Diffstat (limited to 'manifests')
-rw-r--r--manifests/firewall.pp214
-rw-r--r--manifests/firewire.pp17
-rw-r--r--manifests/init.pp301
-rw-r--r--manifests/initramfs.pp25
-rw-r--r--manifests/lsb.pp4
-rw-r--r--manifests/motd.pp17
-rw-r--r--manifests/sudo.pp14
-rw-r--r--manifests/sysctl.pp16
8 files changed, 608 insertions, 0 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
new file mode 100644
index 0000000..9083384
--- /dev/null
+++ b/manifests/firewall.pp
@@ -0,0 +1,214 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "2mbit",
+ out_bandwidth => "1mbit",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
+ }
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
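Review bot: The DMZ policies declared under `if $shorewall_dmz` (orders 6–8) sort after the catch-all `all-all` REJECT at order 5, and if the shorewall module's `order` parameter governs line order in the generated policy file, Shorewall's first-match evaluation means `dmz-all`, `vm-dmz` and `fw-dmz` never take effect; giving the catch-all the highest order, e.g. `order => '99',` on `all-all`, keeps the DMZ policies reachable. Even when reachable, `dmz-all` ACCEPT lets DMZ hosts initiate connections into the vm and firewall zones, which defeats the usual purpose of a DMZ, so a narrower destination zone is worth considering. The `ssh` rule accepts from net to `$FW` with `ratelimit => '-'`; a rate limit on that rule would blunt password-guessing against sshd, which init.pp in this same commit configures with password authentication enabled.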
diff --git a/manifests/firewire.pp b/manifests/firewire.pp
new file mode 100644
index 0000000..1c9609a
--- /dev/null
+++ b/manifests/firewire.pp
@@ -0,0 +1,17 @@
+class firewire {
+ # keep firewire disabled
+ # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
+ file { "/etc/modprobe.d/blacklist":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist",
+ }
+
+ # make sure ohci1394 is not loaded
+ exec { "rmmod ohci1394":
+ unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+ user => "root",
+ }
+}
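Review bot: The `rmmod ohci1394` exec at line 255 is neither fully qualified nor given a `path`, so Puppet will reject it at apply time; `command => "/sbin/rmmod ohci1394",` fixes that. The `unless` guard relies on command-substituting the (empty) output of `grep -q` into an empty command and inheriting its exit status, which works in POSIX sh but is obscure; `onlyif => "/bin/grep -q ^ohci1394 /proc/modules",` expresses the same condition directly. `/etc/modprobe.d/blacklist` is managed here but `update-initramfs` in initramfs.pp subscribes to it, so the two classes depend on each other without either declaring it; a comment such as `# initramfs.pp subscribes to this file` would record the coupling.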
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..443e612
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,301 @@
+#
+# Nodo class definitions
+#
+
+import "firewall.pp"
+import "firewire.pp"
+import "initramfs.pp"
+import "lsb.pp"
+import "motd.pp"
+import "sudo.pp"
+import "sysctl.pp"
+
+class nodo {
+ include lsb
+ include puppetd
+ include backup
+ include exim
+ include sudo
+ include users::admin
+ include motd
+
+ # Set timezone and ntp config
+ #
+ # We config those here but leave class inclusion elsewhere
+ # as ntp config differ from server to vserver.
+ #
+ $ntp_timezone = "Brazil/East"
+ $ntp_pool = "south-america.pool.ntp.org"
+ $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
+
+ # Monkeysphere
+ #
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #
+ $monkeysphere_publish_key = false
+ include monkeysphere
+
+ # Apt configuration
+ $backports_enabled = true
+ $apt_update_method = cron
+ include apt
+
+ file { "/etc/hostname":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "$fqdn\n",
+ }
+
+ host { "$hostname":
+ ensure => present,
+ ip => "$ipaddress",
+ alias => [ "$fqdn" ],
+ }
+
+ file { "/etc/rc.local":
+ source => "puppet://$server/modules/nodo/etc/rc.local",
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ ensure => present,
+ }
+}
+
+class nodo::server inherits nodo {
+ include syslog-ng
+ include ntpdate
+ include firewall
+ include vserver::host
+ include initramfs
+ include firewire
+ include sysctl
+
+ # DNS resolver
+ $resolvconf_domain = "$domain"
+ $resolvconf_search = "$fqdn"
+ include resolvconf
+
+ # SSH Server
+ #
+ # We need to restrict listen address so multiple instances
+ # can live together in the same physical host.
+ #
+ $sshd_listen_address = [ "$ipaddress" ]
+ $sshd_password_authentication = "yes"
+ include sshd
+
+ # Munin
+ #$munin_port = "4901"
+ #include munin::client
+
+ backupninja::sys { "sys":
+ ensure => present,
+ }
+
+ # fstab
+ file { "/etc/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # crypttab
+ file { "/etc/crypttab":
+ source => "puppet://$server/modules/nodo/etc/crypttab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+}
+
+class nodo::vserver inherits nodo {
+ $sshd_password_authentication = "yes"
+ $sshd_internal_ip = "yes"
+ include sshd
+ include timezone
+ include syslog-ng::vserver
+
+ backupninja::sys { "sys":
+ ensure => present,
+ partitions => false,
+ hardware => false,
+ dosfdisk => false,
+ dohwinfo => false,
+ }
+
+ define munin($type, $id) {
+ # Use one port for each node
+ $munin_port = "49$id"
+ case $type {
+ 'host': {
+ include munin::host
+ include munin::client
+ }
+ 'client': {
+ include munin::client
+ }
+ }
+ }
+
+ # Apply the munin configuration for this host
+ #Nodo::vserver::munin <| tag == $name |>
+
+ # Define a vserver instance
+ define instance($context, $ensure = 'running', $proxy = false, $puppetmaster = false, $gitd = false, $munin = 'client') {
+
+ # set instance id
+ if $context < 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ # TODO: some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => 'lenny',
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ #@nodo::vserver::munin {
+ # type => $munin,
+ # id => $id,
+ # tag => $name,
+ #}
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+
+ shorewall::rule { "ssh-$context":
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ ratelimit => '-',
+ order => "2$id",
+ }
+
+ if $proxy {
+ shorewall::rule { 'http-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '300',
+ }
+
+ shorewall::rule { 'https-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '301',
+ }
+ }
+
+ if $puppetmaster {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '302',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '303',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '304',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '305',
+ }
+ }
+
+ if $gitd {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '306',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "vm:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '307',
+ }
+ }
+ }
+ }
+ }
+}
+
+class nodo::web inherits nodo::vserver {
+ include git-daemon
+ include websites
+ include mysql::server
+ include users::virtual
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+}
+
+class nodo::proxy inherits nodo::vserver {
+ include nginx
+}
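Review bot: The instance id padding at `if $context < 9` is off by one: context 9 yields `$id = "9"`, so its DNAT port becomes `229` and order `29`, breaking the two-digit scheme that contexts 1–8 and 10+ follow; `if $context < 10 {` is the intended test. The rule titles `http-route`, `https-route`, `puppetmaster-1..4` and `git-daemon-1/2` are not parameterised by `$context`, so declaring two instances with `$proxy`, `$puppetmaster` or `$gitd` set fails with a duplicate resource declaration; suffixing them like `ssh-$context` avoids that. The puppetmaster rules and `git-daemon-1` DNAT to `fw:192.168.0.$context:...` while every other rule targets the `vm` zone, which looks like a copy-paste inconsistency worth confirming against the zone layout in firewall.pp. Both nodo::server and nodo::vserver set `$sshd_password_authentication = "yes"` for sshd instances reachable from net through the `ssh` and `ssh-$context` rules; key-only authentication, or at least a rate limit on those rules, would reduce brute-force exposure.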
diff --git a/manifests/initramfs.pp b/manifests/initramfs.pp
new file mode 100644
index 0000000..3b37f65
--- /dev/null
+++ b/manifests/initramfs.pp
@@ -0,0 +1,25 @@
+class initramfs {
+ # initramfs config
+ file { "/etc/kernel-img.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "do_initrd = Yes\n",
+ }
+
+ # initramfs config
+ file { "/etc/initramfs-tools/modules":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
+ }
+
+ # update initramfs when needed
+ exec { "update-initramfs -v -u":
+ subscribe => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
+ refreshonly => true,
+ }
+}
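Review bot: The `update-initramfs -v -u` exec at line 593 has no `path` and is not fully qualified, so Puppet will reject it when the refresh fires; `command => "/usr/sbin/update-initramfs -v -u",` resolves that. It also subscribes to `File["/etc/modprobe.d/blacklist"]`, which is declared in class firewire, so including initramfs without firewire fails catalog compilation; either `include firewire` here or record the coupling with `# requires class firewire for /etc/modprobe.d/blacklist`. The two `# initramfs config` comments at lines 574 and 583 say the same thing for different files; the first one should say it enables initrd generation via kernel-img.conf.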
diff --git a/manifests/lsb.pp b/manifests/lsb.pp
new file mode 100644
index 0000000..4516470
--- /dev/null
+++ b/manifests/lsb.pp
@@ -0,0 +1,4 @@
+class lsb {
+ package { "lsb-release": ensure => installed, }
+ include assert_lsbdistcodename
+}
diff --git a/manifests/motd.pp b/manifests/motd.pp
new file mode 100644
index 0000000..c8029bf
--- /dev/null
+++ b/manifests/motd.pp
@@ -0,0 +1,17 @@
+class motd {
+ # http://projects.reductivelabs.com/issues/1915
+ file { "/var/run/motd":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => file,
+ content => "This is $fqdn from the $network_name.\n",
+ }
+
+ file { "/etc/motd":
+ owner => "root",
+ group => "root",
+ ensure => "/var/run/motd",
+ require => File["/var/run/motd"],
+ }
+}
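Review bot: `ensure => "/var/run/motd"` on `/etc/motd` relies on the legacy shortcut of giving a path as the ensure value to mean a symlink; `ensure => link, target => "/var/run/motd",` states the intent explicitly and reads consistently with the other `ensure` values in this commit. `$network_name` is not set anywhere in these manifests, so the motd text depends on a top-scope variable defined elsewhere; a comment naming where it is expected to come from would help the next reader.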
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
new file mode 100644
index 0000000..c5679fd
--- /dev/null
+++ b/manifests/sudo.pp
@@ -0,0 +1,14 @@
+class sudo {
+
+ package { "sudo":
+ ensure => "present",
+ }
+
+ file { "/etc/sudoers":
+ source => "puppet://$server/modules/nodo/etc/sudoers",
+ owner => "root",
+ group => "root",
+ mode => 440,
+ require => Package["sudo"],
+ }
+}
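Review bot: `mode => 440` on `/etc/sudoers` is the only mode in this commit written without a leading zero (every other file uses `0644` or `0755`); Puppet treats both forms as octal, but `mode => 0440,` keeps the style uniform and removes any doubt about whether decimal 440 was meant. Since a malformed sudoers locks every admin out of privilege escalation, validating the file before it is installed, e.g. `validate_cmd => '/usr/sbin/visudo -c -f %',` where the Puppet version in use supports that attribute, is worth the extra line.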
diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
new file mode 100644
index 0000000..3bd028c
--- /dev/null
+++ b/manifests/sysctl.pp
@@ -0,0 +1,16 @@
+class sysctl {
+ # root exploit fix, see http://wiki.debian.org/mmap_min_addr
+ # TODO: remove in the future or use a sysctl puppet module
+ file { "/etc/sysctl.d/mmap_min_addr.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "vm.mmap_min_addr = 4096\n",
+ }
+
+ exec { "/etc/init.d/procps restart":
+ subscribe => File["/etc/sysctl.d/mmap_min_addr.conf"],
+ refreshonly => true,
+ }
+}