diff options
Diffstat (limited to 'manifests/vserver.pp')
-rw-r--r-- | manifests/vserver.pp | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/manifests/vserver.pp b/manifests/vserver.pp new file mode 100644 index 0000000..14b1e28 --- /dev/null +++ b/manifests/vserver.pp @@ -0,0 +1,314 @@ +class nodo::vserver inherits nodo { + include sshd + include timezone + include syslog-ng::vserver + + backupninja::sys { "sys": + ensure => present, + partitions => false, + hardware => false, + dosfdisk => false, + dohwinfo => false, + } + + $hosting_type = $node_hosting_type ? { + '' => "direct", + default => "$node_hosting_type", + } + + case $hosting_type { + "direct": { + # Apply munin configuration for this node for + # directly hosted nodes. + Munin_node <<| title == $hostname |>> + } + "third-party": { + # Apply munin configuration for this node for third-party + # hosted nodes. + munin_node { "$hostname": } + } + } + + # Define a vserver instance + define instance($context, $ensure = 'running', $proxy = false, + $puppetmaster = false, $gitd = false, + $icecast = false, $sound = false, $ticket = false, + $memory_limit = false) { + + # set instance id + if $context < 9 { + $id = "0$context" + } else { + $id = $context + } + + vserver { $name: + ensure => $ensure, + context => "$context", + mark => 'default', + distro => 'lenny', + interface => "eth0:192.168.0.$context/24", + hostname => "$name.$domain", + memory_limit => $memory_limit, + } + + # Some nodes need a lot of space at /tmp otherwise some admin + # tasks like backups might not run. + file { "/etc/vservers/${name}/fstab": + source => "puppet://$server/modules/nodo/etc/fstab/vserver", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + notify => Exec["vs_restart_${name}"], + require => Exec["vs_create_${name}"], + } + + # Create a munin virtual resource to be realized in the node + @@munin_node { "$name": + port => "49$id", + } + + # Sound support + if $sound { + if !defined(File["/usr/local/sbin/create-sound-devices"]) { + file { "/usr/local/sbin/create-sound-devices": + ensure => present, + source => "puppet://$server/modules/nodo/sound/devices.sh", + owner => root, + group => root, + mode => 755, + } + } + exec { "/usr/local/sbin/create-sound-devices ${name}": + unless => "/usr/local/sbin/create-sound-devices ${name} --check", + user => root, + require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ], + } + } + + # Apply firewall rules just for running vservers + case $ensure { + 'running': { + + shorewall::rule { "ssh-$context-1": + action => 'DNAT', + source => 'net', + destination => "vm:192.168.0.$context:22", + proto => 'tcp', + destinationport => "22$id", + ratelimit => '-', + order => "2$id", + } + + shorewall::rule { "ssh-$context-2": + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:22", + proto => 'tcp', + destinationport => "22$id", + originaldest => "$ipaddress", + ratelimit => '-', + order => "3$id", + } + + shorewall::rule { "munin-$context-1": + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:49$id", + proto => 'tcp', + destinationport => "49$id", + ratelimit => '-', + order => "4$id", + } + + shorewall::rule { "munin-$context-2": + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:49$id", + proto => 'tcp', + destinationport => "49$id", + originaldest => "$ipaddress", + ratelimit => '-', + order => "5$id", + } + + if $proxy { + shorewall::rule { 'http-route-1': + action => 'DNAT', + source => 'net', + destination => "vm:192.168.0.$context:80", + proto => 'tcp', + destinationport => '80', + ratelimit => '-', + order => '600', + } + + shorewall::rule { 'http-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:80", + proto => 'tcp', + destinationport => '80', + originaldest => "$ipaddress", + ratelimit => '-', + order => '601', + } + + shorewall::rule { 'https-route-1': + action => 'DNAT', + source => 'net', + destination => "vm:192.168.0.$context:443", + proto => 'tcp', + destinationport => '443', + ratelimit => '-', + order => '602', + } + + shorewall::rule { 'https-route-2': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:443", + proto => 'tcp', + destinationport => '443', + originaldest => "$ipaddress", + ratelimit => '-', + order => '602', + } + } + + if $puppetmaster { + shorewall::rule { 'puppetmaster-1': + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:8140", + proto => 'tcp', + destinationport => '8140', + ratelimit => '-', + order => '700', + } + + shorewall::rule { 'puppetmaster-2': + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:8140", + proto => 'udp', + destinationport => '8140', + ratelimit => '-', + order => '701', + } + + shorewall::rule { 'puppetmaster-3': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:8140", + proto => 'tcp', + destinationport => '8140', + originaldest => "$ipaddress", + ratelimit => '-', + order => '702', + } + + shorewall::rule { 'puppetmaster-4': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:8140", + proto => 'udp', + destinationport => '8140', + originaldest => "$ipaddress", + ratelimit => '-', + order => '703', + } + + shorewall::rule { 'puppetmaster-5': + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:8141", + proto => 'tcp', + destinationport => '8141', + ratelimit => '-', + order => '704', + } + + shorewall::rule { 'puppetmaster-6': + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:8141", + proto => 'udp', + destinationport => '8141', + ratelimit => '-', + order => '705', + } + + shorewall::rule { 'puppetmaster-7': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:8141", + proto => 'tcp', + destinationport => '8141', + originaldest => "$ipaddress", + ratelimit => '-', + order => '706', + } + + shorewall::rule { 'puppetmaster-8': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:8141", + proto => 'udp', + destinationport => '8141', + originaldest => "$ipaddress", + ratelimit => '-', + order => '707', + } + } + + if $gitd { + shorewall::rule { 'git-daemon-1': + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:9418", + proto => 'tcp', + destinationport => '9418', + ratelimit => '-', + order => '800', + } + + shorewall::rule { 'git-daemon-2': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:9418", + proto => 'tcp', + destinationport => '9418', + originaldest => "$ipaddress", + ratelimit => '-', + order => '801', + } + } + + if $icecast { + shorewall::rule { 'icecast-1': + action => 'DNAT', + source => 'net', + destination => "fw:192.168.0.$context:8000", + proto => 'tcp', + destinationport => '8000', + ratelimit => '-', + order => '900', + } + + shorewall::rule { 'icecast-2': + action => 'DNAT', + source => '$FW', + destination => "fw:192.168.0.$context:8000", + proto => 'tcp', + destinationport => '8000', + originaldest => "$ipaddress", + ratelimit => '-', + order => '901', + } + } + } + } + } +} |