diff options
Diffstat (limited to 'manifests/vserver/instance.pp')
-rw-r--r-- | manifests/vserver/instance.pp | 190 |
1 files changed, 190 insertions, 0 deletions
diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp new file mode 100644 index 0000000..c2ad6e9 --- /dev/null +++ b/manifests/vserver/instance.pp @@ -0,0 +1,190 @@ +# Define a vserver instance +define vserver::instance($context, $ensure = 'running', $proxy = false, + $puppetmaster = false, $gitd = false, $mail = false, + $icecast = false, $sound = false, $tor = false, + $ticket = false, $memory_limit = false, $distro = 'squeeze', + $dns = false, $munin_port = false, $monkeysphere_ssh_port = false, + $jabber = false, $mumble = false, $gobby = false, $yacy = false, $rsync = false) { + + # set instance id + if $context <= 9 { + $id = "0$context" + } else { + $id = $context + } + + # set puppetmaster ssl port + case $puppetmaster_port { + '': { $puppetmaster_port = "8140" } + } + + # set puppetmaster non-ssl port + case $puppetmaster_nonssl_port { + '': { $puppetmaster_nonssl_port = "8141" } + } + + # set tor port + case $tor_port { + '': { $tor_port = "9001" } + } + + vserver { $name: + ensure => $ensure, + context => "$context", + mark => 'default', + distro => $distro, + interface => "eth0:192.168.0.$context/24", + hostname => "$name.$domain", + memory_limit => $memory_limit, + } + + # Some nodes need a lot of space at /tmp otherwise some admin + # tasks like backups might not run. + file { "/etc/vservers/${name}/fstab": + source => [ "puppet:///modules/site-nodo/etc/fstab/vserver/$name", + "puppet:///modules/nodo/etc/fstab/vserver" ], + owner => "root", + group => "root", + mode => 0644, + ensure => present, + notify => Exec["vs_restart_${name}"], + require => Exec["vs_create_${name}"], + } + + # Create a munin virtual resource to be realized in the node + @@munin_node { "$name": + port => $munin_port ? { + false => "49$id", + default => $munin_port, + } + } + + # Create a monkeysphere virtual resource to be realized in the node + @@monkeysphere_host { "$name": + port => $monkeysphere_ssh_port ? { + false => "22$id", + default => $monkeysphere_ssh_port, + } + } + + # Sound support + if $sound { + if !defined(File["/usr/local/sbin/create-sound-devices"]) { + file { "/usr/local/sbin/create-sound-devices": + ensure => present, + source => "puppet:///modules/nodo/sound/devices.sh", + owner => root, + group => root, + mode => 755, + } + } + exec { "/usr/local/sbin/create-sound-devices ${name}": + unless => "/usr/local/sbin/create-sound-devices ${name} --check", + user => root, + require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ], + } + } + + # SSL computational DoS mitigation + # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html + $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? { + '' => $firewall_global_ssl_ratelimit ? { + '' => '-', + default => $firewall_global_ssl_ratelimit, + }, + default => $firewall_ssl_ratelimit, + } + + # Apply firewall rules just for running vservers + case $ensure { + 'running': { + firewall::vserver::ssh { "$name": + destination => "192.168.0.$context", + port_orig => "22$id", + port_dest => "22", + } + + firewall::vserver::munin { "$name": + destination => "192.168.0.$context", + port_orig => "49$id", + port_dest => "49$id", + } + + if $proxy { + class { + "firewall::vserver::http": destination => "192.168.0.$context"; + "firewall::vserver::https": destination => "192.168.0.$context"; + } + } + + if $puppetmaster { + class { + "firewall::vserver::puppetmaster": + destination => "192.168.0.$context", + puppetmaster_port => $puppetmaster_port, + puppetmaster_nonssl_port => $puppetmaster_nonssl_port, + } + } + + if $gitd { + class { + "firewall::vserver::gitd": destination => "192.168.0.$context"; + } + } + + if $icecast { + class { + "firewall::vserver::icecast": destination => "192.168.0.$context"; + } + } + + if $mail { + class { + "firewall::vserver::mail": destination => "192.168.0.$context"; + } + } + + if $dns { + class { + "firewall::vserver::dns": destination => "192.168.0.$context"; + } + } + + if $tor { + class { + "firewall::vserver::tor": destination => "192.168.0.$context"; + } + } + + if $jabber { + class { + "firewall::vserver::jabber": destination => "192.168.0.$context"; + } + } + + if $mumble { + class { + "firewall::vserver::mumble": destination => "192.168.0.$context"; + } + } + + if $gobby { + class { + "firewall::vserver::gobby": destination => "192.168.0.$context"; + } + } + + if $yacy { + class { + "firewall::vserver::yacy": destination => "192.168.0.$context"; + } + } + + if $rsync { + class { + "firewall::vserver::rsync": destination => "192.168.0.$context"; + } + } + } + } +} |