diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2013-04-12 17:09:03 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-04-12 17:09:03 -0300 |
commit | fe1c86b8f938283e9dd8196a8b11a9648f4b49e6 (patch) | |
tree | c2d999eca03862a3e4af57e0885397adf6bbc6ec /manifests/role | |
parent | ec5c750d12bdc7948bb3c04f0c72817718a0bf47 (diff) | |
download | puppet-nodo-fe1c86b8f938283e9dd8196a8b11a9648f4b49e6.tar.gz puppet-nodo-fe1c86b8f938283e9dd8196a8b11a9648f4b49e6.tar.bz2 |
Major refactor
Diffstat (limited to 'manifests/role')
-rw-r--r-- | manifests/role/dns.pp | 3 | ||||
-rw-r--r-- | manifests/role/jabber.pp | 36 | ||||
-rw-r--r-- | manifests/role/mail.pp | 3 | ||||
-rw-r--r-- | manifests/role/master.pp | 60 | ||||
-rw-r--r-- | manifests/role/mumble.pp | 3 | ||||
-rw-r--r-- | manifests/role/nas.pp | 233 | ||||
-rw-r--r-- | manifests/role/personal.pp | 43 | ||||
-rw-r--r-- | manifests/role/proxy.pp | 3 | ||||
-rw-r--r-- | manifests/role/router.pp | 25 | ||||
-rw-r--r-- | manifests/role/storage.pp | 3 | ||||
-rw-r--r-- | manifests/role/test.pp | 3 | ||||
-rw-r--r-- | manifests/role/tor.pp | 4 | ||||
-rw-r--r-- | manifests/role/web.pp | 49 | ||||
-rw-r--r-- | manifests/role/webdev.pp | 5 | ||||
-rw-r--r-- | manifests/role/webdev/desktop.pp | 3 | ||||
-rw-r--r-- | manifests/role/webdev/laptop.pp | 3 | ||||
-rw-r--r-- | manifests/role/yacy.pp | 34 |
17 files changed, 513 insertions, 0 deletions
diff --git a/manifests/role/dns.pp b/manifests/role/dns.pp new file mode 100644 index 0000000..2faa69b --- /dev/null +++ b/manifests/role/dns.pp @@ -0,0 +1,3 @@ +class nodo::role::dns inherits nodo::vserver { + include bind +} diff --git a/manifests/role/jabber.pp b/manifests/role/jabber.pp new file mode 100644 index 0000000..b510ccd --- /dev/null +++ b/manifests/role/jabber.pp @@ -0,0 +1,36 @@ +class nodo::role::jabber inherits nodo::vserver { + include ssl + include ejabberd + + # We can offer jabber web access in a web node, so + # we leave this out. + # + #include websites::setup + # + #package { 'jwchat': + # ensure => present, + #} + + host { "chat": + ensure => present, + ip => "127.0.0.1", + host_aliases => [ "chat.${domain}" ], + } + + file { [ "/etc/ejabberd/ssl", "/etc/ejabberd/ssl/certs", "/etc/ejabberd/ssl/private" ]: + ensure => directory, + owner => "root", + group => "ejabberd", + mode => 0750, + } + + # We use a concatenated cert file + # http://site4fast.blogspot.com.br/2011/10/ejabberd-ssl-how-to.html + ssl::cert { "cert-concat": + owner => 'ejabberd', + group => 'ejabberd', + base => '/etc/ejabberd/ssl', + notify => Service['ejabberd'], + require => File['/etc/ejabberd/ssl/private'], + } +} diff --git a/manifests/role/mail.pp b/manifests/role/mail.pp new file mode 100644 index 0000000..4c33ed4 --- /dev/null +++ b/manifests/role/mail.pp @@ -0,0 +1,3 @@ +class nodo::role::mail { + class { [ 'nodo::vserver', 'mail::system' ]: } +} diff --git a/manifests/role/master.pp b/manifests/role/master.pp new file mode 100644 index 0000000..2adb8a5 --- /dev/null +++ b/manifests/role/master.pp @@ -0,0 +1,60 @@ +class nodo::role::master { + $main = hiera('nodo::role::master::main', false) + $db_password = hiera('nodo::role::master::db_password', '') + + case $db_password { + '': { fail("Please set nodo::master::db_password in your config") } + } + + if $main == true { + # Puppetmaster should be included before nodo::vserver + class { 'puppet::master': + main => true, + } + + include munin::host + include munin::plugins::muninhost + + # The main master has a host entry pointing to itself, other + # masters still retrieve catalogs from the main master. + host { "puppet": + ensure => present, + ip => "127.0.0.1", + alias => ["puppet.