authorSilvio Rhatto <rhatto@riseup.net>2013-04-12 17:09:03 -0300
committerSilvio Rhatto <rhatto@riseup.net>2013-04-12 17:09:03 -0300
commitfe1c86b8f938283e9dd8196a8b11a9648f4b49e6 (patch)
treec2d999eca03862a3e4af57e0885397adf6bbc6ec /manifests/role
parentec5c750d12bdc7948bb3c04f0c72817718a0bf47 (diff)
downloadpuppet-nodo-fe1c86b8f938283e9dd8196a8b11a9648f4b49e6.tar.gz
puppet-nodo-fe1c86b8f938283e9dd8196a8b11a9648f4b49e6.tar.bz2
Major refactor
Diffstat (limited to 'manifests/role')
-rw-r--r--manifests/role/dns.pp3
-rw-r--r--manifests/role/jabber.pp36
-rw-r--r--manifests/role/mail.pp3
-rw-r--r--manifests/role/master.pp60
-rw-r--r--manifests/role/mumble.pp3
-rw-r--r--manifests/role/nas.pp233
-rw-r--r--manifests/role/personal.pp43
-rw-r--r--manifests/role/proxy.pp3
-rw-r--r--manifests/role/router.pp25
-rw-r--r--manifests/role/storage.pp3
-rw-r--r--manifests/role/test.pp3
-rw-r--r--manifests/role/tor.pp4
-rw-r--r--manifests/role/web.pp49
-rw-r--r--manifests/role/webdev.pp5
-rw-r--r--manifests/role/webdev/desktop.pp3
-rw-r--r--manifests/role/webdev/laptop.pp3
-rw-r--r--manifests/role/yacy.pp34
17 files changed, 513 insertions, 0 deletions
diff --git a/manifests/role/dns.pp b/manifests/role/dns.pp
new file mode 100644
index 0000000..2faa69b
--- /dev/null
+++ b/manifests/role/dns.pp
@@ -0,0 +1,3 @@
+class nodo::role::dns inherits nodo::vserver {
+ include bind
+}
diff --git a/manifests/role/jabber.pp b/manifests/role/jabber.pp
new file mode 100644
index 0000000..b510ccd
--- /dev/null
+++ b/manifests/role/jabber.pp
@@ -0,0 +1,36 @@
+class nodo::role::jabber inherits nodo::vserver {
+ include ssl
+ include ejabberd
+
+ # We can offer jabber web access in a web node, so
+ # we leave this out.
+ #
+ #include websites::setup
+ #
+ #package { 'jwchat':
+ # ensure => present,
+ #}
+
+ host { "chat":
+ ensure => present,
+ ip => "127.0.0.1",
+ host_aliases => [ "chat.${domain}" ],
+ }
+
+ file { [ "/etc/ejabberd/ssl", "/etc/ejabberd/ssl/certs", "/etc/ejabberd/ssl/private" ]:
+ ensure => directory,
+ owner => "root",
+ group => "ejabberd",
+ mode => 0750,
+ }
+
+ # We use a concatenated cert file
+ # http://site4fast.blogspot.com.br/2011/10/ejabberd-ssl-how-to.html
+ ssl::cert { "cert-concat":
+ owner => 'ejabberd',
+ group => 'ejabberd',
+ base => '/etc/ejabberd/ssl',
+ notify => Service['ejabberd'],
+ require => File['/etc/ejabberd/ssl/private'],
+ }
+}
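Review bot: `host_aliases => [ "chat.${domain}" ]` reads the unqualified `$domain`, while master.pp in the same commit uses the top-scope fact `$::domain`; under dynamic scoping an unqualified lookup can resolve to a variable set by an including class, so this should be `host_aliases => [ "chat.${::domain}" ],`. The `mode => 0750` on the ssl directories is an unquoted octal literal; quoting it (`mode => '0750',`) matches the form the file type documents and is what puppet-lint's unquoted-file-mode check asks for. Nothing else in the hunk needs changing: the 0750 root:ejabberd ownership on the private-key directory is appropriate for a daemon-readable, world-inaccessible key store.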
diff --git a/manifests/role/mail.pp b/manifests/role/mail.pp
new file mode 100644
index 0000000..4c33ed4
--- /dev/null
+++ b/manifests/role/mail.pp
@@ -0,0 +1,3 @@
+class nodo::role::mail {
+ class { [ 'nodo::vserver', 'mail::system' ]: }
+}
diff --git a/manifests/role/master.pp b/manifests/role/master.pp
new file mode 100644
index 0000000..2adb8a5
--- /dev/null
+++ b/manifests/role/master.pp
@@ -0,0 +1,60 @@
+class nodo::role::master {
+ $main = hiera('nodo::role::master::main', false)
+ $db_password = hiera('nodo::role::master::db_password', '')
+
+ case $db_password {
+ '': { fail("Please set nodo::master::db_password in your config") }
+ }
+
+ if $main == true {
+ # Puppetmaster should be included before nodo::vserver
+ class { 'puppet::master':
+ main => true,
+ }
+
+ include munin::host
+ include munin::plugins::muninhost
+
+ # The main master has a host entry pointing to itself, other
+ # masters still retrieve catalogs from the main master.
+ host { "puppet":
+ ensure => present,
+ ip => "127.0.0.1",
+ alias => ["puppet.${::domain}"],
+ }
+ } else {
+ class { 'puppet::master':
+ main => false,
+ }
+
+ host { "puppet":
+ ensure => absent,
+ }
+ }
+
+ # These should be included after puppetmaster
+ include nodo::vserver
+ include database
+ include git::daemon
+ include websites::admin
+ include nagios::headless
+ include nagios::defaults
+
+ # Nagios apache workaround
+ file { "/etc/apache2/conf.d/nagios3.conf":
+ ensure => absent,
+ }
+
+ # Update master's puppet.conf if you change here
+ database::instance { "puppet":
+ password => "${db_password}",
+ }
+
+ # Used for trac dependency graphs
+ package { "graphviz":
+ ensure => present,
+ }
+
+ # Check domain registration
+ domain_check::instance { $::domain: }
+}
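Review bot: The `fail()` message in the `case $db_password` block names `nodo::master::db_password`, but the key actually read two lines above is `nodo::role::master::db_password`, so an operator following the message would set the wrong hiera key; use `fail("Please set nodo::role::master::db_password in your config")`. The main-master `host { "puppet": ... alias => ["puppet.${::domain}"] }` uses `alias`, which is Puppet's resource-alias metaparameter rather than the host type's `host_aliases` attribute that jabber.pp uses; if an /etc/hosts alias is intended this should be `host_aliases => ["puppet.${::domain}"],`. `password => "${db_password}"` in `database::instance` is a needless interpolation of a single variable and can be `password => $db_password,`.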
diff --git a/manifests/role/mumble.pp b/manifests/role/mumble.pp
new file mode 100644
index 0000000..764c0d8
--- /dev/null
+++ b/manifests/role/mumble.pp
@@ -0,0 +1,3 @@
+class nodo::role::mumble inherits nodo::vserver {
+ include mumble::ssl
+}
diff --git a/manifests/role/nas.pp b/manifests/role/nas.pp
new file mode 100644
index 0000000..134216e
--- /dev/null
+++ b/manifests/role/nas.pp
@@ -0,0 +1,233 @@
+class nodo::role::nas {
+ # Firewall rules
+ include firewall::nas
+
+ # DLNA
+ class { 'minidlna': }
+
+ #
+ # NFS
+ #
+ # References
+ # https://github.com/arioch/puppet-nfs
+ # https://github.com/stankevich/puppet-nfs
+ # https://github.com/camptocamp/puppet-nfs
+ # https://github.com/haraldsk/puppet-module-nfs/
+ # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary
+ # http://wiki.debian.org/NFSServerSetup
+ # http://www.tldp.org/HOWTO/NFS-HOWTO/
+
+ # Main class
+ class { 'nfs':
+ server => true;
+ }
+
+ #
+ # FTP
+ #
+
+ # References
+ # https://forge.puppetlabs.com/tags/ftp
+ # https://forum.openwrt.org/viewtopic.php?id=12976
+ # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ
+ # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd
+
+ # Main class
+ class { 'pureftpd':
+ virtualchroot => true,
+ }
+
+ # Enable anonymous ftp
+ file { '/etc/pure-ftpd/conf/NoAnonymous':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ content => "no\n",
+ notify => Service[$pureftpd::params::service_name],
+ }
+
+ #
+ # Samba
+ #
+
+ # References
+ # https://github.com/ajjahn/puppet-samba
+ # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364
+ # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets
+ # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2
+ # http://forums.fedoraforum.org/showthread.php?t=260519
+ # http://randombio.com/linuxsetup38.html
+
+ # Main class
+ class { 'samba::server':
+ workgroup => hiera('nodo::samba::workgroup', 'WORKGROUP'),
+ server_string => hiera('nodo::samba::server_string', 'Samba Server'),
+ interfaces => hiera('nodo::samba::interfaces', 'lo eth0'),
+ security => hiera('nodo::samba::security', 'share'),
+ }
+
+ # We are avoiding multicast
+ # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/
+ # http://linux-igd.sourceforge.net/documentation.php
+ set_samba_option {
+ # Remote announce won't work since routers don't forward broadcast traffic
+ #'remote announce': value => hiera('nodo::samba::remote_announce', '');
+ 'wins support': value => 'yes';
+ 'preferred master': value => 'yes';
+ 'domain master': value => 'yes';
+ 'printing': value => 'cups';
+ 'printcap name': value => 'cups';
+ }
+
+ # Disable browsing of printer drivers
+ samba::server::share { 'print$':
+ comment => 'Printer Drivers',
+ path => '/var/lib/samba/printers',
+ browsable => 'no',
+ read_only => 'yes',
+ guest_ok => 'no',
+ }
+
+ #
+ # HTTP
+ #
+
+ # References
+ # https://github.com/camptocamp/puppet-lighttpd
+ # https://github.com/example42/puppet-lighttpd
+ # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary
+
+ # Main class
+ class { 'lighttpd': }
+
+ # Document root
+ file { '/var/www/data':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0755,
+ }
+
+ #
+ # TFTP
+ #
+
+ # Main class
+ class { 'tftp':
+ directory => '/srv/tftp',
+ address => $::ipaddress,
+ options => '--ipv4 --timeout 60',
+ inetd => false,
+ }
+
+ # Rsync
+ include rsync::server
+
+ # MPD
+ include mpd
+ include mpd::client
+
+ #
+ # CUPS
+ #
+
+ # References
+ # https://github.com/mosen/puppet-cups
+ # https://github.com/camptocamp/puppet-cups
+
+ # Package
+ package { [ 'cups', 'cups-client' ]:
+ ensure => installed,
+ }
+
+ #
+ # Avahi
+ #
+
+ # References
+ # http://nfs-lan.sevka.info/
+ # http://en.gentoo-wiki.com/wiki/Avahi
+ # https://wiki.archlinux.org/index.php/Avahi
+ # http://packages.debian.org/wheezy/libnss-mdns
+ # http://packages.debian.org/wheezy/mdns-scan
+ # http://packages.debian.org/wheezy/avahi-discover
+ # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf
+ # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1
+ # https://github.com/stahnma/puppet-module-avahi
+ # https://github.com/tjfontaine/airprint-generate
+ # http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi
+ # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html
+ # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols
+ # http://www.dns-sd.org/ServiceTypes.html
+
+ # Main class
+ include avahi
+
+ file { '/etc/avahi/services/rsync.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/rsync.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ file { '/etc/avahi/services/http.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/http.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ file { '/etc/avahi/services/samba.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/samba.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ file { '/etc/avahi/services/ftp.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/ftp.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ #
+ # DAAP
+ #
+
+ # References
+ # http://packages.debian.org/stable/forked-daapd
+ # http://packages.debian.org/squeeze/mt-daapd
+ # https://github.com/stahnma/puppet-module-daap_server
+
+ # Main class, but package not available on wheezy
+ #class { 'daap_server':
+ # collection_name => 'Noise - DAAP',
+ # music_dir => '/var/cache/media/noise',
+ #}
+
+ #
+ # Media folders
+ #
+
+ # Main classes
+ class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: }
+
+ # Make sure basic media exist, no matter if there is an external disk attached
+ $cache = hiera('nodo::media::folders', '')
+
+ if $cache != '' {
+ file { "${cache}":
+ ensure => directory,
+ }
+ }
+}
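Review bot: The `file { '/var/www/data': ... }` resource commented "Document root" uses `ensure => present`, which creates an empty regular file when the path does not exist; a directory needs `ensure => directory,`. Separately, the hiera defaults leave the exported services broadly reachable unless overridden: `security => 'share'` for Samba (share-level security is the deprecated, password-less mode), `content => "no\n"` for `NoAnonymous` turns anonymous FTP on, and the lighttpd, TFTP, NFS and rsync services are declared with no access restriction visible in this hunk — `firewall::nas` is included at the top but its rules are outside this diff, so reachability presumably depends on them. A short comment above the pureftpd and samba blocks stating that anonymous and share-level access is intentional for this LAN-only role, and naming the `nodo::samba::*` hiera keys that narrow it, would keep the next reader from treating it as an oversight.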
diff --git a/manifests/role/personal.pp b/manifests/role/personal.pp
new file mode 100644
index 0000000..f7afdc0
--- /dev/null
+++ b/manifests/role/personal.pp
@@ -0,0 +1,43 @@
+# Personal computer
+class nodo::role::personal {
+ include nodo::physical
+ include nodo::utils::personal
+ include autossh
+
+ class { 'nodo::subsystem::pam': }
+ class { 'nodo::subsystem::xorg': }
+
+ if $::lsbdistcodename == 'squeeze' {
+ include nodo::subsystem::gdm
+ }
+ else {
+ include nodo::subsystem::gdm3
+ }
+
+ # Monitoring
+ class { 'monitor':
+ type => 'personal',
+ use_nagios => hiera('nodo::personal::use_nagios', false),
+ }
+
+ # Media folders and groups
+ class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: }
+
+ # Mountpoint for encrypted home folders
+ file { [ '/mnt/crypt/', '/mnt/crypt/home' ]:
+ ensure => directory,
+ }
+
+ # Misc user data
+ file { [ "/var/data/code", "/var/data/crypt", "/var/data/crypt/home", "/var/data/load" ]:
+ ensure => directory,
+ mode => 0755,
+ require => File['/var/cache/media'],
+ }
+
+ # Development
+ file { [ "/var/cache/vagrant", "/var/cache/virtualbox" ]:
+ ensure => directory,
+ mode => 0755,
+ }
+}
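Review bot: The mountpoint resource lists `'/mnt/crypt/'` with a trailing slash next to `'/mnt/crypt/home'` without one; mixed title forms for the same path risk a duplicate-declaration clash with any other class managing `/mnt/crypt`, so drop the slash: `file { [ '/mnt/crypt', '/mnt/crypt/home' ]:`. The "Misc user data" directories under `/var/data` carry `require => File['/var/cache/media']`, a resource not declared in this class (presumably it comes from nodo::subsystem::media::folders); if the ordering is intentional, a comment explaining why `/var/data` waits for `/var/cache/media` would help, otherwise it reads as copied from the media block. The `}` / `else {` split across two lines differs from the `} else {` form used in master.pp in this commit.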
diff --git a/manifests/role/proxy.pp b/manifests/role/proxy.pp
new file mode 100644
index 0000000..821e975
--- /dev/null
+++ b/manifests/role/proxy.pp
@@ -0,0 +1,3 @@
+class nodo::role::proxy inherits nodo::vserver {
+ include nginx
+}
diff --git a/manifests/role/router.pp b/manifests/role/router.pp
new file mode 100644
index 0000000..068837d
--- /dev/null
+++ b/manifests/role/router.pp
@@ -0,0 +1,25 @@
+class nodo::role::router inherits nodo::appliance {
+ # We use monitor class on the router as the DNS server might by
+ # inside a vserver and thus cannot access the network devices directly
+ include nodo::utils::dns
+
+ # Network auditing
+ include nodo::utils::network::analyzer
+
+ # Enable IP forwarding
+ augeas { 'enable_ip_forwarding':
+ changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+
+ # Make sure shorewall is reloaded after dhcp renew
+ file { '/etc/dhcp/dhclient-exit-hooks.d/shorewall':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_nodo/dhclient-exit-hooks.d/shorewall'
+ }
+}
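Review bot: The comment above `include nodo::utils::dns` says "We use monitor class on the router", but the line includes the DNS utilities, not a monitor class, and "might by" is a typo; suggested replacement: `# DNS utilities run on the router because the DNS server might be inside a vserver and thus cannot access the network devices directly`. The `notify => Service[shorewall]` reference uses a bareword title where the rest of the commit quotes them (`Service['ejabberd']`); `Service['shorewall']` keeps the style consistent. The dhclient exit hook that reloads shorewall after a DHCP renew would benefit from a one-line comment noting that without it the firewall keeps stale interface addresses after a lease change, since that is the reason the file exists.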
diff --git a/manifests/role/storage.pp b/manifests/role/storage.pp
new file mode 100644
index 0000000..0cf7f60
--- /dev/null
+++ b/manifests/role/storage.pp
@@ -0,0 +1,3 @@
+class nodo::role::storage inherits nodo::vserver {
+ include nodo::utils::storage
+}
diff --git a/manifests/role/test.pp b/manifests/role/test.pp
new file mode 100644
index 0000000..330a5ee
--- /dev/null
+++ b/manifests/role/test.pp
@@ -0,0 +1,3 @@
+class nodo::role::test inherits nodo::web {
+ # Class for test nodes
+}
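Review bot: `class nodo::role::test inherits nodo::web` refers to `nodo::web`, while this same commit creates the web role as `nodo::role::web`; if `nodo::web` was renamed by the refactor this class fails to compile, so it likely should be `inherits nodo::role::web` (hedged — `nodo::web` may still exist outside this diff). The placeholder comment `# Class for test nodes` could say what a test node is expected to differ in from a web node, since the class currently adds nothing.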
diff --git a/manifests/role/tor.pp b/manifests/role/tor.pp
new file mode 100644
index 0000000..2d5ff58
--- /dev/null
+++ b/manifests/role/tor.pp
@@ -0,0 +1,4 @@
+class nodo::role::tor inherits nodo::vserver {
+ include tor::daemon
+ include nodo::utils::tor
+}
diff --git a/manifests/role/web.pp b/manifests/role/web.pp
new file mode 100644
index 0000000..7cdd93f
--- /dev/null
+++ b/manifests/role/web.pp
@@ -0,0 +1,49 @@
+class nodo::role::web inherits nodo::vserver {
+ # Hidden services
+ $hidden = hiera('apache::site::hidden', false)
+ if $hidden == true {
+ include onion
+ }
+
+ # Classes for web nodes
+ include websites
+ include database
+ include users::virtual
+ include nodo::utils::web
+
+ # Reprepro configuration
+ $reprepro = hiera('nodo::web::reprepro', false)
+ $reprepro_basedir = '/var/reprepro'
+
+ case $reprepro {
+ true,'enabled': {
+ class { 'reprepro':
+ basedir => '/var/reprepro',
+ uploaders => hiera('nodo::web::reprepro_uploaders', [ ]),
+ }
+
+ include reprepro::cron
+ }
+ 'disabled': {
+ class { 'reprepro::disabled':
+ basedir => '/var/reprepro',
+ }
+ }
+ 'purged': {
+ class { 'reprepro::purged':
+ basedir => '/var/reprepro',
+ }
+ }
+ false,default: { }
+ }
+
+ $git_daemon = hiera('nodo::web::git_daemon', True)
+
+ if $git_daemon != false {
+ class { 'git::daemon': }
+ }
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+}
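Review bot: `hiera('nodo::web::git_daemon', True)` uses `True`, which is not Puppet's boolean literal `true`; on the parser of this era a capitalised bareword evaluates to the name string `True`, so `$git_daemon != false` passes and the daemon is enabled by accident rather than by a boolean default — write `$git_daemon = hiera('nodo::web::git_daemon', true)`. `$reprepro_basedir = '/var/reprepro'` is assigned but never used; the three reprepro class declarations repeat the literal and should use `basedir => $reprepro_basedir,`. `$hidden == true` only matches a real boolean, so a hiera value supplied as the string 'true' would silently skip `include onion`; a comment stating that the key must be a boolean, or accepting the string as the reprepro `case` does, would avoid that surprise.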
diff --git a/manifests/role/webdev.pp b/manifests/role/webdev.pp
new file mode 100644
index 0000000..6154cc0
--- /dev/null
+++ b/manifests/role/webdev.pp
@@ -0,0 +1,5 @@
+class nodo::role::webdev {
+ include websites::dev
+ include database
+ include utils::web
+}
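Review bot: `include utils::web` lacks the `nodo::` namespace that web.pp in this commit uses (`include nodo::utils::web`); unless a top-level `utils::web` class exists elsewhere, this include fails at catalog compilation and should read `include nodo::utils::web`. A one-line header comment describing the role, as personal.pp has (`# Personal computer`), would also help here: `# Web development node (no vserver base; mixed into desktop/laptop roles)`.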
diff --git a/manifests/role/webdev/desktop.pp b/manifests/role/webdev/desktop.pp
new file mode 100644
index 0000000..063140a
--- /dev/null
+++ b/manifests/role/webdev/desktop.pp
@@ -0,0 +1,3 @@
+class nodo::role::webdev::desktop inherits nodo::desktop {
+ include nodo::role::webdev
+}
diff --git a/manifests/role/webdev/laptop.pp b/manifests/role/webdev/laptop.pp
new file mode 100644
index 0000000..e9c1aab
--- /dev/null
+++ b/manifests/role/webdev/laptop.pp
@@ -0,0 +1,3 @@
+class nodo::role::webdev::laptop inherits nodo::laptop {
+ include nodo::role::webdev
+}
diff --git a/manifests/role/yacy.pp b/manifests/role/yacy.pp
new file mode 100644
index 0000000..379297c
--- /dev/null
+++ b/manifests/role/yacy.pp
@@ -0,0 +1,34 @@
+class nodo::role::yacy inherits nodo::vserver {
+ class { 'onion': }
+
+ package { 'yacy':
+ ensure => installed,
+ }
+
+ service { 'yacy':
+ ensure => running,
+ require => Package['yacy'],
+ }
+
+ # Gracefully restart yacy everyday
+ cron { "yacy-restart":
+ command => "/etc/init.d/yacy restart > /dev/null 2>&1",
+ user => root,
+ hour => "*/4",
+ minute => "0",
+ ensure => present,
+ require => Service['yacy'],
+ }
+
+ tor::daemon::hidden_service { 'yacy':
+ ports => [ '8090 127.0.0.1:8090', '80 127.0.0.1:8090' ],
+ data_dir => "$tor::daemon::data_dir/hidden",
+ ensure => present,
+ }
+
+ # Why they don't sign their releases?
+ apt::sources_list { "yacy.net.list":
+ content => "deb http://debian.yacy.net ./\n",
+ ensure => absent,
+ }
+}
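Review bot: The comment "Gracefully restart yacy everyday" does not match the schedule beneath it, `hour => "*/4"`, which restarts the service every four hours at minute 0; either the comment should read `# Restart yacy every four hours` or the hour should be a single value if daily was intended. The interpolation `"$tor::daemon::data_dir/hidden"` should use braces, `data_dir => "${tor::daemon::data_dir}/hidden",`, so the variable boundary is unambiguous. Keeping the unsigned `yacy.net.list` source `ensure => absent` is the right call; the comment would be more useful stated as `# Upstream does not sign its releases, so this repository is deliberately kept disabled`.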