diff options
39 files changed, 564 insertions, 292 deletions
diff --git a/puppet/.mrconfig b/puppet/.mrconfig index 8731bee..5c24dc7 100644 --- a/puppet/.mrconfig +++ b/puppet/.mrconfig @@ -1,258 +1,255 @@ [puppet/modules/apache] -checkout = git clone git://git.sarava.org/puppet-apache.git apache +checkout = git clone git://git.fluxo.info/puppet-apache.git apache [puppet/modules/apcupsd] -checkout = git clone git://git.sarava.org/puppet-apcupsd.git apcupsd +checkout = git clone git://git.fluxo.info/puppet-apcupsd.git apcupsd [puppet/modules/apparmor] -checkout = git clone git://git.sarava.org/puppet-apparmor.git apparmor +checkout = git clone git://git.fluxo.info/puppet-apparmor.git apparmor [puppet/modules/apt] -checkout = git clone git://git.sarava.org/puppet-apt.git apt +checkout = git clone git://git.fluxo.info/puppet-apt.git apt [puppet/modules/autofs] -checkout = git clone git://git.sarava.org/puppet-autofs.git autofs +checkout = git clone git://git.fluxo.info/puppet-autofs.git autofs [puppet/modules/autossh] -checkout = git clone git://git.sarava.org/puppet-autossh.git autossh +checkout = git clone git://git.fluxo.info/puppet-autossh.git autossh [puppet/modules/avahi] -checkout = git clone git://git.sarava.org/puppet-avahi.git avahi +checkout = git clone git://git.fluxo.info/puppet-avahi.git avahi [puppet/modules/backup] -checkout = git clone git://git.sarava.org/puppet-backup.git backup +checkout = git clone git://git.fluxo.info/puppet-backup.git backup [puppet/modules/backupninja] -checkout = git clone git://git.sarava.org/puppet-backupninja.git backupninja +checkout = git clone git://git.fluxo.info/puppet-backupninja.git backupninja [puppet/modules/bind] -checkout = git clone git://git.sarava.org/puppet-bind.git bind +checkout = git clone git://git.fluxo.info/puppet-bind.git bind [puppet/modules/bitcoind] -checkout = git clone git://git.sarava.org/puppet-bitcoind.git bitcoind - -[puppet/modules/bootstrap] -checkout = git clone git://git.sarava.org/puppet-bootstrap.git bootstrap +checkout = git clone git://git.fluxo.info/puppet-bitcoind.git bitcoind [puppet/modules/common] -checkout = git clone git://git.sarava.org/puppet-common.git common +checkout = git clone git://git.fluxo.info/puppet-common.git common [puppet/modules/concat] -checkout = git clone git://git.sarava.org/puppet-concat.git concat +checkout = git clone git://git.fluxo.info/puppet-concat.git concat [puppet/modules/cron] -checkout = git clone git://git.sarava.org/puppet-cron.git cron +checkout = git clone git://git.fluxo.info/puppet-cron.git cron [puppet/modules/daap_server] -checkout = git clone git://git.sarava.org/puppet-daap_server.git daap_server - -[puppet/modules/darkice] -checkout = git clone git://git.sarava.org/puppet-darkice.git darkice +checkout = git clone git://git.fluxo.info/puppet-daap_server.git daap_server [puppet/modules/database] -checkout = git clone git://git.sarava.org/puppet-database.git database +checkout = git clone git://git.fluxo.info/puppet-database.git database [puppet/modules/dhcp] -checkout = git clone git://git.sarava.org/puppet-dhcp.git dhcp +checkout = git clone git://git.fluxo.info/puppet-dhcp.git dhcp [puppet/modules/domain_check] -checkout = git clone git://git.sarava.org/puppet-domain_check.git domain_check +checkout = git clone git://git.fluxo.info/puppet-domain_check.git domain_check [puppet/modules/drupal] -checkout = git clone git://git.sarava.org/puppet-drupal.git drupal +checkout = git clone git://git.fluxo.info/puppet-drupal.git drupal [puppet/modules/dyndns] -checkout = git clone git://git.sarava.org/puppet-dyndns.git dyndns +checkout = git clone git://git.fluxo.info/puppet-dyndns.git dyndns [puppet/modules/ejabberd] -checkout = git clone git://git.sarava.org/puppet-ejabberd.git ejabberd +checkout = git clone git://git.fluxo.info/puppet-ejabberd.git ejabberd [puppet/modules/ekeyd] -checkout = git clone git://git.sarava.org/puppet-ekeyd.git ekeyd +checkout = git clone git://git.fluxo.info/puppet-ekeyd.git ekeyd [puppet/modules/etherpad] -checkout = git clone git://git.sarava.org/puppet-etherpad.git etherpad +checkout = git clone git://git.fluxo.info/puppet-etherpad.git etherpad [puppet/modules/exim] -checkout = git clone git://git.sarava.org/puppet-exim.git exim +checkout = git clone git://git.fluxo.info/puppet-exim.git exim [puppet/modules/firewall] -checkout = git clone git://git.sarava.org/puppet-firewall.git firewall +checkout = git clone git://git.fluxo.info/puppet-firewall.git firewall [puppet/modules/git] -checkout = git clone git://git.sarava.org/puppet-git.git git +checkout = git clone git://git.fluxo.info/puppet-git.git git [puppet/modules/hotglue] -checkout = git clone git://git.sarava.org/puppet-hotglue.git hotglue +checkout = git clone git://git.fluxo.info/puppet-hotglue.git hotglue [puppet/modules/hydra] -checkout = git clone git://git.sarava.org/puppet-hydra.git hydra +checkout = git clone git://git.fluxo.info/puppet-hydra.git hydra [puppet/modules/icecast] -checkout = git clone git://git.sarava.org/puppet-icecast.git icecast +checkout = git clone git://git.fluxo.info/puppet-icecast.git icecast [puppet/modules/ikiwiki] -checkout = git clone git://git.sarava.org/puppet-ikiwiki.git ikiwiki +checkout = git clone git://git.fluxo.info/puppet-ikiwiki.git ikiwiki [puppet/modules/inetd] -checkout = git clone git://git.sarava.org/puppet-inetd.git inetd +checkout = git clone git://git.fluxo.info/puppet-inetd.git inetd [puppet/modules/infinoted] -checkout = git clone git://git.sarava.org/puppet-infinoted.git infinoted +checkout = git clone git://git.fluxo.info/puppet-infinoted.git infinoted [puppet/modules/inifile] -checkout = git clone git://git.sarava.org/puppet-inifile.git inifile +checkout = git clone