summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/.gitignore2
-rw-r--r--puppet/.mrconfig258
-rw-r--r--puppet/LICENSE661
-rw-r--r--puppet/Makefile59
-rw-r--r--puppet/README.md38
-rw-r--r--puppet/TODO.md6
-rw-r--r--puppet/Vagrantfile60
-rw-r--r--puppet/auth.conf99
-rwxr-xr-xpuppet/bin/dependencies28
-rwxr-xr-xpuppet/bin/mrconfig29
-rwxr-xr-xpuppet/bin/provision21
-rwxr-xr-xpuppet/bin/submodules31
-rwxr-xr-xpuppet/bin/subtrees41
-rwxr-xr-xpuppet/bin/symlinks24
-rw-r--r--puppet/files/.empty0
-rw-r--r--puppet/fileserver.conf7
l---------puppet/hiera.yaml1
-rw-r--r--puppet/hiera/bootstrap.yaml44
-rw-r--r--puppet/hiera/common.yaml50
-rw-r--r--puppet/hiera/hiera.yaml19
-rw-r--r--puppet/keys/public/.empty0
-rw-r--r--puppet/keys/ssh/.empty0
-rw-r--r--puppet/keys/ssl/.empty0
-rw-r--r--puppet/manifests/bootstrap/configurator.pp208
-rw-r--r--puppet/manifests/bootstrap/host.pp24
-rw-r--r--puppet/manifests/bootstrap/master.pp12
-rw-r--r--puppet/manifests/bootstrap/vagrant.pp49
-rw-r--r--puppet/manifests/classes/users.pp33
-rw-r--r--puppet/manifests/classes/websites.pp42
l---------puppet/manifests/hiera1
-rw-r--r--puppet/manifests/modules.pp6
-rw-r--r--puppet/manifests/nodes.pp5
-rw-r--r--puppet/manifests/nodes/.empty0
-rw-r--r--puppet/manifests/site.pp8
l---------puppet/modules/bootstrap1
-rw-r--r--puppet/modules/site_apache/files/htdocs/images/.empty0
-rw-r--r--puppet/modules/site_apache/files/vhosts/.empty0
-rw-r--r--puppet/modules/site_keys/files/ssl/.empty0
-rw-r--r--puppet/modules/site_mail/files/.empty0
-rw-r--r--puppet/modules/site_nagios/files/.empty0
-rw-r--r--puppet/modules/site_nginx/files/.empty0
-rw-r--r--puppet/modules/site_postfix/files/.empty0
l---------puppet/puppet (renamed from puppet)0
-rw-r--r--puppet/puppet.conf30
-rw-r--r--puppet/templates/apache/htdocs/images/README.html.erb3
-rw-r--r--puppet/templates/apache/htdocs/index.html.erb9
-rw-r--r--puppet/templates/apache/htdocs/missing.html.erb12
-rw-r--r--puppet/templates/apache/vhosts/git.erb20
-rw-r--r--puppet/templates/apache/vhosts/lists.erb22
-rw-r--r--puppet/templates/apache/vhosts/mail.erb72
-rw-r--r--puppet/templates/apache/vhosts/nagios.erb61
-rw-r--r--puppet/templates/apache/vhosts/wiki.erb17
-rw-r--r--puppet/templates/etc/aliases.erb15
-rw-r--r--puppet/templates/etc/nagios3/htpasswd.users.erb1
-rw-r--r--puppet/templates/etc/nginx/domain.erb172
-rw-r--r--puppet/templates/postfix/tls_policy.erb0
-rw-r--r--puppet/templates/puppet/auth.conf.erb120
-rw-r--r--puppet/templates/puppet/fileserver.conf.erb21
-rw-r--r--puppet/templates/puppet/master.pp.erb10
-rw-r--r--puppet/templates/puppet/nodes.pp.erb14
-rw-r--r--puppet/templates/puppet/proxy.pp.erb53
-rw-r--r--puppet/templates/puppet/puppet.conf.erb30
-rw-r--r--puppet/templates/puppet/server.pp.erb41
-rw-r--r--puppet/templates/puppet/storage.pp.erb13
-rw-r--r--puppet/templates/puppet/test.pp.erb13
-rw-r--r--puppet/templates/puppet/users.pp.erb33
-rw-r--r--puppet/templates/puppet/web.pp.erb13
67 files changed, 2662 insertions, 0 deletions
diff --git a/puppet/.gitignore b/puppet/.gitignore
new file mode 100644
index 0000000..ce9693b
--- /dev/null
+++ b/puppet/.gitignore
@@ -0,0 +1,2 @@
+modules/*
+.vagrant
diff --git a/puppet/.mrconfig b/puppet/.mrconfig
new file mode 100644
index 0000000..8731bee
--- /dev/null
+++ b/puppet/.mrconfig
@@ -0,0 +1,258 @@
+
+[puppet/modules/apache]
+checkout = git clone git://git.sarava.org/puppet-apache.git apache
+
+[puppet/modules/apcupsd]
+checkout = git clone git://git.sarava.org/puppet-apcupsd.git apcupsd
+
+[puppet/modules/apparmor]
+checkout = git clone git://git.sarava.org/puppet-apparmor.git apparmor
+
+[puppet/modules/apt]
+checkout = git clone git://git.sarava.org/puppet-apt.git apt
+
+[puppet/modules/autofs]
+checkout = git clone git://git.sarava.org/puppet-autofs.git autofs
+
+[puppet/modules/autossh]
+checkout = git clone git://git.sarava.org/puppet-autossh.git autossh
+
+[puppet/modules/avahi]
+checkout = git clone git://git.sarava.org/puppet-avahi.git avahi
+
+[puppet/modules/backup]
+checkout = git clone git://git.sarava.org/puppet-backup.git backup
+
+[puppet/modules/backupninja]
+checkout = git clone git://git.sarava.org/puppet-backupninja.git backupninja
+
+[puppet/modules/bind]
+checkout = git clone git://git.sarava.org/puppet-bind.git bind
+
+[puppet/modules/bitcoind]
+checkout = git clone git://git.sarava.org/puppet-bitcoind.git bitcoind
+
+[puppet/modules/bootstrap]
+checkout = git clone git://git.sarava.org/puppet-bootstrap.git bootstrap
+
+[puppet/modules/common]
+checkout = git clone git://git.sarava.org/puppet-common.git common
+
+[puppet/modules/concat]
+checkout = git clone git://git.sarava.org/puppet-concat.git concat
+
+[puppet/modules/cron]
+checkout = git clone git://git.sarava.org/puppet-cron.git cron
+
+[puppet/modules/daap_server]
+checkout = git clone git://git.sarava.org/puppet-daap_server.git daap_server
+
+[puppet/modules/darkice]
+checkout = git clone git://git.sarava.org/puppet-darkice.git darkice
+
+[puppet/modules/database]
+checkout = git clone git://git.sarava.org/puppet-database.git database
+
+[puppet/modules/dhcp]
+checkout = git clone git://git.sarava.org/puppet-dhcp.git dhcp
+
+[puppet/modules/domain_check]
+checkout = git clone git://git.sarava.org/puppet-domain_check.git domain_check
+
+[puppet/modules/drupal]
+checkout = git clone git://git.sarava.org/puppet-drupal.git drupal
+
+[puppet/modules/dyndns]
+checkout = git clone git://git.sarava.org/puppet-dyndns.git dyndns
+
+[puppet/modules/ejabberd]
+checkout = git clone git://git.sarava.org/puppet-ejabberd.git ejabberd
+
+[puppet/modules/ekeyd]
+checkout = git clone git://git.sarava.org/puppet-ekeyd.git ekeyd
+
+[puppet/modules/etherpad]
+checkout = git clone git://git.sarava.org/puppet-etherpad.git etherpad
+
+[puppet/modules/exim]
+checkout = git clone git://git.sarava.org/puppet-exim.git exim
+
+[puppet/modules/firewall]
+checkout = git clone git://git.sarava.org/puppet-firewall.git firewall
+
+[puppet/modules/git]
+checkout = git clone git://git.sarava.org/puppet-git.git git
+
+[puppet/modules/hotglue]
+checkout = git clone git://git.sarava.org/puppet-hotglue.git hotglue
+
+[puppet/modules/hydra]
+checkout = git clone git://git.sarava.org/puppet-hydra.git hydra
+
+[puppet/modules/icecast]
+checkout = git clone git://git.sarava.org/puppet-icecast.git icecast
+
+[puppet/modules/ikiwiki]
+checkout = git clone git://git.sarava.org/puppet-ikiwiki.git ikiwiki
+
+[puppet/modules/inetd]
+checkout = git clone git://git.sarava.org/puppet-inetd.git inetd
+
+[puppet/modules/infinoted]
+checkout = git clone git://git.sarava.org/puppet-infinoted.git infinoted
+
+[puppet/modules/inifile]
+checkout = git clone git://git.sarava.org/puppet-inifile.git inifile
+
+[puppet/modules/lighttpd]
+checkout = git clone git://git.sarava.org/puppet-lighttpd.git lighttpd
+
+[puppet/modules/lsb]
