Diffstat (limited to 'manifests/init.pp')
-rw-r--r--manifests/init.pp301
1 files changed, 301 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..443e612
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,301 @@
+#
+# Nodo class definitions
+#
+
+import "firewall.pp"
+import "firewire.pp"
+import "initramfs.pp"
+import "lsb.pp"
+import "motd.pp"
+import "sudo.pp"
+import "sysctl.pp"
+
+class nodo {
+ include lsb
+ include puppetd
+ include backup
+ include exim
+ include sudo
+ include users::admin
+ include motd
+
+ # Set timezone and ntp config
+ #
+ # We config those here but leave class inclusion elsewhere
+ # as ntp config differ from server to vserver.
+ #
+ $ntp_timezone = "Brazil/East"
+ $ntp_pool = "south-america.pool.ntp.org"
+ $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
+
+ # Monkeysphere
+ #
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #
+ $monkeysphere_publish_key = false
+ include monkeysphere
+
+ # Apt configuration
+ $backports_enabled = true
+ $apt_update_method = cron
+ include apt
+
+ file { "/etc/hostname":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "$fqdn\n",
+ }
+
+ host { "$hostname":
+ ensure => present,
+ ip => "$ipaddress",
+ alias => [ "$fqdn" ],
+ }
+
+ file { "/etc/rc.local":
+ source => "puppet://$server/modules/nodo/etc/rc.local",
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ ensure => present,
+ }
+}
+
+class nodo::server inherits nodo {
+ include syslog-ng
+ include ntpdate
+ include firewall
+ include vserver::host
+ include initramfs
+ include firewire
+ include sysctl
+
+ # DNS resolver
+ $resolvconf_domain = "$domain"
+ $resolvconf_search = "$fqdn"
+ include resolvconf
+
+ # SSH Server
+ #
+ # We need to restrict listen address so multiple instances
+ # can live together in the same physical host.
+ #
+ $sshd_listen_address = [ "$ipaddress" ]
+ $sshd_password_authentication = "yes"
+ include sshd
+
+ # Munin
+ #$munin_port = "4901"
+ #include munin::client
+
+ backupninja::sys { "sys":
+ ensure => present,
+ }
+
+ # fstab
+ file { "/etc/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # crypttab
+ file { "/etc/crypttab":
+ source => "puppet://$server/modules/nodo/etc/crypttab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+}
+
+class nodo::vserver inherits nodo {
+ $sshd_password_authentication = "yes"
+ $sshd_internal_ip = "yes"
+ include sshd
+ include timezone
+ include syslog-ng::vserver
+
+ backupninja::sys { "sys":
+ ensure => present,
+ partitions => false,
+ hardware => false,
+ dosfdisk => false,
+ dohwinfo => false,
+ }
+
+ define munin($type, $id) {
+ # Use one port for each node
+ $munin_port = "49$id"
+ case $type {
+ 'host': {
+ include munin::host
+ include munin::client
+ }
+ 'client': {
+ include munin::client
+ }
+ }
+ }
+
+ # Apply the munin configuration for this host
+ #Nodo::vserver::munin <| tag == $name |>
+
+ # Define a vserver instance
+ define instance($context, $ensure = 'running', $proxy = false, $puppetmaster = false, $gitd = false, $munin = 'client') {
+
+ # set instance id
+ if $context < 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ # TODO: some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => 'lenny',
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ #@nodo::vserver::munin {
+ # type => $munin,
+ # id => $id,
+ # tag => $name,
+ #}
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+
+ shorewall::rule { "ssh-$context":
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ ratelimit => '-',
+ order => "2$id",
+ }
+
+ if $proxy {
+ shorewall::rule { 'http-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '300',
+ }
+
+ shorewall::rule { 'https-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '301',
+ }
+ }
+
+ if $puppetmaster {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '302',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '303',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '304',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '305',
+ }
+ }
+
+ if $gitd {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '306',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "vm:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '307',
+ }
+ }
+ }
+ }
+ }
+}
+
+class nodo::web inherits nodo::vserver {
+ include git-daemon
+ include websites
+ include mysql::server
+ include users::virtual
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+}
+
+class nodo::proxy inherits nodo::vserver {
+ include nginx
+}
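Review bot: The zero-padding guard in the `instance` define of `nodo::vserver` is off by one: `if $context < 9` leaves context 9 with `$id = "9"`, so its SSH forward gets `destinationport => "229"` and `order => "29"` while contexts 1–8 and 10+ get four-digit ports (2201…2208, 2210…); the check should read `if $context < 10 {`. Whether `$context` is compared numerically or lexically depends on the parser of this Puppet version (the manifest still uses `import`), so that is worth confirming when fixing it. Separately, `$sshd_password_authentication = "yes"` is set in both `nodo::server` and `nodo::vserver` for hosts whose port 22 is DNAT-exposed from the `net` zone by the `ssh-$context` rule; if key-based access is already in place, defaulting this to `"no"` or adding a comment explaining why password auth must stay enabled would make the exposed surface explicit. The fixed resource titles `http-route`, `https-route`, `puppetmaster-1..4` and `git-daemon-1..2` also mean a second instance declared with the same flag fails with a duplicate-resource error, which is fine if only one proxy, puppetmaster and git daemon are ever intended, but a one-line comment on the define (`# only one instance may set proxy/puppetmaster/gitd: rule titles are global`) would save the next maintainer the surprise.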