-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/nas.pp | 235 | ||||
-rw-r--r-- | manifests/nas/share.pp | 59 | ||||
-rw-r--r-- | manifests/subsystems/firewall/mpd.pp | 21 | ||||
-rw-r--r-- | manifests/subsystems/firewall/nas.pp | 152 | ||||
-rw-r--r-- | manifests/subsystems/firewall/redirect.pp | 14 |
6 files changed, 485 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 074a78d..eed0e70 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -138,6 +138,9 @@ import "subsystems/firewall/wifi.pp" import "subsystems/firewall/local.pp" import "subsystems/firewall/openvpn.pp" import "subsystems/firewall/ppp.pp"
+import "subsystems/firewall/nas.pp"
+import "subsystems/firewall/redirect.pp"
+import "subsystems/firewall/mpd.pp" # Import nodo classes import "nodo.pp"
@@ -161,3 +164,4 @@ import "kvm.pp" import "jabber.pp" import "mumble.pp" import "yacy.pp"
+import "nas.pp"
diff --git a/manifests/nas.pp b/manifests/nas.pp
new file mode 100644
index 0000000..bb4b58a
--- /dev/null
+++ b/manifests/nas.pp
@@ -0,0 +1,235 @@
+class nodo::nas {
+ # Firewall rules
+ include firewall::nas
+
+ # DLNA
+ class { 'minidlna': }
+
+ #
+ # NFS
+ #
+ # References
+ # https://github.com/arioch/puppet-nfs
+ # https://github.com/stankevich/puppet-nfs
+ # https://github.com/camptocamp/puppet-nfs
+ # https://github.com/haraldsk/puppet-module-nfs/
+ # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary
+ # http://wiki.debian.org/NFSServerSetup
+ # http://www.tldp.org/HOWTO/NFS-HOWTO/
+
+ # Main class
+ class { 'nfs':
+ server => true;
+ }
+
+ #
+ # FTP
+ #
+
+ # References
+ # https://forge.puppetlabs.com/tags/ftp
+ # https://forum.openwrt.org/viewtopic.php?id=12976
+ # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ
+ # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd
+
+ # Main class
+ class { 'pureftpd':
+ virtualchroot => true,
+ }
+
+ # Enable anonymous ftp
+ file { '/etc/pure-ftpd/conf/NoAnonymous':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ content => "no\n",
+ notify => Service[$pureftpd::params::service_name],
+ }
+
+ #
+ # Samba
+ #
+
+ # References
+ # https://github.com/ajjahn/puppet-samba
+ # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364
+ # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets
+ # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2
+ # http://forums.fedoraforum.org/showthread.php?t=260519
+ # http://randombio.com/linuxsetup38.html
+
+ # Main class
+ class { 'samba::server':
+ workgroup => hiera('nodo::samba::workgroup', 'WORKGROUP'),
+ server_string => hiera('nodo::samba::server_string', 'Samba Server'),
+ interfaces => hiera('nodo::samba::interfacesp , 'lo eth0'),
+ security => hiera('nodo::samba::security', 'share'),
+ }
+
+ # We are avoiding multicast
+ # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/
+ # http://linux-igd.sourceforge.net/documentation.php
+ set_samba_option {
+ # Remote announce won't work since routers don't forward broadcast traffic
+ #'remote announce': value => hiera('nodo::samba::remote_announce', '');
+ 'wins support': value => 'yes';
+ 'preferred master': value => 'yes';
+ 'domain master': value => 'yes';
+ }
+
+ #
+ # HTTP
+ #
+
+ # References
+ # https://github.com/camptocamp/puppet-lighttpd
+ # https://github.com/example42/puppet-lighttpd
+ # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary
+
+ # Main class
+ class { 'lighttpd': }
+
+ # Document root
+ file { '/var/www/data':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0755,
+ }
+
+ #
+ # TFTP
+ #
+
+ # Main class
+ class { 'tftp':
+ directory => '/srv/tftp',
+ address => $::ipaddress,
+ options => '--ipv4 --timeout 60',
+ inetd => false,
+ }
+
+ # Rsync
+ include rsync::server
+
+ # MPD
+ include mpd
+ include mpd::client
+
+ #
+ # CUPS
+ #
+
+ # References
+ # https://github.com/mosen/puppet-cups
+ # https://github.com/camptocamp/puppet-cups
+
+ # Package
+ package { [ 'cups', 'cups-client' ]:
+ ensure => installed,
+ }
+
+ #
+ # Avahi
+ #
+
+ # References
+ # http://nfs-lan.sevka.info/
+ # http://en.gentoo-wiki.com/wiki/Avahi
+ # https://wiki.archlinux.org/index.php/Avahi
+ # http://packages.debian.org/wheezy/libnss-mdns
+ # http://packages.debian.org/wheezy/mdns-scan
+ # http://packages.debian.org/wheezy/avahi-discover
+ # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf
+ # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1
+ # https://github.com/stahnma/puppet-module-avahi
+ # https://github.com/tjfontaine/airprint-generate
+ # http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi
+ # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html
+ # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols
+ # http://www.dns-sd.org/ServiceTypes.html
+
+ # Main class
+ include avahi
+
+ file { '/etc/avahi/services/rsync.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/rsync.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ file { '/etc/avahi/services/http.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/http.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ file { '/etc/avahi/services/samba.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/samba.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ file { '/etc/avahi/services/ftp.service':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_avahi/services/ftp.service',
+ notify => Service['avahi-daemon'],
+ }
+
+ #
+ # Infinote / gobby
+ #
+
+ # References
+ # http://gobby.0x539.de/trac/wiki/Infinote/Infinoted
+ # http://www.webupd8.org/2011/04/how-to-set-up-and-use-gedit.html
+
+ # Package
+ package { 'infinoted':
+ ensure => installed,
+ }
+
+ #
+ # DAAP
+ #
+
+ # References
+ # http://packages.debian.org/stable/forked-daapd
+ # http://packages.debian.org/squeeze/mt-daapd
+ # https://github.com/stahnma/puppet-module-daap_server
+
+ # Main class, but package not available on wheezy
+ #class { 'daap_server':
+ # collection_name => 'Noise - DAAP',
+ # music_dir => '/var/cache/media/noise',
+ #}
+
+ #
+ # Media folders
+ #
+
+ # Main class
+ class { 'media::folders': }
+
+ # Make sure basic media exist, no matter if there is an external disk attached
+ $cache = hiera('nodo::media::folders', '')
+
+ if $cache != '' {
+ file { "${cache}":
+ ensure => directory,
+ }
+ }
+}
diff --git a/manifests/nas/share.pp b/manifests/nas/share.pp
new file mode 100644
index 0000000..e29ecbe
--- /dev/null
+++ b/manifests/nas/share.pp
@@ -0,0 +1,59 @@
+# Share a folder pubicly using FTP, Samba, NFS, DLNA, etc.
+define share(
+ $description,
+ $folder,
+ $dlna_type = '',
+ $nfs_export_target = '127.0.0.1',
+ $nfs_export_options = 'ro,sync,no_subtree_check'
+) {
+
+ # DLNA share
+ if $dlna_type != '' {
+ minidlna::share { $folder:
+ type => $dlna_type,
+ }
+ }
+
+ # Samba share
+ samba::server::share { $name:
+ comment => $description,
+ path => $folder,
+ guest_only => true,
+ guest_ok => true,
+ browsable => true,
+ create_mask => 0777,
+ directory_mask => 0777,
+ }
+
+ # NFS export
+ nfs::export { $name:
+ export_directory => $folder,
+ export_target => $nfs_export_target,
+ export_options => $nfs_export_options,
+ }
+
+ # HTTP and FTP symlinks to media assets
+ file { [ "/var/www/data/${name}", "/home/ftp/${name}" ]:
+ ensure => $folder,
+ require => File['/var/www/data', '/home/ftp'],
+ }
+
+ # Avahi service
+ file { "/etc/avahi/services/nfs-${name}.service":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => "puppet:///modules/site_avahi/services/nfs-${name}.service",
+ notify => Service['avahi-daemon'],
+ }
+
+ # Make sure basic media exist, no matter which disk is attached
+ $cache = hiera('nodo::media::folders', '')
+
+ if $cache != '' {
+ file { [ "${cache}/${name}" ]:
+ ensure => directory,
+ }
+ }
+}
diff --git a/manifests/subsystems/firewall/mpd.pp b/manifests/subsystems/firewall/mpd.pp
new file mode 100644
index 0000000..5724952
--- /dev/null
+++ b/manifests/subsystems/firewall/mpd.pp
@@ -0,0 +1,21 @@
+class firewall::mpd {
+ # MPD http stream
+ shorewall::rule { 'mpd-http-stream':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '8000',
+ order => 200,
+ action => 'ACCEPT';
+ }
+
+ # MPD client access
+ shorewall::rule { 'mpd-daemon':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '6600',
+ order => 200,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/subsystems/firewall/nas.pp b/manifests/subsystems/firewall/nas.pp
new file mode 100644
index 0000000..c6eaf72
--- /dev/null
+++ b/manifests/subsystems/firewall/nas.pp
@@ -0,0 +1,152 @@
+class firewall::nas {
+ # Basic firewall rules
+ include shorewall::rules::ftp
+ include shorewall::rules::tftp
+ include shorewall::rules::http
+ include shorewall::rules::nfsd
+ include shorewall::rules::rsync
+ include firewall::printer
+ include firewall::torrent
+ include firewall::mpd
+
+ # Additional ports needed by NFS
+ # Got using rpcinfo -p and netstat -ap
+ shorewall::rule { 'nfs-1':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'nfs-2':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ # See http://www.shorewall.net/samba.htm
+ shorewall::rule { 'samba':
+ action => 'SMB/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'netbios-1':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '137,138,139',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ shorewall::rule { 'netbios-2':
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '137,138,139',
+ ratelimit => '-',
+ order => 100,
+ }
+
+ # DLNA
+ #
+ # https://wiki.archlinux.org/index.php/MiniDLNA
+ # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
+ # http://wiki.alpinelinux.org/wiki/IPTV_How_To
+ # http://mediatomb.cc/dokuwiki/faq:faq
+ # http://packages.debian.org/wheezy/djmount
+ # http://packages.debian.org/wheezy/gupnp-tools
+ #
+ # Optional:
+ #
+ # http://www.shorewall.net/UPnP.html
+ #
+ # linux-igd package
+ # /etc/default/linux-igd
+ # /etc/upnpd.conf
+
+ shorewall::rule { "dlna-1":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp,udp',
+ destinationport => "1900",
+ ratelimit => '-',
+ order => 102,
+ }
+
+ shorewall::rule { "dlna-2":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp,udp',
+ destinationport => "8200",
+ ratelimit => '-',
+ order => 103,
+ }
+
+ shorewall::rule { "dlna-3":
+ action => 'allowinUPnP',
+ source => 'net',
+ destination => '$FW',
+ order => 104,
+ }
+
+ shorewall::rule { "dlna-4":
+ action => 'forwardUPnP',
+ source => 'net',
+ destination => '$FW',
+ order => 105,
+ }
+
+ # Enable multicast
+ augeas { 'enable_multicast':
+ changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+
+ # DAAP
+ shorewall::rule { 'daap-1':
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '3689',
+ order => 300,
+ action => 'ACCEPT';
+ }
+
+ shorewall::rule { 'daap-2':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '3689',
+ order => 301,
+ action => 'ACCEPT';
+ }
+
+ # Avahi/mDNS
+ shorewall::rule { 'mdns':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '5353',
+ order => 400,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/subsystems/firewall/redirect.pp b/manifests/subsystems/firewall/redirect.pp
new file mode 100644
index 0000000..7a9734a
--- /dev/null
+++ b/manifests/subsystems/firewall/redirect.pp
@@ -0,0 +1,14 @@
+class firewall::redirect::ssh($destinationport) {
+ # When the box is in an internal network and we want to provide
+ # and external access through a shared real IP, we have to
+ # redirect requests coming from another port to port 22.
+ shorewall::rule { "ssh-redirect-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:$ipaddress:22",
+ proto => 'tcp',
+ destinationport => $destinationport,
+ ratelimit => '-',
+ order => $destinationport,
+ }
+}
|
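Review bot: The `samba::server` declaration in nodo::nas does not parse: `interfaces => hiera('nodo::samba::interfacesp , 'lo eth0'),` closes the hiera key in the wrong place, so the key becomes the string `'nodo::samba::interfacesp , '` and the rest is a syntax error; it should read `interfaces => hiera('nodo::samba::interfaces', 'lo eth0'),`. Writing `"no\n"` into `/etc/pure-ftpd/conf/NoAnonymous` turns anonymous FTP on, and the Samba default `security => 'share'` plus the guest shares in nas/share.pp make every service here unauthenticated, while firewall::nas admits them from the `net` zone; since that appears to be the intended role of the box, a comment on the class header such as `# Public, unauthenticated NAS: every service below is reachable without credentials` would make that threat model explicit for the next maintainer. `security => 'share'` is also a deprecated Samba mode that newer releases no longer accept, so the default is worth confirming against the Samba version being deployed. File modes are given as bare octal (`mode => 0644`, `mode => 0755`) throughout this hunk and in share.pp; Puppet's style guide wants them quoted (`'0644'`) so they survive as the intended string.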
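Review bot: Nothing in this commit imports `manifests/nas/share.pp`: init.pp gains `import "nas.pp"` but no `import "nas/share.pp"`, and nodo::nas does not import it either, so the define `share` is only reachable if the autoloader finds it, which for that path would presumably require the name `nodo::nas::share`; either add the import next to the others or rename the define to match its location, which also avoids a bare global name that other modules can collide with. The NFS default `$nfs_export_target = '127.0.0.1'` exports to loopback only, so every caller has to override it; the header comment should say so, e.g. `# $nfs_export_target: hosts/network allowed to mount the export (default: loopback only)`. `create_mask => 0777` and `directory_mask => 0777` combined with `guest_ok`/`guest_only` mean that any guest write, should writable access ever be enabled on this share, lands world-writable, which is at odds with the `ro` NFS default; a comment such as `# Shares are meant to be read-only; the 0777 masks only matter if the share is made writable` would keep the intent checkable. The header comment has a typo: `pubicly` should be `publicly`.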
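Review bot: `mpd-daemon` opens MPD's control port 6600 to the whole `net` zone; unless the MPD configuration requires a password, every host that can reach this box gets full playback and library control, and the `mpd-http-stream` rule on 8000 is equally unrestricted. If the intent is LAN-only use, restrict `source` to the internal zone (the zone names in use are not visible in this commit, every rule says `net`), otherwise add a comment stating that MPD is password-protected or deliberately public; the same `source => 'net'` exposure applies to every rule in the firewall/nas.pp hunk below. Both rules here share `order => 200`; giving them distinct orders, as the DLNA rules do with 102–105, presumably keeps the generated rules file independent of declaration order.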
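Review bot: `nfs-1` and `nfs-2` hard-code port lists that the comment says were read off `rpcinfo -p` and `netstat -ap`; those are the ephemeral ports rpcbind handed to mountd, statd and lockd on one boot, so after the next restart the rules both break NFS and leave stale ports open, and the lists even repeat entries (`46661,46661,46661`, `53081,53081,53081`). Pin the helper daemons to fixed ports in the NFS daemon configuration (on Debian via `RPCMOUNTDOPTS` in `/etc/default/nfs-kernel-server`, `STATDOPTS` in `/etc/default/nfs-common`, and the `fs.nfs.nlm_tcpport`/`fs.nfs.nlm_udpport` sysctls for lockd), list only those ports here, and replace the comment with one naming where they are pinned. The `allowinUPnP`/`forwardUPnP` actions, SSDP on 1900 and mDNS on 5353 are all accepted from `net`; the references in the comment block describe a LAN behind a router, but on a host with a public interface this exposes UPnP and service discovery to the internet, so a one-line comment on the class header stating the assumed network position would be worth adding. Note also that `nfs-1`, `nfs-2`, `samba`, `netbios-1` and `netbios-2` all use `order => 100`, unlike the numbered DLNA and DAAP rules.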
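Review bot: `destination => "fw:$ipaddress:22"` uses the unqualified fact `$ipaddress`, while the rest of this commit (the tftp class in nas.pp) uses `$::ipaddress`; an unqualified name can be shadowed by a variable in an enclosing scope, so write `destination => "fw:${::ipaddress}:22",`, where the braces also keep the trailing `:22` unambiguous. `order => $destinationport` ties the rule's position in the generated rules file to whatever port the caller picks, so a port such as 2222 sorts after the `order => 400` mDNS rule and a port below 100 ahead of everything; use a fixed order and document the parameter with a comment like `# $destinationport: external TCP port DNATed to the local sshd on 22`. The DNAT accepts from the whole `net` zone with `ratelimit => '-'`; since this is the public ssh entry point, either set a rate limit here or add a comment noting which sshd-side hardening is relied on instead.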