git://git.fluxo.info/puppet-inifile.git inifile [puppet/modules/lighttpd] -checkout = git clone git://git.sarava.org/puppet-lighttpd.git lighttpd +checkout = git clone git://git.fluxo.info/puppet-lighttpd.git lighttpd [puppet/modules/lsb] -checkout = git clone git://git.sarava.org/puppet-lsb.git lsb +checkout = git clone git://git.fluxo.info/puppet-lsb.git lsb [puppet/modules/mail] -checkout = git clone git://git.sarava.org/puppet-mail.git mail +checkout = git clone git://git.fluxo.info/puppet-mail.git mail [puppet/modules/minidlna] -checkout = git clone git://git.sarava.org/puppet-minidlna.git minidlna +checkout = git clone git://git.fluxo.info/puppet-minidlna.git minidlna [puppet/modules/moin] -checkout = git clone git://git.sarava.org/puppet-moin.git moin +checkout = git clone git://git.fluxo.info/puppet-moin.git moin [puppet/modules/monkeysphere] -checkout = git clone git://git.sarava.org/puppet-monkeysphere.git monkeysphere +checkout = git clone git://git.fluxo.info/puppet-monkeysphere.git monkeysphere [puppet/modules/motion] -checkout = git clone git://git.sarava.org/puppet-motion.git motion +checkout = git clone git://git.fluxo.info/puppet-motion.git motion [puppet/modules/mpd] -checkout = git clone git://git.sarava.org/puppet-mpd.git mpd +checkout = git clone git://git.fluxo.info/puppet-mpd.git mpd [puppet/modules/mumble] -checkout = git clone git://git.sarava.org/puppet-mumble.git mumble +checkout = git clone git://git.fluxo.info/puppet-mumble.git mumble [puppet/modules/munin] -checkout = git clone git://git.sarava.org/puppet-munin.git munin +checkout = git clone git://git.fluxo.info/puppet-munin.git munin [puppet/modules/mysql] -checkout = git clone git://git.sarava.org/puppet-mysql.git mysql +checkout = git clone git://git.fluxo.info/puppet-mysql.git mysql [puppet/modules/nagios] -checkout = git clone git://git.sarava.org/puppet-nagios.git nagios +checkout = git clone git://git.fluxo.info/puppet-nagios.git nagios [puppet/modules/nfs] -checkout = git clone git://git.sarava.org/puppet-nfs.git nfs +checkout = git clone git://git.fluxo.info/puppet-nfs.git nfs [puppet/modules/nginx] -checkout = git clone git://git.sarava.org/puppet-nginx.git nginx +checkout = git clone git://git.fluxo.info/puppet-nginx.git nginx [puppet/modules/nodo] -checkout = git clone git://git.sarava.org/puppet-nodo.git nodo +checkout = git clone git://git.fluxo.info/puppet-nodo.git nodo [puppet/modules/ntp] -checkout = git clone git://git.sarava.org/puppet-ntp.git ntp +checkout = git clone git://git.fluxo.info/puppet-ntp.git ntp [puppet/modules/onion] -checkout = git clone git://git.sarava.org/puppet-onion.git onion +checkout = git clone git://git.fluxo.info/puppet-onion.git onion [puppet/modules/pear] -checkout = git clone git://git.sarava.org/puppet-pear.git pear +checkout = git clone git://git.fluxo.info/puppet-pear.git pear [puppet/modules/php] -checkout = git clone git://git.sarava.org/puppet-php.git php +checkout = git clone git://git.fluxo.info/puppet-php.git php [puppet/modules/pmwiki] -checkout = git clone git://git.sarava.org/puppet-pmwiki.git pmwiki +checkout = git clone git://git.fluxo.info/puppet-pmwiki.git pmwiki [puppet/modules/postfix] -checkout = git clone git://git.sarava.org/puppet-postfix.git postfix +checkout = git clone git://git.fluxo.info/puppet-postfix.git postfix [puppet/modules/puppet] -checkout = git clone git://git.sarava.org/puppet-puppet.git puppet +checkout = git clone git://git.fluxo.info/puppet-puppet.git puppet [puppet/modules/pureftpd] -checkout = git clone git://git.sarava.org/puppet-pureftpd.git pureftpd +checkout = git clone git://git.fluxo.info/puppet-pureftpd.git pureftpd [puppet/modules/pyroscope] -checkout = git clone git://git.sarava.org/puppet-pyroscope.git pyroscope +checkout = git clone git://git.fluxo.info/puppet-pyroscope.git pyroscope [puppet/modules/qwebirc] -checkout = git clone git://git.sarava.org/puppet-qwebirc.git qwebirc +checkout = git clone git://git.fluxo.info/puppet-qwebirc.git qwebirc [puppet/modules/reprepro] -checkout = git clone git://git.sarava.org/puppet-reprepro.git reprepro +checkout = git clone git://git.fluxo.info/puppet-reprepro.git reprepro [puppet/modules/resolvconf] -checkout = git clone git://git.sarava.org/puppet-resolvconf.git resolvconf +checkout = git clone git://git.fluxo.info/puppet-resolvconf.git resolvconf [puppet/modules/rng-tools] -checkout = git clone git://git.sarava.org/puppet-rng-tools.git rng-tools +checkout = git clone git://git.fluxo.info/puppet-rng-tools.git rng-tools [puppet/modules/rsync] -checkout = git clone git://git.sarava.org/puppet-rsync.git rsync +checkout = git clone git://git.fluxo.info/puppet-rsync.git rsync [puppet/modules/runit] -checkout = git clone git://git.sarava.org/puppet-runit.git runit +checkout = git clone git://git.fluxo.info/puppet-runit.git runit [puppet/modules/samba] -checkout = git clone git://git.sarava.org/puppet-samba.git samba +checkout = git clone git://git.fluxo.info/puppet-samba.git samba [puppet/modules/schroot] -checkout = git clone git://git.sarava.org/puppet-schroot.git schroot +checkout = git clone git://git.fluxo.info/puppet-schroot.git schroot [puppet/modules/shorewall] -checkout = git clone git://git.sarava.org/puppet-shorewall.git shorewall +checkout = git clone git://git.fluxo.info/puppet-shorewall.git shorewall [puppet/modules/smartmonster] -checkout = git clone git://git.sarava.org/puppet-smartmonster.git smartmonster +checkout = git clone git://git.fluxo.info/puppet-smartmonster.git smartmonster [puppet/modules/smartmontools] -checkout = git clone git://git.sarava.org/puppet-smartmontools.git smartmontools +checkout = git clone git://git.fluxo.info/puppet-smartmontools.git smartmontools [puppet/modules/sshd] -checkout = git clone git://git.sarava.org/puppet-sshd.git sshd +checkout = git clone git://git.fluxo.info/puppet-sshd.git sshd [puppet/modules/ssl] -checkout = git clone git://git.sarava.org/puppet-ssl.git ssl +checkout = git clone git://git.fluxo.info/puppet-ssl.git ssl + +[puppet/modules/stdlib] +checkout = git clone git://git.fluxo.info/puppet-stdlib.git stdlib [puppet/modules/supervisor] -checkout = git clone git://git.sarava.org/puppet-supervisor.git supervisor +checkout = git clone git://git.fluxo.info/puppet-supervisor.git supervisor [puppet/modules/supybot] -checkout = git clone git://git.sarava.org/puppet-supybot.git supybot +checkout = git clone git://git.fluxo.info/puppet-supybot.git supybot [puppet/modules/syslog-ng] -checkout = git clone git://git.sarava.org/puppet-syslog-ng.git syslog-ng +checkout = git clone git://git.fluxo.info/puppet-syslog-ng.git syslog-ng [puppet/modules/tftp] -checkout = git clone git://git.sarava.org/puppet-tftp.git tftp +checkout = git clone git://git.fluxo.info/puppet-tftp.git tftp [puppet/modules/tor] -checkout = git clone git://git.sarava.org/puppet-tor.git tor +checkout = git clone git://git.fluxo.info/puppet-tor.git tor [puppet/modules/trac] -checkout = git clone git://git.sarava.org/puppet-trac.git trac +checkout = git clone git://git.fluxo.info/puppet-trac.git trac [puppet/modules/tunnel] -checkout = git clone git://git.sarava.org/puppet-tunnel.git tunnel +checkout = git clone git://git.fluxo.info/puppet-tunnel.git tunnel [puppet/modules/user] -checkout = git clone git://git.sarava.org/puppet-user.git user +checkout = git clone git://git.fluxo.info/puppet-user.git user [puppet/modules/vcsrepo] -checkout = git clone git://git.sarava.org/puppet-vcsrepo.git vcsrepo +checkout = git clone git://git.fluxo.info/puppet-vcsrepo.git vcsrepo [puppet/modules/viewvc] -checkout = git clone git://git.sarava.org/puppet-viewvc.git viewvc +checkout = git clone git://git.fluxo.info/puppet-viewvc.git viewvc [puppet/modules/virtual] -checkout = git clone git://git.sarava.org/puppet-virtual.git virtual +checkout = git clone git://git.fluxo.info/puppet-virtual.git virtual [puppet/modules/websites] -checkout = git clone git://git.sarava.org/puppet-websites.git websites +checkout = git clone git://git.fluxo.info/puppet-websites.git websites [puppet/modules/websvn] -checkout = git clone git://git.sarava.org/puppet-websvn.git websvn +checkout = git clone git://git.fluxo.info/puppet-websvn.git websvn [puppet/modules/wordpress] -checkout = git clone git://git.sarava.org/puppet-wordpress.git wordpress +checkout = git clone git://git.fluxo.info/puppet-wordpress.git wordpress diff --git a/puppet/Makefile b/puppet/Makefile index 2209271..97c4a58 100644 --- a/puppet/Makefile +++ b/puppet/Makefile @@ -7,7 +7,7 @@ # # This Makefile is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along with # this program; if not, write to the Free Software Foundation, Inc., 59 Temple @@ -15,7 +15,7 @@ # CWD = $(shell pwd) -REPO = git://git.sarava.org/puppet-bootstrap.git +REPO = git://git.fluxo.info/puppet-bootstrap.git PUPPET = FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --confdir="$(CWD)" --modulepath=modules all: deps remote modules config @@ -57,3 +57,11 @@ clean: rm -rf ssl rm -rf modules git checkout modules + +post_update: + git config receive.denyCurrentBranch ignore + cd .git/hooks && ln -sf ../../bin/post-update + +post_receive: + git config receive.denyCurrentBranch ignore + cd .git/hooks && ln -sf ../../bin/post-receive diff --git a/puppet/README.md b/puppet/README.md index 67dad5f..bb5375d 100644 --- a/puppet/README.md +++ b/puppet/README.md @@ -5,14 +5,14 @@ This is a multi-purpose but very specific puppet module which can be used: * As the base repository for a puppet infrastructure. * As a standalone provisioner for boxes, with Vagrant support. -* It can be optionally used together with the Hydra Suite from https://git.sarava.org/?p=hydra.git +* It can be optionally used together with the Hydra Suite from https://git.fluxo.info/hydra.git -Setting up a new puppetmaster repository ----------------------------------------- +Setting up a new puppet repository +---------------------------------- You'll basically use the `bootstrap` repository as your `puppet` repository: - git clone git://git.sarava.org/puppet-bootstrap.git puppet + git clone git://git.fluxo.info/puppet-bootstrap.git puppet cd puppet && git tag -v # check integrity make deps # install dependencies make submodules # add all needed puppet module as as git submodules @@ -24,7 +24,7 @@ Using as a standalone provisioner This will be a `Vagrant` example: cd your-project - git clone git://git.sarava.org/puppet-bootstrap.git puppet # use submodule or subtree as you please + git clone git://git.fluxo.info/puppet-bootstrap.git puppet # use submodule or subtree as you please ln -s puppet/Vagrantfile # or copy if you want to customize ( cd puppet && make modules ) # need the mr binary to download the submodules vagrant up web # with no arguments, all defined VMs are started diff --git a/puppet/TODO.md b/puppet/TODO.md index c773654..429bd4d 100644 --- a/puppet/TODO.md +++ b/puppet/TODO.md @@ -1,7 +1,141 @@ TODO ==== -* Minimal manifest for fast provisioning. -* Update to new nodo style (hiera and nodo::role). -* Support for recursive clones in `bin/mrconfig`. -* Test! +High priority +------------- + +- puppet: masterless: + - keyringer/gpg integration. + - https://github.com/compete/hiera_yamlgpg + - https://github.com/crayfishx/hiera-gpg + - https://github.com/sihil/hiera-eyaml-gpg + - https://github.com/StackExchange/blackbox + - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet + - https://docs.puppetlabs.com/hiera/1/custom_backends.html + - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml + - https://packages.debian.org/jessie/hiera-eyaml + - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?): + - add a monkeysphere auth subkey to every openpgp key used for backups. + - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/ + - http://current.workingdirectory.net/posts/2011/puppet-without-masters/ + - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/ + - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html + - https://github.com/jordansissel/puppet-examples/tree/master/masterless +- sshd: + - https://stribika.github.io/2015/01/04/secure-secure-shell.html + - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60 + - enable ecdsa key. + - ecdsa priority: alternatives: + - unsupport ecdsa in the server. + - export ecdsa pubkeys. + - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`. + - force option via rsync/rdiff handlers. +- virtual: migrate to kvm/libvirt. +- loginrecords: deploy module. +- deploy https://github.com/wido/puppet-module-tcpwrappers +- nodo: + - run stages. + - allow more resources to be declared via hiera. + - fix hiera default boolean value when true. + - easy way to toggle management of subsystems. + +Medium priority +--------------- + +- apt: raspbian support, including unnatended-upgrades. +- backup: + - support for $dombr and $dobios on backupninja::sys for servers and physical machines. + - sync-backups support for rsyncing from kvms / snapshots. +- nodo: + - cleanup and refactor. + - uniform variable names. + - use prompt.sh from bash-prompt as a submodule. +- common: autoload. +- general: + - rollback of commits about charset. + - switch to conf.d: + - php ("refactor" branch), remove E_STRICT from production's error_reporting. + - apache2. + - sudoers. +- backup: `sync-media-iterate [volume]`. +- mail: + - use ssl::dhparams, move to 2048 bit and use the standard file names and paths: + - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012) + +Low priority +------------ + +- merge, review, pull requests for all modules. +- bind: nsupdate / dynamic dns: + - http://linux.yyz.us/nsupdate/ + - http://linux.yyz.us/dns/ddns-server.html + - http://caunter.ca/nsupdate.txt + - http://www.rtfm-sarl.ch/articles/using-nsupdate.html + - https://github.com/skx/dhcp.io/ +- munin: lvm monitoring. +- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed: + - http://wiki.rtorrent.org/MagnetUri + - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/ + - https://github.com/danfolkes/Magnet2Torrent + - http://code.google.com/p/pyroscope/wiki/CommandLineTools + - https://trac.transmissionbt.com/ticket/4176 + - http://wiki.rtorrent.org/MagnetUri + - https://github.com/rakshasa/rtorrent/issues/212 + - saving/restoring `.meta` and `~/rtorrent/.session` files. +- support for http/https proxy inside web nodes: + - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html + - make all apache sites listen to 8080. +- git: + - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html). + - gitweb clean urls. + - email notifications. + - https://packages.debian.org/jessie/git-notifier + - https://github.com/mhagger/git-multimail + - using OpenPGP? +- syslog-ng: use conf.d. +- etherpad: `You need to set a sessionKey value in settings.json`. +- knock integration via https://github.com/juasiepo/knockd +- apache: + - try libapache2-modsecurity. + - deploy https://git.immerda.ch/csp-report/ + - disable other_vhosts_access.log. +- onion: + - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot + - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html +- nagios: snmp, nrpe, nsca + - http://nagios.sourceforge.net/docs/3_0/addons.html + - http://www.math.wisc.edu/~jheim/snmp/ +- ssh access restrictions: + - denyhosts, but we don't want to log IPs. + - using shorewall: http://www.debian-administration.org/articles/250#comment_16 + - alowed users / groups. +- websites: freewvs. +- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963 +- mail: + - review dovecot recipient delimiter handling: to which mailbox messages should be sent? + - mlmmj: + - lists with hyphens are not working when mails are sent directly, but work when sent to an alias. + - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`. +- drupal/wordpress: + - cronjob/cli: switch to site user. + - drupal_update: Do you really want to continue with the update process? (y/n): + Do you really want to continue with the update process? (y/n): Aborting. [cancel], + possibly related to https://www.drupal.org/node/443392 +- php / wordpress / wp-cli: composer installation and dependencies: + - http://getcomposer.org/doc/00-intro.md#installation-nix + - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods + - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`. +- nodo: support for prosody: + - https://github.com/dgoulet/prosody-otr + - http://prosody.im/doc/creating_accounts#importing_from_ejabberd + - config with good score at https://xmpp.net/index.php +- mail: + - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). + - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails. + sent as `root@localhost`. + - deploy https://git.autistici.org/ale/smtp-fp/tree/master + https://github.com/EFForg/starttls-everywhere + - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP + https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616 + - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). diff --git a/puppet/Vagrantfile b/puppet/Vagrantfile index 8999cf0..3ee05e6 100644 --- a/puppet/Vagrantfile +++ b/puppet/Vagrantfile @@ -1,9 +1,12 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : +# Vagrantfile API/syntax version. Don't touch unless you know what you're doing! +VAGRANTFILE_API_VERSION = "2" -Vagrant::Config.run do |config| +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # Every Vagrant virtual environment requires a box to build off of. - config.vm.box = "wheezy" + config.vm.box = "jessie" + + # Hostname + config.vm.hostname = "puppet-bootstrap.example.org" # Shell provisioner to setup basic environment. config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision" @@ -13,49 +16,14 @@ Vagrant::Config.run do |config| puppet.manifest_file = "bootstrap/vagrant.pp" puppet.manifests_path = "puppet/manifests" puppet.module_path = "puppet/modules" + puppet.hiera_config_path = "puppet/hiera.yaml" puppet.temp_dir = "/etc/puppet" puppet.working_directory = "/etc/puppet" end - # Define a Host VM - config.vm.define :host do |host_config| - db_config.vm.box = "host" - web_config.vm.network :hostonly, "192.168.50.101" - end - - # Define a Puppetmaster VM - config.vm.define :master do |master_config| - master_config.vm.box = "master" - master_config.vm.forward_port 8139, 8140 - web_config.vm.network :hostonly, "192.168.50.102" - end - - # Define a Proxy VM - config.vm.define :proxy do |proxy_config| - proxy_config.vm.box = "proxy" - proxy_config.vm.forward_port 8139, 8140 - web_config.vm.network :hostonly, "192.168.50.103" - end - - # Define a Web VM - config.vm.define :web do |web_config| - web_config.vm.box = "web" - web_config.vm.forward_port 80, 8080 - web_config.vm.network :hostonly, "192.168.50.104" - end - - # Define a Storage VM - config.vm.define :storage do |storage_config| - storage_config.vm.box = "storage" - storage_config.vm.network :hostonly, "192.168.50.105" - end - - # Define a Test VM - config.vm.define :test do |test_config| - test_config.vm.box = "test" - test_config.vm.network :hostonly, "192.168.50.106" - end - # Share hiera configuration. - config.vm.share_folder "hiera", "/etc/puppet/hiera", "puppet/hiera", create: true + config.vm.synced_folder "puppet/hiera", "/etc/puppet/hiera" + + # Forwarded ports + #config.vm.network "forwarded_port", guest: 80, host: 8081 end diff --git a/puppet/bin/dependencies b/puppet/bin/dependencies index 78ca659..507145b 100755 --- a/puppet/bin/dependencies +++ b/puppet/bin/dependencies @@ -1,6 +1,6 @@ #!/bin/bash # -# Simple shell provisioner for Vagrant instances. +# Puppet bootstrap dependencies. # # Install a package, thanks to the Hydra Suite. @@ -13,16 +13,16 @@ function provision_package { if [ "$?" == "1" ]; then echo "Installing package $1..." - DEBIAN_FRONTEND=noninteractive $sudo apt-get install $1 -y + DEBIAN_FRONTEND=noninteractive $SUDO apt-get install $1 -y fi } # Set sudo config if [ "`whoami`" != 'root' ]; then - sudo="sudo" + SUDO="sudo" fi # Ensure basic packages are installed. -for package in puppet ruby-hiera-puppet mr whois; do +for package in puppet git mr whois; do provision_package $package done diff --git a/puppet/bin/deploy b/puppet/bin/deploy new file mode 100755 index 0000000..5d3361b --- /dev/null +++ b/puppet/bin/deploy @@ -0,0 +1,58 @@ +#!/bin/bash +# +# Deploy configuration using puppet. +# + +# Parameters +DIRNAME="`dirname $0`" +BASEDIR="$DIRNAME/.." +DEPLOY_DEPENDENCIES="puppet ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders" + +# Determine hostname +if [ ! -z "$1" ]; then + FQDN="$1" +else + FQDN="`cat /etc/hostname`" +fi + +# Check for manifest +PUPPET_MANIFEST="$BASEDIR/puppet/manifests/nodes/$FQDN.pp" +if [ ! -e "$PUPPET_MANIFEST" ]; then + echo "file not found: $PUPPET_MANIFEST" + exit 1 +fi + +# Install dependencies +source $DIRNAME/dependencies + +# Ensure additional dependencies are installed. +for package in $DEPLOY_DEPENDENCIES; do + provision_package $package +done + +# Parameters that needs dependencies installed +DIST="`facter lsbdistcodename`" + +# Apply patches +if [ -d "$BASEDIR/puppet/files/patches/$DIST" ]; then + ( + # Patches should be generated relativelly to the root folder + cd / + + # Only apply if needed + # Thanks https://unix.stackexchange.com/questions/55780/check-if-a-file-or-folder-has-been-patched-already + for patch in `ls $BASEDIR/puppet/files/patches/$DIST`; do + patch -p0 -N --dry-run --silent < $BASEDIR/puppet/files/patches/$DIST/$patch &> /dev/null + # If the patch has not been applied then the $? which is the exit status + # for last command would have a success status code = 0 + if [ "$?" == "0" ]; then + # Apply the patch + patch -p0 -N < $BASEDIR/puppet/files/patches/$DIST/$patch + fi + done + ) +fi + +# Run puppet apply +PUPPET_OPTS="--confdir=$BASEDIR/puppet --modulepath=$BASEDIR/puppet/modules" +LC_ALL=C $SUDO puppet apply $PUPPET_OPTS $PUPPET_MANIFEST diff --git a/puppet/bin/mrconfig b/puppet/bin/mrconfig index f525db3..dc753ac 100755 --- a/puppet/bin/mrconfig +++ b/puppet/bin/mrconfig @@ -1,10 +1,10 @@ #!/bin/bash # # Build a mrconfig for the needed modules. -# +# # Parameters -GIT="git.sarava.org" +GIT="git.fluxo.info" URL="https://$GIT/?a=project_index" CWD="`pwd`" WORK="`dirname $0`/.." @@ -18,8 +18,8 @@ touch .mrconfig curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do folder="`echo $module | sed -e 's/^puppet-//'`" folder="`basename $folder .git`" - - if [ "$module" != "$bootstrap" ]; then + + if [ "$folder" != "bootstrap" ]; then echo "Processing $folder..." mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder" fi diff --git a/puppet/bin/post-receive b/puppet/bin/post-receive new file mode 100755 index 0000000..996189d --- /dev/null +++ b/puppet/bin/post-receive @@ -0,0 +1,7 @@ +#!/bin/sh + +cd .. +unset GIT_DIR + +git checkout -f +git submodule update --init --recursive diff --git a/puppet/bin/post-update b/puppet/bin/post-update new file mode 100755 index 0000000..48a6a16 --- /dev/null +++ b/puppet/bin/post-update @@ -0,0 +1,16 @@ +#!