind/named.conf',
- # notify => Service['bind9'],
- #}
-}
diff --git a/modules/site_keys/files/ssl/.empty b/modules/site_keys/files/ssl/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_keys/files/ssl/.empty
+++ /dev/null
diff --git a/modules/site_mail/files/.empty b/modules/site_mail/files/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_mail/files/.empty
+++ /dev/null
diff --git a/modules/site_mail/files/aliases b/modules/site_mail/files/aliases
deleted file mode 100644
index 08a0723..0000000
--- a/modules/site_mail/files/aliases
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/aliases
-mailer-daemon: postmaster
-postmaster: root
-nobody: root
-hostmaster: root
-usenet: root
-news: root
-webmaster: root
-www: root
-ftp: root
-abuse: root
-noc: root
-security: root
-reprepro: root
diff --git a/modules/site_nagios/files/.empty b/modules/site_nagios/files/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_nagios/files/.empty
+++ /dev/null
diff --git a/modules/site_nginx/files/.empty b/modules/site_nginx/files/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_nginx/files/.empty
+++ /dev/null
diff --git a/modules/site_postfix/files/.empty b/modules/site_postfix/files/.empty
deleted file mode 100644
index e69de29..0000000
--- a/modules/site_postfix/files/.empty
+++ /dev/null
diff --git a/modules/site_users/manifests/admin.pp b/modules/site_users/manifests/admin.pp
deleted file mode 100644
index 14ad9da..0000000
--- a/modules/site_users/manifests/admin.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-class site_users::admin inherits user {
- # root user and password
- #user::manage { "root":
- # tag => "admin",
- # homedir => '/root',
- # password => '$5$zpdXgIaLKMDckKx9$qTS9WbmS/zylFwPu1orq.779CNnAiA9VoGdFNU94jz/',
- #}
-
- # first user config
- #user::manage { "user":
- # tag => "admin",
- # groups => [ "sudo", ],
- # password => '$5$D8kCEIo5/MNCA7Tz$VhGg2MNDs21JzX9HgxSWMupA5GD5MXnKwDuveMSdPH7',
- # sshkey => [ "WRONG" ],
- #}
-}
diff --git a/modules/site_users/manifests/backups.pp b/modules/site_users/manifests/backups.pp
deleted file mode 100644
index aab00f9..0000000
--- a/modules/site_users/manifests/backups.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-class site_users::backup inherits user {
- # define third-party hosted backup users here
-}
diff --git a/modules/site_users/manifests/init.pp b/modules/site_users/manifests/init.pp
deleted file mode 100644
index b3c656a..0000000
--- a/modules/site_users/manifests/init.pp
+++ /dev/null
@@ -1,2 +0,0 @@
-class site_users {
-}
diff --git a/modules/site_users/manifests/virtual.pp b/modules/site_users/manifests/virtual.pp
deleted file mode 100644
index 20aba01..0000000
--- a/modules/site_users/manifests/virtual.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-class site_users::virtual inherits user {
- # define custom users here
-}
diff --git a/modules/site_websites/manifests/admin.pp b/modules/site_websites/manifests/admin.pp
deleted file mode 100644
index 0be3a94..0000000
--- a/modules/site_websites/manifests/admin.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-class site_websites::admin inherits websites::hosting::admin {
- # An administrative Trac instance
- #apache::site { "admin":
- # docroot => "${apache::sites_folder}/admin/trac/htdocs",
- # use => [ "Trac admin" ],
- # redirect_match => "trac",
- # mpm => false,
- # tag => 'all',
- #}
-
- apache::site { "munin":
- docroot => '/var/www/munin',
- owner => "munin",
- group => "munin",
- mpm => false,
- tag => 'all',
- }
-
- apache::site { "nagios":
- source => true,
- docroot => '/usr/share/nagios3/htdocs',
- mpm => false,
- tag => 'all',
- }
-}
diff --git a/modules/site_websites/manifests/init.pp b/modules/site_websites/manifests/init.pp
deleted file mode 100644
index c98ca7d..0000000
--- a/modules/site_websites/manifests/init.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-class site_websites inherits websites::hosting {
- # Website definitions: always use tagged resources
- apache::site { "git":
- source => true,