+checkout = git clone git://git.sarava.org/puppet-lsb.git lsb
+
+[puppet/modules/mail]
+checkout = git clone git://git.sarava.org/puppet-mail.git mail
+
+[puppet/modules/minidlna]
+checkout = git clone git://git.sarava.org/puppet-minidlna.git minidlna
+
+[puppet/modules/moin]
+checkout = git clone git://git.sarava.org/puppet-moin.git moin
+
+[puppet/modules/monkeysphere]
+checkout = git clone git://git.sarava.org/puppet-monkeysphere.git monkeysphere
+
+[puppet/modules/motion]
+checkout = git clone git://git.sarava.org/puppet-motion.git motion
+
+[puppet/modules/mpd]
+checkout = git clone git://git.sarava.org/puppet-mpd.git mpd
+
+[puppet/modules/mumble]
+checkout = git clone git://git.sarava.org/puppet-mumble.git mumble
+
+[puppet/modules/munin]
+checkout = git clone git://git.sarava.org/puppet-munin.git munin
+
+[puppet/modules/mysql]
+checkout = git clone git://git.sarava.org/puppet-mysql.git mysql
+
+[puppet/modules/nagios]
+checkout = git clone git://git.sarava.org/puppet-nagios.git nagios
+
+[puppet/modules/nfs]
+checkout = git clone git://git.sarava.org/puppet-nfs.git nfs
+
+[puppet/modules/nginx]
+checkout = git clone git://git.sarava.org/puppet-nginx.git nginx
+
+[puppet/modules/nodo]
+checkout = git clone git://git.sarava.org/puppet-nodo.git nodo
+
+[puppet/modules/ntp]
+checkout = git clone git://git.sarava.org/puppet-ntp.git ntp
+
+[puppet/modules/onion]
+checkout = git clone git://git.sarava.org/puppet-onion.git onion
+
+[puppet/modules/pear]
+checkout = git clone git://git.sarava.org/puppet-pear.git pear
+
+[puppet/modules/php]
+checkout = git clone git://git.sarava.org/puppet-php.git php
+
+[puppet/modules/pmwiki]
+checkout = git clone git://git.sarava.org/puppet-pmwiki.git pmwiki
+
+[puppet/modules/postfix]
+checkout = git clone git://git.sarava.org/puppet-postfix.git postfix
+
+[puppet/modules/puppet]
+checkout = git clone git://git.sarava.org/puppet-puppet.git puppet
+
+[puppet/modules/pureftpd]
+checkout = git clone git://git.sarava.org/puppet-pureftpd.git pureftpd
+
+[puppet/modules/pyroscope]
+checkout = git clone git://git.sarava.org/puppet-pyroscope.git pyroscope
+
+[puppet/modules/qwebirc]
+checkout = git clone git://git.sarava.org/puppet-qwebirc.git qwebirc
+
+[puppet/modules/reprepro]
+checkout = git clone git://git.sarava.org/puppet-reprepro.git reprepro
+
+[puppet/modules/resolvconf]
+checkout = git clone git://git.sarava.org/puppet-resolvconf.git resolvconf
+
+[puppet/modules/rng-tools]
+checkout = git clone git://git.sarava.org/puppet-rng-tools.git rng-tools
+
+[puppet/modules/rsync]
+checkout = git clone git://git.sarava.org/puppet-rsync.git rsync
+
+[puppet/modules/runit]
+checkout = git clone git://git.sarava.org/puppet-runit.git runit
+
+[puppet/modules/samba]
+checkout = git clone git://git.sarava.org/puppet-samba.git samba
+
+[puppet/modules/schroot]
+checkout = git clone git://git.sarava.org/puppet-schroot.git schroot
+
+[puppet/modules/shorewall]
+checkout = git clone git://git.sarava.org/puppet-shorewall.git shorewall
+
+[puppet/modules/smartmonster]
+checkout = git clone git://git.sarava.org/puppet-smartmonster.git smartmonster
+
+[puppet/modules/smartmontools]
+checkout = git clone git://git.sarava.org/puppet-smartmontools.git smartmontools
+
+[puppet/modules/sshd]
+checkout = git clone git://git.sarava.org/puppet-sshd.git sshd
+
+[puppet/modules/ssl]
+checkout = git clone git://git.sarava.org/puppet-ssl.git ssl
+
+[puppet/modules/supervisor]
+checkout = git clone git://git.sarava.org/puppet-supervisor.git supervisor
+
+[puppet/modules/supybot]
+checkout = git clone git://git.sarava.org/puppet-supybot.git supybot
+
+[puppet/modules/syslog-ng]
+checkout = git clone git://git.sarava.org/puppet-syslog-ng.git syslog-ng
+
+[puppet/modules/tftp]
+checkout = git clone git://git.sarava.org/puppet-tftp.git tftp
+
+[puppet/modules/tor]
+checkout = git clone git://git.sarava.org/puppet-tor.git tor
+
+[puppet/modules/trac]
+checkout = git clone git://git.sarava.org/puppet-trac.git trac
+
+[puppet/modules/tunnel]
+checkout = git clone git://git.sarava.org/puppet-tunnel.git tunnel
+
+[puppet/modules/user]
+checkout = git clone git://git.sarava.org/puppet-user.git user
+
+[puppet/modules/vcsrepo]
+checkout = git clone git://git.sarava.org/puppet-vcsrepo.git vcsrepo
+
+[puppet/modules/viewvc]
+checkout = git clone git://git.sarava.org/puppet-viewvc.git viewvc
+
+[puppet/modules/virtual]
+checkout = git clone git://git.sarava.org/puppet-virtual.git virtual
+
+[puppet/modules/websites]
+checkout = git clone git://git.sarava.org/puppet-websites.git websites
+
+[puppet/modules/websvn]
+checkout = git clone git://git.sarava.org/puppet-websvn.git websvn
+
+[puppet/modules/wordpress]
+checkout = git clone git://git.sarava.org/puppet-wordpress.git wordpress
diff --git a/puppet/LICENSE b/puppet/LICENSE
new file mode 100644
index 0000000..dba13ed
--- /dev/null
+++ b/puppet/LICENSE
@@ -0,0 +1,661 @@
+ GNU AFFERO GENERAL PUBLIC LICENSE
+ Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+ A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+ The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+ An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU Affero General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<http://www.gnu.org/licenses/>.
diff --git a/puppet/Makefile b/puppet/Makefile
new file mode 100644
index 0000000..2209271
--- /dev/null
+++ b/puppet/Makefile
@@ -0,0 +1,59 @@
+#
+# Puppet Boostrap Makefile by Silvio Rhatto (rhatto at riseup.net).
+#
+# This Makefile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 3 of the License, or any later version.
+#
+# This Makefile is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+# Place - Suite 330, Boston, MA 02111-1307, USA
+#
+
+CWD = $(shell pwd)
+REPO = git://git.sarava.org/puppet-bootstrap.git
+PUPPET = FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --confdir="$(CWD)" --modulepath=modules
+
+all: deps remote modules config
+
+deps:
+ bin/dependencies
+
+modules:
+ mr up
+
+submodules:
+ bin/submodules
+
+subtrees:
+ bin/subtrees
+
+symlinks:
+ bin/symlinks $(MODULES)
+
+remote:
+ git remote add bootstrap $(REPO)
+
+hiera/boostrap.yaml:
+ $(EDITOR) hiera/bootstrap.yaml
+
+puppet.conf:
+ mkdir -p $(HOME)/.puppet
+ $(PUPPET) manifests/bootstrap/configurator.pp
+
+config: hiera/boostrap.yaml puppet.conf
+ @true
+
+apply:
+ $(PUPPET) manifests/bootstrap/$(stage).pp
+
+clean:
+ rm -f auth.conf fileserver.conf puppet.conf
+ rm -f manifests/classes/users.pp
+ rm -rf ssl
+ rm -rf modules
+ git checkout modules
diff --git a/puppet/README.md b/puppet/README.md
new file mode 100644
index 0000000..67dad5f
--- /dev/null
+++ b/puppet/README.md
@@ -0,0 +1,38 @@
+Puppet Boostrap Module
+======================
+
+This is a multi-purpose but very specific puppet module which can be used:
+
+* As the base repository for a puppet infrastructure.