${::domain}"], + } + } else { + class { 'puppet::master': + main => false, + } + + host { "puppet": + ensure => absent, + } + } + + # These should be included after puppetmaster + include nodo::vserver + include database + include git::daemon + include websites::admin + include nagios::headless + include nagios::defaults + + # Nagios apache workaround + file { "/etc/apache2/conf.d/nagios3.conf": + ensure => absent, + } + + # Update master's puppet.conf if you change here + database::instance { "puppet": + password => "${db_password}", + } + + # Used for trac dependency graphs + package { "graphviz": + ensure => present, + } + + # Check domain registration + domain_check::instance { $::domain: } +} diff --git a/manifests/role/mumble.pp b/manifests/role/mumble.pp new file mode 100644 index 0000000..764c0d8 --- /dev/null +++ b/manifests/role/mumble.pp @@ -0,0 +1,3 @@ +class nodo::role::mumble inherits nodo::vserver { + include mumble::ssl +} diff --git a/manifests/role/nas.pp b/manifests/role/nas.pp new file mode 100644 index 0000000..134216e --- /dev/null +++ b/manifests/role/nas.pp @@ -0,0 +1,233 @@ +class nodo::role::nas { + # Firewall rules + include firewall::nas + + # DLNA + class { 'minidlna': } + + # + # NFS + # + # References + # https://github.com/arioch/puppet-nfs + # https://github.com/stankevich/puppet-nfs + # https://github.com/camptocamp/puppet-nfs + # https://github.com/haraldsk/puppet-module-nfs/ + # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary + # http://wiki.debian.org/NFSServerSetup + # http://www.tldp.org/HOWTO/NFS-HOWTO/ + + # Main class + class { 'nfs': + server => true; + } + + # + # FTP + # + + # References + # https://forge.puppetlabs.com/tags/ftp + # https://forum.openwrt.org/viewtopic.php?id=12976 + # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ + # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd + + # Main class + class { 'pureftpd': + virtualchroot => true, + } + + # Enable anonymous ftp + file { '/etc/pure-ftpd/conf/NoAnonymous': + ensure => present, + owner => root, + group => root, + mode => 0644, + content => "no\n", + notify => Service[$pureftpd::params::service_name], + } + + # + # Samba + # + + # References + # https://github.com/ajjahn/puppet-samba + # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364 + # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets + # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2 + # http://forums.fedoraforum.org/showthread.php?t=260519 + # http://randombio.com/linuxsetup38.html + + # Main class + class { 'samba::server': + workgroup => hiera('nodo::samba::workgroup', 'WORKGROUP'), + server_string => hiera('nodo::samba::server_string', 'Samba Server'), + interfaces => hiera('nodo::samba::interfaces', 'lo eth0'), + security => hiera('nodo::samba::security', 'share'), + } + + # We are avoiding multicast + # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/ + # http://linux-igd.sourceforge.net/documentation.php + set_samba_option { + # Remote announce won't work since routers don't forward broadcast traffic + #'remote announce': value => hiera('nodo::samba::remote_announce', ''); + 'wins support': value => 'yes'; + 'preferred master': value => 'yes'; + 'domain master': value => 'yes'; + 'printing': value => 'cups'; + 'printcap name': value => 'cups'; + } + + # Disable browsing of printer drivers + samba::server::share { 'print$': + comment => 'Printer Drivers', + path => '/var/lib/samba/printers', + browsable => 'no', + read_only => 'yes', + guest_ok => 'no', + } + + # + # HTTP + # + + # References + # https://github.com/camptocamp/puppet-lighttpd + # https://github.com/example42/puppet-lighttpd + # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary + + # Main class + class { 'lighttpd': } + + # Document root + file { '/var/www/data': + ensure => present, + owner => root, + group => root, + mode => 0755, + } + + # + # TFTP + # + + # Main class + class { 'tftp': + directory => '/srv/tftp', + address => $::ipaddress, + options => '--ipv4 --timeout 60', + inetd => false, + } + + # Rsync + include rsync::server + + # MPD + include mpd + include mpd::client + + # + # CUPS + # + + # References + # https://github.com/mosen/puppet-cups + # https://github.com/camptocamp/puppet-cups + + # Package + package { [ 'cups', 'cups-client' ]: + ensure => installed, + } + + # + # Avahi + # + + # References + # http://nfs-lan.sevka.info/ + # http://en.gentoo-wiki.com/wiki/Avahi + # https://wiki.archlinux.org/index.php/Avahi + # http://packages.debian.org/wheezy/libnss-mdns + # http://packages.debian.org/wheezy/mdns-scan + # http://packages.debian.org/wheezy/avahi-discover + # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf + # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1 + # https://github.com/stahnma/puppet-module-avahi + # https://github.com/tjfontaine/airprint-generate + # http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi + # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html + # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols + # http://www.dns-sd.org/ServiceTypes.html + + # Main class + include avahi + + file { '/etc/avahi/services/rsync.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/rsync.service', + notify => Service['avahi-daemon'], + } + + file { '/etc/avahi/services/http.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/http.service', + notify => Service['avahi-daemon'], + } + + file { '/etc/avahi/services/samba.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/samba.service', + notify => Service['avahi-daemon'], + } + + file { '/etc/avahi/services/ftp.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/ftp.service', + notify => Service['avahi-daemon'], + } + + # + # DAAP + # + + # References + # http://packages.debian.org/stable/forked-daapd + # http://packages.debian.org/squeeze/mt-daapd + # https://github.com/stahnma/puppet-module-daap_server + + # Main class, but package not available on wheezy + #class { 'daap_server': + # collection_name => 'Noise - DAAP', + # music_dir => '/var/cache/media/noise', + #} + + # + # Media folders + # + + # Main classes + class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: } + + # Make sure basic media exist, no matter if there is an external disk attached + $cache = hiera('nodo::media::folders', '') + + if $cache != '' { + file { "${cache}": + ensure => directory, + } + } +} diff --git a/manifests/role/personal.pp b/manifests/role/personal.pp new file mode 100644 index 0000000..f7afdc0 --- /dev/null +++ b/manifests/role/personal.pp @@ -0,0 +1,43 @@ +# Personal computer +class nodo::role::personal { + include nodo::physical + include nodo::utils::personal + include autossh + + class { 'nodo::subsystem::pam': } + class { 'nodo::subsystem::xorg': } + + if $::lsbdistcodename == 'squeeze' { + include nodo::subsystem::gdm + } + else { + include nodo::subsystem::gdm3 + } + + # Monitoring + class { 'monitor': + type => 'personal', + use_nagios => hiera('nodo::personal::use_nagios', false), + } + + # Media folders and groups + class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: } + + # Mountpoint for encrypted home folders + file { [ '/mnt/crypt/', '/mnt/crypt/home' ]: + ensure => directory, + } + + # Misc user data + file { [ "/var/data/code", "/var/data/crypt", "/var/data/crypt/home", "/var/data/load" ]: + ensure => directory, + mode => 0755, + require => File['/var/cache/media'], + } + + # Development + file { [ "/var/cache/vagrant", "/var/cache/virtualbox" ]: + ensure => directory, + mode => 0755, + } +} diff --git a/manifests/role/proxy.pp b/manifests/role/proxy.pp new file mode 100644 index 0000000..821e975 --- /dev/null +++ b/manifests/role/proxy.pp @@ -0,0 +1,3 @@ +class nodo::role::proxy inherits nodo::vserver { + include nginx +} diff --git a/manifests/role/router.pp b/manifests/role/router.pp new file mode 100644 index 0000000..068837d --- /dev/null +++ b/manifests/role/router.pp @@ -0,0 +1,25 @@ +class nodo::role::router inherits nodo::appliance { + # We use monitor class on the router as the DNS server might by + # inside a vserver and thus cannot access the network devices directly + include nodo::utils::dns + + # Network