- docroot => '/var/git/repositories',
- mpm => false,
- tag => 'all',
- }
-
- #apache::site { "site":
- # source => true,
- # ticket => '001',
- # docroot => '/var/www/site',
- # tag => 'all',
- #}
-
- #database::instance { "site":
- # password => 'xxx',
- # tag => 'all',
- #}
-}
diff --git a/puppet.conf b/puppet.conf
deleted file mode 100644
index ea5ed0e..0000000
--- a/puppet.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[main]
- thin_storeconfigs = true
- storeconfigs = true
- dbadapter = sqlite3
diff --git a/templates/apache/htdocs/images/README.html.erb b/templates/apache/htdocs/images/README.html.erb
deleted file mode 100644
index 4d0f929..0000000
--- a/templates/apache/htdocs/images/README.html.erb
+++ /dev/null
@@ -1,3 +0,0 @@
-<pre>
-When not explicitly mentioned, the use of these images is restricted to <%= base_domain %>
-</pre>
diff --git a/templates/apache/htdocs/index.html.erb b/templates/apache/htdocs/index.html.erb
deleted file mode 100644
index 6d2d7ea..0000000
--- a/templates/apache/htdocs/index.html.erb
+++ /dev/null
@@ -1,9 +0,0 @@
-<html><head>
-<meta http-equiv="refresh" content="1;url=http://<%= domain %>">
-<title><%= domain %></title></head><body>
-
-<center>
- <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p>
-</center>
-
-</body></html>
diff --git a/templates/apache/htdocs/missing.html.erb b/templates/apache/htdocs/missing.html.erb
deleted file mode 100644
index 0c95ef3..0000000
--- a/templates/apache/htdocs/missing.html.erb
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-<head>
-<title>404 - Not Found</title>
-</head>
-<body>
- <center>
- <pre>
- The address you are trying to reach could not be found. :(
- </pre>
- </center>
-</body>
-</html>
diff --git a/templates/apache/vhosts/cgit.erb b/templates/apache/vhosts/cgit.erb
deleted file mode 100644
index d2d393d..0000000
--- a/templates/apache/vhosts/cgit.erb
+++ /dev/null
@@ -1,30 +0,0 @@
-# begin vhost for cgit
-<VirtualHost *:80>
- ServerName git.<%= domain %>
- ServerAlias gitweb.<%= domain %>
-
- ServerSignature Off
-
- Alias /cgit.css /var/www/htdocs/cgit/cgit.css
- Alias /cgit.png /var/www/htdocs/cgit/cgit.png
-
- ScriptAlias /cgi-bin/ /var/www/htdocs/cgit/
-
- DocumentRoot /var/git/repositories
- <Directory /var/git/repositories>
- AllowOverride None
- Options +ExecCGI
- Order allow,deny
- Allow from all
-
- DirectoryIndex /cgi-bin/cgit.cgi
-
- RewriteEngine on
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteRule ^.*$ /cgi-bin/cgit.cgi/$0 [L,PT]
- </Directory>
-
- ErrorLog /var/log/apache2/cgit.openezx.org/error.log
- CustomLog /var/log/apache2/cgit.openezx.org/access.log common
-</VirtualHost>
-# end vhost for git
diff --git a/templates/apache/vhosts/git.erb b/templates/apache/vhosts/git.erb
deleted file mode 100644
index 89173ac..0000000
--- a/templates/apache/vhosts/git.erb
+++ /dev/null
@@ -1,21 +0,0 @@
-# begin vhost for git
-<VirtualHost *:80>
- # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian
-
- ServerName git.<%= domain %>
- ServerAlias gitweb.<%= domain %>
- SetEnv GITWEB_CONFIG /etc/gitweb.conf
- HeaderName HEADER
- DocumentRoot /var/git/repositories
- Alias /gitweb.css /usr/share/gitweb/gitweb.css
- Alias /git-favicon.png /usr/share/gitweb/git-favicon.png
- Alias /git-logo.png /usr/share/gitweb/git-logo.png
-
- ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi
- RewriteEngine on
-
- # Rewrite all other paths that aren't git repo internals to gitweb
- RewriteRule ^/$ /gitweb [PT]
- RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT]
-</VirtualHost>
-# end vhost for git
diff --git a/templates/apache/vhosts/lists.erb b/templates/apache/vhosts/lists.erb
deleted file mode 100644
index 158dfd4..0000000
--- a/templates/apache/vhosts/lists.erb
+++ /dev/null
@@ -1,22 +0,0 @@
-# begin vhost for lists.<%= domain %>
-<VirtualHost *:80>
- ServerName lists.<%= domain %>
- DocumentRoot /var/www/data/lists
-
- RedirectMatch ^/$ https://lists.<%= domain %>/wws
- Alias /static-sympa /var/lib/sympa/static_content
- Alias /wwsicons /usr/share/sympa/icons
- ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi
-
- <IfModule mod_fcgid.c>
- IPCCommTimeout 120
- MaxProcessCount 2
- </IfModule>
-
- SuexecUserGroup sympa sympa
-
- <Location /wws>
- SetHandler fcgid-script
- </Location>
-</VirtualHost>
-# end vhost for lists.<%= domain %>
diff --git a/templates/apache/vhosts/mail.erb b/templates/apache/vhosts/mail.erb
deleted file mode 100644
index 3badcf0..0000000
--- a/templates/apache/vhosts/mail.erb
+++ /dev/null
@@ -1,72 +0,0 @@
-# begin vhost for mail.<%= domain >
-<VirtualHost *:80>
- ServerName mail.<%= domain >
- #DocumentRoot /usr/share/squirrelmail
- DocumentRoot /var/lib/roundcube
-
- # begin squirrel config
- <Directory /usr/share/squirrelmail>
- Options Indexes FollowSymLinks
- <IfModule mod_php4.c>
- php_flag register_globals off
- </IfModule>
- <IfModule mod_php5.c>
- php_flag register_globals off
- </IfModule>
- <IfModule mod_dir.c>
- DirectoryIndex index.php
- </IfModule>
-
- # access to configtest is limited by default to prevent information leak
- <Files configtest.php>
- order deny,allow
- deny from all
- allow from 127.0.0.1
- </Files>
- </Directory>
- # end squirrel config
-
- # begin roundcube config
- # Access to tinymce files
- Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
- Alias /roundcube /var/lib/roundcube
-
- <Directory "/usr/share/tinymce/www/">
- Options Indexes MultiViews FollowSymLinks
- AllowOverride None
- Order allow,deny
- allow from all
- </Directory>
-
- <Directory /var/lib/roundcube/>
- Options +FollowSymLinks
- # This is needed to parse /var/lib/roundcube/.htaccess. See its
- # content before setting AllowOverride to None.
- AllowOverride All
- order allow,deny
- allow from all
- </Directory>
-
- # Protecting basic directories:
- <Directory /var/lib/roundcube/config>
- Options -FollowSymLinks
- AllowOverride None
- </Directory>
-
- <Directory /var/lib/roundcube/temp>
- Options -FollowSymLinks
- AllowOverride None
- Order allow,deny
- Deny from all
- </Directory>
-
- <Directory /var/lib/roundcube/logs>
- Options -FollowSymLinks
- AllowOverride None
- Order allow,deny
- Deny from all
- </Directory>
- # end roundcube config
-
-</VirtualHost>
-# end vhost for mail.<%= domain >
diff --git a/templates/apache/vhosts/nagios.erb b/templates/apache/vhosts/nagios.erb
deleted file mode 100644
index 8b3d252..0000000
--- a/templates/apache/vhosts/nagios.erb
+++ /dev/null
@@ -1,61 +0,0 @@
-# begin vhost for nagios
-<VirtualHost *:80>
- ServerName nagios.<%= domain >
- DocumentRoot /usr/share/nagios3/htdocs
-
- # apache configuration for nagios 3.x
- # note to users of nagios 1.x and 2.x:
- # throughout this file are commented out sections which preserve
- # backwards compatibility with bookmarks/config forî<80><80>older nagios versios.
- # simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
-
- ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
- ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
- # nagios 1.x:
- #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
- #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
- # nagios 2.x:
- #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
- #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
-
- # Where the stylesheets (config files) reside
- Alias /nagios3/stylesheets /etc/nagios3/stylesheets
- # nagios 1.x:
- #Alias /nagios/stylesheets /etc/nagios3/stylesheets
- # nagios 2.x:
- #Alias /nagios2/stylesheets /etc/nagios3/stylesheets
-
- # Where the HTML pages live
- Alias /nagios3 /usr/share/nagios3/htdocs
- # nagios 2.x:
- #Alias /nagios2 /usr/share/nagios3/htdocs
- # nagios 1.x:
- #Alias /nagios /usr/share/nagios3/htdocs
-
- <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
- Options FollowSymLinks
-
- DirectoryIndex index.html
-
- AllowOverride AuthConfig
- Order Allow,Deny
- Allow From All
-
- AuthName "Nagios Access"
- AuthType Basic
- AuthUserFile /etc/nagios3/htpasswd.users
- # nagios 1.x:
- #AuthUserFile /etc/nagios/htpasswd.users
- require valid-user
- </DirectoryMatch>
-
- # Enable this ScriptAlias if you want to enable the grouplist patch.
