From 01b2048dbf02ac726dabde5e846b9d6ac9aff0e6 Mon Sep 17 00:00:00 2001 From: drebs Date: Fri, 11 Mar 2011 14:53:39 -0300 Subject: initial recommit --- templates/puppet/auth.conf.erb | 94 ++++++++++++++++++++++++++++++++++++ templates/puppet/fileserver.conf.erb | 17 +++++++ templates/puppet/master.pp.erb | 16 ++++++ templates/puppet/modules.pp.erb | 6 +++ templates/puppet/nodes.pp.erb | 6 +++ templates/puppet/proxy.pp.erb | 59 ++++++++++++++++++++++ templates/puppet/puppet.conf.erb | 23 +++++++++ templates/puppet/server.pp.erb | 54 +++++++++++++++++++++ templates/puppet/site.pp.erb | 41 ++++++++++++++++ templates/puppet/storage.pp.erb | 19 ++++++++ templates/puppet/test.pp.erb | 19 ++++++++ templates/puppet/users.pp.erb | 39 +++++++++++++++ templates/puppet/web.pp.erb | 19 ++++++++ templates/puppet/websites.pp.erb | 45 +++++++++++++++++ 14 files changed, 457 insertions(+) create mode 100644 templates/puppet/auth.conf.erb create mode 100644 templates/puppet/fileserver.conf.erb create mode 100644 templates/puppet/master.pp.erb create mode 100644 templates/puppet/modules.pp.erb create mode 100644 templates/puppet/nodes.pp.erb create mode 100644 templates/puppet/proxy.pp.erb create mode 100644 templates/puppet/puppet.conf.erb create mode 100644 templates/puppet/server.pp.erb create mode 100644 templates/puppet/site.pp.erb create mode 100644 templates/puppet/storage.pp.erb create mode 100644 templates/puppet/test.pp.erb create mode 100644 templates/puppet/users.pp.erb create mode 100644 templates/puppet/web.pp.erb create mode 100644 templates/puppet/websites.pp.erb (limited to 'templates/puppet') diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb new file mode 100644 index 0000000..431e4b2 --- /dev/null +++ b/templates/puppet/auth.conf.erb @@ -0,0 +1,94 @@ +# This is an example auth.conf file, it mimics the puppetmasterd defaults +# +# The ACL are checked in order of appearance in this file. +# +# Supported syntax: +# This file supports two different syntax depending on how +# you want to express the ACL. +# +# Path syntax (the one used below): +# --------------------------------- +# path /path/to/resource +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The path is matched as a prefix. That is /file match at +# the same time /file_metadat and /file_content. +# +# Regex syntax: +# ------------- +# This one is differenciated from the path one by a '~' +# +# path ~ regex +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The regex syntax is the same as ruby ones. +# +# Ex: +# path ~ .pp$ +# will match every resource ending in .pp (manifests files for instance) +# +# path ~ ^/path/to/resource +# is essentially equivalent to path /path/to/resource +# +# environment:: restrict an ACL to a specific set of environments +# method:: restrict an ACL to a specific set of methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +### Authenticated ACL - those applies only when the client +### has a valid certificate and is thus authenticated + +# allow nodes to retrieve their own catalog (ie their configuration) +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow all nodes to access the certificates services +path /certificate_revocation_list/ca +method find +allow * + +# allow all nodes to store their reports +path /report +method save +allow * + +# inconditionnally allow access to all files services +# which means in practice that fileserver.conf will +# still be used +path /file +allow * + +### Unauthenticated ACL, for clients for which the current master doesn't +### have a valid certificate + +# allow access to the master CA +path /certificate/ca +auth no +method find +allow * + +path /certificate/ +auth no +method find +allow * + +path /certificate_request +auth no +method find, save +allow * + +# this one is not stricly necessary, but it has the merit +# to show the default policy which is deny everything else +path / +auth any diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb new file mode 100644 index 0000000..b8ad720 --- /dev/null +++ b/templates/puppet/fileserver.conf.erb @@ -0,0 +1,17 @@ +# top-level +[files] + path /etc/puppet/files + allow *.<%= domain %> + +[keys] + path /etc/puppet/files/keys + allow *.<%= domain %> + +# modules +[common] + path /etc/puppet/modules/common/files + allow *.<%= domain %> + +[puppet] + path /etc/puppet/modules/puppet/files + allow *.<%= domain %> diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb new file mode 100644 index 0000000..3f7b4d9 --- /dev/null +++ b/templates/puppet/master.pp.erb @@ -0,0 +1,16 @@ +node '<%= hostname %>-master.