/bin/sh + +cd .. +unset GIT_DIR + +if [ -d ".git/annex" ]; then + git annex sync +else + git reset HEAD + git checkout -f +fi + +git submodule update --init --recursive + +cd - +exec git update-server-info diff --git a/puppet/bin/provision b/puppet/bin/provision index e200e51..16f102f 100755 --- a/puppet/bin/provision +++ b/puppet/bin/provision @@ -3,25 +3,33 @@ # Simple shell provisioner for Vagrant instances. # -# Ensure the system is updated. -sudo apt-get update && DEBIAN_FRONTEND=noninteractive sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y && sudo apt-get clean +# Parameters +DIRNAME="`dirname $0`" + +# Load dependencies +source $DIRNAME/dependencies -# Install dependencies -source /vagrant/puppet/bin/dependencies +# Ensure the system is updated. +$SUDO apt-get update && DEBIAN_FRONTEND=noninteractive $SUDO apt-get dist-upgrade -y && $SUDO apt-get autoremove -y && $SUDO apt-get clean # Ensure additional dependencies are installed. -for package in sqlite3 libsqlite3-ruby libactiverecord-ruby ruby-sqlite3 usbutils; do +for package in usbutils; do + provision_package $package +done + +# Storeconfigs support +for package in ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders; do provision_package $package done -# Link hiera configuration. +# Link hiera configuration if needed. if [ ! -h "/etc/puppet/hiera.yaml" ]; then - sudo rm -f /etc/puppet/hiera.yaml - sudo ln -s /vagrant/puppet/hiera/hiera.yaml /etc/puppet/hiera.yaml + $SUDO rm -f /etc/puppet/hiera.yaml + $SUDO ln -s $DIRNAME/../hiera/hiera.yaml /etc/puppet/hiera.yaml fi -# Link puppet configuration. +# Link puppet configuration if needed. if [ ! -h "/etc/puppet/puppet.conf" ]; then - sudo rm -f /etc/puppet/puppet.conf - sudo ln -s /vagrant/puppet/puppet.conf /etc/puppet/puppet.conf + $SUDO rm -f /etc/puppet/puppet.conf + $SUDO ln -s $DIRNAME/../puppet.conf /etc/puppet/puppet.conf fi diff --git a/puppet/bin/submodules b/puppet/bin/submodules index f79b635..3abc46d 100755 --- a/puppet/bin/submodules +++ b/puppet/bin/submodules @@ -20,7 +20,7 @@ for repo in $repos; do module="`basename $repo .git | sed -e s/^puppet-//`" if [ ! -d "modules/$module" ]; then echo "Processing puppet module $module..." - git submodule add $repo modules/$module + git submodule add -f $repo modules/$module elif [ -e "modules/$module/.git" ]; then # The puppet module exists and is a git submodule, so update it ( cd module/$module && git pull origin master ) diff --git a/puppet/files/patches/trusty/puppet-stack-level.md b/puppet/files/patches/trusty/puppet-stack-level.md new file mode 100644 index 0000000..9a3f4d7 --- /dev/null +++ b/puppet/files/patches/trusty/puppet-stack-level.md @@ -0,0 +1,3 @@ +# Puppet stack level patch + +* [Puppet master fails with 'stack level too deep' error when storeconfigs = true](https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1313595). diff --git a/puppet/files/patches/trusty/puppet-stack-level.patch b/puppet/files/patches/trusty/puppet-stack-level.patch new file mode 100644 index 0000000..1d112f7 --- /dev/null +++ b/puppet/files/patches/trusty/puppet-stack-level.patch @@ -0,0 +1,15 @@ +--- /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb.orig 2015-10-19 17:19:13.500193213 -0200 ++++ /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb 2015-10-19 17:19:58.972194943 -0200 +@@ -84,7 +84,11 @@ + end + + def [](param) +- super || parameter(param) ++ if param == 'id' ++ super ++ else ++ super || parameter(param) ++ end + end + + # Make sure this resource is equivalent to the provided Parser resource. diff --git a/puppet/hiera/common.yaml b/puppet/hiera/common.yaml index d7e35a1..8a04a26 100644 --- a/puppet/hiera/common.yaml +++ b/puppet/hiera/common.yaml @@ -48,3 +48,8 @@ ntp::servers: nodo::subsystem::resolver::nameservers: - '208.67.222.222' - '208.67.220.220' + +# +# Puppet config +# +nodo::base::puppet_mode: 'apply' diff --git a/puppet/hiera/hiera.yaml b/puppet/hiera/hiera.yaml index 33acc9e..a8ae792 100644 --- a/puppet/hiera/hiera.yaml +++ b/puppet/hiera/hiera.yaml @@ -8,14 +8,26 @@ # reconsidered in the future. # # See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html - :datadir: hiera + :datadir: '%{settings::confdir}/hiera' :hierarchy: - - '%{::environment}/domain/%{::domain}/node/%{::clientcert}' - - '%{::environment}/domain/%{::domain}/role/%{::role}' - - '%{::environment}/domain/%{::domain}/location/%{::location}' - - '%{::environment}/domain/%{::domain}/%{::domain}' - - '%{::environment}/location/%{::location}' - - '%{::environment}/virtual/%{::virtual}' - - '%{::environment}/role/%{::role}' + # + # Put in the secrets folder all sensitive information that + # wont be spread into every system if you're using the Hydra Suite. + # + # We also recommend to leave only encrypted data in your hiera config. + # + - 'secrets/node/%{::clientcert}' + - 'secrets/role/%{::nodo::role}' + - 'secrets/location/%{::nodo::location}' + - 'secrets/domain/%{::domain}' + + # + # All other stuff goes in regular YAML files. + # + - 'node/%{::clientcert}' + - 'role/%{::nodo::role}' + - 'virtual/%{::virtual}' + - 'location/%{::nodo::location}' + - 'domain/%{::domain}' - bootstrap - common diff --git a/puppet/hiera/node/puppet-bootstrap.example.org.yaml b/puppet/hiera/node/puppet-bootstrap.example.org.yaml new file mode 100644 index 0000000..c108e7d --- /dev/null +++ b/puppet/hiera/node/puppet-bootstrap.example.org.yaml @@ -0,0 +1,14 @@ +--- +# +# MySQL +# +# The following password is public information and therefore +# shall not be user on production. +mysql::server::rootpw: '9pRfteNbSFFyrHhackme' + +# +# Backup +# +nodo::subsystem::backup::localhost: false +nodo::subsystem::backup::encryptkey: 'none' +nodo::subsystem::backup::password: 'hacked' diff --git