diff options
Diffstat (limited to 'puppet')
81 files changed, 2954 insertions, 0 deletions
diff --git a/puppet/.gitignore b/puppet/.gitignore new file mode 100644 index 0000000..ce9693b --- /dev/null +++ b/puppet/.gitignore @@ -0,0 +1,2 @@ +modules/* +.vagrant diff --git a/puppet/.mrconfig b/puppet/.mrconfig new file mode 100644 index 0000000..5c24dc7 --- /dev/null +++ b/puppet/.mrconfig @@ -0,0 +1,255 @@ + +[puppet/modules/apache] +checkout = git clone git://git.fluxo.info/puppet-apache.git apache + +[puppet/modules/apcupsd] +checkout = git clone git://git.fluxo.info/puppet-apcupsd.git apcupsd + +[puppet/modules/apparmor] +checkout = git clone git://git.fluxo.info/puppet-apparmor.git apparmor + +[puppet/modules/apt] +checkout = git clone git://git.fluxo.info/puppet-apt.git apt + +[puppet/modules/autofs] +checkout = git clone git://git.fluxo.info/puppet-autofs.git autofs + +[puppet/modules/autossh] +checkout = git clone git://git.fluxo.info/puppet-autossh.git autossh + +[puppet/modules/avahi] +checkout = git clone git://git.fluxo.info/puppet-avahi.git avahi + +[puppet/modules/backup] +checkout = git clone git://git.fluxo.info/puppet-backup.git backup + +[puppet/modules/backupninja] +checkout = git clone git://git.fluxo.info/puppet-backupninja.git backupninja + +[puppet/modules/bind] +checkout = git clone git://git.fluxo.info/puppet-bind.git bind + +[puppet/modules/bitcoind] +checkout = git clone git://git.fluxo.info/puppet-bitcoind.git bitcoind + +[puppet/modules/common] +checkout = git clone git://git.fluxo.info/puppet-common.git common + +[puppet/modules/concat] +checkout = git clone git://git.fluxo.info/puppet-concat.git concat + +[puppet/modules/cron] +checkout = git clone git://git.fluxo.info/puppet-cron.git cron + +[puppet/modules/daap_server] +checkout = git clone git://git.fluxo.info/puppet-daap_server.git daap_server + +[puppet/modules/database] +checkout = git clone git://git.fluxo.info/puppet-database.git database + +[puppet/modules/dhcp] +checkout = git clone git://git.fluxo.info/puppet-dhcp.git dhcp + +[puppet/modules/domain_check] +checkout = git clone git://git.fluxo.info/puppet-domain_check.git domain_check + +[puppet/modules/drupal] +checkout = git clone git://git.fluxo.info/puppet-drupal.git drupal + +[puppet/modules/dyndns] +checkout = git clone git://git.fluxo.info/puppet-dyndns.git dyndns + +[puppet/modules/ejabberd] +checkout = git clone git://git.fluxo.info/puppet-ejabberd.git ejabberd + +[puppet/modules/ekeyd] +checkout = git clone git://git.fluxo.info/puppet-ekeyd.git ekeyd + +[puppet/modules/etherpad] +checkout = git clone git://git.fluxo.info/puppet-etherpad.git etherpad + +[puppet/modules/exim] +checkout = git clone git://git.fluxo.info/puppet-exim.git exim + +[puppet/modules/firewall] +checkout = git clone git://git.fluxo.info/puppet-firewall.git firewall + +[puppet/modules/git] +checkout = git clone git://git.fluxo.info/puppet-git.git git + +[puppet/modules/hotglue] +checkout = git clone git://git.fluxo.info/puppet-hotglue.git hotglue + +[puppet/modules/hydra] +checkout = git clone git://git.fluxo.info/puppet-hydra.git hydra + +[puppet/modules/icecast] +checkout = git clone git://git.fluxo.info/puppet-icecast.git icecast + +[puppet/modules/ikiwiki] +checkout = git clone git://git.fluxo.info/puppet-ikiwiki.git ikiwiki + +[puppet/modules/inetd] +checkout = git clone git://git.fluxo.info/puppet-inetd.git inetd + +[puppet/modules/infinoted] +checkout = git clone git://git.fluxo.info/puppet-infinoted.git infinoted + +[puppet/modules/inifile] +checkout = git clone git://git.fluxo.info/puppet-inifile.git inifile + +[puppet/modules/lighttpd] +checkout = git clone git://git.fluxo.info/puppet-lighttpd.git lighttpd + +[puppet/modules/lsb] +checkout = git clone git://git.fluxo.info/puppet-lsb.git lsb + +[puppet/modules/mail] +checkout = git clone git://git.fluxo.info/puppet-mail.git mail + +[puppet/modules/minidlna] +checkout = git clone git://git.fluxo.info/puppet-minidlna.git minidlna + +[puppet/modules/moin] +checkout = git clone git://git.fluxo.info/puppet-moin.git moin + +[puppet/modules/monkeysphere] +checkout = git clone git://git.fluxo.info/puppet-monkeysphere.git monkeysphere + +[puppet/modules/motion] +checkout = git clone git://git.fluxo.info/puppet-motion.git motion + +[puppet/modules/mpd] +checkout = git clone git://git.fluxo.info/puppet-mpd.git mpd + +[puppet/modules/mumble] +checkout = git clone git://git.fluxo.info/puppet-mumble.git mumble + +[puppet/modules/munin] +checkout = git clone git://git.fluxo.info/puppet-munin.git munin + +[puppet/modules/mysql] +checkout = git clone git://git.fluxo.info/puppet-mysql.git mysql + +[puppet/modules/nagios] +checkout = git clone git://git.fluxo.info/puppet-nagios.git nagios + +[puppet/modules/nfs] +checkout = git clone git://git.fluxo.info/puppet-nfs.git nfs + +[puppet/modules/nginx] +checkout = git clone git://git.fluxo.info/puppet-nginx.git nginx + +[puppet/modules/nodo] +checkout = git clone git://git.fluxo.info/puppet-nodo.git nodo + +[puppet/modules/ntp] +checkout = git clone git://git.fluxo.info/puppet-ntp.git ntp + +[puppet/modules/onion] +checkout = git clone git://git.fluxo.info/puppet-onion.git onion + +[puppet/modules/pear] +checkout = git clone git://git.fluxo.info/puppet-pear.git pear + +[puppet/modules/php] +checkout = git clone git://git.fluxo.info/puppet-php.git php + +[puppet/modules/pmwiki] +checkout = git clone git://git.fluxo.info/puppet-pmwiki.git pmwiki + +[puppet/modules/postfix] +checkout = git clone git://git.fluxo.info/puppet-postfix.git postfix + +[puppet/modules/puppet] +checkout = git clone git://git.fluxo.info/puppet-puppet.git puppet + +[puppet/modules/pureftpd] +checkout = git clone git://git.fluxo.info/puppet-pureftpd.git pureftpd + +[puppet/modules/pyroscope] +checkout = git clone git://git.fluxo.info/puppet-pyroscope.git pyroscope + +[puppet/modules/qwebirc] +checkout = git clone git://git.fluxo.info/puppet-qwebirc.git qwebirc + +[puppet/modules/reprepro] +checkout = git clone git://git.fluxo.info/puppet-reprepro.git reprepro + +[puppet/modules/resolvconf] +checkout = git clone git://git.fluxo.info/puppet-resolvconf.git resolvconf + +[puppet/modules/rng-tools] +checkout = git clone git://git.fluxo.info/puppet-rng-tools.git rng-tools + +[puppet/modules/rsync] +checkout = git clone git://git.fluxo.info/puppet-rsync.git rsync + +[puppet/modules/runit] +checkout = git clone git://git.fluxo.info/puppet-runit.git runit + +[puppet/modules/samba] +checkout = git clone git://git.fluxo.info/puppet-samba.git samba + +[puppet/modules/schroot] +checkout = git clone git://git.fluxo.info/puppet-schroot.git schroot + +[puppet/modules/shorewall] +checkout = git clone git://git.fluxo.info/puppet-shorewall.git shorewall + +[puppet/modules/smartmonster] +checkout = git clone git://git.fluxo.info/puppet-smartmonster.git smartmonster + +[puppet/modules/smartmontools] +checkout = git clone git://git.fluxo.info/puppet-smartmontools.git smartmontools + +[puppet/modules/sshd] +checkout = git clone git://git.fluxo.info/puppet-sshd.git sshd + +[puppet/modules/ssl] +checkout = git clone git://git.fluxo.info/puppet-ssl.git ssl + +[puppet/modules/stdlib] +checkout = git clone git://git.fluxo.info/puppet-stdlib.git stdlib + +[puppet/modules/supervisor] +checkout = git clone git://git.fluxo.info/puppet-supervisor.git supervisor + +[puppet/modules/supybot] +checkout = git clone git://git.fluxo.info/puppet-supybot.git supybot + +[puppet/modules/syslog-ng] +checkout = git clone git://git.fluxo.info/puppet-syslog-ng.git syslog-ng + +[puppet/modules/tftp] +checkout = git clone git://git.fluxo.info/puppet-tftp.git tftp + +[puppet/modules/tor] +checkout = git clone git://git.fluxo.info/puppet-tor.git tor + +[puppet/modules/trac] +checkout = git clone git://git.fluxo.info/puppet-trac.git trac + +[puppet/modules/tunnel] +checkout = git clone git://git.fluxo.info/puppet-tunnel.git tunnel + +[puppet/modules/user] +checkout = git clone git://git.fluxo.info/puppet-user.git user + +[puppet/modules/vcsrepo] +checkout = git clone git://git.fluxo.info/puppet-vcsrepo.git vcsrepo + +[puppet/modules/viewvc] +checkout = git clone git://git.fluxo.info/puppet-viewvc.git viewvc + +[puppet/modules/virtual] +checkout = git clone git://git.fluxo.info/puppet-virtual.git virtual + +[puppet/modules/websites] +checkout = git clone git://git.fluxo.info/puppet-websites.git websites + +[puppet/modules/websvn] +checkout = git clone git://git.fluxo.info/puppet-websvn.git websvn + +[puppet/modules/wordpress] +checkout = git clone git://git.fluxo.info/puppet-wordpress.git wordpress diff --git a/puppet/LICENSE b/puppet/LICENSE new file mode 100644 index 0000000..dba13ed --- /dev/null +++ b/puppet/LICENSE @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +<http://www.gnu.org/licenses/>. diff --git a/puppet/Makefile b/puppet/Makefile new file mode 100644 index 0000000..97c4a58 --- /dev/null +++ b/puppet/Makefile @@ -0,0 +1,67 @@ +# +# Puppet Boostrap Makefile by Silvio Rhatto (rhatto at riseup.net). +# +# This Makefile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the Free +# Software Foundation; either version 3 of the License, or any later version. +# +# This Makefile is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program; if not, write to the Free Software