14 files changed, 457 insertions, 0 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
new file mode 100644
index 0000000..431e4b2
--- /dev/null
+++ b/templates/puppet/auth.conf.erb
@@ -0,0 +1,94 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACL - those applies only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog (ie their configuration)
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their reports
+path /report
+method save
+allow *
+
+# inconditionnally allow access to all files services
+# which means in practice that fileserver.conf will
+# still be used
+path /file
+allow *
+
+### Unauthenticated ACL, for clients for which the current master doesn't
+### have a valid certificate
+
+# allow access to the master CA
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# this one is not stricly necessary, but it has the merit
+# to show the default policy which is deny everything else
+path /
+auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
new file mode 100644
index 0000000..b8ad720
--- /dev/null
+++ b/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,17 @@
+# top-level
+[files]
+  path /etc/puppet/files
+  allow *.<%= domain %>
+
+[keys]
+  path /etc/puppet/files/keys
+  allow *.<%= domain %>
+
+# modules
+[common]
+  path /etc/puppet/modules/common/files
+  allow *.<%= domain %>
+
+[puppet]
+  path /etc/puppet/modules/puppet/files
+  allow *.<%= domain %>
diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb
new file mode 100644
index 0000000..3f7b4d9
--- /dev/null
+++ b/templates/puppet/master.pp.erb
@@ -0,0 +1,16 @@
+node '<%= hostname %>-master.<%= domain %>' {
+  $main_master    = true
+  include nodo::master
+
+  # encrypted local backups
+  #backup::duplicity { "localhost":
+  #  encryptkey => "ABCDEF12",
+  #  password   => 'xxxyyy',
+  #}
+  
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb
new file mode 100644
index 0000000..ee98397
--- /dev/null
+++ b/templates/puppet/modules.pp.erb
@@ -0,0 +1,6 @@
+#
+# These are the modules we use.
+#
+
+# Nodo automatically import all modules we need.
+import "nodo"
diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb
new file mode 100644
index 0000000..2cb58b4
--- /dev/null
+++ b/templates/puppet/nodes.pp.erb
@@ -0,0 +1,6 @@
+import "nodes/<%= hostname %>-server.pp"
+import "nodes/<%= hostname %>-master.pp"
+import "nodes/<%= hostname %>-proxy.pp"
+import "nodes/<%= hostname %>-web.pp"
+import "nodes/<%= hostname %>-storage.pp"
+import "nodes/<%= hostname %>-test.pp"
diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb
new file mode 100644
index 0000000..a108a73
--- /dev/null
+++ b/templates/puppet/proxy.pp.erb
@@ -0,0 +1,59 @@
+node '<%= hostname %>-proxy.<%= domain %>' {
+  #$mail_delivery = 'tunnel'
+  #$mail_hostname = 'mail'
+  #$mail_ssh_port = '2202'
+
+  include nodo::proxy
+
+  # encrypted local backups
+  #backup::duplicity { "localhost":
+  #  encryptkey => "ABCDEF12",
+  #  password   => 'xxxyyy',
+  #}
+  
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+  # reference to admin vserver
+  host { "<%= hostname %>-master":
+    ensure       => present,
+    ip           => "192.168.0.2",
+    host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
+    notify       => Service["nginx"],
+  }
+
+  # reference to proxy vserver
+  #host { "<%= hostname %>-proxy":
+  #  ensure       => present,
+  #  ip           => "192.168.0.3",
+  #  host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
+  #  notify       => Service["nginx"],
+  #}
+
+  # reference to web vserver
+  host { "<%= hostname %>-web":
+    ensure       => present,
+    ip           => "192.168.0.4",
+    host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
+    notify       => Service["nginx"],