- # See http://apan.sourceforge.net/download.html for more info
- # It allows you to see a clickable list of all hostgroups in the
- # left pane of the Nagios web interface
- # XXX This is not tested for nagios 2.x use at your own peril
- #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
- # nagios 1.x:
- #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
-</VirtualHost>
-# end vhost for nagios
diff --git a/templates/apache/vhosts/wiki.erb b/templates/apache/vhosts/wiki.erb
deleted file mode 100644
index 56e395b..0000000
--- a/templates/apache/vhosts/wiki.erb
+++ /dev/null
@@ -1,17 +0,0 @@
-# begin vhost for wiki.<%= domain >
-<VirtualHost *:80>
- ServerName wiki.<%= domain >
- DocumentRoot /var/www/data/wiki
-
- # begin wiki config
- <Directory /var/www/data/wiki>
- Options Indexes Includes FollowSymLinks MultiViews
- AllowOverride All
- </Directory>
- # end wiki config
-
- <IfModule mpm_itk_module>
- AssignUserId wiki wiki
- </IfModule>
-</VirtualHost>
-# end vhost for wiki.<%= domain >
diff --git a/templates/etc/aliases.erb b/templates/etc/aliases.erb
deleted file mode 100644
index f520f68..0000000
--- a/templates/etc/aliases.erb
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/aliases
-mailer-daemon: postmaster
-postmaster: root
-nobody: root
-hostmaster: root
-usenet: root
-news: root
-webmaster: root
-www: root
-ftp: root
-abuse: root
-noc: root
-security: root
-reprepro: root
-root: <%= first_user_email %>
diff --git a/templates/etc/nagios3/htpasswd.users.erb b/templates/etc/nagios3/htpasswd.users.erb
deleted file mode 100644
index c21d493..0000000
--- a/templates/etc/nagios3/htpasswd.users.erb
+++ /dev/null
@@ -1 +0,0 @@
-nagiosadmin:0FCabjvUTHvxF
diff --git a/templates/etc/nginx/domain.erb b/templates/etc/nginx/domain.erb
deleted file mode 100644
index 8beff14..0000000
--- a/templates/etc/nginx/domain.erb
+++ /dev/null
@@ -1,173 +0,0 @@
-# <%= domain %> proxy config
-
-# Set the max size for file uploads
-client_max_body_size 100M;
-
-# SNI Configuration
-server {
- listen 443 default;
- server_name _;
- ssl on;
- ssl_certificate /etc/ssl/certs/blank.crt;
- ssl_certificate_key /etc/ssl/private/blank.pem;
- return 403;
-}
-
-server {
- # see config tips at
- # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
-
- # Don't log anything
- access_log /dev/null;
- error_log /dev/null;
-
- # simple reverse-proxy
- listen 80;
- server_name *.<%= domain %> <%= domain %>
-
- # enable HSTS header
- add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
-
- # https redirection by default
- rewrite ^(.*) https://$host$1 redirect;
-
- # rewrite rules for backups.<%= domain %>
- #if ($host ~* ^backups\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for admin.<%= domain %>
- #if ($host ~* ^admin\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for munin.<%= domain %>
- #if ($host ~* ^munin\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for trac.<%= domain %>
- #if ($host ~* ^trac\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for nagios.<%= domain %>
- #if ($host ~* ^nagios\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for htpasswd.<%= domain %>
- #if ($host ~* ^htpasswd\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for postfixadmin.<%= domain %>
- #if ($host ~* ^postfixadmin\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for mail.<%= domain %>
- #if ($host ~* ^mail\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # rewrite rules for lists.<%= domain %>
- #if ($host ~* ^lists\.<%= domain %>$) {
- # rewrite ^(.*) https://$host$1 redirect;
- # break;
- #}
-
- # pass requests for dynamic content
- location / {
- proxy_set_header Host $http_host;
- proxy_pass http://weblocal:80;
- }
-
-}
-
-server {
- # https reverse proxy
- listen 443;
- server_name *.<%= domain %> <%= domain %>;
-
- # Don't log anything
- access_log /dev/null;
