From 76ec4642be1a8bc64380c077a5890c4d0f4243e0 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto
Date: Fri, 11 Sep 2015 21:16:42 -0300
Subject: Autoload definitions

---
 manifests/base/host.pp | 2 +-
 manifests/base/plug.pp | 2 +-
 manifests/base/vserver.pp | 6 ++--
 manifests/defines/monkeysphere_host.pp | 20 ------------
 manifests/defines/munin_node.pp | 27 ----------------
 manifests/defines/ssh_config.pp | 35 --------------------
 manifests/defines/ssh_create_key.pp | 20 ------------
 manifests/defines/ssh_folder.pp | 16 ----------
 manifests/defines/ssh_known_hosts.pp | 58 ----------------------------------
 manifests/defines/ssh_local_key.pp | 43 -------------------------
 manifests/defines/sysctl.pp | 19 -----------
 manifests/init.pp | 14 ++------
 manifests/role/nas.pp | 2 +-
 manifests/subsystem/monitor/munin.pp | 27 ++++++++++++++++
 manifests/subsystem/monkeysphere.pp | 20 ++++++++++++
 manifests/subsystem/ssh/config.pp | 35 ++++++++++++++++++++
 manifests/subsystem/ssh/create_key.pp | 20 ++++++++++++
 manifests/subsystem/ssh/folder.pp | 16 ++++++++++
 manifests/subsystem/ssh/known_hosts.pp | 58 ++++++++++++++++++++++++++++++++++
 manifests/subsystem/ssh/local_key.pp | 43 +++++++++++++++++++++++++
 manifests/subsystem/sysctl/entry.pp | 19 +++++++++++
 manifests/vserver/instance.pp | 4 +--
 22 files changed, 248 insertions(+), 258 deletions(-)
 delete mode 100644 manifests/defines/monkeysphere_host.pp
 delete mode 100644 manifests/defines/munin_node.pp
 delete mode 100644 manifests/defines/ssh_config.pp
 delete mode 100644 manifests/defines/ssh_create_key.pp
 delete mode 100644 manifests/defines/ssh_folder.pp
 delete mode 100644 manifests/defines/ssh_known_hosts.pp
 delete mode 100644 manifests/defines/ssh_local_key.pp
 delete mode 100644 manifests/defines/sysctl.pp
 create mode 100644 manifests/subsystem/monitor/munin.pp
 create mode 100644 manifests/subsystem/monkeysphere.pp
 create mode 100644 manifests/subsystem/ssh/config.pp
 create mode 100644 manifests/subsystem/ssh/create_key.pp
 create mode 100644 manifests/subsystem/ssh/folder.pp
 create mode 100644 manifests/subsystem/ssh/known_hosts.pp
 create mode 100644 manifests/subsystem/ssh/local_key.pp
 create mode 100644 manifests/subsystem/sysctl/entry.pp

diff --git a/manifests/base/host.pp b/manifests/base/host.pp
index 799fe20..433364b 100644
--- a/manifests/base/host.pp
+++ b/manifests/base/host.pp
@@ -49,7 +49,7 @@ class nodo::base::host {
 # Munin configuration
 $munin = hiera('nodo::host::use_munin', True)
 if $munin == true {
- munin_node { "$hostname":
+ nodo::subsystem::monitor::munin { "$hostname":
 port => '4900',
 }
 }
diff --git a/manifests/base/plug.pp b/manifests/base/plug.pp
index eedd9fe..b71b648 100644
--- a/manifests/base/plug.pp
+++ b/manifests/base/plug.pp
@@ -20,7 +20,7 @@ class nodo::base::plug {
 }
 # Munin configuration
- munin_node { "${::hostname}":
+ nodo::subsystem::monitor::munin { "${::hostname}":
 port => '4900',
 }
 }
diff --git a/manifests/base/vserver.pp b/manifests/base/vserver.pp
index 0a8b589..f904f32 100644
--- a/manifests/base/vserver.pp
+++ b/manifests/base/vserver.pp
@@ -16,13 +16,13 @@ class nodo::base::vserver {
 "direct": {
 # Apply munin and monkeysphere configuration for
 # for directly hosted nodes.
- Munin_node <<| title == $::hostname |>>
- Monkeysphere_host <<| title == $::hostname |>>
+ Nodo::Subsystem::Monitor::Munin <<| title == $::hostname |>>
+ Nodo::Subsystem::Monkeysphere <<| title == $::hostname |>>
 }
 "third-party": {
 # Apply munin and monkeysphere configuration for
 # nodes hosted by third-parties.
- munin_node { "${::hostname}": }
+ nodo::subsystem::monitor::munin { "${::hostname}": }
 monkeysphere_host { "${::hostname}":
 port => hiera('nodo::vserver::ssh_port', '22'),
 }
diff --git a/manifests/defines/monkeysphere_host.pp b/manifests/defines/monkeysphere_host.pp
deleted file mode 100644
index b4b21e0..0000000
--- a/manifests/defines/monkeysphere_host.pp
+++ /dev/null
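Review bot: The `"third-party"` branch of manifests/base/vserver.pp still declares `monkeysphere_host { "${::hostname}":` while this commit deletes manifests/defines/monkeysphere_host.pp and drops its import from init.pp, so compiling a catalog for a third-party-hosted vserver will fail on an unknown resource type once the change lands. The `"direct"` branch a few lines above was switched to `Nodo::Subsystem::Monkeysphere`, so this reads as an oversight rather than intent. The line should become `nodo::subsystem::monkeysphere { "${::hostname}":` with the `port` parameter kept as it is. The class body continues outside the hunk.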
@@ -1,20 +0,0 @@
-define monkeysphere_host(
- $port = hiera('nodo::monkeysphere_host::ssh_port', ''),
- $mail_recipient = hiera('mail::root_mail_recipient', 'nobody')
-) {
- include monkeysphere
-
- # Ensure the server's ssh key is imported into your monkeysphere key ring
- monkeysphere::import_key { "ssh":
- port => $port,
- }
-
- # TODO
- # Currently we don't have a defined policy regarding whether
- # to publish all our node keys to public keyservers, so leave
- # automatic publishing disabled for now.
- #monkeysphere::publish_server_keys { }
-
- # Email the server key
- monkeysphere::email_server_keys { "$mail_recipient": }
-}
diff --git a/manifests/defines/munin_node.pp b/manifests/defines/munin_node.pp
deleted file mode 100644
index f867fd3..0000000
--- a/manifests/defines/munin_node.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-# Define a munin node
-define munin_node(
- $port = hiera('nodo::munin_node::port', '4949'),
- $allow = hiera('nodo::munin_node::allow', ''),
- $host = hiera('nodo::munin_node::host', $::fqdn),
- $listen = hiera('nodo::munin_node::listen', '*'),
- $config = hiera('nodo::munin_node::config', [ 'use_node_name yes', 'load.load.warning 5', 'load.load.critical 10' ])
-) {
-
- case $allow {
- '': { fail("Please set nodo::munin_node::allow in your config") }
- }
-
- package { "munin-plugins-extra":
- ensure => "present",
- }
-
- class { 'munin::client':
- port => $port,
- allow => $allow,
- host => $host,
- listen => $listen,
- config => $config,
- }
-
- munin::plugin { apt_all: ensure => present; }
-}
diff --git a/manifests/defines/ssh_config.pp b/manifests/defines/ssh_config.pp
deleted file mode 100644
index 5585520..0000000
--- a/manifests/defines/ssh_config.pp
+++ /dev/null
@@ -1,35 +0,0 @@
-# Manage ssh config for a particular user
-define ssh_config(
- $owner,
- $group,
- $home = '/home/$owner',
- $ssh_localhost_auth = false
-) {
- ssh_folder { "ssh-config-${name}":
- home => $home,
- owner => $owner,
- group => $group,
- }
-
- file { "${home}/.ssh/config":
- ensure => present,
- owner => $owner,
- group => $group,
- mode => 0600,
- require => File["${home}/.ssh"],
- }
-
- # The NoHostAuthenticationForLocalhost ssh option might be useful
- # for automated deployment environments so your ikiwiki user doesn't
- # get stuck with the fingerprint confirmation prompt when pushing
- # content via ssh in the first time it runs.
- line { 'NoHostAuthenticationForLocalhost-${owner}':
- file => "${home}/.ssh/config",
- line => "NoHostAuthenticationForLocalhost yes",
- ensure => $ssh_localhost_auth ? {
- 'auto' => present,
- 'fingerprint' => absent,
- default => absent,
- },
- }
-}
diff --git a/manifests/defines/ssh_create_key.pp b/manifests/defines/ssh_create_key.pp
deleted file mode 100644
index 77d1f00..0000000
--- a/manifests/defines/ssh_create_key.pp
+++ /dev/null
@@ -1,20 +0,0 @@
-define ssh_create_key(
- $owner,
- $group,
- $keyfile = 'id_rsa',
- $home = '/home/$owner'
-) {
- ssh_folder { "ssh_create_key-${name}":
- home => $home,
- owner => $owner,
- group => $group,
- }
-
- exec { "ssh-keygen-${owner}":
- command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
- creates => "${home}/.ssh/${keyfile}",
- user => $owner,
- group => $group,
- require => File["${home}/.ssh"],
- }
-}
diff --git a/manifests/defines/ssh_folder.pp b/manifests/defines/ssh_folder.pp
deleted file mode 100644
index 41b688a..0000000
--- a/manifests/defines/ssh_folder.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-# Manage a ssh folder
-define ssh_folder(
- $home,
- $owner,
- $group,
- $ensure = 'directory',
-) {
- if !defined(File["${home}/.ssh"]) {
- file { "${home}/.ssh":
- ensure => $ensure,
- owner => $owner,
- group => $group,
- mode => 0700,
- }
- }
-}
diff --git a/manifests/defines/ssh_known_hosts.pp b/manifests/defines/ssh_known_hosts.pp
deleted file mode 100644
index c0d7157..0000000
--- a/manifests/defines/ssh_known_hosts.pp
+++ /dev/null
@@ -1,58 +0,0 @@
-# Manage known_hosts for a particular user
-define ssh_known_host(
- $owner,
- $home = '/home/$owner',
- $ssh_localhost_auth = false
-) {
- ssh_folder { "ssh_known_host-${name}":
- home => $home,
- owner => $owner,
- group => $group,
- }
-
- file { "${home}/.ssh/known_hosts":
- ensure => present,
- owner => $owner,
- group => $group,
- mode => 0600,
- require => File["${home}/.ssh"],
- }
-
- # You can choose to include the host's fingeprints
- # directly into the known_hosts file.
- if $::sshrsakey != '' {
- line { 'known_hosts-localhost-rsa-${owner}':
- file => "${home}/.ssh/known_hosts",
- line => "localhost ssh-rsa ${::sshrsakey}",
- ensure => $ssh_localhost_auth ? {
- 'fingerprint' => present,
- 'auto' => undef,
- default => undef,
- },
- }
- }
-
- if $::sshdsakey != '' {
- line { 'known_hosts-localhost-dsa-${owner}':
- file => "${home}/.ssh/known_hosts",
- line => "localhost ssh-dss ${::sshdsakey}",
- ensure => $ssh_localhost_auth ? {
- 'fingerprint' => present,
- 'auto' => undef,
- default => undef,
- },
- }
- }
-
- if $::sshecdsakey != '' {
- line { 'known_hosts-localhost-ecdsa-${owner}':
- file => "${home}/.ssh/known_hosts",
- line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
- ensure => $ssh_localhost_auth ? {
- 'fingerprint' => present,
- 'auto' => undef,
- default => undef,
- },
- }
- }
-}
diff --git a/manifests/defines/ssh_local_key.pp b/manifests/defines/ssh_local_key.pp
deleted file mode 100644
index 57bb251..0000000
--- a/manifests/defines/ssh_local_key.pp
+++ /dev/null
@@ -1,43 +0,0 @@
-# Manage local ssh keys
-define ssh_local_key(
- $owner = $name,
- $group = $name,
- $home = "/home/${owner}",
- $source = "puppet:///ssh/${name}_id_rsa",
- $dest = 'id_rsa',
- $ensure = 'present',
-) {
- ssh_folder { "ssh_local_key-${name}":
- home => $home,
- owner => $owner,
- group => $group,
- ensure => $ensure ? {
- 'present' => 'directory',
- default => 'absent',
- },
- }
-
- file { "${home}/.ssh/${dest}":
- ensure => $ensure,
- owner => $owner,
- group => $group,
- mode => 0400,
- source => $ensure ? {
- 'present' => $source,
- default => undef,
- },
- require => File["${home}/.ssh"],
- }
-
- file { "${home}/.ssh/${dest}.pub":
- ensure => $ensure,
- owner => $owner,
- group => $group,
- mode => 0400,
- source => $ensure ? {
- 'present' => "${source}.pub",
- default => undef,
- },
- require => File["${home}/.ssh"],
- }
-}
diff --git a/manifests/defines/sysctl.pp b/manifests/defines/sysctl.pp
deleted file mode 100644
index 06f6a14..0000000
--- a/manifests/defines/sysctl.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-# Simple sysctl definition
-define sysctl(
- $ensure = present,
- $value
-) {
- file { "/etc/sysctl.d/${name}.conf":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => $ensure,
- content => "$name = $value\n",
- }
-
- exec { "sysctl ${name}=${value}":
- user => root,
- subscribe => File["/etc/sysctl.d/${name}.conf"],
- refreshonly => true,
- }
-}
diff --git a/manifests/init.pp b/manifests/init.pp
index d97d3f3..1751d9c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,18 +6,8 @@ import "common"
 # Modules that still doesn't support autoloading
-#import 'dhcp'
-#import 'virtual'
-
-# Definitions
-import "defines/monkeysphere_host.pp"
-import "defines/munin_node.pp"
-import "defines/ssh_config.pp"
-import "defines/ssh_create_key.pp"
-import "defines/ssh_known_hosts.pp"
-import "defines/ssh_local_key.pp"
-import "defines/ssh_folder.pp"
-import "defines/sysctl.pp"
+import 'dhcp'
+import 'virtual'
 class nodo(
 $role = hiera('nodo::role', 'default'),
diff --git a/manifests/role/nas.pp b/manifests/role/nas.pp
index 6b80e5f..536f9ca 100644
--- a/manifests/role/nas.pp
+++ b/manifests/role/nas.pp
@@ -45,7 +45,7 @@ class nodo::role::nas(
 if $dlna == true {
 # See https://wiki.archlinux.org/index.php/MiniDLNA#Automatic_Media_DB_Update
- sysctl { 'fs.inotify.max_user_watches':
+ nodo::subsystem::sysctl::entry { 'fs.inotify.max_user_watches':
 value => 100000,
 }
diff --git a/manifests/subsystem/monitor/munin.pp b/manifests/subsystem/monitor/munin.pp
new file mode 100644
index 0000000..aa70c2f
--- /dev/null
+++ b/manifests/subsystem/monitor/munin.pp
@@ -0,0 +1,27 @@
+# Define a munin node
+define nodo::sybsystem::monitor::munin(
+ $port = hiera('nodo::munin_node::port', '4949'),
+ $allow = hiera('nodo::munin_node::allow', ''),
+ $host = hiera('nodo::munin_node::host', $::fqdn),
+ $listen = hiera('nodo::munin_node::listen', '*'),
+ $config = hiera('nodo::munin_node::config', [ 'use_node_name yes', 'load.load.warning 5', 'load.load.critical 10' ])
+) {
+
+ case $allow {
+ '': { fail("Please set nodo::munin_node::allow in your config") }
+ }
+
+ package { "munin-plugins-extra":
+ ensure => "present",
+ }
+
+ class { 'munin::client':
+ port => $port,
+ allow => $allow,
+ host => $host,
+ listen => $listen,
+ config => $config,
+ }
+
+ munin::plugin { apt_all: ensure => present; }
+}
diff --git a/manifests/subsystem/monkeysphere.pp b/manifests/subsystem/monkeysphere.pp
new file mode 100644
index 0000000..c09effe
--- /dev/null
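Review bot: The init.pp hunk does more than remove the `defines/*.pp` imports: it also turns the previously commented `#import 'dhcp'` and `#import 'virtual'` into live `import 'dhcp'` / `import 'virtual'` statements, which is a behaviour change the subject "Autoload definitions" does not announce. If re-enabling those two imports is intended, it deserves its own sentence in the commit message or a comment next to them; if it is not, the two lines should stay commented out. The `class nodo(` definition that follows continues outside the hunk.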
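Review bot: The second line of the new manifests/subsystem/monitor/munin.pp declares `define nodo::sybsystem::monitor::munin(` (typo in `sybsystem`), but the file path and every caller touched by this commit (host.pp, plug.pp, vserver.pp, instance.pp) use `nodo::subsystem::monitor::munin`, so the autoloader will not map the name to this file and catalog compilation fails. Change it to `define nodo::subsystem::monitor::munin(`. Separately, the hiera lookups still use the old `nodo::munin_node::*` keys after the rename; if that is deliberate to keep existing hiera data valid, a short comment above the parameter list saying so would save the next reader a search.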
+++ b/manifests/subsystem/monkeysphere.pp
@@ -0,0 +1,20 @@
+define nodo::subsystem::monkeysphere(
+ $port = hiera('nodo::monkeysphere_host::ssh_port', ''),
+ $mail_recipient = hiera('mail::root_mail_recipient', 'nobody')
+) {
+ include monkeysphere
+
+ # Ensure the server's ssh key is imported into your monkeysphere key ring
+ monkeysphere::import_key { "ssh":
+ port => $port,
+ }
+
+ # TODO
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #monkeysphere::publish_server_keys { }
+
+ # Email the server key
+ monkeysphere::email_server_keys { "$mail_recipient": }
+}
diff --git a/manifests/subsystem/ssh/config.pp b/manifests/subsystem/ssh/config.pp
new file mode 100644
index 0000000..6c9fbc3
--- /dev/null
+++ b/manifests/subsystem/ssh/config.pp
@@ -0,0 +1,35 @@
+# Manage ssh config for a particular user
+define nodo::subsystem::ssh::config(
+ $owner,
+ $group,
+ $home = '/home/$owner',
+ $ssh_localhost_auth = false
+) {
+ nodo::subsystem::ssh::folder { "ssh-config-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+}
diff --git a/manifests/subsystem/ssh/create_key.pp b/manifests/subsystem/ssh/create_key.pp
new file mode 100644
index 0000000..881ddda
--- /dev/null
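Review bot: In manifests/subsystem/ssh/config.pp the default `$home = '/home/$owner'` is single-quoted, so Puppet does not interpolate and the default home directory is the literal path `/home/$owner`; the same default is carried into create_key.pp and known_hosts.pp in this commit, while local_key.pp gets it right with `"/home/${owner}"`. The `line` title `'NoHostAuthenticationForLocalhost-${owner}'` is single-quoted too, so declaring the define for two different owners yields a duplicate resource title (the three `line` titles in known_hosts.pp have the same pattern). Use double quotes in all of these: `$home = "/home/${owner}",` and `line { "NoHostAuthenticationForLocalhost-${owner}":`. Since this option disables host-key checking for localhost, the header comment should also say that only `'auto'` turns it on and that the fingerprint path in known_hosts.pp is the stricter alternative.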
+++ b/manifests/subsystem/ssh/create_key.pp
@@ -0,0 +1,20 @@
+define nodo::subsystem::ssh::create_key(
+ $owner,
+ $group,
+ $keyfile = 'id_rsa',
+ $home = '/home/$owner'
+) {
+ nodo::subsystem::ssh::folder { "ssh_create_key-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ exec { "ssh-keygen-${owner}":
+ command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+ creates => "${home}/.ssh/${keyfile}",
+ user => $owner,
+ group => $group,
+ require => File["${home}/.ssh"],
+ }
+}
diff --git a/manifests/subsystem/ssh/folder.pp b/manifests/subsystem/ssh/folder.pp
new file mode 100644
index 0000000..462f8fb
--- /dev/null
+++ b/manifests/subsystem/ssh/folder.pp
@@ -0,0 +1,16 @@
+# Manage a ssh folder
+define nodo:subsystem::ssh::folder(
+ $home,
+ $owner,
+ $group,
+ $ensure = 'directory',
+) {
+ if !defined(File["${home}/.ssh"]) {
+ file { "${home}/.ssh":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0700,
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh/known_hosts.pp b/manifests/subsystem/ssh/known_hosts.pp
new file mode 100644
index 0000000..c20b973
--- /dev/null
+++ b/manifests/subsystem/ssh/known_hosts.pp
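Review bot: The `exec` in create_key.pp runs `ssh-keygen -t rsa -P ''` without a `-b` size, so the strength of the generated key depends on whichever ssh-keygen default each node ships; pinning it (`-b 4096`, or `-t ed25519` if every managed host's OpenSSH supports it) makes that explicit. The empty passphrase is what an unattended deployment key needs, but the reason belongs in a comment above the exec, e.g. `# Unattended key: no passphrase by design, protected by the 0700 folder and file ownership instead`. `${home}` and `${keyfile}` are also interpolated unquoted into the shell command, so a home path with a space breaks it; `-f '${home}/.ssh/${keyfile}'` is a cheap fix.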
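Review bot: The define on the second line of manifests/subsystem/ssh/folder.pp is spelled `nodo:subsystem::ssh::folder` with a single colon after `nodo`, which is not a valid namespaced name; config.pp, create_key.pp, known_hosts.pp and local_key.pp in this commit all declare `nodo::subsystem::ssh::folder`, so none of those resources will resolve. Fix: `define nodo::subsystem::ssh::folder(`. The `if !defined(File[...])` guard also deserves a one-line comment noting that several of the ssh defines may be declared for the same home and the first declaration wins, which is why the later ones cannot change ownership or mode.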
@@ -0,0 +1,58 @@
+# Manage known_hosts for a particular user
+define nodo::subsystem::ssh::known_host(
+ $owner,
+ $home = '/home/$owner',
+ $ssh_localhost_auth = false
+) {
+ nodo::subsystem::ssh::folder { "ssh_known_host-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # You can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh/local_key.pp b/manifests/subsystem/ssh/local_key.pp
new file mode 100644
index 0000000..f311ea3
--- /dev/null
+++ b/manifests/subsystem/ssh/local_key.pp
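Review bot: The new file is manifests/subsystem/ssh/known_hosts.pp but it defines `nodo::subsystem::ssh::known_host` (singular), so the autoloader cannot map the type name to the file; rename one side so they agree. Inside the body `$group` is passed to the folder and to the known_hosts `file`, but it is not a parameter of the define (it was already missing in the deleted ssh_known_hosts.pp), so depending on strict_variables it either aborts compilation or resolves to undef and the group is left unmanaged; add `$group,` after `$owner,`. The ecdsa block guards on `$::sshecdsakey` but interpolates `${::sshedsakey}`, which writes a `localhost ecdsa-sha2-nistp256` entry with an empty key when fingerprint mode is on; it should read `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The ssh-dss entry is worth a comment noting that DSA host keys are disabled by default in current OpenSSH, so that line may be dead on newer nodes.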
@@ -0,0 +1,43 @@
+# Manage local ssh keys
+define nodo::subsystem::ssh::local_key(
+ $owner = $name,
+ $group = $name,
+ $home = "/home/${owner}",
+ $source = "puppet:///ssh/${name}_id_rsa",
+ $dest = 'id_rsa',
+ $ensure = 'present',
+) {
+ nodo::subsystem::ssh::folder { "ssh_local_key-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ ensure => $ensure ? {
+ 'present' => 'directory',
+ default => 'absent',
+ },
+ }
+
+ file { "${home}/.ssh/${dest}":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0400,
+ source => $ensure ? {
+ 'present' => $source,
+ default => undef,
+ },
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/${dest}.pub":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0400,
+ source => $ensure ? {
+ 'present' => "${source}.pub",
+ default => undef,
+ },
+ require => File["${home}/.ssh"],
+ }
+}
diff --git a/manifests/subsystem/sysctl/entry.pp b/manifests/subsystem/sysctl/entry.pp
new file mode 100644
index 0000000..ddd6020
--- /dev/null
+++ b/manifests/subsystem/sysctl/entry.pp
@@ -0,0 +1,19 @@
+# Simple sysctl definition
+define nodo::subsystem::sysctl::entry(
+ $ensure = present,
+ $value
+) {
+ file { "/etc/sysctl.d/${name}.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => $ensure,
+ content => "$name = $value\n",
+ }
+
+ exec { "sysctl ${name}=${value}":
+ user => root,
+ subscribe => File["/etc/sysctl.d/${name}.conf"],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp
index 2003861..23cebb1 100644
--- a/manifests/vserver/instance.pp
+++ b/manifests/vserver/instance.pp
@@ -71,7 +71,7 @@ define nodo::vserver::instance(
 }
 # Create a munin virtual resource to be realized in the node
- @@munin_node { "${name}":
+ @@nodo::subsystem::monitor::munin { "${name}":
 port => $munin_port ? {
 false => "49$id",
 default => $munin_port,
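Review bot: In local_key.pp, any `$ensure` other than `'present'` is turned into `ensure => 'absent'` on the `nodo::subsystem::ssh::folder` declaration, so removing one local key would attempt to remove the user's whole `${home}/.ssh` directory, including config, known_hosts and other keys, rather than just `${dest}` and `${dest}.pub`. Removing a key should leave the directory alone: drop the four `ensure => $ensure ? { ... }` lines from the folder declaration so it keeps its `'directory'` default, and leave `$ensure` on the two `file` resources only. A header comment saying that `$source` points at a private key served from the puppet fileserver and that the `0400` mode is the reason both files are owner-only would also help the next maintainer.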
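Review bot: In sysctl/entry.pp the `exec` command `sysctl ${name}=${value}` is not fully qualified and sets no `path`, so unless a resource default for `Exec` elsewhere in the module supplies one, Puppet refuses to run it; add `path => '/sbin:/usr/sbin:/bin:/usr/bin',` to the exec (or call `/sbin/sysctl`). `$name` and `$value` are also interpolated unchecked into the file content and into that shell command, and the nas.pp caller passes a bare `100000`, so a guard such as `if "${value}" !~ /^[\w.\/-]+$/ { fail("sysctl entry ${name}: unexpected characters in value") }` at the top of the define keeps a stray hiera value from reaching the shell. `user => root` is a bareword where the file resource above uses the quoted `"root"`; pick one style for the file.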
@@ -79,7 +79,7 @@ define nodo::vserver::instance(
 }
 # Create a monkeysphere virtual resource to be realized in the node
- @@monkeysphere_host { "$name":
+ @@nodo::subsystem::monkeysphere { "$name":
 port => $monkeysphere_ssh_port ? {
 false => "22$id",
 default => $monkeysphere_ssh_port,
-- 
cgit v1.2.3