Foundation, Inc., 59 Temple +# Place - Suite 330, Boston, MA 02111-1307, USA +# + +CWD = $(shell pwd) +REPO = git://git.fluxo.info/puppet-bootstrap.git +PUPPET = FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --confdir="$(CWD)" --modulepath=modules + +all: deps remote modules config + +deps: + bin/dependencies + +modules: + mr up + +submodules: + bin/submodules + +subtrees: + bin/subtrees + +symlinks: + bin/symlinks $(MODULES) + +remote: + git remote add bootstrap $(REPO) + +hiera/boostrap.yaml: + $(EDITOR) hiera/bootstrap.yaml + +puppet.conf: + mkdir -p $(HOME)/.puppet + $(PUPPET) manifests/bootstrap/configurator.pp + +config: hiera/boostrap.yaml puppet.conf + @true + +apply: + $(PUPPET) manifests/bootstrap/$(stage).pp + +clean: + rm -f auth.conf fileserver.conf puppet.conf + rm -f manifests/classes/users.pp + rm -rf ssl + rm -rf modules + git checkout modules + +post_update: + git config receive.denyCurrentBranch ignore + cd .git/hooks && ln -sf ../../bin/post-update + +post_receive: + git config receive.denyCurrentBranch ignore + cd .git/hooks && ln -sf ../../bin/post-receive diff --git a/puppet/README.md b/puppet/README.md new file mode 100644 index 0000000..bb5375d --- /dev/null +++ b/puppet/README.md @@ -0,0 +1,38 @@ +Puppet Boostrap Module +====================== + +This is a multi-purpose but very specific puppet module which can be used: + +* As the base repository for a puppet infrastructure. +* As a standalone provisioner for boxes, with Vagrant support. +* It can be optionally used together with the Hydra Suite from https://git.fluxo.info/hydra.git + +Setting up a new puppet repository +---------------------------------- + +You'll basically use the `bootstrap` repository as your `puppet` repository: + + git clone git://git.fluxo.info/puppet-bootstrap.git puppet + cd puppet && git tag -v # check integrity + make deps # install dependencies + make submodules # add all needed puppet module as as git submodules + make config # basic configuration + +Using as a standalone provisioner +--------------------------------- + +This will be a `Vagrant` example: + + cd your-project + git clone git://git.fluxo.info/puppet-bootstrap.git puppet # use submodule or subtree as you please + ln -s puppet/Vagrantfile # or copy if you want to customize + ( cd puppet && make modules ) # need the mr binary to download the submodules + vagrant up web # with no arguments, all defined VMs are started + +Using subtrees or symlinks for modules +-------------------------------------- + +You might use `make subtrees` instead of `make submodules`. Also, if you already have +all the modules in a different subtree, use + + make symlinks MODULES=/path/to/puppet/modules diff --git a/puppet/TODO.md b/puppet/TODO.md new file mode 100644 index 0000000..429bd4d --- /dev/null +++ b/puppet/TODO.md @@ -0,0 +1,141 @@ +TODO +==== + +High priority +------------- + +- puppet: masterless: + - keyringer/gpg integration. + - https://github.com/compete/hiera_yamlgpg + - https://github.com/crayfishx/hiera-gpg + - https://github.com/sihil/hiera-eyaml-gpg + - https://github.com/StackExchange/blackbox + - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet + - https://docs.puppetlabs.com/hiera/1/custom_backends.html + - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml + - https://packages.debian.org/jessie/hiera-eyaml + - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?): + - add a monkeysphere auth subkey to every openpgp key used for backups. + - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/ + - http://current.workingdirectory.net/posts/2011/puppet-without-masters/ + - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/ + - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html + - https://github.com/jordansissel/puppet-examples/tree/master/masterless +- sshd: + - https://stribika.github.io/2015/01/04/secure-secure-shell.html + - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60 + - enable ecdsa key. + - ecdsa priority: alternatives: + - unsupport ecdsa in the server. + - export ecdsa pubkeys. + - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`. + - force option via rsync/rdiff handlers. +- virtual: migrate to kvm/libvirt. +- loginrecords: deploy module. +- deploy https://github.com/wido/puppet-module-tcpwrappers +- nodo: + - run stages. + - allow more resources to be declared via hiera. + - fix hiera default boolean value when true. + - easy way to toggle management of subsystems. + +Medium priority +--------------- + +- apt: raspbian support, including unnatended-upgrades. +- backup: + - support for $dombr and $dobios on backupninja::sys for servers and physical machines. + - sync-backups support for rsyncing from kvms / snapshots. +- nodo: + - cleanup and refactor. + - uniform variable names. + - use prompt.sh from bash-prompt as a submodule. +- common: autoload. +- general: + - rollback of commits about charset. + - switch to conf.d: + - php ("refactor" branch), remove E_STRICT from production's error_reporting. + - apache2. + - sudoers. +- backup: `sync-media-iterate [volume]`. +- mail: + - use ssl::dhparams, move to 2048 bit and use the standard file names and paths: + - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012) + +Low priority +------------ + +- merge, review, pull requests for all modules. +- bind: nsupdate / dynamic dns: + - http://linux.yyz.us/nsupdate/ + - http://linux.yyz.us/dns/ddns-server.html + - http://caunter.ca/nsupdate.txt + - http://www.rtfm-sarl.ch/articles/using-nsupdate.html + - https://github.com/skx/dhcp.io/ +- munin: lvm monitoring. +- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed: + - http://wiki.rtorrent.org/MagnetUri + - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/ + - https://github.com/danfolkes/Magnet2Torrent + - http://code.google.com/p/pyroscope/wiki/CommandLineTools + - https://trac.transmissionbt.com/ticket/4176 + - http://wiki.rtorrent.org/MagnetUri + - https://github.com/rakshasa/rtorrent/issues/212 + - saving/restoring `.meta` and `~/rtorrent/.session` files. +- support for http/https proxy inside web nodes: + - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html + - make all apache sites listen to 8080. +- git: + - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html). + - gitweb clean urls. + - email notifications. + - https://packages.debian.org/jessie/git-notifier + - https://github.com/mhagger/git-multimail + - using OpenPGP? +- syslog-ng: use conf.d. +- etherpad: `You need to set a sessionKey value in settings.json`. +- knock integration via https://github.com/juasiepo/knockd +- apache: + - try libapache2-modsecurity. + - deploy https://git.immerda.ch/csp-report/ + - disable other_vhosts_access.log. +- onion: + - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot + - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html +- nagios: snmp, nrpe, nsca + - http://nagios.sourceforge.net/docs/3_0/addons.html + - http://www.math.wisc.edu/~jheim/snmp/ +- ssh access restrictions: + - denyhosts, but we don't want to log IPs. + - using shorewall: http://www.debian-administration.org/articles/250#comment_16 + - alowed users / groups. +- websites: freewvs. +- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963 +- mail: + - review dovecot recipient delimiter handling: to which mailbox messages should be sent? + - mlmmj: + - lists with hyphens are not working when mails are sent directly, but work when sent to an alias. + - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`. +- drupal/wordpress: + - cronjob/cli: switch to site user. + - drupal_update: Do you really want to continue with the update process? (y/n): + Do you really want to continue with the update process? (y/n): Aborting. [cancel], + possibly related to https://www.drupal.org/node/443392 +- php / wordpress / wp-cli: composer installation and dependencies: + - http://getcomposer.org/doc/00-intro.md#installation-nix + - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods + - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`. +- nodo: support for prosody: + - https://github.com/dgoulet/prosody-otr + - http://prosody.im/doc/creating_accounts#importing_from_ejabberd + - config with good score at https://xmpp.net/index.php +- mail: + - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). + - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails. + sent as `root@localhost`. + - deploy https://git.autistici.org/ale/smtp-fp/tree/master + https://github.com/EFForg/starttls-everywhere + - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP + https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616 + - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). diff --git a/puppet/Vagrantfile b/puppet/Vagrantfile new file mode 100644 index 0000000..3ee05e6 --- /dev/null +++ b/puppet/Vagrantfile @@ -0,0 +1,29 @@ +# Vagrantfile API/syntax version. Don't touch unless you know what you're doing! +VAGRANTFILE_API_VERSION = "2" + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + # Every Vagrant virtual environment requires a box to build off of. + config.vm.box = "jessie" + + # Hostname + config.vm.hostname = "puppet-bootstrap.example.org" + + # Shell provisioner to setup basic environment. + config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision" + + # Enable