a/puppet/manifests/bootstrap/configurator.pp b/puppet/manifests/bootstrap/configurator.pp index d93a0ce..edcbe92 100644 --- a/puppet/manifests/bootstrap/configurator.pp +++ b/puppet/manifests/bootstrap/configurator.pp @@ -74,7 +74,7 @@ file { "$bootstrap_path/auth.conf": # # Basic users # -file { "$bootstrap_path/manifests/classes/users.pp": +file { "$bootstrap_path/modules/site_users/manifests/init.pp": ensure => present, mode => 0644, content => template("$templates/puppet/users.pp.erb"), diff --git a/puppet/manifests/bootstrap/host.pp b/puppet/manifests/bootstrap/host.pp index c1aead8..5f9c23a 100644 --- a/puppet/manifests/bootstrap/host.pp +++ b/puppet/manifests/bootstrap/host.pp @@ -4,11 +4,10 @@ # virtual machine. # -# Import site configuration -import "../site.pp" - # The server role -include nodo::role::server +class { 'nodo: + role => 'server', +} # Creates vserver for administrative node nodo::vserver::instance { "$hostname-master": diff --git a/puppet/manifests/bootstrap/master.pp b/puppet/manifests/bootstrap/master.pp index 51167f3..5934d3e 100644 --- a/puppet/manifests/bootstrap/master.pp +++ b/puppet/manifests/bootstrap/master.pp @@ -5,8 +5,7 @@ # Once it's running it can setup all the other nodes. # -# Import site configuration -import "../site.pp" - # Include the master node configuration -include nodo::role::master +class { 'nodo': + role => 'master', +} diff --git a/puppet/manifests/bootstrap/vagrant.pp b/puppet/manifests/bootstrap/vagrant.pp index 9206db6..47305dc 100644 --- a/puppet/manifests/bootstrap/vagrant.pp +++ b/puppet/manifests/bootstrap/vagrant.pp @@ -3,47 +3,36 @@ # virtual machine. # -# Import site configuration -import "../site.pp" - -# -# Stage definitions -# - -stage { 'first': - before => Stage['main'], -} - -stage { 'last': } -Stage['main'] -> Stage['last'] - # # Class definitions # # Vagrant classes -include nodo::role::vagrant - -class vagrant_config { - # Symlink to the mounted module folder - file { '/etc/puppet/modules': - ensure => '/etc/puppet/modules-0', - force => true, - } - - # Ensure a custom hiera configuration - file { '/etc/puppet/hiera.yaml': - owner => root, - group => root, - mode => 0644, - force => true, - ensure => '/etc/puppet/hiera/hiera.yaml', - } +class { 'nodo': + role => 'vagrant', } # -# Class instantiations -# -class { 'vagrant_config': - stage => first, -} +# LAMP example +# +#include database +# +#class { 'apache': +# default_folder => '/vagrant', +# default_user => 'vagrant', +# default_group => 'vagrant', +#} +# +# If you want to manage another website +#apache::site { "myapp": +# docroot => "/vagrant/", +# server_alias => 'myapp vagrant localhost', +# use => [ "Site myapp" ], +# tag => 'all', +# owner => vagrant, +# group => vagrant, +# mpm_user => vagrant, +# mpm_group => vagrant, +# password => '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD', +# shell => '/bin/bash', +#} diff --git a/puppet/manifests/modules.pp b/puppet/manifests/modules.pp deleted file mode 100644 index 3df3fe3..0000000 --- a/puppet/manifests/modules.pp +++ /dev/null @@ -1,6 +0,0 @@ -# -# Module definitions. -# - -# Nodo automatically import all modules we need. -import "nodo" diff --git a/puppet/manifests/nodes.pp b/puppet/manifests/nodes.pp deleted file mode 100644 index b90f04e..0000000 --- a/puppet/manifests/nodes.pp +++ /dev/null @@ -1,5 +0,0 @@ -# -# Node definitions. -# - -#import "nodes/example.pp" diff --git a/puppet/manifests/nodes/default.pp b/puppet/manifests/nodes/default.pp new file mode 100644 index 0000000..5ebbf90 --- /dev/null +++ b/puppet/manifests/nodes/default.pp @@ -0,0 +1,3 @@ +node default { + include nodo +} diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp deleted file mode 100644 index 6f3e5aa..0000000 --- a/puppet/manifests/site.pp +++ /dev/null @@ -1,8 +0,0 @@ -# -# Puppet site configuration. -# - -import "classes/users.pp" -import "classes/websites.pp" -import "modules.pp" -import "nodes.pp" diff --git a/puppet/modules/site_apt/files/keys.d/.empty b/puppet/modules/site_apt/files/keys.d/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_apt/files/keys.d/.empty diff --git a/puppet/modules/site_bind/manifests/init.pp b/puppet/modules/site_bind/manifests/init.pp new file mode 100644 index 0000000..7ee08d2 --- /dev/null +++ b/puppet/modules/site_bind/manifests/init.pp @@ -0,0 +1,16 @@ +class site_bind { + # + # See http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html + # http://www.debian-administration.org/articles/355 + + # This is needed so we can comment out the inclusion of + # /etc/bind/named.conf.default-zones + #file { '/etc/bind/named.conf': + # ensure => present, + # owner => root, + # group => root, + # mode => 0644, + # source => 'puppet:///modules/site_bind/named.conf', + # notify => Service['bind9'], + #} +} diff --git a/puppet/modules/site_mail/files/aliases b/puppet/modules/site_mail/files/aliases new file mode 100644 index 0000000..08a0723 --- /dev/null +++ b/puppet/modules/site_mail/files/aliases @@ -0,0 +1,14 @@ +# /etc/aliases +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root +usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root +reprepro: root diff --git a/puppet/modules/site_users/manifests/admin.pp b/puppet/modules/site_users/manifests/admin.pp new file mode 100644 index 0000000..14ad9da --- /dev/null +++ b/puppet/modules/site_users/manifests/admin.pp @@ -0,0 +1,16 @@ +class site_users::admin inherits user { + # root user and password + #user::manage { "root": + # tag => "admin", + # homedir => '/root', + # password => '$5$zpdXgIaLKMDckKx9$qTS9WbmS/zylFwPu1orq.779CNnAiA9VoGdFNU94jz/', + #} + + # first user config + #user::manage { "user": + # tag => "admin", + # groups => [ "sudo", ], + # password => '$5$D8kCEIo5/MNCA7Tz$VhGg2MNDs21JzX9HgxSWMupA5GD5MXnKwDuveMSdPH7', + # sshkey => [ "WRONG" ], + #} +} diff --git a/puppet/modules/site_users/manifests/backups.pp b/puppet/modules/site_users/manifests/backups.pp new file mode 100644 index 0000000..aab00f9 --- /dev/null +++ b/puppet/modules/site_users/manifests/backups.pp @@ -0,0 +1,3 @@ +class site_users::backup inherits user { + # define third-party hosted backup users here +} diff --git a/puppet/modules/site_users/manifests/init.pp b/puppet/modules/site_users/manifests/init.pp new file mode 100644 index 0000000..b3c656a --- /dev/null +++ b/puppet/modules/site_users/manifests/init.pp @@ -0,0 +1,2 @@ +class site_users { +} diff --git a/puppet/modules/site_users/manifests/virtual.pp b/puppet/modules/site_users/manifests/virtual.pp new file mode 100644 index 0000000..20aba01 --- /dev/null +++ b/puppet/modules/site_users/manifests/virtual.pp @@ -0,0 +1,3 @@ +class site_users::virtual inherits user { + # define custom users here +} diff --git a/puppet/manifests/classes/websites.pp b/puppet/modules/site_websites/manifests/admin.pp index 35f27c6..0be3a94 100644 --- a/puppet/manifests/classes/websites.pp +++ b/puppet/modules/site_websites/manifests/admin.pp @@ -1,4 +1,4 @@ -class websites::admin inherits websites::hosting::admin { +class site_websites::admin inherits websites::hosting::admin { # An administrative Trac instance #apache::site { "admin": # docroot => "${apache::sites_folder}/admin/trac/htdocs", @@ -23,20 +23,3 @@ class websites::admin inherits websites::hosting::admin { tag => 'all', } } - -class websites inherits websites::hosting { - # Website definitions: always use tagged resources - - #apache::site { "site": - # source => true, - # ticket => '001', - # docroot => '/var/www/site', - # tag => 'all', - #} - - #database::instance { "site": - # password => 'xxx', - # tag => 'all', - #} - -} diff --git a/puppet/modules/site_websites/manifests/init.pp b/puppet/modules/site_websites/manifests/init.pp new file mode 100644 index 0000000..c98ca7d --- /dev/null +++ b/puppet/modules/site_websites/manifests/init.pp @@ -0,0 +1,21 @@ +class site_websites inherits websites::hosting { + # Website definitions: always use tagged resources + apache::site { "git": + source => true, + docroot => '/var/git/repositories', + mpm => false, + tag => 'all', + } + + #apache::site { "site": + # source => true, + # ticket => '001', + # docroot => '/var/www/site', + # tag => 'all', + #} + + #database::instance { "site": + # password => 'xxx', + # tag => 'all', + #} +} diff --git a/puppet/puppet.conf b/puppet/puppet.conf index 81c47ed..ea5ed0e 100644 --- a/puppet/puppet.conf +++ b/puppet/puppet.conf @@ -1,30 +1,4 @@ [main] -logdir = /var/log/puppet -vardir = /var/lib/puppetmaster -ssldir = $vardir/ssl -rundir = /var/run/puppet -factpath = $vardir/lib/facter -pluginsync = true - -[master] -templatedir = $vardir/templates -masterport = 8140 -autosign = false -storeconfigs = true -dbadapter = sqlite3 -#dbadapter = mysql -#dbserver = localhost -#dbuser = puppet -#dbpassword = hackme -dbconnections = 15 -certname = puppet.vagrantup.com -ssl_client_header = SSL_CLIENT_S_DN -ssl_client_verify_header = SSL_CLIENT_VERIFY - -[agent] -server = puppet.vagrantup.com -vardir = /var/lib/puppet -ssldir = $vardir/ssl -runinterval = 7200 -puppetport = 8139 -configtimeout = 300 + thin_storeconfigs = true + storeconfigs = true + dbadapter = sqlite3 diff --git a/puppet/templates/apache/vhosts/cgit.erb b/puppet/templates/apache/vhosts/cgit.erb new file mode 100644 index 0000000..d2d393d --- /dev/null +++ b/puppet/templates/apache/vhosts/cgit.erb @@ -0,0 +1,30 @@ +# begin vhost for cgit +<VirtualHost *:80> + ServerName git.<%= domain %> + ServerAlias gitweb.<%= domain %> + + ServerSignature Off + + Alias /cgit.css /var/www/htdocs/cgit/cgit.css + Alias /cgit.png /var/www/htdocs/cgit/cgit.png + + ScriptAlias /cgi-bin/ /var/www/htdocs/cgit/ + + DocumentRoot /var/git/repositories + <Directory /var/git/repositories> + AllowOverride None + Options +ExecCGI + Order allow,deny + Allow from all + + DirectoryIndex /cgi-bin/cgit.cgi + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^.*$ /cgi-bin/cgit.cgi/$0 [L,PT] + </Directory> + + ErrorLog /var/log/apache2/cgit.openezx.org/error.log + CustomLog /var/log/apache2/cgit.openezx.org/access.log common +</VirtualHost> +# end vhost for git diff --git a/puppet/templates/apache/vhosts/git.erb b/puppet/templates/apache/vhosts/git.erb index 25aecd1..89173ac 100644 --- a/puppet/templates/apache/vhosts/git.erb +++ b/puppet/templates/apache/vhosts/git.erb @@ -3,6 +3,7 @@ # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian ServerName git.<%= domain %> + ServerAlias gitweb.<%= domain %> SetEnv GITWEB_CONFIG /etc/gitweb.conf HeaderName HEADER DocumentRoot /var/git/repositories diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb index 4e9fa7d..8beff14 100644 --- a/puppet/templates/etc/nginx/domain.erb +++ b/puppet/templates/etc/nginx/domain.erb @@ -111,6 +111,7 @@ server { ssl_protocols SSLv3 TLSv1; ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH; ssl_prefer_server_ciphers on; + ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem; # Set the max size for file uploads client_max_body_size 100M; diff --git a/puppet/templates/puppet/users.pp.erb b/puppet/templates/puppet/users.pp.erb index 55a2706..3b7c857 100644 --- a/puppet/templates/puppet/users.pp.erb +++ b/puppet/templates/puppet/users.pp.erb @@ -7,14 +7,6 @@ class users::backup inherits user { } class users::admin inherits user { - - # Reprepro group needed for web nodes - #if !defined(Group["reprepro"]) { - # group { "reprepro": - # ensure => present, - # } - #} - # root user and password user::manage { "root": tag => "admin", |