Diffstat (limited to 'manifests/subsystems')
-rw-r--r-- | manifests/subsystems/database.pp | 21 | ||||
-rw-r--r-- | manifests/subsystems/firewall.pp | 239 | ||||
-rw-r--r-- | manifests/subsystems/firewire.pp | 17 | ||||
-rw-r--r-- | manifests/subsystems/initramfs.pp | 25 | ||||
-rw-r--r-- | manifests/subsystems/lsb.pp | 4 | ||||
-rw-r--r-- | manifests/subsystems/motd.pp | 17 | ||||
-rw-r--r-- | manifests/subsystems/munin.pp | 19 | ||||
-rw-r--r-- | manifests/subsystems/sudo.pp | 14 | ||||
-rw-r--r-- | manifests/subsystems/sysctl.pp | 16 | ||||
-rw-r--r-- | manifests/subsystems/ups.pp | 13 | ||||
-rw-r--r-- | manifests/subsystems/utils.pp | 75 | ||||
-rw-r--r-- | manifests/subsystems/websites.pp | 127 |
12 files changed, 587 insertions, 0 deletions
diff --git a/manifests/subsystems/database.pp b/manifests/subsystems/database.pp
new file mode 100644
index 0000000..c2d1fc3
--- /dev/null
+++ b/manifests/subsystems/database.pp
@@ -0,0 +1,21 @@
+class database {
+ include mysql::server
+
+ # Database definitions
+ define instance($password) {
+ mysql_database { "$name":
+ ensure => present,
+ }
+
+ mysql_user { "$name@%":
+ password_hash => mysql_password($password),
+ ensure => present,
+ require => Mysql_database["$name"],
+ }
+
+ mysql_grant { "$name@%/$name":
+ privileges => all,
+ require => Mysql_user["$name@%"],
+ }
+ }
+}
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/manifests/subsystems/firewall.pp
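Review bot: The `mysql_user { "$name@%":` resource in `database::instance` creates every account with the `%` host wildcard, and `mysql_grant` then gives it `privileges => all`, so each instance password is usable from any address that can reach the MySQL port. If the applications connect from known hosts, a host parameter that keeps today's behaviour by default would let callers narrow it: `define instance($password, $host = '%') {`, with the resource titles changed to `"$name@$host"` and `"$name@$host/$name"`. `$password` also arrives as plain text from the calling manifest, which deserves a comment above the define so callers know where the secret ends up being stored.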
@@ -0,0 +1,239 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "4900",
+ default => "$node_munin_port",
+ }
+
+ shorewall::rule { "munin":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "$munin_port",
+ ratelimit => '-',
+ order => "104",
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ $in_bandwidth = $max_in_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_in_bandwidth",
+ }
+
+ $out_bandwidth = $max_out_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_out_bandwidth",
+ }
+
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "$in_bandwidth",
+ out_bandwidth => "$out_bandwidth",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
+ }
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
diff --git a/manifests/subsystems/firewire.pp b/manifests/subsystems/firewire.pp
new file mode 100644
index 0000000..1c9609a
--- /dev/null
+++ b/manifests/subsystems/firewire.pp
@@ -0,0 +1,17 @@
+class firewire {
+ # keep firewire disabled
+ # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
+ file { "/etc/modprobe.d/blacklist":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist",
+ }
+
+ # make sure ohci1394 is not loaded
+ exec { "rmmod ohci1394":
+ unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+ user => "root",
+ }
+}
diff --git a/manifests/subsystems/initramfs.pp b/manifests/subsystems/initramfs.pp
new file mode 100644
index 0000000..3b37f65
--- /dev/null
+++ b/manifests/subsystems/initramfs.pp
@@ -0,0 +1,25 @@
+class initramfs {
+ # initramfs config
+ file { "/etc/kernel-img.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "do_initrd = Yes\n",
+ }
+
+ # initramfs config
+ file { "/etc/initramfs-tools/modules":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
+ }
+
+ # update initramfs when needed
+ exec { "update-initramfs -v -u":
+ subscribe => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/subsystems/lsb.pp b/manifests/subsystems/lsb.pp
new file mode 100644
index 0000000..4516470
--- /dev/null
+++ b/manifests/subsystems/lsb.pp
@@ -0,0 +1,4 @@
+class lsb {
+ package { "lsb-release": ensure => installed, }
+ include assert_lsbdistcodename
+}
diff --git a/manifests/subsystems/motd.pp b/manifests/subsystems/motd.pp
new file mode 100644
index 0000000..c8029bf
--- /dev/null
+++ b/manifests/subsystems/motd.pp
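Review bot: The `munin` rule in class `firewall` falls back to port `"4900"` when `$node_munin_port` is empty, while `munin_node` in manifests/subsystems/munin.pp defaults `$port` to `'4949'`, so a node that sets neither opens a firewall port different from the one the define hands on; if 4900 is not deliberate, the selector should read `'' => "4949",`. The same rule accepts from the whole `net` zone, which leaves access control to the munin allow list alone; narrowing `source` to the collector's address would be tighter. Separately, the DMZ policies use `order` 6 to 8, after `all-all` at 5: if the shorewall module writes policies sorted by `order`, the catch-all REJECT would presumably shadow them, which is worth confirming against the generated policy file.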
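Review bot: The exec `rmmod ohci1394` in class `firewire` is not fully qualified and sets no `path`, and its `unless` guard works only because the backticks around `grep -q` expand to nothing and pass grep's exit status through. Writing it as `exec { "/sbin/rmmod ohci1394":` with `onlyif => "/bin/grep -q '^ohci1394 ' /proc/modules",` states the same condition directly, and the trailing space stops the pattern matching a longer module name. The blacklist file itself is not part of this diff; on kernels that use the newer FireWire stack the driver is `firewire_ohci`, so FireWire would stay enabled there unless that module is covered as well.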
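Review bot: The `update-initramfs -v -u` exec subscribes to `File["/etc/modprobe.d/blacklist"]`, which is declared in class `firewire` and not in `initramfs`, so a node that includes `initramfs` without `firewire` would presumably fail to compile its catalog. Adding `include firewire` at the top of the class, or moving the blacklist file here, makes that dependency explicit. The command is also unqualified with no `path`; `exec { "/usr/sbin/update-initramfs -v -u":` would not depend on the agent's environment.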
@@ -0,0 +1,17 @@
+class motd {
+ # http://projects.reductivelabs.com/issues/1915
+ file { "/var/run/motd":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => file,
+ content => "This is $fqdn from the $network_name.\n",
+ }
+
+ file { "/etc/motd":
+ owner => "root",
+ group => "root",
+ ensure => "/var/run/motd",
+ require => File["/var/run/motd"],
+ }
+}
diff --git a/manifests/subsystems/munin.pp b/manifests/subsystems/munin.pp
new file mode 100644
index 0000000..2e32117
--- /dev/null
+++ b/manifests/subsystems/munin.pp
@@ -0,0 +1,19 @@
+# Define a munin node
+define munin_node($port = '4949') {
+
+ case $global_munin_allow {
+ '': { fail("Please set \$global_munin_allow in your site config") }
+ }
+
+ $munin_allow = $node_munin_allow ? {
+ '' => "$global_munin_allow",
+ default => "$node_munin_allow",
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "$port",
+ default => "$node_munin_port",
+ }
+
+ include munin::client
+}
diff --git a/manifests/subsystems/sudo.pp b/manifests/subsystems/sudo.pp
new file mode 100644
index 0000000..c5679fd
--- /dev/null
+++ b/manifests/subsystems/sudo.pp
@@ -0,0 +1,14 @@
+class sudo {
+
+ package { "sudo":
+ ensure => "present",
+ }
+
+ file { "/etc/sudoers":
+ source => "puppet://$server/modules/nodo/etc/sudoers",
+ owner => "root",
+ group => "root",
+ mode => 440,
+ require => Package["sudo"],
+ }
+}
diff --git a/manifests/subsystems/sysctl.pp b/manifests/subsystems/sysctl.pp
new file mode 100644
index 0000000..3bd028c
--- /dev/null
+++ b/manifests/subsystems/sysctl.pp
@@ -0,0 +1,16 @@
+class sysctl {
+ # root exploit fix, see http://wiki.debian.org/mmap_min_addr
+ # TODO: remove in the future or use a sysctl puppet module
+ file { "/etc/sysctl.d/mmap_min_addr.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "vm.mmap_min_addr = 4096\n",
+ }
+
+ exec { "/etc/init.d/procps restart":
+ subscribe => File["/etc/sysctl.d/mmap_min_addr.conf"],
+ refreshonly => true,
+ }
+}
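Review bot: `/etc/sudoers` in class `sudo` is replaced from the file server with no syntax check, so a malformed source file would break sudo on every node that applies it. Where the Puppet version in use supports the attribute, `validate_cmd => '/usr/sbin/visudo -c -f %',` on the file resource rejects an invalid file before it is installed. `mode => 440` is also the only mode in this commit written without a leading zero; `mode => 0440,` would match the other manifests.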
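Review bot: `vm.mmap_min_addr = 4096` in class `sysctl` is pinned in a file under `/etc/sysctl.d`, so on any node whose kernel or distribution default is higher this manifest would lower the protection instead of adding it; which default the targeted releases ship is not visible here. The existing TODO already marks the file as temporary, and it could say when to drop it, for example `# TODO: remove once every node ships a default of at least 4096; never lower a higher distro value`.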
diff --git a/manifests/subsystems/ups.pp b/manifests/subsystems/ups.pp
new file mode 100644
index 0000000..558941e
--- /dev/null
+++ b/manifests/subsystems/ups.pp
@@ -0,0 +1,13 @@
+class ups {
+ include apcupsd
+
+ case $has_ups {
+ true: {
+ apcupsd::ups { "ups0":
+ upstype => 'usb',
+ cable => 'usb',
+ device => '/dev/usb/hiddev0',
+ }
+ }
+ }
+}
diff --git a/manifests/subsystems/utils.pp b/manifests/subsystems/utils.pp
new file mode 100644
index 0000000..92061eb
--- /dev/null
+++ b/manifests/subsystems/utils.pp
@@ -0,0 +1,75 @@
+# Common utilities
+class utils {
+ package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip' ]:
+ ensure => installed,
+ }
+}
+
+# Common utilities for physical
+class utils::physical {
+ package { 'nload':
+ ensure => installed,
+ }
+}
+
+# Common utilities for storage
+class utils::storage {
+ package { 'clamav':
+ ensure => installed,
+ }
+}
+
+# Common utilities for web
+class utils::web {
+ package { 'ffmpeg':
+ ensure => installed,
+ }
+}
+
+# Common utilities for desktop
+class utils::desktop {
+ # Package dosemu used because of the pcf fonts
+ package { [ 'awesome', 'alsa-tools-gui', 'mutt',
+ 'irssi', 'offlineimap', 'wyrd',
+ 'mp3blaster', 'iceweasel', 'eterm',
+ 'libpam-mount', 'locales', 'fluxbox',
+ 'gdm', 'ecryptfs-utils', 'newsbeuter',
+ 'bitlbee', 'nicotine', 'silc',
+ 'irssi-plugin-silc', 'conky', 'rxvt',
+ 'vim-gtk', 'gobby', 'bogofilter',
+ 'gnupg-agent', 'xterm', 'bash-completion',
+ 'fetchmail', 'dosemu', 'xfonts-terminus',
+ 'gnumeric', 'alsa-utils', 'sc',
+ 'gawk', 'telnet', 'fpm',
+ 'procmail', 'msmtp', 'netpbm',
+ 'gqview', 'antiword', 'mairix',
+ 'whois', 'mozilla-plugin-gnash' ]:
+ ensure => installed,
+ }
+
+ # Gem packages
+ package { 'capistrano':
+ ensure => installed,
+ provider => gem,
+ require => Package['rubygems'],
+ }
+
+ if !defined(Package['git-core']) {
+ package { 'git-core':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['ruby']) {
+ package { 'ruby':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['rubygems']) {
+ package { 'rubygems':
+ ensure => installed,
+ require => Package['ruby'],
+ }
+ }
+}
diff --git a/manifests/subsystems/websites.pp b/manifests/subsystems/websites.pp
new file mode 100644
index 0000000..b688860
--- /dev/null
+++ b/manifests/subsystems/websites.pp
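Review bot: The `capistrano` package in `utils::desktop` is declared with `provider => gem` and `ensure => installed`, so each node takes whatever version the gem source serves on first apply, outside the distribution's package archive. Pinning it with `ensure => '<pinned-version>',` keeps what gets installed reviewable and identical across nodes. The `if !defined(Package[...])` guards below it depend on evaluation order, so a declaration of `git-core`, `ruby` or `rubygems` that is evaluated later elsewhere would still collide; a comment saying so would help the next maintainer.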
@@ -0,0 +1,127 @@
+class websites::setup {
+ # Configure Apache Web Server
+ $apache_www_folder = "/var/www/data"
+ $apache_error_folder = "/var/www/error"
+ $apache_sites_folder = "/var/sites"
+ $apache_error_dest = "http://${domain}/missing.html"
+ $drupal_folder = "${apache_www_folder}/drupal"
+
+ $default_vhost = $apache_server_name ? {
+ '' => $hostname,
+ default => $apache_server_name,
+ }
+
+ # Include apache
+ include apache
+
+ # The needed apache modules
+ apache::module { "rewrite":
+ ensure => present,
+ }
+
+ # The needed apache modules
+ apache::module { "alias":
+ ensure => present,
+ }
+
+ # Images folder
+ file { "${apache_www_folder}/images":
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ force => true,
+ owner => "root",
+ group => "root",
+ # This mode will also apply to files from the source directory
+ mode => 0644,
+ # Puppet will automatically set +x for directories
+ source => "puppet://$server/files/apache/htdocs/images",
+ }
+
+ # Web index
+ file { "${apache_www_folder}/index.html":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet://$server/files/apache/htdocs/index.html",
+ }
+
+ # Missing page
+ file { "${apache_www_folder}/missing.html":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet://$server/files/apache/htdocs/missing.html",
+ }
+
+ # Default vhost: can just be applied on the defining host
+ apache::site { "$default_vhost":
+ server_alias => "$domain",
+ docroot => "${apache_www_folder}",
+ }
+
+ # We have to use 'zzz-error' so it will be the last matched vhost
+ apache::site { "error":
+ template => 'apache/error.erb',
+ docroot => "${apache_error_folder}",
+ filename => 'zzz-error',
+ }
+
+ # Index page for error
+ file { "${apache_error_folder}/index.html":
+ ensure => "${apache_www_folder}/index.html",
+ owner => "root",
+ group => "root",
+ force => true,
+ require => File["$apache_error_folder"],
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ # We have to use 'zzz-erro' so it will be the last matched vhost
+ apache::site { "erro":
+ ensure => absent,
+ docroot => '/var/www/erro',
+ filename => 'zzz-erro',
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ file { "/var/www/erro":
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ # Index page for erro
+ file { "/var/www/erro/index.html":
+ ensure => absent,
+ owner => "root",
+ group => "root",
+ force => true,
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ file { "/var/www/erro/missing.html":
+ ensure => absent,
+ }
+}
+
+class websites::hosting inherits websites::setup {
+ # Include the needed classes for website hosting
+ include php
+ include drupal
+ include gitweb
+ include trac
+ include websvn
+ include moin
+ include ikiwiki
+ include pmwiki
+}
+
+class websites::hosting::admin inherits websites::setup {
+ # Include the needed classes for admin interfaces
+ include trac
+ include gitweb
+} |
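Review bot: The error index file in `websites::setup` sets `require => File["$apache_error_folder"]`, but no `file` resource for `/var/www/error` is declared anywhere in this hunk, so unless `apache::site` creates one under exactly that title the catalog will not compile. Declaring the directory next to it, `file { "$apache_error_folder": ensure => directory, }`, removes the dependency on the module's internals. The images directory combines `recurse`, `purge` and `force`, which deletes anything on the node that is not in the file-server source; a comment stating that this is intended would prevent surprises for anyone who drops files there by hand.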