From 1b44048f33e795162212d2fdc77bcf0d9cdf0533 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Mon, 22 Mar 2010 22:11:47 -0300
Subject: Module organization

---
 manifests/subsystems/database.pp  |  21 ++++
 manifests/subsystems/firewall.pp  | 239 ++++++++++++++++++++++++++++++++++++++
 manifests/subsystems/firewire.pp  |  17 +++
 manifests/subsystems/initramfs.pp |  25 ++++
 manifests/subsystems/lsb.pp       |   4 +
 manifests/subsystems/motd.pp      |  17 +++
 manifests/subsystems/munin.pp     |  19 +++
 manifests/subsystems/sudo.pp      |  14 +++
 manifests/subsystems/sysctl.pp    |  16 +++
 manifests/subsystems/ups.pp       |  13 +++
 manifests/subsystems/utils.pp     |  75 ++++++++++++
 manifests/subsystems/websites.pp  | 127 ++++++++++++++++++++
 12 files changed, 587 insertions(+)
 create mode 100644 manifests/subsystems/database.pp
 create mode 100644 manifests/subsystems/firewall.pp
 create mode 100644 manifests/subsystems/firewire.pp
 create mode 100644 manifests/subsystems/initramfs.pp
 create mode 100644 manifests/subsystems/lsb.pp
 create mode 100644 manifests/subsystems/motd.pp
 create mode 100644 manifests/subsystems/munin.pp
 create mode 100644 manifests/subsystems/sudo.pp
 create mode 100644 manifests/subsystems/sysctl.pp
 create mode 100644 manifests/subsystems/ups.pp
 create mode 100644 manifests/subsystems/utils.pp
 create mode 100644 manifests/subsystems/websites.pp

(limited to 'manifests/subsystems')

diff --git a/manifests/subsystems/database.pp b/manifests/subsystems/database.pp
new file mode 100644
index 0000000..c2d1fc3
--- /dev/null
+++ b/manifests/subsystems/database.pp
@@ -0,0 +1,21 @@
+class database {
+  include mysql::server
+
+  # Database definitions
+  define instance($password) {
+    mysql_database { "$name":
+      ensure => present,
+    }
+
+    mysql_user { "$name@%":
+      password_hash => mysql_password($password),
+      ensure        => present,
+      require       => Mysql_database["$name"],
+    }
+
+    mysql_grant { "$name@%/$name":
+      privileges => all,
+      require    => Mysql_user["$name@%"],
+    }
+  }
+}
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/manifests/subsystems/firewall.pp
@@ -0,0 +1,239 @@
+# firewall definitions for physical servers
+class firewall {
+  include shorewall
+
+  $rfc1918 = $shorewall_dmz ? {
+    true    => true,
+    false   => false,
+    default => false,
+  }
+
+  #
+  # Interfaces
+  #
+  shorewall::interface { 'eth0':
+   zone    => '-',
+   rfc1918 => $rfc1918,
+  }
+
+  #
+  # Policy
+  #
+  shorewall::policy { 'vm-net':
+    sourcezone      => 'vm',
+    destinationzone => 'net', 
+    policy          => 'ACCEPT',
+    order           => '1',
+  }
+
+  shorewall::policy { 'fw-net':
+    sourcezone      => '$FW',
+    destinationzone => 'net',
+    policy          => 'ACCEPT',
+    order           => '2',
+  }
+
+  shorewall::policy { 'fw-vm':
+    sourcezone      => '$FW',
+    destinationzone => 'vm',
+    policy          => 'ACCEPT',
+    order           => '3',
+  }
+  
+  shorewall::policy { 'net-all':
+    sourcezone      => 'net',
+    destinationzone => 'all', 
+    policy          => 'DROP',
+    order           => '4',
+  }
+
+  shorewall::policy { 'all-all':
+    sourcezone      => 'all',
+    destinationzone => 'all',
+    policy          => 'REJECT',
+    order           => '5',
+  }
+
+  #
+  # Hosts
+  #
+  shorewall::host { "eth0-subnet":
+    name    =>  'eth0:192.168.0.0/24',
+    zone    => 'vm',
+    options => '',
+    order   => '1',
+  }
+
+  shorewall::host { "eth0":
+    name    => 'eth0:0.0.0.0/0',
+    zone    => 'net',
+    options => '',
+    order   => '2',
+  }
+
+  shorewall::masq { "eth0":
+    interface => 'eth0:!192.168.0.0/24',
+    source    => '192.168.0.0/24',
+    order     => '1',
+  }
+
+  #
+  # Rules
+  #
+  shorewall::rule { 'ssh':
+    action          => 'SSH/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '100',
+  }
+
+  shorewall::rule { 'ping':
+    action          => 'Ping/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '101',
+  }
+
+  shorewall::rule { 'http':
+    action          => 'HTTP/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '102',
+  }
+
+  shorewall::rule { 'https':