provisioning with Puppet stand alone. + config.vm.provision :puppet do |puppet| + puppet.manifest_file = "bootstrap/vagrant.pp" + puppet.manifests_path = "puppet/manifests" + puppet.module_path = "puppet/modules" + puppet.hiera_config_path = "puppet/hiera.yaml" + puppet.temp_dir = "/etc/puppet" + puppet.working_directory = "/etc/puppet" + end + + # Share hiera configuration. + config.vm.synced_folder "puppet/hiera", "/etc/puppet/hiera" + + # Forwarded ports + #config.vm.network "forwarded_port", guest: 80, host: 8081 +end diff --git a/puppet/auth.conf b/puppet/auth.conf new file mode 100644 index 0000000..47740dc --- /dev/null +++ b/puppet/auth.conf @@ -0,0 +1,99 @@ +# This is an example auth.conf file, it mimics the puppetmasterd defaults +# +# The ACL are checked in order of appearance in this file. +# +# Supported syntax: +# This file supports two different syntax depending on how +# you want to express the ACL. +# +# Path syntax (the one used below): +# --------------------------------- +# path /path/to/resource +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The path is matched as a prefix. That is /file match at +# the same time /file_metadat and /file_content. +# +# Regex syntax: +# ------------- +# This one is differenciated from the path one by a '~' +# +# path ~ regex +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The regex syntax is the same as ruby ones. +# +# Ex: +# path ~ .pp$ +# will match every resource ending in .pp (manifests files for instance) +# +# path ~ ^/path/to/resource +# is essentially equivalent to path /path/to/resource +# +# environment:: restrict an ACL to a specific set of environments +# method:: restrict an ACL to a specific set of methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +# Allow authenticated nodes to retrieve their own catalogs: + +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow nodes to retrieve their own node definition + +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted: + +path /file +allow * + +# Allow authenticated nodes to access the certificate revocation list: + +path /certificate_revocation_list/ca +method find +allow * + +# Allow authenticated nodes to send reports: + +path /report +method save +allow * + +# Allow unauthenticated access to certificates: + +path /certificate/ca +auth no +method find +allow * + +path /certificate/ +auth no +method find +allow * + +# Allow unauthenticated nodes to submit certificate signing requests: + +path /certificate_request +auth no +method find, save +allow * + +# Deny all other requests: + +path / +auth any diff --git a/puppet/bin/dependencies b/puppet/bin/dependencies new file mode 100755 index 0000000..507145b --- /dev/null +++ b/puppet/bin/dependencies @@ -0,0 +1,28 @@ +#!/bin/bash +# +# Puppet bootstrap dependencies. +# + +# Install a package, thanks to the Hydra Suite. +function provision_package { + if [ -z "$1" ]; then + return + fi + + dpkg -s $1 &> /dev/null + + if [ "$?" == "1" ]; then + echo "Installing package $1..." + DEBIAN_FRONTEND=noninteractive $SUDO apt-get install $1 -y + fi +} + +# Set sudo config +if [ "`whoami`" != 'root' ]; then + SUDO="sudo" +fi + +# Ensure basic packages are installed. +for package in puppet git mr whois; do + provision_package $package +done diff --git a/puppet/bin/deploy b/puppet/bin/deploy new file mode 100755 index 0000000..5d3361b --- /dev/null +++ b/puppet/bin/deploy @@ -0,0 +1,58 @@ +#!/bin/bash +# +# Deploy configuration using puppet. +# + +# Parameters +DIRNAME="`dirname $0`" +BASEDIR="$DIRNAME/.." +DEPLOY_DEPENDENCIES="puppet ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders" + +# Determine hostname +if [ ! -z "$1" ]; then + FQDN="$1" +else + FQDN="`cat /etc/hostname`" +fi + +# Check for manifest +PUPPET_MANIFEST="$BASEDIR/puppet/manifests/nodes/$FQDN.pp" +if [ ! -e "$PUPPET_MANIFEST" ]; then + echo "file not found: $PUPPET_MANIFEST" + exit 1 +fi + +# Install dependencies +source $DIRNAME/dependencies + +# Ensure additional dependencies are installed. +for package in $DEPLOY_DEPENDENCIES; do + provision_package $package +done + +# Parameters that needs dependencies installed +DIST="`facter lsbdistcodename`" + +# Apply patches +if [ -d "$BASEDIR/puppet/files/patches/$DIST" ]; then + ( + # Patches should be generated relativelly to the root folder + cd / + + # Only apply if needed + # Thanks https://unix.stackexchange.com/questions/55780/check-if-a-file-or-folder-has-been-patched-already + for patch in `ls $BASEDIR/puppet/files/patches/$DIST`; do + patch -p0 -N --dry-run --silent < $BASEDIR/puppet/files/patches/$DIST/$patch &> /dev/null + # If the patch has not been applied then the $? which is the exit status + # for last command would have a success status code = 0 + if [ "$?" == "0" ]; then + # Apply the patch + patch -p0 -N < $BASEDIR/puppet/files/patches/$DIST/$patch + fi + done + ) +fi + +# Run puppet apply +PUPPET_OPTS="--confdir=$BASEDIR/puppet --modulepath=$BASEDIR/puppet/modules" +LC_ALL=C $SUDO puppet apply $PUPPET_OPTS $PUPPET_MANIFEST diff --git a/puppet/bin/mrconfig b/puppet/bin/mrconfig new file mode 100755 index 0000000..dc753ac --- /dev/null +++ b/puppet/bin/mrconfig @@ -0,0 +1,29 @@ +#!/bin/bash +# +# Build a mrconfig for the needed modules. +# + +# Parameters +GIT="git.fluxo.info" +URL="https://$GIT/?a=project_index" +CWD="`pwd`" +WORK="`dirname $0`/.." + +# Create a new config +cd $WORK +rm -f .mrconfig +touch .mrconfig + +# Fetch repository list and updtate mrconfig +curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do + folder="`echo $module | sed -e 's/^puppet-//'`" + folder="`basename $folder .git`" + + if [ "$folder" != "bootstrap" ]; then + echo "Processing $folder..." + mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder" + fi +done + +# Teardown +cd $CWD diff --git a/puppet/bin/post-receive b/puppet/bin/post-receive new file mode 100755 index 0000000..996189d --- /dev/null +++ b/puppet/bin/post-receive @@ -0,0 +1,7 @@ +#!/bin/sh + +cd .. +unset GIT_DIR + +git checkout -f +git submodule update --init --recursive diff --git a/puppet/bin/post-update b/puppet/bin/post-update new file mode 100755 index 0000000..48a6a16 --- /dev/null +++ b/puppet/bin/post-update @@ -0,0 +1,16 @@ +#!/bin/sh + +cd .. +unset GIT_DIR + +if [ -d ".git/annex" ]; then + git annex sync +else + git reset HEAD + git checkout -f +fi + +git submodule update --init --recursive + +cd - +exec git update-server-info diff --git a/puppet/bin/provision b/puppet/bin/provision new file mode 100755 index 0000000..16f102f --- /dev/null +++ b/puppet/bin/provision @@ -0,0 +1,35 @@ +#!/bin/bash +# +# Simple shell provisioner for Vagrant instances. +# + +# Parameters +DIRNAME="`dirname $0`" + +# Load dependencies +source $DIRNAME/dependencies + +# Ensure the system is updated. +$SUDO apt-get update && DEBIAN_FRONTEND=noninteractive $SUDO apt-get dist-upgrade -y && $SUDO apt-get autoremove -y && $SUDO apt-get clean + +# Ensure additional dependencies are installed. +for package in usbutils; do + provision_package $package +done + +# Storeconfigs support +for package in ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders; do + provision_package $package +done + +# Link hiera configuration if needed. +if [ ! -h "/etc/puppet/hiera.yaml" ]; then + $SUDO rm -f /etc/puppet/hiera.yaml + $SUDO ln -s $DIRNAME/../hiera/hiera.yaml /etc/puppet/hiera.yaml +fi + +# Link puppet configuration if needed. +if [ ! -h "/etc/puppet/puppet.conf" ]; then + $SUDO rm -f /etc/puppet/puppet.conf + $SUDO ln -s $DIRNAME/../puppet.conf /etc/puppet/puppet.conf +fi diff --git a/puppet/bin/submodules b/puppet/bin/submodules new file mode 100755 index 0000000..3abc46d --- /dev/null +++ b/puppet/bin/submodules @@ -0,0 +1,31 @@ +#!/bin/bash +# +# Setup submodules. +# + +# Parameters +DIRNAME="`dirname $0`" + +# Usage +function usage { + echo "Usage: $1 add-submodules <DIR>" + exit $2 +} + +# Get module list +repos="`grep = $DIRNAME/../.mrconfig | cut -d = -f 2 | cut -d ' ' -f 4`" + +# Add submodules +for repo in $repos; do + module="`basename $repo .git | sed -e s/^puppet-//`" + if [ ! -d "modules/$module" ]; then + echo "Processing puppet module $module..." + git submodule add -f $repo modules/$module + elif [ -e "modules/$module/.git" ]; then + # The puppet module exists and is a git submodule, so update it + ( cd module/$module && git pull origin master ) + fi +done + +# Update all modules +git submodule update --init diff --git a/puppet/bin/subtrees b/puppet/bin/subtrees new file mode 100755 index 0000000..1858a48 --- /dev/null +++ b/puppet/bin/subtrees @@ -0,0 +1,41 @@ +#!/bin/bash +# +# Setup subtrees. +# + +# Parameters +DIRNAME="`dirname $0`" + +# Usage +function usage { + echo "Usage: $1 add-submodules <DIR>" + exit $2 +} + +# Check for git-subtree +if ! which git-subtree &> /dev/null; then + echo "fatal: please install git-subtree" + exit 1 +fi + +# Get module list +repos="`grep = $DIRNAME/../.mrconfig | cut -d = -f 2 | cut -d ' ' -f 4`" + +# Add subtrees +for repo in $repos; do + module="`basename $repo .git | sed -e s/^puppet-//`" + if [ ! -d "modules/$module" ]; then + echo "Processing puppet module $module..." + git remote add $module $repo + git subtree add --prefix modules/$module $module master --squash + elif [ ! -d "modules/$module/.git" ]; then + # The puppet module exists and is a subtree, so update it + if ! git remote | grep -qe "^$module$"; then + git remote add $module $repo + fi + + # Update subtrees + git fetch $module master + git subtree pull --prefix modules/$module $module master --squash + fi +done diff --git a/puppet/bin/symlinks b/puppet/bin/symlinks new file mode 100755 index 0000000..0a221c4 --- /dev/null +++ b/puppet/bin/symlinks @@ -0,0 +1,24 @@ +#!