-rw-r--r--puppet/.mrconfig177
-rw-r--r--puppet/Makefile12
-rw-r--r--puppet/README.md10
-rw-r--r--puppet/TODO.md142
-rw-r--r--puppet/Vagrantfile56
-rwxr-xr-xpuppet/bin/dependencies8
-rwxr-xr-xpuppet/bin/deploy58
-rwxr-xr-xpuppet/bin/mrconfig8
-rwxr-xr-xpuppet/bin/post-receive7
-rwxr-xr-xpuppet/bin/post-update16
-rwxr-xr-xpuppet/bin/provision30
-rwxr-xr-xpuppet/bin/submodules2
-rw-r--r--puppet/files/patches/trusty/puppet-stack-level.md3
-rw-r--r--puppet/files/patches/trusty/puppet-stack-level.patch15
-rw-r--r--puppet/hiera/common.yaml5
-rw-r--r--puppet/hiera/hiera.yaml28
-rw-r--r--puppet/hiera/node/puppet-bootstrap.example.org.yaml14
-rw-r--r--puppet/manifests/bootstrap/configurator.pp2
-rw-r--r--puppet/manifests/bootstrap/host.pp7
-rw-r--r--puppet/manifests/bootstrap/master.pp7
-rw-r--r--puppet/manifests/bootstrap/vagrant.pp61
-rw-r--r--puppet/manifests/modules.pp6
-rw-r--r--puppet/manifests/nodes.pp5
-rw-r--r--puppet/manifests/nodes/default.pp3
-rw-r--r--puppet/manifests/site.pp8
-rw-r--r--puppet/modules/site_apt/files/keys.d/.empty0
-rw-r--r--puppet/modules/site_bind/manifests/init.pp16
-rw-r--r--puppet/modules/site_mail/files/aliases14
-rw-r--r--puppet/modules/site_users/manifests/admin.pp16
-rw-r--r--puppet/modules/site_users/manifests/backups.pp3
-rw-r--r--puppet/modules/site_users/manifests/init.pp2
-rw-r--r--puppet/modules/site_users/manifests/virtual.pp3
-rw-r--r--puppet/modules/site_websites/manifests/admin.pp (renamed from puppet/manifests/classes/websites.pp)19
-rw-r--r--puppet/modules/site_websites/manifests/init.pp21
-rw-r--r--puppet/puppet.conf32
-rw-r--r--puppet/templates/apache/vhosts/cgit.erb30
-rw-r--r--puppet/templates/apache/vhosts/git.erb1
-rw-r--r--puppet/templates/etc/nginx/domain.erb1
-rw-r--r--puppet/templates/puppet/users.pp.erb8
39 files changed, 564 insertions, 292 deletions
diff --git a/puppet/.mrconfig b/puppet/.mrconfig
index 8731bee..5c24dc7 100644
--- a/puppet/.mrconfig
+++ b/puppet/.mrconfig
@@ -1,258 +1,255 @@
[puppet/modules/apache]
-checkout = git clone git://git.sarava.org/puppet-apache.git apache
+checkout = git clone git://git.fluxo.info/puppet-apache.git apache
[puppet/modules/apcupsd]
-checkout = git clone git://git.sarava.org/puppet-apcupsd.git apcupsd
+checkout = git clone git://git.fluxo.info/puppet-apcupsd.git apcupsd
[puppet/modules/apparmor]
-checkout = git clone git://git.sarava.org/puppet-apparmor.git apparmor
+checkout = git clone git://git.fluxo.info/puppet-apparmor.git apparmor
[puppet/modules/apt]
-checkout = git clone git://git.sarava.org/puppet-apt.git apt
+checkout = git clone git://git.fluxo.info/puppet-apt.git apt
[puppet/modules/autofs]
-checkout = git clone git://git.sarava.org/puppet-autofs.git autofs
+checkout = git clone git://git.fluxo.info/puppet-autofs.git autofs
[puppet/modules/autossh]
-checkout = git clone git://git.sarava.org/puppet-autossh.git autossh
+checkout = git clone git://git.fluxo.info/puppet-autossh.git autossh
[puppet/modules/avahi]
-checkout = git clone git://git.sarava.org/puppet-avahi.git avahi
+checkout = git clone git://git.fluxo.info/puppet-avahi.git avahi
[puppet/modules/backup]
-checkout = git clone git://git.sarava.org/puppet-backup.git backup
+checkout = git clone git://git.fluxo.info/puppet-backup.git backup
[puppet/modules/backupninja]
-checkout = git clone git://git.sarava.org/puppet-backupninja.git backupninja
+checkout = git clone git://git.fluxo.info/puppet-backupninja.git backupninja
[puppet/modules/bind]
-checkout = git clone git://git.sarava.org/puppet-bind.git bind
+checkout = git clone git://git.fluxo.info/puppet-bind.git bind
[puppet/modules/bitcoind]
-checkout = git clone git://git.sarava.org/puppet-bitcoind.git bitcoind
-
-[puppet/modules/bootstrap]
-checkout = git clone git://git.sarava.org/puppet-bootstrap.git bootstrap
+checkout = git clone git://git.fluxo.info/puppet-bitcoind.git bitcoind
[puppet/modules/common]
-checkout = git clone git://git.sarava.org/puppet-common.git common
+checkout = git clone git://git.fluxo.info/puppet-common.git common
[puppet/modules/concat]
-checkout = git clone git://git.sarava.org/puppet-concat.git concat
+checkout = git clone git://git.fluxo.info/puppet-concat.git concat
[puppet/modules/cron]
-checkout = git clone git://git.sarava.org/puppet-cron.git cron
+checkout = git clone git://git.fluxo.info/puppet-cron.git cron
[puppet/modules/daap_server]
-checkout = git clone git://git.sarava.org/puppet-daap_server.git daap_server
-
-[puppet/modules/darkice]
-checkout = git clone git://git.sarava.org/puppet-darkice.git darkice
+checkout = git clone git://git.fluxo.info/puppet-daap_server.git daap_server
[puppet/modules/database]
-checkout = git clone git://git.sarava.org/puppet-database.git database
+checkout = git clone git://git.fluxo.info/puppet-database.git database
[puppet/modules/dhcp]
-checkout = git clone git://git.sarava.org/puppet-dhcp.git dhcp
+checkout = git clone git://git.fluxo.info/puppet-dhcp.git dhcp
[puppet/modules/domain_check]
-checkout = git clone git://git.sarava.org/puppet-domain_check.git domain_check
+checkout = git clone git://git.fluxo.info/puppet-domain_check.git domain_check
[puppet/modules/drupal]
-checkout = git clone git://git.sarava.org/puppet-drupal.git drupal
+checkout = git clone git://git.fluxo.info/puppet-drupal.git drupal
[puppet/modules/dyndns]
-checkout = git clone git://git.sarava.org/puppet-dyndns.git dyndns
+checkout = git clone git://git.fluxo.info/puppet-dyndns.git dyndns
[puppet/modules/ejabberd]
-checkout = git clone git://git.sarava.org/puppet-ejabberd.git ejabberd
+checkout = git clone git://git.fluxo.info/puppet-ejabberd.git ejabberd
[puppet/modules/ekeyd]
-checkout = git clone git://git.sarava.org/puppet-ekeyd.git ekeyd
+checkout = git clone git://git.fluxo.info/puppet-ekeyd.git ekeyd
[puppet/modules/etherpad]
-checkout = git clone git://git.sarava.org/puppet-etherpad.git etherpad
+checkout = git clone git://git.fluxo.info/puppet-etherpad.git etherpad
[puppet/modules/exim]
-checkout = git clone git://git.sarava.org/puppet-exim.git exim
+checkout = git clone git://git.fluxo.info/puppet-exim.git exim
[puppet/modules/firewall]
-checkout = git clone git://git.sarava.org/puppet-firewall.git firewall
+checkout = git clone git://git.fluxo.info/puppet-firewall.git firewall
[puppet/modules/git]
-checkout = git clone git://git.sarava.org/puppet-git.git git
+checkout = git clone git://git.fluxo.info/puppet-git.git git
[puppet/modules/hotglue]
-checkout = git clone git://git.sarava.org/puppet-hotglue.git hotglue
+checkout = git clone git://git.fluxo.info/puppet-hotglue.git hotglue
[puppet/modules/hydra]
-checkout = git clone git://git.sarava.org/puppet-hydra.git hydra
+checkout = git clone git://git.fluxo.info/puppet-hydra.git hydra
[puppet/modules/icecast]
-checkout = git clone git://git.sarava.org/puppet-icecast.git icecast
+checkout = git clone git://git.fluxo.info/puppet-icecast.git icecast
[puppet/modules/ikiwiki]
-checkout = git clone git://git.sarava.org/puppet-ikiwiki.git ikiwiki
+checkout = git clone git://git.fluxo.info/puppet-ikiwiki.git ikiwiki
[puppet/modules/inetd]
-checkout = git clone git://git.sarava.org/puppet-inetd.git inetd
+checkout = git clone git://git.fluxo.info/puppet-inetd.git inetd
[puppet/modules/infinoted]
-checkout = git clone git://git.sarava.org/puppet-infinoted.git infinoted
+checkout = git clone git://git.fluxo.info/puppet-infinoted.git infinoted
[puppet/modules/inifile]
-checkout = git clone git://git.sarava.org/puppet-inifile.git inifile
+checkout = git clone git://git.fluxo.info/puppet-inifile.git inifile
[puppet/modules/lighttpd]
-checkout = git clone git://git.sarava.org/puppet-lighttpd.git lighttpd
+checkout = git clone git://git.fluxo.info/puppet-lighttpd.git lighttpd
[puppet/modules/lsb]
-checkout = git clone git://git.sarava.org/puppet-lsb.git lsb
+checkout = git clone git://git.fluxo.info/puppet-lsb.git lsb
[puppet/modules/mail]
-checkout = git clone git://git.sarava.org/puppet-mail.git mail
+checkout = git clone git://git.fluxo.info/puppet-mail.git mail
[puppet/modules/minidlna]
-checkout = git clone git://git.sarava.org/puppet-minidlna.git minidlna
+checkout = git clone git://git.fluxo.info/puppet-minidlna.git minidlna
[puppet/modules/moin]
-checkout = git clone git://git.sarava.org/puppet-moin.git moin
+checkout = git clone git://git.fluxo.info/puppet-moin.git moin
[puppet/modules/monkeysphere]
-checkout = git clone git://git.sarava.org/puppet-monkeysphere.git monkeysphere
+checkout = git clone git://git.fluxo.info/puppet-monkeysphere.git monkeysphere
[puppet/modules/motion]
-checkout = git clone git://git.sarava.org/puppet-motion.git motion
+checkout = git clone git://git.fluxo.info/puppet-motion.git motion
[puppet/modules/mpd]
-checkout = git clone git://git.sarava.org/puppet-mpd.git mpd
+checkout = git clone git://git.fluxo.info/puppet-mpd.git mpd
[puppet/modules/mumble]
-checkout = git clone git://git.sarava.org/puppet-mumble.git mumble
+checkout = git clone git://git.fluxo.info/puppet-mumble.git mumble
[puppet/modules/munin]
-checkout = git clone git://git.sarava.org/puppet-munin.git munin
+checkout = git clone git://git.fluxo.info/puppet-munin.git munin
[puppet/modules/mysql]
-checkout = git clone git://git.sarava.org/puppet-mysql.git mysql
+checkout = git clone git://git.fluxo.info/puppet-mysql.git mysql
[puppet/modules/nagios]
-checkout = git clone git://git.sarava.org/puppet-nagios.git nagios
+checkout = git clone git://git.fluxo.info/puppet-nagios.git nagios
[puppet/modules/nfs]
-checkout = git clone git://git.sarava.org/puppet-nfs.git nfs
+checkout = git clone git://git.fluxo.info/puppet-nfs.git nfs
[puppet/modules/nginx]
-checkout = git clone git://git.sarava.org/puppet-nginx.git nginx
+checkout = git clone git://git.fluxo.info/puppet-nginx.git nginx
[puppet/modules/nodo]
-checkout = git clone git://git.sarava.org/puppet-nodo.git nodo
+checkout = git clone git://git.fluxo.info/puppet-nodo.git nodo
[puppet/modules/ntp]
-checkout = git clone git://git.sarava.org/puppet-ntp.git ntp
+checkout = git clone git://git.fluxo.info/puppet-ntp.git ntp
[puppet/modules/onion]
-checkout = git clone git://git.sarava.org/puppet-onion.git onion
+checkout = git clone git://git.fluxo.info/puppet-onion.git onion
[puppet/modules/pear]
-checkout = git clone git://git.sarava.org/puppet-pear.git pear
+checkout = git clone git://git.fluxo.info/puppet-pear.git pear
[puppet/modules/php]
-checkout = git clone git://git.sarava.org/puppet-php.git php
+checkout = git clone git://git.fluxo.info/puppet-php.git php
[puppet/modules/pmwiki]
-checkout = git clone git://git.sarava.org/puppet-pmwiki.git pmwiki
+checkout = git clone git://git.fluxo.info/puppet-pmwiki.git pmwiki
[puppet/modules/postfix]
-checkout = git clone git://git.sarava.org/puppet-postfix.git postfix
+checkout = git clone git://git.fluxo.info/puppet-postfix.git postfix
[puppet/modules/puppet]
-checkout = git clone git://git.sarava.org/puppet-puppet.git puppet
+checkout = git clone git://git.fluxo.info/puppet-puppet.git puppet
[puppet/modules/pureftpd]
-checkout = git clone git://git.sarava.org/puppet-pureftpd.git pureftpd
+checkout = git clone git://git.fluxo.info/puppet-pureftpd.git pureftpd
[puppet/modules/pyroscope]
-checkout = git clone git://git.sarava.org/puppet-pyroscope.git pyroscope
+checkout = git clone git://git.fluxo.info/puppet-pyroscope.git pyroscope
[puppet/modules/qwebirc]
-checkout = git clone git://git.sarava.org/puppet-qwebirc.git qwebirc
+checkout = git clone git://git.fluxo.info/puppet-qwebirc.git qwebirc
[puppet/modules/reprepro]
-checkout = git clone git://git.sarava.org/puppet-reprepro.git reprepro
+checkout = git clone git://git.fluxo.info/puppet-reprepro.git reprepro
[puppet/modules/resolvconf]
-checkout = git clone git://git.sarava.org/puppet-resolvconf.git resolvconf
+checkout = git clone git://git.fluxo.info/puppet-resolvconf.git resolvconf
[puppet/modules/rng-tools]
-checkout = git clone git://git.sarava.org/puppet-rng-tools.git rng-tools
+checkout = git clone git://git.fluxo.info/puppet-rng-tools.git rng-tools
[puppet/modules/rsync]
-checkout = git clone git://git.sarava.org/puppet-rsync.git rsync
+checkout = git clone git://git.fluxo.info/puppet-rsync.git rsync
[puppet/modules/runit]
-checkout = git clone git://git.sarava.org/puppet-runit.git runit
+checkout = git clone git://git.fluxo.info/puppet-runit.git runit
[puppet/modules/samba]
-checkout = git clone git://git.sarava.org/puppet-samba.git samba
+checkout = git clone git://git.fluxo.info/puppet-samba.git samba
[puppet/modules/schroot]
-checkout = git clone git://git.sarava.org/puppet-schroot.git schroot
+checkout = git clone git://git.fluxo.info/puppet-schroot.git schroot
[puppet/modules/shorewall]
-checkout = git clone git://git.sarava.org/puppet-shorewall.git shorewall
+checkout = git clone git://git.fluxo.info/puppet-shorewall.git shorewall
[puppet/modules/smartmonster]
-checkout = git clone git://git.sarava.org/puppet-smartmonster.git smartmonster
+checkout = git clone git://git.fluxo.info/puppet-smartmonster.git smartmonster
[puppet/modules/smartmontools]
-checkout = git clone git://git.sarava.org/puppet-smartmontools.git smartmontools
+checkout = git clone git://git.fluxo.info/puppet-smartmontools.git smartmontools
[puppet/modules/sshd]
-checkout = git clone git://git.sarava.org/puppet-sshd.git sshd
+checkout = git clone git://git.fluxo.info/puppet-sshd.git sshd
[puppet/modules/ssl]
-checkout = git clone git://git.sarava.org/puppet-ssl.git ssl
+checkout = git clone git://git.fluxo.info/puppet-ssl.git ssl
+
+[puppet/modules/stdlib]
+checkout = git clone git://git.fluxo.info/puppet-stdlib.git stdlib
[puppet/modules/supervisor]
-checkout = git clone git://git.sarava.org/puppet-supervisor.git supervisor
+checkout = git clone git://git.fluxo.info/puppet-supervisor.git supervisor
[puppet/modules/supybot]
-checkout = git clone git://git.sarava.org/puppet-supybot.git supybot
+checkout = git clone git://git.fluxo.info/puppet-supybot.git supybot
[puppet/modules/syslog-ng]
-checkout = git clone git://git.sarava.org/puppet-syslog-ng.git syslog-ng
+checkout = git clone git://git.fluxo.info/puppet-syslog-ng.git syslog-ng
[puppet/modules/tftp]
-checkout = git clone git://git.sarava.org/puppet-tftp.git tftp
+checkout = git clone git://git.fluxo.info/puppet-tftp.git tftp
[puppet/modules/tor]
-checkout = git clone git://git.sarava.org/puppet-tor.git tor
+checkout = git clone git://git.fluxo.info/puppet-tor.git tor
[puppet/modules/trac]
-checkout = git clone git://git.sarava.org/puppet-trac.git trac
+checkout = git clone git://git.fluxo.info/puppet-trac.git trac
[puppet/modules/tunnel]
-checkout = git clone git://git.sarava.org/puppet-tunnel.git tunnel
+checkout = git clone git://git.fluxo.info/puppet-tunnel.git tunnel
[puppet/modules/user]
-checkout = git clone git://git.sarava.org/puppet-user.git user
+checkout = git clone git://git.fluxo.info/puppet-user.git user
[puppet/modules/vcsrepo]
-checkout = git clone git://git.sarava.org/puppet-vcsrepo.git vcsrepo
+checkout = git clone git://git.fluxo.info/puppet-vcsrepo.git vcsrepo
[puppet/modules/viewvc]
-checkout = git clone git://git.sarava.org/puppet-viewvc.git viewvc
+checkout = git clone git://git.fluxo.info/puppet-viewvc.git viewvc
[puppet/modules/virtual]
-checkout = git clone git://git.sarava.org/puppet-virtual.git virtual
+checkout = git clone git://git.fluxo.info/puppet-virtual.git virtual
[puppet/modules/websites]
-checkout = git clone git://git.sarava.org/puppet-websites.git websites
+checkout = git clone git://git.fluxo.info/puppet-websites.git websites
[puppet/modules/websvn]
-checkout = git clone git://git.sarava.org/puppet-websvn.git websvn
+checkout = git clone git://git.fluxo.info/puppet-websvn.git websvn
[puppet/modules/wordpress]
-checkout = git clone git://git.sarava.org/puppet-wordpress.git wordpress
+checkout = git clone git://git.fluxo.info/puppet-wordpress.git wordpress
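Review bot: Every rewritten checkout line still clones over `git://`, a transport with no authentication or integrity protection, and these modules end up under `puppet apply` run as root (bin/deploy), so anyone on the network path could substitute module content. The same host is already reached over HTTPS elsewhere in this change (the README's `https://git.fluxo.info/hydra.git`, the project index fetched by bin/mrconfig), so assuming the server offers HTTPS clones the lines could read `checkout = git clone https://git.fluxo.info/puppet-apache.git apache`. The README's `git tag -v` integrity step covers only the bootstrap repository, not these modules; a pinned commit or signed tag per module would close that gap. Since this file is generated by bin/mrconfig, the scheme change belongs in the generator as well.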
diff --git a/puppet/Makefile b/puppet/Makefile
index 2209271..97c4a58 100644
--- a/puppet/Makefile
+++ b/puppet/Makefile
@@ -7,7 +7,7 @@
#
# This Makefile is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
@@ -15,7 +15,7 @@
#
CWD = $(shell pwd)
-REPO = git://git.sarava.org/puppet-bootstrap.git
+REPO = git://git.fluxo.info/puppet-bootstrap.git
PUPPET = FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --confdir="$(CWD)" --modulepath=modules
all: deps remote modules config
@@ -57,3 +57,11 @@ clean:
rm -rf ssl
rm -rf modules
git checkout modules
+
+post_update:
+ git config receive.denyCurrentBranch ignore
+ cd .git/hooks && ln -sf ../../bin/post-update
+
+post_receive:
+ git config receive.denyCurrentBranch ignore
+ cd .git/hooks && ln -sf ../../bin/post-receive
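Review bot: `git config receive.denyCurrentBranch ignore` in the new `post_update` and `post_receive` targets lets a push rewrite the branch that is checked out, and the paired hooks then run `git checkout -f`, which discards any uncommitted edits in the deployment working tree without warning. That working tree is what `puppet apply` reads (bin/deploy, bin/provision), so push access here equals the ability to replace live configuration silently. Where the target git supports it, `git config receive.denyCurrentBranch updateInstead` refuses the push while the working tree is dirty and updates it otherwise; at minimum a comment above the targets should state the consequence, e.g. `# NOTE: pushes to the checked-out branch overwrite the live work tree (see bin/post-receive)`.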
diff --git a/puppet/README.md b/puppet/README.md
index 67dad5f..bb5375d 100644
--- a/puppet/README.md
+++ b/puppet/README.md
@@ -5,14 +5,14 @@ This is a multi-purpose but very specific puppet module which can be used:
* As the base repository for a puppet infrastructure.
* As a standalone provisioner for boxes, with Vagrant support.
-* It can be optionally used together with the Hydra Suite from https://git.sarava.org/?p=hydra.git
+* It can be optionally used together with the Hydra Suite from https://git.fluxo.info/hydra.git
-Setting up a new puppetmaster repository
-----------------------------------------
+Setting up a new puppet repository
+----------------------------------
You'll basically use the `bootstrap` repository as your `puppet` repository:
- git clone git://git.sarava.org/puppet-bootstrap.git puppet
+ git clone git://git.fluxo.info/puppet-bootstrap.git puppet
cd puppet && git tag -v # check integrity
make deps # install dependencies
make submodules # add all needed puppet module as as git submodules
@@ -24,7 +24,7 @@ Using as a standalone provisioner
This will be a `Vagrant` example:
cd your-project
- git clone git://git.sarava.org/puppet-bootstrap.git puppet # use submodule or subtree as you please
+ git clone git://git.fluxo.info/puppet-bootstrap.git puppet # use submodule or subtree as you please
ln -s puppet/Vagrantfile # or copy if you want to customize
( cd puppet && make modules ) # need the mr binary to download the submodules
vagrant up web # with no arguments, all defined VMs are started
diff --git a/puppet/TODO.md b/puppet/TODO.md
index c773654..429bd4d 100644
--- a/puppet/TODO.md
+++ b/puppet/TODO.md
@@ -1,7 +1,141 @@
TODO
====
-* Minimal manifest for fast provisioning.
-* Update to new nodo style (hiera and nodo::role).
-* Support for recursive clones in `bin/mrconfig`.
-* Test!
+High priority
+-------------
+
+- puppet: masterless:
+ - keyringer/gpg integration.
+ - https://github.com/compete/hiera_yamlgpg
+ - https://github.com/crayfishx/hiera-gpg
+ - https://github.com/sihil/hiera-eyaml-gpg
+ - https://github.com/StackExchange/blackbox
+ - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet
+ - https://docs.puppetlabs.com/hiera/1/custom_backends.html
+ - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
+ - https://packages.debian.org/jessie/hiera-eyaml
+ - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
+ - add a monkeysphere auth subkey to every openpgp key used for backups.
+ - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
+ - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
+ - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
+ - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
+ - https://github.com/jordansissel/puppet-examples/tree/master/masterless
+- sshd:
+ - https://stribika.github.io/2015/01/04/secure-secure-shell.html
+ - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60
+ - enable ecdsa key.
+ - ecdsa priority: alternatives:
+ - unsupport ecdsa in the server.
+ - export ecdsa pubkeys.
+ - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`.
+ - force option via rsync/rdiff handlers.
+- virtual: migrate to kvm/libvirt.
+- loginrecords: deploy module.
+- deploy https://github.com/wido/puppet-module-tcpwrappers
+- nodo:
+ - run stages.
+ - allow more resources to be declared via hiera.
+ - fix hiera default boolean value when true.
+ - easy way to toggle management of subsystems.
+
+Medium priority
+---------------
+
+- apt: raspbian support, including unnatended-upgrades.
+- backup:
+ - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
+ - sync-backups support for rsyncing from kvms / snapshots.
+- nodo:
+ - cleanup and refactor.
+ - uniform variable names.
+ - use prompt.sh from bash-prompt as a submodule.
+- common: autoload.
+- general:
+ - rollback of commits about charset.
+ - switch to conf.d:
+ - php ("refactor" branch), remove E_STRICT from production's error_reporting.
+ - apache2.
+ - sudoers.
+- backup: `sync-media-iterate [volume]`.
+- mail:
+ - use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
+ - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)
+
+Low priority
+------------
+
+- merge, review, pull requests for all modules.
+- bind: nsupdate / dynamic dns:
+ - http://linux.yyz.us/nsupdate/
+ - http://linux.yyz.us/dns/ddns-server.html
+ - http://caunter.ca/nsupdate.txt
+ - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
+ - https://github.com/skx/dhcp.io/
+- munin: lvm monitoring.
+- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
+ - http://wiki.rtorrent.org/MagnetUri
+ - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
+ - https://github.com/danfolkes/Magnet2Torrent
+ - http://code.google.com/p/pyroscope/wiki/CommandLineTools
+ - https://trac.transmissionbt.com/ticket/4176
+ - http://wiki.rtorrent.org/MagnetUri
+ - https://github.com/rakshasa/rtorrent/issues/212
+ - saving/restoring `.meta` and `~/rtorrent/.session` files.
+- support for http/https proxy inside web nodes:
+ - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
+ - make all apache sites listen to 8080.
+- git:
+ - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
+ - gitweb clean urls.
+ - email notifications.
+ - https://packages.debian.org/jessie/git-notifier
+ - https://github.com/mhagger/git-multimail
+ - using OpenPGP?
+- syslog-ng: use conf.d.
+- etherpad: `You need to set a sessionKey value in settings.json`.
+- knock integration via https://github.com/juasiepo/knockd
+- apache:
+ - try libapache2-modsecurity.
+ - deploy https://git.immerda.ch/csp-report/
+ - disable other_vhosts_access.log.
+- onion:
+ - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
+ - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
+- nagios: snmp, nrpe, nsca
+ - http://nagios.sourceforge.net/docs/3_0/addons.html
+ - http://www.math.wisc.edu/~jheim/snmp/
+- ssh access restrictions:
+ - denyhosts, but we don't want to log IPs.
+ - using shorewall: http://www.debian-administration.org/articles/250#comment_16
+ - alowed users / groups.
+- websites: freewvs.
+- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
+- mail:
+ - review dovecot recipient delimiter handling: to which mailbox messages should be sent?
+ - mlmmj:
+ - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
+ - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
+- drupal/wordpress:
+ - cronjob/cli: switch to site user.
+ - drupal_update: Do you really want to continue with the update process? (y/n):
+ Do you really want to continue with the update process? (y/n): Aborting. [cancel],
+ possibly related to https://www.drupal.org/node/443392
+- php / wordpress / wp-cli: composer installation and dependencies:
+ - http://getcomposer.org/doc/00-intro.md#installation-nix
+ - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
+ - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
+- nodo: support for prosody:
+ - https://github.com/dgoulet/prosody-otr
+ - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
+ - config with good score at https://xmpp.net/index.php
+- mail:
+ - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
+ - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails.
+ sent as `root@localhost`.
+ - deploy https://git.autistici.org/ale/smtp-fp/tree/master
+ https://github.com/EFForg/starttls-everywhere
+ - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
+ https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
+ - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
diff --git a/puppet/Vagrantfile b/puppet/Vagrantfile
index 8999cf0..3ee05e6 100644
--- a/puppet/Vagrantfile
+++ b/puppet/Vagrantfile
@@ -1,9 +1,12 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
-Vagrant::Config.run do |config|
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
# Every Vagrant virtual environment requires a box to build off of.
- config.vm.box = "wheezy"
+ config.vm.box = "jessie"
+
+ # Hostname
+ config.vm.hostname = "puppet-bootstrap.example.org"
# Shell provisioner to setup basic environment.
config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision"
@@ -13,49 +16,14 @@ Vagrant::Config.run do |config|
puppet.manifest_file = "bootstrap/vagrant.pp"
puppet.manifests_path = "puppet/manifests"
puppet.module_path = "puppet/modules"
+ puppet.hiera_config_path = "puppet/hiera.yaml"
puppet.temp_dir = "/etc/puppet"
puppet.working_directory = "/etc/puppet"
end
- # Define a Host VM
- config.vm.define :host do |host_config|
- db_config.vm.box = "host"
- web_config.vm.network :hostonly, "192.168.50.101"
- end
-
- # Define a Puppetmaster VM
- config.vm.define :master do |master_config|
- master_config.vm.box = "master"
- master_config.vm.forward_port 8139, 8140
- web_config.vm.network :hostonly, "192.168.50.102"
- end
-
- # Define a Proxy VM
- config.vm.define :proxy do |proxy_config|
- proxy_config.vm.box = "proxy"
- proxy_config.vm.forward_port 8139, 8140
- web_config.vm.network :hostonly, "192.168.50.103"
- end
-
- # Define a Web VM
- config.vm.define :web do |web_config|
- web_config.vm.box = "web"
- web_config.vm.forward_port 80, 8080
- web_config.vm.network :hostonly, "192.168.50.104"
- end
-
- # Define a Storage VM
- config.vm.define :storage do |storage_config|
- storage_config.vm.box = "storage"
- storage_config.vm.network :hostonly, "192.168.50.105"
- end
-
- # Define a Test VM
- config.vm.define :test do |test_config|
- test_config.vm.box = "test"
- test_config.vm.network :hostonly, "192.168.50.106"
- end
-
# Share hiera configuration.
- config.vm.share_folder "hiera", "/etc/puppet/hiera", "puppet/hiera", create: true
+ config.vm.synced_folder "puppet/hiera", "/etc/puppet/hiera"
+
+ # Forwarded ports
+ #config.vm.network "forwarded_port", guest: 80, host: 8081
end
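Review bot: `puppet.hiera_config_path = "puppet/hiera.yaml"` names a file this change does not appear to contain: the diffstat lists `puppet/hiera/hiera.yaml`, and bin/provision links `$DIRNAME/../hiera/hiera.yaml`, so unless an unchanged `puppet/hiera.yaml` exists outside this diff the provisioner will not find its hiera configuration. The path should probably be `puppet.hiera_config_path = "puppet/hiera/hiera.yaml"`, matching the `puppet/hiera` folder synced to `/etc/puppet/hiera` a few lines below. The datadir inside that hiera.yaml also has to be a guest path (presumably `/etc/puppet/hiera`, which is why the folder is synced there); a one-line comment above the `synced_folder` call, `# hiera.yaml's datadir must point at this guest path`, would make the coupling visible.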
diff --git a/puppet/bin/dependencies b/puppet/bin/dependencies
index 78ca659..507145b 100755
--- a/puppet/bin/dependencies
+++ b/puppet/bin/dependencies
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# Simple shell provisioner for Vagrant instances.
+# Puppet bootstrap dependencies.
#
# Install a package, thanks to the Hydra Suite.
@@ -13,16 +13,16 @@ function provision_package {
if [ "$?" == "1" ]; then
echo "Installing package $1..."
- DEBIAN_FRONTEND=noninteractive $sudo apt-get install $1 -y
+ DEBIAN_FRONTEND=noninteractive $SUDO apt-get install $1 -y
fi
}
# Set sudo config
if [ "`whoami`" != 'root' ]; then
- sudo="sudo"
+ SUDO="sudo"
fi
# Ensure basic packages are installed.
-for package in puppet ruby-hiera-puppet mr whois; do
+for package in puppet git mr whois; do
provision_package $package
done
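Review bot: `DEBIAN_FRONTEND=noninteractive $SUDO apt-get install $1 -y` sets the variable in the environment handed to `sudo`, and sudo's default `env_reset` strips it unless sudoers lists it in `env_keep` or grants SETENV, so when `$SUDO` is `sudo` apt-get can still raise debconf prompts and hang an unattended run. Applying the variable after the privilege step avoids that: `$SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y "$1"`. Quoting `"$1"` also keeps the package name from being word-split. `provision_package` begins before this hunk, so the `$?` test on its first visible line depends on whatever command precedes it.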
diff --git a/puppet/bin/deploy b/puppet/bin/deploy
new file mode 100755
index 0000000..5d3361b
--- /dev/null
+++ b/puppet/bin/deploy
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Deploy configuration using puppet.
+#
+
+# Parameters
+DIRNAME="`dirname $0`"
+BASEDIR="$DIRNAME/.."
+DEPLOY_DEPENDENCIES="puppet ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders"
+
+# Determine hostname
+if [ ! -z "$1" ]; then
+ FQDN="$1"
+else
+ FQDN="`cat /etc/hostname`"
+fi
+
+# Check for manifest
+PUPPET_MANIFEST="$BASEDIR/puppet/manifests/nodes/$FQDN.pp"
+if [ ! -e "$PUPPET_MANIFEST" ]; then
+ echo "file not found: $PUPPET_MANIFEST"
+ exit 1
+fi
+
+# Install dependencies
+source $DIRNAME/dependencies
+
+# Ensure additional dependencies are installed.
+for package in $DEPLOY_DEPENDENCIES; do
+ provision_package $package
+done
+
+# Parameters that needs dependencies installed
+DIST="`facter lsbdistcodename`"
+
+# Apply patches
+if [ -d "$BASEDIR/puppet/files/patches/$DIST" ]; then
+ (
+ # Patches should be generated relativelly to the root folder
+ cd /
+
+ # Only apply if needed
+ # Thanks https://unix.stackexchange.com/questions/55780/check-if-a-file-or-folder-has-been-patched-already
+ for patch in `ls $BASEDIR/puppet/files/patches/$DIST`; do
+ patch -p0 -N --dry-run --silent < $BASEDIR/puppet/files/patches/$DIST/$patch &> /dev/null
+ # If the patch has not been applied then the $? which is the exit status
+ # for last command would have a success status code = 0
+ if [ "$?" == "0" ]; then
+ # Apply the patch
+ patch -p0 -N < $BASEDIR/puppet/files/patches/$DIST/$patch
+ fi
+ done
+ )
+fi
+
+# Run puppet apply
+PUPPET_OPTS="--confdir=$BASEDIR/puppet --modulepath=$BASEDIR/puppet/modules"
+LC_ALL=C $SUDO puppet apply $PUPPET_OPTS $PUPPET_MANIFEST
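Review bot: `BASEDIR` is built from `dirname $0`, which is relative whenever deploy is invoked by a relative path (e.g. `puppet/bin/deploy`), and the `cd /` inside the patch subshell then makes `$BASEDIR/puppet/files/patches/$DIST` resolve under `/`, so the loop silently finds nothing; `DIRNAME="$(cd "$(dirname "$0")" && pwd)"` makes it absolute. The `patch -p0 -N` that rewrites system files from `/` is also the only privileged step without `$SUDO`: for a non-root caller the dry-run may pass, the real apply fails on permissions, and the script carries on to `puppet apply` regardless, so `$SUDO patch -p0 -N < "$BASEDIR/puppet/files/patches/$DIST/$patch"` plus `set -e` near the top would surface that. `FQDN` comes unchecked from `$1` into a path; the caller already has sudo, so the risk is low, but rejecting a slash with `case "$FQDN" in */*) echo "invalid hostname: $FQDN" >&2; exit 1;; esac` costs one line.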
diff --git a/puppet/bin/mrconfig b/puppet/bin/mrconfig
index f525db3..dc753ac 100755
--- a/puppet/bin/mrconfig
+++ b/puppet/bin/mrconfig
@@ -1,10 +1,10 @@
#!/bin/bash
#
# Build a mrconfig for the needed modules.
-#
+#
# Parameters
-GIT="git.sarava.org"
+GIT="git.fluxo.info"
URL="https://$GIT/?a=project_index"
CWD="`pwd`"
WORK="`dirname $0`/.."
@@ -18,8 +18,8 @@ touch .mrconfig
curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do
folder="`echo $module | sed -e 's/^puppet-//'`"
folder="`basename $folder .git`"
-
- if [ "$module" != "$bootstrap" ]; then
+
+ if [ "$folder" != "bootstrap" ]; then
echo "Processing $folder..."
mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder"
fi
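Review bot: The `curl --stderr - $URL | grep "^puppet-"` pipeline feeding the corrected `$folder` comparison has no `--fail`, so an HTTP error page or a connection failure produces an empty list and the script exits successfully after writing an empty or truncated `.mrconfig`; `curl -fsS "$URL"` together with `set -e -o pipefail` at the top would abort instead. The index is fetched over HTTPS but each emitted checkout uses `git://$GIT/$module`, an unauthenticated transport for modules later applied as root; if the host serves HTTPS clones, `mr config puppet/modules/$folder checkout="git clone https://$GIT/$module $folder"` keeps integrity end to end. The enclosing `while read module` loop starts before this hunk.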
diff --git a/puppet/bin/post-receive b/puppet/bin/post-receive
new file mode 100755
index 0000000..996189d
--- /dev/null
+++ b/puppet/bin/post-receive
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+cd ..
+unset GIT_DIR
+
+git checkout -f
+git submodule update --init --recursive
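Review bot: `cd ..` assumes the hook runs in a `.git` directory sitting directly inside the working tree; push hooks do run in `$GIT_DIR`, but when this repository is checked out as a submodule, as the README allows, its git dir is `.git/modules/<name>` and `cd ..` lands in `.git/modules`, where `git checkout -f` acts on the wrong repository or fails. A guard after the `cd` such as `[ -e .git ] || { echo "post-receive: $PWD is not the work tree" >&2; exit 1; }` makes the assumption explicit. There is also no `set -e`, so a failed checkout still runs `git submodule update --init --recursive`, and the URLs that step fetches come from the `.gitmodules` just pushed, so whoever can push chooses what gets cloned; a header comment should say so.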
diff --git a/puppet/bin/post-update b/puppet/bin/post-update
new file mode 100755
index 0000000..48a6a16
--- /dev/null
+++ b/puppet/bin/post-update
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+cd ..
+unset GIT_DIR
+
+if [ -d ".git/annex" ]; then
+ git annex sync
+else
+ git reset HEAD
+ git checkout -f
+fi
+
+git submodule update --init --recursive
+
+cd -
+exec git update-server-info
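Review bot: Neither the `git annex sync` branch nor the `reset`/`checkout -f` branch is checked for failure: without `set -e` a failing checkout still runs `git submodule update --init --recursive` and then `exec git update-server-info`, which exits 0, so the pusher sees a clean hook while the working tree is stale. Adding `set -e` after the shebang would report the real state. `git checkout -f` also discards uncommitted local edits in the working tree with no warning, which matters when that tree is the one `puppet apply` reads; a comment such as `# WARNING: discards local modifications in the work tree` above it records the trade-off. `cd -` prints the directory it returns to, which lands in the pusher's output; `cd - >/dev/null` is quieter.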
diff --git a/puppet/bin/provision b/puppet/bin/provision
index e200e51..16f102f 100755
--- a/puppet/bin/provision
+++ b/puppet/bin/provision
@@ -3,25 +3,33 @@
# Simple shell provisioner for Vagrant instances.
#
-# Ensure the system is updated.
-sudo apt-get update && DEBIAN_FRONTEND=noninteractive sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y && sudo apt-get clean
+# Parameters
+DIRNAME="`dirname $0`"
+
+# Load dependencies
+source $DIRNAME/dependencies
-# Install dependencies
-source /vagrant/puppet/bin/dependencies
+# Ensure the system is updated.
+$SUDO apt-get update && DEBIAN_FRONTEND=noninteractive $SUDO apt-get dist-upgrade -y && $SUDO apt-get autoremove -y && $SUDO apt-get clean
# Ensure additional dependencies are installed.
-for package in sqlite3 libsqlite3-ruby libactiverecord-ruby ruby-sqlite3 usbutils; do
+for package in usbutils; do
+ provision_package $package
+done
+
+# Storeconfigs support
+for package in ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders; do
provision_package $package
done
-# Link hiera configuration.
+# Link hiera configuration if needed.
if [ ! -h "/etc/puppet/hiera.yaml" ]; then
- sudo rm -f /etc/puppet/hiera.yaml
- sudo ln -s /vagrant/puppet/hiera/hiera.yaml /etc/puppet/hiera.yaml
+ $SUDO rm -f /etc/puppet/hiera.yaml
+ $SUDO ln -s $DIRNAME/../hiera/hiera.yaml /etc/puppet/hiera.yaml
fi
-# Link puppet configuration.
+# Link puppet configuration if needed.
if [ ! -h "/etc/puppet/puppet.conf" ]; then
- sudo rm -f /etc/puppet/puppet.conf
- sudo ln -s /vagrant/puppet/puppet.conf /etc/puppet/puppet.conf
+ $SUDO rm -f /etc/puppet/puppet.conf
+ $SUDO ln -s $DIRNAME/../puppet.conf /etc/puppet/puppet.conf
fi
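Review bot: The symlink targets `$DIRNAME/../hiera/hiera.yaml` and `$DIRNAME/../puppet.conf` are only valid when `$0` is absolute: invoked as `bin/provision`, `dirname $0` yields `bin`, and a relative target stored in `/etc/puppet/hiera.yaml` is resolved against `/etc/puppet`, producing a dangling link that surfaces only when puppet tries to read its config. Resolve it once at the top with `DIRNAME="$(cd "$(dirname "$0")" && pwd)"`. Separately, `DEBIAN_FRONTEND=noninteractive $SUDO apt-get ...` reaches apt only if sudoers preserves that variable, which default `env_reset` does not; `$SUDO env DEBIAN_FRONTEND=noninteractive apt-get ...` is robust, though the previous version had the same shape so this is not a regression.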
diff --git a/puppet/bin/submodules b/puppet/bin/submodules
index f79b635..3abc46d 100755
--- a/puppet/bin/submodules
+++ b/puppet/bin/submodules
@@ -20,7 +20,7 @@ for repo in $repos; do
module="`basename $repo .git | sed -e s/^puppet-//`"
if [ ! -d "modules/$module" ]; then
echo "Processing puppet module $module..."
- git submodule add $repo modules/$module
+ git submodule add -f $repo modules/$module
elif [ -e "modules/$module/.git" ]; then
# The puppet module exists and is a git submodule, so update it
( cd module/$module && git pull origin master )
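Review bot: `git submodule add -f` now overrides `.gitignore`, so a module path that was deliberately ignored gets registered; a comment stating why the force is needed would keep the next reader from removing it. The unchanged `elif` branch runs `cd module/$module` while the `if` branch uses `modules/$module`, which looks like a typo that makes the update path fail with a missing directory; worth fixing in passing as `( cd modules/$module && git pull origin master )`. The enclosing `for` loop starts outside the hunk.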
diff --git a/puppet/files/patches/trusty/puppet-stack-level.md b/puppet/files/patches/trusty/puppet-stack-level.md
new file mode 100644
index 0000000..9a3f4d7
--- /dev/null
+++ b/puppet/files/patches/trusty/puppet-stack-level.md
@@ -0,0 +1,3 @@
+# Puppet stack level patch
+
+* [Puppet master fails with 'stack level too deep' error when storeconfigs = true](https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1313595).
diff --git a/puppet/files/patches/trusty/puppet-stack-level.patch b/puppet/files/patches/trusty/puppet-stack-level.patch
new file mode 100644
index 0000000..1d112f7
--- /dev/null
+++ b/puppet/files/patches/trusty/puppet-stack-level.patch
@@ -0,0 +1,15 @@
+--- /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb.orig 2015-10-19 17:19:13.500193213 -0200
++++ /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb 2015-10-19 17:19:58.972194943 -0200
+@@ -84,7 +84,11 @@
+ end
+
+ def [](param)
+- super || parameter(param)
++ if param == 'id'
++ super
++ else
++ super || parameter(param)
++ end
+ end
+
+ # Make sure this resource is equivalent to the provided Parser resource.
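Review bot: This patch rewrites `/usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb`, a file owned by the Debian `puppet` package, so the next package upgrade (and `bin/provision` runs `apt-get dist-upgrade`) silently reverts it and the stack-level failure returns. Record that ordering dependency in the accompanying .md, e.g. `bin/deploy must re-apply this after any puppet package upgrade`, or ship the fix as a local Ruby override instead of editing the packaged file. A one-line comment above the `if param == 'id'` branch explaining why `id` must never fall through to `parameter(param)` would make future rebases easier; the referenced Launchpad bug gives the symptom but not that reasoning.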
diff --git a/puppet/hiera/common.yaml b/puppet/hiera/common.yaml
index d7e35a1..8a04a26 100644
--- a/puppet/hiera/common.yaml
+++ b/puppet/hiera/common.yaml
@@ -48,3 +48,8 @@ ntp::servers:
nodo::subsystem::resolver::nameservers:
- '208.67.222.222'
- '208.67.220.220'
+
+#
+# Puppet config
+#
+nodo::base::puppet_mode: 'apply'
diff --git a/puppet/hiera/hiera.yaml b/puppet/hiera/hiera.yaml
index 33acc9e..a8ae792 100644
--- a/puppet/hiera/hiera.yaml
+++ b/puppet/hiera/hiera.yaml
@@ -8,14 +8,26 @@
# reconsidered in the future.
#
# See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html
- :datadir: hiera
+ :datadir: '%{settings::confdir}/hiera'
:hierarchy:
- - '%{::environment}/domain/%{::domain}/node/%{::clientcert}'
- - '%{::environment}/domain/%{::domain}/role/%{::role}'
- - '%{::environment}/domain/%{::domain}/location/%{::location}'
- - '%{::environment}/domain/%{::domain}/%{::domain}'
- - '%{::environment}/location/%{::location}'
- - '%{::environment}/virtual/%{::virtual}'
- - '%{::environment}/role/%{::role}'
+ #
+ # Put in the secrets folder all sensitive information that
+ # wont be spread into every system if you're using the Hydra Suite.
+ #
+ # We also recommend to leave only encrypted data in your hiera config.
+ #
+ - 'secrets/node/%{::clientcert}'
+ - 'secrets/role/%{::nodo::role}'
+ - 'secrets/location/%{::nodo::location}'
+ - 'secrets/domain/%{::domain}'
+
+ #
+ # All other stuff goes in regular YAML files.
+ #
+ - 'node/%{::clientcert}'
+ - 'role/%{::nodo::role}'
+ - 'virtual/%{::virtual}'
+ - 'location/%{::nodo::location}'
+ - 'domain/%{::domain}'
- bootstrap
- common
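Review bot: The new comment promises that `secrets/` data is kept off most systems and encrypted, but nothing in this hunk enforces either: the `secrets/*` entries are ordinary lookups under the same `%{settings::confdir}/hiera` datadir, and the backend list is outside the hunk, so unless an encrypting backend such as hiera-eyaml is configured these are plaintext YAML files that travel with the confdir. State where the exclusion and encryption actually happen, e.g. `# secrets/ is excluded from distribution by <tool>; values must be eyaml-encrypted`, or add the backend here. Also note that `%{::nodo::role}` and `%{::nodo::location}` presumably interpolate to an empty string when `nodo` has not set them, collapsing `secrets/role/%{::nodo::role}` to `secrets/role/`; a comment on that ordering assumption would help.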
diff --git a/puppet/hiera/node/puppet-bootstrap.example.org.yaml b/puppet/hiera/node/puppet-bootstrap.example.org.yaml
new file mode 100644
index 0000000..c108e7d
--- /dev/null
+++ b/puppet/hiera/node/puppet-bootstrap.example.org.yaml
@@ -0,0 +1,14 @@
+---
+#
+# MySQL
+#
+# The following password is public information and therefore
+# shall not be user on production.
+mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
+
+#
+# Backup
+#
+nodo::subsystem::backup::localhost: false
+nodo::subsystem::backup::encryptkey: 'none'
+nodo::subsystem::backup::password: 'hacked'
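Review bot: This example node file places a MySQL root password and a backup password in plaintext under `node/`, the hierarchy level the new hiera.yaml reserves for non-secret data, so even as a deliberately public sample it teaches the wrong location. Move `mysql::server::rootpw` and `nodo::subsystem::backup::password` to `secrets/node/puppet-bootstrap.example.org.yaml` (or add a comment pointing there) and keep only the non-secret toggles here. The comment should read `shall not be used on production`.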
diff --git a/puppet/manifests/bootstrap/configurator.pp b/puppet/manifests/bootstrap/configurator.pp
index d93a0ce..edcbe92 100644
--- a/puppet/manifests/bootstrap/configurator.pp
+++ b/puppet/manifests/bootstrap/configurator.pp
@@ -74,7 +74,7 @@ file { "$bootstrap_path/auth.conf":
#
# Basic users
#
-file { "$bootstrap_path/manifests/classes/users.pp":
+file { "$bootstrap_path/modules/site_users/manifests/init.pp":
ensure => present,
mode => 0644,
content => template("$templates/puppet/users.pp.erb"),
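Review bot: The resource now writes the rendered template to `modules/site_users/manifests/init.pp`, but `templates/puppet/users.pp.erb` (further down in this diff) still defines `class users::backup` and `class users::admin`, so the generated file does not define `site_users`, cannot be autoloaded under that path, and overwrites the empty `class site_users {}` this commit adds. Either rename the template's classes to `site_users::admin` / `site_users::backup` and split them into `admin.pp` / `backup.pp`, or point this resource at a path that matches the class names the template emits. The enclosing `file` resource continues outside the hunk.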
diff --git a/puppet/manifests/bootstrap/host.pp b/puppet/manifests/bootstrap/host.pp
index c1aead8..5f9c23a 100644
--- a/puppet/manifests/bootstrap/host.pp
+++ b/puppet/manifests/bootstrap/host.pp
@@ -4,11 +4,10 @@
# virtual machine.
#
-# Import site configuration
-import "../site.pp"
-
# The server role
-include nodo::role::server
+class { 'nodo:
+ role => 'server',
+}
# Creates vserver for administrative node
nodo::vserver::instance { "$hostname-master":
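Review bot: The new class declaration is missing its closing quote: `class { 'nodo:` must be `class { 'nodo':` (compare the identical block in master.pp in this same commit), so this manifest fails to parse and the host bootstrap cannot run at all. The removal of `import "../site.pp"` is consistent with site.pp being deleted elsewhere in the diff, so nothing else here needs to change.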
diff --git a/puppet/manifests/bootstrap/master.pp b/puppet/manifests/bootstrap/master.pp
index 51167f3..5934d3e 100644
--- a/puppet/manifests/bootstrap/master.pp
+++ b/puppet/manifests/bootstrap/master.pp
@@ -5,8 +5,7 @@
# Once it's running it can setup all the other nodes.
#
-# Import site configuration
-import "../site.pp"
-
# Include the master node configuration
-include nodo::role::master
+class { 'nodo':
+ role => 'master',
+}
diff --git a/puppet/manifests/bootstrap/vagrant.pp b/puppet/manifests/bootstrap/vagrant.pp
index 9206db6..47305dc 100644
--- a/puppet/manifests/bootstrap/vagrant.pp
+++ b/puppet/manifests/bootstrap/vagrant.pp
@@ -3,47 +3,36 @@
# virtual machine.
#
-# Import site configuration
-import "../site.pp"
-
-#
-# Stage definitions
-#
-
-stage { 'first':
- before => Stage['main'],
-}
-
-stage { 'last': }
-Stage['main'] -> Stage['last']
-
#
# Class definitions
#
# Vagrant classes
-include nodo::role::vagrant
-
-class vagrant_config {
- # Symlink to the mounted module folder
- file { '/etc/puppet/modules':
- ensure => '/etc/puppet/modules-0',
- force => true,
- }
-
- # Ensure a custom hiera configuration
- file { '/etc/puppet/hiera.yaml':
- owner => root,
- group => root,
- mode => 0644,
- force => true,
- ensure => '/etc/puppet/hiera/hiera.yaml',
- }
+class { 'nodo':
+ role => 'vagrant',
}
#
-# Class instantiations
-#
-class { 'vagrant_config':
- stage => first,
-}
+# LAMP example
+#
+#include database
+#
+#class { 'apache':
+# default_folder => '/vagrant',
+# default_user => 'vagrant',
+# default_group => 'vagrant',
+#}
+#
+# If you want to manage another website
+#apache::site { "myapp":
+# docroot => "/vagrant/",
+# server_alias => 'myapp vagrant localhost',
+# use => [ "Site myapp" ],
+# tag => 'all',
+# owner => vagrant,
+# group => vagrant,
+# mpm_user => vagrant,
+# mpm_group => vagrant,
+# password => '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD',
+# shell => '/bin/bash',
+#}
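Review bot: The commented-out example carries a real-looking SHA-crypt hash in `password => '$5$NZfZqcdyZ3Xt$...'`; a hash committed to a repository is crackable offline whether or not the line is active, so replace it with a placeholder like `password => '<sha-crypt hash, see puppet user::manage docs>'`. With the `first`/`last` stages and the `vagrant_config` class gone, the `/etc/puppet/modules` symlink that class managed is no longer created by puppet; `bin/deploy` now passes `--modulepath` and `bin/provision` links hiera.yaml, so a short comment here recording that hand-off would stop someone from re-adding the stage code.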
diff --git a/puppet/manifests/modules.pp b/puppet/manifests/modules.pp
deleted file mode 100644
index 3df3fe3..0000000
--- a/puppet/manifests/modules.pp
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Module definitions.
-#
-
-# Nodo automatically import all modules we need.
-import "nodo"
diff --git a/puppet/manifests/nodes.pp b/puppet/manifests/nodes.pp
deleted file mode 100644
index b90f04e..0000000
--- a/puppet/manifests/nodes.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Node definitions.
-#
-
-#import "nodes/example.pp"
diff --git a/puppet/manifests/nodes/default.pp b/puppet/manifests/nodes/default.pp
new file mode 100644
index 0000000..5ebbf90
--- /dev/null
+++ b/puppet/manifests/nodes/default.pp
@@ -0,0 +1,3 @@
+node default {
+ include nodo
+}
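Review bot: `node default { include nodo }` hands the full `nodo` classification to every certname without a more specific node block; if this manifest is ever served by a master that means any agent whose certificate was signed, so a comment such as `# catch-all: every node that reaches this manifest gets the base nodo role` and keeping autosign off are worth making explicit. In the `apply` mode that common.yaml now selects this only ever matches the local host.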
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
deleted file mode 100644
index 6f3e5aa..0000000
--- a/puppet/manifests/site.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Puppet site configuration.
-#
-
-import "classes/users.pp"
-import "classes/websites.pp"
-import "modules.pp"
-import "nodes.pp"
diff --git a/puppet/modules/site_apt/files/keys.d/.empty b/puppet/modules/site_apt/files/keys.d/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_apt/files/keys.d/.empty
diff --git a/puppet/modules/site_bind/manifests/init.pp b/puppet/modules/site_bind/manifests/init.pp
new file mode 100644
index 0000000..7ee08d2
--- /dev/null
+++ b/puppet/modules/site_bind/manifests/init.pp
@@ -0,0 +1,16 @@
+class site_bind {
+ #
+ # See http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
+ # http://www.debian-administration.org/articles/355
+
+ # This is needed so we can comment out the inclusion of
+ # /etc/bind/named.conf.default-zones
+ #file { '/etc/bind/named.conf':
+ # ensure => present,
+ # owner => root,
+ # group => root,
+ # mode => 0644,
+ # source => 'puppet:///modules/site_bind/named.conf',
+ # notify => Service['bind9'],
+ #}
+}
diff --git a/puppet/modules/site_mail/files/aliases b/puppet/modules/site_mail/files/aliases
new file mode 100644
index 0000000..08a0723
--- /dev/null
+++ b/puppet/modules/site_mail/files/aliases
@@ -0,0 +1,14 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+reprepro: root
diff --git a/puppet/modules/site_users/manifests/admin.pp b/puppet/modules/site_users/manifests/admin.pp
new file mode 100644
index 0000000..14ad9da
--- /dev/null
+++ b/puppet/modules/site_users/manifests/admin.pp
@@ -0,0 +1,16 @@
+class site_users::admin inherits user {
+ # root user and password
+ #user::manage { "root":
+ # tag => "admin",
+ # homedir => '/root',
+ # password => '$5$zpdXgIaLKMDckKx9$qTS9WbmS/zylFwPu1orq.779CNnAiA9VoGdFNU94jz/',
+ #}
+
+ # first user config
+ #user::manage { "user":
+ # tag => "admin",
+ # groups => [ "sudo", ],
+ # password => '$5$D8kCEIo5/MNCA7Tz$VhGg2MNDs21JzX9HgxSWMupA5GD5MXnKwDuveMSdPH7',
+ # sshkey => [ "WRONG" ],
+ #}
+}
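Review bot: The commented-out examples embed two SHA-crypt password hashes alongside `sshkey => [ "WRONG" ]`; hashes in a repository are crackable offline even inside a comment, so use obvious placeholders for both `password` values as was done for the key. `class site_users::admin inherits user` inherits from a class in a different module, which couples this site module to `user`'s internals; if the inheritance is needed for resource defaults, say so in a comment, otherwise `include user` is the looser dependency. It is also unclear whether this class or the `users::admin` still generated by `templates/puppet/users.pp.erb` is the live definition.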
diff --git a/puppet/modules/site_users/manifests/backups.pp b/puppet/modules/site_users/manifests/backups.pp
new file mode 100644
index 0000000..aab00f9
--- /dev/null
+++ b/puppet/modules/site_users/manifests/backups.pp
@@ -0,0 +1,3 @@
+class site_users::backup inherits user {
+ # define third-party hosted backup users here
+}
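Review bot: The file is named `backups.pp` but defines `class site_users::backup`, so Puppet's autoloader looks for it in `site_users/manifests/backup.pp` and will not find the class unless the file is imported explicitly. Rename the file to `backup.pp` or the class to `site_users::backups` so they agree. The same cross-module `inherits user` noted for admin.pp applies here.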
diff --git a/puppet/modules/site_users/manifests/init.pp b/puppet/modules/site_users/manifests/init.pp
new file mode 100644
index 0000000..b3c656a
--- /dev/null
+++ b/puppet/modules/site_users/manifests/init.pp
@@ -0,0 +1,2 @@
+class site_users {
+}
diff --git a/puppet/modules/site_users/manifests/virtual.pp b/puppet/modules/site_users/manifests/virtual.pp
new file mode 100644
index 0000000..20aba01
--- /dev/null
+++ b/puppet/modules/site_users/manifests/virtual.pp
@@ -0,0 +1,3 @@
+class site_users::virtual inherits user {
+ # define custom users here
+}
diff --git a/puppet/manifests/classes/websites.pp b/puppet/modules/site_websites/manifests/admin.pp
index 35f27c6..0be3a94 100644
--- a/puppet/manifests/classes/websites.pp
+++ b/puppet/modules/site_websites/manifests/admin.pp
@@ -1,4 +1,4 @@
-class websites::admin inherits websites::hosting::admin {
+class site_websites::admin inherits websites::hosting::admin {
# An administrative Trac instance
#apache::site { "admin":
# docroot => "${apache::sites_folder}/admin/trac/htdocs",
@@ -23,20 +23,3 @@ class websites::admin inherits websites::hosting::admin {
tag => 'all',
}
}
-
-class websites inherits websites::hosting {
- # Website definitions: always use tagged resources
-
- #apache::site { "site":
- # source => true,
- # ticket => '001',
- # docroot => '/var/www/site',
- # tag => 'all',
- #}
-
- #database::instance { "site":
- # password => 'xxx',
- # tag => 'all',
- #}
-
-}
diff --git a/puppet/modules/site_websites/manifests/init.pp b/puppet/modules/site_websites/manifests/init.pp
new file mode 100644
index 0000000..c98ca7d
--- /dev/null
+++ b/puppet/modules/site_websites/manifests/init.pp
@@ -0,0 +1,21 @@
+class site_websites inherits websites::hosting {
+ # Website definitions: always use tagged resources
+ apache::site { "git":
+ source => true,
+ docroot => '/var/git/repositories',
+ mpm => false,
+ tag => 'all',
+ }
+
+ #apache::site { "site":
+ # source => true,
+ # ticket => '001',
+ # docroot => '/var/www/site',
+ # tag => 'all',
+ #}
+
+ #database::instance { "site":
+ # password => 'xxx',
+ # tag => 'all',
+ #}
+}
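Review bot: `apache::site { "git": docroot => '/var/git/repositories' }` serves the bare repository tree as a document root; together with the cgit vhost template in this commit (`Options +ExecCGI`, `Allow from all` on that same path) this exposes repository internals such as `hooks/` and `config` over HTTP unless `apache::site` adds restrictions not visible here. Add a comment stating the intent, e.g. `# docroot is the bare repo tree; everything not an existing file is routed to cgit.cgi`, and confirm that direct file access is denied. `mpm => false` and `source => true` are module-specific knobs that deserve a one-line explanation each.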
diff --git a/puppet/puppet.conf b/puppet/puppet.conf
index 81c47ed..ea5ed0e 100644
--- a/puppet/puppet.conf
+++ b/puppet/puppet.conf
@@ -1,30 +1,4 @@
[main]
-logdir = /var/log/puppet
-vardir = /var/lib/puppetmaster
-ssldir = $vardir/ssl
-rundir = /var/run/puppet
-factpath = $vardir/lib/facter
-pluginsync = true
-
-[master]
-templatedir = $vardir/templates
-masterport = 8140
-autosign = false
-storeconfigs = true
-dbadapter = sqlite3
-#dbadapter = mysql
-#dbserver = localhost
-#dbuser = puppet
-#dbpassword = hackme
-dbconnections = 15
-certname = puppet.vagrantup.com
-ssl_client_header = SSL_CLIENT_S_DN
-ssl_client_verify_header = SSL_CLIENT_VERIFY
-
-[agent]
-server = puppet.vagrantup.com
-vardir = /var/lib/puppet
-ssldir = $vardir/ssl
-runinterval = 7200
-puppetport = 8139
-configtimeout = 300
+ thin_storeconfigs = true
+ storeconfigs = true
+ dbadapter = sqlite3
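Review bot: The rewrite keeps `storeconfigs = true` with `dbadapter = sqlite3` but no longer sets `vardir` or a `dblocation`, so the SQLite store of exported resources lands in puppet's default state directory with whatever ownership it inherits; exported resources frequently carry credentials, so set the location explicitly and comment on who may read it, e.g. `# exported resources may contain secrets: keep this file root-only` above `dblocation = $statedir/clientconfigs.sqlite3`. Dropping the `[master]`/`[agent]` sections (including `autosign = false`) is consistent with common.yaml switching to `puppet_mode: 'apply'`, but a header comment `# apply-mode only: master/agent settings intentionally removed` would prevent them being re-added unthinkingly. The three keys are indented by one space, which puppet tolerates but other INI readers may not; keep them in column 0 under `[main]`.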
diff --git a/puppet/templates/apache/vhosts/cgit.erb b/puppet/templates/apache/vhosts/cgit.erb
new file mode 100644
index 0000000..d2d393d
--- /dev/null
+++ b/puppet/templates/apache/vhosts/cgit.erb
@@ -0,0 +1,30 @@
+# begin vhost for cgit
+<VirtualHost *:80>
+ ServerName git.<%= domain %>
+ ServerAlias gitweb.<%= domain %>
+
+ ServerSignature Off
+
+ Alias /cgit.css /var/www/htdocs/cgit/cgit.css
+ Alias /cgit.png /var/www/htdocs/cgit/cgit.png
+
+ ScriptAlias /cgi-bin/ /var/www/htdocs/cgit/
+
+ DocumentRoot /var/git/repositories
+ <Directory /var/git/repositories>
+ AllowOverride None
+ Options +ExecCGI
+ Order allow,deny
+ Allow from all
+
+ DirectoryIndex /cgi-bin/cgit.cgi
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^.*$ /cgi-bin/cgit.cgi/$0 [L,PT]
+ </Directory>
+
+ ErrorLog /var/log/apache2/cgit.openezx.org/error.log
+ CustomLog /var/log/apache2/cgit.openezx.org/access.log common
+</VirtualHost>
+# end vhost for git
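Review bot: `ErrorLog` and `CustomLog` point at `/var/log/apache2/cgit.openezx.org/`, a hard-coded foreign hostname that does not match `git.<%= domain %>` and looks copied from an upstream example; Apache refuses to start if that directory is missing, so use `/var/log/apache2/git.<%= domain %>/` and make sure the directory is managed. `Options +ExecCGI` with `Allow from all` on `DocumentRoot /var/git/repositories` makes any file under the repositories that matches a CGI handler executable, and requests that hit an existing file (`!-f` skips the rewrite) serve repository internals directly; tighten with `Options None` in the `<Directory>` and leave ExecCGI to the `/cgi-bin/` ScriptAlias. `Order allow,deny` / `Allow from all` is 2.2 syntax and needs `Require all granted` on Apache 2.4. The closing comment says `end vhost for git` while the opening says `cgit`.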
diff --git a/puppet/templates/apache/vhosts/git.erb b/puppet/templates/apache/vhosts/git.erb
index 25aecd1..89173ac 100644
--- a/puppet/templates/apache/vhosts/git.erb
+++ b/puppet/templates/apache/vhosts/git.erb
@@ -3,6 +3,7 @@
# Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian
ServerName git.<%= domain %>
+ ServerAlias gitweb.<%= domain %>
SetEnv GITWEB_CONFIG /etc/gitweb.conf
HeaderName HEADER
DocumentRoot /var/git/repositories
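Review bot: This gitweb vhost and the new `cgit.erb` in the same commit both declare `ServerName git.<%= domain %>` and `ServerAlias gitweb.<%= domain %>`, so if both are enabled Apache silently serves whichever loads first and the other becomes dead configuration. Give each frontend its own name (e.g. keep `gitweb.` here and `git.` for cgit) or add a comment stating that only one of the two templates is ever deployed. The enclosing `<VirtualHost>` block starts and ends outside the hunk.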
diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb
index 4e9fa7d..8beff14 100644
--- a/puppet/templates/etc/nginx/domain.erb
+++ b/puppet/templates/etc/nginx/domain.erb
@@ -111,6 +111,7 @@ server {
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;
# Set the max size for file uploads
client_max_body_size 100M;
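Review bot: Adding `ssl_dhparam` only helps if `/etc/ssl/dhparams/dhparams_2048.pem` exists on every host that renders this template, and nginx refuses to start when it does not; the file should be managed by the same manifest (or generated during provisioning with `openssl dhparam -out /etc/ssl/dhparams/dhparams_2048.pem 2048`) and that dependency noted in a comment above the directive. The unchanged line just above, `ssl_protocols SSLv3 TLSv1;`, still permits SSLv3, which undercuts the stronger DH parameters; `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is the minimal fix, though that line is outside what this commit changes. The enclosing `server` block starts and ends outside the hunk.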
diff --git a/puppet/templates/puppet/users.pp.erb b/puppet/templates/puppet/users.pp.erb
index 55a2706..3b7c857 100644
--- a/puppet/templates/puppet/users.pp.erb
+++ b/puppet/templates/puppet/users.pp.erb
@@ -7,14 +7,6 @@ class users::backup inherits user {
}
class users::admin inherits user {
-
- # Reprepro group needed for web nodes
- #if !defined(Group["reprepro"]) {
- # group { "reprepro":
- # ensure => present,
- # }
- #}
-
# root user and password
user::manage { "root":
tag => "admin",