+* As a standalone provisioner for boxes, with Vagrant support.
+* It can be optionally used together with the Hydra Suite from https://git.sarava.org/?p=hydra.git
+
+Setting up a new puppetmaster repository
+----------------------------------------
+
+You'll basically use the `bootstrap` repository as your `puppet` repository:
+
+ git clone git://git.sarava.org/puppet-bootstrap.git puppet
+ cd puppet && git tag -v # check integrity
+ make deps # install dependencies
+ make submodules # add all needed puppet module as as git submodules
+ make config # basic configuration
+
+Using as a standalone provisioner
+---------------------------------
+
+This will be a `Vagrant` example:
+
+ cd your-project
+ git clone git://git.sarava.org/puppet-bootstrap.git puppet # use submodule or subtree as you please
+ ln -s puppet/Vagrantfile # or copy if you want to customize
+ ( cd puppet && make modules ) # need the mr binary to download the submodules
+ vagrant up web # with no arguments, all defined VMs are started
+
+Using subtrees or symlinks for modules
+--------------------------------------
+
+You might use `make subtrees` instead of `make submodules`. Also, if you already have
+all the modules in a different subtree, use
+
+ make symlinks MODULES=/path/to/puppet/modules
diff --git a/puppet/TODO.md b/puppet/TODO.md
new file mode 100644
index 0000000..1cb987f
--- /dev/null
+++ b/puppet/TODO.md
@@ -0,0 +1,6 @@
+TODO
+====
+
+* Update to new nodo style (hiera and nodo::role).
+* Support for recursive clones in `bin/mrconfig`.
+* Test!
diff --git a/puppet/Vagrantfile b/puppet/Vagrantfile
new file mode 100644
index 0000000..e7404a9
--- /dev/null
+++ b/puppet/Vagrantfile
@@ -0,0 +1,60 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant::Config.run do |config|
+ # Every Vagrant virtual environment requires a box to build off of.
+ config.vm.box = "wheezy"
+
+ # Shell provisioner to setup basic environment.
+ config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision"
+
+ # Enable provisioning with Puppet stand alone.
+ config.vm.provision :puppet do |puppet|
+ puppet.manifest_file = "bootstrap/vagrant.pp"
+ puppet.manifests_path = "puppet/manifests"
+ puppet.module_path = "puppet/modules"
+ puppet.temp_dir = "/etc/puppet"
+ end
+
+ # Define a Host VM
+ config.vm.define :host do |host_config|
+ db_config.vm.box = "host"
+ web_config.vm.network :hostonly, "192.168.50.101"
+ end
+
+ # Define a Puppetmaster VM
+ config.vm.define :master do |master_config|
+ master_config.vm.box = "master"
+ master_config.vm.forward_port 8139, 8140
+ web_config.vm.network :hostonly, "192.168.50.102"
+ end
+
+ # Define a Proxy VM
+ config.vm.define :proxy do |proxy_config|
+ proxy_config.vm.box = "proxy"
+ proxy_config.vm.forward_port 8139, 8140
+ web_config.vm.network :hostonly, "192.168.50.103"
+ end
+
+ # Define a Web VM
+ config.vm.define :web do |web_config|
+ web_config.vm.box = "web"
+ web_config.vm.forward_port 80, 8080
+ web_config.vm.network :hostonly, "192.168.50.104"
+ end
+
+ # Define a Storage VM
+ config.vm.define :storage do |storage_config|
+ storage_config.vm.box = "storage"
+ storage_config.vm.network :hostonly, "192.168.50.105"
+ end
+
+ # Define a Test VM
+ config.vm.define :test do |test_config|
+ test_config.vm.box = "test"
+ test_config.vm.network :hostonly, "192.168.50.106"
+ end
+
+ # Share hiera configuration.
+ config.vm.share_folder "hiera", "/etc/puppet/hiera", "puppet/hiera", create: true
+end
diff --git a/puppet/auth.conf b/puppet/auth.conf
new file mode 100644
index 0000000..47740dc
--- /dev/null
+++ b/puppet/auth.conf
@@ -0,0 +1,99 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+# Allow authenticated nodes to retrieve their own catalogs:
+
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# Allow authenticated nodes to send reports:
+
+path /report
+method save
+allow *
+
+# Allow unauthenticated access to certificates:
+
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+# Allow unauthenticated nodes to submit certificate signing requests:
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# Deny all other requests:
+
+path /
+auth any
diff --git a/puppet/bin/dependencies b/puppet/bin/dependencies
new file mode 100755
index 0000000..78ca659
--- /dev/null
+++ b/puppet/bin/dependencies
@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Simple shell provisioner for Vagrant instances.
+#
+
+# Install a package, thanks to the Hydra Suite.
+function provision_package {
+ if [ -z "$1" ]; then
+ return
+ fi
+
+ dpkg -s $1 &> /dev/null
+
+ if [ "$?" == "1" ]; then
+ echo "Installing package $1..."
+ DEBIAN_FRONTEND=noninteractive $sudo apt-get install $1 -y
+ fi
+}
+
+# Set sudo config
+if [ "`whoami`" != 'root' ]; then
+ sudo="sudo"
+fi
+
+# Ensure basic packages are installed.
+for package in puppet ruby-hiera-puppet mr whois; do
+ provision_package $package
+done
diff --git a/puppet/bin/mrconfig b/puppet/bin/mrconfig
new file mode 100755
index 0000000..f525db3
--- /dev/null
+++ b/puppet/bin/mrconfig
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Build a mrconfig for the needed modules.
+#
+
+# Parameters
+GIT="git.sarava.org"
+URL="https://$GIT/?a=project_index"
+CWD="`pwd`"
+WORK="`dirname $0`/.."
+
+# Create a new config
+cd $WORK
+rm -f .mrconfig
+touch .mrconfig
+
+# Fetch repository list and updtate mrconfig
+curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do
+ folder="`echo $module | sed -e 's/^puppet-//'`"
+ folder="`basename $folder .git`"
+
+ if [ "$module" != "$bootstrap" ]; then
+ echo "Processing $folder..."
+ mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder"
+ fi
+done
+
+# Teardown
+cd $CWD
diff --git a/puppet/bin/provision b/puppet/bin/provision
new file mode 100755
index 0000000..7fa056b
--- /dev/null
+++ b/puppet/bin/provision
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Simple shell provisioner for Vagrant instances.
+#
+
+# Ensure the system is updated.
+sudo apt-get update && DEBIAN_FRONTEND=noninteractive sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y && sudo apt-get clean
+
+# Install dependencies
+source /vagrant/puppet/bin/dependencies
+
+# Ensure additional dependencies are installed.
+for package in sqlite3 libsqlite3-ruby libactiverecord-ruby ruby-sqlite3 usbutils; do
+ provision_package $package
+done
+
+# Make sure we have an initial hiera configuration.
+if [ ! -h "/etc/puppet/hiera.yaml" ]; then
+ sudo rm -f /etc/puppet/hiera.yaml
+ sudo ln -s /vagrant/puppet/hiera/hiera.yaml /etc/puppet/hiera.yaml
+fi
diff --git a/puppet/bin/submodules b/puppet/bin/submodules
new file mode 100755
index 0000000..f79b635
--- /dev/null
+++ b/puppet/bin/submodules
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Setup submodules.
+#
+
+# Parameters
+DIRNAME="`dirname $0`"
+
+# Usage
+function usage {
+ echo "Usage: $1 add-submodules <DIR>"
+ exit $2
+}
+
+# Get module list
+repos="`grep = $DIRNAME/../.mrconfig | cut -d = -f 2 | cut -d ' ' -f 4`"
+
+# Add submodules
+for repo in $repos; do
+ module="`basename $repo .git | sed -e s/^puppet-//`"
+ if [ ! -d "modules/$module" ]; then
+ echo "Processing puppet module $module..."