+    action          => 'HTTPS/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => '103',
+  }
+
+  $munin_port = $node_munin_port ? {
+    ''      => "4900",
+    default => "$node_munin_port",
+  }
+
+  shorewall::rule { "munin":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => "$munin_port",
+    ratelimit       => '-',
+    order           => "104",
+  }
+
+  #
+  # Zones
+  #
+  shorewall::zone { 'vm':
+    type  => 'ipv4',
+    order => '2',
+  }
+
+  shorewall::zone { 'net':
+    type  => 'ipv4',
+    order => '3',
+  }
+
+  #
+  # Traffic shapping
+  #
+  $in_bandwidth = $max_in_bandwidth ? {
+    ''      => "2mbit",
+    default => "$max_in_bandwidth",
+  }
+
+  $out_bandwidth = $max_out_bandwidth ? {
+    ''      => "2mbit",
+    default => "$max_out_bandwidth",
+  }
+
+  shorewall::tcdevices { "eth0":
+    in_bandwidth  => "$in_bandwidth",
+    out_bandwidth => "$out_bandwidth",
+  }
+
+  shorewall::tcrules { "ssh-tcp":
+    order       => "1",
+    source      => "0.0.0.0/0",
+    destination => "0.0.0.0/0", 
+    protocol    => "tcp",
+    ports       => "22",
+  }
+
+  shorewall::tcrules { "ssh-udp":
+    order       => "1",
+    source      => "0.0.0.0/0",
+    destination => "0.0.0.0/0", 
+    protocol    => "udp",
+    ports       => "22",
+  }
+
+  shorewall::tcclasses { "ssh":
+    order     => "1",
+    interface => "eth0",
+    rate      => "4*full/100",
+    ceil      => "full",
+    priority  => "1",
+  }
+
+  shorewall::tcclasses { "default":
+    order     => "2",
+    interface => "eth0",
+    rate      => "6*full/100",
+    ceil      => "full",
+    priority  => "2",
+    options   => "default",
+  }
+
+  #
+  # DMZ Configuration
+  #
+  if $shorewall_dmz {
+    shorewall::host { "eth0-dmz":
+      name    =>  'eth0:192.168.1.0/24',
+      zone    => 'dmz',
+      options => '',
+      order   => '3',
+    }
+  
+    shorewall::policy { 'dmz-all':
+      sourcezone      => 'dmz',
+      destinationzone => 'all',
+      policy          => 'ACCEPT',
+      order           => '6',
+    }
+  
+    shorewall::policy { 'vm-dmz':
+      sourcezone      => 'vm',
+      destinationzone => 'dmz',
+      policy          => 'ACCEPT',
+      order           => '7',
+    }
+  
+    shorewall::policy { 'fw-dmz':
+      sourcezone      => '$FW',
+      destinationzone => 'dmz',
+      policy          => 'ACCEPT',
+      order           => '8',
+    }
+  
+    shorewall::zone { 'dmz':
+      type  => 'ipv4',
+      order => '4',
+    }
+  }
+}
diff --git a/manifests/subsystems/firewire.pp b/manifests/subsystems/firewire.pp
new file mode 100644
index 0000000..1c9609a
--- /dev/null
+++ b/manifests/subsystems/firewire.pp
@@ -0,0 +1,17 @@
+class firewire {
+  # keep firewire disabled
+  # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
+  file { "/etc/modprobe.d/blacklist":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+    source  => "puppet://$server/modules/nodo/etc/modprobe.d/blacklist",
+  }
+
+  # make sure ohci1394 is not loaded
+  exec { "rmmod ohci1394":
+    unless  => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+    user    => "root",
+  }
+}
diff --git a/manifests/subsystems/initramfs.pp b/manifests/subsystems/initramfs.pp
new file mode 100644
index 0000000..3b37f65
--- /dev/null
+++ b/manifests/subsystems/initramfs.pp
@@ -0,0 +1,25 @@
+class initramfs {
+  # initramfs config
+  file { "/etc/kernel-img.conf":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+    content => "do_initrd = Yes\n",
+  }
+
+  # initramfs config
+  file { "/etc/initramfs-tools/modules":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+    source  => "puppet://$server/modules/nodo/etc/initramfs-tools/modules",
+  }
+
+  # update initramfs when needed
+  exec { "update-initramfs -v -u":
+    subscribe   => [ File["/etc/initramfs-tools/modules"], File["/etc/modprobe.d/blacklist"] ],
+    refreshonly => true,
+  }
+}
diff --git a/manifests/subsystems/lsb.pp b/manifests/subsystems/lsb.pp
new file mode 100644
index 0000000..4516470
--- /dev/null
+++ b/manifests/subsystems/lsb.pp
@@ -0,0 +1,4 @@
+class lsb {
+  package { "lsb-release": ensure => installed, }
+  include assert_lsbdistcodename
+}
diff --git a/manifests/subsystems/motd.pp b/manifests/subsystems/motd.pp