- error_log /dev/null;
-
- ssl on;
- ssl_certificate /etc/ssl/certs/cert.crt;
- ssl_certificate_key /etc/ssl/private/cert.pem;
-
- ssl_session_timeout 5m;
-
- ssl_protocols SSLv3 TLSv1;
- ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
- ssl_prefer_server_ciphers on;
- ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;
-
- # Set the max size for file uploads
- client_max_body_size 100M;
-
- location / {
- # preserve http header and set forwarded proto
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-Proto https;
-
- proxy_read_timeout 120;
- proxy_connect_timeout 120;
-
- # rewrite rules for admin.<%= domain %>
- if ($host ~* ^admin\.<%= domain %>$) {
- proxy_pass http://admin:80;
- break;
- }
-
- # rewrite rules for munin.<%= domain %>
- if ($host ~* ^munin\.<%= domain %>$) {
- proxy_pass http://admin:80;
- break;
- }
-
- # rewrite rules for trac.<%= domain %>
- if ($host ~* ^trac\.<%= domain %>$) {
- proxy_pass http://admin:80;
- break;
- }
-
- # rewrite rules for nagios.<%= domain %>
- if ($host ~* ^nagios\.<%= domain %>$) {
- proxy_pass http://admin:80;
- break;
- }
-
- # rewrite rules for postfixadmin.<%= domain %>
- if ($host ~* ^postfixadmin\.<%= domain %>$) {
- proxy_pass http://mail:80;
- break;
- }
-
- # rewrite rules for mail.<%= domain %>
- if ($host ~* ^mail\.<%= domain %>$) {
- proxy_pass http://mail:80;
- break;
- }
-
- # rewrite rules for lists.<%= domain %>
- if ($host ~* ^lists\.<%= domain %>$) {
- proxy_pass http://mail:80;
- break;
- }
-
- # default proxy pass
- proxy_pass http://weblocal:80;
- }
-
-}
diff --git a/templates/postfix/tls_policy.erb b/templates/postfix/tls_policy.erb
deleted file mode 100644
index e69de29..0000000
--- a/templates/postfix/tls_policy.erb
+++ /dev/null
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
deleted file mode 100644
index 96f078c..0000000
--- a/templates/puppet/auth.conf.erb
+++ /dev/null
@@ -1,120 +0,0 @@
-# This is the default auth.conf file, which implements the default rules
-# used by the puppet master. (That is, the rules below will still apply
-# even if this file is deleted.)
-#
-# The ACLs are evaluated in top-down order. More specific stanzas should
-# be towards the top of the file and more general ones at the bottom;
-# otherwise, the general rules may "steal" requests that should be
-# governed by the specific rules.
-#
-# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
-# description of auth.conf's behavior.
-#
-# Supported syntax:
-# Each stanza in auth.conf starts with a path to match, followed
-# by optional modifiers, and finally, a series of allow or deny
-# directives.
-#
-# Example Stanza
-# ---------------------------------
-# path /path/to/resource # simple prefix match
-# # path ~ regex # alternately, regex match
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|backreference|*|regex]
-# deny [host|backreference|*|regex]
-# allow_ip [ip|cidr|ip_wildcard|*]
-# deny_ip [ip|cidr|ip_wildcard|*]
-#
-# The path match can either be a simple prefix match or a regular
-# expression. `path /file` would match both `/file_metadata` and
-# `/file_content`. Regex matches allow the use of backreferences
-# in the allow/deny directives.
-#
-# The regex syntax is the same as for Ruby regex, and captures backreferences
-# for use in the `allow` and `deny` lines of that stanza
-#
-# Examples:
-#
-# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
-# allow * # Allow all authenticated nodes (since auth
-# # defaults to `yes`).
-#
-# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
-# allow $1 # certname), but not any other node's catalog.
-#
-# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
-# auth yes # access the "extra_files"
-# allow /^(.+)\.example\.com$/ # mount point; note this must
-# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
-# # since it is more specific.