+ git submodule add $repo modules/$module
+ elif [ -e "modules/$module/.git" ]; then
+ # The puppet module exists and is a git submodule, so update it
+ ( cd module/$module && git pull origin master )
+ fi
+done
+
+# Update all modules
+git submodule update --init
diff --git a/puppet/bin/subtrees b/puppet/bin/subtrees
new file mode 100755
index 0000000..1858a48
--- /dev/null
+++ b/puppet/bin/subtrees
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Setup subtrees.
+#
+
+# Parameters
+DIRNAME="`dirname $0`"
+
+# Usage
+function usage {
+ echo "Usage: $1 add-submodules <DIR>"
+ exit $2
+}
+
+# Check for git-subtree
+if ! which git-subtree &> /dev/null; then
+ echo "fatal: please install git-subtree"
+ exit 1
+fi
+
+# Get module list
+repos="`grep = $DIRNAME/../.mrconfig | cut -d = -f 2 | cut -d ' ' -f 4`"
+
+# Add subtrees
+for repo in $repos; do
+ module="`basename $repo .git | sed -e s/^puppet-//`"
+ if [ ! -d "modules/$module" ]; then
+ echo "Processing puppet module $module..."
+ git remote add $module $repo
+ git subtree add --prefix modules/$module $module master --squash
+ elif [ ! -d "modules/$module/.git" ]; then
+ # The puppet module exists and is a subtree, so update it
+ if ! git remote | grep -qe "^$module$"; then
+ git remote add $module $repo
+ fi
+
+ # Update subtrees
+ git fetch $module master
+ git subtree pull --prefix modules/$module $module master --squash
+ fi
+done
diff --git a/puppet/bin/symlinks b/puppet/bin/symlinks
new file mode 100755
index 0000000..0a221c4
--- /dev/null
+++ b/puppet/bin/symlinks
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Setup symlinks.
+#
+
+# Parameters
+BASENAME="`basename $0`"
+MODULES="$1"
+
+# Check parameters
+if [ -z "$MODULES" ]; then
+ echo "Usage: $BASENAME <submodules-folder>"
+ exit 1
+elif [ ! -e "$MODULES" ]; then
+ echo "Not found: $MODULES"
+fi
+
+# Add module symlinks using absolute folders
+for module in `ls $MODULES`; do
+ if [ "$module" != "bootstrap" ]; then
+ path="`cd $MODULES/$module && pwd`"
+ ( cd modules &> /dev/null && ln -sf $path )
+ fi
+done
diff --git a/puppet/files/.empty b/puppet/files/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/files/.empty
diff --git a/puppet/fileserver.conf b/puppet/fileserver.conf
new file mode 100644
index 0000000..e777078
--- /dev/null
+++ b/puppet/fileserver.conf
@@ -0,0 +1,7 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Files
+[files]
+ path /etc/puppet/files
+ allow *.vagrantup.com
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
new file mode 120000
index 0000000..5230565
--- /dev/null
+++ b/puppet/hiera.yaml
@@ -0,0 +1 @@
+hiera/hiera.yaml \ No newline at end of file
diff --git a/puppet/hiera/bootstrap.yaml b/puppet/hiera/bootstrap.yaml
new file mode 100644
index 0000000..c4f6bca
--- /dev/null
+++ b/puppet/hiera/bootstrap.yaml
@@ -0,0 +1,44 @@
+---
+#
+# Puppet Bootstrap Configuration Parameters.
+#
+# This file is responsible to set custom values to your new puppet repository
+# to reflect the custom configuration for your infrastructure.
+#
+# This configuration is useful mostly after you cloned the puppet-boostrap module
+# and want to configure it to boostrap a whole puppetmaster infrastructure.
+#
+
+# The base domain for your infrastructure.
+bootstrap::base_domain: 'vagrantup.com'
+
+#
+# Root password.
+#
+# Use "mkpasswd -m sha-512" to generate root and first user's passwords.
+bootstrap::root::password: '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.'
+
+#
+# First user account
+#
+# Do not include "ssh-rsa " into the sshkey definition.
+bootstrap::first_user: 'vagrant'
+bootstrap::first_user::password: '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB'
+bootstrap::first_user::sshkey: 'AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=='
+bootstrap::first_user::email: ''
+
+#
+# First nodes
+#
+
+# Hostname of the first server
+bootstrap:first_hostname: ''
+
+# Create manifests and config for the first nodes?
+bootstrap::first_nodes: false
+
+# MySQL password
+mysql::server::rootpw: 'hackme'
+
+# Puppet master db password
+nodo::role::master::db_password: 'hackme'
diff --git a/puppet/hiera/common.yaml b/puppet/hiera/common.yaml
new file mode 100644
index 0000000..d7e35a1
--- /dev/null
+++ b/puppet/hiera/common.yaml
@@ -0,0 +1,50 @@
+---
+#
+# General
+#
+nodo::subsystem::apt::include_src: false
+nodo::subsystem::apt::use_next_release: false
+nodo::subsystem::monitor::use_nagios: false
+nodo::subsystem::monitor::address: "%{::fqdn}"
+
+#
+# Firewall
+#
+firewall::ssl_ratelimit: "s:ssl:200/min:20"
+firewall::local_net: false
+firewall::local::manage_host: true
+firewall::local::manage_iface: false
+
+#
+# Mail
+#
+mail::sympa::subdomain: "listas"
+mail::sympa::lang: "pt_BR"
+
+#
+# Monitoring
+#
+nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*'
+
+#
+# Wordpress
+#
+wordpress::locale: 'pt_BR'
+
+#
+# Timezone and ntp
+#
+ntp::zone: "Brazil/East"
+ntp::pool: "south-america.pool.ntp.org"
+ntp::servers:
+ - 'a.ntp.br'
+ - 'b.ntp.br'
+ - 'c.ntp.br'
+
+#
+# Nameservers
+#
+# OpenDNS
+nodo::subsystem::resolver::nameservers:
+ - '208.67.222.222'
+ - '208.67.220.220'
diff --git a/puppet/hiera/hiera.yaml b/puppet/hiera/hiera.yaml
new file mode 100644
index 0000000..0a23dec
--- /dev/null
+++ b/puppet/hiera/hiera.yaml
@@ -0,0 +1,19 @@
+---
+:backends:
+ - yaml
+:yaml:
+ # Right now vagrant and puppet are not fully supporting
+ # a relative datadir. For it to work, we were forced to
+ # create a manifests/hiera symlink. This should be
+ # reconsidered in the future.
+ :datadir: hiera
+:hierarchy:
+ - '%{::environment}/domain/%{::domain}/node/%{::clientcert}'
+ - '%{::environment}/domain/%{::domain}/role/%{::role}'
+ - '%{::environment}/domain/%{::domain}/location/%{::location}'
+ - '%{::environment}/domain/%{::domain}/%{::domain}'
+ - '%{::environment}/location/%{::location}'
+ - '%{::environment}/virtual/%{::virtual}'
+ - '%{::environment}/role/%{::role}'
+ - bootstrap
+ - common
diff --git a/puppet/keys/public/.empty b/puppet/keys/public/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/keys/public/.empty
diff --git a/puppet/keys/ssh/.empty b/puppet/keys/ssh/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/keys/ssh/.empty
diff --git a/puppet/keys/ssl/.empty b/puppet/keys/ssl/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/keys/ssl/.empty
diff --git a/puppet/manifests/bootstrap/configurator.pp b/puppet/manifests/bootstrap/configurator.pp
new file mode 100644
index 0000000..d93a0ce
--- /dev/null
+++ b/puppet/manifests/bootstrap/configurator.pp
@@ -0,0 +1,208 @@
+#
+# Puppet Bootstrap Configuration Manifest.
+#
+# This file is responsible to set custom configuration in the bootstrap
+# repository for values set in the hiera configuration.
+#
+# This manifest is useful mostly after you cloned the puppet-boostrap module
+# and want to configure it to boostrap a whole puppetmaster infrastructure.
