11 files changed, 361 insertions, 0 deletions
diff --git a/puppet/templates/puppet/auth.conf.erb b/puppet/templates/puppet/auth.conf.erb
new file mode 100644
index 0000000..96f078c
--- /dev/null
+++ b/puppet/templates/puppet/auth.conf.erb
@@ -0,0 +1,120 @@
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
+#
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
+# description of auth.conf's behavior.
+#
+# Supported syntax:
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
+#
+# Example Stanza
+# ---------------------------------
+# path /path/to/resource     # simple prefix match
+# # path ~ regex             # alternately, regex match
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
+#
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
+#
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
+#
+# Examples:
+#
+# path ~ ^/path/to/resource    # Equivalent to `path /path/to/resource`.
+# allow *                      # Allow all authenticated nodes (since auth
+#                              # defaults to `yes`).
+#
+# path ~ ^/catalog/([^/]+)$    # Permit nodes to access their own catalog (by
+# allow $1                     # certname), but not any other node's catalog.
+#
+# path ~ ^/file_(metadata|content)/extra_files/  # Only allow certain nodes to
+# auth yes                                       # access the "extra_files"
+# allow /^(.+)\.example\.com$/                   # mount point; note this must
+# allow_ip 192.168.100.0/24                      # go ABOVE the "/file" rule,
+#                                                # since it is more specific.
+#
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /file
+allow *
+
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
+path /certificate/ca
+auth any
+method find
+allow *
+
+# allow nodes to retrieve the certificate they requested earlier
+path /certificate/
+auth any
+method find
+allow *
+
+# allow nodes to request a new certificate
+path /certificate_request
+auth any
+method find, save
+allow *
+
+path /v2.0/environments
+method find
+allow *
+
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
+path /
+auth any
diff --git a/puppet/templates/puppet/fileserver.conf.erb b/puppet/templates/puppet/fileserver.conf.erb
new file mode 100644
index 0000000..e4d6e0a
--- /dev/null
+++ b/puppet/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,21 @@
+# See http://docs.puppetlabs.com/guides/file_serving.html
+
+# Files
+[files]
+  path /etc/puppet/files
+  allow *.<%= base_domain %>
+
+# SSL keys
+[ssl]
+  path /etc/puppet/keys/ssl
+  deny *
+
+# SSH keys
+[ssh]
+  path /etc/puppet/keys/ssh/%h
+  allow *
+
+# Public keys
+[pubkeys]
+  path /etc/puppet/keys/public
+  allow *
diff --git a/puppet/templates/puppet/master.pp.erb b/puppet/templates/puppet/master.pp.erb
new file mode 100644
index 0000000..5865723
--- /dev/null
+++ b/puppet/templates/puppet/master.pp.erb
@@ -0,0 +1,10 @@
+node '<%= hostname %>-master.<%= domain %>' {
+  $main_master    = true
+  include nodo::master
+
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/puppet/templates/puppet/nodes.pp.erb b/puppet/templates/puppet/nodes.pp.erb
new file mode 100644
index 0000000..4acddc6
--- /dev/null
+++ b/puppet/templates/puppet/nodes.pp.erb
@@ -0,0 +1,14 @@
+#
+# Node definitions.
+#
+
+<%- if first_nodes == 'present' then -%>
+import "nodes/<%= first_hostname %>.pp"
+import "nodes/<%= first_hostname %>-master.pp"
+import "nodes/<%= first_hostname %>-proxy.pp"
+import "nodes/<%= first_hostname %>-web.pp"
+import "nodes/<%= first_hostname %>-storage.pp"
+import "nodes/<%= first_hostname %>-test.pp"
+<%- else -%>
+#import "nodes/example.pp"
+<%- end -%>
diff --git a/puppet/templates/puppet/proxy.pp.erb b/puppet/templates/puppet/proxy.pp.erb
new file mode 100644
index 0000000..908c2ec
--- /dev/null
+++ b/puppet/templates/puppet/proxy.pp.erb
@@ -0,0 +1,53 @@
+node '<%= hostname %>-proxy.<%= domain %>' {
+  #$mail_delivery = 'tunnel'
+  #$mail_hostname = 'mail'
+  #$mail_ssh_port = '2202'
+
+  include nodo::proxy
+
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+  # reference to admin vserver
+  host { "<%= hostname %>-master":
+    ensure       => present,
+    ip           => "192.168.0.2",
+    host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
+    notify       => Service["nginx"],
+  }
+
+  # reference to proxy vserver
+  #host { "<%= hostname %>-proxy":
+  #  ensure       => present,
+  #  ip           => "192.168.0.3",
+  #  host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
+  #  notify       => Service["nginx"],
+  #}
+
+  # reference to web vserver
+  host { "<%= hostname %>-web":
+    ensure       => present,
+    ip           => "192.168.0.4",
+    host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
+    notify       => Service["nginx"],
