aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/desktop.pp63
-rw-r--r--manifests/init.pp653
-rw-r--r--manifests/master.pp48
-rw-r--r--manifests/nodo.pp94
-rw-r--r--manifests/physical.pp41
-rw-r--r--manifests/proxy.pp3
-rw-r--r--manifests/server.pp19
-rw-r--r--manifests/storage.pp4
-rw-r--r--manifests/subsystems/database.pp (renamed from manifests/database.pp)0
-rw-r--r--manifests/subsystems/firewall.pp (renamed from manifests/firewall.pp)0
-rw-r--r--manifests/subsystems/firewire.pp (renamed from manifests/firewire.pp)0
-rw-r--r--manifests/subsystems/initramfs.pp (renamed from manifests/initramfs.pp)0
-rw-r--r--manifests/subsystems/lsb.pp (renamed from manifests/lsb.pp)0
-rw-r--r--manifests/subsystems/motd.pp (renamed from manifests/motd.pp)0
-rw-r--r--manifests/subsystems/munin.pp (renamed from manifests/munin.pp)0
-rw-r--r--manifests/subsystems/sudo.pp (renamed from manifests/sudo.pp)0
-rw-r--r--manifests/subsystems/sysctl.pp (renamed from manifests/sysctl.pp)0
-rw-r--r--manifests/subsystems/ups.pp (renamed from manifests/ups.pp)0
-rw-r--r--manifests/subsystems/utils.pp (renamed from manifests/utils.pp)0
-rw-r--r--manifests/subsystems/websites.pp (renamed from manifests/websites.pp)0
-rw-r--r--manifests/test.pp3
-rw-r--r--manifests/vserver.pp314
-rw-r--r--manifests/web.pp17
23 files changed, 631 insertions, 628 deletions
diff --git a/manifests/desktop.pp b/manifests/desktop.pp
new file mode 100644
index 0000000..686801b
--- /dev/null
+++ b/manifests/desktop.pp
@@ -0,0 +1,63 @@
+class nodo::desktop inherits nodo::physical {
+ include utils::desktop
+
+ # fstab
+ file { "/etc/fstab":
+ source => "puppet://$desktop/modules/nodo/etc/fstab/desktop",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # crypttab
+ file { "/etc/crypttab":
+ source => "puppet://$desktop/modules/nodo/etc/crypttab/desktop",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # data
+ file { "/var/data":
+ ensure => directory,
+ mode => 0755,
+ }
+
+ # pam - login
+ file { "/etc/pam.d/login":
+ source => "puppet://$desktop/modules/nodo/etc/pam.d/login",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # pam - gdm
+ file { "/etc/pam.d/gdm":
+ source => "puppet://$desktop/modules/nodo/etc/pam.d/gdm",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # pam - mountpoints
+ file { "/etc/security/pam_mount.conf.xml":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => "puppet://$server/files/etc/security/pam_mount.conf.xml",
+ }
+
+ # xorg
+ file { "/etc/X11/xorg.conf":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => "puppet://$server/files/etc/X11/xorg.conf/$hostname",
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index fc50a5f..5e597a2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,631 +2,28 @@
# Nodo class definitions
#
-import "firewall.pp"
-import "firewire.pp"
-import "initramfs.pp"
-import "lsb.pp"
-import "motd.pp"
-import "sudo.pp"
-import "sysctl.pp"
-import "ups.pp"
-import "utils.pp"
-import "database.pp"
-import "websites.pp"
-import "munin.pp"
-
-class nodo {
- include lsb
- include puppetd
- include backup
- include exim
- include sudo
- include users::admin
- include motd
- include utils
- include cron
-
- # Set timezone and ntp config
- #
- # We config those here but leave class inclusion elsewhere
- # as ntp config differ from server to vserver.
- #
- $ntp_timezone = "Brazil/East"
- $ntp_pool = "south-america.pool.ntp.org"
- $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
-
- # Monkeysphere
- #
- # Currently we don't have a defined policy regarding whether
- # to publish all our node keys to public keyservers, so leave
- # automatic publishing disabled for now.