+#
+
+#
+# Basic variables
+#
+$templates = "$bootstrap_path/templates"
+$base_domain = hiera('bootstrap::base_domain', "${::domain}")
+$first_hostname = hiera('bootstrap::first_hostname', "${::hostname}")
+$first_nodes = hiera('bootstrap::first_nodes', 'absent')
+$db_password = hiera('nodo::role::master::db_password', '')
+$mysql_rootpw = hiera('mysql::server::rootpw', '')
+$root_password = hiera('bootstrap::root::password', '')
+$first_user = hiera('bootstrap::first_user', 'user')
+$first_user_password = hiera('bootstrap::first_user::password', '')
+$first_user_sshkey = hiera('bootstrap::first_user::sshkey', '')
+$first_user_email = hiera('bootstrap::first_user::email', 'user@example.org')
+$resolvconf_nameservers = hiera('nodo::subsystem::resolver::nameservers', '201.6.2.152:201.6.2.32')
+$global_munin_allow = hiera('nodo::munin_node::allow', '192.168.0.[0-9]*')
+
+#
+# Check bootstrap configuration
+#
+
+if ($mysql_rootpw == '') {
+ alert('You must set mysql::server::rootpw at your configuration')
+ fail()
+}
+
+if ($db_password == '') {
+ alert('You must set nodo::role::master::db_password at your configuration')
+ fail()
+}
+
+if ($root_password == '') {
+ alert('You must set bootstrap::root::password at your configuration')
+ fail()
+}
+
+if ($first_user_password == '') {
+ alert('You must set bootstrap::first_user::password at your configuration')
+ fail()
+}
+
+#
+# Puppet configuration
+#
+file { "$bootstrap_path/puppet.conf":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/puppet.conf.erb"),
+}
+
+# Fileserver configuration
+file { "$bootstrap_path/fileserver.conf":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/fileserver.conf.erb"),
+}
+
+file { "$bootstrap_path/auth.conf":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/auth.conf.erb"),
+}
+
+#
+# Basic users
+#
+file { "$bootstrap_path/manifests/classes/users.pp":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/users.pp.erb"),
+}
+
+#
+# Site files
+#
+
+file { "$bootstrap_path/modules/site_apache/files/htdocs/images/README.html":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/htdocs/images/README.html.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/htdocs/index.html":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/htdocs/index.html.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/htdocs/missing.html":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/htdocs/missing.html.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/vhosts/git":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/vhosts/git.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/vhosts/lists":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/vhosts/lists.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/vhosts/mail":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/vhosts/mail.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/vhosts/nagios":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/vhosts/nagios.erb"),
+}
+
+file { "$bootstrap_path/modules/site_apache/files/vhosts/wiki":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/apache/vhosts/wiki.erb"),
+}
+
+file { "$bootstrap_path/modules/site_mail/files/aliases":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/etc/aliases.erb"),
+}
+
+file { "$bootstrap_path/modules/site_nagios/files/htpasswd.users":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/etc/nagios3/htpasswd.users.erb"),
+}
+
+file { "$bootstrap_path/modules/site_nginx/files/$domain":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/etc/nginx/domain.erb"),
+}
+
+file { "$bootstrap_path/modules/site_postfix/files/tls_policy":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/postfix/tls_policy.erb"),
+}
+
+#
+# Basic nodes
+#
+file { "$bootstrap_path/manifests/nodes.pp":
+ ensure => present,
+ mode => 0644,
+ content => template("$templates/puppet/nodes.pp.erb"),
+}
+
+# First host
+file { "$bootstrap_path/manifests/nodes/$first_hostname.pp":
+ ensure => $first_nodes,
+ mode => 0644,
+ content => template("$templates/puppet/server.pp.erb"),
+}
+
+# Master node
+file { "$bootstrap_path/manifests/nodes/$first_hostname-master.pp":
+ ensure => $first_nodes,
+ mode => 0644,
+ content => template("$templates/puppet/master.pp.erb"),
+}
+
+# Proxy node
+file { "$bootstrap_path/manifests/nodes/$first_hostname-proxy.pp":
+ ensure => $first_nodes,
+ mode => 0644,
+ content => template("$templates/puppet/proxy.pp.erb"),
+}
+
+# Web node
+file { "$bootstrap_path/manifests/nodes/$first_hostname-web.pp":
+ ensure => $first_nodes,
+ mode => 0644,
+ content => template("$templates/puppet/web.pp.erb"),
+}
+
+# Storage node
+file { "$bootstrap_path/manifests/nodes/$first_hostname-storage.pp":
+ ensure => $first_nodes,
+ mode => 0644,
+ content => template("$templates/puppet/storage.pp.erb"),
+}
+
+# Test node
+file { "$bootstrap_path/manifests/nodes/$first_hostname-test.pp":
+ ensure => $first_nodes,
+ mode => 0644,
+ content => template("$templates/puppet/test.pp.erb"),
+}
diff --git a/puppet/manifests/bootstrap/host.pp b/puppet/manifests/bootstrap/host.pp
new file mode 100644
index 0000000..c1aead8
--- /dev/null
+++ b/puppet/manifests/bootstrap/host.pp
@@ -0,0 +1,24 @@
+#
+# This manifest is intended to configure the initial
+# machine wich will host the first puppetmaster
+# virtual machine.
+#
+
+# Import site configuration
+import "../site.pp"
+
+# The server role
+include nodo::role::server
+
+# Creates vserver for administrative node
+nodo::vserver::instance { "$hostname-master":
+ context => '2',
+ puppetmaster => true,
+}
+
+# Create a host entry for this puppet node
+host { "puppet":
+ ensure => present,
+ ip => "192.168.0.2",
+ host_aliases => [ "puppet.$domain", "admin" ],
+}
diff --git a/puppet/manifests/bootstrap/master.pp b/puppet/manifests/bootstrap/master.pp
new file mode 100644
index 0000000..51167f3
--- /dev/null
+++ b/puppet/manifests/bootstrap/master.pp
@@ -0,0 +1,12 @@
+#
+# This manifest is intended to configure the initial
+# puppetmaster node.
+#
+# Once it's running it can setup all the other nodes.
+#
+
+# Import site configuration
+import "../site.pp"
+
+# Include the master node configuration
+include nodo::role::master
diff --git a/puppet/manifests/bootstrap/vagrant.pp b/puppet/manifests/bootstrap/vagrant.pp
new file mode 100644
index 0000000..9206db6
--- /dev/null
+++ b/puppet/manifests/bootstrap/vagrant.pp
@@ -0,0 +1,49 @@
+#
+# This manifest is intended to configure a vagrant
+# virtual machine.