-#
-# environment:: restrict an ACL to a comma-separated list of environments
-# method:: restrict an ACL to a comma-separated list of HTTP methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-
-### Authenticated ACLs - these rules apply only when the client
-### has a valid certificate and is thus authenticated
-
-# allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
-method find
-allow $1
-
-# allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
-method find
-allow $1
-
-# allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
-method find
-allow *
-
-# allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
-method save
-allow $1
-
-# Allow all nodes to access all file services; this is necessary for
-# pluginsync, file serving from modules, and file serving from custom
-# mount points (see fileserver.conf). Note that the `/file` prefix matches
-# requests to both the file_metadata and file_content paths. See "Examples"
-# above if you need more granular access control for custom mount points.
-path /file
-allow *
-
-### Unauthenticated ACLs, for clients without valid certificates; authenticated
-### clients can also access these paths, though they rarely need to.
-
-# allow access to the CA certificate; unauthenticated nodes need this
-# in order to validate the puppet master's certificate
-path /certificate/ca
-auth any
-method find
-allow *
-
-# allow nodes to retrieve the certificate they requested earlier
-path /certificate/
-auth any
-method find
-allow *
-
-# allow nodes to request a new certificate
-path /certificate_request
-auth any
-method find, save
-allow *
-
-path /v2.0/environments
-method find
-allow *
-
-# deny everything else; this ACL is not strictly necessary, but
-# illustrates the default policy.
-path /
-auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
deleted file mode 100644
index e4d6e0a..0000000
--- a/templates/puppet/fileserver.conf.erb
+++ /dev/null
@@ -1,21 +0,0 @@
-# See http://docs.puppetlabs.com/guides/file_serving.html
-
-# Files
-[files]
- path /etc/puppet/files
- allow *.<%= base_domain %>
-
-# SSL keys
-[ssl]
- path /etc/puppet/keys/ssl
- deny *
-
-# SSH keys
-[ssh]
- path /etc/puppet/keys/ssh/%h
- allow *
-
-# Public keys
-[pubkeys]
- path /etc/puppet/keys/public
- allow *
diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb
deleted file mode 100644
index 5865723..0000000
--- a/templates/puppet/master.pp.erb
+++ /dev/null
@@ -1,10 +0,0 @@
-node '<%= hostname %>-master.<%= domain %>' {
- $main_master = true
- include nodo::master
-
- # encrypted data remote backup
- #backup::rdiff { "other-host":
- # port => "10102",
- #}
-
-}
diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb
deleted file mode 100644
index 4acddc6..0000000
--- a/templates/puppet/nodes.pp.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Node definitions.
-#
-
-<%- if first_nodes == 'present' then -%>
-import "nodes/<%= first_hostname %>.pp"
-import "nodes/<%= first_hostname %>-master.pp"
-import "nodes/<%= first_hostname %>-proxy.pp"
-import "nodes/<%= first_hostname %>-web.pp"
-import "nodes/<%= first_hostname %>-storage.pp"
-import "nodes/<%= first_hostname %>-test.pp"
-<%- else -%>
-#import "nodes/example.pp"
-<%- end -%>
diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb
deleted file mode 100644
index 908c2ec..0000000
--- a/templates/puppet/proxy.pp.erb
+++ /dev/null
@@ -1,53 +0,0 @@
-node '<%= hostname %>-proxy.<%= domain %>' {
- #$mail_delivery = 'tunnel'
- #$mail_hostname = 'mail'
- #$mail_ssh_port = '2202'
-
- include nodo::proxy
-
- # encrypted data remote backup
- #backup::rdiff { "other-host":
- # port => "10102",
- #}
-
- # reference to admin vserver
- host { "<%= hostname %>-master":
- ensure => present,
- ip => "192.168.0.2",
- host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
- notify => Service["nginx"],
- }
-
- # reference to proxy vserver
- #host { "<%= hostname %>-proxy":
- # ensure => present,
- # ip => "192.168.0.3",
- # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
- # notify => Service["nginx"],
- #}
-
- # reference to web vserver
- host { "<%= hostname %>-web":
- ensure => present,
- ip => "192.168.0.4",
- host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
- notify => Service["nginx"],
- }
-
- # reference to storage vserver
