diff options
Diffstat (limited to 'manifests/init.pp')
-rw-r--r-- | manifests/init.pp | 653 |
1 files changed, 25 insertions, 628 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index fc50a5f..5e597a2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -2,631 +2,28 @@ # Nodo class definitions # -import "firewall.pp" -import "firewire.pp" -import "initramfs.pp" -import "lsb.pp" -import "motd.pp" -import "sudo.pp" -import "sysctl.pp" -import "ups.pp" -import "utils.pp" -import "database.pp" -import "websites.pp" -import "munin.pp" - -class nodo { - include lsb - include puppetd - include backup - include exim - include sudo - include users::admin - include motd - include utils - include cron - - # Set timezone and ntp config - # - # We config those here but leave class inclusion elsewhere - # as ntp config differ from server to vserver. - # - $ntp_timezone = "Brazil/East" - $ntp_pool = "south-america.pool.ntp.org" - $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ] - - # Monkeysphere - # - # Currently we don't have a defined policy regarding whether - # to publish all our node keys to public keyservers, so leave - # automatic publishing disabled for now. - # - $monkeysphere_publish_key = false - include monkeysphere - - # Apt configuration - $backports_enabled = true - $apt_update_method = 'cron' - include apt - - # Default SSH configuration - $sshd_password_authentication = "yes" - $sshd_shared_ip = "yes" - - file { "/etc/hostname": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - content => "$fqdn\n", - } - - host { "$hostname": - ensure => present, - ip => "$ipaddress", - alias => [ "$fqdn" ], - } - - file { "/etc/rc.local": - source => "puppet://$server/modules/nodo/etc/rc.local", - owner => "root", - group => "root", - mode => 0755, - ensure => present, - } - - file { "/etc/screenrc": - source => "puppet://$server/modules/nodo/etc/screenrc", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - file { "/etc/profile": - source => "puppet://$server/modules/nodo/etc/profile", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - require => File['/usr/local/bin/prompt.sh'], - } - - file { "/etc/bash.bashrc": - source => "puppet://$server/modules/nodo/etc/bash.bashrc", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - require => File['/usr/local/bin/prompt.sh'], - } - - file { "/usr/local/bin/prompt.sh": - source => "puppet://$server/modules/nodo/bin/prompt.sh", - owner => "root", - group => "root", - mode => 0755, - ensure => present, - } -} - -class nodo::physical inherits nodo { - include syslog-ng - include firewall - include vserver::host - include initramfs - include firewire - include sysctl - include ups - include utils::physical - include smartmontools - - # Time configuration - case $ntpdate { - false: { include timezone } - default: { include ntpdate } - } - - # DNS resolver - $resolvconf_domain = "$domain" - $resolvconf_search = "$fqdn" - include resolvconf - - # SSH Server - # - # We need to restrict listen address so multiple instances - # can live together in the same physical host. - # - case $sshd_listen_address { - '': { $sshd_listen_address = [ "$ipaddress" ] } - } - include sshd - - backupninja::sys { "sys": - ensure => present, - } - - # Munin configuration - munin_node { "$hostname": - port => '4900', - } -} - -class nodo::server inherits nodo::physical { - # fstab - file { "/etc/fstab": - source => "puppet://$server/modules/nodo/etc/fstab/server", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # crypttab - file { "/etc/crypttab": - source => "puppet://$server/modules/nodo/etc/crypttab/server", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } -} - -class nodo::desktop inherits nodo::physical { - include utils::desktop - - # fstab - file { "/etc/fstab": - source => "puppet://$desktop/modules/nodo/etc/fstab/desktop", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # crypttab - file { "/etc/crypttab": - source => "puppet://$desktop/modules/nodo/etc/crypttab/desktop", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # data - file { "/var/data": - ensure => directory, - mode => 0755, - } - - # pam - login - file { "/etc/pam.d/login": - source => "puppet://$desktop/modules/nodo/etc/pam.d/login", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # pam - gdm - file { "/etc/pam.d/gdm": - source => "puppet://$desktop/modules/nodo/etc/pam.d/gdm", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # pam - mountpoints - file { "/etc/security/pam_mount.conf.xml": - ensure => present, - owner => root, - group => root, - mode => 0644, - source => "puppet://$server/files/etc/security/pam_mount.conf.xml", - } - - # xorg - file { "/etc/X11/xorg.conf": - ensure => present, - owner => root, - group => root, - mode => 0644, - source => "puppet://$server/files/etc/X11/xorg.conf/$hostname", - } -} - -class nodo::vserver inherits nodo { - include sshd - include timezone - include syslog-ng::vserver - - backupninja::sys { "sys": - ensure => present, - partitions => false, - hardware => false, - dosfdisk => false, - dohwinfo => false, - } - - $hosting_type = $node_hosting_type ? { - '' => "direct", - default => "$node_hosting_type", - } - - case $hosting_type { - "direct": { - # Apply munin configuration for this node for - # directly hosted nodes. - Munin_node <<| title == $hostname |>> - } - "third-party": { - # Apply munin configuration for this node for third-party - # hosted nodes. - munin_node { "$hostname": } - } - } - - # Define a vserver instance - define instance($context, $ensure = 'running', $proxy = false, - $puppetmaster = false, $gitd = false, - $icecast = false, $sound = false, $ticket = false, - $memory_limit = false) { - - # set instance id - if $context < 9 { - $id = "0$context" - } else { - $id = $context - } - - vserver { $name: - ensure => $ensure, - context => "$context", - mark => 'default', - distro => 'lenny', - interface => "eth0:192.168.0.$context/24", - hostname => "$name.$domain", - memory_limit => $memory_limit, - } - - # Some nodes need a lot of space at /tmp otherwise some admin - # tasks like backups might not run. - file { "/etc/vservers/${name}/fstab": - source => "puppet://$server/modules/nodo/etc/fstab/vserver", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - notify => Exec["vs_restart_${name}"], - require => Exec["vs_create_${name}"], - } - - # Create a munin virtual resource to be realized in the node - @@munin_node { "$name": - port => "49$id", - } - - # Sound support - if $sound { - if !defined(File["/usr/local/sbin/create-sound-devices"]) { - file { "/usr/local/sbin/create-sound-devices": - ensure => present, - source => "puppet://$server/modules/nodo/sound/devices.sh", - owner => root, - group => root, - mode => 755, - } - } - exec { "/usr/local/sbin/create-sound-devices ${name}": - unless => "/usr/local/sbin/create-sound-devices ${name} --check", - user => root, - require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ], - } - } - - # Apply firewall rules just for running vservers - case $ensure { - 'running': { - - shorewall::rule { "ssh-$context-1": - action => 'DNAT', - source => 'net', - destination => "vm:192.168.0.$context:22", - proto => 'tcp', - destinationport => "22$id", - ratelimit => '-', - order => "2$id", - } - - shorewall::rule { "ssh-$context-2": - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:22", - proto => 'tcp', - destinationport => "22$id", - originaldest => "$ipaddress", - ratelimit => '-', - order => "3$id", - } - - shorewall::rule { "munin-$context-1": - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:49$id", - proto => 'tcp', - destinationport => "49$id", - ratelimit => '-', - order => "4$id", - } - - shorewall::rule { "munin-$context-2": - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:49$id", - proto => 'tcp', - destinationport => "49$id", - originaldest => "$ipaddress", - ratelimit => '-', - order => "5$id", - } - - if $proxy { - shorewall::rule { 'http-route-1': - action => 'DNAT', - source => 'net', - destination => "vm:192.168.0.$context:80", - proto => 'tcp', - destinationport => '80', - ratelimit => '-', - order => '600', - } - - shorewall::rule { 'http-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:80", - proto => 'tcp', - destinationport => '80', - originaldest => "$ipaddress", - ratelimit => '-', - order => '601', - } - - shorewall::rule { 'https-route-1': - action => 'DNAT', - source => 'net', - destination => "vm:192.168.0.