aboutsummaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/vserver.pp190
-rw-r--r--manifests/vserver/instance.pp190
2 files changed, 190 insertions, 190 deletions
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index 8cebffe..94c10ee 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -53,194 +53,4 @@ class nodo::vserver inherits nodo {
}
}
- # Define a vserver instance
- define instance($context, $ensure = 'running', $proxy = false,
- $puppetmaster = false, $gitd = false, $mail = false,
- $icecast = false, $sound = false, $tor = false,
- $ticket = false, $memory_limit = false, $distro = 'squeeze',
- $dns = false, $munin_port = false, $monkeysphere_ssh_port = false,
- $jabber = false, $mumble = false, $gobby = false, $yacy = false, $rsync = false) {
-
- # set instance id
- if $context <= 9 {
- $id = "0$context"
- } else {
- $id = $context
- }
-
- # set puppetmaster ssl port
- case $puppetmaster_port {
- '': { $puppetmaster_port = "8140" }
- }
-
- # set puppetmaster non-ssl port
- case $puppetmaster_nonssl_port {
- '': { $puppetmaster_nonssl_port = "8141" }
- }
-
- # set tor port
- case $tor_port {
- '': { $tor_port = "9001" }
- }
-
- vserver { $name:
- ensure => $ensure,
- context => "$context",
- mark => 'default',
- distro => $distro,
- interface => "eth0:192.168.0.$context/24",
- hostname => "$name.$domain",
- memory_limit => $memory_limit,
- }
-
- # Some nodes need a lot of space at /tmp otherwise some admin
- # tasks like backups might not run.
- file { "/etc/vservers/${name}/fstab":
- source => [ "puppet:///modules/site-nodo/etc/fstab/vserver/$name",
- "puppet:///modules/nodo/etc/fstab/vserver" ],
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- notify => Exec["vs_restart_${name}"],
- require => Exec["vs_create_${name}"],
- }
-
- # Create a munin virtual resource to be realized in the node
- @@munin_node { "$name":
- port => $munin_port ? {
- false => "49$id",
- default => $munin_port,
- }
- }
-
- # Create a monkeysphere virtual resource to be realized in the node
- @@monkeysphere_host { "$name":
- port => $monkeysphere_ssh_port ? {
- false => "22$id",
- default => $monkeysphere_ssh_port,
- }
- }
-
- # Sound support
- if $sound {
- if !defined(File["/usr/local/sbin/create-sound-devices"]) {
- file { "/usr/local/sbin/create-sound-devices":
- ensure => present,
- source => "puppet:///modules/nodo/sound/devices.sh",
- owner => root,
- group => root,
- mode => 755,
- }
- }
- exec { "/usr/local/sbin/create-sound-devices ${name}":
- unless => "/usr/local/sbin/create-sound-devices ${name} --check",
- user => root,
- require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ],
- }
- }
-
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
- '' => $firewall_global_ssl_ratelimit ? {
- '' => '-',
- default => $firewall_global_ssl_ratelimit,
- },
- default => $firewall_ssl_ratelimit,
- }
-
- # Apply firewall rules just for running vservers
- case $ensure {
- 'running': {
- firewall::vserver::ssh { "$name":
- destination => "192.168.0.$context",
- port_orig => "22$id",
- port_dest => "22",
- }
-
- firewall::vserver::munin { "$name":
- destination => "192.168.0.$context",
- port_orig => "49$id",
- port_dest => "49$id",
- }
-
- if $proxy {
- class {
- "firewall::vserver::http": destination => "192.168.0.$context";
- "firewall::vserver::https": destination => "192.168.0.$context";
- }
- }
-
- if $puppetmaster {
- class {
- "firewall::vserver::puppetmaster":
- destination => "192.168.0.$context",
- puppetmaster_port => $puppetmaster_port,
- puppetmaster_nonssl_port => $puppetmaster_nonssl_port,
- }
- }
-
- if $gitd {
- class {
- "firewall::vserver::gitd": destination => "192.168.0.$context";
- }
- }
-
- if $icecast {
- class {
- "firewall::vserver::icecast": destination => "192.168.0.$context";
- }
- }
-
- if $mail {
- class {
- "firewall::vserver::mail": destination => "192.168.0.$context";
- }
- }
-
- if $dns {
- class {
- "firewall::vserver::dns": destination => "192.168.0.$context";
- }
- }
-
- if $tor {
- class {
- "firewall::vserver::tor": destination => "192.168.0.$context";
- }
- }
-
- if $jabber {
- class {
- "firewall::vserver::jabber": destination => "192.168.0.$context";
- }
- }
-
- if $mumble {
- class {
- "firewall::vserver::mumble": destination => "192.168.0.$context";
- }
- }
-
- if $gobby {
- class {
- "firewall::vserver::gobby": destination => "192.168.0.$context";
- }
- }
-
- if $yacy {
- class {
- "firewall::vserver::yacy": destination => "192.168.0.$context";