<%= domain %>' { + $main_master = true + include nodo::master + + # encrypted local backups + #backup::duplicity { "localhost": + # encryptkey => "ABCDEF12", + # password => 'xxxyyy', + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/templates/puppet/modules.pp.erb b/templates/puppet/modules.pp.erb new file mode 100644 index 0000000..ee98397 --- /dev/null +++ b/templates/puppet/modules.pp.erb @@ -0,0 +1,6 @@ +# +# These are the modules we use. +# + +# Nodo automatically import all modules we need. +import "nodo" diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb new file mode 100644 index 0000000..2cb58b4 --- /dev/null +++ b/templates/puppet/nodes.pp.erb @@ -0,0 +1,6 @@ +import "nodes/<%= hostname %>-server.pp" +import "nodes/<%= hostname %>-master.pp" +import "nodes/<%= hostname %>-proxy.pp" +import "nodes/<%= hostname %>-web.pp" +import "nodes/<%= hostname %>-storage.pp" +import "nodes/<%= hostname %>-test.pp" diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb new file mode 100644 index 0000000..a108a73 --- /dev/null +++ b/templates/puppet/proxy.pp.erb @@ -0,0 +1,59 @@ +node '<%= hostname %>-proxy.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::proxy + + # encrypted local backups + #backup::duplicity { "localhost": + # encryptkey => "ABCDEF12", + # password => 'xxxyyy', + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + + # reference to admin vserver + host { "<%= hostname %>-master": + ensure => present, + ip => "192.168.0.2", + host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ], + notify => Service["nginx"], + } + + # reference to proxy vserver + #host { "<%= hostname %>-proxy": + # ensure => present, + # ip => "192.168.0.3", + # host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ], + # notify => Service["nginx"], + #} + + # reference to web vserver + host { "<%= hostname %>-web": + ensure => present, + ip => "192.168.0.4", + host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ], + notify => Service["nginx"], + } + + # reference to storage vserver + host { "<%= hostname %>-storage": + ensure => present, + ip => "192.168.0.5", + host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ], + notify => Service["nginx"], + } + + # reference to test vserver + host { "<%= hostname %>-test": + ensure => present, + ip => "192.168.0.6", + host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ], + notify => Service["nginx"], + } + +} diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb new file mode 100644 index 0000000..ae642de --- /dev/null +++ b/templates/puppet/puppet.conf.erb @@ -0,0 +1,23 @@ +[main] +logdir = /var/log/puppet +rundir = /var/run/puppet +factpath = $vardir/lib/facter +pluginsync = true + +[master] +vardir = /var/lib/puppet +ssldir = $vardir/ssl +autosign = false +#storeconfigs = true +#dbadapter = mysql +#dbserver = localhost +#dbuser = puppet +#dbpassword = +#dbconnections = 15 + +[agent] +server = puppet.<%= domain%> +vardir = /var/lib/puppet +ssldir = $vardir/ssl +runinterval = 1800 +puppetport = 8139 diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb new file mode 100644 index 0000000..ca0ab50 --- /dev/null +++ b/templates/puppet/server.pp.erb @@ -0,0 +1,54 @@ +node '<%= hostname %>.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + $shorewall_dmz = true + $resolvconf_nameservers = $opendns_nameservers + $has_ups = false + include nodo::server + + host { "puppet": + ensure => present, + ip => "127.0.0.1", + host_aliases => [ "puppet.<%= domain %>" ], + } + + # + # Linux-VServers + # + #nodo::vserver::instance { "<%= hostname %>-master": + # context => '2', + # puppetmaster => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-proxy": + # context => '3', + # proxy => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-web": + # context => '4', + # gitd => true, + #} + + #nodo::vserver::instance { "<%= hostname %>-storage": + # context => '5', + #} + + #nodo::vserver::instance { "<%= hostname %>-test": + # context => '6', + # memory_limit => 500, + #} + + # encrypted local backups + #backup::duplicity { "localhost": + # encryptkey => "ABCDEF12", + # password => 'xxxyyy', + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10105", + #} + +} diff --git a/templates/puppet/site.pp.erb b/templates/puppet/site.pp.erb new file mode 100644 index 0000000..273f2c7 --- /dev/null +++ b/templates/puppet/site.pp.erb @@ -0,0 +1,41 @@ +# +# Puppet site configuration. +# +import "classes/users.pp" +import "classes/websites.pp" +import "modules.pp" +import "nodes.pp" + +# Default execution path +Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" } + +# Fileserver backup +filebucket { server: server => "admin.