- #
- $monkeysphere_publish_key = false
- include monkeysphere
-
- # Apt configuration
- $backports_enabled = true
- $apt_update_method = 'cron'
- include apt
-
- # Default SSH configuration
- $sshd_password_authentication = "yes"
- $sshd_shared_ip = "yes"
-
- file { "/etc/hostname":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- content => "$fqdn\n",
- }
-
- host { "$hostname":
- ensure => present,
- ip => "$ipaddress",
- alias => [ "$fqdn" ],
- }
-
- file { "/etc/rc.local":
- source => "puppet://$server/modules/nodo/etc/rc.local",
- owner => "root",
- group => "root",
- mode => 0755,
- ensure => present,
- }
-
- file { "/etc/screenrc":
- source => "puppet://$server/modules/nodo/etc/screenrc",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-
- file { "/etc/profile":
- source => "puppet://$server/modules/nodo/etc/profile",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- require => File['/usr/local/bin/prompt.sh'],
- }
-
- file { "/etc/bash.bashrc":
- source => "puppet://$server/modules/nodo/etc/bash.bashrc",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- require => File['/usr/local/bin/prompt.sh'],
- }
-
- file { "/usr/local/bin/prompt.sh":
- source => "puppet://$server/modules/nodo/bin/prompt.sh",
- owner => "root",
- group => "root",
- mode => 0755,
- ensure => present,
- }
-}
-
-class nodo::physical inherits nodo {
- include syslog-ng
- include firewall
- include vserver::host
- include initramfs
- include firewire
- include sysctl
- include ups
- include utils::physical
- include smartmontools
-
- # Time configuration
- case $ntpdate {
- false: { include timezone }
- default: { include ntpdate }
- }
-
- # DNS resolver
- $resolvconf_domain = "$domain"
- $resolvconf_search = "$fqdn"
- include resolvconf
-
- # SSH Server
- #
- # We need to restrict listen address so multiple instances
- # can live together in the same physical host.
- #
- case $sshd_listen_address {
- '': { $sshd_listen_address = [ "$ipaddress" ] }
- }
- include sshd
-
- backupninja::sys { "sys":
- ensure => present,
- }
-
- # Munin configuration
- munin_node { "$hostname":
- port => '4900',
- }
-}
-
-class nodo::server inherits nodo::physical {
- # fstab
- file { "/etc/fstab":
- source => "puppet://$server/modules/nodo/etc/fstab/server",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-
- # crypttab
- file { "/etc/crypttab":
- source => "puppet://$server/modules/nodo/etc/crypttab/server",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-}
-
-class nodo::desktop inherits nodo::physical {
- include utils::desktop
-
- # fstab
- file { "/etc/fstab":
- source => "puppet://$desktop/modules/nodo/etc/fstab/desktop",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-
- # crypttab
- file { "/etc/crypttab":
- source => "puppet://$desktop/modules/nodo/etc/crypttab/desktop",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-
- # data
- file { "/var/data":
- ensure => directory,
- mode => 0755,
- }
-
- # pam - login
- file { "/etc/pam.d/login":
- source => "puppet://$desktop/modules/nodo/etc/pam.d/login",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-
- # pam - gdm
- file { "/etc/pam.d/gdm":
- source => "puppet://$desktop/modules/nodo/etc/pam.d/gdm",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- }
-
- # pam - mountpoints
- file { "/etc/security/pam_mount.conf.xml":
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- source => "puppet://$server/files/etc/security/pam_mount.conf.xml",
- }
-
- # xorg
- file { "/etc/X11/xorg.conf":
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- source => "puppet://$server/files/etc/X11/xorg.conf/$hostname",
- }
-}
-
-class nodo::vserver inherits nodo {
- include sshd
- include timezone
- include syslog-ng::vserver
-
- backupninja::sys { "sys":
- ensure => present,
- partitions => false,
- hardware => false,
- dosfdisk => false,
- dohwinfo => false,
- }
-
- $hosting_type = $node_hosting_type ? {
- '' => "direct",
- default => "$node_hosting_type",
- }
-
- case $hosting_type {
- "direct": {
- # Apply munin configuration for this node for
- # directly hosted nodes.