auditing + include nodo::utils::network::analyzer + + # Enable IP forwarding + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + + # Make sure shorewall is reloaded after dhcp renew + file { '/etc/dhcp/dhclient-exit-hooks.d/shorewall': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_nodo/dhclient-exit-hooks.d/shorewall' + } +} diff --git a/manifests/role/storage.pp b/manifests/role/storage.pp new file mode 100644 index 0000000..0cf7f60 --- /dev/null +++ b/manifests/role/storage.pp @@ -0,0 +1,3 @@ +class nodo::role::storage inherits nodo::vserver { + include nodo::utils::storage +} diff --git a/manifests/role/test.pp b/manifests/role/test.pp new file mode 100644 index 0000000..330a5ee --- /dev/null +++ b/manifests/role/test.pp @@ -0,0 +1,3 @@ +class nodo::role::test inherits nodo::web { + # Class for test nodes +} diff --git a/manifests/role/tor.pp b/manifests/role/tor.pp new file mode 100644 index 0000000..2d5ff58 --- /dev/null +++ b/manifests/role/tor.pp @@ -0,0 +1,4 @@ +class nodo::role::tor inherits nodo::vserver { + include tor::daemon + include nodo::utils::tor +} diff --git a/manifests/role/web.pp b/manifests/role/web.pp new file mode 100644 index 0000000..7cdd93f --- /dev/null +++ b/manifests/role/web.pp @@ -0,0 +1,49 @@ +class nodo::role::web inherits nodo::vserver { + # Hidden services + $hidden = hiera('apache::site::hidden', false) + if $hidden == true { + include onion + } + + # Classes for web nodes + include websites + include database + include users::virtual + include nodo::utils::web + + # Reprepro configuration + $reprepro = hiera('nodo::web::reprepro', false) + $reprepro_basedir = '/var/reprepro' + + case $reprepro { + true,'enabled': { + class { 'reprepro': + basedir => '/var/reprepro', + uploaders => hiera('nodo::web::reprepro_uploaders', [ ]), + } + + include reprepro::cron + } + 'disabled': { + class { 'reprepro::disabled': + basedir => '/var/reprepro', + } + } + 'purged': { + class { 'reprepro::purged': + basedir => '/var/reprepro', + } + } + false,default: { } + } + + $git_daemon = hiera('nodo::web::git_daemon', True) + + if $git_daemon != false { + class { 'git::daemon': } + } + + backupninja::svn { "svn": + src => "/var/svn", + } +} diff --git a/manifests/role/webdev.pp b/manifests/role/webdev.pp new file mode 100644 index 0000000..6154cc0 --- /dev/null +++ b/manifests/role/webdev.pp @@ -0,0 +1,5 @@ +class nodo::role::webdev { + include websites::dev + include database + include utils::web +} diff --git a/manifests/role/webdev/desktop.pp b/manifests/role/webdev/desktop.pp new file mode 100644 index 0000000..063140a --- /dev/null +++ b/manifests/role/webdev/desktop.pp @@ -0,0 +1,3 @@ +class nodo::role::webdev::desktop inherits nodo::desktop { + include nodo::role::webdev +} diff --git a/manifests/role/webdev/laptop.pp b/manifests/role/webdev/laptop.pp new file mode 100644 index 0000000..e9c1aab --- /dev/null +++ b/manifests/role/webdev/laptop.pp @@ -0,0 +1,3 @@ +class nodo::role::webdev::laptop inherits nodo::laptop { + include nodo::role::webdev +} diff --git a/manifests/role/yacy.pp b/manifests/role/yacy.pp new file mode 100644 index 0000000..379297c --- /dev/null +++ b/manifests/role/yacy.pp @@ -0,0 +1,34 @@ +class nodo::role::yacy inherits nodo::vserver { + class { 'onion': } + + package { 'yacy': + ensure => installed, + } + + service { 'yacy': + ensure => running, + require => Package['yacy'], + } + + # Gracefully restart yacy everyday + cron { "yacy-restart": + command => "/etc/init.d/yacy restart > /dev/null 2>&1", + user => root, + hour => "*/4", + minute => "0", + ensure => present, + require => Service['yacy'], + } + + tor::daemon::hidden_service { 'yacy': + ports => [ '8090 127.0.0.1:8090', '80 127.0.0.1:8090' ], + data_dir => "$tor::daemon::data_dir/hidden", + ensure => present, + } + + # Why they don't sign their releases? + apt::sources_list { "yacy.net.list": + content => "deb http://debian.yacy.net ./\n", + ensure => absent, + } +} |