new file mode 100644
index 0000000..c8029bf
--- /dev/null
+++ b/manifests/subsystems/motd.pp
@@ -0,0 +1,17 @@
+class motd {
+  # http://projects.reductivelabs.com/issues/1915
+  file { "/var/run/motd":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => file,
+    content => "This is $fqdn from the $network_name.\n",
+  }
+
+  file { "/etc/motd":
+     owner   => "root",
+     group   => "root",
+     ensure  => "/var/run/motd",
+     require => File["/var/run/motd"],
+  }
+}
diff --git a/manifests/subsystems/munin.pp b/manifests/subsystems/munin.pp
new file mode 100644
index 0000000..2e32117
--- /dev/null
+++ b/manifests/subsystems/munin.pp
@@ -0,0 +1,19 @@
+# Define a munin node
+define munin_node($port = '4949') {
+
+  case $global_munin_allow {
+    '': { fail("Please set \$global_munin_allow in your site config") }
+  }
+
+  $munin_allow = $node_munin_allow ? {
+    ''      => "$global_munin_allow",
+    default => "$node_munin_allow",
+  }
+
+  $munin_port = $node_munin_port ? {
+    ''      => "$port",
+    default => "$node_munin_port",
+  }
+
+  include munin::client
+}
diff --git a/manifests/subsystems/sudo.pp b/manifests/subsystems/sudo.pp
new file mode 100644
index 0000000..c5679fd
--- /dev/null
+++ b/manifests/subsystems/sudo.pp
@@ -0,0 +1,14 @@
+class sudo {
+
+  package { "sudo":
+    ensure => "present",
+  }
+
+  file { "/etc/sudoers":
+    source  => "puppet://$server/modules/nodo/etc/sudoers",
+    owner   => "root",
+    group   => "root",
+    mode    => 440,
+    require => Package["sudo"],
+  }
+}
diff --git a/manifests/subsystems/sysctl.pp b/manifests/subsystems/sysctl.pp
new file mode 100644
index 0000000..3bd028c
--- /dev/null
+++ b/manifests/subsystems/sysctl.pp
@@ -0,0 +1,16 @@
+class sysctl {
+  # root exploit fix, see http://wiki.debian.org/mmap_min_addr
+  # TODO: remove in the future or use a sysctl puppet module
+  file { "/etc/sysctl.d/mmap_min_addr.conf":
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    ensure  => present,
+    content => "vm.mmap_min_addr = 4096\n",
+  }
+
+  exec { "/etc/init.d/procps restart":
+    subscribe   => File["/etc/sysctl.d/mmap_min_addr.conf"],
+    refreshonly => true,
+  }
+}
diff --git a/manifests/subsystems/ups.pp b/manifests/subsystems/ups.pp
new file mode 100644
index 0000000..558941e
--- /dev/null
+++ b/manifests/subsystems/ups.pp
@@ -0,0 +1,13 @@
+class ups {
+  include apcupsd
+
+  case $has_ups {
+    true: {
+      apcupsd::ups { "ups0":
+        upstype => 'usb',
+        cable   => 'usb',
+        device  => '/dev/usb/hiddev0',
+      }
+    }
+  }
+}
diff --git a/manifests/subsystems/utils.pp b/manifests/subsystems/utils.pp
new file mode 100644
index 0000000..92061eb
--- /dev/null
+++ b/manifests/subsystems/utils.pp
@@ -0,0 +1,75 @@
+# Common utilities
+class utils {
+  package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip' ]:
+    ensure => installed,
+  }
+}
+
+# Common utilities for physical
+class utils::physical {
+  package { 'nload':
+    ensure => installed,
+  }
+}
+
+# Common utilities for storage
+class utils::storage {
+  package { 'clamav':
+    ensure => installed,
+  }
+}
+
+# Common utilities for web
+class utils::web {
+  package { 'ffmpeg':
+    ensure => installed,
+  }
+}
+
+# Common utilities for desktop
+class utils::desktop {
+  # Package dosemu used because of the pcf fonts
+  package { [ 'awesome',           'alsa-tools-gui', 'mutt',
+              'irssi',             'offlineimap',    'wyrd',
+              'mp3blaster',        'iceweasel',      'eterm',
+              'libpam-mount',      'locales',        'fluxbox',
+              'gdm',               'ecryptfs-utils', 'newsbeuter',
+              'bitlbee',           'nicotine',       'silc',
+              'irssi-plugin-silc', 'conky',          'rxvt',
+              'vim-gtk',           'gobby',          'bogofilter',
+              'gnupg-agent',       'xterm',          'bash-completion',
+              'fetchmail',         'dosemu',         'xfonts-terminus',
+              'gnumeric',          'alsa-utils',     'sc',
+              'gawk',              'telnet',         'fpm',
+              'procmail',          'msmtp',          'netpbm',
