Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/firewall.pp | 214 | ||||
-rw-r--r-- | manifests/firewire.pp | 17 | ||||
-rw-r--r-- | manifests/init.pp | 301 | ||||
-rw-r--r-- | manifests/initramfs.pp | 25 | ||||
-rw-r--r-- | manifests/lsb.pp | 4 | ||||
-rw-r--r-- | manifests/motd.pp | 17 | ||||
-rw-r--r-- | manifests/sudo.pp | 14 | ||||
-rw-r--r-- | manifests/sysctl.pp | 16 |
8 files changed, 608 insertions, 0 deletions
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
new file mode 100644
index 0000000..9083384
--- /dev/null
+++ b/manifests/firewall.pp
@@ -0,0 +1,214 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "2mbit",
+ out_bandwidth => "1mbit",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
+ }
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
diff --git a/manifests/firewire.pp b/manifests/firewire.pp
new file mode 100644
index 0000000..1c9609a
--- /dev/null
+++ b/manifests/firewire.pp
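Review bot: The `ssh` rule accepts SSH from `net` to `$FW` with `ratelimit => '-'`, so nothing in this hunk bounds connection attempts against the host's SSH port, and `nodo::server` in the same commit turns on password authentication for that daemon. Shorewall's RATE LIMIT column takes `s:[name:]rate/unit[:burst]`, so `ratelimit => 's:ssh:3/min:5',` on this one rule caps new connections per source address without touching the policies. The `$rfc1918` selector maps `true`, `false` and `default` to the values `$shorewall_dmz` already holds; `$rfc1918 = $shorewall_dmz ? { true => true, default => false }` says the same thing in fewer lines. `$shorewall_dmz` is not assigned anywhere in this hunk, presumably it is node-scope, so a one-line comment above the selector naming where it is set would help the next reader.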
@@ -0,0 +1,17 @@
+class firewire {
+ # keep firewire disabled
+ # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
+ file { "/etc/modprobe.d/blacklist":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist",
+ }
+
+ # make sure ohci1394 is not loaded
+ exec { "rmmod ohci1394":
+ unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+ user => "root",
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..443e612
--- /dev/null
+++ b/manifests/init.pp
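Review bot: `exec { "rmmod ohci1394": ... }` names a command without an absolute path and sets no `path`, so Puppet rejects it as not qualified even though the `unless` command is; the same applies to `"update-initramfs -v -u"` in initramfs.pp. The `unless` wrapper also relies on the shell treating an empty command as having the exit status of the backtick substitution, which is valid POSIX sh but obscure, and `^ohci1394` would also match any module whose name merely starts with that string. `exec { "/sbin/rmmod ohci1394": onlyif => "/bin/grep -q '^ohci1394 ' /proc/modules", user => "root", }` states the intent directly.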
@@ -0,0 +1,301 @@
+#
+# Nodo class definitions
+#
+
+import "firewall.pp"
+import "firewire.pp"
+import "initramfs.pp"
+import "lsb.pp"
+import "motd.pp"
+import "sudo.pp"
+import "sysctl.pp"
+
+class nodo {
+ include lsb
+ include puppetd
+ include backup
+ include exim
+ include sudo
+ include users::admin
+ include motd
+
+ # Set timezone and ntp config
+ #
+ # We config those here but leave class inclusion elsewhere
+ # as ntp config differ from server to vserver.
+ #
+ $ntp_timezone = "Brazil/East"
+ $ntp_pool = "south-america.pool.ntp.org"
+ $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ]
+
+ # Monkeysphere
+ #
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #
+ $monkeysphere_publish_key = false
+ include monkeysphere
+
+ # Apt configuration
+ $backports_enabled = true
+ $apt_update_method = cron
+ include apt
+
+ file { "/etc/hostname":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "$fqdn\n",
+ }
+
+ host { "$hostname":
+ ensure => present,
+ ip => "$ipaddress",
+ alias => [ "$fqdn" ],
+ }
+
+ file { "/etc/rc.local":
+ source => "puppet://$server/modules/nodo/etc/rc.local",
+ owner => "root",
+ group => "root",
+ mode => 0755,
+ ensure => present,
+ }
+}
+
+class nodo::server inherits nodo {
+ include syslog-ng
+ include ntpdate
+ include firewall
+ include vserver::host
+ include initramfs
+ include firewire
+ include sysctl
+
+ # DNS resolver
+ $resolvconf_domain = "$domain"
+ $resolvconf_search = "$fqdn"
+ include resolvconf
+
+ # SSH Server
+ #
+ # We need to restrict listen address so multiple instances
+ # can live together in the same physical host.
+ #
+ $sshd_listen_address = [ "$ipaddress" ]
+ $sshd_password_authentication = "yes"
+ include sshd
+
+ # Munin
+ #$munin_port = "4901"
+ #include munin::client
+
+ backupninja::sys { "sys":
+ ensure => present,
+ }
+
+ # fstab
+ file { "/etc/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # crypttab
+ file { "/etc/crypttab":
+ source => "puppet://$server/modules/nodo/etc/crypttab",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+}
+
+class nodo::vserver inherits nodo {
+ $sshd_password_authentication = "yes"
+ $sshd_internal_ip = "yes"
+ include sshd
+ include timezone
+ include syslog-ng::vserver
+
+ backupninja::sys { "sys":
+ ensure => present,
+ partitions => false,
+ hardware => false,
+ dosfdisk => false,
+ dohwinfo => false,
+ }
+
+ define munin($type, $id) {
+ # Use one port for each node
+ $munin_port = "49$id"
+ case $type {
+ 'host': {
+ include munin::host
+ include munin::client
+ }
+ 'client': {
+ include munin::client
+ }
+ }
+ }
+
+ # Apply the munin configuration for this host
+ #Nodo::vserver::munin <| tag == $name |>
+
+ # Define a vserver instance
+ define instance($context, $ensure = 'running', $proxy = false, $puppetmaster = false, $gitd = false, $munin = 'client') {
+
+ # set instance id
+ if $context < 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ # TODO: some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => 'lenny',
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ #@nodo::vserver::munin {
+ # type => $munin,
+ # id => $id,
+ # tag => $name,
+ #}
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+
+ shorewall::rule { "ssh-$context":
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ ratelimit => '-',
+ order => "2$id",
+ }
+
+ if $proxy {
+ shorewall::rule { 'http-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '300',
+ }
+
+ shorewall::rule { 'https-route':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '301',
+ }
+ }
+
+ if $puppetmaster {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '302',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '303',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '304',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '305',
+ }
+ }
+
+ if $gitd {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '306',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "vm:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '307',
+ }
+ }
+ }
+ }
+ }
+}
+
+class nodo::web inherits nodo::vserver {
+ include git-daemon
+ include websites
+ include mysql::server
+ include users::virtual
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+}
+
+class nodo::proxy inherits nodo::vserver {
+ include nginx
+}
diff --git a/manifests/initramfs.pp b/manifests/initramfs.pp
new file mode 100644
index 0000000..3b37f65
--- /dev/null
+++ b/manifests/initramfs.pp
@@ -0,0 +1,25 @@
+class initramfs {
+ # initramfs config
+ file { "/etc/kernel-img.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "do_initrd = Yes\n",
+ }
+
+ # initramfs config
+ file { "/etc/initramfs-tools/modules":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
+ }
+
+ # update initramfs when needed
+ exec { "update-initramfs -v -u":
+ subscribe => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/lsb.pp b/manifests/lsb.pp
new file mode 100644
index 0000000..4516470
--- /dev/null
+++ b/manifests/lsb.pp
@@ -0,0 +1,4 @@
+class lsb {
+ package { "lsb-release": ensure => installed, }
+ include assert_lsbdistcodename
+}
diff --git a/manifests/motd.pp b/manifests/motd.pp
new file mode 100644
index 0000000..c8029bf
--- /dev/null
+++ b/manifests/motd.pp
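Review bot: `if $context < 9 { $id = "0$context" }` in `nodo::vserver::instance` leaves context 9 with `$id = 9`, so that instance gets one-digit suffixes (`destinationport => "229"`, `order => "29"`, `$munin_port = "499"`) while contexts 1–8 and 10+ get two; the boundary should read `if $context < 10 {`. The rules under `$proxy`, `$puppetmaster` and `$gitd` use fixed titles (`'http-route'`, `'puppetmaster-1'` … `'git-daemon-2'`), so declaring two instances with the same flag set is a duplicate-declaration error at catalog compile; suffixing them with the context as the ssh rule does (`"http-route-$context"`) avoids that. `git-daemon-1` targets `fw:192.168.0.$context:9418` while `git-daemon-2` and the proxy rules target `vm:`, which looks like a typo if the vserver lives in the `vm` zone, worth confirming. Both `nodo::server` and `nodo::vserver` set `$sshd_password_authentication = "yes"` on daemons the firewall rules expose to `net`; if key-based logins are feasible, a comment stating why passwords are still needed would help the next reader.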
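Review bot: The `update-initramfs` exec subscribes to `File["/etc/modprobe.d/blacklist"]`, which is declared in class `firewire` rather than here, so `include initramfs` on a node that does not also include `firewire` fails at catalog compile on the missing reference. Adding `include firewire` at the top of the class (or `require => Class["firewire"]` on the exec) makes that dependency explicit instead of relying on `nodo::server` including both. The two `# initramfs config` comments are identical; the first file sets `do_initrd = Yes` in kernel-img.conf, so `# kernel-img.conf: have kernel package hooks build an initrd` would tell them apart.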
@@ -0,0 +1,17 @@
+class motd {
+ # http://projects.reductivelabs.com/issues/1915
+ file { "/var/run/motd":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => file,
+ content => "This is $fqdn from the $network_name.\n",
+ }
+
+ file { "/etc/motd":
+ owner => "root",
+ group => "root",
+ ensure => "/var/run/motd",
+ require => File["/var/run/motd"],
+ }
+}
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
new file mode 100644
index 0000000..c5679fd
--- /dev/null
+++ b/manifests/sudo.pp
@@ -0,0 +1,14 @@
+class sudo {
+
+ package { "sudo":
+ ensure => "present",
+ }
+
+ file { "/etc/sudoers":
+ source => "puppet://$server/modules/nodo/etc/sudoers",
+ owner => "root",
+ group => "root",
+ mode => 440,
+ require => Package["sudo"],
+ }
+}
diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
new file mode 100644
index 0000000..3bd028c
--- /dev/null
+++ b/manifests/sysctl.pp
@@ -0,0 +1,16 @@
+class sysctl {
+ # root exploit fix, see http://wiki.debian.org/mmap_min_addr
+ # TODO: remove in the future or use a sysctl puppet module
+ file { "/etc/sysctl.d/mmap_min_addr.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "vm.mmap_min_addr = 4096\n",
+ }
+
+ exec { "/etc/init.d/procps restart":
+ subscribe => File["/etc/sysctl.d/mmap_min_addr.conf"],
+ refreshonly => true,
+ }
+}
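Review bot: `content => "This is $fqdn from the $network_name.\n"` reads `$network_name`, which no manifest in this commit assigns; presumably it is set at node scope, but if it is missing the banner reads `from the .` with only a warning. A comment such as `# $network_name is expected from node scope` above the file resource, or a `$network_name` default in `nodo`, would make the dependency visible.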
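Review bot: `/etc/sudoers` is overwritten from a static `source` with no syntax check, so a broken file in the module locks every admin out of sudo on the next agent run. If the Puppet in use supports it, `validate_cmd => '/usr/sbin/visudo -c -f %',` on the file resource makes Puppet refuse the replacement; otherwise stage the file to a temporary path and copy it with an exec that runs `visudo -c -f` first. `mode => 440` works, but every other file in this commit writes the leading zero, so `mode => 0440,` keeps the style consistent.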