Diffstat (limited to 'templates')
-rw-r--r--templates/apache/htdocs/images/README.html.erb3
-rw-r--r--templates/apache/htdocs/index.html.erb9
-rw-r--r--templates/apache/htdocs/missing.html.erb12
-rw-r--r--templates/apache/vhosts/git.erb20
-rw-r--r--templates/apache/vhosts/lists.erb22
-rw-r--r--templates/apache/vhosts/mail.erb33
-rw-r--r--templates/apache/vhosts/nagios.erb61
-rw-r--r--templates/apache/vhosts/wiki.erb17
-rw-r--r--templates/etc/aliases.erb14
-rw-r--r--templates/etc/nagios3/htpasswd.users.erb1
-rw-r--r--templates/etc/nginx/domain.erb161
-rw-r--r--templates/postfix/tls_policy.erb0
-rw-r--r--templates/puppet/auth.conf.erb94
-rw-r--r--templates/puppet/fileserver.conf.erb17
-rw-r--r--templates/puppet/master.pp.erb16
-rw-r--r--templates/puppet/modules.pp.erb6
-rw-r--r--templates/puppet/nodes.pp.erb6
-rw-r--r--templates/puppet/proxy.pp.erb59
-rw-r--r--templates/puppet/puppet.conf.erb23
-rw-r--r--templates/puppet/server.pp.erb54
-rw-r--r--templates/puppet/site.pp.erb41
-rw-r--r--templates/puppet/storage.pp.erb19
-rw-r--r--templates/puppet/test.pp.erb19
-rw-r--r--templates/puppet/users.pp.erb39
-rw-r--r--templates/puppet/web.pp.erb19
-rw-r--r--templates/puppet/websites.pp.erb45
-rw-r--r--templates/shorewall/shorewall.conf.erb189
27 files changed, 999 insertions, 0 deletions
diff --git a/templates/apache/htdocs/images/README.html.erb b/templates/apache/htdocs/images/README.html.erb
new file mode 100644
index 0000000..5732efe
--- /dev/null
+++ b/templates/apache/htdocs/images/README.html.erb
@@ -0,0 +1,3 @@
+<pre>
+When not explicitly mentioned, the use of these images is restricted to domain.org
+</pre>
diff --git a/templates/apache/htdocs/index.html.erb b/templates/apache/htdocs/index.html.erb
new file mode 100644
index 0000000..6d2d7ea
--- /dev/null
+++ b/templates/apache/htdocs/index.html.erb
@@ -0,0 +1,9 @@
+<html><head>
+<meta http-equiv="refresh" content="1;url=http://<%= domain %>">
+<title><%= domain %></title></head><body>
+
+<center>
+ <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p>
+</center>
+
+</body></html>
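Review bot: The meta refresh and the link both send the visitor to `http://<%= domain %>`, while the nginx front end in this same commit (etc/nginx/domain.erb) rewrites every plain-HTTP request to HTTPS, so the landing page costs an extra redirect hop and briefly puts the user on an unencrypted URL. Using `content="1;url=https://<%= domain %>"` and `href="https://<%= domain %>"` here matches the proxy's intent. `domain` is a deployment variable rather than request input, so the unescaped interpolation is presumably acceptable, but a comment saying so would help the next reader.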
diff --git a/templates/apache/htdocs/missing.html.erb b/templates/apache/htdocs/missing.html.erb
new file mode 100644
index 0000000..0c95ef3
--- /dev/null
+++ b/templates/apache/htdocs/missing.html.erb
@@ -0,0 +1,12 @@
+<html>
+<head>
+<title>404 - Not Found</title>
+</head>
+<body>
+ <center>
+ <pre>
+ The address you are trying to reach could not be found. :(
+ </pre>
+ </center>
+</body>
+</html>
diff --git a/templates/apache/vhosts/git.erb b/templates/apache/vhosts/git.erb
new file mode 100644
index 0000000..25aecd1
--- /dev/null
+++ b/templates/apache/vhosts/git.erb
@@ -0,0 +1,20 @@
+# begin vhost for git
+<VirtualHost *:80>
+ # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian
+
+ ServerName git.<%= domain %>
+ SetEnv GITWEB_CONFIG /etc/gitweb.conf
+ HeaderName HEADER
+ DocumentRoot /var/git/repositories
+ Alias /gitweb.css /usr/share/gitweb/gitweb.css
+ Alias /git-favicon.png /usr/share/gitweb/git-favicon.png
+ Alias /git-logo.png /usr/share/gitweb/git-logo.png
+
+ ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi
+ RewriteEngine on
+
+ # Rewrite all other paths that aren't git repo internals to gitweb
+ RewriteRule ^/$ /gitweb [PT]
+ RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT]
+</VirtualHost>
+# end vhost for git
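Review bot: `DocumentRoot /var/git/repositories` serves the repository tree directly, and the two RewriteRules only hand paths containing `.git/` (other than HEAD/info/objects/refs) to gitweb, so any request without `.git/` in it — `/somedir/`, for instance — falls through to the filesystem with the server's default `Options`, which may include directory listings. Add a `<Directory /var/git/repositories>` block with `Options -Indexes +FollowSymLinks` and `AllowOverride None` so that only the intended dumb-HTTP paths are served and no .htaccess dropped into a repository can change that. The inline comment should also say that HEAD/info/objects/refs are deliberately left to Apache for plain git-over-HTTP fetches, which is the non-obvious part of the second rule.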
diff --git a/templates/apache/vhosts/lists.erb b/templates/apache/vhosts/lists.erb
new file mode 100644
index 0000000..158dfd4
--- /dev/null
+++ b/templates/apache/vhosts/lists.erb
@@ -0,0 +1,22 @@
+# begin vhost for lists.<%= domain %>
+<VirtualHost *:80>
+ ServerName lists.<%= domain %>
+ DocumentRoot /var/www/data/lists
+
+ RedirectMatch ^/$ https://lists.<%= domain %>/wws
+ Alias /static-sympa /var/lib/sympa/static_content
+ Alias /wwsicons /usr/share/sympa/icons
+ ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi
+
+ <IfModule mod_fcgid.c>
+ IPCCommTimeout 120
+ MaxProcessCount 2
+ </IfModule>
+
+ SuexecUserGroup sympa sympa
+
+ <Location /wws>
+ SetHandler fcgid-script
+ </Location>
+</VirtualHost>
+# end vhost for lists.<%= domain %>
diff --git a/templates/apache/vhosts/mail.erb b/templates/apache/vhosts/mail.erb
new file mode 100644
index 0000000..1467c47
--- /dev/null
+++ b/templates/apache/vhosts/mail.erb
@@ -0,0 +1,33 @@
+# begin vhost for mail.<%= domain >
+<VirtualHost *:80>
+ ServerName mail.<%= domain >
+ DocumentRoot /usr/share/squirrelmail
+
+ # begin mail config
+ <Directory /var/www/data/mail>
+ Options Indexes Includes FollowSymLinks MultiViews
+ AllowOverride All
+ </Directory>
+ # end mail config
+
+ <Directory /usr/share/squirrelmail>
+ Options Indexes FollowSymLinks
+ <IfModule mod_php4.c>
+ php_flag register_globals off
+ </IfModule>
+ <IfModule mod_php5.c>
+ php_flag register_globals off
+ </IfModule>
+ <IfModule mod_dir.c>
+ DirectoryIndex index.php
+ </IfModule>
+
+ # access to configtest is limited by default to prevent information leak
+ <Files configtest.php>
+ order deny,allow
+ deny from all
+ allow from 127.0.0.1
+ </Files>
+ </Directory>
+</VirtualHost>
+# end vhost for mail.<%= domain >
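Review bot: The ERB tags on the `# begin vhost`, `ServerName mail.<%= domain >` and `# end vhost` lines lack the closing `%`, so ERB never sees a `%>` in this file and the template most likely fails to render or emits the raw tag; they should read `<%= domain %>` as in git.erb and lists.erb. The same malformed tag appears in nagios.erb (`ServerName`), wiki.erb (begin, `ServerName`, end) and etc/nginx/domain.erb (both `server_name` lines and the `# rewrite rules for ...` comments). Separately, the `<Directory /var/www/data/mail>` block grants `Options Indexes Includes FollowSymLinks MultiViews` with `AllowOverride All` to a path that is not even this vhost's DocumentRoot; wiki.erb has the identical block for /var/www/data/wiki, which the `wiki` user writes to under `AssignUserId`, so an .htaccess there can re-enable server-side includes or anything else. Narrow both to `Options -Indexes -Includes +FollowSymLinks` and `AllowOverride AuthConfig Limit`, or document why the broad grant is required.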
diff --git a/templates/apache/vhosts/nagios.erb b/templates/apache/vhosts/nagios.erb
new file mode 100644
index 0000000..8b3d252
--- /dev/null
+++ b/templates/apache/vhosts/nagios.erb
@@ -0,0 +1,61 @@
+# begin vhost for nagios
+<VirtualHost *:80>
+ ServerName nagios.<%= domain >
+ DocumentRoot /usr/share/nagios3/htdocs
+
+ # apache configuration for nagios 3.x
+ # note to users of nagios 1.x and 2.x:
+ # throughout this file are commented out sections which preserve
+ # backwards compatibility with bookmarks/config forî<80><80>older nagios versios.
+ # simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+
+ ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
+ ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
+ # nagios 1.x:
+ #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
+ #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
+ # nagios 2.x:
+ #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
+ #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
+
+ # Where the stylesheets (config files) reside
+ Alias /nagios3/stylesheets /etc/nagios3/stylesheets
+ # nagios 1.x:
+ #Alias /nagios/stylesheets /etc/nagios3/stylesheets
+ # nagios 2.x:
+ #Alias /nagios2/stylesheets /etc/nagios3/stylesheets
+
+ # Where the HTML pages live
+ Alias /nagios3 /usr/share/nagios3/htdocs
+ # nagios 2.x:
+ #Alias /nagios2 /usr/share/nagios3/htdocs
+ # nagios 1.x:
+ #Alias /nagios /usr/share/nagios3/htdocs
+
+ <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
+ Options FollowSymLinks
+
+ DirectoryIndex index.html
+
+ AllowOverride AuthConfig
+ Order Allow,Deny
+ Allow From All
+
+ AuthName "Nagios Access"
+ AuthType Basic
+ AuthUserFile /etc/nagios3/htpasswd.users
+ # nagios 1.x:
+ #AuthUserFile /etc/nagios/htpasswd.users
+ require valid-user
+ </DirectoryMatch>
+
+ # Enable this ScriptAlias if you want to enable the grouplist patch.
+ # See http://apan.sourceforge.net/download.html for more info
+ # It allows you to see a clickable list of all hostgroups in the
+ # left pane of the Nagios web interface
+ # XXX This is not tested for nagios 2.x use at your own peril
+ #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+ # nagios 1.x:
+ #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+</VirtualHost>
+# end vhost for nagios
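Review bot: The comment `# backwards compatibility with bookmarks/config forî<80><80>older nagios versios.` contains mis-encoded bytes and a typo; it should read `# backwards compatibility with bookmarks/config for older nagios versions.`. Inside the `<DirectoryMatch>` block, `Allow From All` plus `require valid-user` means the htpasswd file installed from etc/nagios3/htpasswd.users.erb is the only control on the monitoring UI, and because this vhost listens on :80 with TLS terminated at the nginx proxy, Basic credentials cross the proxy-to-`admin` hop in clear; a comment stating that this hop is assumed to be a private network would make that trade-off explicit.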
diff --git a/templates/apache/vhosts/wiki.erb b/templates/apache/vhosts/wiki.erb
new file mode 100644
index 0000000..56e395b
--- /dev/null
+++ b/templates/apache/vhosts/wiki.erb
@@ -0,0 +1,17 @@
+# begin vhost for wiki.<%= domain >
+<VirtualHost *:80>
+ ServerName wiki.<%= domain >
+ DocumentRoot /var/www/data/wiki
+
+ # begin wiki config
+ <Directory /var/www/data/wiki>
+ Options Indexes Includes FollowSymLinks MultiViews
+ AllowOverride All
+ </Directory>
+ # end wiki config
+
+ <IfModule mpm_itk_module>
+ AssignUserId wiki wiki
+ </IfModule>
+</VirtualHost>
+# end vhost for wiki.<%= domain >
diff --git a/templates/etc/aliases.erb b/templates/etc/aliases.erb
new file mode 100644
index 0000000..4b9a4b9
--- /dev/null
+++ b/templates/etc/aliases.erb
@@ -0,0 +1,14 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+root: <%= first_user_email %>
diff --git a/templates/etc/nagios3/htpasswd.users.erb b/templates/etc/nagios3/htpasswd.users.erb
new file mode 100644
index 0000000..c21d493
--- /dev/null
+++ b/templates/etc/nagios3/htpasswd.users.erb
@@ -0,0 +1 @@
+nagiosadmin:0FCabjvUTHvxF
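Review bot: `nagiosadmin:0FCabjvUTHvxF` commits a fixed credential to the template: the 13-character value has the shape of a traditional crypt(3) DES hash, and every deployment rendered from this file accepts the same password for the "Nagios Access" realm protected in apache/vhosts/nagios.erb. Render it from a per-deployment variable like the other secrets in this commit (`first_user_password`, `mysql_rootpw`), e.g. `nagiosadmin:<%= nagios_admin_password_hash %>` (variable name constructed here), with the entry generated on the target by `htpasswd` using a stronger hash format than DES crypt.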
diff --git a/templates/etc/nginx/domain.erb b/templates/etc/nginx/domain.erb
new file mode 100644
index 0000000..72f864a
--- /dev/null
+++ b/templates/etc/nginx/domain.erb
@@ -0,0 +1,161 @@
+# <%= domain %> proxy config
+
+# Set the max size for file uploads
+client_max_body_size 100M;
+
+server {
+ # see config tips at
+ # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ # simple reverse-proxy
+ listen 80;
+ server_name *.<%= domain > <%= domain >
+
+ # enable HSTS header
+ add_header Strict-Transport-Security max-age=15768000;
+
+ # https redirection by default
+ rewrite ^(.*) https://$host$1 redirect;
+
+ # rewrite rules for backups.<%= domain >
+ #if ($host ~* ^backups\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for admin.<%= domain >
+ #if ($host ~* ^admin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for munin.<%= domain >
+ #if ($host ~* ^munin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for trac.<%= domain >
+ #if ($host ~* ^trac\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for nagios.<%= domain >
+ #if ($host ~* ^nagios\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for htpasswd.<%= domain >
+ #if ($host ~* ^htpasswd\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for postfixadmin.<%= domain >
+ #if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for mail.<%= domain >
+ #if ($host ~* ^mail\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for lists.<%= domain >
+ #if ($host ~* ^lists\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # pass requests for dynamic content
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_pass http://weblocal:80;
+ }
+
+}
+
+server {
+ # https reverse proxy
+ listen 443;
+ server_name *.<%= domain > <%= domain >;
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/cert.crt;
+ ssl_certificate_key /etc/ssl/private/cert.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv3 TLSv1;
+ ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
+ ssl_prefer_server_ciphers on;
+
+ # Set the max size for file uploads
+ client_max_body_size 100M;
+
+ location / {
+ # preserve http header
+ proxy_set_header Host $http_host;
+
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+
+ # rewrite rules for admin.<%= domain >
+ if ($host ~* ^admin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for munin.<%= domain >
+ if ($host ~* ^munin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for trac.<%= domain >
+ if ($host ~* ^trac\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for nagios.<%= domain >
+ if ($host ~* ^nagios\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for postfixadmin.<%= domain >
+ if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for mail.<%= domain >
+ if ($host ~* ^mail\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for lists.<%= domain >
+ if ($host ~* ^lists\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # default proxy pass
+ proxy_pass http://weblocal:80;
+ }
+
+}
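Review bot: `ssl_protocols SSLv3 TLSv1;` in the :443 server leaves SSLv3 enabled; drop it (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` where this nginx build supports them), and note that `add_header Strict-Transport-Security max-age=15768000;` is only emitted by the :80 server, where browsers ignore HSTS — it belongs in the :443 server next to the `ssl_*` directives. `server_name *.<%= domain > <%= domain >` in the :80 server is also missing the trailing `;` that the :443 copy has, independently of the malformed ERB tags. Both servers send `access_log` and `error_log` to /dev/null, so nothing is retained for troubleshooting or incident response; at minimum keep `error_log` at a real path, or comment why logging is deliberately off on this host.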
diff --git a/templates/postfix/tls_policy.erb b/templates/postfix/tls_policy.erb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/templates/postfix/tls_policy.erb
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
new file mode 100644
index 0000000..431e4b2
--- /dev/null
+++ b/templates/puppet/auth.conf.erb
@@ -0,0 +1,94 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACL - those applies only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog (ie their configuration)
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their reports
+path /report
+method save
+allow *
+
+# inconditionnally allow access to all files services
+# which means in practice that fileserver.conf will
+# still be used
+path /file
+allow *
+
+### Unauthenticated ACL, for clients for which the current master doesn't
+### have a valid certificate
+
+# allow access to the master CA
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# this one is not stricly necessary, but it has the merit
+# to show the default policy which is deny everything else
+path /
+auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
new file mode 100644
index 0000000..b8ad720
--- /dev/null
+++ b/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,17 @@
+# top-level
+[files]
+ path /etc/puppet/files
+ allow *.<%= domain %>
+
+[keys]
+ path /etc/puppet/files/keys
+ allow *.<%= domain %>
+
+# modules
+[common]
+ path /etc/puppet/modules/common/files
+ allow *.<%= domain %>
+
+[puppet]
+ path /etc/puppet/modules/puppet/files
+ allow *.<%= domain %>
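Review bot: Every mount, including `[keys]`, is exposed with `allow *.<%= domain %>`, so any node holding a signed certificate in the domain can fetch any file under /etc/puppet/files/keys — and, since that directory sits inside the `[files]` path, through the `files` mount as well; with `path /file` / `allow *` in puppet/auth.conf.erb, this file is the only thing gating that material. Restrict `[keys]` to the hosts that actually consume it, one `allow <%= hostname %>-storage.<%= domain %>`-style line per host (which hosts those are is not visible in this commit), or move key material out of the broad `[files]` tree. A one-line comment above `[keys]` stating what lives there and who is entitled to it would also help future reviewers.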
diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb
new file mode 100644
index 0000000..3f7b4d9
--- /dev/null
+++ b/templates/puppet/master.pp.erb
@@ -0,0 +1,16 @@
+node '<%= hostname %>-master.<%= domain %>' {
+ $main_master = true
+ include nodo::master
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
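Review bot: The commented `backup::duplicity` example carries `password => 'xxxyyy'` and `encryptkey => "ABCDEF12"` inline; when it is enabled the values should be rendered from template variables like `mysql_rootpw` in site.pp.erb rather than typed into a manifest that lives in version control. A comment such as `# when enabling, take password/encryptkey from template variables, never literals` above the stanza would make that expectation visible. The same stanza is repeated in proxy.pp.erb, server.pp.erb, storage.pp.erb, test.pp.erb and web.pp.erb.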
diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb
new file mode 100644
index 0000000..ee98397
--- /dev/null
+++ b/templates/puppet/modules.pp.erb
@@ -0,0 +1,6 @@
+#
+# These are the modules we use.
+#
+
+# Nodo automatically import all modules we need.
+import "nodo"
diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb
new file mode 100644
index 0000000..2cb58b4
--- /dev/null
+++ b/templates/puppet/nodes.pp.erb
@@ -0,0 +1,6 @@
+import "nodes/<%= hostname %>-server.pp"
+import "nodes/<%= hostname %>-master.pp"
+import "nodes/<%= hostname %>-proxy.pp"
+import "nodes/<%= hostname %>-web.pp"
+import "nodes/<%= hostname %>-storage.pp"
+import "nodes/<%= hostname %>-test.pp"
diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb
new file mode 100644
index 0000000..a108a73
--- /dev/null
+++ b/templates/puppet/proxy.pp.erb
@@ -0,0 +1,59 @@
+node '<%= hostname %>-proxy.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::proxy
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+ # reference to admin vserver
+ host { "<%= hostname %>-master":
+ ensure => present,
+ ip => "192.168.0.2",
+ host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to proxy vserver
+ #host { "<%= hostname %>-proxy":
+ # ensure => present,
+ # ip => "192.168.0.3",
+ # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
+ # notify => Service["nginx"],
+ #}
+
+ # reference to web vserver
+ host { "<%= hostname %>-web":
+ ensure => present,
+ ip => "192.168.0.4",
+ host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to storage vserver
+ host { "<%= hostname %>-storage":
+ ensure => present,
+ ip => "192.168.0.5",
+ host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
+ notify => Service["nginx"],
+ }
+
+ # reference to test vserver
+ host { "<%= hostname %>-test":
+ ensure => present,
+ ip => "192.168.0.6",
+ host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
+ notify => Service["nginx"],
+ }
+
+}
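Review bot: The `host` resources template the names (`<%= hostname %>-master` and so on) but hard-code the addresses 192.168.0.2 through 192.168.0.6, which mirror the vserver `context` numbers 2–6 in server.pp.erb; keeping the two in step by hand is error-prone. Rendering the last octet from one template variable (or a single hostname→address map) would keep this file, server.pp.erb and `$global_munin_allow` in site.pp.erb consistent. The `notify => Service["nginx"]` on each entry is presumably there because nginx resolves `weblocal`, `admin` and `mail` at start-up; a short comment saying so would explain the otherwise surprising dependency.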
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..ae642de
--- /dev/null
+++ b/templates/puppet/puppet.conf.erb
@@ -0,0 +1,23 @@
+[main]
+logdir = /var/log/puppet
+rundir = /var/run/puppet
+factpath = $vardir/lib/facter
+pluginsync = true
+
+[master]
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+autosign = false
+#storeconfigs = true
+#dbadapter = mysql
+#dbserver = localhost
+#dbuser = puppet
+#dbpassword =
+#dbconnections = 15
+
+[agent]
+server = puppet.<%= domain%>
+vardir = /var/lib/puppet
+ssldir = $vardir/ssl
+runinterval = 1800
+puppetport = 8139
diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb
new file mode 100644
index 0000000..ca0ab50
--- /dev/null
+++ b/templates/puppet/server.pp.erb
@@ -0,0 +1,54 @@
+node '<%= hostname %>.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+ $shorewall_dmz = true
+ $resolvconf_nameservers = $opendns_nameservers
+ $has_ups = false
+ include nodo::server
+
+ host { "puppet":
+ ensure => present,
+ ip => "127.0.0.1",
+ host_aliases => [ "puppet.<%= domain %>" ],
+ }
+
+ #
+ # Linux-VServers
+ #
+ #nodo::vserver::instance { "<%= hostname %>-master":
+ # context => '2',
+ # puppetmaster => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-proxy":
+ # context => '3',
+ # proxy => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-web":
+ # context => '4',
+ # gitd => true,
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-storage":
+ # context => '5',
+ #}
+
+ #nodo::vserver::instance { "<%= hostname %>-test":
+ # context => '6',
+ # memory_limit => 500,
+ #}
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10105",
+ #}
+
+}
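Review bot: `host { "puppet": ip => "127.0.0.1", host_aliases => [ "puppet.<%= domain %>" ] }` pins the puppetmaster to the physical host, while proxy.pp.erb resolves `puppet` to the master vserver at 192.168.0.2 and the `<%= hostname %>-master` instance with `puppetmaster => true` is commented out just below. If the master vserver is meant to be enabled, this entry should point at 192.168.0.2 too; if the server deliberately runs its own master, a comment saying so would save the next reader from the discrepancy. `$resolvconf_nameservers = $opendns_nameservers` relies on the top-scope variable declared in site.pp.erb, which is worth a one-line comment since nothing in this file defines it.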
diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb
new file mode 100644
index 0000000..273f2c7
--- /dev/null
+++ b/templates/puppet/site.pp.erb
@@ -0,0 +1,41 @@
+#
+# Puppet site configuration.
+#
+import "classes/users.pp"
+import "classes/websites.pp"
+import "modules.pp"
+import "nodes.pp"
+
+# Default execution path
+Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" }
+
+# Fileserver backup
+filebucket { server: server => "admin.<%= domain %>" }
+File { backup => server }
+
+# General configuration
+$network_name = '<%= domain %> cloud'
+
+# MySQL password
+$mysql_rootpw = '<%= mysql_rootpw %>'
+
+# Puppetmaster db password
+$puppetmaster_db_password = '<%= puppetmaster_db_password %>'
+
+# OpenDNS nameservers in case we need on DNS outages
+$opendns_nameservers = '208.67.222.222:208.67.220.220'
+
+# Munin
+$global_munin_allow = '192.168.0.[0-9]*'
+
+# We want puppet to manage it's certificates
+$puppetmaster_manage_ca = false
+
+# Reprepro
+#$reprepro_uploaders = [ '' ]
+
+# Mail configuration
+#$root_mail_recipient = 'messages@lists.project'
+#$postfix_mynetworks = '127.0.0.0/8, 192.168.0.0/28'
+#$postfixadmin_database_password = ''
+#$postfixadmin_setup_hash = ''
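Review bot: The comment `# We want puppet to manage it's certificates` contradicts the value it annotates, `$puppetmaster_manage_ca = false`; either the comment or the value is wrong, and the comment should state which is intended (and read `its`). `$global_munin_allow = '192.168.0.[0-9]*'` is presumably consumed as a regex: the unescaped dots match any character and `[0-9]*` also matches an empty string, so `'^192\.168\.0\.[0-9]+$'` expresses the intent more tightly — confirm how the munin module applies it before changing. `$mysql_rootpw` and `$puppetmaster_db_password` are top-scope variables visible to every catalog compile; a note on which node classes legitimately read them would make later scope reviews easier.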
diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb
new file mode 100644
index 0000000..ab3ddc9
--- /dev/null
+++ b/templates/puppet/storage.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-storage.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::storage
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb
new file mode 100644
index 0000000..0440ee4
--- /dev/null
+++ b/templates/puppet/test.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-test.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::test
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb
new file mode 100644
index 0000000..4ec5604
--- /dev/null
+++ b/templates/puppet/users.pp.erb
@@ -0,0 +1,39 @@
+class users::virtual inherits user {
+ # define custom users here
+}
+
+class users::backup inherits user {
+ # define third-party hosted backup users here
+}
+
+class users::admin inherits user {
+
+ # reprepro group needed for web nodes
+ #if !defined(Group["reprepro"]) {
+ # group { "reprepro":
+ # ensure => present,
+ # }
+ #}
+
+ # fucked up password for root
+ user::manage { "root":
+ tag => "admin",
+ homedir => '/root',
+ password => '$5$9jXNrc7jaVIe.dOz$A0L8MwtKOeZqVPQZVEoYm8lhVwBxPyRsBMHpNRLyF/7',
+ }
+
+ # TODO: temporary cleanup; remove after all nodes have applied it
+ file { '/home/root':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ user::manage { "<%= first_user %>":
+ tag => "admin",
+ groups => [ "sudo", ],
+ password => '<%= first_user_password %>',
+ sshkey => [ "<%= first_user_sshkey %>" ],
+ }
+
+}
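Review bot: `user::manage { "root": ... password => '$5$9jXNrc7jaVIe.dOz$...' }` hard-codes a root password hash in the template, so every host generated from it shares one root password and the hash sits in version control, whereas the first user's password on the next resource is correctly rendered from `first_user_password`. Render root the same way, `password => '<%= root_password %>'` (variable name constructed here, to be provided alongside `first_user_password`). The `file { '/home/root': ensure => absent, recurse => true, force => true }` cleanup is destructive and marked temporary; record its removal condition in the TODO (a date or the change that created /home/root) so it is not left in place indefinitely.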
diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb
new file mode 100644
index 0000000..098ec9c
--- /dev/null
+++ b/templates/puppet/web.pp.erb
@@ -0,0 +1,19 @@
+node '<%= hostname %>-web.<%= domain %>' {
+ #$mail_delivery = 'tunnel'
+ #$mail_hostname = 'mail'
+ #$mail_ssh_port = '2202'
+
+ include nodo::web
+
+ # encrypted local backups
+ #backup::duplicity { "localhost":
+ # encryptkey => "ABCDEF12",
+ # password => 'xxxyyy',
+ #}
+
+ # encrypted data remote backup
+ #backup::rdiff { "other-host":
+ # port => "10102",
+ #}
+
+}
diff --git a/templates/puppet/websites.pp.erb b/templates/puppet/websites.pp.erb
new file mode 100644
index 0000000..75dcd0b
--- /dev/null
+++ b/templates/puppet/websites.pp.erb
@@ -0,0 +1,45 @@
+class websites::admin inherits websites::hosting::admin {
+ #apache::site { "admin":
+ # ticket => '64',
+ # docroot => "${apache_sites_folder}/admin/trac/htdocs",
+ # use => [ "Trac admin" ],
+ # redirect_match => "trac",
+ # mpm => false,
+ #}
+
+ #apache::site { "munin":
+ # ticket => '153',
+ # docroot => '/var/www/munin',
+ # owner => "munin",
+ # group => "munin",
+ # mpm => false,
+ #}
+
+ #apache::site { "nagios":
+ # source => true,
+ # docroot => '/usr/share/nagios3/htdocs',
+ # mpm => false,
+ #}
+}
+
+class websites inherits websites::hosting {
+ # Website definitions
+ #
+ # TODO:
+ #
+ # - Use virtual resources:
+ # - Tags by locations where the site can be hosted.
+ # - Possible integration with cache proxies.
+ #
+
+ #apache::site { "site":
+ # source => true,
+ # ticket => '001',
+ # docroot => '/var/www/site',
+ #}
+
+ #database::instance { "site":
+ # password => 'xxx',
+ #}
+
+}
diff --git a/templates/shorewall/shorewall.conf.erb b/templates/shorewall/shorewall.conf.erb
new file mode 100644
index 0000000..1aa18ee
--- /dev/null
+++ b/templates/shorewall/shorewall.conf.erb
@@ -0,0 +1,189 @@
+###############################################################################
+# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
+# match your setup
+#
+# This program is under GPL
+# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,
+# 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# Additional information is available at
+# http://www.shorewall.net/Documentation.htm#Conf
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# C O M P I L E R
+# (setting this to 'perl' requires installation of Shorewall-perl)
+###############################################################################
+
+SHOREWALL_COMPILER=
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+RFC1918_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=No
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=""
+
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall:/var/lib/puppet/modules/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+IP_FORWARDING=Yes
+
+ADD_IP_ALIASES=Yes
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=
+
+DISABLE_IPV6=Yes
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+RFC1918_STRICT=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=Yes
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=0
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE
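Review bot: `LOG_MARTIANS=No` together with `ROUTE_FILTER=Yes` means packets dropped by reverse-path filtering are discarded silently, and `BLACKLIST_LOGLEVEL=` is left empty so blacklist hits are likewise unlogged; for a firewall in front of the proxy and mail hosts both are worth recording, i.e. `LOG_MARTIANS=Yes` and `BLACKLIST_LOGLEVEL=info`. `IP_FORWARDING=Yes` is set unconditionally although only the host with `$shorewall_dmz = true` in server.pp.erb appears to route between vservers; a comment above it explaining that this template is shared by all nodes would clarify whether that is intended. `SHOREWALL_COMPILER=` is empty, so whichever compiler the installed package defaults to is used — worth stating in the adjacent comment.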