+#
+
+# Import site configuration
+import "../site.pp"
+
+#
+# Stage definitions
+#
+
+stage { 'first':
+ before => Stage['main'],
+}
+
+stage { 'last': }
+Stage['main'] -> Stage['last']
+
+#
+# Class definitions
+#
+
+# Vagrant classes
+include nodo::role::vagrant
+
+class vagrant_config {
+ # Symlink to the mounted module folder
+ file { '/etc/puppet/modules':
+ ensure => '/etc/puppet/modules-0',
+ force => true,
+ }
+
+ # Ensure a custom hiera configuration
+ file { '/etc/puppet/hiera.yaml':
+ owner => root,
+ group => root,
+ mode => 0644,
+ force => true,
+ ensure => '/etc/puppet/hiera/hiera.yaml',
+ }
+}
+
+#
+# Class instantiations
+#
+class { 'vagrant_config':
+ stage => first,
+}
diff --git a/puppet/manifests/classes/users.pp b/puppet/manifests/classes/users.pp
new file mode 100644
index 0000000..7ebc9a8
--- /dev/null
+++ b/puppet/manifests/classes/users.pp
@@ -0,0 +1,33 @@
+class users::virtual inherits user {
+ # define custom users here
+}
+
+class users::backup inherits user {
+ # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+ # Reprepro group needed for web nodes
+ #if !defined(Group["reprepro"]) {
+ # group { "reprepro":
+ # ensure => present,
+ # }
+ #}
+
+ # root user and password (default 'vagrant' passphrase)
+ user::manage { "root":
+ tag => "admin",
+ homedir => '/root',
+ password => '$5$aosRByu9U0$Cc7l2vpjV4sRLlao2JmG0lxOnD2crNLU7gZfn2eayu.',
+ }
+
+ # first user config (default 'vagrant' passphrase and pubkey)
+ user::manage { "vagrant":
+ tag => "admin",
+ groups => [ "sudo", ],
+ password => '$5$NCuDu81a$iHr7tZiGX0tKooq6N0bEwE7QDhRqfI9/yyD7WU1GiFB',
+ sshkey => [ "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==" ],
+ }
+
+}
diff --git a/puppet/manifests/classes/websites.pp b/puppet/manifests/classes/websites.pp
new file mode 100644
index 0000000..35f27c6
--- /dev/null
+++ b/puppet/manifests/classes/websites.pp
@@ -0,0 +1,42 @@
+class websites::admin inherits websites::hosting::admin {
+ # An administrative Trac instance
+ #apache::site { "admin":
+ # docroot => "${apache::sites_folder}/admin/trac/htdocs",
+ # use => [ "Trac admin" ],
+ # redirect_match => "trac",
+ # mpm => false,
+ # tag => 'all',
+ #}
+
+ apache::site { "munin":
+ docroot => '/var/www/munin',
+ owner => "munin",
+ group => "munin",
+ mpm => false,
+ tag => 'all',
+ }
+
+ apache::site { "nagios":
+ source => true,
+ docroot => '/usr/share/nagios3/htdocs',
+ mpm => false,
+ tag => 'all',
+ }
+}
+
+class websites inherits websites::hosting {
+ # Website definitions: always use tagged resources
+
+ #apache::site { "site":
+ # source => true,
+ # ticket => '001',
+ # docroot => '/var/www/site',
+ # tag => 'all',
+ #}
+
+ #database::instance { "site":
+ # password => 'xxx',
+ # tag => 'all',
+ #}
+
+}
diff --git a/puppet/manifests/hiera b/puppet/manifests/hiera
new file mode 120000
index 0000000..ba8aae1
--- /dev/null
+++ b/puppet/manifests/hiera
@@ -0,0 +1 @@
+../hiera \ No newline at end of file
diff --git a/puppet/manifests/modules.pp b/puppet/manifests/modules.pp
new file mode 100644
index 0000000..3df3fe3
--- /dev/null
+++ b/puppet/manifests/modules.pp
@@ -0,0 +1,6 @@
+#
+# Module definitions.
+#
+
+# Nodo automatically import all modules we need.
+import "nodo"
diff --git a/puppet/manifests/nodes.pp b/puppet/manifests/nodes.pp
new file mode 100644
index 0000000..b90f04e
--- /dev/null
+++ b/puppet/manifests/nodes.pp
@@ -0,0 +1,5 @@
+#
+# Node definitions.
+#
+
+#import "nodes/example.pp"
diff --git a/puppet/manifests/nodes/.empty b/puppet/manifests/nodes/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/manifests/nodes/.empty
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
new file mode 100644
index 0000000..6f3e5aa
--- /dev/null
+++ b/puppet/manifests/site.pp
@@ -0,0 +1,8 @@
+#
+# Puppet site configuration.
+#
+
+import "classes/users.pp"
+import "classes/websites.pp"
+import "modules.pp"
+import "nodes.pp"
diff --git a/puppet/modules/bootstrap b/puppet/modules/bootstrap
new file mode 120000
index 0000000..a96aa0e
--- /dev/null
+++ b/puppet/modules/bootstrap
@@ -0,0 +1 @@
+.. \ No newline at end of file
diff --git a/puppet/modules/site_apache/files/htdocs/images/.empty b/puppet/modules/site_apache/files/htdocs/images/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_apache/files/htdocs/images/.empty
diff --git a/puppet/modules/site_apache/files/vhosts/.empty b/puppet/modules/site_apache/files/vhosts/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_apache/files/vhosts/.empty
diff --git a/puppet/modules/site_keys/files/ssl/.empty b/puppet/modules/site_keys/files/ssl/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_keys/files/ssl/.empty
diff --git a/puppet/modules/site_mail/files/.empty b/puppet/modules/site_mail/files/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_mail/files/.empty
diff --git a/puppet/modules/site_nagios/files/.empty b/puppet/modules/site_nagios/files/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_nagios/files/.empty
diff --git a/puppet/modules/site_nginx/files/.empty b/puppet/modules/site_nginx/files/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_nginx/files/.empty
diff --git a/puppet/modules/site_postfix/files/.empty b/puppet/modules/site_postfix/files/.empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/modules/site_postfix/files/.empty
diff --git a/puppet b/puppet/puppet
index 945c9b4..945c9b4 120000
--- a/puppet
+++ b/puppet/puppet
diff --git a/puppet/puppet.conf b/puppet/puppet.conf
new file mode 100644
index 0000000..81c47ed
--- /dev/null
+++ b/puppet/puppet.conf
@@ -0,0 +1,30 @@
+[main]
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = sqlite3
+#dbadapter = mysql
+#dbserver = localhost
+#dbuser = puppet
+#dbpassword = hackme
+dbconnections = 15
+certname = puppet.vagrantup.com
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server = puppet.vagrantup.com
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300
diff --git a/puppet/templates/apache/htdocs/images/README.html.erb b/puppet/templates/apache/htdocs/images/README.html.erb
new file mode 100644
index 0000000..4d0f929
--- /dev/null
+++ b/puppet/templates/apache/htdocs/images/README.html.erb
@@ -0,0 +1,3 @@
+<pre>
+When not explicitly mentioned, the use of these images is restricted to <%= base_domain %>
+</pre>
diff --git a/puppet/templates/apache/htdocs/index.html.erb b/puppet/templates/apache/htdocs/index.html.erb
new file mode 100644
index 0000000..6d2d7ea
--- /dev/null
+++ b/puppet/templates/apache/htdocs/index.html.erb
@@ -0,0 +1,9 @@
+<html><head>
+<meta http-equiv="refresh" content="1;url=http://<%= domain %>">
+<title><%= domain %></title></head><body>
+
+<center>
+ <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p>
+</center>
+
+</body></html>
diff --git a/puppet/templates/apache/htdocs/missing.html.erb b/puppet/templates/apache/htdocs/missing.html.erb
new file mode 100644
index 0000000..0c95ef3
--- /dev/null
+++ b/puppet/templates/apache/htdocs/missing.html.erb
@@ -0,0 +1,12 @@
+<html>
+<head>
+<title>404 - Not Found</title>
+</head>
+<body>
+ <center>
+ <pre>
+ The address you are trying to reach could not be found. :(
+ </pre>
+ </center>
+</body>
+</html>
diff --git a/puppet/templates/apache/vhosts/git.erb b/puppet/templates/apache/vhosts/git.erb
new file mode 100644
index 0000000..25aecd1
--- /dev/null
+++ b/puppet/templates/apache/vhosts/git.erb
@@ -0,0 +1,20 @@
+# begin vhost for git
+<VirtualHost *:80>
+ # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian
+
+ ServerName git.<%= domain %>
+ SetEnv GITWEB_CONFIG /etc/gitweb.conf
+ HeaderName HEADER
+ DocumentRoot /var/git/repositories
+ Alias /gitweb.css /usr/share/gitweb/gitweb.css
+ Alias /git-favicon.png /usr/share/gitweb/git-favicon.png
+ Alias /git-logo.png /usr/share/gitweb/git-logo.png
+
+ ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi
+ RewriteEngine on
+
+ # Rewrite all other paths that aren't git repo internals to gitweb
+ RewriteRule ^/$ /gitweb [PT]
+ RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT]
+</VirtualHost>
+# end vhost for git
diff --git a/puppet/templates/apache/vhosts/lists.erb b/puppet/templates/apache/vhosts/lists.erb
new file mode 100644
index 0000000..158dfd4
--- /dev/null
+++ b/puppet/templates/apache/vhosts/lists.erb
@@ -0,0 +1,22 @@
+# begin vhost for lists.<%= domain %>
+<VirtualHost *:80>
+ ServerName lists.<%= domain %>
+ DocumentRoot /var/www/data/lists
+
+ RedirectMatch ^/$ https://lists.<%= domain %>/wws
+ Alias /static-sympa /var/lib/sympa/static_content
+ Alias /wwsicons /usr/share/sympa/icons
+ ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi
+
+ <IfModule mod_fcgid.c>
+ IPCCommTimeout 120
+ MaxProcessCount 2
+ </IfModule>
+
+ SuexecUserGroup sympa sympa
+
+ <Location /wws>
+ SetHandler fcgid-script
+ </Location>
+</VirtualHost>
+# end vhost for lists.<%= domain %>
diff --git a/puppet/templates/apache/vhosts/mail.erb b/puppet/templates/apache/vhosts/mail.erb
new file mode 100644
index 0000000..3badcf0
--- /dev/null
+++ b/puppet/templates/apache/vhosts/mail.erb
@@ -0,0 +1,72 @@
+# begin vhost for mail.<%= domain >
+<VirtualHost *:80>
+ ServerName mail.<%= domain >
+ #DocumentRoot /usr/share/squirrelmail
+ DocumentRoot /var/lib/roundcube
+
+ # begin squirrel config
+ <Directory /usr/share/squirrelmail>
+ Options Indexes FollowSymLinks
+ <IfModule mod_php4.c>
+ php_flag register_globals off
+ </IfModule>
+ <IfModule mod_php5.c>
+ php_flag register_globals off
+ </IfModule>
+ <IfModule mod_dir.c>
+ DirectoryIndex index.php
+ </IfModule>
+
+ # access to configtest is limited by default to prevent information leak
+ <Files configtest.php>
+ order deny,allow
+ deny from all
+ allow from 127.0.0.1
+ </Files>
+ </Directory>
+ # end squirrel config
+
+ # begin roundcube config
+ # Access to tinymce files
+ Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
+ Alias /roundcube /var/lib/roundcube
+
+ <Directory "/usr/share/tinymce/www/">
+ Options Indexes MultiViews FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
+ <Directory /var/lib/roundcube/>
+ Options +FollowSymLinks
+ # This is needed to parse /var/lib/roundcube/.htaccess. See its
+ # content before setting AllowOverride to None.