- }
- }
-
- if $rsync {
- class {
- "firewall::vserver::rsync": destination => "192.168.0.$context";
- }
- }
- }
- }
- }
}
diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp
new file mode 100644
index 0000000..c2ad6e9
--- /dev/null
+++ b/manifests/vserver/instance.pp
@@ -0,0 +1,190 @@
+# Define a vserver instance
+define vserver::instance($context, $ensure = 'running', $proxy = false,
+ $puppetmaster = false, $gitd = false, $mail = false,
+ $icecast = false, $sound = false, $tor = false,
+ $ticket = false, $memory_limit = false, $distro = 'squeeze',
+ $dns = false, $munin_port = false, $monkeysphere_ssh_port = false,
+ $jabber = false, $mumble = false, $gobby = false, $yacy = false, $rsync = false) {
+
+ # set instance id
+ if $context <= 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ # set puppetmaster ssl port
+ case $puppetmaster_port {
+ '': { $puppetmaster_port = "8140" }
+ }
+
+ # set puppetmaster non-ssl port
+ case $puppetmaster_nonssl_port {
+ '': { $puppetmaster_nonssl_port = "8141" }
+ }
+
+ # set tor port
+ case $tor_port {
+ '': { $tor_port = "9001" }
+ }
+
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => $distro,
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ memory_limit => $memory_limit,
+ }
+
+ # Some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ file { "/etc/vservers/${name}/fstab":
+ source => [ "puppet:///modules/site-nodo/etc/fstab/vserver/$name",
+ "puppet:///modules/nodo/etc/fstab/vserver" ],
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Exec["vs_restart_${name}"],
+ require => Exec["vs_create_${name}"],
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ @@munin_node { "$name":
+ port => $munin_port ? {
+ false => "49$id",
+ default => $munin_port,
+ }
+ }
+
+ # Create a monkeysphere virtual resource to be realized in the node
+ @@monkeysphere_host { "$name":
+ port => $monkeysphere_ssh_port ? {
+ false => "22$id",
+ default => $monkeysphere_ssh_port,
+ }
+ }
+
+ # Sound support
+ if $sound {
+ if !defined(File["/usr/local/sbin/create-sound-devices"]) {
+ file { "/usr/local/sbin/create-sound-devices":
+ ensure => present,
+ source => "puppet:///modules/nodo/sound/devices.sh",
+ owner => root,
+ group => root,
+ mode => 755,
+ }
+ }
+ exec { "/usr/local/sbin/create-sound-devices ${name}":
+ unless => "/usr/local/sbin/create-sound-devices ${name} --check",
+ user => root,
+ require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ],
+ }
+ }
+
+ # SSL computational DoS mitigation
+ # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+ $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+ '' => $firewall_global_ssl_ratelimit ? {
+ '' => '-',
+ default => $firewall_global_ssl_ratelimit,
+ },
+ default => $firewall_ssl_ratelimit,
+ }
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+ firewall::vserver::ssh { "$name":
+ destination => "192.168.0.$context",
+ port_orig => "22$id",
+ port_dest => "22",
+ }
+
+ firewall::vserver::munin { "$name":
+ destination => "192.168.0.$context",
+ port_orig => "49$id",
+ port_dest => "49$id",
+ }
+
+ if $proxy {
+ class {
+ "firewall::vserver::http": destination => "192.168.0.$context";
+ "firewall::vserver::https": destination => "192.168.0.$context";
+ }
+ }
+
+ if $puppetmaster {
+ class {
+ "firewall::vserver::puppetmaster":
+ destination => "192.168.0.$context",
+ puppetmaster_port => $puppetmaster_port,
+ puppetmaster_nonssl_port => $puppetmaster_nonssl_port,
+ }
+ }
+
+ if $gitd {
+ class {
+ "firewall::vserver::gitd": destination => "192.168.0.$context";
+ }
+ }
+
+ if $icecast {
+ class {
+ "firewall::vserver::icecast": destination => "192.168.0.$context";
+ }
+ }
+
+ if $mail {
+ class {
+ "firewall::vserver::mail": destination => "192.168.0.$context";
+ }
+ }
+
+ if $dns {
+ class {
+ "firewall::vserver::dns": destination => "192.168.0.$context";
+ }
+ }
+
+ if $tor {
+ class {
+ "firewall::vserver::tor": destination => "192.168.0.$context";
+ }
+ }
+
+ if $jabber {
+ class {
+ "firewall::vserver::jabber": destination => "192.168.0.$context";
+ }
+ }
+
+ if $mumble {
+ class {
+ "firewall::vserver::mumble": destination => "192.168.0.$context";
+ }
+ }
+
+ if $gobby {
+ class {
+ "firewall::vserver::gobby": destination => "192.168.0.$context";
+ }
+ }
+
+ if $yacy {
+ class {
+ "firewall::vserver::yacy": destination => "192.168.0.$context";
+ }
+ }
+
+ if $rsync {
+ class {
+ "firewall::vserver::rsync": destination => "192.168.0.$context";
+ }
+ }
+ }
+ }
+}