<%= domain %>" } +File { backup => server } + +# General configuration +$network_name = '<%= domain %> cloud' + +# MySQL password +$mysql_rootpw = '<%= mysql_rootpw %>' + +# Puppetmaster db password +$puppetmaster_db_password = '<%= puppetmaster_db_password %>' + +# OpenDNS nameservers in case we need on DNS outages +$opendns_nameservers = '208.67.222.222:208.67.220.220' + +# Munin +$global_munin_allow = '192.168.0.[0-9]*' + +# We want puppet to manage it's certificates +$puppetmaster_manage_ca = false + +# Reprepro +#$reprepro_uploaders = [ '' ] + +# Mail configuration +#$root_mail_recipient = 'messages@lists.project' +#$postfix_mynetworks = '127.0.0.0/8, 192.168.0.0/28' +#$postfixadmin_database_password = '' +#$postfixadmin_setup_hash = '' diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb new file mode 100644 index 0000000..ab3ddc9 --- /dev/null +++ b/templates/puppet/storage.pp.erb @@ -0,0 +1,19 @@ +node '<%= hostname %>-storage.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::storage + + # encrypted local backups + #backup::duplicity { "localhost": + # encryptkey => "ABCDEF12", + # password => 'xxxyyy', + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb new file mode 100644 index 0000000..0440ee4 --- /dev/null +++ b/templates/puppet/test.pp.erb @@ -0,0 +1,19 @@ +node '<%= hostname %>-test.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::test + + # encrypted local backups + #backup::duplicity { "localhost": + # encryptkey => "ABCDEF12", + # password => 'xxxyyy', + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb new file mode 100644 index 0000000..4ec5604 --- /dev/null +++ b/templates/puppet/users.pp.erb @@ -0,0 +1,39 @@ +class users::virtual inherits user { + # define custom users here +} + +class users::backup inherits user { + # define third-party hosted backup users here +} + +class users::admin inherits user { + + # reprepro group needed for web nodes + #if !defined(Group["reprepro"]) { + # group { "reprepro": + # ensure => present, + # } + #} + + # fucked up password for root + user::manage { "root": + tag => "admin", + homedir => '/root', + password => '$5$9jXNrc7jaVIe.dOz$A0L8MwtKOeZqVPQZVEoYm8lhVwBxPyRsBMHpNRLyF/7', + } + + # TODO: temporary cleanup; remove after all nodes have applied it + file { '/home/root': + ensure => absent, + recurse => true, + force => true, + } + + user::manage { "<%= first_user %>": + tag => "admin", + groups => [ "sudo", ], + password => '<%= first_user_password %>', + sshkey => [ "<%= first_user_sshkey %>" ], + } + +} diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb new file mode 100644 index 0000000..098ec9c --- /dev/null +++ b/templates/puppet/web.pp.erb @@ -0,0 +1,19 @@ +node '<%= hostname %>-web.<%= domain %>' { + #$mail_delivery = 'tunnel' + #$mail_hostname = 'mail' + #$mail_ssh_port = '2202' + + include nodo::web + + # encrypted local backups + #backup::duplicity { "localhost": + # encryptkey => "ABCDEF12", + # password => 'xxxyyy', + #} + + # encrypted data remote backup + #backup::rdiff { "other-host": + # port => "10102", + #} + +} diff --git a/templates/puppet/websites.pp.erb b/templates/puppet/websites.pp.erb new file mode 100644 index 0000000..75dcd0b --- /dev/null +++ b/templates/puppet/websites.pp.erb @@ -0,0 +1,45 @@ +class websites::admin inherits websites::hosting::admin { + #apache::site { "admin": + # ticket => '64', + # docroot => "${apache_sites_folder}/admin/trac/htdocs", + # use => [ "Trac admin" ], + # redirect_match => "trac", + # mpm => false, + #} + + #apache::site { "munin": + # ticket => '153', + # docroot => '/var/www/munin', + # owner => "munin", + # group => "munin", + # mpm => false, + #} + + #apache::site { "nagios": + # source => true, + # docroot => '/usr/share/nagios3/htdocs', + # mpm => false, + #} +} + +class websites inherits websites::hosting { + # Website definitions + # + # TODO: + # + # - Use virtual resources: + # - Tags by locations where the site can be hosted. + # - Possible integration with cache proxies. + # + + #apache::site { "site": + # source => true, + # ticket => '001', + # docroot => '/var/www/site', + #} + + #database::instance { "site": + # password => 'xxx', + #} + +} -- cgit v1.2.3