- Munin_node <<| title == $hostname |>>
- }
- "third-party": {
- # Apply munin configuration for this node for third-party
- # hosted nodes.
- munin_node { "$hostname": }
- }
- }
-
- # Define a vserver instance
- define instance($context, $ensure = 'running', $proxy = false,
- $puppetmaster = false, $gitd = false,
- $icecast = false, $sound = false, $ticket = false,
- $memory_limit = false) {
-
- # set instance id
- if $context < 9 {
- $id = "0$context"
- } else {
- $id = $context
- }
-
- vserver { $name:
- ensure => $ensure,
- context => "$context",
- mark => 'default',
- distro => 'lenny',
- interface => "eth0:192.168.0.$context/24",
- hostname => "$name.$domain",
- memory_limit => $memory_limit,
- }
-
- # Some nodes need a lot of space at /tmp otherwise some admin
- # tasks like backups might not run.
- file { "/etc/vservers/${name}/fstab":
- source => "puppet://$server/modules/nodo/etc/fstab/vserver",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- notify => Exec["vs_restart_${name}"],
- require => Exec["vs_create_${name}"],
- }
-
- # Create a munin virtual resource to be realized in the node
- @@munin_node { "$name":
- port => "49$id",
- }
-
- # Sound support
- if $sound {
- if !defined(File["/usr/local/sbin/create-sound-devices"]) {
- file { "/usr/local/sbin/create-sound-devices":
- ensure => present,
- source => "puppet://$server/modules/nodo/sound/devices.sh",
- owner => root,
- group => root,
- mode => 755,
- }
- }
- exec { "/usr/local/sbin/create-sound-devices ${name}":
- unless => "/usr/local/sbin/create-sound-devices ${name} --check",
- user => root,
- require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ],
- }
- }
-
- # Apply firewall rules just for running vservers
- case $ensure {
- 'running': {
-
- shorewall::rule { "ssh-$context-1":
- action => 'DNAT',
- source => 'net',
- destination => "vm:192.168.0.$context:22",
- proto => 'tcp',
- destinationport => "22$id",
- ratelimit => '-',
- order => "2$id",
- }
-
- shorewall::rule { "ssh-$context-2":
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:22",
- proto => 'tcp',
- destinationport => "22$id",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "3$id",
- }
-
- shorewall::rule { "munin-$context-1":
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:49$id",
- proto => 'tcp',
- destinationport => "49$id",
- ratelimit => '-',
- order => "4$id",
- }
-
- shorewall::rule { "munin-$context-2":
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:49$id",
- proto => 'tcp',
- destinationport => "49$id",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "5$id",
- }
-
- if $proxy {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "vm:192.168.0.$context:80",
- proto => 'tcp',
- destinationport => '80',
- ratelimit => '-',
- order => '600',
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '601',
- }
-
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "vm:192.168.0.$context:443",
- proto => 'tcp',
- destinationport => '443',
- ratelimit => '-',
- order => '602',
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '602',
- }
- }
-
- if $puppetmaster {
- shorewall::rule { 'puppetmaster-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:8140",
- proto => 'tcp',
- destinationport => '8140',
- ratelimit => '-',
- order => '700',
- }
-
- shorewall::rule { 'puppetmaster-2':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:8140",
- proto => 'udp',
- destinationport => '8140',
- ratelimit => '-',
- order => '701',
- }
-
- shorewall::rule { 'puppetmaster-3':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:8140",
- proto => 'tcp',
- destinationport => '8140',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '702',
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:8140",
- proto => 'udp',
- destinationport => '8140',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '703',
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:8141",
- proto => 'tcp',
- destinationport => '8141',
- ratelimit => '-',
- order => '704',
- }
-
