aboutsummaryrefslogtreecommitdiff
path: root/manifests/vserver
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/vserver')
-rw-r--r--manifests/vserver/instance.pp190
1 files changed, 190 insertions, 0 deletions
diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp
new file mode 100644
index 0000000..c2ad6e9
--- /dev/null
+++ b/manifests/vserver/instance.pp
@@ -0,0 +1,190 @@
+# Define a vserver instance
+define vserver::instance($context, $ensure = 'running', $proxy = false,
+ $puppetmaster = false, $gitd = false, $mail = false,
+ $icecast = false, $sound = false, $tor = false,
+ $ticket = false, $memory_limit = false, $distro = 'squeeze',
+ $dns = false, $munin_port = false, $monkeysphere_ssh_port = false,
+ $jabber = false, $mumble = false, $gobby = false, $yacy = false, $rsync = false) {
+
+ # set instance id
+ if $context <= 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ # set puppetmaster ssl port
+ case $puppetmaster_port {
+ '': { $puppetmaster_port = "8140" }
+ }
+
+ # set puppetmaster non-ssl port
+ case $puppetmaster_nonssl_port {
+ '': { $puppetmaster_nonssl_port = "8141" }
+ }
+
+ # set tor port
+ case $tor_port {
+ '': { $tor_port = "9001" }
+ }
+
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => $distro,
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ memory_limit => $memory_limit,
+ }
+
+ # Some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ file { "/etc/vservers/${name}/fstab":
+ source => [ "puppet:///modules/site-nodo/etc/fstab/vserver/$name",
+ "puppet:///modules/nodo/etc/fstab/vserver" ],
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Exec["vs_restart_${name}"],
+ require => Exec["vs_create_${name}"],
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ @@munin_node { "$name":
+ port => $munin_port ? {
+ false => "49$id",
+ default => $munin_port,
+ }
+ }
+
+ # Create a monkeysphere virtual resource to be realized in the node
+ @@monkeysphere_host { "$name":
+ port => $monkeysphere_ssh_port ? {
+ false => "22$id",
+ default => $monkeysphere_ssh_port,
+ }
+ }
+
+ # Sound support
+ if $sound {
+ if !defined(File["/usr/local/sbin/create-sound-devices"]) {
+ file { "/usr/local/sbin/create-sound-devices":
+ ensure => present,
+ source => "puppet:///modules/nodo/sound/devices.sh",
+ owner => root,
+ group => root,
+ mode => 755,
+ }
+ }
+ exec { "/usr/local/sbin/create-sound-devices ${name}":
+ unless => "/usr/local/sbin/create-sound-devices ${name} --check",
+ user => root,
+ require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ],
+ }
+ }
+
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+ '' => $firewall_global_ssl_ratelimit ? {
+ '' => '-',
+ default => $firewall_global_ssl_ratelimit,
+ },
+ default => $firewall_ssl_ratelimit,
+ }
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+ firewall::vserver::ssh { "$name":
+ destination => "192.168.0.$context",
+ port_orig => "22$id",
+ port_dest => "22",
+ }
+
+ firewall::vserver::munin { "$name":
+ destination => "192.168.0.$context",
+ port_orig => "49$id",
+ port_dest => "49$id",
+ }
+
+ if $proxy {
+ class {
+ "firewall::vserver::http": destination => "192.168.0.$context";
+ "firewall::vserver::https": destination => "192.168.0.$context";
+ }
+ }
+
+ if $puppetmaster {
+ class {
+ "firewall::vserver::puppetmaster":
+ destination => "192.168.0.$context",
+ puppetmaster_port => $puppetmaster_port,
+ puppetmaster_nonssl_port => $puppetmaster_nonssl_port,
+ }
+ }
+
+ if $gitd {
+ class {
+ "firewall::vserver::gitd": destination => "192.168.0.$context";
+ }
+ }
+
+ if $icecast {
+ class {
+ "firewall::vserver::icecast": destination => "192.168.0.$context";
+ }
+ }
+
+ if $mail {
+ class {
+ "firewall::vserver::mail": destination => "192.168.0.$context";
+ }
+ }
+
+ if $dns {
+ class {
+ "firewall::vserver::dns": destination => "192.168.0.$context";
+ }
+ }
+
+ if $tor {
+ class {
+ "firewall::vserver::tor": destination => "192.168.0.$context";
+ }
+ }
+
+ if $jabber {
+ class {
+ "firewall::vserver::jabber": destination => "192.168.0.$context";
+ }
+ }
+
+ if $mumble {
+ class {
+ "firewall::vserver::mumble": destination => "192.168.0.$context";
+ }
+ }
+
+ if $gobby {
+ class {
+ "firewall::vserver::gobby": destination => "192.168.0.$context";
+ }
+ }
+
+ if $yacy {
+ class {
+ "firewall::vserver::yacy": destination => "192.168.0.$context";
+ }
+ }
+
+ if $rsync {
+ class {
+ "firewall::vserver::rsync": destination => "192.168.0.$context";
+ }
+ }
+ }
+ }
+}