+ AllowOverride All
+ order allow,deny
+ allow from all
+ </Directory>
+
+ # Protecting basic directories:
+ <Directory /var/lib/roundcube/config>
+ Options -FollowSymLinks
+ AllowOverride None
+ </Directory>
+
+ <Directory /var/lib/roundcube/temp>
+ Options -FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Deny from all
+ </Directory>
+
+ <Directory /var/lib/roundcube/logs>
+ Options -FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Deny from all
+ </Directory>
+ # end roundcube config
+
+</VirtualHost>
+# end vhost for mail.<%= domain >
diff --git a/puppet/templates/apache/vhosts/nagios.erb b/puppet/templates/apache/vhosts/nagios.erb
new file mode 100644
index 0000000..8b3d252
--- /dev/null
+++ b/puppet/templates/apache/vhosts/nagios.erb
@@ -0,0 +1,61 @@
+# begin vhost for nagios
+<VirtualHost *:80>
+ ServerName nagios.<%= domain >
+ DocumentRoot /usr/share/nagios3/htdocs
+
+ # apache configuration for nagios 3.x
+ # note to users of nagios 1.x and 2.x:
+ # throughout this file are commented out sections which preserve
+ # backwards compatibility with bookmarks/config forî<80><80>older nagios versios.
+ # simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+
+ ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
+ ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
+ # nagios 1.x:
+ #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
+ #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
+ # nagios 2.x:
+ #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
+ #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
+
+ # Where the stylesheets (config files) reside
+ Alias /nagios3/stylesheets /etc/nagios3/stylesheets
+ # nagios 1.x:
+ #Alias /nagios/stylesheets /etc/nagios3/stylesheets
+ # nagios 2.x:
+ #Alias /nagios2/stylesheets /etc/nagios3/stylesheets
+
+ # Where the HTML pages live
+ Alias /nagios3 /usr/share/nagios3/htdocs
+ # nagios 2.x:
+ #Alias /nagios2 /usr/share/nagios3/htdocs
+ # nagios 1.x:
+ #Alias /nagios /usr/share/nagios3/htdocs
+
+ <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
+ Options FollowSymLinks
+
+ DirectoryIndex index.html
+
+ AllowOverride AuthConfig
+ Order Allow,Deny
+ Allow From All
+
+ AuthName "Nagios Access"
+ AuthType Basic
+ AuthUserFile /etc/nagios3/htpasswd.users
+ # nagios 1.x:
+ #AuthUserFile /etc/nagios/htpasswd.users
+ require valid-user
+ </DirectoryMatch>
+
+ # Enable this ScriptAlias if you want to enable the grouplist patch.
+ # See http://apan.sourceforge.net/download.html for more info
+ # It allows you to see a clickable list of all hostgroups in the
+ # left pane of the Nagios web interface
+ # XXX This is not tested for nagios 2.x use at your own peril
+ #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+ # nagios 1.x:
+ #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+</VirtualHost>
+# end vhost for nagios
diff --git a/puppet/templates/apache/vhosts/wiki.erb b/puppet/templates/apache/vhosts/wiki.erb
new file mode 100644
index 0000000..56e395b
--- /dev/null
+++ b/puppet/templates/apache/vhosts/wiki.erb
@@ -0,0 +1,17 @@
+# begin vhost for wiki.<%= domain >
+<VirtualHost *:80>
+ ServerName wiki.<%= domain >
+ DocumentRoot /var/www/data/wiki
+
+ # begin wiki config
+ <Directory /var/www/data/wiki>
+ Options Indexes Includes FollowSymLinks MultiViews
+ AllowOverride All
+ </Directory>
+ # end wiki config
+
+ <IfModule mpm_itk_module>
+ AssignUserId wiki wiki
+ </IfModule>
+</VirtualHost>
+# end vhost for wiki.<%= domain >
diff --git a/puppet/templates/etc/aliases.erb b/puppet/templates/etc/aliases.erb
new file mode 100644
index 0000000..f520f68
--- /dev/null
+++ b/puppet/templates/etc/aliases.erb
@@ -0,0 +1,15 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+reprepro: root
+root: <%= first_user_email %>
diff --git a/puppet/templates/etc/nagios3/htpasswd.users.erb b/puppet/templates/etc/nagios3/htpasswd.users.erb
new file mode 100644
index 0000000..c21d493
--- /dev/null
+++ b/puppet/templates/etc/nagios3/htpasswd.users.erb
@@ -0,0 +1 @@
+nagiosadmin:0FCabjvUTHvxF
diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb
new file mode 100644
index 0000000..4e9fa7d
--- /dev/null
+++ b/puppet/templates/etc/nginx/domain.erb
@@ -0,0 +1,172 @@
+# <%= domain %> proxy config
+
+# Set the max size for file uploads
+client_max_body_size 100M;
+
+# SNI Configuration
+server {
+ listen 443 default;
+ server_name _;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/blank.crt;
+ ssl_certificate_key /etc/ssl/private/blank.pem;
+ return 403;
+}
+
+server {
+ # see config tips at
+ # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ # simple reverse-proxy
+ listen 80;
+ server_name *.<%= domain %> <%= domain %>
+
+ # enable HSTS header
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+ # https redirection by default
+ rewrite ^(.*) https://$host$1 redirect;
+
+ # rewrite rules for backups.<%= domain %>
+ #if ($host ~* ^backups\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for admin.<%= domain %>
+ #if ($host ~* ^admin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for munin.<%= domain %>
+ #if ($host ~* ^munin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for trac.<%= domain %>
+ #if ($host ~* ^trac\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for nagios.<%= domain %>
+ #if ($host ~* ^nagios\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for htpasswd.<%= domain %>
+ #if ($host ~* ^htpasswd\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ #if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for mail.<%= domain %>
+ #if ($host ~* ^mail\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for lists.<%= domain %>
+ #if ($host ~* ^lists\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # pass requests for dynamic content
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_pass http://weblocal:80;
+ }
+
+}
+
+server {
+ # https reverse proxy
+ listen 443;
+ server_name *.<%= domain %> <%= domain %>;
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/cert.crt;
+ ssl_certificate_key /etc/ssl/private/cert.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv3 TLSv1;
+ ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
+ ssl_prefer_server_ciphers on;
+
+ # Set the max size for file uploads
+ client_max_body_size 100M;
+
+ location / {
+ # preserve http header and set forwarded proto
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+
+ # rewrite rules for admin.<%= domain %>
+ if ($host ~* ^admin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for munin.<%= domain %>
+ if ($host ~* ^munin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for trac.<%= domain %>
+ if ($host ~* ^trac\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for nagios.<%= domain %>
+ if ($host ~* ^nagios\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for mail.<%= domain %>
+ if ($host ~* ^mail\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for lists.<%= domain %>
+ if ($host ~* ^lists\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # default proxy pass
+ proxy_pass http://weblocal:80;
+ }
+
+}
diff --git a/puppet/templates/postfix/tls_policy.erb b/puppet/templates/postfix/tls_policy.erb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/puppet/templates/postfix/tls_policy.erb
diff --git a/puppet/templates/puppet/auth.conf.erb b/puppet/templates/puppet/auth.conf.erb
new file mode 100644
index 0000000..96f078c
--- /dev/null
+++ b/puppet/templates/puppet/auth.conf.erb
@@ -0,0 +1,120 @@
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
+#
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
+# description of auth.conf's behavior.