$context:443", - proto => 'tcp', - destinationport => '443', - ratelimit => '-', - order => '602', - } - - shorewall::rule { 'https-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:443", - proto => 'tcp', - destinationport => '443', - originaldest => "$ipaddress", - ratelimit => '-', - order => '602', - } - } - - if $puppetmaster { - shorewall::rule { 'puppetmaster-1': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8140", - proto => 'tcp', - destinationport => '8140', - ratelimit => '-', - order => '700', - } - - shorewall::rule { 'puppetmaster-2': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8140", - proto => 'udp', - destinationport => '8140', - ratelimit => '-', - order => '701', - } - - shorewall::rule { 'puppetmaster-3': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8140", - proto => 'tcp', - destinationport => '8140', - originaldest => "$ipaddress", - ratelimit => '-', - order => '702', - } - - shorewall::rule { 'puppetmaster-4': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8140", - proto => 'udp', - destinationport => '8140', - originaldest => "$ipaddress", - ratelimit => '-', - order => '703', - } - - shorewall::rule { 'puppetmaster-5': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8141", - proto => 'tcp', - destinationport => '8141', - ratelimit => '-', - order => '704', - } - - shorewall::rule { 'puppetmaster-6': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8141", - proto => 'udp', - destinationport => '8141', - ratelimit => '-', - order => '705', - } - - shorewall::rule { 'puppetmaster-7': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8141", - proto => 'tcp', - destinationport => '8141', - originaldest => "$ipaddress", - ratelimit => '-', - order => '706', - } - - shorewall::rule { 'puppetmaster-8': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8141", - proto => 'udp', - destinationport => '8141', - originaldest => "$ipaddress", - ratelimit => '-', - order => '707', - } - } - - if $gitd { - shorewall::rule { 'git-daemon-1': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:9418", - proto => 'tcp', - destinationport => '9418', - ratelimit => '-', - order => '800', - } - - shorewall::rule { 'git-daemon-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => "$ipaddress", - ratelimit => '-', - order => '801', - } - } - - if $icecast { - shorewall::rule { 'icecast-1': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8000", - proto => 'tcp', - destinationport => '8000', - ratelimit => '-', - order => '900', - } - - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => "$ipaddress", - ratelimit => '-', - order => '901', - } - } - } - } - } -} - -class nodo::web inherits nodo::vserver { - include git-daemon - include websites - include database - include users::virtual - include utils::web - - backupninja::svn { "svn": - src => "/var/svn", - } - - backupninja::mysql { "all_databases": - backupdir => '/var/backups/mysql', - compress => true, - sqldump => true, - } -} - -class nodo::master { - # Puppetmaster should be included before nodo::vserver - include puppetmasterd - include nodo::vserver - include database - include gitosis - include websites::admin - - case $main_master { - '': { fail("You need to define if this is the main master! Please set \$main_master in host config") } - } - - if $main_master == true { - include munin::host - - # The main master has a host entry pointing to itself, other - # masters still retrieve catalogs from the main master. - host { "puppet": - ensure => present, - ip => "127.0.0.1", - alias => ["puppet.$domain"], - } - } else { - host { "puppet": - ensure => absent, - } - } - - case $puppetmaster_db_password { - '': { fail("Please set \$puppetmaster_db_password in your host config") } - } - - # update master's puppet.conf if you change here - database::instance { "puppet": - password => "$puppetmaster_db_password", - } - - backupninja::mysql { "all_databases": - backupdir => '/var/backups/mysql', - compress => true, - sqldump => true, - } - - # used for trac dependency graphs - package { "graphviz": - ensure => present, - } -} - -class nodo::proxy inherits nodo::vserver { - include nginx -} - -class nodo::storage inherits nodo::vserver { - # Class for backup nodes - include utils::storage -} - -class nodo::test inherits nodo::web { - # Class for test nodes -} +# Import subsystems +import "subsystems/firewall.pp" +import "subsystems/firewire.pp" +import "subsystems/initramfs.pp" +import "subsystems/lsb.pp" +import "subsystems/motd.pp" +import "subsystems/sudo.pp" +import "subsystems/sysctl.pp" +import "subsystems/ups.pp" +import "subsystems/utils.pp" +import "subsystems/database.pp" +import "subsystems/websites.pp" +import "subsystems/munin.pp" + +# Import nodo classes +import "nodo.pp" +import "physical.pp" +import "server.pp" +import "desktop.pp" +import "vserver.pp" +import "web.pp" +import "master.pp" +import "proxy.pp" +import "storage.pp" +import "test.pp" |