/bin/bash +# +# Setup symlinks. +# + +# Parameters +BASENAME="`basename $0`" +MODULES="$1" + +# Check parameters +if [ -z "$MODULES" ]; then + echo "Usage: $BASENAME <submodules-folder>" + exit 1 +elif [ ! -e "$MODULES" ]; then + echo "Not found: $MODULES" +fi + +# Add module symlinks using absolute folders +for module in `ls $MODULES`; do + if [ "$module" != "bootstrap" ]; then + path="`cd $MODULES/$module && pwd`" + ( cd modules &> /dev/null && ln -sf $path ) + fi +done diff --git a/puppet/files/.empty b/puppet/files/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/files/.empty diff --git a/puppet/files/patches/trusty/puppet-stack-level.md b/puppet/files/patches/trusty/puppet-stack-level.md new file mode 100644 index 0000000..9a3f4d7 --- /dev/null +++ b/puppet/files/patches/trusty/puppet-stack-level.md @@ -0,0 +1,3 @@ +# Puppet stack level patch + +* [Puppet master fails with 'stack level too deep' error when storeconfigs = true](https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1313595). diff --git a/puppet/files/patches/trusty/puppet-stack-level.patch b/puppet/files/patches/trusty/puppet-stack-level.patch new file mode 100644 index 0000000..1d112f7 --- /dev/null +++ b/puppet/files/patches/trusty/puppet-stack-level.patch @@ -0,0 +1,15 @@ +--- /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb.orig 2015-10-19 17:19:13.500193213 -0200 ++++ /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb 2015-10-19 17:19:58.972194943 -0200 +@@ -84,7 +84,11 @@ + end + + def [](param) +- super || parameter(param) ++ if param == 'id' ++ super ++ else ++ super || parameter(param) ++ end + end + + # Make sure this resource is equivalent to the provided Parser resource. diff --git a/puppet/fileserver.conf b/puppet/fileserver.conf new file mode 100644 index 0000000..e777078 --- /dev/null +++ b/puppet/fileserver.conf @@ -0,0 +1,7 @@ +# This file consists of arbitrarily named sections/modules +# defining where files are served from and to whom + +# Files +[files] + path /etc/puppet/files + allow *.vagrantup.com diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml new file mode 120000 index 0000000..5230565 --- /dev/null +++ b/puppet/hiera.yaml @@ -0,0 +1 @@ +hiera/hiera.yaml
\ No newline at end of file diff --git a/puppet/hiera/bootstrap.yaml b/puppet/hiera/bootstrap.yaml new file mode 100644 index 0000000..c4f6bca --- /dev/null +++ b/puppet/hiera/bootstrap.yaml @@ -0,0 +1,44 @@ +--- +# +# Puppet Bootstrap Configuration Parameters. +# +# This file is responsible to set custom values to your new puppet repository +# to reflect the custom configuration for your infrastructure. +# +# This configuration is useful mostly after you cloned the puppet-boostrap module +# and want to configure it to boostrap a whole puppetmaster infrastructure. +# + +# The base domain for your infrastructure. +bootstrap::base_domain: 'vagrantup.com' + +# +# Root password. +# +# Use "mkpasswd -m sha-512" to generate root and first user's passwords. +bootstrap::root::password: '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.' + +# +# First user account +# +# Do not include "ssh-rsa " into the sshkey definition. +bootstrap::first_user: 'vagrant' +bootstrap::first_user::password: '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB' +bootstrap::first_user::sshkey: 'AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==' +bootstrap::first_user::email: '' + +# +# First nodes +# + +# Hostname of the first server +bootstrap:first_hostname: '' + +# Create manifests and config for the first nodes? +bootstrap::first_nodes: false + +# MySQL password +mysql::server::rootpw: 'hackme' + +# Puppet master db password +nodo::role::master::db_password: 'hackme' diff --git a/puppet/hiera/common.yaml b/puppet/hiera/common.yaml new file mode 100644 index 0000000..8a04a26 --- /dev/null +++ b/puppet/hiera/common.yaml @@ -0,0 +1,55 @@ +--- +# +# General +# +nodo::subsystem::apt::include_src: false +nodo::subsystem::apt::use_next_release: false +nodo::subsystem::monitor::use_nagios: false +nodo::subsystem::monitor::address: "%{::fqdn}" + +# +# Firewall +# +firewall::ssl_ratelimit: "s:ssl:200/min:20" +firewall::local_net: false +firewall::local::manage_host: true +firewall::local::manage_iface: false + +# +# Mail +# +mail::sympa::subdomain: "listas" +mail::sympa::lang: "pt_BR" + +# +# Monitoring +# +nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*' + +# +# Wordpress +# +wordpress::locale: 'pt_BR' + +# +# Timezone and ntp +# +ntp::zone: "Brazil/East" +ntp::pool: "south-america.pool.ntp.org" +ntp::servers: + - 'a.ntp.br' + - 'b.ntp.br' + - 'c.ntp.br' + +# +# Nameservers +# +# OpenDNS +nodo::subsystem::resolver::nameservers: + - '208.67.222.222' + - '208.67.220.220' + +# +# Puppet config +# +nodo::base::puppet_mode: 'apply' diff --git a/puppet/hiera/hiera.yaml b/puppet/hiera/hiera.yaml new file mode 100644 index 0000000..a8ae792 --- /dev/null +++ b/puppet/hiera/hiera.yaml @@ -0,0 +1,33 @@ +--- +:backends: + - yaml +:yaml: + # Right now vagrant and puppet are not fully supporting + # a relative datadir. For it to work, we were forced to + # create a manifests/hiera symlink. This should be + # reconsidered in the future. + # + # See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html + :datadir: '%{settings::confdir}/hiera' +:hierarchy: + # + # Put in the secrets folder all sensitive information that + # wont be spread into every system if you're using the Hydra Suite. + # + # We also recommend to leave only encrypted data in your hiera config. + # + - 'secrets/node/%{::clientcert}' + - 'secrets/role/%{::nodo::role}' + - 'secrets/location/%{::nodo::location}' + - 'secrets/domain/%{::domain}' + + # + # All other stuff goes in regular YAML files. + # + - 'node/%{::clientcert}' + - 'role/%{::nodo::role}' + - 'virtual/%{::virtual}' + - 'location/%{::nodo::location}' + - 'domain/%{::domain}' + - bootstrap + - common diff --git a/puppet/hiera/node/puppet-bootstrap.example.org.yaml b/puppet/hiera/node/puppet-bootstrap.example.org.yaml new file mode 100644 index 0000000..c108e7d --- /dev/null +++ b/puppet/hiera/node/puppet-bootstrap.example.org.yaml @@ -0,0 +1,14 @@ +--- +# +# MySQL +# +# The following password is public information and therefore +# shall not be user on production. +mysql::server::rootpw: '9pRfteNbSFFyrHhackme' + +# +# Backup +# +nodo::subsystem::backup::localhost: false +nodo::subsystem::backup::encryptkey: 'none' +nodo::subsystem::backup::password: 'hacked' diff --git a/puppet/keys/public/.empty b/puppet/keys/public/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/keys/public/.empty diff --git a/puppet/keys/ssh/.empty b/puppet/keys/ssh/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/keys/ssh/.empty diff --git a/puppet/keys/ssl/.empty b/puppet/keys/ssl/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/keys/ssl/.empty diff --git a/puppet/manifests/bootstrap/configurator.pp b/puppet/manifests/bootstrap/configurator.pp new file mode 100644 index 0000000..edcbe92 --- /dev/null +++ b/puppet/manifests/bootstrap/configurator.pp @@ -0,0 +1,208 @@ +# +# Puppet Bootstrap Configuration Manifest. +# +# This file is responsible to set custom configuration in the bootstrap +# repository for values set in the hiera configuration. +# +# This manifest is useful mostly after you cloned the puppet-boostrap module +# and want to configure it to boostrap a whole puppetmaster infrastructure. +# + +# +# Basic variables +# +$templates = "$bootstrap_path/templates" +$base_domain = hiera('bootstrap::base_domain', "${::domain}") +$first_hostname = hiera('bootstrap::first_hostname', "${::hostname}") +$first_nodes = hiera('bootstrap::first_nodes', 'absent') +$db_password = hiera('nodo::role::master::db_password', '') +$mysql_rootpw = hiera('mysql::server::rootpw', '') +$root_password = hiera('bootstrap::root::password', '') +$first_user = hiera('bootstrap::first_user', 'user') +$first_user_password = hiera('bootstrap::first_user::password', '') +$first_user_sshkey = hiera('bootstrap::first_user::sshkey', '') +$first_user_email = hiera('bootstrap::first_user::email', 'user@example.org') +$resolvconf_nameservers = hiera('nodo::subsystem::resolver::nameservers', '201.6.2.152:201.6.2.32') +$global_munin_allow = hiera('nodo::munin_node::allow', '192.168.0.