From 1b44048f33e795162212d2fdc77bcf0d9cdf0533 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Mon, 22 Mar 2010 22:11:47 -0300 Subject: Module organization --- manifests/database.pp | 21 -- manifests/desktop.pp | 63 ++++ manifests/firewall.pp | 239 -------------- manifests/firewire.pp | 17 - manifests/init.pp | 653 ++------------------------------------ manifests/initramfs.pp | 25 -- manifests/lsb.pp | 4 - manifests/master.pp | 48 +++ manifests/motd.pp | 17 - manifests/munin.pp | 19 -- manifests/nodo.pp | 94 ++++++ manifests/physical.pp | 41 +++ manifests/proxy.pp | 3 + manifests/server.pp | 19 ++ manifests/storage.pp | 4 + manifests/subsystems/database.pp | 21 ++ manifests/subsystems/firewall.pp | 239 ++++++++++++++ manifests/subsystems/firewire.pp | 17 + manifests/subsystems/initramfs.pp | 25 ++ manifests/subsystems/lsb.pp | 4 + manifests/subsystems/motd.pp | 17 + manifests/subsystems/munin.pp | 19 ++ manifests/subsystems/sudo.pp | 14 + manifests/subsystems/sysctl.pp | 16 + manifests/subsystems/ups.pp | 13 + manifests/subsystems/utils.pp | 75 +++++ manifests/subsystems/websites.pp | 127 ++++++++ manifests/sudo.pp | 14 - manifests/sysctl.pp | 16 - manifests/test.pp | 3 + manifests/ups.pp | 13 - manifests/utils.pp | 75 ----- manifests/vserver.pp | 314 ++++++++++++++++++ manifests/web.pp | 17 + manifests/websites.pp | 127 -------- 35 files changed, 1218 insertions(+), 1215 deletions(-) delete mode 100644 manifests/database.pp create mode 100644 manifests/desktop.pp delete mode 100644 manifests/firewall.pp delete mode 100644 manifests/firewire.pp delete mode 100644 manifests/initramfs.pp delete mode 100644 manifests/lsb.pp create mode 100644 manifests/master.pp delete mode 100644 manifests/motd.pp delete mode 100644 manifests/munin.pp create mode 100644 manifests/nodo.pp create mode 100644 manifests/physical.pp create mode 100644 manifests/proxy.pp create mode 100644 manifests/server.pp create mode 100644 manifests/storage.pp create mode 100644 manifests/subsystems/database.pp create mode 100644 manifests/subsystems/firewall.pp create 
mode 100644 manifests/subsystems/firewire.pp create mode 100644 manifests/subsystems/initramfs.pp create mode 100644 manifests/subsystems/lsb.pp create mode 100644 manifests/subsystems/motd.pp create mode 100644 manifests/subsystems/munin.pp create mode 100644 manifests/subsystems/sudo.pp create mode 100644 manifests/subsystems/sysctl.pp create mode 100644 manifests/subsystems/ups.pp create mode 100644 manifests/subsystems/utils.pp create mode 100644 manifests/subsystems/websites.pp delete mode 100644 manifests/sudo.pp delete mode 100644 manifests/sysctl.pp create mode 100644 manifests/test.pp delete mode 100644 manifests/ups.pp delete mode 100644 manifests/utils.pp create mode 100644 manifests/vserver.pp create mode 100644 manifests/web.pp delete mode 100644 manifests/websites.pp diff --git a/manifests/database.pp b/manifests/database.pp deleted file mode 100644 index c2d1fc3..0000000 --- a/manifests/database.pp +++ /dev/null @@ -1,21 +0,0 @@ -class database { - include mysql::server - - # Database definitions - define instance($password) { - mysql_database { "$name": - ensure => present, - } - - mysql_user { "$name@%": - password_hash => mysql_password($password), - ensure => present, - require => Mysql_database["$name"], - } - - mysql_grant { "$name@%/$name": - privileges => all, - require => Mysql_user["$name@%"], - } - } -} diff --git a/manifests/desktop.pp b/manifests/desktop.pp new file mode 100644 index 0000000..686801b --- /dev/null +++ b/manifests/desktop.pp 
@@ -0,0 +1,63 @@ +class nodo::desktop inherits nodo::physical { + include utils::desktop + + # fstab + file { "/etc/fstab": + source => "puppet://$desktop/modules/nodo/etc/fstab/desktop", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + # crypttab + file { "/etc/crypttab": + source => "puppet://$desktop/modules/nodo/etc/crypttab/desktop", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + # data + file { "/var/data": + ensure => directory, + mode => 0755, + } + + # pam - login + file { "/etc/pam.d/login": + source => "puppet://$desktop/modules/nodo/etc/pam.d/login", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + # pam - gdm + file { "/etc/pam.d/gdm": + source => "puppet://$desktop/modules/nodo/etc/pam.d/gdm", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + # pam - mountpoints + file { "/etc/security/pam_mount.conf.xml": + ensure => present, + owner => root, + group => root, + mode => 0644, + source => "puppet://$server/files/etc/security/pam_mount.conf.xml", + } + + # xorg + file { "/etc/X11/xorg.conf": + ensure => present, + owner => root, + group => root, + mode => 0644, + source => "puppet://$server/files/etc/X11/xorg.conf/$hostname", + } +} diff --git a/manifests/firewall.pp b/manifests/firewall.pp deleted file mode 100644 index 765a59f..0000000 --- a/manifests/firewall.pp +++ /dev/null 
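Review bot: Four of the `source` URLs in this new file use `$desktop` (the `/etc/fstab`, `/etc/crypttab`, `/etc/pam.d/login` and `/etc/pam.d/gdm` resources) while the other resources in the same class and every other manifest in this commit use `$server`; `$desktop` is not assigned anywhere visible, so it presumably expands to an empty string and the fileserver is chosen implicitly. Two of the affected resources are PAM stacks, so a mistyped or silently-defaulted source is worth catching rather than tolerating; change each of the four to the form `source => "puppet://$server/modules/nodo/etc/fstab/desktop",`. The class also mixes two fileserver layouts (`modules/nodo/...` for most files, `files/...` for pam_mount and xorg); a one-line comment on those two resources saying why they live outside the module would save the next reader from "normalising" them.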
@@ -1,239 +0,0 @@ -# firewall definitions for physical servers -class firewall { - include shorewall - - $rfc1918 = $shorewall_dmz ? { - true => true, - false => false, - default => false, - } - - # - # Interfaces - # - shorewall::interface { 'eth0': - zone => '-', - rfc1918 => $rfc1918, - } - - # - # Policy - # - shorewall::policy { 'vm-net': - sourcezone => 'vm', - destinationzone => 'net', - policy => 'ACCEPT', - order => '1', - } - - shorewall::policy { 'fw-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - order => '2', - } - - shorewall::policy { 'fw-vm': - sourcezone => '$FW', - destinationzone => 'vm', - policy => 'ACCEPT', - order => '3', - } - - shorewall::policy { 'net-all': - sourcezone => 'net', - destinationzone => 'all', - policy => 'DROP', - order => '4', - } - - shorewall::policy { 'all-all': - sourcezone => 'all', - destinationzone => 'all', - policy => 'REJECT', - order => '5', - } - - # - # Hosts - # - shorewall::host { "eth0-subnet": - name => 'eth0:192.168.0.0/24', - zone => 'vm', - options => '', - order => '1', - } - - shorewall::host { "eth0": - name => 'eth0:0.0.0.0/0', - zone => 'net', - options => '', - order => '2', - } - - shorewall::masq { "eth0": - interface => 'eth0:!192.168.0.0/24', - source => '192.168.0.0/24', - order => '1', - } - - # - # Rules - # - shorewall::rule { 'ssh': - action => 'SSH/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => '100', - } - - shorewall::rule { 'ping': - action => 'Ping/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => '101', - } - - shorewall::rule { 'http': - action => 'HTTP/ACCEPT', - source => 'net', - destination => '$FW', - proto => '-', - destinationport => '-', - ratelimit => '-', - order => '102', - } - - shorewall::rule { 'https': - action => 'HTTPS/ACCEPT', - source => 'net', - destination => '$FW', - proto => 
'-', - destinationport => '-', - ratelimit => '-', - order => '103', - } - - $munin_port = $node_munin_port ? { - '' => "4900", - default => "$node_munin_port", - } - - shorewall::rule { "munin": - action => 'ACCEPT', - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => "$munin_port", - ratelimit => '-', - order => "104", - } - - # - # Zones - # - shorewall::zone { 'vm': - type => 'ipv4', - order => '2', - } - - shorewall::zone { 'net': - type => 'ipv4', - order => '3', - } - - # - # Traffic shapping - # - $in_bandwidth = $max_in_bandwidth ? { - '' => "2mbit", - default => "$max_in_bandwidth", - } - - $out_bandwidth = $max_out_bandwidth ? { - '' => "2mbit", - default => "$max_out_bandwidth", - } - - shorewall::tcdevices { "eth0": - in_bandwidth => "$in_bandwidth", - out_bandwidth => "$out_bandwidth", - } - - shorewall::tcrules { "ssh-tcp": - order => "1", - source => "0.0.0.0/0", - destination => "0.0.0.0/0", - protocol => "tcp", - ports => "22", - } - - shorewall::tcrules { "ssh-udp": - order => "1", - source => "0.0.0.0/0", - destination => "0.0.0.0/0", - protocol => "udp", - ports => "22", - } - - shorewall::tcclasses { "ssh": - order => "1", - interface => "eth0", - rate => "4*full/100", - ceil => "full", - priority => "1", - } - - shorewall::tcclasses { "default": - order => "2", - interface => "eth0", - rate => "6*full/100", - ceil => "full", - priority => "2", - options => "default", - } - - # - # DMZ Configuration - # - if $shorewall_dmz { - shorewall::host { "eth0-dmz": - name => 'eth0:192.168.1.0/24', - zone => 'dmz', - options => '', - order => '3', - } - - shorewall::policy { 'dmz-all': - sourcezone => 'dmz', - destinationzone => 'all', - policy => 'ACCEPT', - order => '6', - } - - shorewall::policy { 'vm-dmz': - sourcezone => 'vm', - destinationzone => 'dmz', - policy => 'ACCEPT', - order => '7', - } - - shorewall::policy { 'fw-dmz': - sourcezone => '$FW', - destinationzone => 'dmz', - policy => 'ACCEPT', - order => '8', - 
} - - shorewall::zone { 'dmz': - type => 'ipv4', - order => '4', - } - } -} diff --git a/manifests/firewire.pp b/manifests/firewire.pp deleted file mode 100644 index 1c9609a..0000000 --- a/manifests/firewire.pp +++ /dev/null @@ -1,17 +0,0 @@ -class firewire { - # keep firewire disabled - # see http://padrao.sarava.org/trac/wiki/Debian/Firewire - file { "/etc/modprobe.d/blacklist": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - source => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist", - } - - # make sure ohci1394 is not loaded - exec { "rmmod ohci1394": - unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'", - user => "root", - } -} diff --git a/manifests/init.pp b/manifests/init.pp index fc50a5f..5e597a2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -2,631 +2,28 @@ # Nodo class definitions # -import "firewall.pp" -import "firewire.pp" -import "initramfs.pp" -import "lsb.pp" -import "motd.pp" -import "sudo.pp" -import "sysctl.pp" -import "ups.pp" -import "utils.pp" -import "database.pp" -import "websites.pp" -import "munin.pp" - -class nodo { - include lsb - include puppetd - include backup - include exim - include sudo - include users::admin - include motd - include utils - include cron - - # Set timezone and ntp config - # - # We config those here but leave class inclusion elsewhere - # as ntp config differ from server to vserver. - # - $ntp_timezone = "Brazil/East" - $ntp_pool = "south-america.pool.ntp.org" - $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ] - - # Monkeysphere - # - # Currently we don't have a defined policy regarding whether - # to publish all our node keys to public keyservers, so leave - # automatic publishing disabled for now. - # - $monkeysphere_publish_key = false - include monkeysphere - - # Apt configuration - $backports_enabled = true - $apt_update_method = 'cron' - include apt - - # Default SSH configuration - $sshd_password_authentication = "yes" - $sshd_shared_ip = "yes" - - file { "/etc/hostname": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - content => "$fqdn\n", - } - - host { "$hostname": - ensure => present, - ip => "$ipaddress", - alias => [ "$fqdn" ], - } - - file { "/etc/rc.local": - source => "puppet://$server/modules/nodo/etc/rc.local", - owner => "root", - group => "root", - mode => 0755, - ensure => present, - } - - file { "/etc/screenrc": - source => "puppet://$server/modules/nodo/etc/screenrc", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - file { "/etc/profile": - source => "puppet://$server/modules/nodo/etc/profile", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - require => File['/usr/local/bin/prompt.sh'], - } - - file { "/etc/bash.bashrc": - source => 
"puppet://$server/modules/nodo/etc/bash.bashrc", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - require => File['/usr/local/bin/prompt.sh'], - } - - file { "/usr/local/bin/prompt.sh": - source => "puppet://$server/modules/nodo/bin/prompt.sh", - owner => "root", - group => "root", - mode => 0755, - ensure => present, - } -} - -class nodo::physical inherits nodo { - include syslog-ng - include firewall - include vserver::host - include initramfs - include firewire - include sysctl - include ups - include utils::physical - include smartmontools - - # Time configuration - case $ntpdate { - false: { include timezone } - default: { include ntpdate } - } - - # DNS resolver - $resolvconf_domain = "$domain" - $resolvconf_search = "$fqdn" - include resolvconf - - # SSH Server - # - # We need to restrict listen address so multiple instances - # can live together in the same physical host. - # - case $sshd_listen_address { - '': { $sshd_listen_address = [ "$ipaddress" ] } - } - include sshd - - backupninja::sys { "sys": - ensure => present, - } - - # Munin configuration - munin_node { "$hostname": - port => '4900', - } -} - -class nodo::server inherits nodo::physical { - # fstab - file { "/etc/fstab": - source => "puppet://$server/modules/nodo/etc/fstab/server", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # crypttab - file { "/etc/crypttab": - source => "puppet://$server/modules/nodo/etc/crypttab/server", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } -} - -class nodo::desktop inherits nodo::physical { - include utils::desktop - - # fstab - file { "/etc/fstab": - source => "puppet://$desktop/modules/nodo/etc/fstab/desktop", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # crypttab - file { "/etc/crypttab": - source => "puppet://$desktop/modules/nodo/etc/crypttab/desktop", - owner => "root", - group => "root", - mode => 0644, - ensure => 
present, - } - - # data - file { "/var/data": - ensure => directory, - mode => 0755, - } - - # pam - login - file { "/etc/pam.d/login": - source => "puppet://$desktop/modules/nodo/etc/pam.d/login", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # pam - gdm - file { "/etc/pam.d/gdm": - source => "puppet://$desktop/modules/nodo/etc/pam.d/gdm", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # pam - mountpoints - file { "/etc/security/pam_mount.conf.xml": - ensure => present, - owner => root, - group => root, - mode => 0644, - source => "puppet://$server/files/etc/security/pam_mount.conf.xml", - } - - # xorg - file { "/etc/X11/xorg.conf": - ensure => present, - owner => root, - group => root, - mode => 0644, - source => "puppet://$server/files/etc/X11/xorg.conf/$hostname", - } -} - -class nodo::vserver inherits nodo { - include sshd - include timezone - include syslog-ng::vserver - - backupninja::sys { "sys": - ensure => present, - partitions => false, - hardware => false, - dosfdisk => false, - dohwinfo => false, - } - - $hosting_type = $node_hosting_type ? { - '' => "direct", - default => "$node_hosting_type", - } - - case $hosting_type { - "direct": { - # Apply munin configuration for this node for - # directly hosted nodes. - Munin_node <<| title == $hostname |>> - } - "third-party": { - # Apply munin configuration for this node for third-party - # hosted nodes. 
- munin_node { "$hostname": } - } - } - - # Define a vserver instance - define instance($context, $ensure = 'running', $proxy = false, - $puppetmaster = false, $gitd = false, - $icecast = false, $sound = false, $ticket = false, - $memory_limit = false) { - - # set instance id - if $context < 9 { - $id = "0$context" - } else { - $id = $context - } - - vserver { $name: - ensure => $ensure, - context => "$context", - mark => 'default', - distro => 'lenny', - interface => "eth0:192.168.0.$context/24", - hostname => "$name.$domain", - memory_limit => $memory_limit, - } - - # Some nodes need a lot of space at /tmp otherwise some admin - # tasks like backups might not run. - file { "/etc/vservers/${name}/fstab": - source => "puppet://$server/modules/nodo/etc/fstab/vserver", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - notify => Exec["vs_restart_${name}"], - require => Exec["vs_create_${name}"], - } - - # Create a munin virtual resource to be realized in the node - @@munin_node { "$name": - port => "49$id", - } - - # Sound support - if $sound { - if !defined(File["/usr/local/sbin/create-sound-devices"]) { - file { "/usr/local/sbin/create-sound-devices": - ensure => present, - source => "puppet://$server/modules/nodo/sound/devices.sh", - owner => root, - group => root, - mode => 755, - } - } - exec { "/usr/local/sbin/create-sound-devices ${name}": - unless => "/usr/local/sbin/create-sound-devices ${name} --check", - user => root, - require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ], - } - } - - # Apply firewall rules just for running vservers - case $ensure { - 'running': { - - shorewall::rule { "ssh-$context-1": - action => 'DNAT', - source => 'net', - destination => "vm:192.168.0.$context:22", - proto => 'tcp', - destinationport => "22$id", - ratelimit => '-', - order => "2$id", - } - - shorewall::rule { "ssh-$context-2": - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:22", 
- proto => 'tcp', - destinationport => "22$id", - originaldest => "$ipaddress", - ratelimit => '-', - order => "3$id", - } - - shorewall::rule { "munin-$context-1": - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:49$id", - proto => 'tcp', - destinationport => "49$id", - ratelimit => '-', - order => "4$id", - } - - shorewall::rule { "munin-$context-2": - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:49$id", - proto => 'tcp', - destinationport => "49$id", - originaldest => "$ipaddress", - ratelimit => '-', - order => "5$id", - } - - if $proxy { - shorewall::rule { 'http-route-1': - action => 'DNAT', - source => 'net', - destination => "vm:192.168.0.$context:80", - proto => 'tcp', - destinationport => '80', - ratelimit => '-', - order => '600', - } - - shorewall::rule { 'http-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:80", - proto => 'tcp', - destinationport => '80', - originaldest => "$ipaddress", - ratelimit => '-', - order => '601', - } - - shorewall::rule { 'https-route-1': - action => 'DNAT', - source => 'net', - destination => "vm:192.168.0.$context:443", - proto => 'tcp', - destinationport => '443', - ratelimit => '-', - order => '602', - } - - shorewall::rule { 'https-route-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:443", - proto => 'tcp', - destinationport => '443', - originaldest => "$ipaddress", - ratelimit => '-', - order => '602', - } - } - - if $puppetmaster { - shorewall::rule { 'puppetmaster-1': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8140", - proto => 'tcp', - destinationport => '8140', - ratelimit => '-', - order => '700', - } - - shorewall::rule { 'puppetmaster-2': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8140", - proto => 'udp', - destinationport => '8140', - ratelimit => '-', - order => '701', - } - - shorewall::rule { 
'puppetmaster-3': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8140", - proto => 'tcp', - destinationport => '8140', - originaldest => "$ipaddress", - ratelimit => '-', - order => '702', - } - - shorewall::rule { 'puppetmaster-4': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8140", - proto => 'udp', - destinationport => '8140', - originaldest => "$ipaddress", - ratelimit => '-', - order => '703', - } - - shorewall::rule { 'puppetmaster-5': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8141", - proto => 'tcp', - destinationport => '8141', - ratelimit => '-', - order => '704', - } - - shorewall::rule { 'puppetmaster-6': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:8141", - proto => 'udp', - destinationport => '8141', - ratelimit => '-', - order => '705', - } - - shorewall::rule { 'puppetmaster-7': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8141", - proto => 'tcp', - destinationport => '8141', - originaldest => "$ipaddress", - ratelimit => '-', - order => '706', - } - - shorewall::rule { 'puppetmaster-8': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8141", - proto => 'udp', - destinationport => '8141', - originaldest => "$ipaddress", - ratelimit => '-', - order => '707', - } - } - - if $gitd { - shorewall::rule { 'git-daemon-1': - action => 'DNAT', - source => 'net', - destination => "fw:192.168.0.$context:9418", - proto => 'tcp', - destinationport => '9418', - ratelimit => '-', - order => '800', - } - - shorewall::rule { 'git-daemon-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:9418", - proto => 'tcp', - destinationport => '9418', - originaldest => "$ipaddress", - ratelimit => '-', - order => '801', - } - } - - if $icecast { - shorewall::rule { 'icecast-1': - action => 'DNAT', - source => 'net', - destination => 
"fw:192.168.0.$context:8000", - proto => 'tcp', - destinationport => '8000', - ratelimit => '-', - order => '900', - } - - shorewall::rule { 'icecast-2': - action => 'DNAT', - source => '$FW', - destination => "fw:192.168.0.$context:8000", - proto => 'tcp', - destinationport => '8000', - originaldest => "$ipaddress", - ratelimit => '-', - order => '901', - } - } - } - } - } -} - -class nodo::web inherits nodo::vserver { - include git-daemon - include websites - include database - include users::virtual - include utils::web - - backupninja::svn { "svn": - src => "/var/svn", - } - - backupninja::mysql { "all_databases": - backupdir => '/var/backups/mysql', - compress => true, - sqldump => true, - } -} - -class nodo::master { - # Puppetmaster should be included before nodo::vserver - include puppetmasterd - include nodo::vserver - include database - include gitosis - include websites::admin - - case $main_master { - '': { fail("You need to define if this is the main master! Please set \$main_master in host config") } - } - - if $main_master == true { - include munin::host - - # The main master has a host entry pointing to itself, other - # masters still retrieve catalogs from the main master. 
- host { "puppet": - ensure => present, - ip => "127.0.0.1", - alias => ["puppet.$domain"], - } - } else { - host { "puppet": - ensure => absent, - } - } - - case $puppetmaster_db_password { - '': { fail("Please set \$puppetmaster_db_password in your host config") } - } - - # update master's puppet.conf if you change here - database::instance { "puppet": - password => "$puppetmaster_db_password", - } - - backupninja::mysql { "all_databases": - backupdir => '/var/backups/mysql', - compress => true, - sqldump => true, - } - - # used for trac dependency graphs - package { "graphviz": - ensure => present, - } -} - -class nodo::proxy inherits nodo::vserver { - include nginx -} - -class nodo::storage inherits nodo::vserver { - # Class for backup nodes - include utils::storage -} - -class nodo::test inherits nodo::web { - # Class for test nodes -} +# Import subsystems +import "subsystems/firewall.pp" +import "subsystems/firewire.pp" +import "subsystems/initramfs.pp" +import "subsystems/lsb.pp" +import "subsystems/motd.pp" +import "subsystems/sudo.pp" +import "subsystems/sysctl.pp" +import "subsystems/ups.pp" +import "subsystems/utils.pp" +import "subsystems/database.pp" +import "subsystems/websites.pp" +import "subsystems/munin.pp" + +# Import nodo classes +import "nodo.pp" +import "physical.pp" +import "server.pp" +import "desktop.pp" +import "vserver.pp" +import "web.pp" +import "master.pp" +import "proxy.pp" +import "storage.pp" +import "test.pp" diff --git a/manifests/initramfs.pp b/manifests/initramfs.pp deleted file mode 100644 index 3b37f65..0000000 --- a/manifests/initramfs.pp +++ /dev/null 
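Review bot: The subsystem manifests imported here keep their classes in the global namespace (`class firewall` and `class database` in the new `subsystems/` files further down), so `import` exposes them site-wide and they can collide with any other module that defines a class of the same name. Since the commit already moves them under `subsystems/`, this is the natural moment to namespace them as `nodo::firewall`, `nodo::database` and so on and to update the matching `include` lines. The retained `# Nodo class definitions` header no longer describes a file that is now only an import list; `# Loads the subsystem classes and the nodo node classes; see the individual manifests.` would be more accurate.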
@@ -1,25 +0,0 @@
-class initramfs {
- # initramfs config
- file { "/etc/kernel-img.conf":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- content => "do_initrd = Yes\n",
- }
-
- # initramfs config
- file { "/etc/initramfs-tools/modules":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- source => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
- }
-
- # update initramfs when needed
- exec { "update-initramfs -v -u":
- subscribe => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
- refreshonly => true,
- }
-}
diff --git a/manifests/lsb.pp b/manifests/lsb.pp
deleted file mode 100644
index 4516470..0000000
--- a/manifests/lsb.pp
+++ /dev/null
@@ -1,4 +0,0 @@
-class lsb {
- package { "lsb-release": ensure => installed, }
- include assert_lsbdistcodename
-}
diff --git a/manifests/master.pp b/manifests/master.pp
new file mode 100644
index 0000000..b07866e
--- /dev/null
+++ b/manifests/master.pp
@@ -0,0 +1,48 @@
+class nodo::master {
+ # Puppetmaster should be included before nodo::vserver
+ include puppetmasterd
+ include nodo::vserver
+ include database
+ include gitosis
+ include websites::admin
+
+ case $main_master {
+ '': { fail("You need to define if this is the main master! Please set \$main_master in host config") }
+ }
+
+ if $main_master == true {
+ include munin::host
+
+ # The main master has a host entry pointing to itself, other
+ # masters still retrieve catalogs from the main master.
+ host { "puppet":
+ ensure => present,
+ ip => "127.0.0.1",
+ alias => ["puppet.$domain"],
+ }
+ } else {
+ host { "puppet":
+ ensure => absent,
+ }
+ }
+
+ case $puppetmaster_db_password {
+ '': { fail("Please set \$puppetmaster_db_password in your host config") }
+ }
+
+ # update master's puppet.conf if you change here
+ database::instance { "puppet":
+ password => "$puppetmaster_db_password",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+
+ # used for trac dependency graphs
+ package { "graphviz":
+ ensure => present,
+ }
+}
diff --git a/manifests/motd.pp b/manifests/motd.pp
deleted file mode 100644
index c8029bf..0000000
--- a/manifests/motd.pp
+++ /dev/null
@@ -1,17 +0,0 @@
-class motd {
- # http://projects.reductivelabs.com/issues/1915
- file { "/var/run/motd":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => file,
- content => "This is $fqdn from the $network_name.\n",
- }
-
- file { "/etc/motd":
- owner => "root",
- group => "root",
- ensure => "/var/run/motd",
- require => File["/var/run/motd"],
- }
-}
diff --git a/manifests/munin.pp b/manifests/munin.pp
deleted file mode 100644
index 2e32117..0000000
--- a/manifests/munin.pp
+++ /dev/null
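Review bot: The `case $main_master` guard only rejects the empty string, so any value other than a literal boolean `true` (for example the string `"true"` coming from a host config) presumably passes the guard, fails the `if $main_master == true` test and falls into the `else` branch, which removes the `puppet` host entry on what may really be the main master. The manifests in this commit already dispatch on booleans with `case $ntpdate { false: {...} default: {...} }` in physical.pp, and the same shape fits here: `case $main_master { true: {...} false: {...} default: { fail(...) } }`, with the present/absent `host { "puppet": }` bodies moved into the `true` and `false` arms. A mistyped value then fails the catalog loudly instead of silently changing which master the node resolves.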
@@ -1,19 +0,0 @@
-# Define a munin node
-define munin_node($port = '4949') {
-
- case $global_munin_allow {
- '': { fail("Please set \$global_munin_allow in your site config") }
- }
-
- $munin_allow = $node_munin_allow ? {
- '' => "$global_munin_allow",
- default => "$node_munin_allow",
- }
-
- $munin_port = $node_munin_port ? {
- '' => "$port",
- default => "$node_munin_port",
- }
-
- include munin::client
-}
diff --git a/manifests/nodo.pp b/manifests/nodo.pp
new file mode 100644
index 0000000..5e5436e
--- /dev/null
+++ b/manifests/nodo.pp
@@ -0,0 +1,94 @@ +class nodo { + include lsb + include puppetd + include backup + include exim + include sudo + include users::admin + include motd + include utils + include cron + + # Set timezone and ntp config + # + # We config those here but leave class inclusion elsewhere + # as ntp config differ from server to vserver. + # + $ntp_timezone = "Brazil/East" + $ntp_pool = "south-america.pool.ntp.org" + $ntp_servers = [ 'a.ntp.br', 'b.ntp.br', 'c.ntp.br' ] + + # Monkeysphere + # + # Currently we don't have a defined policy regarding whether + # to publish all our node keys to public keyservers, so leave + # automatic publishing disabled for now. + # + $monkeysphere_publish_key = false + include monkeysphere + + # Apt configuration + $backports_enabled = true + $apt_update_method = 'cron' + include apt + + # Default SSH configuration + $sshd_password_authentication = "yes" + $sshd_shared_ip = "yes" + + file { "/etc/hostname": + owner => "root", + group => "root", + mode => 0644, + ensure => present, + content => "$fqdn\n", + } + + host { "$hostname": + ensure => present, + ip => "$ipaddress", + alias => [ "$fqdn" ], + } + + file { "/etc/rc.local": + source => "puppet://$server/modules/nodo/etc/rc.local", + owner => "root", + group => "root", + mode => 0755, + ensure => present, + } + + file { "/etc/screenrc": + source => "puppet://$server/modules/nodo/etc/screenrc", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + file { "/etc/profile": + source => "puppet://$server/modules/nodo/etc/profile", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + require => File['/usr/local/bin/prompt.sh'], + } + + file { "/etc/bash.bashrc": + source => "puppet://$server/modules/nodo/etc/bash.bashrc", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + require => File['/usr/local/bin/prompt.sh'], + } + + file { "/usr/local/bin/prompt.sh": + source => "puppet://$server/modules/nodo/bin/prompt.sh", + 
owner => "root", + group => "root", + mode => 0755, + ensure => present, + } +} diff --git a/manifests/physical.pp b/manifests/physical.pp new file mode 100644 index 0000000..d1ade0c --- /dev/null +++ b/manifests/physical.pp @@ -0,0 +1,41 @@ +class nodo::physical inherits nodo { + include syslog-ng + include firewall + include vserver::host + include initramfs + include firewire + include sysctl + include ups + include utils::physical + include smartmontools + + # Time configuration + case $ntpdate { + false: { include timezone } + default: { include ntpdate } + } + + # DNS resolver + $resolvconf_domain = "$domain" + $resolvconf_search = "$fqdn" + include resolvconf + + # SSH Server + # + # We need to restrict listen address so multiple instances + # can live together in the same physical host. + # + case $sshd_listen_address { + '': { $sshd_listen_address = [ "$ipaddress" ] } + } + include sshd + + backupninja::sys { "sys": + ensure => present, + } + + # Munin configuration + munin_node { "$hostname": + port => '4900', + } +} diff --git a/manifests/proxy.pp b/manifests/proxy.pp new file mode 100644 index 0000000..51dac33 --- /dev/null +++ b/manifests/proxy.pp @@ -0,0 +1,3 @@ +class nodo::proxy inherits nodo::vserver { + include nginx +} diff --git a/manifests/server.pp b/manifests/server.pp new file mode 100644 index 0000000..2300889 --- /dev/null +++ b/manifests/server.pp @@ -0,0 +1,19 @@ +class nodo::server inherits nodo::physical { + # fstab + file { "/etc/fstab": + source => "puppet://$server/modules/nodo/etc/fstab/server", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + # crypttab + file { "/etc/crypttab": + source => "puppet://$server/modules/nodo/etc/crypttab/server", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } +} diff --git a/manifests/storage.pp b/manifests/storage.pp new file mode 100644 index 0000000..5bb7e72 --- /dev/null +++ b/manifests/storage.pp 
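Review bot: The base `nodo` class sets `$sshd_password_authentication = "yes"` for every node, and the `firewall` class added in this same commit accepts `SSH/ACCEPT` from `net` to `$FW` with `ratelimit => '-'`, so the fleet-wide default is password login reachable from the Internet with no rate limiting. If that is deliberate, a comment next to the assignment stating the reason and that node definitions are expected to override it (`# Password logins stay enabled by default because ...; override per node.`) keeps the next reader from "fixing" it blind; otherwise default to `"no"` here and set `"yes"` only in the node definitions that need it. The same consideration applies to `$sshd_shared_ip` immediately below it.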
@@ -0,0 +1,4 @@
+class nodo::storage inherits nodo::vserver {
+ # Class for backup nodes
+ include utils::storage
+}
diff --git a/manifests/subsystems/database.pp b/manifests/subsystems/database.pp
new file mode 100644
index 0000000..c2d1fc3
--- /dev/null
+++ b/manifests/subsystems/database.pp
@@ -0,0 +1,21 @@
+class database {
+ include mysql::server
+
+ # Database definitions
+ define instance($password) {
+ mysql_database { "$name":
+ ensure => present,
+ }
+
+ mysql_user { "$name@%":
+ password_hash => mysql_password($password),
+ ensure => present,
+ require => Mysql_database["$name"],
+ }
+
+ mysql_grant { "$name@%/$name":
+ privileges => all,
+ require => Mysql_user["$name@%"],
+ }
+ }
+}
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/manifests/subsystems/firewall.pp
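Review bot: `database::instance` creates `mysql_user { "$name@%" }` and grants `privileges => all` on `"$name@%/$name"`, so every account it produces may authenticate from any source host; whether that is actually reachable depends on how `mysql::server` binds, which is not visible in this commit. The one caller visible here, `database::instance { "puppet": }` in master.pp, is consumed by the puppetmaster on the same host, so a `$host = 'localhost'` parameter on the define, used in the user and grant titles, would narrow that grant while letting a caller that genuinely needs remote access say so explicitly. A comment on the define stating the intended client hosts would help either way.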
@@ -0,0 +1,239 @@
+# firewall definitions for physical servers
+class firewall {
+ include shorewall
+
+ $rfc1918 = $shorewall_dmz ? {
+ true => true,
+ false => false,
+ default => false,
+ }
+
+ #
+ # Interfaces
+ #
+ shorewall::interface { 'eth0':
+ zone => '-',
+ rfc1918 => $rfc1918,
+ }
+
+ #
+ # Policy
+ #
+ shorewall::policy { 'vm-net':
+ sourcezone => 'vm',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '1',
+ }
+
+ shorewall::policy { 'fw-net':
+ sourcezone => '$FW',
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => '2',
+ }
+
+ shorewall::policy { 'fw-vm':
+ sourcezone => '$FW',
+ destinationzone => 'vm',
+ policy => 'ACCEPT',
+ order => '3',
+ }
+
+ shorewall::policy { 'net-all':
+ sourcezone => 'net',
+ destinationzone => 'all',
+ policy => 'DROP',
+ order => '4',
+ }
+
+ shorewall::policy { 'all-all':
+ sourcezone => 'all',
+ destinationzone => 'all',
+ policy => 'REJECT',
+ order => '5',
+ }
+
+ #
+ # Hosts
+ #
+ shorewall::host { "eth0-subnet":
+ name => 'eth0:192.168.0.0/24',
+ zone => 'vm',
+ options => '',
+ order => '1',
+ }
+
+ shorewall::host { "eth0":
+ name => 'eth0:0.0.0.0/0',
+ zone => 'net',
+ options => '',
+ order => '2',
+ }
+
+ shorewall::masq { "eth0":
+ interface => 'eth0:!192.168.0.0/24',
+ source => '192.168.0.0/24',
+ order => '1',
+ }
+
+ #
+ # Rules
+ #
+ shorewall::rule { 'ssh':
+ action => 'SSH/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '100',
+ }
+
+ shorewall::rule { 'ping':
+ action => 'Ping/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '101',
+ }
+
+ shorewall::rule { 'http':
+ action => 'HTTP/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '102',
+ }
+
+ shorewall::rule { 'https':
+ action => 'HTTPS/ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => '-',
+ destinationport => '-',
+ ratelimit => '-',
+ order => '103',
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "4900",
+ default => "$node_munin_port",
+ }
+
+ shorewall::rule { "munin":
+ action => 'ACCEPT',
+ source => 'net',
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => "$munin_port",
+ ratelimit => '-',
+ order => "104",
+ }
+
+ #
+ # Zones
+ #
+ shorewall::zone { 'vm':
+ type => 'ipv4',
+ order => '2',
+ }
+
+ shorewall::zone { 'net':
+ type => 'ipv4',
+ order => '3',
+ }
+
+ #
+ # Traffic shapping
+ #
+ $in_bandwidth = $max_in_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_in_bandwidth",
+ }
+
+ $out_bandwidth = $max_out_bandwidth ? {
+ '' => "2mbit",
+ default => "$max_out_bandwidth",
+ }
+
+ shorewall::tcdevices { "eth0":
+ in_bandwidth => "$in_bandwidth",
+ out_bandwidth => "$out_bandwidth",
+ }
+
+ shorewall::tcrules { "ssh-tcp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "tcp",
+ ports => "22",
+ }
+
+ shorewall::tcrules { "ssh-udp":
+ order => "1",
+ source => "0.0.0.0/0",
+ destination => "0.0.0.0/0",
+ protocol => "udp",
+ ports => "22",
+ }
+
+ shorewall::tcclasses { "ssh":
+ order => "1",
+ interface => "eth0",
+ rate => "4*full/100",
+ ceil => "full",
+ priority => "1",
+ }
+
+ shorewall::tcclasses { "default":
+ order => "2",
+ interface => "eth0",
+ rate => "6*full/100",
+ ceil => "full",
+ priority => "2",
+ options => "default",
+ }
+
+ #
+ # DMZ Configuration
+ #
+ if $shorewall_dmz {
+ shorewall::host { "eth0-dmz":
+ name => 'eth0:192.168.1.0/24',
+ zone => 'dmz',
+ options => '',
+ order => '3',
+ }
+
+ shorewall::policy { 'dmz-all':
+ sourcezone => 'dmz',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => '6',
+ }
+
+ shorewall::policy { 'vm-dmz':
+ sourcezone => 'vm',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '7',
+ }
+
+ shorewall::policy { 'fw-dmz':
+ sourcezone => '$FW',
+ destinationzone => 'dmz',
+ policy => 'ACCEPT',
+ order => '8',
}
+
+ shorewall::zone { 'dmz':
+ type => 'ipv4',
+ order => '4',
+ }
+ }
+}
diff --git a/manifests/subsystems/firewire.pp b/manifests/subsystems/firewire.pp
new file mode 100644
index 0000000..1c9609a
--- /dev/null
+++ b/manifests/subsystems/firewire.pp
@@ -0,0 +1,17 @@
+class firewire {
+ # keep firewire disabled
+ # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
+ file { "/etc/modprobe.d/blacklist":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist",
+ }
+
+ # make sure ohci1394 is not loaded
+ exec { "rmmod ohci1394":
+ unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+ user => "root",
+ }
+}
diff --git a/manifests/subsystems/initramfs.pp b/manifests/subsystems/initramfs.pp
new file mode 100644
index 0000000..3b37f65
--- /dev/null
+++ b/manifests/subsystems/initramfs.pp
@@ -0,0 +1,25 @@
+class initramfs {
+ # initramfs config
+ file { "/etc/kernel-img.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "do_initrd = Yes\n",
+ }
+
+ # initramfs config
+ file { "/etc/initramfs-tools/modules":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
+ }
+
+ # update initramfs when needed
+ exec { "update-initramfs -v -u":
+ subscribe => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/subsystems/lsb.pp b/manifests/subsystems/lsb.pp
new file mode 100644
index 0000000..4516470
--- /dev/null
+++ b/manifests/subsystems/lsb.pp
@@ -0,0 +1,4 @@
+class lsb {
+ package { "lsb-release": ensure => installed, }
+ include assert_lsbdistcodename
+}
diff --git a/manifests/subsystems/motd.pp b/manifests/subsystems/motd.pp
new file mode 100644
index 0000000..c8029bf
--- /dev/null
+++ b/manifests/subsystems/motd.pp
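Review bot: The `dmz-all` policy (`sourcezone => 'dmz', destinationzone => 'all', policy => 'ACCEPT'`) lets hosts in the DMZ initiate connections into the `vm` zone and to `$FW` itself, which removes the isolation a DMZ is meant to provide; a DMZ normally gets an outbound policy towards `net` only, with explicit rules for anything it needs inside, while the existing `net-all` DROP and `all-all` REJECT policies catch the rest. The `ssh` rule accepts `net` to `$FW` with `ratelimit => '-'`; a rate limit on that one rule would slow credential guessing against a host that is reachable from 0.0.0.0/0. The `$rfc1918` selector (`true => true, false => false, default => false`) can be written as `$rfc1918 = $shorewall_dmz ? { true => true, default => false }`.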
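Review bot: `exec { "rmmod ohci1394": ... }` uses an unqualified command and sets no `path`, so unless an `Exec` resource default supplies one elsewhere, Puppet rejects the resource instead of running it; the same applies to `exec { "update-initramfs -v -u": ... }` in the initramfs.pp hunk. The `unless` test is also harder to read than it needs to be: `onlyif => "/bin/grep -q '^ohci1394' /proc/modules"` expresses the same condition (run rmmod only while the module is loaded) without a nested shell. With `"/sbin/rmmod ohci1394"` as the title, both fixes fit on one line each.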
@@ -0,0 +1,17 @@
+class motd {
+ # http://projects.reductivelabs.com/issues/1915
+ file { "/var/run/motd":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => file,
+ content => "This is $fqdn from the $network_name.\n",
+ }
+
+ file { "/etc/motd":
+ owner => "root",
+ group => "root",
+ ensure => "/var/run/motd",
+ require => File["/var/run/motd"],
+ }
+}
diff --git a/manifests/subsystems/munin.pp b/manifests/subsystems/munin.pp
new file mode 100644
index 0000000..2e32117
--- /dev/null
+++ b/manifests/subsystems/munin.pp
@@ -0,0 +1,19 @@
+# Define a munin node
+define munin_node($port = '4949') {
+
+ case $global_munin_allow {
+ '': { fail("Please set \$global_munin_allow in your site config") }
+ }
+
+ $munin_allow = $node_munin_allow ? {
+ '' => "$global_munin_allow",
+ default => "$node_munin_allow",
+ }
+
+ $munin_port = $node_munin_port ? {
+ '' => "$port",
+ default => "$node_munin_port",
+ }
+
+ include munin::client
+}
diff --git a/manifests/subsystems/sudo.pp b/manifests/subsystems/sudo.pp
new file mode 100644
index 0000000..c5679fd
--- /dev/null
+++ b/manifests/subsystems/sudo.pp
@@ -0,0 +1,14 @@
+class sudo {
+
+ package { "sudo":
+ ensure => "present",
+ }
+
+ file { "/etc/sudoers":
+ source => "puppet://$server/modules/nodo/etc/sudoers",
+ owner => "root",
+ group => "root",
+ mode => 440,
+ require => Package["sudo"],
+ }
+}
diff --git a/manifests/subsystems/sysctl.pp b/manifests/subsystems/sysctl.pp
new file mode 100644
index 0000000..3bd028c
--- /dev/null
+++ b/manifests/subsystems/sysctl.pp
@@ -0,0 +1,16 @@
+class sysctl {
+ # root exploit fix, see http://wiki.debian.org/mmap_min_addr
+ # TODO: remove in the future or use a sysctl puppet module
+ file { "/etc/sysctl.d/mmap_min_addr.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "vm.mmap_min_addr = 4096\n",
+ }
+
+ exec { "/etc/init.d/procps restart":
+ subscribe => File["/etc/sysctl.d/mmap_min_addr.conf"],
+ refreshonly => true,
+ }
+}
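Review bot: `file { "/etc/sudoers": ... }` replaces the file straight from the module source with nothing checking its syntax first; a typo in the shipped sudoers breaks every `sudo` invocation on the host at once, so the content should pass `visudo -c -f` on a staged copy before it is moved into place, for example by managing the staged file and an `exec` that validates and installs it. Also `mode => 440` is the only mode in these manifests written without the leading zero; `mode => 0440` keeps it consistent with the other file resources.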
diff --git a/manifests/subsystems/ups.pp b/manifests/subsystems/ups.pp
new file mode 100644
index 0000000..558941e
--- /dev/null
+++ b/manifests/subsystems/ups.pp
@@ -0,0 +1,13 @@
+class ups {
+ include apcupsd
+
+ case $has_ups {
+ true: {
+ apcupsd::ups { "ups0":
+ upstype => 'usb',
+ cable => 'usb',
+ device => '/dev/usb/hiddev0',
+ }
+ }
+ }
+}
diff --git a/manifests/subsystems/utils.pp b/manifests/subsystems/utils.pp
new file mode 100644
index 0000000..92061eb
--- /dev/null
+++ b/manifests/subsystems/utils.pp
@@ -0,0 +1,75 @@
+# Common utilities
+class utils {
+ package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip' ]:
+ ensure => installed,
+ }
+}
+
+# Common utilities for physical
+class utils::physical {
+ package { 'nload':
+ ensure => installed,
+ }
+}
+
+# Common utilities for storage
+class utils::storage {
+ package { 'clamav':
+ ensure => installed,
+ }
+}
+
+# Common utilities for web
+class utils::web {
+ package { 'ffmpeg':
+ ensure => installed,
+ }
+}
+
+# Common utilities for desktop
+class utils::desktop {
+ # Package dosemu used because of the pcf fonts
+ package { [ 'awesome', 'alsa-tools-gui', 'mutt',
+ 'irssi', 'offlineimap', 'wyrd',
+ 'mp3blaster', 'iceweasel', 'eterm',
+ 'libpam-mount', 'locales', 'fluxbox',
+ 'gdm', 'ecryptfs-utils', 'newsbeuter',
+ 'bitlbee', 'nicotine', 'silc',
+ 'irssi-plugin-silc', 'conky', 'rxvt',
+ 'vim-gtk', 'gobby', 'bogofilter',
+ 'gnupg-agent', 'xterm', 'bash-completion',
+ 'fetchmail', 'dosemu', 'xfonts-terminus',
+ 'gnumeric', 'alsa-utils', 'sc',
+ 'gawk', 'telnet', 'fpm',
+ 'procmail', 'msmtp', 'netpbm',
+ 'gqview', 'antiword', 'mairix',
+ 'whois', 'mozilla-plugin-gnash' ]:
+ ensure => installed,
+ }
+
+ # Gem packages
+ package { 'capistrano':
+ ensure => installed,
+ provider => gem,
+ require => Package['rubygems'],
+ }
+
+ if !defined(Package['git-core']) {
+ package { 'git-core':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['ruby']) {
+ package { 'ruby':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['rubygems']) {
+ package { 'rubygems':
+ ensure => installed,
+ require => Package['ruby'],
+ }
+ }
+}
diff --git a/manifests/subsystems/websites.pp b/manifests/subsystems/websites.pp
new file mode 100644
index 0000000..b688860
--- /dev/null
+++ b/manifests/subsystems/websites.pp
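Review bot: `package { 'capistrano': ensure => installed, provider => gem, ... }` installs whatever version the gem source serves at run time, so two desktops configured on different days can end up with different code and a host silently picks up a later release without any change in this repository. Pinning the version, `ensure => '<VERSION-PLACEHOLDER>'`, keeps the install reproducible and makes an upgrade a reviewed change. The apt packages in the same class follow the distribution's release cadence, which is a weaker but at least curated version of the same guarantee.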
@@ -0,0 +1,127 @@
+class websites::setup {
+ # Configure Apache Web Server
+ $apache_www_folder = "/var/www/data"
+ $apache_error_folder = "/var/www/error"
+ $apache_sites_folder = "/var/sites"
+ $apache_error_dest = "http://${domain}/missing.html"
+ $drupal_folder = "${apache_www_folder}/drupal"
+
+ $default_vhost = $apache_server_name ? {
+ '' => $hostname,
+ default => $apache_server_name,
+ }
+
+ # Include apache
+ include apache
+
+ # The needed apache modules
+ apache::module { "rewrite":
+ ensure => present,
+ }
+
+ # The needed apache modules
+ apache::module { "alias":
+ ensure => present,
+ }
+
+ # Images folder
+ file { "${apache_www_folder}/images":
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ force => true,
+ owner => "root",
+ group => "root",
+ # This mode will also apply to files from the source directory
+ mode => 0644,
+ # Puppet will automatically set +x for directories
+ source => "puppet://$server/files/apache/htdocs/images",
+ }
+
+ # Web index
+ file { "${apache_www_folder}/index.html":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet://$server/files/apache/htdocs/index.html",
+ }
+
+ # Missing page
+ file { "${apache_www_folder}/missing.html":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet://$server/files/apache/htdocs/missing.html",
+ }
+
+ # Default vhost: can just be applied on the defining host
+ apache::site { "$default_vhost":
+ server_alias => "$domain",
+ docroot => "${apache_www_folder}",
+ }
+
+ # We have to use 'zzz-error' so it will be the last matched vhost
+ apache::site { "error":
+ template => 'apache/error.erb',
+ docroot => "${apache_error_folder}",
+ filename => 'zzz-error',
+ }
+
+ # Index page for error
+ file { "${apache_error_folder}/index.html":
+ ensure => "${apache_www_folder}/index.html",
+ owner => "root",
+ group => "root",
+ force => true,
+ require => File["$apache_error_folder"],
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ # We have to use 'zzz-erro' so it will be the last matched vhost
+ apache::site { "erro":
+ ensure => absent,
+ docroot => '/var/www/erro',
+ filename => 'zzz-erro',
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ file { "/var/www/erro":
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ # Index page for erro
+ file { "/var/www/erro/index.html":
+ ensure => absent,
+ owner => "root",
+ group => "root",
+ force => true,
+ }
+
+ # TODO: this is temporary: remove when all nodes have applied it
+ file { "/var/www/erro/missing.html":
+ ensure => absent,
+ }
+}
+
+class websites::hosting inherits websites::setup {
+ # Include the needed classes for website hosting
+ include php
+ include drupal
+ include gitweb
+ include trac
+ include websvn
+ include moin
+ include ikiwiki
+ include pmwiki
+}
+
+class websites::hosting::admin inherits websites::setup {
+ # Include the needed classes for admin interfaces
+ include trac
+ include gitweb
+}
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
deleted file mode 100644
index c5679fd..0000000
--- a/manifests/sudo.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class sudo {
-
- package { "sudo":
- ensure => "present",
- }
-
- file { "/etc/sudoers":
- source => "puppet://$server/modules/nodo/etc/sudoers",
- owner => "root",
- group => "root",
- mode => 440,
- require => Package["sudo"],
- }
-}
diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
deleted file mode 100644
index 3bd028c..0000000
--- a/manifests/sysctl.pp
+++ /dev/null
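Review bot: `require => File["$apache_error_folder"]` in the error index resource references a `File["/var/www/error"]` that this class does not declare; unless `apache::site { "error": ... }` declares its docroot as a file resource, the catalog fails to compile on a missing dependency. Either declare the directory here (`file { "$apache_error_folder": ensure => directory, ... }`) or require `Apache::Site["error"]` instead. `$apache_sites_folder`, `$apache_error_dest` and `$drupal_folder` are assigned but never used within this class; presumably the included classes read them through dynamic scope, and a comment such as `# read by the included php/drupal classes via scope` would save the next reader the search.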
@@ -1,16 +0,0 @@
-class sysctl {
- # root exploit fix, see http://wiki.debian.org/mmap_min_addr
- # TODO: remove in the future or use a sysctl puppet module
- file { "/etc/sysctl.d/mmap_min_addr.conf":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- content => "vm.mmap_min_addr = 4096\n",
- }
-
- exec { "/etc/init.d/procps restart":
- subscribe => File["/etc/sysctl.d/mmap_min_addr.conf"],
- refreshonly => true,
- }
-}
diff --git a/manifests/test.pp b/manifests/test.pp
new file mode 100644
index 0000000..7195fc2
--- /dev/null
+++ b/manifests/test.pp
@@ -0,0 +1,3 @@
+class nodo::test inherits nodo::web {
+ # Class for test nodes
+}
diff --git a/manifests/ups.pp b/manifests/ups.pp
deleted file mode 100644
index 558941e..0000000
--- a/manifests/ups.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class ups {
- include apcupsd
-
- case $has_ups {
- true: {
- apcupsd::ups { "ups0":
- upstype => 'usb',
- cable => 'usb',
- device => '/dev/usb/hiddev0',
- }
- }
- }
-}
diff --git a/manifests/utils.pp b/manifests/utils.pp
deleted file mode 100644
index 92061eb..0000000
--- a/manifests/utils.pp
+++ /dev/null
@@ -1,75 +0,0 @@
-# Common utilities
-class utils {
- package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip' ]:
- ensure => installed,
- }
-}
-
-# Common utilities for physical
-class utils::physical {
- package { 'nload':
- ensure => installed,
- }
-}
-
-# Common utilities for storage
-class utils::storage {
- package { 'clamav':
- ensure => installed,
- }
-}
-
-# Common utilities for web
-class utils::web {
- package { 'ffmpeg':
- ensure => installed,
- }
-}
-
-# Common utilities for desktop
-class utils::desktop {
- # Package dosemu used because of the pcf fonts
- package { [ 'awesome', 'alsa-tools-gui', 'mutt',
- 'irssi', 'offlineimap', 'wyrd',
- 'mp3blaster', 'iceweasel', 'eterm',
- 'libpam-mount', 'locales', 'fluxbox',
- 'gdm', 'ecryptfs-utils', 'newsbeuter',
- 'bitlbee', 'nicotine', 'silc',
- 'irssi-plugin-silc', 'conky', 'rxvt',
- 'vim-gtk', 'gobby', 'bogofilter',
- 'gnupg-agent', 'xterm', 'bash-completion',
- 'fetchmail', 'dosemu', 'xfonts-terminus',
- 'gnumeric', 'alsa-utils', 'sc',
- 'gawk', 'telnet', 'fpm',
- 'procmail', 'msmtp', 'netpbm',
- 'gqview', 'antiword', 'mairix',
- 'whois', 'mozilla-plugin-gnash' ]:
- ensure => installed,
- }
-
- # Gem packages
- package { 'capistrano':
- ensure => installed,
- provider => gem,
- require => Package['rubygems'],
- }
-
- if !defined(Package['git-core']) {
- package { 'git-core':
- ensure => installed,
- }
- }
-
- if !defined(Package['ruby']) {
- package { 'ruby':
- ensure => installed,
- }
- }
-
- if !defined(Package['rubygems']) {
- package { 'rubygems':
- ensure => installed,
- require => Package['ruby'],
- }
- }
-}
diff --git a/manifests/vserver.pp b/manifests/vserver.pp
new file mode 100644
index 0000000..14b1e28
--- /dev/null
+++ b/manifests/vserver.pp
@@ -0,0 +1,314 @@
+class nodo::vserver inherits nodo {
+ include sshd
+ include timezone
+ include syslog-ng::vserver
+
+ backupninja::sys { "sys":
+ ensure => present,
+ partitions => false,
+ hardware => false,
+ dosfdisk => false,
+ dohwinfo => false,
+ }
+
+ $hosting_type = $node_hosting_type ? {
+ '' => "direct",
+ default => "$node_hosting_type",
+ }
+
+ case $hosting_type {
+ "direct": {
+ # Apply munin configuration for this node for
+ # directly hosted nodes.
+ Munin_node <<| title == $hostname |>>
+ }
+ "third-party": {
+ # Apply munin configuration for this node for third-party
+ # hosted nodes.
+ munin_node { "$hostname": }
+ }
+ }
+
+ # Define a vserver instance
+ define instance($context, $ensure = 'running', $proxy = false,
+ $puppetmaster = false, $gitd = false,
+ $icecast = false, $sound = false, $ticket = false,
+ $memory_limit = false) {
+
+ # set instance id
+ if $context < 9 {
+ $id = "0$context"
+ } else {
+ $id = $context
+ }
+
+ vserver { $name:
+ ensure => $ensure,
+ context => "$context",
+ mark => 'default',
+ distro => 'lenny',
+ interface => "eth0:192.168.0.$context/24",
+ hostname => "$name.$domain",
+ memory_limit => $memory_limit,
+ }
+
+ # Some nodes need a lot of space at /tmp otherwise some admin
+ # tasks like backups might not run.
+ file { "/etc/vservers/${name}/fstab":
+ source => "puppet://$server/modules/nodo/etc/fstab/vserver",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Exec["vs_restart_${name}"],
+ require => Exec["vs_create_${name}"],
+ }
+
+ # Create a munin virtual resource to be realized in the node
+ @@munin_node { "$name":
+ port => "49$id",
+ }
+
+ # Sound support
+ if $sound {
+ if !defined(File["/usr/local/sbin/create-sound-devices"]) {
+ file { "/usr/local/sbin/create-sound-devices":
+ ensure => present,
+ source => "puppet://$server/modules/nodo/sound/devices.sh",
+ owner => root,
+ group => root,
+ mode => 755,
+ }
+ }
+ exec { "/usr/local/sbin/create-sound-devices ${name}":
+ unless => "/usr/local/sbin/create-sound-devices ${name} --check",
+ user => root,
+ require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ],
+ }
+ }
+
+ # Apply firewall rules just for running vservers
+ case $ensure {
+ 'running': {
+
+ shorewall::rule { "ssh-$context-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ ratelimit => '-',
+ order => "2$id",
+ }
+
+ shorewall::rule { "ssh-$context-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:22",
+ proto => 'tcp',
+ destinationport => "22$id",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "3$id",
+ }
+
+ shorewall::rule { "munin-$context-1":
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:49$id",
+ proto => 'tcp',
+ destinationport => "49$id",
+ ratelimit => '-',
+ order => "4$id",
+ }
+
+ shorewall::rule { "munin-$context-2":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:49$id",
+ proto => 'tcp',
+ destinationport => "49$id",
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => "5$id",
+ }
+
+ if $proxy {
+ shorewall::rule { 'http-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ ratelimit => '-',
+ order => '600',
+ }
+
+ shorewall::rule { 'http-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:80",
+ proto => 'tcp',
+ destinationport => '80',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '601',
+ }
+
+ shorewall::rule { 'https-route-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "vm:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ ratelimit => '-',
+ order => '602',
+ }
+
+ shorewall::rule { 'https-route-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:443",
+ proto => 'tcp',
+ destinationport => '443',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '602',
+ }
+ }
+
+ if $puppetmaster {
+ shorewall::rule { 'puppetmaster-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '700',
+ }
+
+ shorewall::rule { 'puppetmaster-2':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ ratelimit => '-',
+ order => '701',
+ }
+
+ shorewall::rule { 'puppetmaster-3':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'tcp',
+ destinationport => '8140',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '702',
+ }
+
+ shorewall::rule { 'puppetmaster-4':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8140",
+ proto => 'udp',
+ destinationport => '8140',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '703',
+ }
+
+ shorewall::rule { 'puppetmaster-5':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'tcp',
+ destinationport => '8141',
+ ratelimit => '-',
+ order => '704',
+ }
+
+ shorewall::rule { 'puppetmaster-6':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'udp',
+ destinationport => '8141',
+ ratelimit => '-',
+ order => '705',
+ }
+
+ shorewall::rule { 'puppetmaster-7':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'tcp',
+ destinationport => '8141',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '706',
+ }
+
+ shorewall::rule { 'puppetmaster-8':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8141",
+ proto => 'udp',
+ destinationport => '8141',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '707',
+ }
+ }
+
+ if $gitd {
+ shorewall::rule { 'git-daemon-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ ratelimit => '-',
+ order => '800',
+ }
+
+ shorewall::rule { 'git-daemon-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:9418",
+ proto => 'tcp',
+ destinationport => '9418',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '801',
+ }
+ }
+
+ if $icecast {
+ shorewall::rule { 'icecast-1':
+ action => 'DNAT',
+ source => 'net',
+ destination => "fw:192.168.0.$context:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ ratelimit => '-',
+ order => '900',
+ }
+
+ shorewall::rule { 'icecast-2':
+ action => 'DNAT',
+ source => '$FW',
+ destination => "fw:192.168.0.$context:8000",
+ proto => 'tcp',
+ destinationport => '8000',
+ originaldest => "$ipaddress",
+ ratelimit => '-',
+ order => '901',
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/manifests/web.pp b/manifests/web.pp
new file mode 100644
index 0000000..09aec4d
--- /dev/null
+++ b/manifests/web.pp
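Review bot: `if $context < 9 { $id = "0$context" } else { $id = $context }` leaves context 9 with a one-digit id, so its SSH and munin ports become `229`/`499` and its rule orders `29`/`39` instead of the two-digit scheme every other context gets; the test should be `if $context < 10`. Separately, `https-route-2` carries `order => '602'`, the same value as `https-route-1`; from the sequence used by the neighbouring rules it was meant to be `'603'`, and a duplicate order may collide in whatever `shorewall::rule` derives from it. The DNAT rules from `net` are also inconsistent about the destination zone — `ssh-$context-1` and `http-route-1` use `vm:192.168.0.$context`, while `munin-$context-1`, `puppetmaster-1`, `git-daemon-1` and `icecast-1` use `fw:`; if `fw` is the firewall's own zone those addresses do not belong to it, so check which form Shorewall actually matches and use it throughout.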
@@ -0,0 +1,17 @@
+class nodo::web inherits nodo::vserver {
+ include git-daemon
+ include websites
+ include database
+ include users::virtual
+ include utils::web
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+
+ backupninja::mysql { "all_databases":
+ backupdir => '/var/backups/mysql',
+ compress => true,
+ sqldump => true,
+ }
+}
diff --git a/manifests/websites.pp b/manifests/websites.pp
deleted file mode 100644
index b688860..0000000
--- a/manifests/websites.pp
+++ /dev/null
@@ -1,127 +0,0 @@
-class websites::setup {
- # Configure Apache Web Server
- $apache_www_folder = "/var/www/data"
- $apache_error_folder = "/var/www/error"
- $apache_sites_folder = "/var/sites"
- $apache_error_dest = "http://${domain}/missing.html"
- $drupal_folder = "${apache_www_folder}/drupal"
-
- $default_vhost = $apache_server_name ? {
- '' => $hostname,
- default => $apache_server_name,
- }
-
- # Include apache
- include apache
-
- # The needed apache modules
- apache::module { "rewrite":
- ensure => present,
- }
-
- # The needed apache modules
- apache::module { "alias":
- ensure => present,
- }
-
- # Images folder
- file { "${apache_www_folder}/images":
- ensure => directory,
- recurse => true,
- purge => true,
- force => true,
- owner => "root",
- group => "root",
- # This mode will also apply to files from the source directory
- mode => 0644,
- # Puppet will automatically set +x for directories
- source => "puppet://$server/files/apache/htdocs/images",
- }
-
- # Web index
- file { "${apache_www_folder}/index.html":
- ensure => present,
- owner => "root",
- group => "root",
- mode => 0644,
- source => "puppet://$server/files/apache/htdocs/index.html",
- }
-
- # Missing page
- file { "${apache_www_folder}/missing.html":
- ensure => present,
- owner => "root",
- group => "root",
- mode => 0644,
- source => "puppet://$server/files/apache/htdocs/missing.html",
- }
-
- # Default vhost: can just be applied on the defining host
- apache::site { "$default_vhost":
- server_alias => "$domain",
- docroot => "${apache_www_folder}",
- }
-
- # We have to use 'zzz-error' so it will be the last matched vhost
- apache::site { "error":
- template => 'apache/error.erb',
- docroot => "${apache_error_folder}",
- filename => 'zzz-error',
- }
-
- # Index page for error
- file { "${apache_error_folder}/index.html":
- ensure => "${apache_www_folder}/index.html",
- owner => "root",
- group => "root",
- force => true,
- require => File["$apache_error_folder"],
- }
-
- # TODO: this is temporary: remove when all nodes have applied it
- # We have to use 'zzz-erro' so it will be the last matched vhost
- apache::site { "erro":
- ensure => absent,
- docroot => '/var/www/erro',
- filename => 'zzz-erro',
- }
-
- # TODO: this is temporary: remove when all nodes have applied it
- file { "/var/www/erro":
- ensure => absent,
- recurse => true,
- force => true,
- }
-
- # TODO: this is temporary: remove when all nodes have applied it
- # Index page for erro
- file { "/var/www/erro/index.html":
- ensure => absent,
- owner => "root",
- group => "root",
- force => true,
- }
-
- # TODO: this is temporary: remove when all nodes have applied it
- file { "/var/www/erro/missing.html":
- ensure => absent,
- }
-}
-
-class websites::hosting inherits websites::setup {
- # Include the needed classes for website hosting
- include php
- include drupal
- include gitweb
- include trac
- include websvn
- include moin
- include ikiwiki
- include pmwiki
-}
-
-class websites::hosting::admin inherits websites::setup {
- # Include the needed classes for admin interfaces
- include trac
- include gitweb
-}
-- cgit v1.2.3