Diffstat (limited to 'manifests/init.pp')
-rw-r--r-- | manifests/init.pp | 301 |
1 files changed, 301 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..443e612
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,301 @@
+#
+# Nodo class definitions
+#
+
+import "firewall.pp"
+import "firewire.pp"
+import "initramfs.pp"
+import "lsb.pp"
+import "motd.pp"
+import "sudo.pp"
+import "sysctl.pp"
+
+class nodo {
+ include lsb
+ include puppetd
+ include backup
+ include exim
+ include sudo
+ include users::admin
+ include motd
+
+ # Set timezone and ntp config
+ #
+ # We config those here but leave class inclusion elsewhere
+ # as ntp config differ from server to vserver.
+ #
+ $ntp_timezone = "Brazil/East"
+ $ntp_pool = "south-america.pool.ntp.org"
+ $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
+
+ # Monkeysphere
+ #
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #
+ $monkeysphere_publish_key = false
+ include monkeysphere
+
+ # Apt configuration
+ $backports_enabled = true
+ $apt_update_method = cron
+ include apt
+
+ file { "/etc/hostname":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "$fqdn\n",
+ }
+
+ host { "$hostname":
+ ensure => present,
+ ip => "$ipaddress",
+ alias => [ "$fqdn" ],
+ }
+
+ file { "/etc/rc.local":
+ source => "puppet://$server/modules/nodo/etc/rc.local",
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ ensure => present,
+ }
+}
+
+class nodo::server inherits nodo {
+ include syslog-ng
+ include ntpdate
+ include firewall
+ include vserver::host
+ include initramfs
+ include firewire
+ include sysctl
+
+ # DNS resolver
+ $resolvconf_domain = "$domain"
+ $resolvconf_search = "$fqdn"
+ include resolvconf
+
+ # SSH Server
+ #
+ # We need to restrict listen address so multiple instances
+ # can live together in the same physical host.
+ #
+ $sshd_listen_address = [ "$ipaddress" ]
+ $sshd_password_authentication = "yes"
+ include sshd
+
+ # Munin
+ #$munin_port = "4901"
+ #include munin::client
+
+ backupninja::sys { "sys":
+ ensure => present,
+ }
+
+ # fstab
+ file { "/etc/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # crypttab
+ file { "/etc/crypttab":
+ source => "puppet://$server/modules/nodo/etc/crypttab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+}
+
+class nodo::vserver inherits nodo {
+ $sshd_password_authentication = "yes"
+ $sshd_internal_ip = "yes"
+ include sshd
+ include timezone
+ include syslog-ng::vserver
+
+ backupninja::sys { "sys":
+ ensure => present,
+ partitions => false,
+ hardware => false,
+ dosfdisk => false,
+ dohwinfo => false,
+ }
+
+ define munin($type, $id) {
+ # Use one port for each node
+ $munin_port = "49$id"
+ case $type {
+ 'host': {
+ include munin::host
+ include munin::client
+ }
+ 'client': {
+ include munin::client
+ }
+ }
+ }
+
+ # Apply the munin configuration for this host
+ #Nodo::vserver::munin <| tag == $name |>
+
+ # Define a vserver instance
+ define instance($context, $ensure = 'running', $proxy = false, $puppetmaster = false, $gitd = false, $munin = 'client') {
+
+ # set instance id
+ if $context < 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ # TODO: some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => 'lenny',
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ #@nodo::vserver::munin {
+ # type => $munin,
+ # id => $id,
+ # tag => $name,
+ #}
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+
+ shorewall::rule { "ssh-$context":
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ ratelimit => '-',
+ order => "2$id",
+ }
+
+ if $proxy {
+ shorewall::rule { 'http-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '300',
+ }
+
+ shorewall::rule { 'https-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '301',
+ }
+ }
+
+ if $puppetmaster {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '302',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '303',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '304',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '305',
+ }
+ }
+
+ if $gitd {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '306',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "vm:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '307',
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+class nodo::web inherits nodo::vserver {
+ include git-daemon
+ include websites
+ include mysql::server
+ include users::virtual
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+}
+
+class nodo::proxy inherits nodo::vserver {
+ include nginx
+}
|
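Review bot: Both nodo::server and nodo::vserver set `$sshd_password_authentication = "yes"` while the `ssh-$context` shorewall rule DNATs port `22$id` from the `net` zone straight to each running vserver's sshd, so password logins are reachable from the Internet on every instance. Since the base nodo class already includes monkeysphere (i.e. key-based SSH is provisioned), the safer default is `$sshd_password_authentication = "no"` in both classes, with any exception set per node rather than in the base class. Separately, the zero-padding guard in `define instance` reads `if $context < 9`, which leaves context 9 unpadded (`$id = 9`, port `229`, order `29`) while 1–8 get `01`–`08`; `if $context < 10 {` matches the evident intent. The puppetmaster and git-daemon-1 rules also DNAT to `fw:192.168.0.$context:…` whereas every other rule uses the `vm:` zone — that may be deliberate, but it is worth confirming, since a wrong zone name silently breaks the forward.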