- host { "<%= hostname %>-storage":
- ensure => present,
- ip => "192.168.0.5",
- host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
- notify => Service["nginx"],
- }
-
- # reference to test vserver
- host { "<%= hostname %>-test":
- ensure => present,
- ip => "192.168.0.6",
- host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
- notify => Service["nginx"],
- }
-
-}
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
deleted file mode 100644
index e2751ca..0000000
--- a/templates/puppet/puppet.conf.erb
+++ /dev/null
@@ -1,30 +0,0 @@
-[main]
-logdir = /var/log/puppet
-vardir = /var/lib/puppetmaster
-ssldir = $vardir/ssl
-rundir = /var/run/puppet
-factpath = $vardir/lib/facter
-pluginsync = true
-
-[master]
-templatedir = $vardir/templates
-masterport = 8140
-autosign = false
-storeconfigs = true
-dbadapter = sqlite3
-#dbadapter = mysql
-#dbserver = localhost
-#dbuser = puppet
-#dbpassword = <%= db_password %>
-dbconnections = 15
-certname = puppet.<%= base_domain %>
-ssl_client_header = SSL_CLIENT_S_DN
-ssl_client_verify_header = SSL_CLIENT_VERIFY
-
-[agent]
-server = puppet.<%= base_domain %>
-vardir = /var/lib/puppet
-ssldir = $vardir/ssl
-runinterval = 7200
-puppetport = 8139
-configtimeout = 300
diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb
deleted file mode 100644
index fcd21e0..0000000
--- a/templates/puppet/server.pp.erb
+++ /dev/null
@@ -1,41 +0,0 @@
-node '<%= hostname %>.<%= domain %>' {
- #$mail_delivery = 'tunnel'
- #$mail_hostname = 'mail'
- #$mail_ssh_port = '2202'
- $shorewall_dmz = true
- $resolvconf_nameservers = $opendns_nameservers
- $has_ups = false
- include nodo::server
-
- #
- # Linux-VServers
- #
- #nodo::vserver::instance { "<%= hostname %>-master":
- # context => '2',
- # puppetmaster => true,
- #}
-
- #nodo::vserver::instance { "<%= hostname %>-proxy":
- # context => '3',
- # proxy => true,
- #}
-
- #nodo::vserver::instance { "<%= hostname %>-web":
- # context => '4',
- # gitd => true,
- #}
-
- #nodo::vserver::instance { "<%= hostname %>-storage":
- # context => '5',
- #}
-
- #nodo::vserver::instance { "<%= hostname %>-test":
- # context => '6',
- # memory_limit => 500,
- #}
-
- # encrypted data remote backup
- #backup::rdiff { "other-host":
- # port => "10105",
- #}
-}
diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb
deleted file mode 100644
index be93335..0000000
--- a/templates/puppet/storage.pp.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-node '<%= hostname %>-storage.<%= domain %>' {
- #$mail_delivery = 'tunnel'
- #$mail_hostname = 'mail'
- #$mail_ssh_port = '2202'
-
- include nodo::storage
-
- # encrypted data remote backup
- #backup::rdiff { "other-host":
- # port => "10102",
- #}
-
-}
diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb
deleted file mode 100644
index 816eca9..0000000
--- a/templates/puppet/test.pp.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-node '<%= hostname %>-test.<%= domain %>' {
- #$mail_delivery = 'tunnel'
- #$mail_hostname = 'mail'
- #$mail_ssh_port = '2202'
-
- include nodo::test
-
- # encrypted data remote backup
- #backup::rdiff { "other-host":
- # port => "10102",
- #}
-
-}
diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb
deleted file mode 100644
index 3b7c857..0000000
--- a/templates/puppet/users.pp.erb
+++ /dev/null
@@ -1,25 +0,0 @@
-class users::virtual inherits user {
- # define custom users here
-}
-
-class users::backup inherits user {
- # define third-party hosted backup users here
-}
-
-class users::admin inherits user {
- # root user and password
- user::manage { "root":
- tag => "admin",
- homedir => '/root',
- password => '<%= root_password %>',
- }
-
- # first user config
- user::manage { "<%= first_user %>":
- tag => "admin",
- groups => [ "sudo", ],
- password => '<%= first_user_password %>',
- sshkey => [ "<%= first_user_sshkey %>" ],
- }
-
-}
diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb
deleted file mode 100644
index afc328b..0000000
--- a/templates/puppet/web.pp.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-node '<%= hostname %>-web.<%= domain %>' {
- #$mail_delivery = 'tunnel'
- #$mail_hostname = 'mail'
- #$mail_ssh_port = '2202'
-
- include nodo::web
-
- # encrypted data remote backup
- #backup::rdiff { "other-host":
- # port => "10102",
- #}
-
-} |