[0-9]*') + +# +# Check bootstrap configuration +# + +if ($mysql_rootpw == '') { + alert('You must set mysql::server::rootpw at your configuration') + fail() +} + +if ($db_password == '') { + alert('You must set nodo::role::master::db_password at your configuration') + fail() +} + +if ($root_password == '') { + alert('You must set bootstrap::root::password at your configuration') + fail() +} + +if ($first_user_password == '') { + alert('You must set bootstrap::first_user::password at your configuration') + fail() +} + +# +# Puppet configuration +# +file { "$bootstrap_path/puppet.conf": + ensure => present, + mode => 0644, + content => template("$templates/puppet/puppet.conf.erb"), +} + +# Fileserver configuration +file { "$bootstrap_path/fileserver.conf": + ensure => present, + mode => 0644, + content => template("$templates/puppet/fileserver.conf.erb"), +} + +file { "$bootstrap_path/auth.conf": + ensure => present, + mode => 0644, + content => template("$templates/puppet/auth.conf.erb"), +} + +# +# Basic users +# +file { "$bootstrap_path/modules/site_users/manifests/init.pp": + ensure => present, + mode => 0644, + content => template("$templates/puppet/users.pp.erb"), +} + +# +# Site files +# + +file { "$bootstrap_path/modules/site_apache/files/htdocs/images/README.html": + ensure => present, + mode => 0644, + content => template("$templates/apache/htdocs/images/README.html.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/htdocs/index.html": + ensure => present, + mode => 0644, + content => template("$templates/apache/htdocs/index.html.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/htdocs/missing.html": + ensure => present, + mode => 0644, + content => template("$templates/apache/htdocs/missing.html.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/vhosts/git": + ensure => present, + mode => 0644, + content => template("$templates/apache/vhosts/git.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/vhosts/lists": + ensure => present, + mode => 0644, + content => template("$templates/apache/vhosts/lists.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/vhosts/mail": + ensure => present, + mode => 0644, + content => template("$templates/apache/vhosts/mail.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/vhosts/nagios": + ensure => present, + mode => 0644, + content => template("$templates/apache/vhosts/nagios.erb"), +} + +file { "$bootstrap_path/modules/site_apache/files/vhosts/wiki": + ensure => present, + mode => 0644, + content => template("$templates/apache/vhosts/wiki.erb"), +} + +file { "$bootstrap_path/modules/site_mail/files/aliases": + ensure => present, + mode => 0644, + content => template("$templates/etc/aliases.erb"), +} + +file { "$bootstrap_path/modules/site_nagios/files/htpasswd.users": + ensure => present, + mode => 0644, + content => template("$templates/etc/nagios3/htpasswd.users.erb"), +} + +file { "$bootstrap_path/modules/site_nginx/files/$domain": + ensure => present, + mode => 0644, + content => template("$templates/etc/nginx/domain.erb"), +} + +file { "$bootstrap_path/modules/site_postfix/files/tls_policy": + ensure => present, + mode => 0644, + content => template("$templates/postfix/tls_policy.erb"), +} + +# +# Basic nodes +# +file { "$bootstrap_path/manifests/nodes.pp": + ensure => present, + mode => 0644, + content => template("$templates/puppet/nodes.pp.erb"), +} + +# First host +file { "$bootstrap_path/manifests/nodes/$first_hostname.pp": + ensure => $first_nodes, + mode => 0644, + content => template("$templates/puppet/server.pp.erb"), +} + +# Master node +file { "$bootstrap_path/manifests/nodes/$first_hostname-master.pp": + ensure => $first_nodes, + mode => 0644, + content => template("$templates/puppet/master.pp.erb"), +} + +# Proxy node +file { "$bootstrap_path/manifests/nodes/$first_hostname-proxy.pp": + ensure => $first_nodes, + mode => 0644, + content => template("$templates/puppet/proxy.pp.erb"), +} + +# Web node +file { "$bootstrap_path/manifests/nodes/$first_hostname-web.pp": + ensure => $first_nodes, + mode => 0644, + content => template("$templates/puppet/web.pp.erb"), +} + +# Storage node +file { "$bootstrap_path/manifests/nodes/$first_hostname-storage.pp": + ensure => $first_nodes, + mode => 0644, + content => template("$templates/puppet/storage.pp.erb"), +} + +# Test node +file { "$bootstrap_path/manifests/nodes/$first_hostname-test.pp": + ensure => $first_nodes, + mode => 0644, + content => template("$templates/puppet/test.pp.erb"), +} diff --git a/puppet/manifests/bootstrap/debian.pp b/puppet/manifests/bootstrap/debian.pp new file mode 100644 index 0000000..3038324 --- /dev/null +++ b/puppet/manifests/bootstrap/debian.pp @@ -0,0 +1,10 @@ +# +# This manifest is intended to configure a vagrant +# virtual machine for debian development. +# + +# Import vagrant configuration +import "vagrant.pp" + +# Debian utilities +include nodo::utils::development::debian diff --git a/puppet/manifests/bootstrap/host.pp b/puppet/manifests/bootstrap/host.pp new file mode 100644 index 0000000..5f9c23a --- /dev/null +++ b/puppet/manifests/bootstrap/host.pp @@ -0,0 +1,23 @@ +# +# This manifest is intended to configure the initial +# machine wich will host the first puppetmaster +# virtual machine. +# + +# The server role +class { 'nodo: + role => 'server', +} + +# Creates vserver for administrative node +nodo::vserver::instance { "$hostname-master": + context => '2', + puppetmaster => true, +} + +# Create a host entry for this puppet node +host { "puppet": + ensure => present, + ip => "192.168.0.2", + host_aliases => [ "puppet.$domain", "admin" ], +} diff --git a/puppet/manifests/bootstrap/master.pp b/puppet/manifests/bootstrap/master.pp new file mode 100644 index 0000000..5934d3e --- /dev/null +++ b/puppet/manifests/bootstrap/master.pp @@ -0,0 +1,11 @@ +# +# This manifest is intended to configure the initial +# puppetmaster node. +# +# Once it's running it can setup all the other nodes. +# + +# Include the master node configuration +class { 'nodo': + role => 'master', +} diff --git a/puppet/manifests/bootstrap/vagrant.pp b/puppet/manifests/bootstrap/vagrant.pp new file mode 100644 index 0000000..47305dc --- /dev/null +++ b/puppet/manifests/bootstrap/vagrant.pp @@ -0,0 +1,38 @@ +# +# This manifest is intended to configure a vagrant +# virtual machine. +# + +# +# Class definitions +# + +# Vagrant classes +class { 'nodo': + role => 'vagrant', +} + +# +# LAMP example +# +#include database +# +#class { 'apache': +# default_folder => '/vagrant', +# default_user => 'vagrant', +# default_group => 'vagrant', +#} +# +# If you want to manage another website +#apache::site { "myapp": +# docroot => "/vagrant/", +# server_alias => 'myapp vagrant localhost', +# use => [ "Site myapp" ], +# tag => 'all', +# owner => vagrant, +# group => vagrant, +# mpm_user => vagrant, +# mpm_group => vagrant, +# password => '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD', +# shell => '/bin/bash', +#} diff --git a/puppet/manifests/classes/users.pp b/puppet/manifests/classes/users.pp new file mode 100644 index 0000000..7ebc9a8 --- /dev/null +++ b/puppet/manifests/classes/users.pp @@ -0,0 +1,33 @@ +class users::virtual inherits user { + # define custom users here +} + +class users::backup inherits user { + # define third-party hosted backup users here +} + +class users::admin inherits user { + + # Reprepro group needed for web nodes + #if !defined(Group["reprepro"]) { + # group { "reprepro": + # ensure => present, + # } + #} + + # root user and password (default 'vagrant' passphrase) + user::manage { "root": + tag => "admin", + homedir => '/root', + password => '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.', + } + + # first user config (default 'vagrant' passphrase and pubkey) + user::manage { "vagrant": + tag => "admin", + groups => [ "sudo", ], + password => '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB', + sshkey => [ "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==" ], + } + +} diff --git a/puppet/manifests/hiera b/puppet/manifests/hiera new file mode 120000 index 0000000..ba8aae1 --- /dev/null +++ b/puppet/manifests/hiera @@ -0,0 +1 @@ +../hiera
\ No newline at end of file diff --git a/puppet/manifests/nodes/.empty b/puppet/manifests/nodes/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/manifests/nodes/.empty diff --git a/puppet/manifests/nodes/default.pp b/puppet/manifests/nodes/default.pp new file mode 100644 index 0000000..5ebbf90 --- /dev/null +++ b/puppet/manifests/nodes/default.pp @@ -0,0 +1,3 @@ +node default { + include nodo +} diff --git a/puppet/modules/bootstrap b/puppet/modules/bootstrap new file mode 120000 index 0000000..a96aa0e --- /dev/null +++ b/puppet/modules/bootstrap @@ -0,0 +1 @@ +..