- shorewall::rule { 'puppetmaster-6':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:8141",
- proto => 'udp',
- destinationport => '8141',
- ratelimit => '-',
- order => '705',
- }
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:8141",
- proto => 'tcp',
- destinationport => '8141',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '706',
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:8141",
- proto => 'udp',
- destinationport => '8141',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '707',
- }
- }
-
- if $gitd {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:9418",
- proto => 'tcp',
- destinationport => '9418',
- ratelimit => '-',
- order => '800',
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '801',
- }
- }
-
- if $icecast {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "fw:192.168.0.$context:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => '900',
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:192.168.0.$context:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => '901',
- }
- }
- }
- }
- }
-}
-
-class nodo::web inherits nodo::vserver {
- include git-daemon
- include websites
- include database
- include users::virtual
- include utils::web
-
- backupninja::svn { "svn":
- src => "/var/svn",
- }
-
- backupninja::mysql { "all_databases":
- backupdir => '/var/backups/mysql',
- compress => true,
- sqldump => true,
- }
-}
-
-class nodo::master {
- # Puppetmaster should be included before nodo::vserver
- include puppetmasterd
- include nodo::vserver
- include database
- include gitosis
- include websites::admin
-
- case $main_master {
- '': { fail("You need to define if this is the main master! Please set \$main_master in host config") }
- }
-
- if $main_master == true {
- include munin::host
-
- # The main master has a host entry pointing to itself, other
- # masters still retrieve catalogs from the main master.
- host { "puppet":
- ensure => present,
- ip => "127.0.0.1",
- alias => ["puppet.$domain"],
- }
- } else {
- host { "puppet":
- ensure => absent,
- }
- }
-
- case $puppetmaster_db_password {
- '': { fail("Please set \$puppetmaster_db_password in your host config") }
- }
-
- # update master's puppet.conf if you change here
- database::instance { "puppet":
- password => "$puppetmaster_db_password",
- }
-
- backupninja::mysql { "all_databases":
- backupdir => '/var/backups/mysql',
- compress => true,
- sqldump => true,
- }
-
- # used for trac dependency graphs
- package { "graphviz":
- ensure => present,
- }
-}
-
-class nodo::proxy inherits nodo::vserver {
- include nginx
-}
-
-class nodo::storage inherits nodo::vserver {
- # Class for backup nodes
- include utils::storage
-}
-
-class nodo::test inherits nodo::web {
- # Class for test nodes
-}
+# Import subsystems
+import "subsystems/firewall.pp"
+import "subsystems/firewire.pp"
+import "subsystems/initramfs.pp"
+import "subsystems/lsb.pp"
+import "subsystems/motd.pp"
+import "subsystems/sudo.pp"
+import "subsystems/sysctl.pp"
+import "subsystems/ups.pp"
+import "subsystems/utils.pp"
+import "subsystems/database.pp"
+import "subsystems/websites.pp"
+import "subsystems/munin.pp"
+
+# Import nodo classes
+import "nodo.pp"
+import "physical.pp"
+import "server.pp"
+import "desktop.pp"
+import "vserver.pp"
+import "web.pp"
+import "master.pp"
+import "proxy.pp"
+import "storage.pp"
+import "test.pp"
diff --git a/manifests/master.pp b/manifests/master.pp
new file mode 100644
index 0000000..b07866e
--- /dev/null
+++ b/manifests/master.pp
@@ -0,0 +1,48 @@
+class nodo::master {
+ # Puppetmaster should be included before nodo::vserver
+ include puppetmasterd
+ include nodo::vserver
+ include database
+ include gitosis
+ include websites::admin
+
+ case $main_master {
+ '': { fail("You need to define if this is the main master! Please set \$main_master in host config") }
+ }
+
+ if $main_master == true {
+ include munin::host
+
+ # The main master has a host entry pointing to itself, other
+ # masters still retrieve catalogs from the main master.
