From 5512c493e13998d4c83d7eab3d89e5a1c0836566 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Fri, 6 Nov 2015 11:00:06 -0200 Subject: Squashed 'puppet/' changes from 26c7b4f..8f7043a 8f7043a Disable backup on puppet-bootstrap.example.org ea035ff Hiera: change domain and location eval order f418291 Adds default node 096b65a Removes darkice module 7663170 Updates TODO d03a934 Deploy: cleanup 66bd115 Deploy: fixes 51b00aa Deploy: apply patches before deployment (2) fc08d8d Deploy: apply patches before deployment 89cc9aa Typo e0169de Masterless puppet is supported a23b6a0 TODO: apply patches 49c4466 Patches, deployment code and TODO update 91477be Use settings::confdir on hiera datadir 381096e TODO cleanup 3d3eb59 Updates TODO 57c6940 Hiera fixes 5a2de12 New hiera scheme for secrets storage 4fc808f Get rid of environments, use git branches instead 47bc020 Updates mrconfig 0d32fa5 New canonical URL 08cd538 Updates TODO 4cfe7fb Site manifests ff61a20 Updates TODO 20f7608 Adds git hooks for push-to-deploy 6759fe7 Another LAMP example a461d98 Really remove bootstrap from mrconfig 1920fba Vagrant: apache user and group f13cb8a Formatting 7425fad Adds puppet-bootstrap.example.org.yaml 4647b02 Vagrant: LAMP example 42ce487 Vagrantfile: example of forwarded port 328873a Fix default hostname 41c9d89 Vagrantfile: set fqdn 72f61db Switch to parametrized classes fd90a64 Vagrant hostname 43816c7 Vagrantfile minor edit 1932d55 Updates mrconfig 39fa2d5 Fix hiera path df5df0b Submodules: force e0b4ebe Updates TODO ee7491e Updates TODO 65746ac TODO: syslog-ng fe79512 TODO: modules 60a3d68 TODO update a7e3e4c Storeconfigs support for vagrant/jessie 0d6de38 Coding style 28bd7e2 Default empty keys.d folder d33c587 Shell provisioner sudo fix 47c83e6 Vagrant provisioning fixes 6f0a560 Removes VIM modelines from Vagrantfile c9e8e7a Call nodo as a parametrized class 3730114 More changes for puppet 3.x 106977f Remove import definitions (deprecated since puppet 3.x) 3c13239 TODO update 5491a52 Mock puppet.conf with environment config 133e36b Initial changes for 
jessie 67baef2 Git and cgit vhosts 097b8ec Nginx: dhparams git-subtree-dir: puppet git-subtree-split: 8f7043a8948b3236d3c2582c865b27af4613c632 --- .mrconfig | 177 +++++++++++++------------- Makefile | 12 +- README.md | 10 +- TODO.md | 142 ++++++++++++++++++++- Vagrantfile | 56 ++------ bin/dependencies | 8 +- bin/deploy | 58 +++++++++ bin/mrconfig | 8 +- bin/post-receive | 7 + bin/post-update | 16 +++ bin/provision | 30 +++-- bin/submodules | 2 +- files/patches/trusty/puppet-stack-level.md | 3 + files/patches/trusty/puppet-stack-level.patch | 15 +++ hiera/common.yaml | 5 + hiera/hiera.yaml | 28 ++-- hiera/node/puppet-bootstrap.example.org.yaml | 14 ++ manifests/bootstrap/configurator.pp | 2 +- manifests/bootstrap/host.pp | 7 +- manifests/bootstrap/master.pp | 7 +- manifests/bootstrap/vagrant.pp | 61 ++++----- manifests/classes/websites.pp | 42 ------ manifests/modules.pp | 6 - manifests/nodes.pp | 5 - manifests/nodes/default.pp | 3 + manifests/site.pp | 8 -- modules/site_apt/files/keys.d/.empty | 0 modules/site_bind/manifests/init.pp | 16 +++ modules/site_mail/files/aliases | 14 ++ modules/site_users/manifests/admin.pp | 16 +++ modules/site_users/manifests/backups.pp | 3 + modules/site_users/manifests/init.pp | 2 + modules/site_users/manifests/virtual.pp | 3 + modules/site_websites/manifests/admin.pp | 25 ++++ modules/site_websites/manifests/init.pp | 21 +++ puppet.conf | 4 + templates/apache/vhosts/cgit.erb | 30 +++++ templates/apache/vhosts/git.erb | 1 + templates/etc/nginx/domain.erb | 1 + templates/puppet/users.pp.erb | 8 -- 40 files changed, 589 insertions(+), 287 deletions(-) create mode 100755 bin/deploy create mode 100755 bin/post-receive create mode 100755 bin/post-update create mode 100644 files/patches/trusty/puppet-stack-level.md create mode 100644 files/patches/trusty/puppet-stack-level.patch create mode 100644 hiera/node/puppet-bootstrap.example.org.yaml delete mode 100644 manifests/classes/websites.pp delete mode 100644 manifests/modules.pp delete 
mode 100644 manifests/nodes.pp create mode 100644 manifests/nodes/default.pp delete mode 100644 manifests/site.pp create mode 100644 modules/site_apt/files/keys.d/.empty create mode 100644 modules/site_bind/manifests/init.pp create mode 100644 modules/site_mail/files/aliases create mode 100644 modules/site_users/manifests/admin.pp create mode 100644 modules/site_users/manifests/backups.pp create mode 100644 modules/site_users/manifests/init.pp create mode 100644 modules/site_users/manifests/virtual.pp create mode 100644 modules/site_websites/manifests/admin.pp create mode 100644 modules/site_websites/manifests/init.pp create mode 100644 puppet.conf create mode 100644 templates/apache/vhosts/cgit.erb diff --git a/.mrconfig b/.mrconfig index 8731bee..5c24dc7 100644 --- a/.mrconfig +++ b/.mrconfig 
@@ -1,258 +1,255 @@ [puppet/modules/apache] -checkout = git clone git://git.sarava.org/puppet-apache.git apache +checkout = git clone git://git.fluxo.info/puppet-apache.git apache [puppet/modules/apcupsd] -checkout = git clone git://git.sarava.org/puppet-apcupsd.git apcupsd +checkout = git clone git://git.fluxo.info/puppet-apcupsd.git apcupsd [puppet/modules/apparmor] -checkout = git clone git://git.sarava.org/puppet-apparmor.git apparmor +checkout = git clone git://git.fluxo.info/puppet-apparmor.git apparmor [puppet/modules/apt] -checkout = git clone git://git.sarava.org/puppet-apt.git apt +checkout = git clone git://git.fluxo.info/puppet-apt.git apt [puppet/modules/autofs] -checkout = git clone git://git.sarava.org/puppet-autofs.git autofs +checkout = git clone git://git.fluxo.info/puppet-autofs.git autofs [puppet/modules/autossh] -checkout = git clone git://git.sarava.org/puppet-autossh.git autossh +checkout = git clone git://git.fluxo.info/puppet-autossh.git autossh [puppet/modules/avahi] -checkout = git clone git://git.sarava.org/puppet-avahi.git avahi +checkout = git clone git://git.fluxo.info/puppet-avahi.git avahi [puppet/modules/backup] -checkout = git clone git://git.sarava.org/puppet-backup.git backup +checkout = git clone git://git.fluxo.info/puppet-backup.git backup [puppet/modules/backupninja] -checkout = git clone git://git.sarava.org/puppet-backupninja.git backupninja +checkout = git clone git://git.fluxo.info/puppet-backupninja.git backupninja [puppet/modules/bind] -checkout = git clone git://git.sarava.org/puppet-bind.git bind +checkout = git clone git://git.fluxo.info/puppet-bind.git bind [puppet/modules/bitcoind] -checkout = git clone git://git.sarava.org/puppet-bitcoind.git bitcoind - -[puppet/modules/bootstrap] -checkout = git clone git://git.sarava.org/puppet-bootstrap.git bootstrap +checkout = git clone git://git.fluxo.info/puppet-bitcoind.git bitcoind [puppet/modules/common] -checkout = git clone git://git.sarava.org/puppet-common.git 
common +checkout = git clone git://git.fluxo.info/puppet-common.git common [puppet/modules/concat] -checkout = git clone git://git.sarava.org/puppet-concat.git concat +checkout = git clone git://git.fluxo.info/puppet-concat.git concat [puppet/modules/cron] -checkout = git clone git://git.sarava.org/puppet-cron.git cron +checkout = git clone git://git.fluxo.info/puppet-cron.git cron [puppet/modules/daap_server] -checkout = git clone git://git.sarava.org/puppet-daap_server.git daap_server - -[puppet/modules/darkice] -checkout = git clone git://git.sarava.org/puppet-darkice.git darkice +checkout = git clone git://git.fluxo.info/puppet-daap_server.git daap_server [puppet/modules/database] -checkout = git clone git://git.sarava.org/puppet-database.git database +checkout = git clone git://git.fluxo.info/puppet-database.git database [puppet/modules/dhcp] -checkout = git clone git://git.sarava.org/puppet-dhcp.git dhcp +checkout = git clone git://git.fluxo.info/puppet-dhcp.git dhcp [puppet/modules/domain_check] -checkout = git clone git://git.sarava.org/puppet-domain_check.git domain_check +checkout = git clone git://git.fluxo.info/puppet-domain_check.git domain_check [puppet/modules/drupal] -checkout = git clone git://git.sarava.org/puppet-drupal.git drupal +checkout = git clone git://git.fluxo.info/puppet-drupal.git drupal [puppet/modules/dyndns] -checkout = git clone git://git.sarava.org/puppet-dyndns.git dyndns +checkout = git clone git://git.fluxo.info/puppet-dyndns.git dyndns [puppet/modules/ejabberd] -checkout = git clone git://git.sarava.org/puppet-ejabberd.git ejabberd +checkout = git clone git://git.fluxo.info/puppet-ejabberd.git ejabberd [puppet/modules/ekeyd] -checkout = git clone git://git.sarava.org/puppet-ekeyd.git ekeyd +checkout = git clone git://git.fluxo.info/puppet-ekeyd.git ekeyd [puppet/modules/etherpad] -checkout = git clone git://git.sarava.org/puppet-etherpad.git etherpad +checkout = git clone git://git.fluxo.info/puppet-etherpad.git etherpad 
[puppet/modules/exim] -checkout = git clone git://git.sarava.org/puppet-exim.git exim +checkout = git clone git://git.fluxo.info/puppet-exim.git exim [puppet/modules/firewall] -checkout = git clone git://git.sarava.org/puppet-firewall.git firewall +checkout = git clone git://git.fluxo.info/puppet-firewall.git firewall [puppet/modules/git] -checkout = git clone git://git.sarava.org/puppet-git.git git +checkout = git clone git://git.fluxo.info/puppet-git.git git [puppet/modules/hotglue] -checkout = git clone git://git.sarava.org/puppet-hotglue.git hotglue +checkout = git clone git://git.fluxo.info/puppet-hotglue.git hotglue [puppet/modules/hydra] -checkout = git clone git://git.sarava.org/puppet-hydra.git hydra +checkout = git clone git://git.fluxo.info/puppet-hydra.git hydra [puppet/modules/icecast] -checkout = git clone git://git.sarava.org/puppet-icecast.git icecast +checkout = git clone git://git.fluxo.info/puppet-icecast.git icecast [puppet/modules/ikiwiki] -checkout = git clone git://git.sarava.org/puppet-ikiwiki.git ikiwiki +checkout = git clone git://git.fluxo.info/puppet-ikiwiki.git ikiwiki [puppet/modules/inetd] -checkout = git clone git://git.sarava.org/puppet-inetd.git inetd +checkout = git clone git://git.fluxo.info/puppet-inetd.git inetd [puppet/modules/infinoted] -checkout = git clone git://git.sarava.org/puppet-infinoted.git infinoted +checkout = git clone git://git.fluxo.info/puppet-infinoted.git infinoted [puppet/modules/inifile] -checkout = git clone git://git.sarava.org/puppet-inifile.git inifile +checkout = git clone git://git.fluxo.info/puppet-inifile.git inifile [puppet/modules/lighttpd] -checkout = git clone git://git.sarava.org/puppet-lighttpd.git lighttpd +checkout = git clone git://git.fluxo.info/puppet-lighttpd.git lighttpd [puppet/modules/lsb] -checkout = git clone git://git.sarava.org/puppet-lsb.git lsb +checkout = git clone git://git.fluxo.info/puppet-lsb.git lsb [puppet/modules/mail] -checkout = git clone 
git://git.sarava.org/puppet-mail.git mail +checkout = git clone git://git.fluxo.info/puppet-mail.git mail [puppet/modules/minidlna] -checkout = git clone git://git.sarava.org/puppet-minidlna.git minidlna +checkout = git clone git://git.fluxo.info/puppet-minidlna.git minidlna [puppet/modules/moin] -checkout = git clone git://git.sarava.org/puppet-moin.git moin +checkout = git clone git://git.fluxo.info/puppet-moin.git moin [puppet/modules/monkeysphere] -checkout = git clone git://git.sarava.org/puppet-monkeysphere.git monkeysphere +checkout = git clone git://git.fluxo.info/puppet-monkeysphere.git monkeysphere [puppet/modules/motion] -checkout = git clone git://git.sarava.org/puppet-motion.git motion +checkout = git clone git://git.fluxo.info/puppet-motion.git motion [puppet/modules/mpd] -checkout = git clone git://git.sarava.org/puppet-mpd.git mpd +checkout = git clone git://git.fluxo.info/puppet-mpd.git mpd [puppet/modules/mumble] -checkout = git clone git://git.sarava.org/puppet-mumble.git mumble +checkout = git clone git://git.fluxo.info/puppet-mumble.git mumble [puppet/modules/munin] -checkout = git clone git://git.sarava.org/puppet-munin.git munin +checkout = git clone git://git.fluxo.info/puppet-munin.git munin [puppet/modules/mysql] -checkout = git clone git://git.sarava.org/puppet-mysql.git mysql +checkout = git clone git://git.fluxo.info/puppet-mysql.git mysql [puppet/modules/nagios] -checkout = git clone git://git.sarava.org/puppet-nagios.git nagios +checkout = git clone git://git.fluxo.info/puppet-nagios.git nagios [puppet/modules/nfs] -checkout = git clone git://git.sarava.org/puppet-nfs.git nfs +checkout = git clone git://git.fluxo.info/puppet-nfs.git nfs [puppet/modules/nginx] -checkout = git clone git://git.sarava.org/puppet-nginx.git nginx +checkout = git clone git://git.fluxo.info/puppet-nginx.git nginx [puppet/modules/nodo] -checkout = git clone git://git.sarava.org/puppet-nodo.git nodo +checkout = git clone git://git.fluxo.info/puppet-nodo.git 
nodo [puppet/modules/ntp] -checkout = git clone git://git.sarava.org/puppet-ntp.git ntp +checkout = git clone git://git.fluxo.info/puppet-ntp.git ntp [puppet/modules/onion] -checkout = git clone git://git.sarava.org/puppet-onion.git onion +checkout = git clone git://git.fluxo.info/puppet-onion.git onion [puppet/modules/pear] -checkout = git clone git://git.sarava.org/puppet-pear.git pear +checkout = git clone git://git.fluxo.info/puppet-pear.git pear [puppet/modules/php] -checkout = git clone git://git.sarava.org/puppet-php.git php +checkout = git clone git://git.fluxo.info/puppet-php.git php [puppet/modules/pmwiki] -checkout = git clone git://git.sarava.org/puppet-pmwiki.git pmwiki +checkout = git clone git://git.fluxo.info/puppet-pmwiki.git pmwiki [puppet/modules/postfix] -checkout = git clone git://git.sarava.org/puppet-postfix.git postfix +checkout = git clone git://git.fluxo.info/puppet-postfix.git postfix [puppet/modules/puppet] -checkout = git clone git://git.sarava.org/puppet-puppet.git puppet +checkout = git clone git://git.fluxo.info/puppet-puppet.git puppet [puppet/modules/pureftpd] -checkout = git clone git://git.sarava.org/puppet-pureftpd.git pureftpd +checkout = git clone git://git.fluxo.info/puppet-pureftpd.git pureftpd [puppet/modules/pyroscope] -checkout = git clone git://git.sarava.org/puppet-pyroscope.git pyroscope +checkout = git clone git://git.fluxo.info/puppet-pyroscope.git pyroscope [puppet/modules/qwebirc] -checkout = git clone git://git.sarava.org/puppet-qwebirc.git qwebirc +checkout = git clone git://git.fluxo.info/puppet-qwebirc.git qwebirc [puppet/modules/reprepro] -checkout = git clone git://git.sarava.org/puppet-reprepro.git reprepro +checkout = git clone git://git.fluxo.info/puppet-reprepro.git reprepro [puppet/modules/resolvconf] -checkout = git clone git://git.sarava.org/puppet-resolvconf.git resolvconf +checkout = git clone git://git.fluxo.info/puppet-resolvconf.git resolvconf [puppet/modules/rng-tools] -checkout = git clone 
git://git.sarava.org/puppet-rng-tools.git rng-tools +checkout = git clone git://git.fluxo.info/puppet-rng-tools.git rng-tools [puppet/modules/rsync] -checkout = git clone git://git.sarava.org/puppet-rsync.git rsync +checkout = git clone git://git.fluxo.info/puppet-rsync.git rsync [puppet/modules/runit] -checkout = git clone git://git.sarava.org/puppet-runit.git runit +checkout = git clone git://git.fluxo.info/puppet-runit.git runit [puppet/modules/samba] -checkout = git clone git://git.sarava.org/puppet-samba.git samba +checkout = git clone git://git.fluxo.info/puppet-samba.git samba [puppet/modules/schroot] -checkout = git clone git://git.sarava.org/puppet-schroot.git schroot +checkout = git clone git://git.fluxo.info/puppet-schroot.git schroot [puppet/modules/shorewall] -checkout = git clone git://git.sarava.org/puppet-shorewall.git shorewall +checkout = git clone git://git.fluxo.info/puppet-shorewall.git shorewall [puppet/modules/smartmonster] -checkout = git clone git://git.sarava.org/puppet-smartmonster.git smartmonster +checkout = git clone git://git.fluxo.info/puppet-smartmonster.git smartmonster [puppet/modules/smartmontools] -checkout = git clone git://git.sarava.org/puppet-smartmontools.git smartmontools +checkout = git clone git://git.fluxo.info/puppet-smartmontools.git smartmontools [puppet/modules/sshd] -checkout = git clone git://git.sarava.org/puppet-sshd.git sshd +checkout = git clone git://git.fluxo.info/puppet-sshd.git sshd [puppet/modules/ssl] -checkout = git clone git://git.sarava.org/puppet-ssl.git ssl +checkout = git clone git://git.fluxo.info/puppet-ssl.git ssl + +[puppet/modules/stdlib] +checkout = git clone git://git.fluxo.info/puppet-stdlib.git stdlib [puppet/modules/supervisor] -checkout = git clone git://git.sarava.org/puppet-supervisor.git supervisor +checkout = git clone git://git.fluxo.info/puppet-supervisor.git supervisor [puppet/modules/supybot] -checkout = git clone git://git.sarava.org/puppet-supybot.git supybot +checkout = git 
clone git://git.fluxo.info/puppet-supybot.git supybot [puppet/modules/syslog-ng] -checkout = git clone git://git.sarava.org/puppet-syslog-ng.git syslog-ng +checkout = git clone git://git.fluxo.info/puppet-syslog-ng.git syslog-ng [puppet/modules/tftp] -checkout = git clone git://git.sarava.org/puppet-tftp.git tftp +checkout = git clone git://git.fluxo.info/puppet-tftp.git tftp [puppet/modules/tor] -checkout = git clone git://git.sarava.org/puppet-tor.git tor +checkout = git clone git://git.fluxo.info/puppet-tor.git tor [puppet/modules/trac] -checkout = git clone git://git.sarava.org/puppet-trac.git trac +checkout = git clone git://git.fluxo.info/puppet-trac.git trac [puppet/modules/tunnel] -checkout = git clone git://git.sarava.org/puppet-tunnel.git tunnel +checkout = git clone git://git.fluxo.info/puppet-tunnel.git tunnel [puppet/modules/user] -checkout = git clone git://git.sarava.org/puppet-user.git user +checkout = git clone git://git.fluxo.info/puppet-user.git user [puppet/modules/vcsrepo] -checkout = git clone git://git.sarava.org/puppet-vcsrepo.git vcsrepo +checkout = git clone git://git.fluxo.info/puppet-vcsrepo.git vcsrepo [puppet/modules/viewvc] -checkout = git clone git://git.sarava.org/puppet-viewvc.git viewvc +checkout = git clone git://git.fluxo.info/puppet-viewvc.git viewvc [puppet/modules/virtual] -checkout = git clone git://git.sarava.org/puppet-virtual.git virtual +checkout = git clone git://git.fluxo.info/puppet-virtual.git virtual [puppet/modules/websites] -checkout = git clone git://git.sarava.org/puppet-websites.git websites +checkout = git clone git://git.fluxo.info/puppet-websites.git websites [puppet/modules/websvn] -checkout = git clone git://git.sarava.org/puppet-websvn.git websvn +checkout = git clone git://git.fluxo.info/puppet-websvn.git websvn [puppet/modules/wordpress] -checkout = git clone git://git.sarava.org/puppet-wordpress.git wordpress +checkout = git clone git://git.fluxo.info/puppet-wordpress.git wordpress 
diff --git a/Makefile b/Makefile
index 2209271..97c4a58 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@
 #
 # This Makefile is distributed in the hope that it will be useful, but WITHOUT
 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License along with
 # this program; if not, write to the Free Software Foundation, Inc., 59 Temple
@@ -15,7 +15,7 @@
 #
 
 CWD = $(shell pwd)
-REPO = git://git.sarava.org/puppet-bootstrap.git
+REPO = git://git.fluxo.info/puppet-bootstrap.git
 PUPPET = FACTER_BOOTSTRAP_PATH="$(CWD)" puppet apply --confdir="$(CWD)" --modulepath=modules
 
 all: deps remote modules config
@@ -57,3 +57,11 @@ clean:
 	rm -rf ssl
 	rm -rf modules
 	git checkout modules
+
+post_update:
+	git config receive.denyCurrentBranch ignore
+	cd .git/hooks && ln -sf ../../bin/post-update
+
+post_receive:
+	git config receive.denyCurrentBranch ignore
+	cd .git/hooks && ln -sf ../../bin/post-receive
diff --git a/README.md b/README.md
index 67dad5f..bb5375d 100644
--- a/README.md
+++ b/README.md
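Review bot: Both new targets hard-code `cd .git/hooks`, which only works when the repository root has a `.git` directory; when `puppet/` is consumed as a submodule or a git worktree, `.git` is a file, the `cd` fails and make aborts the recipe after `git config receive.denyCurrentBranch ignore` has already been applied. Resolving the hooks directory with `cd "$$(git rev-parse --git-path hooks)"` and linking an absolute target such as `ln -sf "$(CWD)/bin/post-update"` (CWD is already defined in this Makefile) removes that assumption. The `git config` line is duplicated in both recipes; a shared prerequisite target would keep them in step. If the Makefile declares a `.PHONY` list, these two targets belong in it; that line is outside the hunk.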
@@ -5,14 +5,14 @@ This is a multi-purpose but very specific puppet module which can be used: * As the base repository for a puppet infrastructure. * As a standalone provisioner for boxes, with Vagrant support. -* It can be optionally used together with the Hydra Suite from https://git.sarava.org/?p=hydra.git +* It can be optionally used together with the Hydra Suite from https://git.fluxo.info/hydra.git -Setting up a new puppetmaster repository ----------------------------------------- +Setting up a new puppet repository +---------------------------------- You'll basically use the `bootstrap` repository as your `puppet` repository: - git clone git://git.sarava.org/puppet-bootstrap.git puppet + git clone git://git.fluxo.info/puppet-bootstrap.git puppet cd puppet && git tag -v # check integrity make deps # install dependencies make submodules # add all needed puppet module as as git submodules @@ -24,7 +24,7 @@ Using as a standalone provisioner This will be a `Vagrant` example: cd your-project - git clone git://git.sarava.org/puppet-bootstrap.git puppet # use submodule or subtree as you please + git clone git://git.fluxo.info/puppet-bootstrap.git puppet # use submodule or subtree as you please ln -s puppet/Vagrantfile # or copy if you want to customize ( cd puppet && make modules ) # need the mr binary to download the submodules vagrant up web # with no arguments, all defined VMs are started diff --git a/TODO.md b/TODO.md index c773654..429bd4d 100644 --- a/TODO.md +++ b/TODO.md 
@@ -1,7 +1,141 @@ TODO ==== -* Minimal manifest for fast provisioning. -* Update to new nodo style (hiera and nodo::role). -* Support for recursive clones in `bin/mrconfig`. -* Test! +High priority +------------- + +- puppet: masterless: + - keyringer/gpg integration. + - https://github.com/compete/hiera_yamlgpg + - https://github.com/crayfishx/hiera-gpg + - https://github.com/sihil/hiera-eyaml-gpg + - https://github.com/StackExchange/blackbox + - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet + - https://docs.puppetlabs.com/hiera/1/custom_backends.html + - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml + - https://packages.debian.org/jessie/hiera-eyaml + - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?): + - add a monkeysphere auth subkey to every openpgp key used for backups. + - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/ + - http://current.workingdirectory.net/posts/2011/puppet-without-masters/ + - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/ + - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html + - https://github.com/jordansissel/puppet-examples/tree/master/masterless +- sshd: + - https://stribika.github.io/2015/01/04/secure-secure-shell.html + - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60 + - enable ecdsa key. + - ecdsa priority: alternatives: + - unsupport ecdsa in the server. + - export ecdsa pubkeys. + - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`. + - force option via rsync/rdiff handlers. +- virtual: migrate to kvm/libvirt. +- loginrecords: deploy module. +- deploy https://github.com/wido/puppet-module-tcpwrappers +- nodo: + - run stages. + - allow more resources to be declared via hiera. + - fix hiera default boolean value when true. + - easy way to toggle management of subsystems. 
+ +Medium priority +--------------- + +- apt: raspbian support, including unnatended-upgrades. +- backup: + - support for $dombr and $dobios on backupninja::sys for servers and physical machines. + - sync-backups support for rsyncing from kvms / snapshots. +- nodo: + - cleanup and refactor. + - uniform variable names. + - use prompt.sh from bash-prompt as a submodule. +- common: autoload. +- general: + - rollback of commits about charset. + - switch to conf.d: + - php ("refactor" branch), remove E_STRICT from production's error_reporting. + - apache2. + - sudoers. +- backup: `sync-media-iterate [volume]`. +- mail: + - use ssl::dhparams, move to 2048 bit and use the standard file names and paths: + - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012) + +Low priority +------------ + +- merge, review, pull requests for all modules. +- bind: nsupdate / dynamic dns: + - http://linux.yyz.us/nsupdate/ + - http://linux.yyz.us/dns/ddns-server.html + - http://caunter.ca/nsupdate.txt + - http://www.rtfm-sarl.ch/articles/using-nsupdate.html + - https://github.com/skx/dhcp.io/ +- munin: lvm monitoring. +- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed: + - http://wiki.rtorrent.org/MagnetUri + - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/ + - https://github.com/danfolkes/Magnet2Torrent + - http://code.google.com/p/pyroscope/wiki/CommandLineTools + - https://trac.transmissionbt.com/ticket/4176 + - http://wiki.rtorrent.org/MagnetUri + - https://github.com/rakshasa/rtorrent/issues/212 + - saving/restoring `.meta` and `~/rtorrent/.session` files. +- support for http/https proxy inside web nodes: + - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html + - make all apache sites listen to 8080. +- git: + - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html). + - gitweb clean urls. 
+ - email notifications. + - https://packages.debian.org/jessie/git-notifier + - https://github.com/mhagger/git-multimail + - using OpenPGP? +- syslog-ng: use conf.d. +- etherpad: `You need to set a sessionKey value in settings.json`. +- knock integration via https://github.com/juasiepo/knockd +- apache: + - try libapache2-modsecurity. + - deploy https://git.immerda.ch/csp-report/ + - disable other_vhosts_access.log. +- onion: + - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot + - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html +- nagios: snmp, nrpe, nsca + - http://nagios.sourceforge.net/docs/3_0/addons.html + - http://www.math.wisc.edu/~jheim/snmp/ +- ssh access restrictions: + - denyhosts, but we don't want to log IPs. + - using shorewall: http://www.debian-administration.org/articles/250#comment_16 + - alowed users / groups. +- websites: freewvs. +- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963 +- mail: + - review dovecot recipient delimiter handling: to which mailbox messages should be sent? + - mlmmj: + - lists with hyphens are not working when mails are sent directly, but work when sent to an alias. + - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`. +- drupal/wordpress: + - cronjob/cli: switch to site user. + - drupal_update: Do you really want to continue with the update process? (y/n): + Do you really want to continue with the update process? (y/n): Aborting. [cancel], + possibly related to https://www.drupal.org/node/443392 +- php / wordpress / wp-cli: composer installation and dependencies: + - http://getcomposer.org/doc/00-intro.md#installation-nix + - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods + - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`. 
+- nodo: support for prosody: + - https://github.com/dgoulet/prosody-otr + - http://prosody.im/doc/creating_accounts#importing_from_ejabberd + - config with good score at https://xmpp.net/index.php +- mail: + - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). + - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails. + sent as `root@localhost`. + - deploy https://git.autistici.org/ale/smtp-fp/tree/master + https://github.com/EFForg/starttls-everywhere + - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP + https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616 + - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.). diff --git a/Vagrantfile b/Vagrantfile index 8999cf0..3ee05e6 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,9 +1,12 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : +# Vagrantfile API/syntax version. Don't touch unless you know what you're doing! +VAGRANTFILE_API_VERSION = "2" -Vagrant::Config.run do |config| +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # Every Vagrant virtual environment requires a box to build off of. - config.vm.box = "wheezy" + config.vm.box = "jessie" + + # Hostname + config.vm.hostname = "puppet-bootstrap.example.org" # Shell provisioner to setup basic environment. config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision" 
@@ -13,49 +16,14 @@ Vagrant::Config.run do |config|
     puppet.manifest_file = "bootstrap/vagrant.pp"
     puppet.manifests_path = "puppet/manifests"
     puppet.module_path = "puppet/modules"
+    puppet.hiera_config_path = "puppet/hiera.yaml"
     puppet.temp_dir = "/etc/puppet"
     puppet.working_directory = "/etc/puppet"
   end
 
-  # Define a Host VM
-  config.vm.define :host do |host_config|
-    db_config.vm.box = "host"
-    web_config.vm.network :hostonly, "192.168.50.101"
-  end
-
-  # Define a Puppetmaster VM
-  config.vm.define :master do |master_config|
-    master_config.vm.box = "master"
-    master_config.vm.forward_port 8139, 8140
-    web_config.vm.network :hostonly, "192.168.50.102"
-  end
-
-  # Define a Proxy VM
-  config.vm.define :proxy do |proxy_config|
-    proxy_config.vm.box = "proxy"
-    proxy_config.vm.forward_port 8139, 8140
-    web_config.vm.network :hostonly, "192.168.50.103"
-  end
-
-  # Define a Web VM
-  config.vm.define :web do |web_config|
-    web_config.vm.box = "web"
-    web_config.vm.forward_port 80, 8080
-    web_config.vm.network :hostonly, "192.168.50.104"
-  end
-
-  # Define a Storage VM
-  config.vm.define :storage do |storage_config|
-    storage_config.vm.box = "storage"
-    storage_config.vm.network :hostonly, "192.168.50.105"
-  end
-
-  # Define a Test VM
-  config.vm.define :test do |test_config|
-    test_config.vm.box = "test"
-    web_config.vm.network :hostonly, "192.168.50.106"
-  end
-
   # Share hiera configuration.
-  config.vm.share_folder "hiera", "/etc/puppet/hiera", "puppet/hiera", create: true
+  config.vm.synced_folder "puppet/hiera", "/etc/puppet/hiera"
+
+  # Forwarded ports
+  #config.vm.network "forwarded_port", guest: 80, host: 8081
 end
diff --git a/bin/dependencies b/bin/dependencies
index 78ca659..507145b 100755
--- a/bin/dependencies
+++ b/bin/dependencies
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Simple shell provisioner for Vagrant instances.
+# Puppet bootstrap dependencies.
 #
 # Install a package, thanks to the Hydra Suite.
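Review bot: `puppet.hiera_config_path = "puppet/hiera.yaml"` appears to name a file this tree does not carry: the diffstat lists `hiera/hiera.yaml`, the new `synced_folder` line shares `puppet/hiera`, and bin/provision links `$DIRNAME/../hiera/hiera.yaml`, so the path relative to the project root would presumably be `puppet/hiera/hiera.yaml`; please verify, since as far as I recall Vagrant validates that `hiera_config_path` exists before the puppet provisioner runs. If the symlink that bin/provision creates under /etc/puppet is what is actually relied on, a comment next to the line such as `# hiera.yaml is also symlinked into /etc/puppet by bin/provision` would make that explicit. The enclosing `config.vm.provision :puppet do |puppet|` block starts before this hunk.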
@@ -13,16 +13,16 @@ function provision_package {
   if [ "$?" == "1" ]; then
     echo "Installing package $1..."
-    DEBIAN_FRONTEND=noninteractive $sudo apt-get install $1 -y
+    DEBIAN_FRONTEND=noninteractive $SUDO apt-get install $1 -y
   fi
 }
 
 # Set sudo config
 if [ "`whoami`" != 'root' ]; then
-  sudo="sudo"
+  SUDO="sudo"
 fi
 
 # Ensure basic packages are installed.
-for package in puppet ruby-hiera-puppet mr whois; do
+for package in puppet git mr whois; do
   provision_package $package
 done
diff --git a/bin/deploy b/bin/deploy
new file mode 100755
index 0000000..5d3361b
--- /dev/null
+++ b/bin/deploy
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Deploy configuration using puppet.
+#
+
+# Parameters
+DIRNAME="`dirname $0`"
+BASEDIR="$DIRNAME/.."
+DEPLOY_DEPENDENCIES="puppet ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders"
+
+# Determine hostname
+if [ ! -z "$1" ]; then
+  FQDN="$1"
+else
+  FQDN="`cat /etc/hostname`"
+fi
+
+# Check for manifest
+PUPPET_MANIFEST="$BASEDIR/puppet/manifests/nodes/$FQDN.pp"
+if [ ! -e "$PUPPET_MANIFEST" ]; then
+  echo "file not found: $PUPPET_MANIFEST"
+  exit 1
+fi
+
+# Install dependencies
+source $DIRNAME/dependencies
+
+# Ensure additional dependencies are installed.
+for package in $DEPLOY_DEPENDENCIES; do
+  provision_package $package
+done
+
+# Parameters that needs dependencies installed
+DIST="`facter lsbdistcodename`"
+
+# Apply patches
+if [ -d "$BASEDIR/puppet/files/patches/$DIST" ]; then
+  (
+    # Patches should be generated relativelly to the root folder
+    cd /
+
+    # Only apply if needed
+    # Thanks https://unix.stackexchange.com/questions/55780/check-if-a-file-or-folder-has-been-patched-already
+    for patch in `ls $BASEDIR/puppet/files/patches/$DIST`; do
+      patch -p0 -N --dry-run --silent < $BASEDIR/puppet/files/patches/$DIST/$patch &> /dev/null
+      # If the patch has not been applied then the $? which is the exit status
+      # for last command would have a success status code = 0
+      if [ "$?" == "0" ]; then
+        # Apply the patch
+        patch -p0 -N < $BASEDIR/puppet/files/patches/$DIST/$patch
+      fi
+    done
+  )
+fi
+
+# Run puppet apply
+PUPPET_OPTS="--confdir=$BASEDIR/puppet --modulepath=$BASEDIR/puppet/modules"
+LC_ALL=C $SUDO puppet apply $PUPPET_OPTS $PUPPET_MANIFEST
diff --git a/bin/mrconfig b/bin/mrconfig
index f525db3..dc753ac 100755
--- a/bin/mrconfig
+++ b/bin/mrconfig
@@ -1,10 +1,10 @@
 #!/bin/bash
 #
 # Build a mrconfig for the needed modules.
-# 
+#
 
 # Parameters
-GIT="git.sarava.org"
+GIT="git.fluxo.info"
 URL="https://$GIT/?a=project_index"
 CWD="`pwd`"
 WORK="`dirname $0`/.."
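Review bot: `BASEDIR="$DIRNAME/.."` stays relative whenever the script is started by a relative path (`bin/deploy`, `./deploy`), and the patch loop runs in a subshell after `cd /`, so `ls $BASEDIR/puppet/files/patches/$DIST` is then resolved against the root directory and the loop applies nothing beyond an `ls` error, even though the `-d` check just before the subshell passed against the real directory. Resolving the script directory once at the top, `DIRNAME="$(cd "$(dirname "$0")" && pwd)"`, makes `BASEDIR`, the `source $DIRNAME/dependencies` line and `PUPPET_OPTS` all absolute. Two smaller points in the same hunk: `FQDN` is taken from `$1` or `/etc/hostname` and interpolated into `PUPPET_MANIFEST` unchecked, so a value containing `/` or `..` selects a file outside `manifests/nodes/` — a guard such as `case "$FQDN" in ""|*/*|.*) echo "invalid node name: $FQDN"; exit 1;; esac` keeps it to a plain node name; and `patch -p0` is run without `$SUDO` while `puppet apply` uses it, so an unprivileged run fails to patch files under `/` yet still proceeds to the apply.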
@@ -18,8 +18,8 @@ touch .mrconfig curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do folder="`echo $module | sed -e 's/^puppet-//'`" folder="`basename $folder .git`" - - if [ "$module" != "$bootstrap" ]; then + + if [ "$folder" != "bootstrap" ]; then echo "Processing $folder..." mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder" fi diff --git a/bin/post-receive b/bin/post-receive new file mode 100755 index 0000000..996189d --- /dev/null +++ b/bin/post-receive @@ -0,0 +1,7 @@ +#!/bin/sh + +cd .. +unset GIT_DIR + +git checkout -f +git submodule update --init --recursive diff --git a/bin/post-update b/bin/post-update new file mode 100755 index 0000000..48a6a16 --- /dev/null +++ b/bin/post-update @@ -0,0 +1,16 @@ +#!/bin/sh + +cd .. +unset GIT_DIR + +if [ -d ".git/annex" ]; then + git annex sync +else + git reset HEAD + git checkout -f +fi + +git submodule update --init --recursive + +cd - +exec git update-server-info diff --git a/bin/provision b/bin/provision index e200e51..16f102f 100755 --- a/bin/provision +++ b/bin/provision 
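Review bot: The new `post-receive` hook has no `set -e`, so when `git checkout -f` fails the hook still runs `git submodule update --init --recursive` and the push is reported as successful to the client; add `set -e` directly after `#!/bin/sh`. It is also worth a one-line comment that `--init --recursive` clones whatever URLs the pushed `.gitmodules` lists, since that is the point at which a push to this repository turns into fetches from other hosts. `post-update` shares both issues and additionally writes the directory name to the hook output through `cd -`; `cd - >/dev/null` keeps that quiet.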
@@ -3,25 +3,33 @@ # Simple shell provisioner for Vagrant instances. # -# Ensure the system is updated. -sudo apt-get update && DEBIAN_FRONTEND=noninteractive sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y && sudo apt-get clean +# Parameters +DIRNAME="`dirname $0`" + +# Load dependencies +source $DIRNAME/dependencies -# Install dependencies -source /vagrant/puppet/bin/dependencies +# Ensure the system is updated. +$SUDO apt-get update && DEBIAN_FRONTEND=noninteractive $SUDO apt-get dist-upgrade -y && $SUDO apt-get autoremove -y && $SUDO apt-get clean # Ensure additional dependencies are installed. -for package in sqlite3 libsqlite3-ruby libactiverecord-ruby ruby-sqlite3 usbutils; do +for package in usbutils; do + provision_package $package +done + +# Storeconfigs support +for package in ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders; do provision_package $package done -# Link hiera configuration. +# Link hiera configuration if needed. if [ ! -h "/etc/puppet/hiera.yaml" ]; then - sudo rm -f /etc/puppet/hiera.yaml - sudo ln -s /vagrant/puppet/hiera/hiera.yaml /etc/puppet/hiera.yaml + $SUDO rm -f /etc/puppet/hiera.yaml + $SUDO ln -s $DIRNAME/../hiera/hiera.yaml /etc/puppet/hiera.yaml fi -# Link puppet configuration. +# Link puppet configuration if needed. if [ ! -h "/etc/puppet/puppet.conf" ]; then - sudo rm -f /etc/puppet/puppet.conf - sudo ln -s /vagrant/puppet/puppet.conf /etc/puppet/puppet.conf + $SUDO rm -f /etc/puppet/puppet.conf + $SUDO ln -s $DIRNAME/../puppet.conf /etc/puppet/puppet.conf fi diff --git a/bin/submodules b/bin/submodules index f79b635..3abc46d 100755 --- a/bin/submodules +++ b/bin/submodules 
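Review bot: The new symlink targets `$DIRNAME/../hiera/hiera.yaml` and `$DIRNAME/../puppet.conf` are relative whenever the script is invoked by a relative path, because ``DIRNAME="`dirname $0`"`` is not normalised; a relative `ln -s` target is resolved against `/etc/puppet`, so the link dangles while the `[ ! -h ... ]` guard keeps reporting it as present on later runs. The absolute `/vagrant/puppet/...` targets that this hunk removes did not have that problem. Resolve the directory once, `DIRNAME="$(cd "$(dirname "$0")" && pwd)"`, so both links carry absolute targets.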
@@ -20,7 +20,7 @@ for repo in $repos; do module="`basename $repo .git | sed -e s/^puppet-//`" if [ ! -d "modules/$module" ]; then echo "Processing puppet module $module..." - git submodule add $repo modules/$module + git submodule add -f $repo modules/$module elif [ -e "modules/$module/.git" ]; then # The puppet module exists and is a git submodule, so update it ( cd module/$module && git pull origin master ) diff --git a/files/patches/trusty/puppet-stack-level.md b/files/patches/trusty/puppet-stack-level.md new file mode 100644 index 0000000..9a3f4d7 --- /dev/null +++ b/files/patches/trusty/puppet-stack-level.md @@ -0,0 +1,3 @@ +# Puppet stack level patch + +* [Puppet master fails with 'stack level too deep' error when storeconfigs = true](https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1313595). diff --git a/files/patches/trusty/puppet-stack-level.patch b/files/patches/trusty/puppet-stack-level.patch new file mode 100644 index 0000000..1d112f7 --- /dev/null +++ b/files/patches/trusty/puppet-stack-level.patch @@ -0,0 +1,15 @@ +--- /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb.orig 2015-10-19 17:19:13.500193213 -0200 ++++ /usr/lib/ruby/vendor_ruby/puppet/rails/resource.rb 2015-10-19 17:19:58.972194943 -0200 +@@ -84,7 +84,11 @@ + end + + def [](param) +- super || parameter(param) ++ if param == 'id' ++ super ++ else ++ super || parameter(param) ++ end + end + + # Make sure this resource is equivalent to the provided Parser resource. diff --git a/hiera/common.yaml b/hiera/common.yaml index d7e35a1..8a04a26 100644 --- a/hiera/common.yaml +++ b/hiera/common.yaml @@ -48,3 +48,8 @@ ntp::servers: nodo::subsystem::resolver::nameservers: - '208.67.222.222' - '208.67.220.220' + +# +# Puppet config +# +nodo::base::puppet_mode: 'apply' diff --git a/hiera/hiera.yaml b/hiera/hiera.yaml index 33acc9e..a8ae792 100644 --- a/hiera/hiera.yaml +++ b/hiera/hiera.yaml 
@@ -8,14 +8,26 @@ # reconsidered in the future. # # See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html - :datadir: hiera + :datadir: '%{settings::confdir}/hiera' :hierarchy: - - '%{::environment}/domain/%{::domain}/node/%{::clientcert}' - - '%{::environment}/domain/%{::domain}/role/%{::role}' - - '%{::environment}/domain/%{::domain}/location/%{::location}' - - '%{::environment}/domain/%{::domain}/%{::domain}' - - '%{::environment}/location/%{::location}' - - '%{::environment}/virtual/%{::virtual}' - - '%{::environment}/role/%{::role}' + # + # Put in the secrets folder all sensitive information that + # wont be spread into every system if you're using the Hydra Suite. + # + # We also recommend to leave only encrypted data in your hiera config. + # + - 'secrets/node/%{::clientcert}' + - 'secrets/role/%{::nodo::role}' + - 'secrets/location/%{::nodo::location}' + - 'secrets/domain/%{::domain}' + + # + # All other stuff goes in regular YAML files. + # + - 'node/%{::clientcert}' + - 'role/%{::nodo::role}' + - 'virtual/%{::virtual}' + - 'location/%{::nodo::location}' + - 'domain/%{::domain}' - bootstrap - common diff --git a/hiera/node/puppet-bootstrap.example.org.yaml b/hiera/node/puppet-bootstrap.example.org.yaml new file mode 100644 index 0000000..c108e7d --- /dev/null +++ b/hiera/node/puppet-bootstrap.example.org.yaml @@ -0,0 +1,14 @@ +--- +# +# MySQL +# +# The following password is public information and therefore +# shall not be user on production. +mysql::server::rootpw: '9pRfteNbSFFyrHhackme' + +# +# Backup +# +nodo::subsystem::backup::localhost: false +nodo::subsystem::backup::encryptkey: 'none' +nodo::subsystem::backup::password: 'hacked' diff --git a/manifests/bootstrap/configurator.pp b/manifests/bootstrap/configurator.pp index d93a0ce..edcbe92 100644 --- a/manifests/bootstrap/configurator.pp +++ b/manifests/bootstrap/configurator.pp 
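Review bot: The new `secrets/` levels are ordinary YAML paths under the same `datadir` as `node/` and `role/`, and the hunk's own comment only recommends keeping encrypted data there; nothing in this hunk configures an encrypting backend (`:backends:` is above it), so the layout separates secrets without protecting them any differently. A comment stating that, e.g. `# NOTE: this only separates secrets; it does not encrypt them unless an encrypting backend is configured in :backends:`, would keep readers from assuming otherwise. The `%{::nodo::role}` and `%{::nodo::location}` interpolations presumably require class `nodo` to have been evaluated before the lookup; if they are looked up while `nodo`'s own parameters are still being resolved they would be empty and those levels silently skipped, which deserves a comment on the intended evaluation order.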
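Review bot: The comment in the new `puppet-bootstrap.example.org.yaml` marks the MySQL root password as public but reads `shall not be user on production`; it should be `used`. The same caveat applies to `nodo::subsystem::backup::password: 'hacked'` and `encryptkey: 'none'` below it, which the comment does not cover, so moving the comment to the top of the file (`# All credentials in this file are public placeholders and must not be used in production`) makes the scope clear.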
@@ -74,7 +74,7 @@ file { "$bootstrap_path/auth.conf": # # Basic users # -file { "$bootstrap_path/manifests/classes/users.pp": +file { "$bootstrap_path/modules/site_users/manifests/init.pp": ensure => present, mode => 0644, content => template("$templates/puppet/users.pp.erb"), diff --git a/manifests/bootstrap/host.pp b/manifests/bootstrap/host.pp index c1aead8..5f9c23a 100644 --- a/manifests/bootstrap/host.pp +++ b/manifests/bootstrap/host.pp @@ -4,11 +4,10 @@ # virtual machine. # -# Import site configuration -import "../site.pp" - # The server role -include nodo::role::server +class { 'nodo: + role => 'server', +} # Creates vserver for administrative node nodo::vserver::instance { "$hostname-master": diff --git a/manifests/bootstrap/master.pp b/manifests/bootstrap/master.pp index 51167f3..5934d3e 100644 --- a/manifests/bootstrap/master.pp +++ b/manifests/bootstrap/master.pp @@ -5,8 +5,7 @@ # Once it's running it can setup all the other nodes. # -# Import site configuration -import "../site.pp" - # Include the master node configuration -include nodo::role::master +class { 'nodo': + role => 'master', +} diff --git a/manifests/bootstrap/vagrant.pp b/manifests/bootstrap/vagrant.pp index 9206db6..47305dc 100644 --- a/manifests/bootstrap/vagrant.pp +++ b/manifests/bootstrap/vagrant.pp 
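Review bot: The new resource declaration in `manifests/bootstrap/host.pp` opens the class name with a quote that is never closed, `class { 'nodo:`, so this manifest fails to parse. `master.pp` in the same commit has the correct form, `class { 'nodo':`, which is what host.pp should use as well.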
@@ -3,47 +3,36 @@ # virtual machine. # -# Import site configuration -import "../site.pp" - -# -# Stage definitions -# - -stage { 'first': - before => Stage['main'], -} - -stage { 'last': } -Stage['main'] -> Stage['last'] - # # Class definitions # # Vagrant classes -include nodo::role::vagrant - -class vagrant_config { - # Symlink to the mounted module folder - file { '/etc/puppet/modules': - ensure => '/etc/puppet/modules-0', - force => true, - } - - # Ensure a custom hiera configuration - file { '/etc/puppet/hiera.yaml': - owner => root, - group => root, - mode => 0644, - force => true, - ensure => '/etc/puppet/hiera/hiera.yaml', - } +class { 'nodo': + role => 'vagrant', } # -# Class instantiations -# -class { 'vagrant_config': - stage => first, -} +# LAMP example +# +#include database +# +#class { 'apache': +# default_folder => '/vagrant', +# default_user => 'vagrant', +# default_group => 'vagrant', +#} +# +# If you want to manage another website +#apache::site { "myapp": +# docroot => "/vagrant/", +# server_alias => 'myapp vagrant localhost', +# use => [ "Site myapp" ], +# tag => 'all', +# owner => vagrant, +# group => vagrant, +# mpm_user => vagrant, +# mpm_group => vagrant, +# password => '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD', +# shell => '/bin/bash', +#} diff --git a/manifests/classes/websites.pp b/manifests/classes/websites.pp deleted file mode 100644 index 35f27c6..0000000 --- a/manifests/classes/websites.pp +++ /dev/null 
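Review bot: The commented LAMP example in `vagrant.pp` embeds a concrete SHA-crypt value in `password => '$5$NZfZ...'`; even inside a comment, anyone who uncomments the block by copy-paste ends up with a hash whose plaintext is shared with whoever wrote the example. An obviously placeholder value, `password => 'REPLACE_WITH_HASH', # generate with mkpasswd -m sha-256`, avoids that. `modules/site_users/manifests/admin.pp` later in this diff has the same pattern with two hashes and a `sshkey => [ "WRONG" ]` placeholder.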
@@ -1,42 +0,0 @@
-class websites::admin inherits websites::hosting::admin {
- # An administrative Trac instance
- #apache::site { "admin":
- # docroot => "${apache::sites_folder}/admin/trac/htdocs",
- # use => [ "Trac admin" ],
- # redirect_match => "trac",
- # mpm => false,
- # tag => 'all',
- #}
-
- apache::site { "munin":
- docroot => '/var/www/munin',
- owner => "munin",
- group => "munin",
- mpm => false,
- tag => 'all',
- }
-
- apache::site { "nagios":
- source => true,
- docroot => '/usr/share/nagios3/htdocs',
- mpm => false,
- tag => 'all',
- }
-}
-
-class websites inherits websites::hosting {
- # Website definitions: always use tagged resources
-
- #apache::site { "site":
- # source => true,
- # ticket => '001',
- # docroot => '/var/www/site',
- # tag => 'all',
- #}
-
- #database::instance { "site":
- # password => 'xxx',
- # tag => 'all',
- #}
-
-}
diff --git a/manifests/modules.pp b/manifests/modules.pp
deleted file mode 100644
index 3df3fe3..0000000
--- a/manifests/modules.pp
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Module definitions.
-#
-
-# Nodo automatically import all modules we need.
-import "nodo"
diff --git a/manifests/nodes.pp b/manifests/nodes.pp
deleted file mode 100644
index b90f04e..0000000
--- a/manifests/nodes.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Node definitions.
-#
-
-#import "nodes/example.pp"
diff --git a/manifests/nodes/default.pp b/manifests/nodes/default.pp
new file mode 100644
index 0000000..5ebbf90
--- /dev/null
+++ b/manifests/nodes/default.pp
@@ -0,0 +1,3 @@
+node default {
+ include nodo
+}
diff --git a/manifests/site.pp b/manifests/site.pp
deleted file mode 100644
index 6f3e5aa..0000000
--- a/manifests/site.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Puppet site configuration.
-#
-
-import "classes/users.pp"
-import "classes/websites.pp"
-import "modules.pp"
-import "nodes.pp"
diff --git a/modules/site_apt/files/keys.d/.empty b/modules/site_apt/files/keys.d/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/modules/site_bind/manifests/init.pp b/modules/site_bind/manifests/init.pp
new file mode 100644
index 0000000..7ee08d2
--- /dev/null
+++ b/modules/site_bind/manifests/init.pp
@@ -0,0 +1,16 @@
+class site_bind {
+ #
+ # See http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
+ # http://www.debian-administration.org/articles/355
+
+ # This is needed so we can comment out the inclusion of
+ # /etc/bind/named.conf.default-zones
+ #file { '/etc/bind/named.conf':
+ # ensure => present,
+ # owner => root,
+ # group => root,
+ # mode => 0644,
+ # source => 'puppet:///modules/site_bind/named.conf',
+ # notify => Service['bind9'],
+ #}
+}
diff --git a/modules/site_mail/files/aliases b/modules/site_mail/files/aliases
new file mode 100644
index 0000000..08a0723
--- /dev/null
+++ b/modules/site_mail/files/aliases
@@ -0,0 +1,14 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+reprepro: root
diff --git a/modules/site_users/manifests/admin.pp b/modules/site_users/manifests/admin.pp
new file mode 100644
index 0000000..14ad9da
--- /dev/null
+++ b/modules/site_users/manifests/admin.pp
@@ -0,0 +1,16 @@
+class site_users::admin inherits user {
+ # root user and password
+ #user::manage { "root":
+ # tag => "admin",
+ # homedir => '/root',
+ # password => '$5$zpdXgIaLKMDckKx9$qTS9WbmS/zylFwPu1orq.779CNnAiA9VoGdFNU94jz/',
+ #}
+
+ # first user config
+ #user::manage { "user":
+ # tag => "admin",
+ # groups => [ "sudo", ],
+ # password => '$5$D8kCEIo5/MNCA7Tz$VhGg2MNDs21JzX9HgxSWMupA5GD5MXnKwDuveMSdPH7',
+ # sshkey => [ "WRONG" ],
+ #}
+}
diff --git a/modules/site_users/manifests/backups.pp b/modules/site_users/manifests/backups.pp
new file mode 100755
index 0000000..aab00f9
--- /dev/null
+++ b/modules/site_users/manifests/backups.pp
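Review bot: Every role alias in the new `aliases` file collapses onto `root`, but `root` itself has no entry, so mail for `abuse`, `security`, `postmaster` and the rest stays in the local root mailbox unless the host forwards root's mail by some means not shown in this diff. Either add the forwarding entry the site expects or state the assumption at the top of the file, e.g. `# root: is set per host; every role address below is delivered to it`.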
@@ -0,0 +1,3 @@
+class site_users::backup inherits user {
+ # define third-party hosted backup users here
+}
diff --git a/modules/site_users/manifests/init.pp b/modules/site_users/manifests/init.pp
new file mode 100644
index 0000000..b3c656a
--- /dev/null
+++ b/modules/site_users/manifests/init.pp
@@ -0,0 +1,2 @@
+class site_users {
+}
diff --git a/modules/site_users/manifests/virtual.pp b/modules/site_users/manifests/virtual.pp
new file mode 100644
index 0000000..20aba01
--- /dev/null
+++ b/modules/site_users/manifests/virtual.pp
@@ -0,0 +1,3 @@
+class site_users::virtual inherits user {
+ # define custom users here
+}
diff --git a/modules/site_websites/manifests/admin.pp b/modules/site_websites/manifests/admin.pp
new file mode 100644
index 0000000..0be3a94
--- /dev/null
+++ b/modules/site_websites/manifests/admin.pp
@@ -0,0 +1,25 @@
+class site_websites::admin inherits websites::hosting::admin {
+ # An administrative Trac instance
+ #apache::site { "admin":
+ # docroot => "${apache::sites_folder}/admin/trac/htdocs",
+ # use => [ "Trac admin" ],
+ # redirect_match => "trac",
+ # mpm => false,
+ # tag => 'all',
+ #}
+
+ apache::site { "munin":
+ docroot => '/var/www/munin',
+ owner => "munin",
+ group => "munin",
+ mpm => false,
+ tag => 'all',
+ }
+
+ apache::site { "nagios":
+ source => true,
+ docroot => '/usr/share/nagios3/htdocs',
+ mpm => false,
+ tag => 'all',
+ }
+}
diff --git a/modules/site_websites/manifests/init.pp b/modules/site_websites/manifests/init.pp
new file mode 100644
index 0000000..c98ca7d
--- /dev/null
+++ b/modules/site_websites/manifests/init.pp
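Review bot: `class site_users::backup` is declared in `modules/site_users/manifests/backups.pp`, but Puppet's autoloader maps `site_users::backup` to `manifests/backup.pp`, so an `include site_users::backup` would not find this class. Rename either the file to `backup.pp` or the class to `site_users::backups`; `virtual.pp` ↔ `site_users::virtual` in the same hunk shows the matching convention.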
@@ -0,0 +1,21 @@ +class site_websites inherits websites::hosting { + # Website definitions: always use tagged resources + apache::site { "git": + source => true, + docroot => '/var/git/repositories', + mpm => false, + tag => 'all', + } + + #apache::site { "site": + # source => true, + # ticket => '001', + # docroot => '/var/www/site', + # tag => 'all', + #} + + #database::instance { "site": + # password => 'xxx', + # tag => 'all', + #} +} diff --git a/puppet.conf b/puppet.conf new file mode 100644 index 0000000..ea5ed0e --- /dev/null +++ b/puppet.conf @@ -0,0 +1,4 @@ +[main] + thin_storeconfigs = true + storeconfigs = true + dbadapter = sqlite3 diff --git a/templates/apache/vhosts/cgit.erb b/templates/apache/vhosts/cgit.erb new file mode 100644 index 0000000..d2d393d --- /dev/null +++ b/templates/apache/vhosts/cgit.erb @@ -0,0 +1,30 @@ +# begin vhost for cgit + + ServerName git.<%= domain %> + ServerAlias gitweb.<%= domain %> + + ServerSignature Off + + Alias /cgit.css /var/www/htdocs/cgit/cgit.css + Alias /cgit.png /var/www/htdocs/cgit/cgit.png + + ScriptAlias /cgi-bin/ /var/www/htdocs/cgit/ + + DocumentRoot /var/git/repositories + + AllowOverride None + Options +ExecCGI + Order allow,deny + Allow from all + + DirectoryIndex /cgi-bin/cgit.cgi + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^.*$ /cgi-bin/cgit.cgi/$0 [L,PT] + + + ErrorLog /var/log/apache2/cgit.openezx.org/error.log + CustomLog /var/log/apache2/cgit.openezx.org/access.log common + +# end vhost for git diff --git a/templates/apache/vhosts/git.erb b/templates/apache/vhosts/git.erb index 25aecd1..89173ac 100644 --- a/templates/apache/vhosts/git.erb +++ b/templates/apache/vhosts/git.erb @@ -3,6 +3,7 @@ # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian ServerName git.<%= domain %> + ServerAlias gitweb.<%= domain %> SetEnv GITWEB_CONFIG /etc/gitweb.conf HeaderName HEADER DocumentRoot /var/git/repositories 
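Review bot: In the new `cgit.erb`, `RewriteCond %{REQUEST_FILENAME} !-f` sends only non-existent paths to `cgit.cgi`, so any real file under `DocumentRoot /var/git/repositories` (bare-repository `config`, `hooks/`, packed objects) is served as a plain static download next to the CGI, and `Allow from all` opens that to everyone; route every request through cgit by dropping the `!-f` condition, or deny direct access to the repository tree and keep the document root elsewhere. The `ErrorLog` and `CustomLog` paths hard-code `cgit.openezx.org` while `ServerName` is templated from `<%= domain %>`, so logs land in a directory named for another site; `/var/log/apache2/git.<%= domain %>/error.log` matches the vhost. The `<VirtualHost>` and `<Directory>` container lines appear to have been stripped in this rendering, so the block boundaries could not be checked here.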
diff --git a/templates/etc/nginx/domain.erb b/templates/etc/nginx/domain.erb index 4e9fa7d..8beff14 100644 --- a/templates/etc/nginx/domain.erb +++ b/templates/etc/nginx/domain.erb @@ -111,6 +111,7 @@ server { ssl_protocols SSLv3 TLSv1; ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH; ssl_prefer_server_ciphers on; + ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem; # Set the max size for file uploads client_max_body_size 100M; diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb index 55a2706..3b7c857 100644 --- a/templates/puppet/users.pp.erb +++ b/templates/puppet/users.pp.erb @@ -7,14 +7,6 @@ class users::backup inherits user { } class users::admin inherits user { - - # Reprepro group needed for web nodes - #if !defined(Group["reprepro"]) { - # group { "reprepro": - # ensure => present, - # } - #} - # root user and password user::manage { "root": tag => "admin", -- cgit v1.2.3
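Review bot: The added `ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;` refers to a file nothing in this diff creates, and nginx refuses to load a configuration whose `ssl_dhparam` file is missing, so every host rendering this template needs the resource that generates the parameters to run first; either pair the template with that resource or document the precondition above the line, e.g. `# requires dhparams_2048.pem to be generated before nginx is (re)started`. While this block is being touched, the surrounding `ssl_protocols SSLv3 TLSv1;` remains on the new side and is worth revisiting in a follow-up, since SSLv3 is deprecated.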