\ No newline at end of file diff --git a/puppet/modules/site_apache/files/htdocs/images/.empty b/puppet/modules/site_apache/files/htdocs/images/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_apache/files/htdocs/images/.empty diff --git a/puppet/modules/site_apache/files/vhosts/.empty b/puppet/modules/site_apache/files/vhosts/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_apache/files/vhosts/.empty diff --git a/puppet/modules/site_apt/files/keys.d/.empty b/puppet/modules/site_apt/files/keys.d/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_apt/files/keys.d/.empty diff --git a/puppet/modules/site_bind/manifests/init.pp b/puppet/modules/site_bind/manifests/init.pp new file mode 100644 index 0000000..7ee08d2 --- /dev/null +++ b/puppet/modules/site_bind/manifests/init.pp @@ -0,0 +1,16 @@ +class site_bind { + # + # See http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html + # http://www.debian-administration.org/articles/355 + + # This is needed so we can comment out the inclusion of + # /etc/bind/named.conf.default-zones + #file { '/etc/bind/named.conf': + # ensure => present, + # owner => root, + # group => root, + # mode => 0644, + # source => 'puppet:///modules/site_bind/named.conf', + # notify => Service['bind9'], + #} +} diff --git a/puppet/modules/site_keys/files/ssl/.empty b/puppet/modules/site_keys/files/ssl/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_keys/files/ssl/.empty diff --git a/puppet/modules/site_mail/files/.empty b/puppet/modules/site_mail/files/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_mail/files/.empty diff --git a/puppet/modules/site_mail/files/aliases b/puppet/modules/site_mail/files/aliases new file mode 100644 index 0000000..08a0723 --- /dev/null +++ b/puppet/modules/site_mail/files/aliases @@ -0,0 +1,14 @@ +# /etc/aliases +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root +usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root +reprepro: root diff --git a/puppet/modules/site_nagios/files/.empty b/puppet/modules/site_nagios/files/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_nagios/files/.empty diff --git a/puppet/modules/site_nginx/files/.empty b/puppet/modules/site_nginx/files/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_nginx/files/.empty diff --git a/puppet/modules/site_postfix/files/.empty b/puppet/modules/site_postfix/files/.empty new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/modules/site_postfix/files/.empty diff --git a/puppet/modules/site_users/manifests/admin.pp b/puppet/modules/site_users/manifests/admin.pp new file mode 100644 index 0000000..14ad9da --- /dev/null +++ b/puppet/modules/site_users/manifests/admin.pp @@ -0,0 +1,16 @@ +class site_users::admin inherits user { + # root user and password + #user::manage { "root": + # tag => "admin", + # homedir => '/root', + # password => '$5$zpdXgIaLKMDckKx9$qTS9WbmS/zylFwPu1orq.779CNnAiA9VoGdFNU94jz/', + #} + + # first user config + #user::manage { "user": + # tag => "admin", + # groups => [ "sudo", ], + # password => '$5$D8kCEIo5/MNCA7Tz$VhGg2MNDs21JzX9HgxSWMupA5GD5MXnKwDuveMSdPH7', + # sshkey => [ "WRONG" ], + #} +} diff --git a/puppet/modules/site_users/manifests/backups.pp b/puppet/modules/site_users/manifests/backups.pp new file mode 100644 index 0000000..aab00f9 --- /dev/null +++ b/puppet/modules/site_users/manifests/backups.pp @@ -0,0 +1,3 @@ +class site_users::backup inherits user { + # define third-party hosted backup users here +} diff --git a/puppet/modules/site_users/manifests/init.pp b/puppet/modules/site_users/manifests/init.pp new file mode 100644 index 0000000..b3c656a --- /dev/null +++ b/puppet/modules/site_users/manifests/init.pp @@ -0,0 +1,2 @@ +class site_users { +} diff --git a/puppet/modules/site_users/manifests/virtual.pp b/puppet/modules/site_users/manifests/virtual.pp new file mode 100644 index 0000000..20aba01 --- /dev/null +++ b/puppet/modules/site_users/manifests/virtual.pp @@ -0,0 +1,3 @@ +class site_users::virtual inherits user { + # define custom users here +} diff --git a/puppet/modules/site_websites/manifests/admin.pp b/puppet/modules/site_websites/manifests/admin.pp new file mode 100644 index 0000000..0be3a94 --- /dev/null +++ b/puppet/modules/site_websites/manifests/admin.pp @@ -0,0 +1,25 @@ +class site_websites::admin inherits websites::hosting::admin { + # An administrative Trac instance + #apache::site { "admin": + # docroot => "${apache::sites_folder}/admin/trac/htdocs", + # use => [ "Trac admin" ], + # redirect_match => "trac", + # mpm => false, + # tag => 'all', + #} + + apache::site { "munin": + docroot => '/var/www/munin', + owner => "munin", + group => "munin", + mpm => false, + tag => 'all', + } + + apache::site { "nagios": + source => true, + docroot => '/usr/share/nagios3/htdocs', + mpm => false, + tag => 'all', + } +} diff --git a/puppet/modules/site_websites/manifests/init.pp b/puppet/modules/site_websites/manifests/init.pp new file mode 100644 index 0000000..c98ca7d --- /dev/null +++ b/puppet/modules/site_websites/manifests/init.pp @@ -0,0 +1,21 @@ +class site_websites inherits websites::hosting { + # Website definitions: always use tagged resources + apache::site { "git": + source => true, + docroot => '/var/git/repositories', + mpm => false, + tag => 'all', + } + + #apache::site { "site": + # source => true, + # ticket => '001', + # docroot => '/var/www/site', + # tag => 'all', + #} + + #database::instance { "site": + # password => 'xxx', + # tag => 'all', + #} +} diff --git a/puppet/puppet.conf b/puppet/puppet.conf new file mode 100644 index 0000000..ea5ed0e --- /dev/null +++ b/puppet/puppet.conf @@ -0,0 +1,4 @@ +[main] + thin_storeconfigs = true + storeconfigs = true + dbadapter = sqlite3 diff --git a/puppet/templates/apache/htdocs/images/README.html.erb b/puppet/templates/apache/htdocs/images/README.html.erb new file mode 100644 index 0000000..4d0f929 --- /dev/null +++ b/puppet/templates/apache/htdocs/images/README.html.erb @@ -0,0 +1,3 @@ +<pre> +When not explicitly mentioned, the use of these images is restricted to <%= base_domain %> +</pre> diff --git a/puppet/templates/apache/htdocs/index.html.erb b/puppet/templates/apache/htdocs/index.html.erb new file mode 100644 index 0000000..6d2d7ea --- /dev/null +++ b/puppet/templates/apache/htdocs/index.html.erb @@ -0,0 +1,9 @@ +<html><head> +<meta http-equiv="refresh" content="1;url=http://<%= domain %>"> +<title><%= domain %></title></head><body> + +<center> + <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p> +</center> + +</body></html> diff --git a/puppet/templates/apache/htdocs/missing.html.erb b/puppet/templates/apache/htdocs/missing.html.erb new file mode 100644 index 0000000..0c95ef3 --- /dev/null +++ b/puppet/templates/apache/htdocs/missing.html.erb @@ -0,0 +1,12 @@ +<html> +<head> +<title>404 - Not Found</title> +</head> +<body> + <center> + <pre> + The address you are trying to reach could not be found. :( + </pre> + </center> +</body> +</html> diff --git a/puppet/templates/apache/vhosts/cgit.erb b/puppet/templates/apache/vhosts/cgit.erb new file mode 100644 index 0000000..d2d393d --- /dev/null +++ b/puppet/templates/apache/vhosts/cgit.erb @@ -0,0 +1,30 @@ +# begin vhost for cgit +<VirtualHost *:80> + ServerName git.<%= domain %> + ServerAlias gitweb.<%= domain %> + + ServerSignature Off + + Alias /cgit.css /var/www/htdocs/cgit/cgit.css + Alias /cgit.png /var/www/htdocs/cgit/cgit.png + + ScriptAlias /cgi-bin/ /var/www/htdocs/cgit/ + + DocumentRoot /var/git/repositories + <Directory /var/git/repositories> + AllowOverride None + Options +ExecCGI + Order allow,deny + Allow from all + + DirectoryIndex /cgi-bin/cgit.cgi + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^.*$ /cgi-bin/cgit.cgi/$0 [L,PT] + </Directory> + + ErrorLog /var/log/apache2/cgit.openezx.org/error.log + CustomLog /var/log/apache2/cgit.openezx.org/access.log common +</VirtualHost> +# end vhost for git diff --git a/puppet/templates/apache/vhosts/git.erb b/puppet/templates/apache/vhosts/git.erb new file mode 100644 index 0000000..89173ac --- /dev/null +++ b/puppet/templates/apache/vhosts/git.erb @@ -0,0 +1,21 @@ +# begin vhost for git +<VirtualHost *:80> + # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian + + ServerName git.<%= domain %> + ServerAlias gitweb.<%= domain %> + SetEnv GITWEB_CONFIG /etc/gitweb.conf + HeaderName HEADER + DocumentRoot /var/git/repositories + Alias /gitweb.css /usr/share/gitweb/gitweb.css + Alias /git-favicon.png /usr/share/gitweb/git-favicon.png + Alias /git-logo.png /usr/share/gitweb/git-logo.png + + ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi + RewriteEngine on + + # Rewrite all other paths that aren't git repo internals to gitweb + RewriteRule ^/$ /gitweb [PT] + RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT] +</VirtualHost> +# end vhost for git diff --git a/puppet/templates/apache/vhosts/lists.erb b/puppet/templates/apache/vhosts/lists.erb new file mode 100644 index 0000000..158dfd4 --- /dev/null +++ b/puppet/templates/apache/vhosts/lists.erb @@ -0,0 +1,22 @@ +# begin vhost for lists.<%= domain %> +<VirtualHost *:80> + ServerName lists.<%= domain %> + DocumentRoot /var/www/data/lists + + RedirectMatch ^/$ https://lists.<%= domain %>/wws + Alias /static-sympa /var/lib/sympa/static_content + Alias /wwsicons /usr/share/sympa/icons + ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi + + <IfModule mod_fcgid.c> + IPCCommTimeout 120 + MaxProcessCount 2 + </IfModule> + + SuexecUserGroup sympa sympa + + <Location /wws> + SetHandler fcgid-script + </Location> +</VirtualHost> +# end vhost for lists.<%= domain %> diff --git a/puppet/templates/apache/vhosts/mail.erb b/puppet/templates/apache/vhosts/mail.erb new file mode 100644 index 0000000..3badcf0 --- /dev/null +++ b/puppet/templates/apache/vhosts/mail.erb @@ -0,0 +1,72 @@ +# begin vhost for mail.<%= domain > +<VirtualHost *:80> + ServerName mail.