1 files changed, 301 insertions, 0 deletions

diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..443e612
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,301 @@
+#
+# Nodo class definitions
+#
+
+import "firewall.pp"
+import "firewire.pp"
+import "initramfs.pp"
+import "lsb.pp"
+import "motd.pp"
+import "sudo.pp"
+import "sysctl.pp"
+
+class nodo {
+  include lsb
+  include puppetd
+  include backup
+  include exim
+  include sudo
+  include users::admin
+  include motd
+
+  # Set timezone and ntp config
+  #
+  # We config those here but leave class inclusion elsewhere
+  # as ntp config differ from server to vserver.
+  #
+  $ntp_timezone = "Brazil/East"
+  $ntp_pool     = "south-america.pool.ntp.org"
+  $ntp_servers  = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
+
+  # Monkeysphere
+  #
+  # Currently we don't have a defined policy regarding whether
+  # to publish all our node keys to public keyservers, so leave
+  # automatic publishing disabled for now.
+  #
+  $monkeysphere_publish_key = false
+  include monkeysphere
+
+  # Apt configuration
+  $backports_enabled = true
+  $apt_update_method = cron
+  include apt
+
+  file { "/etc/hostname":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+    content => "$fqdn\n",
+  }
+
+  host { "$hostname":
+    ensure => present,
+    ip     => "$ipaddress",
+    alias  => [ "$fqdn" ],
+  }
+
+  file { "/etc/rc.local":
+    source  => "puppet://$server/modules/nodo/etc/rc.local",
+    owner   => "root",
+    group   => "root",
+    mode    => 0755,
+    ensure  => present,
+  }
+}
+
+class nodo::server inherits nodo {
+  include syslog-ng
+  include ntpdate
+  include firewall
+  include vserver::host
+  include initramfs
+  include firewire
+  include sysctl
+
+  # DNS resolver
+  $resolvconf_domain = "$domain"
+  $resolvconf_search = "$fqdn"
+  include resolvconf
+
+  # SSH Server
+  #
+  # We need to restrict listen address so multiple instances
+  # can live together in the same physical host.
+  #
+  $sshd_listen_address = [ "$ipaddress" ]
+  $sshd_password_authentication = "yes"
+  include sshd
+
+  # Munin
+  #$munin_port = "4901"
+  #include munin::client
+
+  backupninja::sys { "sys":
+    ensure => present,
+  }
+
+  # fstab
+  file { "/etc/fstab":
+    source  => "puppet://$server/modules/nodo/etc/fstab",
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+  }
+
+  # crypttab
+  file { "/etc/crypttab":
+    source  => "puppet://$server/modules/nodo/etc/crypttab",
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+  }
+}
+
+class nodo::vserver inherits nodo {
+  $sshd_password_authentication = "yes"
+  $sshd_internal_ip             = "yes"
+  include sshd
+  include timezone
+  include syslog-ng::vserver
+
+  backupninja::sys { "sys":
+    ensure     => present,
+    partitions => false,
+    hardware   => false,
+    dosfdisk   => false,
+    dohwinfo   => false,
+  }
+
+  define munin($type, $id) {
+    # Use one port for each node
+    $munin_port = "49$id"
+    case $type {
+      'host': {
+        include munin::host
+        include munin::client
+      }
+      'client': {
+        include munin::client
+      }
+    }
+  }
+
+  # Apply the munin configuration for this host
+  #Nodo::vserver::munin <| tag == $name |>
+
+  # Define a vserver instance
+  define instance($context, $ensure = 'running', $proxy = false, $puppetmaster = false, $gitd = false, $munin = 'client') {
+
+    # set instance id
+    if $context < 9 {
+      $id = "0$context"
+    } else {
+      $id = $context
+    }
+
+    # TODO: some nodes need a lot of space at /tmp otherwise some admin
+    # tasks like backups might not run.
+    vserver { $name:
+      ensure    => $ensure,
+      context   => "$context",
+      mark      => 'default',
+      distro    => 'lenny',
+      interface => "eth0:192.168.0.$context/24",
+      hostname  => "$name.$domain",
+    }
+
+    # Create a munin virtual resource to be realized in the node
+    #@nodo::vserver::munin {
+    #  type => $munin,
+    #  id   => $id,
+    #  tag  => $name,
+    #}
+
+    # Apply firewall rules just for running vservers
+    case $ensure {
+      'running': {
+
+        shorewall::rule { "ssh-$context":
+          action          => 'DNAT',
+          source          => 'net',
+          destination     => "vm:192.168.0.$context:22",
+          proto           => 'tcp',
+          destinationport => "22$id",
+          ratelimit       => '-',
+          order           => "2$id",
+        }
+
+        if $proxy {
+          shorewall::rule { 'http-route':
+            action          => 'DNAT',
+            source          => 'net',
+            destination     => "vm:192.168.0.$context:80",
+            proto           => 'tcp',
+            destinationport => '80',
+            ratelimit       => '-',
+            order           => '300',
+          }
+
+          shorewall::rule { 'https-route':
+            action          => 'DNAT',
+            source          => 'net',
+            destination     => "vm:192.168.0.$context:443",
+            proto           => 'tcp',
+            destinationport => '443',
+            ratelimit       => '-',
+            order           => '301',
+          }
+        }
+
+        if $puppetmaster {
+          shorewall::rule { 'puppetmaster-1':
+            action          => 'DNAT',
+            source          => 'net',
+            destination     => "fw:192.168.0.$context:8140",
+            proto           => 'tcp',
+            destinationport => '8140',
+            ratelimit       => '-',
+            order           => '302',
+          }
+
+          shorewall::rule { 'puppetmaster-2':
+            action          => 'DNAT',
+            source          => 'net',
+            destination     => "fw:192.168.0.$context:8140",
+            proto           => 'udp',
+            destinationport => '8140',
+            ratelimit       => '-',
+            order           => '303',
+          }
+
+          shorewall::rule { 'puppetmaster-3':
+            action          => 'DNAT',
+            source          => '$FW',
+            destination     => "fw:192.168.0.$context:8140",
+            proto           => 'tcp',
+            destinationport => '8140',
+            ratelimit       => '-',
+            order           => '304',
+          }
+
+          shorewall::rule { 'puppetmaster-4':
+            action          => 'DNAT',
+            source          => '$FW',
+            destination     => "fw:192.168.0.$context:8140",
+            proto           => 'udp',
+            destinationport => '8140',
+            ratelimit       => '-',
+            order           => '305',
+          }
+        }
+
+        if $gitd {
+          shorewall::rule { 'git-daemon-1':
+            action          => 'DNAT',
+            source          => 'net',
+            destination     => "fw:192.168.0.$context:9418",
+            proto           => 'tcp',
+            destinationport => '9418',
+            ratelimit       => '-',
+            order           => '306',
+          }
+
+          shorewall::rule { 'git-daemon-2':
+            action          => 'DNAT',
+            source          => '$FW',
+            destination     => "vm:192.168.0.$context:9418",
+            proto           => 'tcp',
+            destinationport => '9418',
+            ratelimit       => '-',
+            order           => '307',
+          }
+        }
+      }
+    }
+  }
+}
+
+class nodo::web inherits nodo::vserver {
+  include git-daemon
+  include websites
+  include mysql::server
+  include users::virtual
+
+  backupninja::svn { "svn":
+    src => "/var/svn",
+  }
+
+  backupninja::mysql { "all_databases":
+  	backupdir => '/var/backups/mysql',
+  	compress  => true,
+  	sqldump   => true,
+  }
+}
+
+class nodo::proxy inherits nodo::vserver {
+  include nginx
+}