+ host { "puppet":
+ ensure => present,
+ ip => "127.0.0.1",
+ alias => ["puppet.$domain"],
+ }
+ } else {
+ host { "puppet":
+ ensure => absent,
+ }
+ }
+
+ case $puppetmaster_db_password {
+ '': { fail("Please set \$puppetmaster_db_password in your host config") }
+ }
+
+ # update master's puppet.conf if you change here
+ database::instance { "puppet":
+ password => "$puppetmaster_db_password",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+
+ # used for trac dependency graphs
+ package { "graphviz":
+ ensure => present,
+ }
+}
diff --git a/manifests/nodo.pp b/manifests/nodo.pp
new file mode 100644
index 0000000..5e5436e
--- /dev/null
+++ b/manifests/nodo.pp
@@ -0,0 +1,94 @@
+class nodo {
+ include lsb
+ include puppetd
+ include backup
+ include exim
+ include sudo
+ include users::admin
+ include motd
+ include utils
+ include cron
+
+ # Set timezone and ntp config
+ #
+ # We config those here but leave class inclusion elsewhere
+ # as ntp config differ from server to vserver.
+ #
+ $ntp_timezone = "Brazil/East"
+ $ntp_pool = "south-america.pool.ntp.org"
+ $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
+
+ # Monkeysphere
+ #
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #
+ $monkeysphere_publish_key = false
+ include monkeysphere
+
+ # Apt configuration
+ $backports_enabled = true
+ $apt_update_method = 'cron'
+ include apt
+
+ # Default SSH configuration
+ $sshd_password_authentication = "yes"
+ $sshd_shared_ip = "yes"
+
+ file { "/etc/hostname":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "$fqdn\n",
+ }
+
+ host { "$hostname":
+ ensure => present,
+ ip => "$ipaddress",
+ alias => [ "$fqdn" ],
+ }
+
+ file { "/etc/rc.local":
+ source => "puppet://$server/modules/nodo/etc/rc.local",
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ ensure => present,
+ }
+
+ file { "/etc/screenrc":
+ source => "puppet://$server/modules/nodo/etc/screenrc",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ file { "/etc/profile":
+ source => "puppet://$server/modules/nodo/etc/profile",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ require => File['/usr/local/bin/prompt.sh'],
+ }
+
+ file { "/etc/bash.bashrc":
+ source => "puppet://$server/modules/nodo/etc/bash.bashrc",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ require => File['/usr/local/bin/prompt.sh'],
+ }
+
+ file { "/usr/local/bin/prompt.sh":
+ source => "puppet://$server/modules/nodo/bin/prompt.sh",
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ ensure => present,
+ }
+}
diff --git a/manifests/physical.pp b/manifests/physical.pp
new file mode 100644
index 0000000..d1ade0c
--- /dev/null
+++ b/manifests/physical.pp
@@ -0,0 +1,41 @@
+class nodo::physical inherits nodo {
+ include syslog-ng
+ include firewall
+ include vserver::host
+ include initramfs
+ include firewire
+ include sysctl
+ include ups
+ include utils::physical
+ include smartmontools
+
+ # Time configuration
+ case $ntpdate {
+ false: { include timezone }
+ default: { include ntpdate }
+ }
+
+ # DNS resolver
+ $resolvconf_domain = "$domain"
+ $resolvconf_search = "$fqdn"
+ include resolvconf
+
+ # SSH Server
+ #
+ # We need to restrict listen address so multiple instances
+ # can live together in the same physical host.