+  }
+
+  # reference to storage vserver
+  host { "<%= hostname %>-storage":
+    ensure       => present,
+    ip           => "192.168.0.5",
+    host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
+    notify       => Service["nginx"],
+  }
+
+  # reference to test vserver
+  host { "<%= hostname %>-test":
+    ensure       => present,
+    ip           => "192.168.0.6",
+    host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
+    notify       => Service["nginx"],
+  }
+
+}
diff --git a/puppet/templates/puppet/puppet.conf.erb b/puppet/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..e2751ca
--- /dev/null
+++ b/puppet/templates/puppet/puppet.conf.erb
@@ -0,0 +1,30 @@
+[main]
+logdir                   = /var/log/puppet
+vardir                   = /var/lib/puppetmaster
+ssldir                   = $vardir/ssl
+rundir                   = /var/run/puppet
+factpath                 = $vardir/lib/facter
+pluginsync               = true
+
+[master]
+templatedir              = $vardir/templates
+masterport               = 8140
+autosign                 = false
+storeconfigs             = true
+dbadapter                = sqlite3
+#dbadapter                = mysql
+#dbserver                 = localhost
+#dbuser                   = puppet
+#dbpassword               = <%= db_password %>
+dbconnections            = 15
+certname                 = puppet.<%= base_domain %>
+ssl_client_header        = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server                   = puppet.<%= base_domain %>
+vardir                   = /var/lib/puppet
+ssldir                   = $vardir/ssl
+runinterval              = 7200
+puppetport               = 8139
+configtimeout            = 300
diff --git a/puppet/templates/puppet/server.pp.erb b/puppet/templates/puppet/server.pp.erb
new file mode 100644
index 0000000..fcd21e0
--- /dev/null
+++ b/puppet/templates/puppet/server.pp.erb
@@ -0,0 +1,41 @@
+node '<%= hostname %>.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+  $shorewall_dmz          = true
+  $resolvconf_nameservers = $opendns_nameservers
+  $has_ups                = false
+  include nodo::server
+
+  #
+  # Linux-VServers
+  #
+  #nodo::vserver::instance { "<%= hostname %>-master":
+  #  context      => '2',
+  #  puppetmaster => true,
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-proxy":
+  #  context => '3',
+  #  proxy   => true,
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-web":
+  #  context => '4',
+  #  gitd    => true,
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-storage":
+  #  context      => '5',
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-test":
+  #  context => '6',
+  #  memory_limit => 500,
+  #}
+
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10105",
+  #}
+}
diff --git a/puppet/templates/puppet/storage.pp.erb b/puppet/templates/puppet/storage.pp.erb
new file mode 100644
index 0000000..be93335
--- /dev/null
+++ b/puppet/templates/puppet/storage.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-storage.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+
+  include nodo::storage
+
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/puppet/templates/puppet/test.pp.erb b/puppet/templates/puppet/test.pp.erb
new file mode 100644
index 0000000..816eca9
--- /dev/null
+++ b/puppet/templates/puppet/test.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-test.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+
+  include nodo::test
+
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/puppet/templates/puppet/users.pp.erb b/puppet/templates/puppet/users.pp.erb
new file mode 100644
index 0000000..55a2706
--- /dev/null
+++ b/puppet/templates/puppet/users.pp.erb
@@ -0,0 +1,33 @@
+class users::virtual inherits user {
+  # define custom users here
+}
+
+class users::backup inherits user {
+  # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+  # Reprepro group needed for web nodes
+  #if !defined(Group["reprepro"]) {
+  #  group { "reprepro":
+  #    ensure => present,
+  #  }
+  #}
+
+  # root user and password
+  user::manage { "root":
+    tag      => "admin",
+    homedir  => '/root',
+    password => '<%= root_password %>',
+  }
+
+  # first user config
+  user::manage { "<%= first_user %>":
+    tag      => "admin",
+    groups   => [ "sudo", ],
+    password => '<%= first_user_password %>',
+    sshkey   => [ "<%= first_user_sshkey %>" ],
+  }
+
+}
diff --git a/puppet/templates/puppet/web.pp.erb b/puppet/templates/puppet/web.pp.erb
new file mode 100644
index 0000000..afc328b
--- /dev/null
+++ b/puppet/templates/puppet/web.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-web.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+
+  include nodo::web
+
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}