aboutsummaryrefslogtreecommitdiff
path: root/templates/puppet
diff options
context:
space:
mode:
authordrebs <drebs@riseup.net>2011-03-11 14:53:39 -0300
committerdrebs <drebs@riseup.net>2011-03-11 14:53:39 -0300
commit01b2048dbf02ac726dabde5e846b9d6ac9aff0e6 (patch)
tree28f13f07a483a73ffcbfb25e4aba0c40f3d656bb /templates/puppet
downloadpuppet-bootstrap-01b2048dbf02ac726dabde5e846b9d6ac9aff0e6.tar.gz
puppet-bootstrap-01b2048dbf02ac726dabde5e846b9d6ac9aff0e6.tar.bz2
initial recommit
Diffstat (limited to 'templates/puppet')
-rw-r--r--templates/puppet/auth.conf.erb94
-rw-r--r--templates/puppet/fileserver.conf.erb17
-rw-r--r--templates/puppet/master.pp.erb16
-rw-r--r--templates/puppet/modules.pp.erb6
-rw-r--r--templates/puppet/nodes.pp.erb6
-rw-r--r--templates/puppet/proxy.pp.erb59
-rw-r--r--templates/puppet/puppet.conf.erb23
-rw-r--r--templates/puppet/server.pp.erb54
-rw-r--r--templates/puppet/site.pp.erb41
-rw-r--r--templates/puppet/storage.pp.erb19
-rw-r--r--templates/puppet/test.pp.erb19
-rw-r--r--templates/puppet/users.pp.erb39
-rw-r--r--templates/puppet/web.pp.erb19
-rw-r--r--templates/puppet/websites.pp.erb45
14 files changed, 457 insertions, 0 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
new file mode 100644
index 0000000..431e4b2
--- /dev/null
+++ b/templates/puppet/auth.conf.erb
@@ -0,0 +1,94 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACL - those applies only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog (ie their configuration)
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their reports
+path /report
+method save
+allow *
+
+# inconditionnally allow access to all files services
+# which means in practice that fileserver.conf will
+# still be used
+path /file
+allow *
+
+### Unauthenticated ACL, for clients for which the current master doesn't
+### have a valid certificate
+
+# allow access to the master CA
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# this one is not stricly necessary, but it has the merit
+# to show the default policy which is deny everything else
+path /
+auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
new file mode 100644
index 0000000..b8ad720
--- /dev/null
+++ b/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,17 @@
+# top-level
+[files]
+ path /etc/puppet/files
+ allow *.<%= domain %>
+
+[keys]
+ path /etc/puppet/files/keys
+ allow *.<%= domain %>
+
+# modules
+[common]
+ path /etc/puppet/modules/common/files
+ allow *.<%= domain %>
+
+[puppet]
+ path /etc/puppet/modules/puppet/files
+ allow *.<%= domain %>
diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb
new file mode 100644
index 0000000..3f7b4d9
--- /dev/null
+++ b/templates/puppet/master.pp.erb
@@ -0,0 +1,16 @@
+node '<%= hostname %>-master.<%= domain %>' {
+ $main_master = true
+ include nodo::master
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb
new file mode 100644
index 0000000..ee98397
--- /dev/null
+++ b/templates/puppet/modules.pp.erb
@@ -0,0 +1,6 @@
+#
+# These are the modules we use.
+#
+
+# Nodo automatically import all modules we need.
+import "nodo"
diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb
new file mode 100644
index 0000000..2cb58b4
--- /dev/null
+++ b/templates/puppet/nodes.pp.erb
@@ -0,0 +1,6 @@
+import "nodes/<%= hostname %>-server.pp"
+import "nodes/<%= hostname %>-master.pp"
+import "nodes/<%= hostname %>-proxy.pp"
+import "nodes/<%= hostname %>-web.pp"
+import "nodes/<%= hostname %>-storage.pp"
+import "nodes/<%= hostname %>-test.pp"
diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb
new file mode 100644
index 0000000..a108a73
--- /dev/null
+++ b/templates/puppet/proxy.pp.erb
@@ -0,0 +1,59 @@
+node '<%= hostname %>-proxy.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::proxy
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+ # reference to admin vserver
+ host { "<%= hostname %>-master":
+ ensure => present,
+ ip => "192.168.0.2",
+ host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to proxy vserver
+ #host { "<%= hostname %>-proxy":
+ # ensure => present,
+ # ip => "192.168.0.3",
+ # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
+ # notify => Service["nginx"],
+ #}
+
+ # reference to web vserver
+ host { "<%= hostname %>-web":
+ ensure => present,
+ ip => "192.168.0.4",
+ host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to storage vserver
+ host { "<%= hostname %>-storage":
+ ensure => present,
+ ip => "192.168.0.5",
+ host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to test vserver
+ host { "<%= hostname %>-test":
+ ensure => present,
+ ip => "192.168.0.6",
+ host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
+ notify => Service["nginx"],
+ }
+
+}
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..ae642de
--- /dev/null
+++ b/templates/puppet/puppet.conf.erb
@@ -0,0 +1,23 @@
+[main]
+logdir = /var/log/puppet
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+autosign = false
+#storeconfigs = true
+#dbadapter = mysql
+#dbserver = localhost
+#dbuser = puppet
+#dbpassword =
+#dbconnections = 15
+
+[agent]
+server = puppet.<%= domain%>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 1800
+puppetport = 8139
diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb
new file mode 100644
index 0000000..ca0ab50
--- /dev/null
+++ b/templates/puppet/server.pp.erb
@@ -0,0 +1,54 @@
+node '<%= hostname %>.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+ $shorewall_dmz = true
+ $resolvconf_nameservers = $opendns_nameservers
+ $has_ups = false
+ include nodo::server
+
+ host { "puppet":
+ ensure => present,
+ ip => "127.0.0.1",
+ host_aliases => [ "puppet.<%= domain %>" ],
+ }
+
+ #
+ # Linux-VServers
+ #
+ #nodo::vserver::instance { "<%= hostname %>-master":
+ # context => '2',
+ # puppetmaster => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-proxy":
+ # context => '3',
+ # proxy => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-web":
+ # context => '4',
+ # gitd => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-storage":
+ # context => '5',
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-test":
+ # context => '6',
+ # memory_limit => 500,
+ #}
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10105",
+ #}
+
+}
diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb
new file mode 100644
index 0000000..273f2c7
--- /dev/null
+++ b/templates/puppet/site.pp.erb
@@ -0,0 +1,41 @@
+#
+# Puppet site configuration.