+ #
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ "$ipaddress" ] }
+ }
+ include sshd
+
+ backupninja::sys { "sys":
+ ensure => present,
+ }
+
+ # Munin configuration
+ munin_node { "$hostname":
+ port => '4900',
+ }
+}
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
new file mode 100644
index 0000000..51dac33
--- /dev/null
+++ b/manifests/proxy.pp
@@ -0,0 +1,3 @@
+class nodo::proxy inherits nodo::vserver {
+ include nginx
+}
diff --git a/manifests/server.pp b/manifests/server.pp
new file mode 100644
index 0000000..2300889
--- /dev/null
+++ b/manifests/server.pp
@@ -0,0 +1,19 @@
+class nodo::server inherits nodo::physical {
+ # fstab
+ file { "/etc/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab/server",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # crypttab
+ file { "/etc/crypttab":
+ source => "puppet://$server/modules/nodo/etc/crypttab/server",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+}
diff --git a/manifests/storage.pp b/manifests/storage.pp
new file mode 100644
index 0000000..5bb7e72
--- /dev/null
+++ b/manifests/storage.pp
@@ -0,0 +1,4 @@
+class nodo::storage inherits nodo::vserver {
+ # Class for backup nodes
+ include utils::storage
+}
diff --git a/manifests/database.pp b/manifests/subsystems/database.pp
index c2d1fc3..c2d1fc3 100644
--- a/manifests/database.pp
+++ b/manifests/subsystems/database.pp
diff --git a/manifests/firewall.pp b/manifests/subsystems/firewall.pp
index 765a59f..765a59f 100644
--- a/manifests/firewall.pp
+++ b/manifests/subsystems/firewall.pp
diff --git a/manifests/firewire.pp b/manifests/subsystems/firewire.pp
index 1c9609a..1c9609a 100644
--- a/manifests/firewire.pp
+++ b/manifests/subsystems/firewire.pp
diff --git a/manifests/initramfs.pp b/manifests/subsystems/initramfs.pp
index 3b37f65..3b37f65 100644
--- a/manifests/initramfs.pp
+++ b/manifests/subsystems/initramfs.pp
diff --git a/manifests/lsb.pp b/manifests/subsystems/lsb.pp
index 4516470..4516470 100644
--- a/manifests/lsb.pp
+++ b/manifests/subsystems/lsb.pp
diff --git a/manifests/motd.pp b/manifests/subsystems/motd.pp
index c8029bf..c8029bf 100644
--- a/manifests/motd.pp
+++ b/manifests/subsystems/motd.pp
diff --git a/manifests/munin.pp b/manifests/subsystems/munin.pp
index 2e32117..2e32117 100644
--- a/manifests/munin.pp
+++ b/manifests/subsystems/munin.pp
diff --git a/manifests/sudo.pp b/manifests/subsystems/sudo.pp
index c5679fd..c5679fd 100644
--- a/manifests/sudo.pp
+++ b/manifests/subsystems/sudo.pp
diff --git a/manifests/sysctl.pp b/manifests/subsystems/sysctl.pp
index 3bd028c..3bd028c 100644
--- a/manifests/sysctl.pp
+++ b/manifests/subsystems/sysctl.pp
diff --git a/manifests/ups.pp b/manifests/subsystems/ups.pp
index 558941e..558941e 100644
--- a/manifests/ups.pp
+++ b/manifests/subsystems/ups.pp
diff --git a/manifests/utils.pp b/manifests/subsystems/utils.pp
index 92061eb..92061eb 100644
--- a/manifests/utils.pp
+++ b/manifests/subsystems/utils.pp
diff --git a/manifests/websites.pp b/manifests/subsystems/websites.pp
index b688860..b688860 100644
--- a/manifests/websites.pp
+++ b/manifests/subsystems/websites.pp
diff --git a/manifests/test.pp b/manifests/test.pp
new file mode 100644
index 0000000..7195fc2
--- /dev/null
+++ b/manifests/test.pp
@@ -0,0 +1,3 @@
+class nodo::test inherits nodo::web {
+ # Class for test nodes
+}
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
new file mode 100644
index 0000000..14b1e28
--- /dev/null
+++ b/manifests/vserver.pp
@@ -0,0 +1,314 @@
+class nodo::vserver inherits nodo {
+ include sshd
+ include timezone
+ include syslog-ng::vserver
+
+ backupninja::sys { "sys":
+ ensure => present,
+ partitions => false,
+ hardware => false,
+ dosfdisk => false,
+ dohwinfo => false,
+ }
+
+ $hosting_type = $node_hosting_type ? {
+ '' => "direct",
+ default => "$node_hosting_type",
+ }
+
+ case $hosting_type {
+ "direct": {
+ # Apply munin configuration for this node for
+ # directly hosted nodes.