<%= domain > + #DocumentRoot /usr/share/squirrelmail + DocumentRoot /var/lib/roundcube + + # begin squirrel config + <Directory /usr/share/squirrelmail> + Options Indexes FollowSymLinks + <IfModule mod_php4.c> + php_flag register_globals off + </IfModule> + <IfModule mod_php5.c> + php_flag register_globals off + </IfModule> + <IfModule mod_dir.c> + DirectoryIndex index.php + </IfModule> + + # access to configtest is limited by default to prevent information leak + <Files configtest.php> + order deny,allow + deny from all + allow from 127.0.0.1 + </Files> + </Directory> + # end squirrel config + + # begin roundcube config + # Access to tinymce files + Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/ + Alias /roundcube /var/lib/roundcube + + <Directory "/usr/share/tinymce/www/"> + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order allow,deny + allow from all + </Directory> + + <Directory /var/lib/roundcube/> + Options +FollowSymLinks + # This is needed to parse /var/lib/roundcube/.htaccess. See its + # content before setting AllowOverride to None. + AllowOverride All + order allow,deny + allow from all + </Directory> + + # Protecting basic directories: + <Directory /var/lib/roundcube/config> + Options -FollowSymLinks + AllowOverride None + </Directory> + + <Directory /var/lib/roundcube/temp> + Options -FollowSymLinks + AllowOverride None + Order allow,deny + Deny from all + </Directory> + + <Directory /var/lib/roundcube/logs> + Options -FollowSymLinks + AllowOverride None + Order allow,deny + Deny from all + </Directory> + # end roundcube config + +</VirtualHost> +# end vhost for mail.<%= domain > diff --git a/puppet/templates/apache/vhosts/nagios.erb b/puppet/templates/apache/vhosts/nagios.erb new file mode 100644 index 0000000..8b3d252 --- /dev/null +++ b/puppet/templates/apache/vhosts/nagios.erb @@ -0,0 +1,61 @@ +# begin vhost for nagios +<VirtualHost *:80> + ServerName nagios.<%= domain > + DocumentRoot /usr/share/nagios3/htdocs + + # apache configuration for nagios 3.x + # note to users of nagios 1.x and 2.x: + # throughout this file are commented out sections which preserve + # backwards compatibility with bookmarks/config forî<80><80>older nagios versios. + # simply look for lines following "nagios 1.x:" and "nagios 2.x" comments. + + ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3 + ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3 + # nagios 1.x: + #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3 + #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3 + # nagios 2.x: + #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3 + #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3 + + # Where the stylesheets (config files) reside + Alias /nagios3/stylesheets /etc/nagios3/stylesheets + # nagios 1.x: + #Alias /nagios/stylesheets /etc/nagios3/stylesheets + # nagios 2.x: + #Alias /nagios2/stylesheets /etc/nagios3/stylesheets + + # Where the HTML pages live + Alias /nagios3 /usr/share/nagios3/htdocs + # nagios 2.x: + #Alias /nagios2 /usr/share/nagios3/htdocs + # nagios 1.x: + #Alias /nagios /usr/share/nagios3/htdocs + + <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)> + Options FollowSymLinks + + DirectoryIndex index.html + + AllowOverride AuthConfig + Order Allow,Deny + Allow From All + + AuthName "Nagios Access" + AuthType Basic + AuthUserFile /etc/nagios3/htpasswd.users + # nagios 1.x: + #AuthUserFile /etc/nagios/htpasswd.users + require valid-user + </DirectoryMatch> + + # Enable this ScriptAlias if you want to enable the grouplist patch. + # See http://apan.sourceforge.net/download.html for more info + # It allows you to see a clickable list of all hostgroups in the + # left pane of the Nagios web interface + # XXX This is not tested for nagios 2.x use at your own peril + #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi + # nagios 1.x: + #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi +</VirtualHost> +# end vhost for nagios diff --git a/puppet/templates/apache/vhosts/wiki.erb b/puppet/templates/apache/vhosts/wiki.erb new file mode 100644 index 0000000..56e395b --- /dev/null +++ b/puppet/templates/apache/vhosts/wiki.erb @@ -0,0 +1,17 @@ +# begin vhost for wiki.<%= domain > +<VirtualHost *:80> + ServerName wiki.<%= domain > + DocumentRoot /var/www/data/wiki + + # begin wiki config + <Directory /var/www/data/wiki> + Options Indexes Includes FollowSymLinks MultiViews + AllowOverride All + </Directory> + # end wiki config + + <IfModule mpm_itk_module> + AssignUserId wiki wiki + </IfModule> +</VirtualHost> +# end vhost for wiki.<%= domain > diff --git a/puppet/templates/etc/aliases.erb b/puppet/templates/etc/aliases.erb new file mode 100644 index 0000000..f520f68 --- /dev/null +++ b/puppet/templates/etc/aliases.erb @@ -0,0 +1,15 @@ +# /etc/aliases +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root +usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root +reprepro: root +root: <%= first_user_email %> diff --git a/puppet/templates/etc/nagios3/htpasswd.users.erb b/puppet/templates/etc/nagios3/htpasswd.users.erb new file mode 100644 index 0000000..c21d493 --- /dev/null +++ b/puppet/templates/etc/nagios3/htpasswd.users.erb @@ -0,0 +1 @@ +nagiosadmin:0FCabjvUTHvxF diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb new file mode 100644 index 0000000..8beff14 --- /dev/null +++ b/puppet/templates/etc/nginx/domain.erb @@ -0,0 +1,173 @@ +# <%= domain %> proxy config + +# Set the max size for file uploads +client_max_body_size 100M; + +# SNI Configuration +server { + listen 443 default; + server_name _; + ssl on; + ssl_certificate /etc/ssl/certs/blank.crt; + ssl_certificate_key /etc/ssl/private/blank.pem; + return 403; +} + +server { + # see config tips at + # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/ + + # Don't log anything + access_log /dev/null; + error_log /dev/null; + + # simple reverse-proxy + listen 80; + server_name *.<%= domain %> <%= domain %> + + # enable HSTS header + add_header Strict-Transport-Security "max-age=15768000; includeSubdomains"; + + # https redirection by default + rewrite ^(.*) https://$host$1 redirect; + + # rewrite rules for backups.<%= domain %> + #if ($host ~* ^backups\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for admin.<%= domain %> + #if ($host ~* ^admin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for munin.<%= domain %> + #if ($host ~* ^munin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for trac.<%= domain %> + #if ($host ~* ^trac\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for nagios.<%= domain %> + #if ($host ~* ^nagios\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for htpasswd.<%= domain %> + #if ($host ~* ^htpasswd\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for postfixadmin.<%= domain %> + #if ($host ~* ^postfixadmin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for mail.<%= domain %> + #if ($host ~* ^mail\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for lists.<%= domain %> + #if ($host ~* ^lists\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # pass requests for dynamic content + location / { + proxy_set_header Host $http_host; + proxy_pass http://weblocal:80; + } + +} + +server { + # https reverse proxy + listen 443; + server_name *.<%= domain %> <%= domain %>; + + # Don't log anything + access_log /dev/null; + error_log /dev/null; + + ssl on; + ssl_certificate /etc/ssl/certs/cert.crt; + ssl_certificate_key /etc/ssl/private/cert.pem; + + ssl_session_timeout 5m; + + ssl_protocols SSLv3 TLSv1; + ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH; + ssl_prefer_server_ciphers on; + ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem; + + # Set the max size for file uploads + client_max_body_size 100M; + + location / { + # preserve http header and set forwarded proto + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + + proxy_read_timeout 120; + proxy_connect_timeout 120; + + # rewrite rules for admin.<%= domain %> + if ($host ~* ^admin\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for munin.<%= domain %> + if ($host ~* ^munin\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for trac.<%= domain %> + if ($host ~* ^trac\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for nagios.<%= domain %> + if ($host ~* ^nagios\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for postfixadmin.<%= domain %> + if ($host ~* ^postfixadmin\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # rewrite rules for mail.<%= domain %> + if ($host ~* ^mail\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # rewrite rules for lists.