+#
+# Supported syntax:
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
+#
+# Example Stanza
+# ---------------------------------
+# path /path/to/resource # simple prefix match
+# # path ~ regex # alternately, regex match
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
+#
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
+#
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
+#
+# Examples:
+#
+# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
+# allow * # Allow all authenticated nodes (since auth
+# # defaults to `yes`).
+#
+# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
+# allow $1 # certname), but not any other node's catalog.
+#
+# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
+# auth yes # access the "extra_files"
+# allow /^(.+)\.example\.com$/ # mount point; note this must
+# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
+# # since it is more specific.
+#
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /file
+allow *
+
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
+path /certificate/ca
+auth any
+method find
+allow *
+
+# allow nodes to retrieve the certificate they requested earlier
+path /certificate/
+auth any
+method find
+allow *
+
+# allow nodes to request a new certificate
+path /certificate_request
+auth any
+method find, save
+allow *
+
+path /v2.0/environments
+method find
+allow *
+
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
+path /
+auth any
diff --git a/puppet/templates/puppet/fileserver.conf.erb b/puppet/templates/puppet/fileserver.conf.erb
new file mode 100644
index 0000000..e4d6e0a
--- /dev/null
+++ b/puppet/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,21 @@
+# See http://docs.puppetlabs.com/guides/file_serving.html
+
+# Files
+[files]
+ path /etc/puppet/files
+ allow *.<%= base_domain %>
+
+# SSL keys
+[ssl]
+ path /etc/puppet/keys/ssl
+ deny *
+
+# SSH keys
+[ssh]
+ path /etc/puppet/keys/ssh/%h
+ allow *
+
+# Public keys
+[pubkeys]
+ path /etc/puppet/keys/public
+ allow *
diff --git a/puppet/templates/puppet/master.pp.erb b/puppet/templates/puppet/master.pp.erb
new file mode 100644
index 0000000..5865723
--- /dev/null
+++ b/puppet/templates/puppet/master.pp.erb
@@ -0,0 +1,10 @@
+node '<%= hostname %>-master.<%= domain %>' {
+ $main_master = true
+ include nodo::master
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/puppet/templates/puppet/nodes.pp.erb b/puppet/templates/puppet/nodes.pp.erb
new file mode 100644
index 0000000..4acddc6
--- /dev/null
+++ b/puppet/templates/puppet/nodes.pp.erb
@@ -0,0 +1,14 @@
+#
+# Node definitions.
+#
+
+<%- if first_nodes == 'present' then -%>
+import "nodes/<%= first_hostname %>.pp"
+import "nodes/<%= first_hostname %>-master.pp"
+import "nodes/<%= first_hostname %>-proxy.pp"
+import "nodes/<%= first_hostname %>-web.pp"
+import "nodes/<%= first_hostname %>-storage.pp"
+import "nodes/<%= first_hostname %>-test.pp"
+<%- else -%>
+#import "nodes/example.pp"
+<%- end -%>
diff --git a/puppet/templates/puppet/proxy.pp.erb b/puppet/templates/puppet/proxy.pp.erb
new file mode 100644
index 0000000..908c2ec
--- /dev/null
+++ b/puppet/templates/puppet/proxy.pp.erb
@@ -0,0 +1,53 @@
+node '<%= hostname %>-proxy.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::proxy
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+ # reference to admin vserver
+ host { "<%= hostname %>-master":
+ ensure => present,
+ ip => "192.168.0.2",
+ host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to proxy vserver
+ #host { "<%= hostname %>-proxy":
+ # ensure => present,
+ # ip => "192.168.0.3",
+ # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
+ # notify => Service["nginx"],
+ #}
+
+ # reference to web vserver
+ host { "<%= hostname %>-web":
+ ensure => present,
+ ip => "192.168.0.4",
+ host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to storage vserver
+ host { "<%= hostname %>-storage":
+ ensure => present,
+ ip => "192.168.0.5",
+ host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to test vserver
+ host { "<%= hostname %>-test":
+ ensure => present,
+ ip => "192.168.0.6",
+ host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
+ notify => Service["nginx"],
+ }
+
+}
diff --git a/puppet/templates/puppet/puppet.conf.erb b/puppet/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..e2751ca
--- /dev/null
+++ b/puppet/templates/puppet/puppet.conf.erb
@@ -0,0 +1,30 @@
+[main]
+logdir = /var/log/puppet
+vardir = /var/lib/puppetmaster
+ssldir = $vardir/ssl
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+templatedir = $vardir/templates
+masterport = 8140
+autosign = false
+storeconfigs = true
+dbadapter = sqlite3
+#dbadapter = mysql
+#dbserver = localhost
+#dbuser = puppet
+#dbpassword = <%= db_password %>
+dbconnections = 15
+certname = puppet.<%= base_domain %>
+ssl_client_header = SSL_CLIENT_S_DN
+ssl_client_verify_header = SSL_CLIENT_VERIFY
+
+[agent]
+server = puppet.<%= base_domain %>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 7200
+puppetport = 8139
+configtimeout = 300
diff --git a/puppet/templates/puppet/server.pp.erb b/puppet/templates/puppet/server.pp.erb
new file mode 100644
index 0000000..fcd21e0
--- /dev/null
+++ b/puppet/templates/puppet/server.pp.erb
@@ -0,0 +1,41 @@
+node '<%= hostname %>.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+ $shorewall_dmz = true
+ $resolvconf_nameservers = $opendns_nameservers
+ $has_ups = false
+ include nodo::server
+
+ #
+ # Linux-VServers
+ #
+ #nodo::vserver::instance { "<%= hostname %>-master":
+ # context => '2',
+ # puppetmaster => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-proxy":
+ # context => '3',
+ # proxy => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-web":
+ # context => '4',
+ # gitd => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-storage":
+ # context => '5',
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-test":
+ # context => '6',
+ # memory_limit => 500,
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10105",
+ #}
+}
diff --git a/puppet/templates/puppet/storage.pp.erb b/puppet/templates/puppet/storage.pp.erb
new file mode 100644
index 0000000..be93335
--- /dev/null
+++ b/puppet/templates/puppet/storage.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-storage.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::storage
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/puppet/templates/puppet/test.pp.erb b/puppet/templates/puppet/test.pp.erb
new file mode 100644
index 0000000..816eca9
--- /dev/null
+++ b/puppet/templates/puppet/test.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-test.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::test
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/puppet/templates/puppet/users.pp.erb b/puppet/templates/puppet/users.pp.erb
new file mode 100644
index 0000000..55a2706
--- /dev/null
+++ b/puppet/templates/puppet/users.pp.erb
@@ -0,0 +1,33 @@
+class users::virtual inherits user {
+ # define custom users here
+}
+
+class users::backup inherits user {
+ # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+ # Reprepro group needed for web nodes
+ #if !defined(Group["reprepro"]) {
+ # group { "reprepro":
+ # ensure => present,
+ # }
+ #}
+
+ # root user and password
+ user::manage { "root":
+ tag => "admin",
+ homedir => '/root',
+ password => '<%= root_password %>',
+ }
+
+ # first user config
+ user::manage { "<%= first_user %>":
+ tag => "admin",
+ groups => [ "sudo", ],
+ password => '<%= first_user_password %>',
+ sshkey => [ "<%= first_user_sshkey %>" ],
+ }
+
+}
diff --git a/puppet/templates/puppet/web.pp.erb b/puppet/templates/puppet/web.pp.erb
new file mode 100644
index 0000000..afc328b
--- /dev/null
+++ b/puppet/templates/puppet/web.pp.erb
@@ -0,0 +1,13 @@
+node '<%= hostname %>-web.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::web
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}