+              'gqview',            'antiword',       'mairix',
+              'whois',             'mozilla-plugin-gnash' ]:
+    ensure => installed,
+  }
+
+  # Gem packages
+  package { 'capistrano':
+    ensure   => installed,
+    provider => gem,
+    require  => Package['rubygems'],
+  }
+
+  if !defined(Package['git-core']) {
+    package { 'git-core':
+      ensure => installed,
+    }
+  }
+
+  if !defined(Package['ruby']) {
+    package { 'ruby':
+      ensure => installed,
+    }
+  }
+
+  if !defined(Package['rubygems']) {
+    package { 'rubygems':
+      ensure  => installed,
+      require => Package['ruby'],
+    }
+  }
+}
diff --git a/manifests/subsystems/websites.pp b/manifests/subsystems/websites.pp
new file mode 100644
index 0000000..b688860
--- /dev/null
+++ b/manifests/subsystems/websites.pp
@@ -0,0 +1,127 @@
+class websites::setup {
+  # Configure Apache Web Server
+  $apache_www_folder   = "/var/www/data"
+  $apache_error_folder = "/var/www/error"
+  $apache_sites_folder = "/var/sites"
+  $apache_error_dest   = "http://${domain}/missing.html"
+  $drupal_folder       = "${apache_www_folder}/drupal"
+
+  $default_vhost = $apache_server_name ? {
+    ''      => $hostname,
+    default => $apache_server_name,
+  }
+
+  # Include apache
+  include apache
+
+  # The needed apache modules
+  apache::module { "rewrite":
+    ensure  => present,
+  }
+
+  # The needed apache modules
+  apache::module { "alias":
+    ensure  => present,
+  }
+
+  # Images folder
+  file { "${apache_www_folder}/images":
+    ensure  => directory,
+    recurse => true,
+    purge   => true,
+    force   => true,
+    owner   => "root",
+    group   => "root",
+    # This mode will also apply to files from the source directory
+    mode    => 0644,
+    # Puppet will automatically set +x for directories
+    source  => "puppet://$server/files/apache/htdocs/images",
+  }
+
+  # Web index
+  file { "${apache_www_folder}/index.html":
+    ensure  => present,
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    source  => "puppet://$server/files/apache/htdocs/index.html",
+  }
+
+  # Missing page
+  file { "${apache_www_folder}/missing.html":
+    ensure  => present,
+    owner   => "root",
+    group   => "root",
+    mode    => 0644,
+    source  => "puppet://$server/files/apache/htdocs/missing.html",
+  }
+
+  # Default vhost: can just be applied on the defining host
+  apache::site { "$default_vhost":
+    server_alias => "$domain",
+    docroot      => "${apache_www_folder}",
+  }
+
+  # We have to use 'zzz-error' so it will be the last matched vhost
+  apache::site { "error":
+    template       => 'apache/error.erb',
+    docroot        => "${apache_error_folder}",
+    filename       => 'zzz-error',
+  }
+
+  # Index page for error
+  file { "${apache_error_folder}/index.html":
+    ensure  => "${apache_www_folder}/index.html",
+    owner   => "root",
+    group   => "root",
+    force   => true,
+    require => File["$apache_error_folder"],
+  }
+
+  # TODO: this is temporary: remove when all nodes have applied it
+  # We have to use 'zzz-erro' so it will be the last matched vhost
+  apache::site { "erro":
+    ensure         => absent,
+    docroot        => '/var/www/erro',
+    filename       => 'zzz-erro',
+  }
+
+  # TODO: this is temporary: remove when all nodes have applied it
+  file { "/var/www/erro":
+    ensure  => absent,
+    recurse => true,
+    force   => true,
+  }
+
+  # TODO: this is temporary: remove when all nodes have applied it
+  # Index page for erro
+  file { "/var/www/erro/index.html":
+    ensure  => absent,
+    owner   => "root",
+    group   => "root",
+    force   => true,
+  }
+
+  # TODO: this is temporary: remove when all nodes have applied it
+  file { "/var/www/erro/missing.html":
+    ensure  => absent,
+  }
+}
+
+class websites::hosting inherits websites::setup {
+  # Include the needed classes for website hosting
+  include php
+  include drupal
+  include gitweb
+  include trac
+  include websvn
+  include moin
+  include ikiwiki
+  include pmwiki
+}
+
+class websites::hosting::admin inherits websites::setup {
+  # Include the needed classes for admin interfaces
+  include trac
+  include gitweb
+}
-- 
cgit v1.2.3