+  }
+
+  # reference to storage vserver
+  host { "<%= hostname %>-storage":
+    ensure       => present,
+    ip           => "192.168.0.5",
+    host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
+    notify       => Service["nginx"],
+  }
+
+  # reference to test vserver
+  host { "<%= hostname %>-test":
+    ensure       => present,
+    ip           => "192.168.0.6",
+    host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
+    notify       => Service["nginx"],
+  }
+
+}
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..ae642de
--- /dev/null
+++ b/templates/puppet/puppet.conf.erb
@@ -0,0 +1,23 @@
+[main]
+logdir        = /var/log/puppet
+rundir        = /var/run/puppet
+factpath      = $vardir/lib/facter
+pluginsync    = true
+
+[master]
+vardir        = /var/lib/puppet
+ssldir        = $vardir/ssl
+autosign      = false
+#storeconfigs  = true
+#dbadapter     = mysql
+#dbserver      = localhost
+#dbuser        = puppet
+#dbpassword    = 
+#dbconnections = 15
+
+[agent]
+server        = puppet.<%= domain%>
+vardir        = /var/lib/puppet
+ssldir        = $vardir/ssl
+runinterval   = 1800
+puppetport    = 8139
diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb
new file mode 100644
index 0000000..ca0ab50
--- /dev/null
+++ b/templates/puppet/server.pp.erb
@@ -0,0 +1,54 @@
+node '<%= hostname %>.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+  $shorewall_dmz          = true
+  $resolvconf_nameservers = $opendns_nameservers
+  $has_ups                = false
+  include nodo::server
+
+  host { "puppet":
+    ensure        => present,
+    ip            => "127.0.0.1",
+    host_aliases  => [ "puppet.<%= domain %>" ],
+  }
+
+  #
+  # Linux-VServers
+  #
+  #nodo::vserver::instance { "<%= hostname %>-master":
+  #  context      => '2',
+  #  puppetmaster => true,
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-proxy":
+  #  context => '3',
+  #  proxy   => true,
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-web":
+  #  context => '4',
+  #  gitd    => true,
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-storage":
+  #  context      => '5',
+  #}
+
+  #nodo::vserver::instance { "<%= hostname %>-test":
+  #  context => '6',
+  #  memory_limit => 500,
+  #}
+
+  # encrypted local backups
+  #backup::duplicity { "localhost":
+  #  encryptkey => "ABCDEF12",
+  #  password   => 'xxxyyy',
+  #}
+  
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10105",
+  #}
+
+}
diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb
new file mode 100644
index 0000000..273f2c7
--- /dev/null
+++ b/templates/puppet/site.pp.erb
@@ -0,0 +1,41 @@
+#
+# Puppet site configuration.
+#
+import "classes/users.pp"
+import "classes/websites.pp"
+import "modules.pp"
+import "nodes.pp"
+
+# Default execution path
+Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" }
+
+# Fileserver backup
+filebucket { server: server => "admin.<%= domain %>" }
+File { backup => server }
+
+# General configuration
+$network_name = '<%= domain %> cloud'
+
+# MySQL password
+$mysql_rootpw = '<%= mysql_rootpw %>'
+
+# Puppetmaster db password
+$puppetmaster_db_password = '<%= puppetmaster_db_password %>'
+
+# OpenDNS nameservers in case we need on DNS outages
+$opendns_nameservers = '208.67.222.222:208.67.220.220'
+
+# Munin
+$global_munin_allow = '192.168.0.[0-9]*'
+
+# We want puppet to manage it's certificates
+$puppetmaster_manage_ca = false
+
+# Reprepro
+#$reprepro_uploaders = [ '' ]
+
+# Mail configuration
+#$root_mail_recipient = 'messages@lists.project'
+#$postfix_mynetworks  = '127.0.0.0/8, 192.168.0.0/28'
+#$postfixadmin_database_password = ''
+#$postfixadmin_setup_hash = ''
diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb
new file mode 100644
index 0000000..ab3ddc9
--- /dev/null
+++ b/templates/puppet/storage.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-storage.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+
+  include nodo::storage
+
+  # encrypted local backups
+  #backup::duplicity { "localhost":
+  #  encryptkey => "ABCDEF12",
+  #  password   => 'xxxyyy',
+  #}
+  
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb
new file mode 100644
index 0000000..0440ee4
--- /dev/null
+++ b/templates/puppet/test.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-test.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+
+  include nodo::test
+
+  # encrypted local backups
+  #backup::duplicity { "localhost":
+  #  encryptkey => "ABCDEF12",
+  #  password   => 'xxxyyy',
+  #}
+  
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb
new file mode 100644
index 0000000..4ec5604
--- /dev/null
+++ b/templates/puppet/users.pp.erb
@@ -0,0 +1,39 @@
+class users::virtual inherits user {
+  # define custom users here
+}
+
+class users::backup inherits user {
+  # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+  # reprepro group needed for web nodes
+  #if !defined(Group["reprepro"]) {
+  #  group { "reprepro":
+  #    ensure => present,
+  #  }
+  #}
+
+  # fucked up password for root
+  user::manage { "root":
+    tag      => "admin",
+    homedir  => '/root',
+    password => '$5$9jXNrc7jaVIe.dOz$A0L8MwtKOeZqVPQZVEoYm8lhVwBxPyRsBMHpNRLyF/7',
+  }
+
+  # TODO: temporary cleanup; remove after all nodes have applied it
+  file { '/home/root':
+    ensure  => absent,
+    recurse => true,
+    force   => true,
+  }
+
+  user::manage { "<%= first_user %>":
+    tag      => "admin",
+    groups   => [ "sudo", ],
+    password => '<%= first_user_password %>',
+    sshkey   => [ "<%= first_user_sshkey %>" ],
+  }
+
+}
diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb
new file mode 100644
index 0000000..098ec9c
--- /dev/null
+++ b/templates/puppet/web.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-web.<%= domain %>' {
+  #$mail_delivery          = 'tunnel'
+  #$mail_hostname          = 'mail'
+  #$mail_ssh_port          = '2202'
+
+  include nodo::web
+
+  # encrypted local backups
+  #backup::duplicity { "localhost":
+  #  encryptkey => "ABCDEF12",
+  #  password   => 'xxxyyy',
+  #}
+  
+  # encrypted data remote backup
+  #backup::rdiff { "other-host":
+  #  port   => "10102",
+  #}
+
+}
diff --git a/templates/puppet/websites.pp.erb b/templates/puppet/websites.pp.erb
new file mode 100644
index 0000000..75dcd0b
--- /dev/null
+++ b/templates/puppet/websites.pp.erb
@@ -0,0 +1,45 @@
+class websites::admin inherits websites::hosting::admin {
+  #apache::site { "admin":
+  #  ticket         => '64',
+  #  docroot        => "${apache_sites_folder}/admin/trac/htdocs",
+  #  use            => [ "Trac admin" ],
+  #  redirect_match => "trac",
+  #  mpm            => false,
+  #}
+
+  #apache::site { "munin":
+  #  ticket         => '153',
+  #  docroot        => '/var/www/munin',
+  #  owner          => "munin",
+  #  group          => "munin",
+  #  mpm            => false,
+  #}
+
+  #apache::site { "nagios":
+  #  source         => true,
+  #  docroot        => '/usr/share/nagios3/htdocs',
+  #  mpm            => false,
+  #}
+}
+
+class websites inherits websites::hosting {
+  # Website definitions
+  #
+  # TODO:
+  #
+  #  - Use virtual resources:
+  #    - Tags by locations where the site can be hosted.
+  #    - Possible integration with cache proxies.
+  #
+
+  #apache::site { "site":
+  #  source         => true,
+  #  ticket         => '001',
+  #  docroot        => '/var/www/site',
+  #}
+
+  #database::instance { "site":
+  #  password => 'xxx',
+  #}  
+
+}