From 76ec4642be1a8bc64380c077a5890c4d0f4243e0 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Fri, 11 Sep 2015 21:16:42 -0300
Subject: Autoload definitions
---
manifests/subsystem/monitor/munin.pp | 27 ++++++++++++++++
manifests/subsystem/monkeysphere.pp | 20 ++++++++++++
manifests/subsystem/ssh/config.pp | 35 ++++++++++++++++++++
manifests/subsystem/ssh/create_key.pp | 20 ++++++++++++
manifests/subsystem/ssh/folder.pp | 16 ++++++++++
manifests/subsystem/ssh/known_hosts.pp | 58 ++++++++++++++++++++++++++++++++++
manifests/subsystem/ssh/local_key.pp | 43 +++++++++++++++++++++++++
manifests/subsystem/sysctl/entry.pp | 19 +++++++++++
8 files changed, 238 insertions(+)
create mode 100644 manifests/subsystem/monitor/munin.pp
create mode 100644 manifests/subsystem/monkeysphere.pp
create mode 100644 manifests/subsystem/ssh/config.pp
create mode 100644 manifests/subsystem/ssh/create_key.pp
create mode 100644 manifests/subsystem/ssh/folder.pp
create mode 100644 manifests/subsystem/ssh/known_hosts.pp
create mode 100644 manifests/subsystem/ssh/local_key.pp
create mode 100644 manifests/subsystem/sysctl/entry.pp
(limited to 'manifests/subsystem')
diff --git a/manifests/subsystem/monitor/munin.pp b/manifests/subsystem/monitor/munin.pp
new file mode 100644
index 0000000..aa70c2f
--- /dev/null
+++ b/manifests/subsystem/monitor/munin.pp
@@ -0,0 +1,27 @@
+# Define a munin node
+define nodo::sybsystem::monitor::munin(
+ $port = hiera('nodo::munin_node::port', '4949'),
+ $allow = hiera('nodo::munin_node::allow', ''),
+ $host = hiera('nodo::munin_node::host', $::fqdn),
+ $listen = hiera('nodo::munin_node::listen', '*'),
+ $config = hiera('nodo::munin_node::config', [ 'use_node_name yes', 'load.load.warning 5', 'load.load.critical 10' ])
+) {
+
+ case $allow {
+ '': { fail("Please set nodo::munin_node::allow in your config") }
+ }
+
+ package { "munin-plugins-extra":
+ ensure => "present",
+ }
+
+ class { 'munin::client':
+ port => $port,
+ allow => $allow,
+ host => $host,
+ listen => $listen,
+ config => $config,
+ }
+
+ munin::plugin { apt_all: ensure => present; }
+}
diff --git a/manifests/subsystem/monkeysphere.pp b/manifests/subsystem/monkeysphere.pp
new file mode 100644
index 0000000..c09effe
--- /dev/null
+++ b/manifests/subsystem/monkeysphere.pp
@@ -0,0 +1,20 @@
+define nodo::subsystem::monkeysphere(
+ $port = hiera('nodo::monkeysphere_host::ssh_port', ''),
+ $mail_recipient = hiera('mail::root_mail_recipient', 'nobody')
+) {
+ include monkeysphere
+
+ # Ensure the server's ssh key is imported into your monkeysphere key ring
+ monkeysphere::import_key { "ssh":
+ port => $port,
+ }
+
+ # TODO
+ # Currently we don't have a defined policy regarding whether
+ # to publish all our node keys to public keyservers, so leave
+ # automatic publishing disabled for now.
+ #monkeysphere::publish_server_keys { }
+
+ # Email the server key
+ monkeysphere::email_server_keys { "$mail_recipient": }
+}
diff --git a/manifests/subsystem/ssh/config.pp b/manifests/subsystem/ssh/config.pp
new file mode 100644
index 0000000..6c9fbc3
--- /dev/null
+++ b/manifests/subsystem/ssh/config.pp
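Review bot: The define is named `nodo::sybsystem::monitor::munin` while the file is `manifests/subsystem/monitor/munin.pp`, so the autoloader this commit exists to enable will never find it under the name callers use; the header should read `define nodo::subsystem::monitor::munin(`. The `case $allow` guard rejects only the empty string, so any non-empty hiera value is passed to `munin::client` as the allowed-client pattern unchecked; a one-line comment next to the guard saying that `allow` is expected to be an anchored munin-node regex (not a hostname) would help whoever fills in the hiera key. `munin::plugin { apt_all: ... }` uses a bareword title where the rest of the file quotes titles; `'apt_all'` keeps the style consistent.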
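Review bot: No resource title inside `nodo::subsystem::monkeysphere` incorporates `$name` (`monkeysphere::import_key { "ssh": }` and `monkeysphere::email_server_keys { "$mail_recipient": }`), so a second declaration of this define under another title fails with duplicate resources; if it is meant to be declared once per node a class says that directly, otherwise fold `${name}` into the titles. `"$mail_recipient"` is a string that contains only a variable; the unquoted `$mail_recipient` is the idiomatic title. The `$port` default of `''` is handed straight to `monkeysphere::import_key`; whether an empty port is accepted there depends on that define, which is outside this patch, so a comment on the parameter stating the intended meaning of `''` would help.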
@@ -0,0 +1,35 @@
+# Manage ssh config for a particular user
+define nodo::subsystem::ssh::config(
+ $owner,
+ $group,
+ $home = '/home/$owner',
+ $ssh_localhost_auth = false
+) {
+ nodo::subsystem::ssh::folder { "ssh-config-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ default => absent,
+ },
+ }
+}
diff --git a/manifests/subsystem/ssh/create_key.pp b/manifests/subsystem/ssh/create_key.pp
new file mode 100644
index 0000000..881ddda
--- /dev/null
+++ b/manifests/subsystem/ssh/create_key.pp
@@ -0,0 +1,20 @@
+define nodo::subsystem::ssh::create_key(
+ $owner,
+ $group,
+ $keyfile = 'id_rsa',
+ $home = '/home/$owner'
+) {
+ nodo::subsystem::ssh::folder { "ssh_create_key-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ exec { "ssh-keygen-${owner}":
+ command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}",
+ creates => "${home}/.ssh/${keyfile}",
+ user => $owner,
+ group => $group,
+ require => File["${home}/.ssh"],
+ }
+}
diff --git a/manifests/subsystem/ssh/folder.pp b/manifests/subsystem/ssh/folder.pp
new file mode 100644
index 0000000..462f8fb
--- /dev/null
+++ b/manifests/subsystem/ssh/folder.pp
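Review bot: `$home = '/home/$owner'` is single-quoted, so Puppet does not interpolate `$owner` and every path in this define is built under the literal directory `/home/$owner`; it should be `$home = "/home/${owner}",`. The same single-quoted default appears in the create_key hunk on this line and in the known_hosts hunk. The `line` title `'NoHostAuthenticationForLocalhost-${owner}'` has the same problem, so two users declared on one node collide on an identical title — `"NoHostAuthenticationForLocalhost-${owner}"` fixes that. Because `NoHostAuthenticationForLocalhost yes` turns off host-key verification for localhost connections, only enabling it for `'auto'` is the right default; a short comment on the selector stating that `false` and `'fingerprint'` both leave the option absent would make the contract explicit.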
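Review bot: The `exec { "ssh-keygen-${owner}": ... }` command is the unqualified `ssh-keygen ...` and no `path` is given, which Puppet refuses to run; add `path => ['/usr/bin', '/bin'],` or spell the binary as `/usr/bin/ssh-keygen`. The key is created without a passphrase (`-P ''`) and with ssh-keygen's default RSA size; if unattended use is the intent, a comment saying so and an explicit `-b` size on the command line would document the choice rather than leave it to the tool's default. `$home = '/home/$owner'` carries the single-quote interpolation defect raised on the config hunk.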
@@ -0,0 +1,16 @@
+# Manage a ssh folder
+define nodo:subsystem::ssh::folder(
+ $home,
+ $owner,
+ $group,
+ $ensure = 'directory',
+) {
+ if !defined(File["${home}/.ssh"]) {
+ file { "${home}/.ssh":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0700,
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh/known_hosts.pp b/manifests/subsystem/ssh/known_hosts.pp
new file mode 100644
index 0000000..c20b973
--- /dev/null
+++ b/manifests/subsystem/ssh/known_hosts.pp
@@ -0,0 +1,58 @@
+# Manage known_hosts for a particular user
+define nodo::subsystem::ssh::known_host(
+ $owner,
+ $home = '/home/$owner',
+ $ssh_localhost_auth = false
+) {
+ nodo::subsystem::ssh::folder { "ssh_known_host-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # You can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ default => undef,
+ },
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh/local_key.pp b/manifests/subsystem/ssh/local_key.pp
new file mode 100644
index 0000000..f311ea3
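Review bot: The header `define nodo:subsystem::ssh::folder(` has a single colon after `nodo`, which is not a valid namespaced name; the config, create_key, known_hosts and local_key hunks all declare `nodo::subsystem::ssh::folder`, so none of them resolve until it reads `define nodo::subsystem::ssh::folder(`. The `if !defined(File["${home}/.ssh"])` guard means whichever caller is evaluated first decides `owner`, `group` and `ensure` for the directory and later callers with different values are silently ignored; a comment on that line saying so would save the next maintainer a surprise. `mode => 0700` is the right permission for a user's `.ssh` directory, and is worth a short comment since the `$ensure` parameter also allows the directory to be removed.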
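Review bot: The file is `known_hosts.pp` but the define is `nodo::subsystem::ssh::known_host`, so the autoloader will not find it; rename it to `define nodo::subsystem::ssh::known_hosts(`. `$group` is passed to the folder and `file` resources but is not a parameter of this define, so it resolves to undef (or fails under strict variables) — add `$group,` to the parameter list. In the ecdsa branch the guard tests `$::sshecdsakey` but the line interpolates `${::sshedsakey}`, so the written entry would be `localhost ecdsa-sha2-nistp256 ` followed by nothing; it should be `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The three `line` titles are single-quoted like the one in the config hunk and will not interpolate `${owner}`, and `$home = '/home/$owner'` has the same single-quote defect.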
--- /dev/null
+++ b/manifests/subsystem/ssh/local_key.pp
@@ -0,0 +1,43 @@
+# Manage local ssh keys
+define nodo::subsystem::ssh::local_key(
+ $owner = $name,
+ $group = $name,
+ $home = "/home/${owner}",
+ $source = "puppet:///ssh/${name}_id_rsa",
+ $dest = 'id_rsa',
+ $ensure = 'present',
+) {
+ nodo::subsystem::ssh::folder { "ssh_local_key-${name}":
+ home => $home,
+ owner => $owner,
+ group => $group,
+ ensure => $ensure ? {
+ 'present' => 'directory',
+ default => 'absent',
+ },
+ }
+
+ file { "${home}/.ssh/${dest}":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0400,
+ source => $ensure ? {
+ 'present' => $source,
+ default => undef,
+ },
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/${dest}.pub":
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ mode => 0400,
+ source => $ensure ? {
+ 'present' => "${source}.pub",
+ default => undef,
+ },
+ require => File["${home}/.ssh"],
+ }
+}
diff --git a/manifests/subsystem/sysctl/entry.pp b/manifests/subsystem/sysctl/entry.pp
new file mode 100644
index 0000000..ddd6020
--- /dev/null
+++ b/manifests/subsystem/sysctl/entry.pp
@@ -0,0 +1,19 @@
+# Simple sysctl definition
+define nodo::subsystem::sysctl::entry(
+ $ensure = present,
+ $value
+) {
+ file { "/etc/sysctl.d/${name}.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => $ensure,
+ content => "$name = $value\n",
+ }
+
+ exec { "sysctl ${name}=${value}":
+ user => root,
+ subscribe => File["/etc/sysctl.d/${name}.conf"],
+ refreshonly => true,
+ }
+}
--
cgit v1.2.3
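Review bot: The private key is served from `puppet:///ssh/${name}_id_rsa`, so every agent that the `ssh` mount in the master's fileserver.conf admits can fetch any user's private key simply by asking for that path; the mount should be restricted per node, or the source moved under a node-specific prefix — fileserver.conf is not part of this patch, so treat this as a question to confirm rather than a finding. When `$ensure` is `'absent'` the folder is declared with `ensure => 'absent'` on `${home}/.ssh`, and a `file` resource does not remove a non-empty directory without `force => true`, so that path is likely to fail whenever the config or known_hosts defines also manage files there. `mode => 0400` on the `.pub` file is stricter than a public key needs; harmless, but a one-line comment on why both files share the private-key mode would stop a reader from "fixing" it.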
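Review bot: `exec { "sysctl ${name}=${value}": ... }` runs its title as the command with an unqualified `sysctl` and no `path`, which Puppet rejects; either add `path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],` or give `command => "/sbin/sysctl -w ${name}=${value}",` (`-w` is still required by older procps builds). `${name}` is interpolated into `/etc/sysctl.d/${name}.conf` and `${value}` into the command, so a caller-supplied title containing `/` or `..`, or a value containing whitespace, changes where the file lands or what the exec runs; an anchored regex check on both at the top of the define, or at least a comment stating that callers pass only literal `key` and `value` tokens, would pin that contract. With `ensure => absent` the file is removed but the subscribed exec still applies `${value}` to the running kernel, which is probably not what a removal intends and deserves either a guard or a comment.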