<%= domain %> + if ($host ~* ^lists\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # default proxy pass + proxy_pass http://weblocal:80; + } + +} diff --git a/puppet/templates/postfix/tls_policy.erb b/puppet/templates/postfix/tls_policy.erb new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/puppet/templates/postfix/tls_policy.erb diff --git a/puppet/templates/puppet/auth.conf.erb b/puppet/templates/puppet/auth.conf.erb new file mode 100644 index 0000000..96f078c --- /dev/null +++ b/puppet/templates/puppet/auth.conf.erb @@ -0,0 +1,120 @@ +# This is the default auth.conf file, which implements the default rules +# used by the puppet master. (That is, the rules below will still apply +# even if this file is deleted.) +# +# The ACLs are evaluated in top-down order. More specific stanzas should +# be towards the top of the file and more general ones at the bottom; +# otherwise, the general rules may "steal" requests that should be +# governed by the specific rules. +# +# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete +# description of auth.conf's behavior. +# +# Supported syntax: +# Each stanza in auth.conf starts with a path to match, followed +# by optional modifiers, and finally, a series of allow or deny +# directives. +# +# Example Stanza +# --------------------------------- +# path /path/to/resource # simple prefix match +# # path ~ regex # alternately, regex match +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|backreference|*|regex] +# deny [host|backreference|*|regex] +# allow_ip [ip|cidr|ip_wildcard|*] +# deny_ip [ip|cidr|ip_wildcard|*] +# +# The path match can either be a simple prefix match or a regular +# expression. `path /file` would match both `/file_metadata` and +# `/file_content`. Regex matches allow the use of backreferences +# in the allow/deny directives. +# +# The regex syntax is the same as for Ruby regex, and captures backreferences +# for use in the `allow` and `deny` lines of that stanza +# +# Examples: +# +# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). +# +# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. +# +# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. +# +# environment:: restrict an ACL to a comma-separated list of environments +# method:: restrict an ACL to a comma-separated list of HTTP methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +### Authenticated ACLs - these rules apply only when the client +### has a valid certificate and is thus authenticated + +# allow nodes to retrieve their own catalog +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow nodes to retrieve their own node definition +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# allow all nodes to access the certificates services +path /certificate_revocation_list/ca +method find +allow * + +# allow all nodes to store their own reports +path ~ ^/report/([^/]+)$ +method save +allow $1 + +# Allow all nodes to access all file services; this is necessary for +# pluginsync, file serving from modules, and file serving from custom +# mount points (see fileserver.conf). Note that the `/file` prefix matches +# requests to both the file_metadata and file_content paths. See "Examples" +# above if you need more granular access control for custom mount points. +path /file +allow * + +### Unauthenticated ACLs, for clients without valid certificates; authenticated +### clients can also access these paths, though they rarely need to. + +# allow access to the CA certificate; unauthenticated nodes need this +# in order to validate the puppet master's certificate +path /certificate/ca +auth any +method find +allow * + +# allow nodes to retrieve the certificate they requested earlier +path /certificate/ +auth any +method find +allow * + +# allow nodes to request a new certificate +path /certificate_request +auth any +method find, save +allow * + +path /v2.0/environments +method find +allow * + +# deny everything else; this ACL is not strictly necessary, but +# illustrates the default policy. +path / +auth any diff --git a/puppet/templates/puppet/fileserver.conf.erb b/puppet/templates/puppet/fileserver.conf.erb new file mode 100644 index 0000000..e4d6e0a --- /dev/null +++ b/puppet/templates/puppet/fileserver.conf.erb @@ -0,0 +1,21 @@ +# See http://docs.puppetlabs.com/guides/file_serving.html + +# Files +[files] + path /etc/puppet/files + allow *.<%= base_domain %> + +# SSL keys +[ssl] + path /etc/puppet/keys/ssl + deny * + +# SSH keys +[ssh] + path /etc/puppet/keys/ssh/%h + allow * + +# Public keys +[pubkeys] + path /etc/puppet/keys/public + allow * diff --git a/puppet/templates/puppet/master.pp.erb b/puppet/templates/puppet/master.pp.erb new file mode 100644 index 0000000..5865723 --- /dev/null +++ b/puppet/templates/puppet/master.pp.erb @@ -0,0 +1,10 @@ +node '<%= hostname %>-master.<%= domain %>' { + $main_master = true + include nodo::master + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/puppet/templates/puppet/nodes.pp.erb b/puppet/templates/puppet/nodes.pp.erb new file mode 100644 index 0000000..4acddc6 --- /dev/null +++ b/puppet/templates/puppet/nodes.pp.erb @@ -0,0 +1,14 @@ +# +# Node definitions. +# + +<%- if first_nodes == 'present' then -%> +import "nodes/<%= first_hostname %>.pp" +import "nodes/<%= first_hostname %>-master.pp" +import "nodes/<%= first_hostname %>-proxy.pp" +import "nodes/<%= first_hostname %>-web.pp" +import "nodes/<%= first_hostname %>-storage.pp" +import "nodes/<%= first_hostname %>-test.pp" +<%- else -%> +#import "nodes/example.pp" +<%- end -%> diff --git a/puppet/templates/puppet/proxy.pp.erb b/puppet/templates/puppet/proxy.pp.erb new file mode 100644 index 0000000..908c2ec --- /dev/null +++ b/puppet/templates/puppet/proxy.pp.erb @@ -0,0 +1,53 @@ +node '<%= hostname %>-proxy.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::proxy + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + + # reference to admin vserver + host { "<%= hostname %>-master": + ensure => present, + ip => "192.168.0.2", + host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ], + notify => Service["nginx"], + } + + # reference to proxy vserver + #host { "<%= hostname %>-proxy": + # ensure => present, + # ip => "192.168.0.3", + # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ], + # notify => Service["nginx"], + #} + + # reference to web vserver + host { "<%= hostname %>-web": + ensure => present, + ip => "192.168.0.4", + host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ], + notify => Service["nginx"], + } + + # reference to storage vserver + host { "<%= hostname %>-storage": + ensure => present, + ip => "192.168.0.5", + host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ], + notify => Service["nginx"], + } + + # reference to test vserver + host { "<%= hostname %>-test": + ensure => present, + ip => "192.168.0.6", + host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ], + notify => Service["nginx"], + } + +} diff --git a/puppet/templates/puppet/puppet.conf.erb b/puppet/templates/puppet/puppet.conf.erb new file mode 100644 index 0000000..e2751ca --- /dev/null +++ b/puppet/templates/puppet/puppet.conf.erb @@ -0,0 +1,30 @@ +[main] +logdir = /var/log/puppet +vardir = /var/lib/puppetmaster +ssldir = $vardir/ssl +rundir = /var/run/puppet +factpath = $vardir/lib/facter +pluginsync = true + +[master] +templatedir = $vardir/templates +masterport = 8140 +autosign = false +storeconfigs = true +dbadapter = sqlite3 +#dbadapter = mysql +#dbserver = localhost +#dbuser = puppet +#dbpassword = <%= db_password %> +dbconnections = 15 +certname = puppet.<%= base_domain %> +ssl_client_header = SSL_CLIENT_S_DN +ssl_client_verify_header = SSL_CLIENT_VERIFY + +[agent] +server = puppet.<%= base_domain %> +vardir = /var/lib/puppet +ssldir = $vardir/ssl +runinterval = 7200 +puppetport = 8139 +configtimeout = 300 diff --git a/puppet/templates/puppet/server.pp.erb b/puppet/templates/puppet/server.pp.erb new file mode 100644 index 0000000..fcd21e0 --- /dev/null +++ b/puppet/templates/puppet/server.pp.erb @@ -0,0 +1,41 @@ +node '<%= hostname %>.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + $shorewall_dmz = true + $resolvconf_nameservers = $opendns_nameservers + $has_ups = false + include nodo::server + + # + # Linux-VServers + # + #nodo::vserver::instance { "<%= hostname %>-master": + # context => '2', + # puppetmaster => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-proxy": + # context => '3', + # proxy => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-web": + # context => '4', + # gitd => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-storage": + # context => '5', + #} + + #nodo::vserver::instance { "<%= hostname %>-test": + # context => '6', + # memory_limit => 500, + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10105", + #} +} diff --git a/puppet/templates/puppet/storage.pp.erb b/puppet/templates/puppet/storage.pp.erb new file mode 100644 index 0000000..be93335 --- /dev/null +++ b/puppet/templates/puppet/storage.pp.erb @@ -0,0 +1,13 @@ +node '<%= hostname %>-storage.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::storage + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/puppet/templates/puppet/test.pp.erb b/puppet/templates/puppet/test.pp.erb new file mode 100644 index 0000000..816eca9 --- /dev/null +++ b/puppet/templates/puppet/test.pp.erb @@ -0,0 +1,13 @@ +node '<%= hostname %>-test.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::test + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/puppet/templates/puppet/users.pp.erb b/puppet/templates/puppet/users.pp.erb new file mode 100644 index 0000000..3b7c857 --- /dev/null +++ b/puppet/templates/puppet/users.pp.erb @@ -0,0 +1,25 @@ +class users::virtual inherits user { + # define custom users here +} + +class users::backup inherits user { + # define third-party hosted backup users here +} + +class users::admin inherits user { + # root user and password + user::manage { "root": + tag => "admin", + homedir => '/root', + password => '<%= root_password %>', + } + + # first user config + user::manage { "<%= first_user %>": + tag => "admin", + groups => [ "sudo", ], + password => '<%= first_user_password %>', + sshkey => [ "<%= first_user_sshkey %>" ], + } + +} diff --git a/puppet/templates/puppet/web.pp.erb b/puppet/templates/puppet/web.pp.erb new file mode 100644 index 0000000..afc328b --- /dev/null +++ b/puppet/templates/puppet/web.pp.erb @@ -0,0 +1,13 @@ +node '<%= hostname %>-web.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::web + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} |