+#
+import "classes/users.pp"
+import "classes/websites.pp"
+import "modules.pp"
+import "nodes.pp"
+
+# Default execution path
+Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" }
+
+# Fileserver backup
+filebucket { server: server => "admin.<%= domain %>" }
+File { backup => server }
+
+# General configuration
+$network_name = '<%= domain %> cloud'
+
+# MySQL password
+$mysql_rootpw = '<%= mysql_rootpw %>'
+
+# Puppetmaster db password
+$puppetmaster_db_password = '<%= puppetmaster_db_password %>'
+
+# OpenDNS nameservers in case we need on DNS outages
+$opendns_nameservers = '208.67.222.222:208.67.220.220'
+
+# Munin
+$global_munin_allow = '192.168.0.[0-9]*'
+
+# We want puppet to manage it's certificates
+$puppetmaster_manage_ca = false
+
+# Reprepro
+#$reprepro_uploaders = [ '' ]
+
+# Mail configuration
+#$root_mail_recipient = 'messages@lists.project'
+#$postfix_mynetworks = '127.0.0.0/8, 192.168.0.0/28'
+#$postfixadmin_database_password = ''
+#$postfixadmin_setup_hash = ''
diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb
new file mode 100644
index 0000000..ab3ddc9
--- /dev/null
+++ b/templates/puppet/storage.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-storage.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::storage
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb
new file mode 100644
index 0000000..0440ee4
--- /dev/null
+++ b/templates/puppet/test.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-test.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::test
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb
new file mode 100644
index 0000000..4ec5604
--- /dev/null
+++ b/templates/puppet/users.pp.erb
@@ -0,0 +1,39 @@
+class users::virtual inherits user {
+ # define custom users here
+}
+
+class users::backup inherits user {
+ # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+ # reprepro group needed for web nodes
+ #if !defined(Group["reprepro"]) {
+ # group { "reprepro":
+ # ensure => present,
+ # }
+ #}
+
+ # fucked up password for root
+ user::manage { "root":
+ tag => "admin",
+ homedir => '/root',
+ password => '$5$9jXNrc7jaVIe.dOz$A0L8MwtKOeZqVPQZVEoYm8lhVwBxPyRsBMHpNRLyF/7',
+ }
+
+ # TODO: temporary cleanup; remove after all nodes have applied it
+ file { '/home/root':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ user::manage { "<%= first_user %>":
+ tag => "admin",
+ groups => [ "sudo", ],
+ password => '<%= first_user_password %>',
+ sshkey => [ "<%= first_user_sshkey %>" ],
+ }
+
+}
diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb
new file mode 100644
index 0000000..098ec9c
--- /dev/null
+++ b/templates/puppet/web.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-web.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::web
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/websites.pp.erb b/templates/puppet/websites.pp.erb
new file mode 100644
index 0000000..75dcd0b
--- /dev/null
+++ b/templates/puppet/websites.pp.erb
@@ -0,0 +1,45 @@
+class websites::admin inherits websites::hosting::admin {
+ #apache::site { "admin":
+ # ticket => '64',
+ # docroot => "${apache_sites_folder}/admin/trac/htdocs",
+ # use => [ "Trac admin" ],
+ # redirect_match => "trac",
+ # mpm => false,
+ #}
+
+ #apache::site { "munin":
+ # ticket => '153',
+ # docroot => '/var/www/munin',
+ # owner => "munin",
+ # group => "munin",
+ # mpm => false,
+ #}
+
+ #apache::site { "nagios":
+ # source => true,
+ # docroot => '/usr/share/nagios3/htdocs',
+ # mpm => false,
+ #}
+}
+
+class websites inherits websites::hosting {
+ # Website definitions
+ #
+ # TODO:
+ #
+ # - Use virtual resources:
+ # - Tags by locations where the site can be hosted.
+ # - Possible integration with cache proxies.
+ #
+
+ #apache::site { "site":
+ # source => true,
+ # ticket => '001',
+ # docroot => '/var/www/site',
+ #}
+
+ #database::instance { "site":
+ # password => 'xxx',
+ #}
+
+}