+ Munin_node <<| title == $hostname |>>
+ }
+ "third-party": {
+ # Apply munin configuration for this node for third-party
+ # hosted nodes.
+ munin_node { "$hostname": }
+ }
+ }
+
+ # Define a vserver instance
+ define instance($context, $ensure = 'running', $proxy = false,
+ $puppetmaster = false, $gitd = false,
+ $icecast = false, $sound = false, $ticket = false,
+ $memory_limit = false) {
+
+ # set instance id
+ if $context < 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => 'lenny',
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ memory_limit => $memory_limit,
+ }
+
+ # Some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ file { "/etc/vservers/${name}/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab/vserver",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Exec["vs_restart_${name}"],
+ require => Exec["vs_create_${name}"],
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ @@munin_node { "$name":
+ port => "49$id",
+ }
+
+ # Sound support
+ if $sound {
+ if !defined(File["/usr/local/sbin/create-sound-devices"]) {
+ file { "/usr/local/sbin/create-sound-devices":
+ ensure => present,
+ source => "puppet://$server/modules/nodo/sound/devices.sh",
+ owner => root,
+ group => root,
+ mode => 755,
+ }
+ }
+ exec { "/usr/local/sbin/create-sound-devices ${name}":
+ unless => "/usr/local/sbin/create-sound-devices ${name} --check",
+ user => root,
+ require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ],
+ }
+ }
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+
+ shorewall::rule { "ssh-$context-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ ratelimit => '-',
+ order => "2$id",
+ }
+
+ shorewall::rule { "ssh-$context-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "3$id",
+ }
+
+ shorewall::rule { "munin-$context-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:49$id",
+ proto => 'tcp',
+ destinationport => "49$id",
+ ratelimit => '-',
+ order => "4$id",
+ }
+
+ shorewall::rule { "munin-$context-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:49$id",
+ proto => 'tcp',
+ destinationport => "49$id",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "5$id",
+ }
+
+ if $proxy {
+ shorewall::rule { 'http-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '600',
+ }
+
+ shorewall::rule { 'http-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '601',
+ }
+
+ shorewall::rule { 'https-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '602',
+ }
+
+ shorewall::rule { 'https-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '602',
+ }
+ }
+
+ if $puppetmaster {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '700',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '701',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '702',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '703',
+ }
+
+ shorewall::rule { 'puppetmaster-5':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'tcp',
+ destinationport => '8141',
+ ratelimit => '-',
+ order => '704',
+ }
+
+ shorewall::rule { 'puppetmaster-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'udp',
+ destinationport => '8141',
+ ratelimit => '-',
+ order => '705',
+ }
+
+ shorewall::rule { 'puppetmaster-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'tcp',
+ destinationport => '8141',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '706',
+ }
+
+ shorewall::rule { 'puppetmaster-8':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'udp',
+ destinationport => '8141',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '707',
+ }
+ }
+
+ if $gitd {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '800',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '801',
+ }
+ }
+
+ if $icecast {
+ shorewall::rule { 'icecast-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ ratelimit => '-',
+ order => '900',
+ }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '901',
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/manifests/web.pp b/manifests/web.pp
new file mode 100644
index 0000000..09aec4d
--- /dev/null
+++ b/manifests/web.pp
@@ -0,0 +1,17 @@
+class nodo::web inherits nodo::vserver {
+ include git-daemon
+ include websites
+ include database
+ include users::virtual
+ include utils::web
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+}