Diffstat (limited to 'manifests/subsystems')
-rw-r--r--manifests/subsystems/database.pp21
-rw-r--r--manifests/subsystems/firewall.pp239
-rw-r--r--manifests/subsystems/firewire.pp17
-rw-r--r--manifests/subsystems/initramfs.pp25
-rw-r--r--manifests/subsystems/lsb.pp4
-rw-r--r--manifests/subsystems/motd.pp17
-rw-r--r--manifests/subsystems/munin.pp19
-rw-r--r--manifests/subsystems/sudo.pp14
-rw-r--r--manifests/subsystems/sysctl.pp16
-rw-r--r--manifests/subsystems/ups.pp13
-rw-r--r--manifests/subsystems/utils.pp75
-rw-r--r--manifests/subsystems/websites.pp127
12 files changed, 587 insertions, 0 deletions
diff --git a/manifests/subsystems/database.pp b/manifests/subsystems/database.pp
new file mode 100644
index 0000000..c2d1fc3
--- /dev/null
+++ b/manifests/subsystems/database.pp
@@ -0,0 +1,21 @@
+class database {
+ include mysql::server
+
+ # Database definitions
+ define instance($password) {
+ mysql_database { "$name":
+ ensure => present,
+ }
+
+ mysql_user { "$name@%":
+ password_hash => mysql_password($password),
+ ensure => present,
+ require => Mysql_database["$name"],
+ }
+
+ mysql_grant { "$name@%/$name":
+ privileges => all,
+ require => Mysql_user["$name@%"],
+ }
+ }
+}
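Review bot: The `mysql_user { "$name@%":` title lets every database user created through `database::instance` log in from any host, and the `mysql_grant` below it hands that account `all` privileges, so any client able to reach the MySQL port can try these credentials. For databases consumed by a co-located web stack the host part should default to `localhost` and only be widened per instance; a `$host` parameter with that default keeps existing callers of `instance($password)` working unchanged. Whether `privileges => all` is accepted as a bare word or has to be `['all']` depends on the mysql module version, which the hunk does not show.
```puppet
define instance($password, $host = 'localhost') {
  # … unchanged: mysql_database …
  mysql_user { "$name@$host":
    # … unchanged: password_hash, ensure, require …
  }

  mysql_grant { "$name@$host/$name":
    privileges => all,
    require    => Mysql_user["$name@$host"],
  }
}
```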
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/manifests/subsystems/firewall.pp
@@ -0,0 +1,239 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "4900",
+ default => "$node_munin_port",
+ }
+
+ shorewall::rule { "munin":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "$munin_port",
+ ratelimit => '-',
+ order => "104",
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ $in_bandwidth = $max_in_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_in_bandwidth",
+ }
+
+ $out_bandwidth = $max_out_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_out_bandwidth",
+ }
+
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "$in_bandwidth",
+ out_bandwidth => "$out_bandwidth",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
+ }
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
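Review bot: The `shorewall::rule { "munin":` block accepts the munin port from the whole `net` zone, while munin.pp in this same commit derives an allow list from `$global_munin_allow`; restricting the source to that host, e.g. `source => "net:${global_munin_allow}",` (if that variable holds an address or CIDR), keeps the packet filter consistent with the application-level restriction. The fallback in the `$munin_port` selector is `"4900"`, but `munin_node` defaults its `$port` to `'4949'`, so a node without `$node_munin_port` has a port opened that munin is not listening on; the two defaults should agree or be derived from one place. In the DMZ block the `dmz` zone gets `order => '4'` after `net` at `'3'` although its hosts entry `eth0:192.168.1.0/24` is nested inside `net`'s `0.0.0.0/0`; if `order` maps to position in the shorewall zones file, Shorewall evaluates the earlier zone first and the `net-all` DROP policy would win over the dmz policies, so the sub-zone should sort before `net`.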
diff --git a/manifests/subsystems/firewire.pp b/manifests/subsystems/firewire.pp
new file mode 100644
index 0000000..1c9609a
--- /dev/null
+++ b/manifests/subsystems/firewire.pp
@@ -0,0 +1,17 @@
+class firewire {
+ # keep firewire disabled
+ # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
+ file { "/etc/modprobe.d/blacklist":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist",
+ }
+
+ # make sure ohci1394 is not loaded
+ exec { "rmmod ohci1394":
+ unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+ user => "root",
+ }
+}
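Review bot: The `exec { "rmmod ohci1394":` resource has an unqualified command and no `path` attribute, which Puppet's exec type rejects at apply time ("command must be fully qualified"); the same applies to `update-initramfs -v -u` in initramfs.pp in this commit. The `unless` wrapper double-negates grep through a `/bin/sh -c 'if ...'` chain, which reads more directly as `onlyif => "/bin/grep -q '^ohci1394 ' /proc/modules",` with the title changed to `"/sbin/rmmod ohci1394"`. Whether a file named `/etc/modprobe.d/blacklist` without a `.conf` suffix is still honoured depends on the module-init-tools version on the target, which is not visible here.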
diff --git a/manifests/subsystems/initramfs.pp b/manifests/subsystems/initramfs.pp
new file mode 100644
index 0000000..3b37f65
--- /dev/null
+++ b/manifests/subsystems/initramfs.pp
@@ -0,0 +1,25 @@
+class initramfs {
+ # initramfs config
+ file { "/etc/kernel-img.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "do_initrd = Yes\n",
+ }
+
+ # initramfs config
+ file { "/etc/initramfs-tools/modules":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
+ }
+
+ # update initramfs when needed
+ exec { "update-initramfs -v -u":
+ subscribe => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
+ refreshonly => true,
+ }
+}
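Review bot: The `subscribe` list on the `update-initramfs` exec references `File["/etc/modprobe.d/blacklist"]`, which is declared in class `firewire`, not here; a node that includes `initramfs` without `firewire` fails catalog compilation on the missing resource. Either add `include firewire` at the top of the class so the dependency is explicit, or drop that element and have `firewire` trigger the rebuild itself with `notify => Exec["update-initramfs -v -u"],` on its blacklist file. A one-line comment on the exec saying which files are expected to invalidate the initramfs would make the cross-class coupling visible to the next reader.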
diff --git a/manifests/subsystems/lsb.pp b/manifests/subsystems/lsb.pp
new file mode 100644
index 0000000..4516470
--- /dev/null
+++ b/manifests/subsystems/lsb.pp
@@ -0,0 +1,4 @@
+class lsb {
+ package { "lsb-release": ensure => installed, }
+ include assert_lsbdistcodename
+}
diff --git a/manifests/subsystems/motd.pp b/manifests/subsystems/motd.pp
new file mode 100644
index 0000000..c8029bf
--- /dev/null
+++ b/manifests/subsystems/motd.pp
@@ -0,0 +1,17 @@
+class motd {
+ # http://projects.reductivelabs.com/issues/1915
+ file { "/var/run/motd":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => file,
+ content => "This is $fqdn from the $network_name.\n",
+ }
+
+ file { "/etc/motd":
+ owner => "root",
+ group => "root",
+ ensure => "/var/run/motd",
+ require => File["/var/run/motd"],
+ }
+}
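Review bot: The `content` string on the `/var/run/motd` resource interpolates `$network_name`, which is not a fact and is not guarded anywhere in the hunk; on a node that does not set it the banner silently reads "from the .". A selector in the style this commit already uses for `$node_munin_port` gives a visible default, e.g. `$net_name = $network_name ? { '' => 'network', default => $network_name }` with `$net_name` used in the content. The ticket URL is the only hint why `/etc/motd` is a symlink to a generated file; a short comment on the `/etc/motd` resource stating that would save a reader the lookup.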
diff --git a/manifests/subsystems/munin.pp b/manifests/subsystems/munin.pp
new file mode 100644
index 0000000..2e32117
--- /dev/null
+++ b/manifests/subsystems/munin.pp
@@ -0,0 +1,19 @@
+# Define a munin node
+define munin_node($port = '4949') {
+
+ case $global_munin_allow {
+ '': { fail("Please set \$global_munin_allow in your site config") }
+ }
+
+ $munin_allow = $node_munin_allow ? {
+ '' => "$global_munin_allow",
+ default => "$node_munin_allow",
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "$port",
+ default => "$node_munin_port",
+ }
+
+ include munin::client
+}
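Review bot: `$munin_allow` and `$munin_port` are assigned inside the `munin_node` define but nothing in the define reads them; the only way `munin::client` could see them is through dynamic variable scoping, which later Puppet releases removed, so the contract is invisible and fragile. Passing them as parameters if `munin::client` accepts any, or at least a comment such as `# read by munin::client through dynamic scope` on the `$munin_allow` line, documents the intended consumer. The `case $global_munin_allow { '': ... }` check only catches an empty string, so on Puppet versions where an undeclared variable is not coerced to `''` it will not fire.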
diff --git a/manifests/subsystems/sudo.pp b/manifests/subsystems/sudo.pp
new file mode 100644
index 0000000..c5679fd
--- /dev/null
+++ b/manifests/subsystems/sudo.pp
@@ -0,0 +1,14 @@
+class sudo {
+
+ package { "sudo":
+ ensure => "present",
+ }
+
+ file { "/etc/sudoers":
+ source => "puppet://$server/modules/nodo/etc/sudoers",
+ owner => "root",
+ group => "root",
+ mode => 440,
+ require => Package["sudo"],
+ }
+}
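Review bot: `mode => 440` on the `/etc/sudoers` resource is a bare number without the leading zero that every other `mode` in this commit uses; write it as `mode => '0440',` so the parser cannot reinterpret it as a decimal integer. A sudoers file replaced from a static source with no syntax check can lock every admin out of sudo if the shipped file has an error; on Puppet versions that support it, `validate_cmd => '/usr/sbin/visudo -c -f %',` on the resource guards against that, otherwise staging the file and running `visudo -c` from an exec before moving it into place is the usual pattern.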
diff --git a/manifests/subsystems/sysctl.pp b/manifests/subsystems/sysctl.pp
new file mode 100644
index 0000000..3bd028c
--- /dev/null
+++ b/manifests/subsystems/sysctl.pp
@@ -0,0 +1,16 @@
+class sysctl {
+ # root exploit fix, see http://wiki.debian.org/mmap_min_addr
+ # TODO: remove in the future or use a sysctl puppet module
+ file { "/etc/sysctl.d/mmap_min_addr.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "vm.mmap_min_addr = 4096\n",
+ }
+
+ exec { "/etc/init.d/procps restart":
+ subscribe => File["/etc/sysctl.d/mmap_min_addr.conf"],
+ refreshonly => true,
+ }
+}
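Review bot: The `vm.mmap_min_addr = 4096` content carries no explanation of why 4096 was chosen rather than the higher value the linked Debian page discusses, and the `TODO` above it leaves the intent even less clear; a comment such as `# 4096 rather than 65536 to keep dosemu (utils::desktop) working — confirm` would record the trade-off, with the reason hedged since it is only inferred from the desktop package list. The `exec { "/etc/init.d/procps restart":` resource presumably re-reads every sysctl file, not just this one; saying so in its comment keeps that side effect from surprising whoever adds a second sysctl.d entry.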
diff --git a/manifests/subsystems/ups.pp b/manifests/subsystems/ups.pp
new file mode 100644
index 0000000..558941e
--- /dev/null
+++ b/manifests/subsystems/ups.pp
@@ -0,0 +1,13 @@
+class ups {
+ include apcupsd
+
+ case $has_ups {
+ true: {
+ apcupsd::ups { "ups0":
+ upstype => 'usb',
+ cable => 'usb',
+ device => '/dev/usb/hiddev0',
+ }
+ }
+ }
+}
diff --git a/manifests/subsystems/utils.pp b/manifests/subsystems/utils.pp
new file mode 100644
index 0000000..92061eb
--- /dev/null
+++ b/manifests/subsystems/utils.pp
@@ -0,0 +1,75 @@
+# Common utilities
+class utils {
+ package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip' ]:
+ ensure => installed,
+ }
+}
+
+# Common utilities for physical
+class utils::physical {
+ package { 'nload':
+ ensure => installed,
+ }
+}
+
+# Common utilities for storage
+class utils::storage {
+ package { 'clamav':
+ ensure => installed,
+ }
+}
+
+# Common utilities for web
+class utils::web {
+ package { 'ffmpeg':
+ ensure => installed,
+ }
+}
+
+# Common utilities for desktop
+class utils::desktop {
+ # Package dosemu used because of the pcf fonts
+ package { [ 'awesome', 'alsa-tools-gui', 'mutt',
+ 'irssi', 'offlineimap', 'wyrd',
+ 'mp3blaster', 'iceweasel', 'eterm',
+ 'libpam-mount', 'locales', 'fluxbox',
+ 'gdm', 'ecryptfs-utils', 'newsbeuter',
+ 'bitlbee', 'nicotine', 'silc',
+ 'irssi-plugin-silc', 'conky', 'rxvt',
+ 'vim-gtk', 'gobby', 'bogofilter',
+ 'gnupg-agent', 'xterm', 'bash-completion',
+ 'fetchmail', 'dosemu', 'xfonts-terminus',
+ 'gnumeric', 'alsa-utils', 'sc',
+ 'gawk', 'telnet', 'fpm',
+ 'procmail', 'msmtp', 'netpbm',
+ 'gqview', 'antiword', 'mairix',
+ 'whois', 'mozilla-plugin-gnash' ]:
+ ensure => installed,
+ }
+
+ # Gem packages
+ package { 'capistrano':
+ ensure => installed,
+ provider => gem,
+ require => Package['rubygems'],
+ }
+
+ if !defined(Package['git-core']) {
+ package { 'git-core':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['ruby']) {
+ package { 'ruby':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['rubygems']) {
+ package { 'rubygems':
+ ensure => installed,
+ require => Package['ruby'],
+ }
+ }
+}
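Review bot: The `if !defined(Package['rubygems'])` guards at the end of `utils::desktop`, together with `require => Package['rubygems']` on `capistrano` above them, are parse-order dependent: `defined()` only sees resources evaluated so far, so whether the guarded declaration is used or a duplicate-declaration error occurs depends on which class Puppet reaches first. The `capistrano` gem is installed with `ensure => installed` and no version, so each fresh desktop pulls whatever the gem index serves that day; pinning it, `ensure => '<vetted-version>',` with the placeholder replaced, makes builds reproducible and reviewable. Moving `git-core`, `ruby` and `rubygems` into a small shared class that the others include would remove the `defined()` guards entirely.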
diff --git a/manifests/subsystems/websites.pp b/manifests/subsystems/websites.pp
new file mode 100644
index 0000000..b688860
--- /dev/null
+++ b/manifests/subsystems/websites.pp
@@ -0,0 +1,127 @@
+class websites::setup {
+ # Configure Apache Web Server
+ $apache_www_folder = "/var/www/data"
+ $apache_error_folder = "/var/www/error"
+ $apache_sites_folder = "/var/sites"
+ $apache_error_dest = "http://${domain}/missing.html"
+ $drupal_folder = "${apache_www_folder}/drupal"
+
+ $default_vhost = $apache_server_name ? {
+ '' => $hostname,
+ default => $apache_server_name,
+ }
+
+ # Include apache
+ include apache
+
+ # The needed apache modules
+ apache::module { "rewrite":
+ ensure => present,
+ }
+
+ # The needed apache modules
+ apache::module { "alias":
+ ensure => present,
+ }
+
+ # Images folder
+ file { "${apache_www_folder}/images":
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ force => true,
+ owner => "root",
+ group => "root",
+ # This mode will also apply to files from the source directory
+ mode => 0644,
+ # Puppet will automatically set +x for directories
+ source => "puppet://$server/files/apache/htdocs/images",
+ }
+
+ # Web index
+ file { "${apache_www_folder}/index.html":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet://$server/files/apache/htdocs/index.html",
+ }
+
+ # Missing page
+ file { "${apache_www_folder}/missing.html":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet://$server/files/apache/htdocs/missing.html",
+ }
+
+ # Default vhost: can just be applied on the defining host
+ apache::site { "$default_vhost":
+ server_alias => "$domain",
+ docroot => "${apache_www_folder}",
+ }
+
+ # We have to use 'zzz-error' so it will be the last matched vhost
+ apache::site { "error":
+ template => 'apache/error.erb',
+ docroot => "${apache_error_folder}",
+ filename => 'zzz-error',
+ }
+
+ # Index page for error
+ file { "${apache_error_folder}/index.html":
+ ensure => "${apache_www_folder}/index.html",
+ owner => "root",
+ group => "root",
+ force => true,
+ require => File["$apache_error_folder"],
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ # We have to use 'zzz-erro' so it will be the last matched vhost
+ apache::site { "erro":
+ ensure => absent,
+ docroot => '/var/www/erro',
+ filename => 'zzz-erro',
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ file { "/var/www/erro":
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ # Index page for erro
+ file { "/var/www/erro/index.html":
+ ensure => absent,
+ owner => "root",
+ group => "root",
+ force => true,
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ file { "/var/www/erro/missing.html":
+ ensure => absent,
+ }
+}
+
+class websites::hosting inherits websites::setup {
+ # Include the needed classes for website hosting
+ include php
+ include drupal
+ include gitweb
+ include trac
+ include websvn
+ include moin
+ include ikiwiki
+ include pmwiki
+}
+
+class websites::hosting::admin inherits websites::setup {
+ # Include the needed classes for admin interfaces
+ include trac
+ include gitweb
+}
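Review bot: The `require => File["$apache_error_folder"]` on the `${apache_error_folder}/index.html` resource points at `File['/var/www/error']`, which nothing in this file declares; unless `apache::site` declares its `docroot` as a file resource, catalog compilation fails on the missing dependency, so either declare the directory here or comment where it comes from. `websites::hosting` and `websites::hosting::admin` use `inherits websites::setup` only to pull in its resources without overriding any; `include websites::setup` expresses that composition directly and leaves inheritance for classes that actually override parent resources. `$apache_error_dest` is assigned but never read in the hunk, presumably by `apache/error.erb`; a comment to that effect on its line prevents it being removed as dead.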