From fe1c86b8f938283e9dd8196a8b11a9648f4b49e6 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Fri, 12 Apr 2013 17:09:03 -0300 Subject: Major refactor --- manifests/appliance.pp | 6 +- manifests/defines/monkeysphere_host.pp | 20 ++ manifests/defines/munin_client.pp | 21 ++ manifests/defines/ssh_config.pp | 26 ++ manifests/defines/ssh_create_key.pp | 11 + manifests/defines/ssh_known_hosts.pp | 50 +++ manifests/desktop.pp | 14 +- manifests/dns.pp | 3 - manifests/host.pp | 16 +- manifests/init.pp | 106 +----- manifests/jabber.pp | 36 -- manifests/kvm.pp | 6 +- manifests/laptop.pp | 14 +- manifests/mail.pp | 3 - manifests/master.pp | 60 ---- manifests/mumble.pp | 3 - manifests/nas.pp | 233 ------------- manifests/nas/share.pp | 2 +- manifests/nodo.pp | 22 +- manifests/personal.pp | 43 --- manifests/physical.pp | 3 +- manifests/plug.pp | 10 +- manifests/proxy.pp | 3 - manifests/role/dns.pp | 3 + manifests/role/jabber.pp | 36 ++ manifests/role/mail.pp | 3 + manifests/role/master.pp | 60 ++++ manifests/role/mumble.pp | 3 + manifests/role/nas.pp | 233 +++++++++++++ manifests/role/personal.pp | 43 +++ manifests/role/proxy.pp | 3 + manifests/role/router.pp | 25 ++ manifests/role/storage.pp | 3 + manifests/role/test.pp | 3 + manifests/role/tor.pp | 4 + manifests/role/web.pp | 49 +++ manifests/role/webdev.pp | 5 + manifests/role/webdev/desktop.pp | 3 + manifests/role/webdev/laptop.pp | 3 + manifests/role/yacy.pp | 34 ++ manifests/server.pp | 6 +- manifests/storage.pp | 3 - manifests/subsystem/crypttab.pp | 15 + manifests/subsystem/dhclient.pp | 17 + manifests/subsystem/firewire.pp | 8 + manifests/subsystem/fstab.pp | 15 + manifests/subsystem/gdm.pp | 66 ++++ manifests/subsystem/gdm/disabled.pp | 18 + manifests/subsystem/gdm3.pp | 20 ++ manifests/subsystem/hosts.pp | 60 ++++ manifests/subsystem/initramfs.pp | 39 +++ manifests/subsystem/keyboard.pp | 22 ++ manifests/subsystem/locales.pp | 28 ++ manifests/subsystem/media/folders.pp | 32 ++ manifests/subsystem/media/groups.pp | 5 + manifests/subsystem/modprobe.pp | 28 ++ 
manifests/subsystem/monitor.pp | 26 ++ manifests/subsystem/motd.pp | 19 ++ manifests/subsystem/mount.pp | 15 + manifests/subsystem/pam.pp | 40 +++ manifests/subsystem/profile.pp | 46 +++ manifests/subsystem/resolver.pp | 27 ++ manifests/subsystem/ssh_folder.pp | 11 + manifests/subsystem/sudo.pp | 14 + manifests/subsystem/sysctl.pp | 55 ++++ manifests/subsystem/ups.pp | 26 ++ manifests/subsystem/xorg.pp | 13 + manifests/subsystems/crypttab.pp | 15 - manifests/subsystems/database.pp | 52 --- manifests/subsystems/dhclient.pp | 17 - manifests/subsystems/domain.pp | 39 --- manifests/subsystems/firewall.pp | 208 ------------ manifests/subsystems/firewall/local.pp | 47 --- manifests/subsystems/firewall/mpd.pp | 21 -- manifests/subsystems/firewall/nas.pp | 152 --------- manifests/subsystems/firewall/openvpn.pp | 36 -- manifests/subsystems/firewall/ppp.pp | 31 -- manifests/subsystems/firewall/printer.pp | 21 -- manifests/subsystems/firewall/redirect.pp | 14 - manifests/subsystems/firewall/router.pp | 401 ----------------------- manifests/subsystems/firewall/torrent.pp | 21 -- manifests/subsystems/firewall/ups.pp | 11 - manifests/subsystems/firewall/vserver.pp | 524 ------------------------------ manifests/subsystems/firewall/wifi.pp | 50 --- manifests/subsystems/firewire.pp | 9 - manifests/subsystems/fstab.pp | 15 - manifests/subsystems/gdm.pp | 85 ----- manifests/subsystems/gdm3.pp | 20 -- manifests/subsystems/hosts.pp | 60 ---- manifests/subsystems/initramfs.pp | 39 --- manifests/subsystems/keyboard.pp | 22 -- manifests/subsystems/locales.pp | 28 -- manifests/subsystems/media.pp | 38 --- manifests/subsystems/modprobe.pp | 28 -- manifests/subsystems/monitor.pp | 26 -- manifests/subsystems/monkeysphere.pp | 20 -- manifests/subsystems/motd.pp | 19 -- manifests/subsystems/mount.pp | 15 - manifests/subsystems/munin.pp | 21 -- manifests/subsystems/onion.pp | 54 --- manifests/subsystems/pam.pp | 40 --- manifests/subsystems/profile.pp | 46 --- manifests/subsystems/resolver.pp | 
27 -- manifests/subsystems/schroot.pp | 26 -- manifests/subsystems/ssh.pp | 101 ------ manifests/subsystems/sudo.pp | 15 - manifests/subsystems/sysctl.pp | 55 ---- manifests/subsystems/tunnel.pp | 148 --------- manifests/subsystems/ups.pp | 26 -- manifests/subsystems/utils.pp | 36 -- manifests/subsystems/utils/debian.pp | 17 - manifests/subsystems/utils/desktop.pp | 6 - manifests/subsystems/utils/development.pp | 28 -- manifests/subsystems/utils/dns.pp | 5 - manifests/subsystems/utils/firmware.pp | 11 - manifests/subsystems/utils/hamradio.pp | 5 - manifests/subsystems/utils/interface.pp | 30 -- manifests/subsystems/utils/java.pp | 18 - manifests/subsystems/utils/laptop.pp | 45 --- manifests/subsystems/utils/multimedia.pp | 67 ---- manifests/subsystems/utils/network.pp | 146 --------- manifests/subsystems/utils/office.pp | 29 -- manifests/subsystems/utils/personal.pp | 20 -- manifests/subsystems/utils/physical.pp | 13 - manifests/subsystems/utils/plug.pp | 6 - manifests/subsystems/utils/ruby.pp | 45 --- manifests/subsystems/utils/security.pp | 13 - manifests/subsystems/utils/storage.pp | 12 - manifests/subsystems/utils/tor.pp | 5 - manifests/subsystems/utils/web.pp | 10 - manifests/subsystems/websites.pp | 151 --------- manifests/subsystems/xorg.pp | 13 - manifests/test.pp | 3 - manifests/tor.pp | 4 - manifests/utils.pp | 36 ++ manifests/utils/desktop.pp | 6 + manifests/utils/development.pp | 15 + manifests/utils/development/virtual.pp | 12 + manifests/utils/dns.pp | 5 + manifests/utils/firmware.pp | 5 + manifests/utils/firmware/iwlwifi.pp | 6 + manifests/utils/firmware/realtek.pp | 5 + manifests/utils/grub.pp | 5 + manifests/utils/hamradio.pp | 5 + manifests/utils/interface.pp | 30 ++ manifests/utils/java.pp | 18 + manifests/utils/laptop.pp | 9 + manifests/utils/laptop/debian.pp | 35 ++ manifests/utils/microcode/intel.pp | 8 + manifests/utils/multimedia.pp | 48 +++ manifests/utils/multimedia/mediacenter.pp | 5 + manifests/utils/multimedia/ripper.pp | 6 + 
manifests/utils/multimedia/studio.pp | 5 + manifests/utils/network.pp | 80 +++++ manifests/utils/network/analyzer.pp | 5 + manifests/utils/network/irssi.pp | 23 ++ manifests/utils/network/minimal.pp | 17 + manifests/utils/network/nfs.pp | 5 + manifests/utils/network/samba.pp | 5 + manifests/utils/network/torrent.pp | 5 + manifests/utils/office.pp | 29 ++ manifests/utils/personal.pp | 9 + manifests/utils/personal/bundle.pp | 10 + manifests/utils/personal/debian.pp | 17 + manifests/utils/physical.pp | 13 + manifests/utils/plug.pp | 6 + manifests/utils/ruby.pp | 45 +++ manifests/utils/security.pp | 13 + manifests/utils/storage.pp | 6 + manifests/utils/storage/archive.pp | 5 + manifests/utils/thinkpad.pp | 16 + manifests/utils/tor.pp | 5 + manifests/utils/touchpad.pp | 6 + manifests/utils/web.pp | 10 + manifests/web.pp | 49 --- manifests/yacy.pp | 34 -- 176 files changed, 1953 insertions(+), 4003 deletions(-) create mode 100644 manifests/defines/monkeysphere_host.pp create mode 100644 manifests/defines/munin_client.pp create mode 100644 manifests/defines/ssh_config.pp create mode 100644 manifests/defines/ssh_create_key.pp create mode 100644 manifests/defines/ssh_known_hosts.pp delete mode 100644 manifests/dns.pp delete mode 100644 manifests/jabber.pp delete mode 100644 manifests/mail.pp delete mode 100644 manifests/master.pp delete mode 100644 manifests/mumble.pp delete mode 100644 manifests/nas.pp delete mode 100644 manifests/personal.pp delete mode 100644 manifests/proxy.pp create mode 100644 manifests/role/dns.pp create mode 100644 manifests/role/jabber.pp create mode 100644 manifests/role/mail.pp create mode 100644 manifests/role/master.pp create mode 100644 manifests/role/mumble.pp create mode 100644 manifests/role/nas.pp create mode 100644 manifests/role/personal.pp create mode 100644 manifests/role/proxy.pp create mode 100644 manifests/role/router.pp create mode 100644 manifests/role/storage.pp create mode 100644 manifests/role/test.pp create mode 100644 
manifests/role/tor.pp create mode 100644 manifests/role/web.pp create mode 100644 manifests/role/webdev.pp create mode 100644 manifests/role/webdev/desktop.pp create mode 100644 manifests/role/webdev/laptop.pp create mode 100644 manifests/role/yacy.pp delete mode 100644 manifests/storage.pp create mode 100644 manifests/subsystem/crypttab.pp create mode 100644 manifests/subsystem/dhclient.pp create mode 100644 manifests/subsystem/firewire.pp create mode 100644 manifests/subsystem/fstab.pp create mode 100644 manifests/subsystem/gdm.pp create mode 100644 manifests/subsystem/gdm/disabled.pp create mode 100644 manifests/subsystem/gdm3.pp create mode 100644 manifests/subsystem/hosts.pp create mode 100644 manifests/subsystem/initramfs.pp create mode 100644 manifests/subsystem/keyboard.pp create mode 100644 manifests/subsystem/locales.pp create mode 100644 manifests/subsystem/media/folders.pp create mode 100644 manifests/subsystem/media/groups.pp create mode 100644 manifests/subsystem/modprobe.pp create mode 100644 manifests/subsystem/monitor.pp create mode 100644 manifests/subsystem/motd.pp create mode 100644 manifests/subsystem/mount.pp create mode 100644 manifests/subsystem/pam.pp create mode 100644 manifests/subsystem/profile.pp create mode 100644 manifests/subsystem/resolver.pp create mode 100644 manifests/subsystem/ssh_folder.pp create mode 100644 manifests/subsystem/sudo.pp create mode 100644 manifests/subsystem/sysctl.pp create mode 100644 manifests/subsystem/ups.pp create mode 100644 manifests/subsystem/xorg.pp delete mode 100644 manifests/subsystems/crypttab.pp delete mode 100644 manifests/subsystems/database.pp delete mode 100644 manifests/subsystems/dhclient.pp delete mode 100644 manifests/subsystems/domain.pp delete mode 100644 manifests/subsystems/firewall.pp delete mode 100644 manifests/subsystems/firewall/local.pp delete mode 100644 manifests/subsystems/firewall/mpd.pp delete mode 100644 manifests/subsystems/firewall/nas.pp delete mode 100644 
manifests/subsystems/firewall/openvpn.pp delete mode 100644 manifests/subsystems/firewall/ppp.pp delete mode 100644 manifests/subsystems/firewall/printer.pp delete mode 100644 manifests/subsystems/firewall/redirect.pp delete mode 100644 manifests/subsystems/firewall/router.pp delete mode 100644 manifests/subsystems/firewall/torrent.pp delete mode 100644 manifests/subsystems/firewall/ups.pp delete mode 100644 manifests/subsystems/firewall/vserver.pp delete mode 100644 manifests/subsystems/firewall/wifi.pp delete mode 100644 manifests/subsystems/firewire.pp delete mode 100644 manifests/subsystems/fstab.pp delete mode 100644 manifests/subsystems/gdm.pp delete mode 100644 manifests/subsystems/gdm3.pp delete mode 100644 manifests/subsystems/hosts.pp delete mode 100644 manifests/subsystems/initramfs.pp delete mode 100644 manifests/subsystems/keyboard.pp delete mode 100644 manifests/subsystems/locales.pp delete mode 100644 manifests/subsystems/media.pp delete mode 100644 manifests/subsystems/modprobe.pp delete mode 100644 manifests/subsystems/monitor.pp delete mode 100644 manifests/subsystems/monkeysphere.pp delete mode 100644 manifests/subsystems/motd.pp delete mode 100644 manifests/subsystems/mount.pp delete mode 100644 manifests/subsystems/munin.pp delete mode 100644 manifests/subsystems/onion.pp delete mode 100644 manifests/subsystems/pam.pp delete mode 100644 manifests/subsystems/profile.pp delete mode 100644 manifests/subsystems/resolver.pp delete mode 100644 manifests/subsystems/schroot.pp delete mode 100644 manifests/subsystems/ssh.pp delete mode 100644 manifests/subsystems/sudo.pp delete mode 100644 manifests/subsystems/sysctl.pp delete mode 100644 manifests/subsystems/tunnel.pp delete mode 100644 manifests/subsystems/ups.pp delete mode 100644 manifests/subsystems/utils.pp delete mode 100644 manifests/subsystems/utils/debian.pp delete mode 100644 manifests/subsystems/utils/desktop.pp delete mode 100644 manifests/subsystems/utils/development.pp delete mode 100644 
manifests/subsystems/utils/dns.pp delete mode 100644 manifests/subsystems/utils/firmware.pp delete mode 100644 manifests/subsystems/utils/hamradio.pp delete mode 100644 manifests/subsystems/utils/interface.pp delete mode 100644 manifests/subsystems/utils/java.pp delete mode 100644 manifests/subsystems/utils/laptop.pp delete mode 100644 manifests/subsystems/utils/multimedia.pp delete mode 100644 manifests/subsystems/utils/network.pp delete mode 100644 manifests/subsystems/utils/office.pp delete mode 100644 manifests/subsystems/utils/personal.pp delete mode 100644 manifests/subsystems/utils/physical.pp delete mode 100644 manifests/subsystems/utils/plug.pp delete mode 100644 manifests/subsystems/utils/ruby.pp delete mode 100644 manifests/subsystems/utils/security.pp delete mode 100644 manifests/subsystems/utils/storage.pp delete mode 100644 manifests/subsystems/utils/tor.pp delete mode 100644 manifests/subsystems/utils/web.pp delete mode 100644 manifests/subsystems/websites.pp delete mode 100644 manifests/subsystems/xorg.pp delete mode 100644 manifests/test.pp delete mode 100644 manifests/tor.pp create mode 100644 manifests/utils.pp create mode 100644 manifests/utils/desktop.pp create mode 100644 manifests/utils/development.pp create mode 100644 manifests/utils/development/virtual.pp create mode 100644 manifests/utils/dns.pp create mode 100644 manifests/utils/firmware.pp create mode 100644 manifests/utils/firmware/iwlwifi.pp create mode 100644 manifests/utils/firmware/realtek.pp create mode 100644 manifests/utils/grub.pp create mode 100644 manifests/utils/hamradio.pp create mode 100644 manifests/utils/interface.pp create mode 100644 manifests/utils/java.pp create mode 100644 manifests/utils/laptop.pp create mode 100644 manifests/utils/laptop/debian.pp create mode 100644 manifests/utils/microcode/intel.pp create mode 100644 manifests/utils/multimedia.pp create mode 100644 manifests/utils/multimedia/mediacenter.pp create mode 100644 manifests/utils/multimedia/ripper.pp 
create mode 100644 manifests/utils/multimedia/studio.pp create mode 100644 manifests/utils/network.pp create mode 100644 manifests/utils/network/analyzer.pp create mode 100644 manifests/utils/network/irssi.pp create mode 100644 manifests/utils/network/minimal.pp create mode 100644 manifests/utils/network/nfs.pp create mode 100644 manifests/utils/network/samba.pp create mode 100644 manifests/utils/network/torrent.pp create mode 100644 manifests/utils/office.pp create mode 100644 manifests/utils/personal.pp create mode 100644 manifests/utils/personal/bundle.pp create mode 100644 manifests/utils/personal/debian.pp create mode 100644 manifests/utils/physical.pp create mode 100644 manifests/utils/plug.pp create mode 100644 manifests/utils/ruby.pp create mode 100644 manifests/utils/security.pp create mode 100644 manifests/utils/storage.pp create mode 100644 manifests/utils/storage/archive.pp create mode 100644 manifests/utils/thinkpad.pp create mode 100644 manifests/utils/tor.pp create mode 100644 manifests/utils/touchpad.pp create mode 100644 manifests/utils/web.pp delete mode 100644 manifests/web.pp delete mode 100644 manifests/yacy.pp (limited to 'manifests') diff --git a/manifests/appliance.pp b/manifests/appliance.pp index 41a3660..dea7625 100644 --- a/manifests/appliance.pp +++ b/manifests/appliance.pp @@ -1,11 +1,7 @@ class nodo::appliance inherits nodo::physical { class { 'sysctl::appliance': } - class { 'fstab': - type => 'appliance', - } - - class { 'crypttab': + class { [ 'nodo::subsystem::fstab', 'nodo::subsystem::crypttab' ]: type => 'appliance', } } diff --git a/manifests/defines/monkeysphere_host.pp b/manifests/defines/monkeysphere_host.pp new file mode 100644 index 0000000..b4b21e0 --- /dev/null +++ b/manifests/defines/monkeysphere_host.pp 
@@ -0,0 +1,20 @@ +define monkeysphere_host( + $port = hiera('nodo::monkeysphere_host::ssh_port', ''), + $mail_recipient = hiera('mail::root_mail_recipient', 'nobody') +) { + include monkeysphere + + # Ensure the server's ssh key is imported into your monkeysphere key ring + monkeysphere::import_key { "ssh": + port => $port, + } + + # TODO + # Currently we don't have a defined policy regarding whether + # to publish all our node keys to public keyservers, so leave + # automatic publishing disabled for now. + #monkeysphere::publish_server_keys { } + + # Email the server key + monkeysphere::email_server_keys { "$mail_recipient": } +} diff --git a/manifests/defines/munin_client.pp b/manifests/defines/munin_client.pp new file mode 100644 index 0000000..770d551 --- /dev/null +++ b/manifests/defines/munin_client.pp @@ -0,0 +1,21 @@ +# Define a munin node +define munin_node( + $port = hiera('nodo::munin_node::port', '4949'), + $allow = hiera('nodo::munin_node::allow', ''), + $host = hiera('nodo::munin_node::host', $::fqdn), + $listen = hiera('nodo::munin_node::listen', '*') +) { + + case $allow { + '': { fail("Please set nodo::munin_node::allow in your config") } + } + + class { 'munin::client': + port => $port, + allow => $allow, + host => $host, + listen => $listen, + } + + munin::plugin { apt_all: ensure => present; } +} diff --git a/manifests/defines/ssh_config.pp b/manifests/defines/ssh_config.pp new file mode 100644 index 0000000..62e1d66 --- /dev/null +++ b/manifests/defines/ssh_config.pp 
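Review bot: The `monkeysphere_host` define carries no header comment (unlike `munin_node` in the same commit), so a reader cannot tell what `$port` defaulting to `''` means for `monkeysphere::import_key` — presumably "use the default ssh port", but that depends on the module, which is not shown. A header such as `# Import this host's ssh key into monkeysphere and mail its fingerprint to $mail_recipient` plus `# '' lets monkeysphere::import_key choose the default port — verify against the module` on the `$port` line would make the contract explicit. The `'nobody'` default for `$mail_recipient` also deserves a one-line comment, since with it the key mail presumably goes nowhere unless hiera overrides it. As a point of style, `"ssh"` and `"$mail_recipient"` need no double quotes; puppet-lint would flag both (`'ssh'` and `$mail_recipient`).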
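Review bot: The file is named `munin_client.pp` but it defines `munin_node`, and `init.pp` in this same commit imports `defines/munin_node.pp`, so the define will not be found unless one of the two names changes; renaming the file to `manifests/defines/munin_node.pp` matches both the define and the import. The `$listen` default of `'*'` binds munin-node on every interface, leaving the `allow` regex as the only access control, which is worth stating next to the parameter: `# listen on all interfaces; access is restricted only by $allow — prefer a specific address on multi-homed hosts`. The `fail()` on an empty `$allow` is a good guard and should stay the first statement in the body.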
@@ -0,0 +1,26 @@ +# Manage ssh config for a particular user +define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) { + include nodo::subsystem::ssh_folder + + file { "${home}/.ssh/config": + ensure => present, + owner => $owner, + group => $group, + mode => 0600, + require => File["${home}/.ssh"], + } + + # The NoHostAuthenticationForLocalhost ssh option might be useful + # for automated deployment environments so your ikiwiki user doesn't + # get stuck with the fingerprint confirmation prompt when pushing + # content via ssh in the first time it runs. + line { 'NoHostAuthenticationForLocalhost-${owner}': + file => "${home}/.ssh/config", + line => "NoHostAuthenticationForLocalhost yes", + ensure => $ssh_localhost_auth ? { + 'auto' => present, + 'fingerprint' => absent, + default => absent, + }, + } +} diff --git a/manifests/defines/ssh_create_key.pp b/manifests/defines/ssh_create_key.pp new file mode 100644 index 0000000..e380b18 --- /dev/null +++ b/manifests/defines/ssh_create_key.pp @@ -0,0 +1,11 @@ +define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') { + include nodo::subsystem::ssh_folder + + exec { "ssh-keygen-${owner}": + command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}", + creates => "${home}/.ssh/${keyfile}", + user => $owner, + group => $group, + require => File["${home}/.ssh"], + } +} diff --git a/manifests/defines/ssh_known_hosts.pp b/manifests/defines/ssh_known_hosts.pp new file mode 100644 index 0000000..50ae87e --- /dev/null +++ b/manifests/defines/ssh_known_hosts.pp 
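Review bot: The default `$home = '/home/$owner'` is single-quoted, so Puppet does not interpolate it and the define manages the literal path `/home/$owner/.ssh/config`; it should be `$home = "/home/${owner}"` (older Puppet may not resolve one parameter inside another's default, in which case compute the path in the body). The resource title `'NoHostAuthenticationForLocalhost-${owner}'` has the same problem: every instance gets the identical title, so declaring `ssh_config` for two users is a duplicate-declaration error — use `"NoHostAuthenticationForLocalhost-${owner}"`. `group => $group` refers to a variable this define never declares (`ssh_create_key` takes a `$group` parameter; this one does not). Since the `'auto'` mode writes `NoHostAuthenticationForLocalhost yes`, which switches off host-key checking for connections to localhost, the comment above it could name that trade-off explicitly instead of only the convenience.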
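Review bot: `$home = '/home/$owner'` in `ssh_create_key` is single-quoted and never interpolated, so both `creates` and `-f` point at the literal `/home/$owner/.ssh/id_rsa` — the key lands in the wrong place on the first run and is never regenerated; `$home = "/home/${owner}"` fixes this, with the same caveat about parameter defaults referencing other parameters on older Puppet. The key is deliberately created without a passphrase (`-P ''`) for unattended use, and a comment saying so, e.g. `# passphrase-less key for automated pushes; rely on ${home}/.ssh permissions`, would make that visible. `-N ''` is the documented flag for the new passphrase; `-P` happens to be honored on generation too. No `-b` is passed, so the key size is whatever the host's ssh-keygen defaults to.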
@@ -0,0 +1,50 @@ +# Manage known_hosts for a particular user +define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) { + include nodo::subsystem::ssh_folder + + file { "${home}/.ssh/known_hosts": + ensure => present, + owner => $owner, + group => $group, + mode => 0600, + require => File["${home}/.ssh"], + } + + # You can choose to include the host's fingeprints + # directly into the known_hosts file. + if $::sshrsakey != '' { + line { 'known_hosts-localhost-rsa-${owner}': + file => "${home}/.ssh/known_hosts", + line => "localhost ssh-rsa ${::sshrsakey}", + ensure => $ssh_localhost_auth ? { + 'fingerprint' => present, + 'auto' => undef, + default => undef, + }, + } + } + + if $::sshdsakey != '' { + line { 'known_hosts-localhost-dsa-${owner}': + file => "${home}/.ssh/known_hosts", + line => "localhost ssh-dss ${::sshdsakey}", + ensure => $ssh_localhost_auth ? { + 'fingerprint' => present, + 'auto' => undef, + default => undef, + }, + } + } + + if $::sshecdsakey != '' { + line { 'known_hosts-localhost-ecdsa-${owner}': + file => "${home}/.ssh/known_hosts", + line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}", + ensure => $ssh_localhost_auth ? { + 'fingerprint' => present, + 'auto' => undef, + default => undef, + }, + } + } +} diff --git a/manifests/desktop.pp b/manifests/desktop.pp index 50524d6..7e83732 100644 --- a/manifests/desktop.pp +++ b/manifests/desktop.pp @@ -1,17 +1,7 @@ class nodo::desktop inherits nodo::personal { - include utils::desktop + include nodo::utils::desktop - class { 'fstab': + class { [ 'nodo::subsystem::fstab', 'nodo::subsystem::crypttab' ]: type => 'desktop', } - - class { 'crypttab': - type => 'desktop', - } -} - -class nodo::desktop::webdev inherits nodo::desktop { - include websites::dev - include database - include utils::web } diff --git a/manifests/dns.pp b/manifests/dns.pp deleted file mode 100644 index 1f4a1e1..0000000 --- a/manifests/dns.pp +++ /dev/null 
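Review bot: The ECDSA entry interpolates `${::sshedsakey}` while the guard tests `$::sshecdsakey`, so whenever an ECDSA host key exists the line written is `localhost ecdsa-sha2-nistp256 ` with no key material; it should read `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The key type is also hard-coded to `nistp256`, so if the host key uses another curve the entry will not match — either derive the type from the fact or document the assumption next to the line. The same issues as in `ssh_config` recur here: `'/home/$owner'` and the single-quoted `'known_hosts-localhost-*-${owner}'` titles are not interpolated (so the define cannot be used for two users), and `$group` is not a parameter of this define.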
@@ -1,3 +0,0 @@ -class nodo::dns inherits nodo::vserver { - include bind -} diff --git a/manifests/host.pp b/manifests/host.pp index aefbb92..19d8f2a 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,11 +1,11 @@ # Fully capable node able to host other nodes class nodo::host inherits nodo { - include initramfs - include modprobe - include firewire - include sysctl - include utils::physical - include resolver + include nodo::subsystem::initramfs + include nodo::subsystem::modprobe + include nodo::subsystem::firewire + include nodo::subsystem::sysctl + include nodo::subsystem::resolver + include nodo::utils::physical class { 'syslog-ng': } monkeysphere_host { "${::hostname}": } @@ -37,8 +37,8 @@ class nodo::host inherits nodo { } # Monitoring - if !defined('monitor') { - class { 'monitor': + if !defined('nodo::subsystem::monitor') { + class { 'nodo::subsystem::monitor': type => 'host', use_nagios => hiera('nodo::host::use_nagios', True), } diff --git a/manifests/init.pp b/manifests/init.pp index c17a739..60470da 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -76,94 +76,24 @@ import "pureftpd" import "avahi" import "daap_server" import "infinoted" +import "database" +import "domain_check" +import "firewall" +import "schroot" +import "onion" +import "tunnel" +import "pyroscope" +import "websites" + +# Nodo class +import "nodo.pp" + +# Definitions +import "defines/monkeysphere_host.pp" +import "defines/munin_node.pp" +import "defines/ssh_config.pp" +import "defines/ssh_create_key.pp" +import "defines/ssh_known_hosts.pp" # Import subsystems -import "subsystems/firewire.pp" -import "subsystems/initramfs.pp" -import "subsystems/motd.pp" -import "subsystems/sudo.pp" -import "subsystems/sysctl.pp" -import "subsystems/ups.pp" -import "subsystems/database.pp" -import "subsystems/websites.pp" -import "subsystems/munin.pp" -import "subsystems/pam.pp" -import "subsystems/xorg.pp" -import "subsystems/gdm.pp" -import "subsystems/gdm3.pp" -import "subsystems/modprobe.pp" -import "subsystems/hosts.pp" -import "subsystems/locales.pp" -import "subsystems/onion.pp" -import "subsystems/tunnel.pp" -import "subsystems/media.pp" -import "subsystems/monkeysphere.pp" -import "subsystems/keyboard.pp" -import "subsystems/profile.pp" -import "subsystems/schroot.pp" -import "subsystems/resolver.pp" -import "subsystems/domain.pp" -import "subsystems/dhclient.pp" -import "subsystems/mount.pp" -import "subsystems/monitor.pp" -import "subsystems/fstab.pp" -import "subsystems/crypttab.pp" import "subsystems/ssh.pp" -import "subsystems/utils.pp" -import "subsystems/utils/debian.pp" -import "subsystems/utils/desktop.pp" -import "subsystems/utils/development.pp" -import "subsystems/utils/dns.pp" -import "subsystems/utils/firmware.pp" -import "subsystems/utils/hamradio.pp" -import "subsystems/utils/interface.pp" -import "subsystems/utils/java.pp" -import "subsystems/utils/laptop.pp" -import "subsystems/utils/multimedia.pp" -import "subsystems/utils/network.pp" -import "subsystems/utils/office.pp" -import "subsystems/utils/personal.pp" -import 
"subsystems/utils/physical.pp" -import "subsystems/utils/plug.pp" -import "subsystems/utils/ruby.pp" -import "subsystems/utils/security.pp" -import "subsystems/utils/storage.pp" -import "subsystems/utils/web.pp" -import "subsystems/utils/tor.pp" -import "subsystems/firewall.pp" -import "subsystems/firewall/printer.pp" -import "subsystems/firewall/router.pp" -import "subsystems/firewall/vserver.pp" -import "subsystems/firewall/torrent.pp" -import "subsystems/firewall/ups.pp" -import "subsystems/firewall/wifi.pp" -import "subsystems/firewall/local.pp" -import "subsystems/firewall/openvpn.pp" -import "subsystems/firewall/ppp.pp" -import "subsystems/firewall/nas.pp" -import "subsystems/firewall/redirect.pp" -import "subsystems/firewall/mpd.pp" - -# Import nodo classes -import "nodo.pp" -import "physical.pp" -import "server.pp" -import "personal.pp" -import "desktop.pp" -import "vserver.pp" -import "web.pp" -import "master.pp" -import "proxy.pp" -import "storage.pp" -import "test.pp" -import "removable.pp" -import "laptop.pp" -import "plug.pp" -import "appliance.pp" -import "dns.pp" -import "tor.pp" -import "kvm.pp" -import "jabber.pp" -import "mumble.pp" -import "yacy.pp" -import "nas.pp" diff --git a/manifests/jabber.pp b/manifests/jabber.pp deleted file mode 100644 index 775987d..0000000 --- a/manifests/jabber.pp +++ /dev/null 
@@ -1,36 +0,0 @@ -class nodo::jabber inherits nodo::vserver { - include ssl - include ejabberd - - # We can offer jabber web access in a web node, so - # we leave this out. - # - #include websites::setup - # - #package { 'jwchat': - # ensure => present, - #} - - host { "chat": - ensure => present, - ip => "127.0.0.1", - host_aliases => [ "chat.${domain}" ], - } - - file { [ "/etc/ejabberd/ssl", "/etc/ejabberd/ssl/certs", "/etc/ejabberd/ssl/private" ]: - ensure => directory, - owner => "root", - group => "ejabberd", - mode => 0750, - } - - # We use a concatenated cert file - # http://site4fast.blogspot.com.br/2011/10/ejabberd-ssl-how-to.html - ssl::cert { "cert-concat": - owner => 'ejabberd', - group => 'ejabberd', - base => '/etc/ejabberd/ssl', - notify => Service['ejabberd'], - require => File['/etc/ejabberd/ssl/private'], - } -} diff --git a/manifests/kvm.pp b/manifests/kvm.pp index 7b3b313..11f3dde 100644 --- a/manifests/kvm.pp +++ b/manifests/kvm.pp @@ -1,9 +1,5 @@ class nodo::kvm inherits nodo::host { - class { 'fstab': - type => 'kvm', - } - - class { 'crypttab': + class { [ 'nodo::subsystem::fstab', 'nodo::subsystem::crypttab' ]: type => 'kvm', } } diff --git a/manifests/laptop.pp b/manifests/laptop.pp index a2420f9..1ed77b7 100644 --- a/manifests/laptop.pp +++ b/manifests/laptop.pp @@ -1,17 +1,17 @@ class nodo::laptop inherits nodo::personal { - include utils::laptop + include nodo::utils::laptop + include nodo::subsystem::dhclient include firewall::wifi include firewall::openvpn include firewall::ppp - include dhclient - class { 'fstab': + class { 'nodo::subsystem::fstab': type => 'laptop', } $hibernate = hiera('nodo::laptop::hibernate', false) - class { 'crypttab': + class { 'nodo::subsystem::crypttab': type => $hibernate ? { false => "laptop", default => "laptop.hibernate", 
@@ -31,9 +31,3 @@ class nodo::laptop inherits nodo::personal { }, } } - -class nodo::laptop::webdev inherits nodo::laptop { - include websites::dev - include database - include utils::web -} diff --git a/manifests/mail.pp b/manifests/mail.pp deleted file mode 100644 index 9a124c9..0000000 --- a/manifests/mail.pp +++ /dev/null @@ -1,3 +0,0 @@ -class nodo::mail { - class { [ 'nodo::vserver', 'mail::system' ]: } -} diff --git a/manifests/master.pp b/manifests/master.pp deleted file mode 100644 index 819ce43..0000000 --- a/manifests/master.pp +++ /dev/null @@ -1,60 +0,0 @@ -class nodo::master { - $main = hiera('nodo::master::main', false) - $db_password = hiera('nodo::master::db_password', '') - - case $db_password { - '': { fail("Please set nodo::master::db_password in your config") } - } - - if $main == true { - # Puppetmaster should be included before nodo::vserver - class { 'puppet::master': - main => true, - } - - include munin::host - include munin::plugins::muninhost - - # The main master has a host entry pointing to itself, other - # masters still retrieve catalogs from the main master. - host { "puppet": - ensure => present, - ip => "127.0.0.1", - alias => ["puppet.${::domain}"], - } - } else { - class { 'puppet::master': - main => false, - } - - host { "puppet": - ensure => absent, - } - } - - # These should be included after puppetmaster - include nodo::vserver - include database - include git::daemon - include websites::admin - include nagios::headless - include nagios::defaults - - # Nagios apache workaround - file { "/etc/apache2/conf.d/nagios3.conf": - ensure => absent, - } - - # Update master's puppet.conf if you change here - database::instance { "puppet": - password => "${db_password}", - } - - # Used for trac dependency graphs - package { "graphviz": - ensure => present, - } - - # Check domain registration - domain::check { $::domain: } -} diff --git a/manifests/mumble.pp b/manifests/mumble.pp deleted file mode 100644 index 5a9b050..0000000 
--- a/manifests/mumble.pp +++ /dev/null @@ -1,3 +0,0 @@ -class nodo::mumble inherits nodo::vserver { - include mumble::ssl -} diff --git a/manifests/nas.pp b/manifests/nas.pp deleted file mode 100644 index ed596a1..0000000 --- a/manifests/nas.pp +++ /dev/null 
@@ -1,233 +0,0 @@ -class nodo::nas { - # Firewall rules - include firewall::nas - - # DLNA - class { 'minidlna': } - - # - # NFS - # - # References - # https://github.com/arioch/puppet-nfs - # https://github.com/stankevich/puppet-nfs - # https://github.com/camptocamp/puppet-nfs - # https://github.com/haraldsk/puppet-module-nfs/ - # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary - # http://wiki.debian.org/NFSServerSetup - # http://www.tldp.org/HOWTO/NFS-HOWTO/ - - # Main class - class { 'nfs': - server => true; - } - - # - # FTP - # - - # References - # https://forge.puppetlabs.com/tags/ftp - # https://forum.openwrt.org/viewtopic.php?id=12976 - # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ - # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd - - # Main class - class { 'pureftpd': - virtualchroot => true, - } - - # Enable anonymous ftp - file { '/etc/pure-ftpd/conf/NoAnonymous': - ensure => present, - owner => root, - group => root, - mode => 0644, - content => "no\n", - notify => Service[$pureftpd::params::service_name], - } - - # - # Samba - # - - # References - # https://github.com/ajjahn/puppet-samba - # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364 - # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets - # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2 - # http://forums.fedoraforum.org/showthread.php?t=260519 - # http://randombio.com/linuxsetup38.html - - # Main class - class { 'samba::server': - workgroup => hiera('nodo::samba::workgroup', 'WORKGROUP'), - server_string => hiera('nodo::samba::server_string', 'Samba Server'), - interfaces => hiera('nodo::samba::interfaces', 'lo eth0'), - security => hiera('nodo::samba::security', 'share'), - } - - # We are avoiding multicast - # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/ - # http://linux-igd.sourceforge.net/documentation.php - set_samba_option { - 
# Remote announce won't work since routers don't forward broadcast traffic - #'remote announce': value => hiera('nodo::samba::remote_announce', ''); - 'wins support': value => 'yes'; - 'preferred master': value => 'yes'; - 'domain master': value => 'yes'; - 'printing': value => 'cups'; - 'printcap name': value => 'cups'; - } - - # Disable browsing of printer drivers - samba::server::share { 'print$': - comment => 'Printer Drivers', - path => '/var/lib/samba/printers', - browsable => 'no', - read_only => 'yes', - guest_ok => 'no', - } - - # - # HTTP - # - - # References - # https://github.com/camptocamp/puppet-lighttpd - # https://github.com/example42/puppet-lighttpd - # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary - - # Main class - class { 'lighttpd': } - - # Document root - file { '/var/www/data': - ensure => present, - owner => root, - group => root, - mode => 0755, - } - - # - # TFTP - # - - # Main class - class { 'tftp': - directory => '/srv/tftp', - address => $::ipaddress, - options => '--ipv4 --timeout 60', - inetd => false, - } - - # Rsync - include rsync::server - - # MPD - include mpd - include mpd::client - - # - # CUPS - # - - # References - # https://github.com/mosen/puppet-cups - # https://github.com/camptocamp/puppet-cups - - # Package - package { [ 'cups', 'cups-client' ]: - ensure => installed, - } - - # - # Avahi - # - - # References - # http://nfs-lan.sevka.info/ - # http://en.gentoo-wiki.com/wiki/Avahi - # https://wiki.archlinux.org/index.php/Avahi - # http://packages.debian.org/wheezy/libnss-mdns - # http://packages.debian.org/wheezy/mdns-scan - # http://packages.debian.org/wheezy/avahi-discover - # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf - # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1 - # https://github.com/stahnma/puppet-module-avahi - # https://github.com/tjfontaine/airprint-generate - # 
http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi - # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html - # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols - # http://www.dns-sd.org/ServiceTypes.html - - # Main class - include avahi - - file { '/etc/avahi/services/rsync.service': - ensure => present, - owner => root, - group => root, - mode => 0644, - source => 'puppet:///modules/site_avahi/services/rsync.service', - notify => Service['avahi-daemon'], - } - - file { '/etc/avahi/services/http.service': - ensure => present, - owner => root, - group => root, - mode => 0644, - source => 'puppet:///modules/site_avahi/services/http.service', - notify => Service['avahi-daemon'], - } - - file { '/etc/avahi/services/samba.service': - ensure => present, - owner => root, - group => root, - mode => 0644, - source => 'puppet:///modules/site_avahi/services/samba.service', - notify => Service['avahi-daemon'], - } - - file { '/etc/avahi/services/ftp.service': - ensure => present, - owner => root, - group => root, - mode => 0644, - source => 'puppet:///modules/site_avahi/services/ftp.service', - notify => Service['avahi-daemon'], - } - - # - # DAAP - # - - # References - # http://packages.debian.org/stable/forked-daapd - # http://packages.debian.org/squeeze/mt-daapd - # https://github.com/stahnma/puppet-module-daap_server - - # Main class, but package not available on wheezy - #class { 'daap_server': - # collection_name => 'Noise - DAAP', - # music_dir => '/var/cache/media/noise', - #} - - # - # Media folders - # - - # Main classes - class { [ 'media::folders', 'media::groups' ]: } - - # Make sure basic media exist, no matter if there is an external disk attached - $cache = hiera('nodo::media::folders', '') - - if $cache != '' { - file { "${cache}": - ensure => directory, - } - } -} diff --git a/manifests/nas/share.pp b/manifests/nas/share.pp index f50cebd..57a14cb 100644 --- a/manifests/nas/share.pp 
+++ b/manifests/nas/share.pp @@ -76,7 +76,7 @@ define nodo::nas::share( } # Make sure basic media exist, no matter which disk is attached - $cache = hiera('nodo::media::folders', '') + $cache = hiera('nodo::subsystem::media::folders::cache', '') if $cache != '' { file { [ "${cache}/${name}" ]: diff --git a/manifests/nodo.pp b/manifests/nodo.pp index 5fe4ee1..97ef044 100644 --- a/manifests/nodo.pp +++ b/manifests/nodo.pp @@ -1,19 +1,19 @@ class nodo { include lsb - include sudo + include nodo::subsystem::sudo + include nodo::subsystem::motd + include nodo::subsystem::locales + include nodo::subsystem::profile + include nodo::utils + include tunnel::autossh + include domain_check include users::admin - include motd - include utils - include cron - include locales - include tunnel - include profile - include domain include concat::setup + include cron - class { 'hosts': } + class { 'nodo::subsystem::hosts': } - # then include puppet class + # Include if not defined by nodo::master if !defined('puppet::daemon') { class { 'puppet::daemon': } } @@ -51,7 +51,7 @@ class nodo { case $mail_delivery { 'tunnel': { $mail_hostname = hiera('nodo::mail_hostname') - tunnel::mail { "$mail_hostname": + tunnel::autossh::mail { "$mail_hostname": sshport => hiera('nodo::mail_ssh_port'), } } diff --git a/manifests/personal.pp b/manifests/personal.pp deleted file mode 100644 index 3718cb5..0000000 --- a/manifests/personal.pp +++ /dev/null 
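Review bot: The renamed key `nodo::subsystem::media::folders::cache` is consumed here as a filesystem path (`"${cache}/${name}"`), but in manifests/subsystem/media/folders.pp the same key supplies the `ensure` value of `/var/cache/media` (default `directory`), so a single hiera value cannot satisfy both readers. manifests/role/nas.pp still reads the old `nodo::media::folders` key for the same path purpose, so the two path consumers now disagree with each other as well. Either keep one path-valued key shared by share.pp and role/nas.pp, or give the ensure-valued setting in folders.pp its own key. The enclosing define nodo::nas::share starts before the hunk.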
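Review bot: The new comment `# Include if not defined by nodo::master` names a class this same commit moves to nodo::role::master (manifests/role/master.pp), so it goes stale the moment the patch lands; `# Include if not defined by nodo::role::master` keeps it pointing at the class that actually declares puppet::master. class nodo continues past the hunk.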
@@ -1,43 +0,0 @@ -# personal computer -class nodo::personal { - include nodo::physical - include utils::personal - include autossh - - class { 'pam': } - class { 'xorg': } - - if $::lsbdistcodename == 'squeeze' { - include gdm - } - else { - include gdm3 - } - - # Monitoring - class { 'monitor': - type => 'personal', - use_nagios => hiera('nodo::personal::use_nagios', false), - } - - # Media folders and groups - class { [ 'media::folders', 'media::groups' ]: } - - # Mountpoint for encrypted home folders - file { [ '/mnt/crypt/', '/mnt/crypt/home' ]: - ensure => directory, - } - - # Misc user data - file { [ "/var/data/code", "/var/data/crypt", "/var/data/crypt/home", "/var/data/load" ]: - ensure => directory, - mode => 0755, - require => File['/var/cache/media'], - } - - # Development - file { [ "/var/cache/vagrant", "/var/cache/virtualbox" ]: - ensure => directory, - mode => 0755, - } -} diff --git a/manifests/physical.pp b/manifests/physical.pp index 887eb8d..b883e76 100644 --- a/manifests/physical.pp +++ b/manifests/physical.pp @@ -1,6 +1,5 @@ class nodo::physical inherits nodo::host { - include ups - include smartmontools + class { [ 'nodo::subsystem::ups', smartmontools': } # SMART monitoring $munin = hiera('nodo::host::use_munin', True) diff --git a/manifests/plug.pp b/manifests/plug.pp index 577ad35..f9e787b 100644 --- a/manifests/plug.pp +++ b/manifests/plug.pp @@ -1,10 +1,10 @@ class nodo::plug inherits nodo { include syslog-ng - include utils::plug - include utils::physical - include utils::storage::archive - include sysctl - include resolver + include nodo::utils::plug + include nodo::utils::physical + include nodo::utils::storage::archive + include nodo::subsystem::sysctl + include nodo::subsystem::resolver monkeysphere_host { "${::hostname}": } diff --git a/manifests/proxy.pp b/manifests/proxy.pp deleted file mode 100644 index 51dac33..0000000 --- a/manifests/proxy.pp +++ /dev/null 
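Review bot: The added line `class { [ 'nodo::subsystem::ups', smartmontools': }` in manifests/physical.pp is missing the opening quote of the second class name and the closing `]` of the array, so the manifest does not parse and every class inheriting nodo::physical (nodo::server, nodo::role::personal) stops compiling. It should read `class { [ 'nodo::subsystem::ups', 'smartmontools' ]: }`. class nodo::physical continues past the hunk.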
@@ -1,3 +0,0 @@
-class nodo::proxy inherits nodo::vserver {
- include nginx
-}
diff --git a/manifests/role/dns.pp b/manifests/role/dns.pp
new file mode 100644
index 0000000..2faa69b
--- /dev/null
+++ b/manifests/role/dns.pp
@@ -0,0 +1,3 @@
+class nodo::role::dns inherits nodo::vserver {
+ include bind
+}
diff --git a/manifests/role/jabber.pp b/manifests/role/jabber.pp
new file mode 100644
index 0000000..b510ccd
--- /dev/null
+++ b/manifests/role/jabber.pp
@@ -0,0 +1,36 @@
+class nodo::role::jabber inherits nodo::vserver {
+ include ssl
+ include ejabberd
+
+ # We can offer jabber web access in a web node, so
+ # we leave this out.
+ #
+ #include websites::setup
+ #
+ #package { 'jwchat':
+ # ensure => present,
+ #}
+
+ host { "chat":
+ ensure => present,
+ ip => "127.0.0.1",
+ host_aliases => [ "chat.${domain}" ],
+ }
+
+ file { [ "/etc/ejabberd/ssl", "/etc/ejabberd/ssl/certs", "/etc/ejabberd/ssl/private" ]:
+ ensure => directory,
+ owner => "root",
+ group => "ejabberd",
+ mode => 0750,
+ }
+
+ # We use a concatenated cert file
+ # http://site4fast.blogspot.com.br/2011/10/ejabberd-ssl-how-to.html
+ ssl::cert { "cert-concat":
+ owner => 'ejabberd',
+ group => 'ejabberd',
+ base => '/etc/ejabberd/ssl',
+ notify => Service['ejabberd'],
+ require => File['/etc/ejabberd/ssl/private'],
+ }
+}
diff --git a/manifests/role/mail.pp b/manifests/role/mail.pp
new file mode 100644
index 0000000..4c33ed4
--- /dev/null
+++ b/manifests/role/mail.pp
@@ -0,0 +1,3 @@
+class nodo::role::mail {
+ class { [ 'nodo::vserver', 'mail::system' ]: }
+}
diff --git a/manifests/role/master.pp b/manifests/role/master.pp
new file mode 100644
index 0000000..2adb8a5
--- /dev/null
+++ b/manifests/role/master.pp
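Review bot: `host_aliases => [ "chat.${domain}" ]` in the host resource of manifests/role/jabber.pp reads the unqualified `$domain`, which is resolved through dynamic scope rather than from the node's fact; the sibling manifests in this commit (role/master.pp, subsystem/hosts.pp) use `$::domain`. `host_aliases => [ "chat.${::domain}" ],` makes the alias independent of whichever class happened to declare the role.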
@@ -0,0 +1,60 @@
+class nodo::role::master {
+ $main = hiera('nodo::role::master::main', false)
+ $db_password = hiera('nodo::role::master::db_password', '')
+
+ case $db_password {
+ '': { fail("Please set nodo::master::db_password in your config") }
+ }
+
+ if $main == true {
+ # Puppetmaster should be included before nodo::vserver
+ class { 'puppet::master':
+ main => true,
+ }
+
+ include munin::host
+ include munin::plugins::muninhost
+
+ # The main master has a host entry pointing to itself, other
+ # masters still retrieve catalogs from the main master.
+ host { "puppet":
+ ensure => present,
+ ip => "127.0.0.1",
+ alias => ["puppet.${::domain}"],
+ }
+ } else {
+ class { 'puppet::master':
+ main => false,
+ }
+
+ host { "puppet":
+ ensure => absent,
+ }
+ }
+
+ # These should be included after puppetmaster
+ include nodo::vserver
+ include database
+ include git::daemon
+ include websites::admin
+ include nagios::headless
+ include nagios::defaults
+
+ # Nagios apache workaround
+ file { "/etc/apache2/conf.d/nagios3.conf":
+ ensure => absent,
+ }
+
+ # Update master's puppet.conf if you change here
+ database::instance { "puppet":
+ password => "${db_password}",
+ }
+
+ # Used for trac dependency graphs
+ package { "graphviz":
+ ensure => present,
+ }
+
+ # Check domain registration
+ domain_check::instance { $::domain: }
+}
diff --git a/manifests/role/mumble.pp b/manifests/role/mumble.pp
new file mode 100644
index 0000000..764c0d8
--- /dev/null
+++ b/manifests/role/mumble.pp
@@ -0,0 +1,3 @@
+class nodo::role::mumble inherits nodo::vserver {
+ include mumble::ssl
+}
diff --git a/manifests/role/nas.pp b/manifests/role/nas.pp
new file mode 100644
index 0000000..134216e
--- /dev/null
+++ b/manifests/role/nas.pp
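Review bot: The `fail()` message still names `nodo::master::db_password` while the lookup two lines above was renamed to `nodo::role::master::db_password`, so an operator following the error sets a key the class no longer reads; `'': { fail("Please set nodo::role::master::db_password in your config") }`. Separately, `alias => ["puppet.${::domain}"]` on the `host { "puppet": }` resource is the resource-alias metaparameter, not an /etc/hosts alias; the other host resources in this commit (role/jabber.pp, subsystem/hosts.pp) use `host_aliases`, so `host_aliases => ["puppet.${::domain}"],` is likely what was intended, although that line predates the move.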
@@ -0,0 +1,233 @@ +class nodo::role::nas { + # Firewall rules + include firewall::nas + + # DLNA + class { 'minidlna': } + + # + # NFS + # + # References + # https://github.com/arioch/puppet-nfs + # https://github.com/stankevich/puppet-nfs + # https://github.com/camptocamp/puppet-nfs + # https://github.com/haraldsk/puppet-module-nfs/ + # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary + # http://wiki.debian.org/NFSServerSetup + # http://www.tldp.org/HOWTO/NFS-HOWTO/ + + # Main class + class { 'nfs': + server => true; + } + + # + # FTP + # + + # References + # https://forge.puppetlabs.com/tags/ftp + # https://forum.openwrt.org/viewtopic.php?id=12976 + # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ + # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd + + # Main class + class { 'pureftpd': + virtualchroot => true, + } + + # Enable anonymous ftp + file { '/etc/pure-ftpd/conf/NoAnonymous': + ensure => present, + owner => root, + group => root, + mode => 0644, + content => "no\n", + notify => Service[$pureftpd::params::service_name], + } + + # + # Samba + # + + # References + # https://github.com/ajjahn/puppet-samba + # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364 + # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets + # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2 + # http://forums.fedoraforum.org/showthread.php?t=260519 + # http://randombio.com/linuxsetup38.html + + # Main class + class { 'samba::server': + workgroup => hiera('nodo::samba::workgroup', 'WORKGROUP'), + server_string => hiera('nodo::samba::server_string', 'Samba Server'), + interfaces => hiera('nodo::samba::interfaces', 'lo eth0'), + security => hiera('nodo::samba::security', 'share'), + } + + # We are avoiding multicast + # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/ + # http://linux-igd.sourceforge.net/documentation.php + 
set_samba_option { + # Remote announce won't work since routers don't forward broadcast traffic + #'remote announce': value => hiera('nodo::samba::remote_announce', ''); + 'wins support': value => 'yes'; + 'preferred master': value => 'yes'; + 'domain master': value => 'yes'; + 'printing': value => 'cups'; + 'printcap name': value => 'cups'; + } + + # Disable browsing of printer drivers + samba::server::share { 'print$': + comment => 'Printer Drivers', + path => '/var/lib/samba/printers', + browsable => 'no', + read_only => 'yes', + guest_ok => 'no', + } + + # + # HTTP + # + + # References + # https://github.com/camptocamp/puppet-lighttpd + # https://github.com/example42/puppet-lighttpd + # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary + + # Main class + class { 'lighttpd': } + + # Document root + file { '/var/www/data': + ensure => present, + owner => root, + group => root, + mode => 0755, + } + + # + # TFTP + # + + # Main class + class { 'tftp': + directory => '/srv/tftp', + address => $::ipaddress, + options => '--ipv4 --timeout 60', + inetd => false, + } + + # Rsync + include rsync::server + + # MPD + include mpd + include mpd::client + + # + # CUPS + # + + # References + # https://github.com/mosen/puppet-cups + # https://github.com/camptocamp/puppet-cups + + # Package + package { [ 'cups', 'cups-client' ]: + ensure => installed, + } + + # + # Avahi + # + + # References + # http://nfs-lan.sevka.info/ + # http://en.gentoo-wiki.com/wiki/Avahi + # https://wiki.archlinux.org/index.php/Avahi + # http://packages.debian.org/wheezy/libnss-mdns + # http://packages.debian.org/wheezy/mdns-scan + # http://packages.debian.org/wheezy/avahi-discover + # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf + # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1 + # https://github.com/stahnma/puppet-module-avahi + # https://github.com/tjfontaine/airprint-generate + # 
http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi + # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html + # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols + # http://www.dns-sd.org/ServiceTypes.html + + # Main class + include avahi + + file { '/etc/avahi/services/rsync.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/rsync.service', + notify => Service['avahi-daemon'], + } + + file { '/etc/avahi/services/http.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/http.service', + notify => Service['avahi-daemon'], + } + + file { '/etc/avahi/services/samba.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/samba.service', + notify => Service['avahi-daemon'], + } + + file { '/etc/avahi/services/ftp.service': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/site_avahi/services/ftp.service', + notify => Service['avahi-daemon'], + } + + # + # DAAP + # + + # References + # http://packages.debian.org/stable/forked-daapd + # http://packages.debian.org/squeeze/mt-daapd + # https://github.com/stahnma/puppet-module-daap_server + + # Main class, but package not available on wheezy + #class { 'daap_server': + # collection_name => 'Noise - DAAP', + # music_dir => '/var/cache/media/noise', + #} + + # + # Media folders + # + + # Main classes + class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: } + + # Make sure basic media exist, no matter if there is an external disk attached + $cache = hiera('nodo::media::folders', '') + + if $cache != '' { + file { "${cache}": + ensure => directory, + } + } +} 
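Review bot: The `# Enable anonymous ftp` block writes `no` into `/etc/pure-ftpd/conf/NoAnonymous` unconditionally, whereas the samba settings beside it are all hiera-tunable, so every nas node serves unauthenticated FTP with no per-site override. At minimum the comment should record the exposure assumption, e.g. `# Anonymous FTP is intentional on NAS nodes; reachability is expected to be limited by firewall::nas`, since firewall::nas is included at the top of the class but its rules are not visible here. If some nodes should not offer it, a hiera-driven toggle like the samba parameters would keep the decision out of the manifest.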
diff --git a/manifests/role/personal.pp b/manifests/role/personal.pp new file mode 100644 index 0000000..f7afdc0 --- /dev/null +++ b/manifests/role/personal.pp @@ -0,0 +1,43 @@ +# Personal computer +class nodo::role::personal { + include nodo::physical + include nodo::utils::personal + include autossh + + class { 'nodo::subsystem::pam': } + class { 'nodo::subsystem::xorg': } + + if $::lsbdistcodename == 'squeeze' { + include nodo::subsystem::gdm + } + else { + include nodo::subsystem::gdm3 + } + + # Monitoring + class { 'monitor': + type => 'personal', + use_nagios => hiera('nodo::personal::use_nagios', false), + } + + # Media folders and groups + class { [ 'nodo::subsystem::media::folders', 'nodo::subsystem::media::groups' ]: } + + # Mountpoint for encrypted home folders + file { [ '/mnt/crypt/', '/mnt/crypt/home' ]: + ensure => directory, + } + + # Misc user data + file { [ "/var/data/code", "/var/data/crypt", "/var/data/crypt/home", "/var/data/load" ]: + ensure => directory, + mode => 0755, + require => File['/var/cache/media'], + } + + # Development + file { [ "/var/cache/vagrant", "/var/cache/virtualbox" ]: + ensure => directory, + mode => 0755, + } +} diff --git a/manifests/role/proxy.pp b/manifests/role/proxy.pp new file mode 100644 index 0000000..821e975 --- /dev/null +++ b/manifests/role/proxy.pp @@ -0,0 +1,3 @@ +class nodo::role::proxy inherits nodo::vserver { + include nginx +} diff --git a/manifests/role/router.pp b/manifests/role/router.pp new file mode 100644 index 0000000..068837d --- /dev/null +++ b/manifests/role/router.pp 
@@ -0,0 +1,25 @@
+class nodo::role::router inherits nodo::appliance {
+ # We use monitor class on the router as the DNS server might by
+ # inside a vserver and thus cannot access the network devices directly
+ include nodo::utils::dns
+
+ # Network auditing
+ include nodo::utils::network::analyzer
+
+ # Enable IP forwarding
+ augeas { 'enable_ip_forwarding':
+ changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING On',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
+
+ # Make sure shorewall is reloaded after dhcp renew
+ file { '/etc/dhcp/dhclient-exit-hooks.d/shorewall':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => 'puppet:///modules/site_nodo/dhclient-exit-hooks.d/shorewall'
+ }
+}
diff --git a/manifests/role/storage.pp b/manifests/role/storage.pp
new file mode 100644
index 0000000..0cf7f60
--- /dev/null
+++ b/manifests/role/storage.pp
@@ -0,0 +1,3 @@
+class nodo::role::storage inherits nodo::vserver {
+ include nodo::utils::storage
+}
diff --git a/manifests/role/test.pp b/manifests/role/test.pp
new file mode 100644
index 0000000..330a5ee
--- /dev/null
+++ b/manifests/role/test.pp
@@ -0,0 +1,3 @@
+class nodo::role::test inherits nodo::web {
+ # Class for test nodes
+}
diff --git a/manifests/role/tor.pp b/manifests/role/tor.pp
new file mode 100644
index 0000000..2d5ff58
--- /dev/null
+++ b/manifests/role/tor.pp
@@ -0,0 +1,4 @@
+class nodo::role::tor inherits nodo::vserver {
+ include tor::daemon
+ include nodo::utils::tor
+}
diff --git a/manifests/role/web.pp b/manifests/role/web.pp
new file mode 100644
index 0000000..7cdd93f
--- /dev/null
+++ b/manifests/role/web.pp
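Review bot: The leading comment in manifests/role/router.pp says `We use monitor class on the router as the DNS server might by`, but the line it annotates is `include nodo::utils::dns` and nothing named monitor is declared in this class, so a reader cannot tell whether the wrong class is included or the comment is stale. Assuming the include is the intended one, `# DNS utilities run on the router because the DNS server may sit inside a vserver and cannot reach the network devices directly` describes what the code does and fixes "might by". The bareword in `notify => Service[shorewall]` should also be quoted, `notify => Service['shorewall'],`, matching the other resource references in this commit.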
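Review bot: `class nodo::role::test inherits nodo::web` in manifests/role/test.pp names the pre-refactor class, while this commit creates the web role as nodo::role::web; if manifests/web.pp was removed like the other role manifests (its removal is outside this view), the parent class no longer exists and every test node fails to compile. `class nodo::role::test inherits nodo::role::web {` points at the class the commit actually introduces.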
@@ -0,0 +1,49 @@
+class nodo::role::web inherits nodo::vserver {
+ # Hidden services
+ $hidden = hiera('apache::site::hidden', false)
+ if $hidden == true {
+ include onion
+ }
+
+ # Classes for web nodes
+ include websites
+ include database
+ include users::virtual
+ include nodo::utils::web
+
+ # Reprepro configuration
+ $reprepro = hiera('nodo::web::reprepro', false)
+ $reprepro_basedir = '/var/reprepro'
+
+ case $reprepro {
+ true,'enabled': {
+ class { 'reprepro':
+ basedir => '/var/reprepro',
+ uploaders => hiera('nodo::web::reprepro_uploaders', [ ]),
+ }
+
+ include reprepro::cron
+ }
+ 'disabled': {
+ class { 'reprepro::disabled':
+ basedir => '/var/reprepro',
+ }
+ }
+ 'purged': {
+ class { 'reprepro::purged':
+ basedir => '/var/reprepro',
+ }
+ }
+ false,default: { }
+ }
+
+ $git_daemon = hiera('nodo::web::git_daemon', True)
+
+ if $git_daemon != false {
+ class { 'git::daemon': }
+ }
+
+ backupninja::svn { "svn":
+ src => "/var/svn",
+ }
+}
diff --git a/manifests/role/webdev.pp b/manifests/role/webdev.pp
new file mode 100644
index 0000000..6154cc0
--- /dev/null
+++ b/manifests/role/webdev.pp
@@ -0,0 +1,5 @@
+class nodo::role::webdev {
+ include websites::dev
+ include database
+ include utils::web
+}
diff --git a/manifests/role/webdev/desktop.pp b/manifests/role/webdev/desktop.pp
new file mode 100644
index 0000000..063140a
--- /dev/null
+++ b/manifests/role/webdev/desktop.pp
@@ -0,0 +1,3 @@
+class nodo::role::webdev::desktop inherits nodo::desktop {
+ include nodo::role::webdev
+}
diff --git a/manifests/role/webdev/laptop.pp b/manifests/role/webdev/laptop.pp
new file mode 100644
index 0000000..e9c1aab
--- /dev/null
+++ b/manifests/role/webdev/laptop.pp
@@ -0,0 +1,3 @@
+class nodo::role::webdev::laptop inherits nodo::laptop {
+ include nodo::role::webdev
+}
diff --git a/manifests/role/yacy.pp b/manifests/role/yacy.pp
new file mode 100644
index 0000000..379297c
--- /dev/null
+++ b/manifests/role/yacy.pp
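Review bot: `$reprepro_basedir = '/var/reprepro'` in manifests/role/web.pp is assigned and never used; the three `basedir => '/var/reprepro'` arguments in the case below repeat the literal, so editing the variable would silently change nothing. Either drop the variable or pass `basedir => $reprepro_basedir,` in all three branches. `hiera('nodo::web::git_daemon', True)` also uses the bareword `True`, which Puppet takes as the string 'True' rather than the boolean; it still satisfies `!= false`, but `true` is the literal that was meant.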
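Review bot: `include utils::web` in nodo::role::webdev keeps the pre-refactor class name, while nodo::role::web in the same commit uses `include nodo::utils::web`; if utils::web was moved with the rest of the utils classes this include will not resolve. `include nodo::utils::web` aligns the webdev role with its sibling.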
@@ -0,0 +1,34 @@ +class nodo::role::yacy inherits nodo::vserver { + class { 'onion': } + + package { 'yacy': + ensure => installed, + } + + service { 'yacy': + ensure => running, + require => Package['yacy'], + } + + # Gracefully restart yacy everyday + cron { "yacy-restart": + command => "/etc/init.d/yacy restart > /dev/null 2>&1", + user => root, + hour => "*/4", + minute => "0", + ensure => present, + require => Service['yacy'], + } + + tor::daemon::hidden_service { 'yacy': + ports => [ '8090 127.0.0.1:8090', '80 127.0.0.1:8090' ], + data_dir => "$tor::daemon::data_dir/hidden", + ensure => present, + } + + # Why they don't sign their releases? + apt::sources_list { "yacy.net.list": + content => "deb http://debian.yacy.net ./\n", + ensure => absent, + } +} diff --git a/manifests/server.pp b/manifests/server.pp index 90bb2ae..6606a49 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,9 +1,5 @@ class nodo::server inherits nodo::physical { - class { 'fstab': - type => 'server', - } - - class { 'crypttab': + class { [ 'nodo::subsystem::fstab', 'nodo::subsystem::crypttab' ]: type => 'server', } } diff --git a/manifests/storage.pp b/manifests/storage.pp deleted file mode 100644 index 13cbdab..0000000 --- a/manifests/storage.pp +++ /dev/null @@ -1,3 +0,0 @@ -class nodo::storage inherits nodo::vserver { - include utils::storage -} diff --git a/manifests/subsystem/crypttab.pp b/manifests/subsystem/crypttab.pp new file mode 100644 index 0000000..749569c --- /dev/null +++ b/manifests/subsystem/crypttab.pp @@ -0,0 +1,15 @@ +class nodo::subsystem::crypttab( + $type, + $manage = hiera('nodo::crypttab::manage', false) +) { + if $manage == true { + file { "/etc/crypttab": + source => "puppet:///modules/nodo/etc/crypttab/${type}", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + notify => Exec['update-initramfs'], + } + } +} 
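Review bot: The cron comment `# Gracefully restart yacy everyday` in manifests/role/yacy.pp disagrees with `hour => "*/4"`, which fires every four hours, so either the comment or the schedule is wrong. If the schedule is intended, `# Restart yacy every four hours` documents it; if a daily restart was meant, a fixed hour such as `hour => "4",` restores it. `data_dir => "$tor::daemon::data_dir/hidden"` also interpolates a qualified variable without braces; `"${tor::daemon::data_dir}/hidden"` is the unambiguous form.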
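Review bot: `$manage = hiera('nodo::crypttab::manage', false)` in manifests/subsystem/crypttab.pp keeps the old key name, whereas the parallel nodo::subsystem::fstab class added in this commit reads `nodo::subsystem::fstab::manage`; the two classes are declared together from nodo::server, so an operator renaming one key will miss the other. Following the fstab pattern, `$manage = hiera('nodo::subsystem::crypttab::manage', false)` keeps the naming consistent, at the cost of renaming the hiera datum.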
diff --git a/manifests/subsystem/dhclient.pp b/manifests/subsystem/dhclient.pp
new file mode 100644
index 0000000..332dc34
--- /dev/null
+++ b/manifests/subsystem/dhclient.pp
@@ -0,0 +1,17 @@
+class nodo::subsystem::dhclient(
+ $ensure = hiera('nodo::subsystem::dhclient::ensure', 'present'),
+ $supersede_domain = hiera('nodo::subsystem::dhclient::supersede_domain', $::domain)
+) {
+ package { 'isc-dhcp-client':
+ ensure => $ensure,
+ }
+
+ file { '/etc/dhcp/dhclient.conf':
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => 0644,
+ require => Package['isc-dhcp-client'],
+ content => template('nodo/dhcp/dhclient.conf.erb'),
+ }
+}
diff --git a/manifests/subsystem/firewire.pp b/manifests/subsystem/firewire.pp
new file mode 100644
index 0000000..104d6e9
--- /dev/null
+++ b/manifests/subsystem/firewire.pp
@@ -0,0 +1,8 @@
+class nodo::subsystem::firewire {
+ # Make sure ohci1394 is not loaded
+ # See http://padrao.sarava.org/trac/wiki/Debian/Firewire and the modprobe class
+ exec { "rmmod ohci1394":
+ unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
+ user => "root",
+ }
+}
diff --git a/manifests/subsystem/fstab.pp b/manifests/subsystem/fstab.pp
new file mode 100644
index 0000000..9538f66
--- /dev/null
+++ b/manifests/subsystem/fstab.pp
@@ -0,0 +1,15 @@
+class nodo::subsystem::fstab(
+ $type,
+ $manage = hiera('nodo::subsystem::fstab::manage', false)
+) {
+ if $manage == true {
+ file { "/etc/fstab":
+ source => "puppet:///modules/nodo/etc/fstab/${type}",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Exec['update-initramfs'],
+ }
+ }
+}
diff --git a/manifests/subsystem/gdm.pp b/manifests/subsystem/gdm.pp
new file mode 100644
index 0000000..fd36e99
--- /dev/null
+++ b/manifests/subsystem/gdm.pp
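Review bot: `exec { "rmmod ohci1394": ... }` in manifests/subsystem/firewire.pp has neither a fully qualified command nor a `path`, so Puppet refuses to run it with "is not qualified and no path was specified"; the same applies to `exec { "update-initramfs -v -t -u": }` in manifests/subsystem/initramfs.pp and `exec { "locale-gen": }` in manifests/subsystem/locales.pp. Qualifying each command (`/sbin/rmmod ohci1394`) or adding `path => [ '/sbin', '/usr/sbin', '/bin', '/usr/bin' ],` to each exec fixes all three. The `unless` guard here also depends on the shell treating the empty output of the backticked grep as a command whose status is grep's; `onlyif => '/bin/grep -q ^ohci1394 /proc/modules',` states the same condition directly.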
@@ -0,0 +1,66 @@ +class nodo::subsystem::gdm { + package { 'gdm': + ensure => installed, + } + + service { 'gdm': + ensure => running, + require => Package['gdm'], + } + + exec { '/usr/sbin/dpkg-reconfigure gdm': + subscribe => File['/etc/gdm/gdm.conf'], + user => root, + group => root, + refreshonly => true, + require => Service['gdm'], + } + + file { '/etc/gdm/gdm.conf': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => [ "puppet:///modules/site_nodo/etc/gdm/${::domain}/gdm.conf", + "puppet:///modules/nodo/etc/gdm/gdm.conf", ] + } + + file { '/usr/share/gdm/themes/crunchbang': + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => "root", + group => "root", + # This mode will also apply to files from the source directory + mode => 0644, + # Puppet will automatically set +x for directories + source => 'puppet:///modules/nodo/etc/gdm/themes/crunchbang', + } + + file { '/usr/share/gdm/themes/Tuxtastic': + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => "root", + group => "root", + # This mode will also apply to files from the source directory + mode => 0644, + # Puppet will automatically set +x for directories + source => 'puppet:///modules/nodo/etc/gdm/themes/Tuxtastic', + } + + file { '/usr/share/gdm/themes/dasUberMini': + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => "root", + group => "root", + # This mode will also apply to files from the source directory + mode => 0644, + # Puppet will automatically set +x for directories + source => 'puppet:///modules/nodo/etc/gdm/themes/dasUberMini', + } +} diff --git a/manifests/subsystem/gdm/disabled.pp b/manifests/subsystem/gdm/disabled.pp new file mode 100644 index 0000000..d2565ef --- /dev/null +++ b/manifests/subsystem/gdm/disabled.pp 
@@ -0,0 +1,18 @@
+class nodo::subsystem::gdm::disabled inherits nodo::subsystem::gdm {
+ File['/usr/share/gdm/themes/dasUberMini', '/usr/share/gdm/themes/Tuxtastic',
+ '/usr/share/gdm/themes/crunchbang', '/etc/gdm/gdm.conf' ] {
+ ensure => absent,
+ }
+
+ Exec['/usr/sbin/dpkg-reconfigure gdm'] {
+ command => '/bin/true',
+ }
+
+ Service['gdm'] {
+ ensure => stopped,
+ }
+
+ Package['gdm'] {
+ ensure => absent,
+ }
+}
diff --git a/manifests/subsystem/gdm3.pp b/manifests/subsystem/gdm3.pp
new file mode 100644
index 0000000..d708f6a
--- /dev/null
+++ b/manifests/subsystem/gdm3.pp
@@ -0,0 +1,20 @@
+class nodo::subsystem::gdm3 {
+ package { 'gdm3':
+ ensure => installed,
+ }
+
+ service { 'gdm3':
+ ensure => running,
+ require => Package['gdm3'],
+ }
+
+ file { '/etc/gdm3/greeter.gsettings':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ notify => Service['gdm3'],
+ source => [ "puppet:///modules/site_nodo/etc/gdm3/${::domain}/greeter.gseetings",
+ "puppet:///modules/nodo/etc/gdm3/greeter.gsettings", ]
+ }
+}
diff --git a/manifests/subsystem/hosts.pp b/manifests/subsystem/hosts.pp
new file mode 100644
index 0000000..464bc0c
--- /dev/null
+++ b/manifests/subsystem/hosts.pp
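Review bot: The site override path `"puppet:///modules/site_nodo/etc/gdm3/${::domain}/greeter.gseetings"` in manifests/subsystem/gdm3.pp misspells the file name (`gseetings`), so the first `source` entry never matches and Puppet silently falls back to the module default; a per-domain greeter file placed under site_nodo is ignored without any error. `"puppet:///modules/site_nodo/etc/gdm3/${::domain}/greeter.gsettings",` matches both the fallback entry and the managed path `/etc/gdm3/greeter.gsettings`.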
@@ -0,0 +1,60 @@
+class nodo::subsystem::hosts(
+ $custom = hiera('nodo::subsystem::hosts::custom', false)
+) {
+ # Sometimes might be useful to manage the whole
+ # hosts file, see http://projects.puppetlabs.com/issues/10704
+ case $custom {
+ true: {
+ file { '/etc/hosts':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0640,
+ source => "puppet:///modules/site_nodo/hosts/${::fqdn}",
+ }
+ }
+ default: {
+ host { "${::hostname}":
+ ensure => present,
+ ip => "${::ipaddress}",
+ host_aliases => [ "${::fqdn}" ],
+ }
+
+ host { "localhost":
+ ensure => present,
+ ip => "127.0.0.1",
+ }
+
+ host { "ip6-localhost":
+ ensure => present,
+ ip => "::1",
+ host_aliases => [ "ip6-loopback" ],
+ }
+
+ host { "ip6-localnet":
+ ensure => present,
+ ip => "fe00::0",
+ }
+
+ host { "ip6-mcastprefix":
+ ensure => present,
+ ip => "ff00::0",
+ }
+
+ host { "ip6-allnodes":
+ ensure => present,
+ ip => "ff02::1",
+ }
+
+ host { "ip6-allrouters":
+ ensure => present,
+ ip => "ff02::2",
+ }
+
+ host { "ip6-allhosts":
+ ensure => present,
+ ip => "ff02::3",
+ }
+ }
+ }
+}
diff --git a/manifests/subsystem/initramfs.pp b/manifests/subsystem/initramfs.pp
new file mode 100644
index 0000000..acbf1b7
--- /dev/null
+++ b/manifests/subsystem/initramfs.pp
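Review bot: In the `true:` branch of nodo::subsystem::hosts, `/etc/hosts` is installed with `mode => 0640` and root ownership, which makes the file unreadable to every non-root process; the resolver reads it inside each process, so lookups that depend on /etc/hosts entries fail for ordinary users and service accounts. `mode => 0644,` matches the permissions of the stock Debian file. The source is also fixed to `${::fqdn}` with no fallback entry, so a node whose site_nodo file is missing errors instead of dropping into the default branch, which deserves a comment if it is intentional.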
@@ -0,0 +1,39 @@
+class nodo::subsystem::initramfs(
+ $keymap = hiera('nodo::initramfs::keymap', 'absent')
+) {
+ # initramfs config
+ file { "/etc/kernel-img.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "do_initrd = Yes\n",
+ }
+
+ # initramfs config
+ file { "/etc/initramfs-tools/modules":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet:///modules/nodo/etc/initramfs-tools/modules",
+ }
+
+ # keymap
+ file { "/etc/initramfs-tools/conf.d/keymap.conf":
+ ensure => $keymap,
+ content => "KEYMAP=Y\n",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ }
+
+ # update initramfs when needed
+ exec { "update-initramfs -v -t -u":
+ subscribe => [ File["/etc/initramfs-tools/modules"],
+ File["/etc/modprobe.d/blacklist"],
+ File["/etc/initramfs-tools/conf.d/keymap.conf"] ],
+ refreshonly => true,
+ alias => 'update-initramfs',
+ }
+}
diff --git a/manifests/subsystem/keyboard.pp b/manifests/subsystem/keyboard.pp
new file mode 100644
index 0000000..b5241d7
--- /dev/null
+++ b/manifests/subsystem/keyboard.pp
@@ -0,0 +1,22 @@
+class nodo::subsystem::keyboard {
+ # Keyboard, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619711
+ file { "/etc/default/keyboard":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet:///modules/site_nodo/keyboard/${::hostname}"
+ }
+
+ package { 'console-common':
+ ensure => present,
+ }
+
+ file { '/etc/console/boottime.kmap.gz':
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ source => "puppet:///modules/site_nodo/console/boottime.kmap.gz.${::hostname}"
+ }
+}
diff --git a/manifests/subsystem/locales.pp b/manifests/subsystem/locales.pp
new file mode 100644
index 0000000..c3a1f76
--- /dev/null
+++ b/manifests/subsystem/locales.pp
@@ -0,0 +1,28 @@
+class nodo::subsystem::locales {
+ package { "locales":
+ ensure => installed,
+ }
+
+ file { "/etc/default/locale":
+ source => [ "puppet:///modules/site_nodo/etc/default/locale",
+ "puppet:///modules/nodo/etc/default/locale" ],
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ }
+
+ file { "/etc/locale.gen":
+ source => [ "puppet:///modules/site_nodo/etc/locale.gen",
+ "puppet:///modules/nodo/etc/locale.gen" ],
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ }
+
+ exec { "locale-gen":
+ refreshonly => true,
+ subscribe => File["/etc/locale.gen"],
+ }
+}
diff --git a/manifests/subsystem/media/folders.pp b/manifests/subsystem/media/folders.pp
new file mode 100644
index 0000000..2fcc637
--- /dev/null
+++ b/manifests/subsystem/media/folders.pp
@@ -0,0 +1,32 @@
+class nodo::subsystem::media::folders(
+ $cache = hiera('nodo::subsystem::media::folders::cache', directory)
+) {
+ # Removable media folder
+ file { [ "/media/usb", "/media/cdrom", "/media/tablet", "/media/phone" ]:
+ ensure => directory,
+ mode => 0755,
+ }
+
+ # Media cache
+ file { "/var/cache/media":
+ ensure => $cache,
+ mode => 0755,
+ }
+
+ # Data folder is a cache
+ file { "/var/data":
+ ensure => "/var/cache/media",
+ }
+
+ # Hostname cache for general use
+ file { "/var/cache/${::hostname}":
+ ensure => directory,
+ mode => 0755,
+ }
+
+ # Link to the media cache, useful to have unique remotes
+ # for git-annex in removable media
+ file { "/var/cache/${::hostname}/media":
+ ensure => "/var/cache/media",
+ }
+}
diff --git a/manifests/subsystem/media/groups.pp b/manifests/subsystem/media/groups.pp
new file mode 100644
index 0000000..098ae67
--- /dev/null
+++ b/manifests/subsystem/media/groups.pp
@@ -0,0 +1,5 @@
+class nodo::subsystem::media::groups {
+ group { 'incoming':
+ ensure => 'present',
+ }
+}
diff --git a/manifests/subsystem/modprobe.pp b/manifests/subsystem/modprobe.pp
new file mode 100644
index 0000000..be6ec42
--- /dev/null
+++ b/manifests/subsystem/modprobe.pp
@@ -0,0 +1,28 @@
+class nodo::subsystem::modprobe {
+ # Keep firewire disabled among other things
+ case $lsbdistcodename {
+ 'lenny': {
+ file { "/etc/modprobe.d/blacklist":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet:///modules/nodo/etc/modprobe.d/blacklist.conf",
+ }
+ }
+ default: {
+ # Upgrade from lenny
+ file { "/etc/modprobe.d/blacklist":
+ ensure => absent,
+ }
+
+ file { "/etc/modprobe.d/blacklist.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ source => "puppet:///modules/nodo/etc/modprobe.d/blacklist.conf",
+ }
+ }
+ }
+}
diff --git a/manifests/subsystem/monitor.pp b/manifests/subsystem/monitor.pp
new file mode 100644
index 0000000..d7fa720
--- /dev/null
+++ b/manifests/subsystem/monitor.pp
@@ -0,0 +1,26 @@
+class nodo::subsystem::monitor(
+ $type = 'vserver',
+ $use_nagios = hiera('nodo::subsystem::monitor::use_nagios', True),
+ $use_fqdn = hiera('nodo::subsystem::monitor::use_nagios_fqdn', false)
+) {
+
+ if $use_nagios != false {
+
+ if $type == 'vserver' {
+ include nagios::target::fqdn
+ nagios::service::ping { "${::fqdn}": }
+ }
+
+ if $type == 'host' or $type == 'personal' {
+ if $use_fqdn == true {
+ include nagios::target::fqdn
+ }
+ else {
+ include nagios::target
+ }
+ nagios::service::ping { "${::fqdn}": }
+ }
+
+ }
+
+}
diff --git a/manifests/subsystem/motd.pp b/manifests/subsystem/motd.pp
new file mode 100644
index 0000000..8561b38
--- /dev/null
+++ b/manifests/subsystem/motd.pp
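Review bot: `case $lsbdistcodename {` in nodo::subsystem::modprobe looks the fact up through dynamic scope, unlike the pam.pp and profile.pp hunks in this commit which use `$::lsbdistcodename`; an unqualified name can be shadowed by a same-named variable in an enclosing scope and Puppet 3 warns about the lookup, so write `case $::lsbdistcodename {`. In the monitor.pp hunk on the same line, `hiera('nodo::subsystem::monitor::use_nagios', True)` passes the bareword `True`, which Puppet treats as the string "True" rather than the boolean; the `!= false` guard still passes today, but any later `== true` test would not, so the default should be the lowercase `true`.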
@@ -0,0 +1,19 @@
+class nodo::subsystem::motd(
+ $network_name = hiera('nodo::motd::network_name', 'Nodo')
+) {
+ # http://projects.reductivelabs.com/issues/1915
+ file { "/var/run/motd":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => file,
+ content => "This is ${::fqdn} from the ${network_name}.\n",
+ }
+
+ file { "/etc/motd":
+ owner => "root",
+ group => "root",
+ ensure => "/var/run/motd",
+ require => File["/var/run/motd"],
+ }
+}
diff --git a/manifests/subsystem/mount.pp b/manifests/subsystem/mount.pp
new file mode 100644
index 0000000..4bf3d58
--- /dev/null
+++ b/manifests/subsystem/mount.pp
@@ -0,0 +1,15 @@
+class subsystem::mount {
+ class { autofs: }
+
+ file { '/etc/auto.removable':
+ source => [ "puppet:///modules/site_nodo/etc/${::fqdn}/auto.removable",
+ "puppet:///modules/site_nodo/etc/${::domain}/auto.removable",
+ "puppet:///modules/site_nodo/etc/auto.removable",
+ "puppet:///modules/nodo/etc/auto.removable.${::operatingssystem}",
+ "puppet:///modules/nodo/etc/auto.removable" ],
+ notify => Service[autofs],
+ owner => root,
+ group => root,
+ mode => 0644;
+ }
+}
diff --git a/manifests/subsystem/pam.pp b/manifests/subsystem/pam.pp
new file mode 100644
index 0000000..7186d0b
--- /dev/null
+++ b/manifests/subsystem/pam.pp
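Review bot: The mount.pp hunk on this line declares `class subsystem::mount {` instead of `nodo::subsystem::mount`, so the autoloader will not find it under manifests/subsystem/mount.pp and the name is out of step with every other class this commit adds. Its source list also interpolates `${::operatingssystem}` (double "s"); that fact does not exist, so the per-OS fallback path can never match — the fact is `operatingsystem`. Presumably `Service[autofs]` is meant to come from the `autofs` class declared just above; if that class does not declare the service, the `notify` will fail at catalog compile.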
@@ -0,0 +1,40 @@
+class nodo::subsystem::pam(
+ $enable = hiera('nodo::pam::enable', false)
+) {
+ if $enable != false {
+
+ # Squeeze only
+ if $::lsbdistcodename == 'squeeze' {
+ # pam - login
+ file { "/etc/pam.d/login":
+ source => [ "puppet:///modules/nodo/etc/pam.d/login.${::lsbdistcodename}",
+ "puppet:///modules/nodo/etc/pam.d/login",
+ ],
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # pam - gdm
+ file { "/etc/pam.d/gdm":
+ source => "puppet:///modules/nodo/etc/pam.d/gdm",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+ }
+
+ # pam - mountpoints
+ file { "/etc/security/pam_mount.conf.xml":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/site_nodo/security/pam_mount.conf.xml.${::lsbdistcodename}",
+ "puppet:///modules/site_nodo/security/pam_mount.conf.xml",
+ ],
+ }
+ }
+}
diff --git a/manifests/subsystem/profile.pp b/manifests/subsystem/profile.pp
new file mode 100644
index 0000000..b90ac65
--- /dev/null
+++ b/manifests/subsystem/profile.pp
@@ -0,0 +1,46 @@
+# Custom configuration for user profiles
+class nodo::subsystem::profile {
+ file { "/etc/screenrc":
+ source => "puppet:///modules/nodo/etc/screenrc",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # As of squeeze, custom configuration can be placed directly at
+ # /etc/profile.d, so in the future this file won't need to be
+ # managed by puppet anymore.
+ file { "/etc/profile":
+ source => [ "puppet:///modules/nodo/etc/profile.${::lsbdistcodename}",
+ "puppet:///modules/nodo/etc/profile",
+ ],
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ require => File['/usr/local/bin/prompt.sh'],
+ }
+
+ file { "/etc/bash.bashrc":
+ source => "puppet:///modules/nodo/etc/bash.bashrc",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ require => File['/usr/local/bin/prompt.sh'],
+ }
+
+ file { "/usr/local/bin/prompt.sh":
+ source => "puppet:///modules/nodo/bin/prompt.sh",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ }
+
+ # This is already being sourced by bash.bashrc.
+ file { "/etc/profile.d/prompt.sh":
+ ensure => absent,
+ }
+}
diff --git a/manifests/subsystem/resolver.pp b/manifests/subsystem/resolver.pp
new file mode 100644
index 0000000..46a03c6
--- /dev/null
+++ b/manifests/subsystem/resolver.pp
@@ -0,0 +1,27 @@
+class nodo::subsystem::resolver(
+ $manage = hiera('nodo::subsystem::resolver::manage', false),
+ $nameservers = hiera('nodo::subsystem::resolver::nameservers', ''),
+ $domain = hiera('nodo::subsystem::resolver::domain', $::domain),
+ $search = hiera('nodo::subsystem::resolver::search', $::fqdn)
+) {
+ # DNS resolver
+ case $manage {
+ true: {
+ package { 'resolvconf':
+ ensure => present,
+ }
+
+ file { '/etc/resolv.conf':
+ ensure => '/etc/resolvconf/run/resolv.conf',
+ require => Package['resolvconf'],
+ }
+ }
+ default: {
+ class { 'resolvconf':
+ domain => $domain,
+ search => $search,
+ nameservers => $nameservers,
+ }
+ }
+ }
+}
diff --git a/manifests/subsystem/ssh_folder.pp b/manifests/subsystem/ssh_folder.pp
new file mode 100644
index 0000000..1c6ee49
--- /dev/null
+++ b/manifests/subsystem/ssh_folder.pp
@@ -0,0 +1,11 @@
+# Base class
+class nodo::subsystem::ssh_folder {
+ if !defined(File["${home}/.ssh"]) {
+ file { "${home}/.ssh":
+ ensure => directory,
+ owner => $owner,
+ group => $group,
+ mode => 0700,
+ }
+ }
+}
diff --git a/manifests/subsystem/sudo.pp b/manifests/subsystem/sudo.pp
new file mode 100644
index 0000000..581f8ab
--- /dev/null
+++ b/manifests/subsystem/sudo.pp
@@ -0,0 +1,14 @@
+class nodo::subsystem::sudo {
+ package { "sudo":
+ ensure => "present",
+ }
+
+ file { "/etc/sudoers":
+ source => [ "puppet:///modules/site_nodo/etc/sudoers/${::hostname}",
+ "puppet:///modules/nodo/etc/sudoers" ],
+ owner => "root",
+ group => "root",
+ mode => 440,
+ require => Package["sudo"],
+ }
+}
diff --git a/manifests/subsystem/sysctl.pp b/manifests/subsystem/sysctl.pp
new file mode 100644
index 0000000..1df0348
--- /dev/null
+++ b/manifests/subsystem/sysctl.pp
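Review bot: nodo::subsystem::ssh_folder reads `$home`, `$owner` and `$group` without declaring them, so they resolve through dynamic scoping from whichever scope happened to include the class; when they are unset the managed path collapses to `/.ssh` owned by nobody in particular, and Puppet 3 removes dynamic variable scoping altogether. Since a class is evaluated once per catalog while a `.ssh` directory is per user, this is more naturally a define, `define nodo::subsystem::ssh_folder($home, $owner, $group) {`, with the `defined(File[...])` guard then becoming unnecessary. The `if !defined(...)` idiom is also order-dependent: whether it fires depends on which resource the parser reaches first.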
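Review bot: The sudo.pp hunk on this line replaces `/etc/sudoers` wholesale from a per-host or module source with no syntax check, and a malformed sudoers disables sudo for every administrator on that host at once; because the first source is selected by `${::hostname}`, one bad file under site_nodo does this to exactly one host. Check the candidate with `visudo -c -f` before it is put in place (the file type's validate_cmd does this where the Puppet version has it), and add `ensure => present,` so a missing file is an error rather than a no-op. `mode => 440` should also be written `0440` to match the octal form every other hunk uses; the bare form reads as decimal and invites mistakes when someone copies it.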
@@ -0,0 +1,55 @@
+class nodo::subsystem::sysctl {
+ # Root exploit fix, see http://wiki.debian.org/mmap_min_addr
+ # Maybe this can be remove in the future or included in a sysctl puppet module
+ file { "/etc/sysctl.d/mmap_min_addr.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "vm.mmap_min_addr = 4096\n",
+ }
+
+ # See http://www.linux-vserver.org/Frequently_Asked_Questions
+ file { "/etc/sysctl.d/net.ipv4.conf.all.promote_secondaries.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "net.ipv4.conf.all.promote_secondaries = 1\n",
+ }
+
+ exec { "/etc/init.d/procps restart":
+ subscribe => File["/etc/sysctl.d/mmap_min_addr.conf", "/etc/sysctl.d/net.ipv4.conf.all.promote_secondaries.conf"],
+ refreshonly => true,
+ }
+
+ $printk_levels = '3 4 1 3'
+
+ file { "/etc/sysctl.d/kernel.printk.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "kernel.printk = ${printk_levels}\n",
+ }
+
+ exec { "/bin/echo '${printk_levels}' > /proc/sys/kernel/printk":
+ subscribe => File["/etc/sysctl.d/kernel.printk.conf"],
+ refreshonly => true,
+ }
+}
+
+class sysctl::appliance($kernel_panic = hiera('nodo::sysctl::appliance', '20')) {
+ file { "/etc/sysctl.d/kernel.panic.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ content => "kernel.panic = ${kernel_panic}\n",
+ }
+
+ exec { "/bin/echo '${kernel_panic}' > /proc/sys/kernel/panic":
+ subscribe => File["/etc/sysctl.d/kernel.panic.conf"],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/subsystem/ups.pp b/manifests/subsystem/ups.pp
new file mode 100644
index 0000000..d304418
--- /dev/null
+++ b/manifests/subsystem/ups.pp
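Review bot: `exec { "/bin/echo '${printk_levels}' > /proc/sys/kernel/printk": ... }` depends on shell redirection, which the default posix exec provider does not promise to honour (it is documented as running the binary directly), so whether the value reaches the kernel depends on provider internals; `/sbin/sysctl -w kernel.printk='${printk_levels}'` applies the same setting with no shell involved, and the kernel.panic exec in the second class has the same shape. That second class is declared as `sysctl::appliance` in a file the autoloader maps to `nodo::subsystem::sysctl`, so it is only reachable if this file has already been parsed for the first class. On the hardening itself, `vm.mmap_min_addr = 4096` is a floor and many current kernels already default to 65536, so this file may lower the protection rather than raise it — confirm the intended value before shipping.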
@@ -0,0 +1,26 @@
+class nodo::subsystem::ups(
+ $include = hiera('nodo::subsystem::ups::include', false),
+ $type = hiera('nodo::subsystem::ups::type', 'usb'),
+ $cable = hiera('nodo::subsystem::ups::cable', 'usb'),
+ $dev = hiera('nodo::subsystem::ups::dev', '/dev/usb/hiddev0'),
+ $nisip = hiera('nodo::subsystem::ups::nisip', '127.0.0.1'),
+ $polltime = hiera('nodo::subsystem::ups::polltime', '60'),
+ $onbatterydelay = hiera('nodo::subsystem::ups::onbatterydelay', '6'),
+ $batterylevel = hiera('nodo::subsystem::ups::batterylevel', '5'),
+ $minutes = hiera('nodo::subsystem::ups::minutes', '3')
+) {
+ case $include {
+ true: {
+ class { "apcupsd":
+ upstype => $type,
+ cable => $cable,
+ device => $dev,
+ nisip => $nisip,
+ polltime => $polltime,
+ onbatterydelay => $onbatterydelay,
+ batterylevel => $batterylevel,
+ minutes => $minutes,
+ }
+ }
+ }
+}
diff --git a/manifests/subsystem/xorg.pp b/manifests/subsystem/xorg.pp
new file mode 100644
index 0000000..575ec69
--- /dev/null
+++ b/manifests/subsystem/xorg.pp
@@ -0,0 +1,13 @@
+class nodo::subsystem::xorg($enable = hiera('nodo::subsystem::xorg::enable', false)) {
+ if $xorg != false {
+ file { "/etc/X11/xorg.conf":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/site_nodo/X11/xorg.conf/${::hostname}.${::lsbdistcodename}",
+ "puppet:///modules/site_nodo/X11/xorg.conf/${::hostname}",
+ "puppet:///modules/site_nodo/X11/xorg.conf.default" ],
+ }
+ }
+}
diff --git a/manifests/subsystems/crypttab.pp b/manifests/subsystems/crypttab.pp
deleted file mode 100644
index 0a9a4d1..0000000
--- a/manifests/subsystems/crypttab.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class crypttab(
- $type,
- $manage = hiera('nodo::crypttab::manage', false)
-) {
- if $manage == true {
- file { "/etc/crypttab":
- source => "puppet:///modules/nodo/etc/crypttab/${type}",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- notify => Exec['update-initramfs'],
- }
- }
-}
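Review bot: In the xorg.pp hunk on this line the guard is `if $xorg != false {` but the class parameter is `$enable`; `$xorg` is never assigned, so the test is `undef != false`, which is true, and xorg.conf is managed on every node regardless of the hiera flag (or the compile fails where undefined variables are treated strictly). The guard should read `if $enable != false {`.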
diff --git a/manifests/subsystems/database.pp b/manifests/subsystems/database.pp
deleted file mode 100644
index beedfa6..0000000
--- a/manifests/subsystems/database.pp
+++ /dev/null
@@ -1,52 +0,0 @@
-class database {
- class { 'mysql::server': }
-
- # See http://www.smilecouple.org/2011/03/01/fix-out-of-resource-problem-with-mysql
- file { '/etc/security/limits.d/mysql.conf':
- ensure => absent,
- owner => root,
- group => root,
- mode => 0644,
- content => "mysql soft nofile 24000\nmysql hard nofile 32000\n",
- }
-
- # Avoid Errcode: 24
- file { '/etc/mysql/conf.d/mysqld_open_files_limit.cnf':
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- content => "[mysqld]\nopen-files-limit = 500000\n",
- notify => Service['mysql'],
- }
-
- backupninja::mysql { "all_databases":
- backupdir => '/var/backups/mysql',
- compress => true,
- sqldump => true,
- sqldumpoptions => '--lock-tables --complete-insert --add-drop-table --quick --quote-names --single-transaction',
- }
-
- # Database definitions
- define instance($password, $ensure = 'present', $privileges = "all") {
- include mysql::server
-
- mysql_database { "${name}":
- ensure => $ensure,
- require => Service['mysql'],
- }
-
- mysql_user { "${name}@%":
- ensure => $ensure,
- password_hash => mysql_password($password),
- require => Mysql_database["${name}"],
- }
-
- if $ensure == 'present' {
- mysql_grant { "${name}@%/${name}":
- privileges => $privileges,
- require => Mysql_user["${name}@%"],
- }
- }
- }
-}
diff --git a/manifests/subsystems/dhclient.pp b/manifests/subsystems/dhclient.pp
deleted file mode 100644
index 13e636e..0000000
--- a/manifests/subsystems/dhclient.pp
+++ /dev/null
@@ -1,17 +0,0 @@
-class dhclient(
- $ensure = hiera('nodo::dhclient::manage', 'present'),
- $supersede_domain = hiera('nodo::dhclient::supersede_domain', $::domain)
-) {
- package { 'isc-dhcp-client':
- ensure => $ensure,
- }
-
- file { '/etc/dhcp/dhclient.conf':
- ensure => $ensure,
- owner => root,
- group => root,
- mode => 0644,
- require => Package['isc-dhcp-client'],
- content => template('nodo/dhcp/dhclient.conf.erb'),
- }
-}
diff --git a/manifests/subsystems/domain.pp b/manifests/subsystems/domain.pp
deleted file mode 100644
index eb3551f..0000000
--- a/manifests/subsystems/domain.pp
+++ /dev/null
@@ -1,39 +0,0 @@
-# See
-# http://prefetch.net/code/domain-check
-# http://www.cyberciti.biz/tips/howto-monitor-domain-expiration-renew-date.html
-# http://www.cyberciti.biz/tips/domain-check-script.html
-class domain {
- file { "/usr/local/bin/domain-check":
- ensure => present,
- owner => "root",
- group => "root",
- mode => 755,
- source => "puppet://$server/modules/nodo/bin/domain-check",
- }
-
- define check($interval = '60', $email = 'root', $hour = '0',
- $minute = '0', $weekday = '0',
- $file = false, $ensure = present) {
-
- $cert_check = "/usr/local/bin/domain-check -a -q -x ${interval} -e ${email}"
-
- case $file {
- true: {
- $command = "$cert_check -f ${file}"
- }
- false, default: {
- $command = "$cert_check -d ${name}"
- }
- }
-
- cron { "domain-check-${name}":
- command => "$command >/dev/null 2>&1",
- user => root,
- hour => $hour,
- minute => $minute,
- weekday => $weekday,
- ensure => $ensure,
- require => File["/usr/local/bin/domain-check"],
- }
- }
-}
diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
deleted file mode 100644
index 221f281..0000000
--- a/manifests/subsystems/firewall.pp
+++ /dev/null
@@ -1,208 +0,0 @@
-# firewall definitions for physical servers
-class firewall(
- $local_net = hiera('nodo::firewall::local_net', false),
- $in_bandwidth = hiera('nodo::firewall::in_bandwidth', '2mbit'),
- $out_bandwidth = hiera('nodo::firewall::out_bandwidth', '2mbit'),
- $eth0_options = hiera('nodo::firewall::eth0_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians')
-) {
- class { 'shorewall': }
-
- $rfc1918 = $local_net ? {
- true => true,
- false => false,
- default => false,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { 'eth0':
- zone => '-',
- rfc1918 => $rfc1918,
- options => $eth0_options,
- }
-
- #
- # Policy
- #
- shorewall::policy { 'vm-net':
- sourcezone => 'vm',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => 1,
- }
-
- shorewall::policy { 'fw-net':
- sourcezone => '$FW',
- destinationzone => 'net',
- policy => 'ACCEPT',
- order => 2,
- }
-
- shorewall::policy { 'fw-vm':
- sourcezone => '$FW',
- destinationzone => 'vm',
- policy => 'ACCEPT',
- order => 3,
- }
-
- shorewall::policy { 'net-all':
- sourcezone => 'net',
- destinationzone => 'all',
- policy => 'DROP',
- order => 4,
- }
-
- shorewall::policy { 'all-all':
- sourcezone => 'all',
- destinationzone => 'all',
- policy => 'REJECT',
- order => 90,
- }
-
- #
- # Hosts
- #
- shorewall::host { "eth0-subnet":
- name => 'eth0:192.168.0.0/24',
- zone => 'vm',
- options => '',
- order => '1',
- }
-
- shorewall::host { "eth0":
- name => 'eth0:0.0.0.0/0',
- zone => 'net',
- options => '',
- order => '2',
- }
-
- shorewall::masq { "eth0":
- interface => 'eth0:!192.168.0.0/24',
- source => '192.168.0.0/24',
- order => '1',
- }
-
- #
- # Rules
- #
- shorewall::rule { 'ssh':
- action => 'SSH/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'ping':
- action => 'Ping/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit =>
'-',
- order => 101,
- }
-
- shorewall::rule { 'http':
- action => 'HTTP/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 102,
- }
-
- # SSL computational DoS mitigation
- # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
- shorewall::rule { 'https':
- action => 'HTTPS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 103,
- }
-
- $munin_port = $node_munin_port ? {
- '' => "4900",
- default => "$node_munin_port",
- }
-
- shorewall::rule { "munin":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "$munin_port",
- ratelimit => '-',
- order => 104,
- }
-
- #
- # Zones
- #
- shorewall::zone { 'vm':
- type => 'ipv4',
- order => '2',
- }
-
- shorewall::zone { 'net':
- type => 'ipv4',
- order => '3',
- }
-
- shorewall::zone { 'loc':
- type => 'ipv4',
- order => 4,
- }
-
- #
- # Traffic shapping
- #
- shorewall::tcdevices { "eth0":
- in_bandwidth => "$in_bandwidth",
- out_bandwidth => "$out_bandwidth",
- }
-
- shorewall::tcrules { "ssh-tcp":
- order => "1",
- source => "0.0.0.0/0",
- destination => "0.0.0.0/0",
- protocol => "tcp",
- ports => "22",
- }
-
- shorewall::tcrules { "ssh-udp":
- order => "1",
- source => "0.0.0.0/0",
- destination => "0.0.0.0/0",
- protocol => "udp",
- ports => "22",
- }
-
- shorewall::tcclasses { "ssh":
- order => "1",
- interface => "eth0",
- rate => "4*full/100",
- ceil => "full",
- priority => "1",
- }
-
- shorewall::tcclasses { "default":
- order => "2",
- interface => "eth0",
- rate => "6*full/100",
- ceil => "full",
- priority => "2",
- options => "default",
- }
-
- if $local_net == true {
- class { "firewall::local": }
- }
-}
diff --git a/manifests/subsystems/firewall/local.pp b/manifests/subsystems/firewall/local.pp
deleted file mode 100644
index f17680e..0000000
--- a/manifests/subsystems/firewall/local.pp
+++ /dev/null
@@ -1,47 +0,0 @@
-class firewall::local(
- $network = hiera('nodo::firewall::local::network', '192.168.1.0/24'),
- $interface = hiera('nodo::firewall::local::interface', 'eth0'),
- $manage_host = hiera('nodo::firewall::local::manage_host', True),
- $manage_interface = hiera('nodo::firewall::local::manage_iface', false)
-) {
-
- if $manage_host {
- shorewall::host { "$interface-loc":
- name => "$interface:$network",
- zone => 'loc',
- options => '',
- order => 3,
- }
- }
-
- if $manage_interface {
- shorewall::interface { "$interface":
- zone => 'loc',
- rfc1918 => true,
- dhcp => true,
- options => 'routeback',
- }
- }
-
- shorewall::policy { 'loc-all':
- sourcezone => 'loc',
- destinationzone => 'all',
- policy => 'ACCEPT',
- order => 5,
- }
-
- shorewall::policy { 'vm-loc':
- sourcezone => 'vm',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 6,
- }
-
- shorewall::policy { 'fw-loc':
- sourcezone => '$FW',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 7,
- }
-
-}
diff --git a/manifests/subsystems/firewall/mpd.pp b/manifests/subsystems/firewall/mpd.pp
deleted file mode 100644
index 5724952..0000000
--- a/manifests/subsystems/firewall/mpd.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-class firewall::mpd {
- # MPD http stream
- shorewall::rule { 'mpd-http-stream':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '8000',
- order => 200,
- action => 'ACCEPT';
- }
-
- # MPD client access
- shorewall::rule { 'mpd-daemon':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '6600',
- order => 200,
- action => 'ACCEPT';
- }
-}
diff --git a/manifests/subsystems/firewall/nas.pp b/manifests/subsystems/firewall/nas.pp
deleted file mode 100644
index c6eaf72..0000000
--- a/manifests/subsystems/firewall/nas.pp
+++ /dev/null
@@ -1,152 +0,0 @@
-class firewall::nas {
- # Basic firewall rules
- include shorewall::rules::ftp
- include shorewall::rules::tftp
- include shorewall::rules::http
- include shorewall::rules::nfsd
- include shorewall::rules::rsync
- include firewall::printer
- include firewall::torrent
- include firewall::mpd
-
- # Additional ports needed by NFS
- # Got using rpcinfo -p and netstat -ap
- shorewall::rule { 'nfs-1':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'nfs-2':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
- ratelimit => '-',
- order => 100,
- }
-
- # See http://www.shorewall.net/samba.htm
- shorewall::rule { 'samba':
- action => 'SMB/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'netbios-1':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '137,138,139',
- ratelimit => '-',
- order => 100,
- }
-
- shorewall::rule { 'netbios-2':
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '137,138,139',
- ratelimit => '-',
- order => 100,
- }
-
- # DLNA
- #
- # https://wiki.archlinux.org/index.php/MiniDLNA
- # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
- # http://wiki.alpinelinux.org/wiki/IPTV_How_To
- # http://mediatomb.cc/dokuwiki/faq:faq
- # http://packages.debian.org/wheezy/djmount
- # http://packages.debian.org/wheezy/gupnp-tools
- #
- # Optional:
- #
- # http://www.shorewall.net/UPnP.html
- #
- # linux-igd package
- # /etc/default/linux-igd
- # /etc/upnpd.conf
-
- shorewall::rule { "dlna-1":
- action => 'ACCEPT',
-
source => 'net',
- destination => '$FW',
- proto => 'tcp,udp',
- destinationport => "1900",
- ratelimit => '-',
- order => 102,
- }
-
- shorewall::rule { "dlna-2":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp,udp',
- destinationport => "8200",
- ratelimit => '-',
- order => 103,
- }
-
- shorewall::rule { "dlna-3":
- action => 'allowinUPnP',
- source => 'net',
- destination => '$FW',
- order => 104,
- }
-
- shorewall::rule { "dlna-4":
- action => 'forwardUPnP',
- source => 'net',
- destination => '$FW',
- order => 105,
- }
-
- # Enable multicast
- augeas { 'enable_multicast':
- changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall];
- }
-
- # DAAP
- shorewall::rule { 'daap-1':
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => '3689',
- order => 300,
- action => 'ACCEPT';
- }
-
- shorewall::rule { 'daap-2':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '3689',
- order => 301,
- action => 'ACCEPT';
- }
-
- # Avahi/mDNS
- shorewall::rule { 'mdns':
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => '5353',
- order => 400,
- action => 'ACCEPT';
- }
-}
diff --git a/manifests/subsystems/firewall/openvpn.pp b/manifests/subsystems/firewall/openvpn.pp
deleted file mode 100644
index 2d3e6d1..0000000
--- a/manifests/subsystems/firewall/openvpn.pp
+++ /dev/null
@@ -1,36 +0,0 @@
-class firewall::openvpn {
- shorewall::zone { 'vpn':
- type => 'ipv4',
- order => 4,
- }
-
- shorewall::interface { 'tun0':
- zone => 'vpn',
- }
-
- shorewall::policy { 'loc-vpn':
- sourcezone => 'loc',
- destinationzone => 'vpn',
- policy => 'ACCEPT',
- order => 20,
- }
-
- shorewall::policy { 'vpn-loc':
- sourcezone => 'vpn',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 21,
- }
-
- shorewall::policy { 'fw-vpn':
- sourcezone => '$FW',
- destinationzone => 'vpn',
- policy => 'ACCEPT',
- order => 22,
- }
-
- shorewall::tunnel { 'openvpn':
- tunnel_type => 'openvpnclient',
- zone => 'net',
- }
-}
diff --git a/manifests/subsystems/firewall/ppp.pp b/manifests/subsystems/firewall/ppp.pp
deleted file mode 100644
index 3082e92..0000000
--- a/manifests/subsystems/firewall/ppp.pp
+++ /dev/null
@@ -1,31 +0,0 @@
-class firewall::ppp {
- shorewall::zone { 'ppp':
- type => 'ipv4',
- order => 4,
- }
-
- shorewall::interface { 'ppp0':
- zone => 'ppp',
- }
-
- shorewall::policy { 'loc-ppp':
- sourcezone => 'loc',
- destinationzone => 'ppp',
- policy => 'ACCEPT',
- order => 30,
- }
-
- shorewall::policy { 'ppp-loc':
- sourcezone => 'ppp',
- destinationzone => 'loc',
- policy => 'ACCEPT',
- order => 31,
- }
-
- shorewall::policy { 'fw-ppp':
- sourcezone => '$FW',
- destinationzone => 'ppp',
- policy => 'ACCEPT',
- order => 32,
- }
-}
diff --git a/manifests/subsystems/firewall/printer.pp b/manifests/subsystems/firewall/printer.pp
deleted file mode 100644
index b44f65a..0000000
--- a/manifests/subsystems/firewall/printer.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-class firewall::printer {
- shorewall::rule { "cups-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "631",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "cups-udp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => "631",
- ratelimit => '-',
- order => 201,
- }
-}
diff --git a/manifests/subsystems/firewall/redirect.pp b/manifests/subsystems/firewall/redirect.pp
deleted file mode 100644
index 7a9734a..0000000
--- a/manifests/subsystems/firewall/redirect.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class firewall::redirect::ssh($destinationport) {
- # When the box is in an internal network and we want to provide
- # and external access through a shared real IP, we have to
- # redirect requests coming from another port to port 22.
- shorewall::rule { "ssh-redirect-1":
- action => 'DNAT',
- source => 'net',
- destination => "fw:$ipaddress:22",
- proto => 'tcp',
- destinationport => $destinationport,
- ratelimit => '-',
- order => $destinationport,
- }
-}
diff --git a/manifests/subsystems/firewall/router.pp b/manifests/subsystems/firewall/router.pp
deleted file mode 100644
index 7fa2db3..0000000
--- a/manifests/subsystems/firewall/router.pp
+++ /dev/null
@@ -1,401 +0,0 @@
-class firewall::router::http($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 601,
- }
-}
-
-class firewall::router::https($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- ratelimit => '-',
- order => 602,
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 602,
- }
-}
-
-class firewall::router::puppetmaster($destination, $puppetmaster_port = '8140',
- $puppetmaster_nonssl_port = '8141', $zone = 'loc',
- $originaldest = $ipaddress) {
- shorewall::rule { 'puppetmaster-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- ratelimit => '-',
- order => 700,
- }
-
- shorewall::rule { 'puppetmaster-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- ratelimit => '-',
- order => 701,
- }
-
- shorewall::rule { 'puppetmaster-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 702,
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 703,
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => 704,
- }
-
- shorewall::rule { 'puppetmaster-6':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => 705,
- }
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 706,
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 707,
- }
-}
-
-class firewall::router::gitd($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- ratelimit => '-',
- order => 800,
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 801,
- }
-}
-
-class firewall::router::icecast($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => 900,
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 901,
- }
-}
-
-class firewall::router::mail($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- ratelimit => '-',
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- ratelimit => '-',
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 1005,
- }
-}
-
-define firewall::router::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'loc',
- $originaldest = $ipaddress) {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => "2$port_orig",
- }
-}
-
-define firewall::router::munin($destination, $port_orig, $port_dest = '', $zone = 'loc',
- $order = '400', $originaldest = $ipaddress) {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => $order,
- }
-}
-
-class firewall::router::torrent($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { "torrent-tcp-1":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination",
- proto => 'tcp',
- destinationport => "6881:6999",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "torrent-tcp-2":
- action => 'DNAT',
- source => 'all',
- destination => "$zone:$destination",
- proto => 'tcp',
- destinationport => "6881:6999",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "torrent-udp-1":
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination",
- proto => 'udp',
- destinationport => "6881:6999",
- ratelimit => '-',
- order => 201,
- }
-
- shorewall::rule { "torrent-udp-2":
- action => 'DNAT',
- source => 'all',
- destination => "$zone:$destination",
- proto => 'udp',
- destinationport => "6881:6999",
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 201,
- }
-}
-
-class firewall::router::gobby($destination, $zone = 'loc', $originaldest = $ipaddress) {
- shorewall::rule { 'gobby-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'gobby-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- originaldest => "$originaldest",
- ratelimit => '-',
- order => 601,
- }
-}
-
-# See http://www.shorewall.net/FAQ.htm#faq2
-define firewall::router::hairpinning($order = '5000', $proto = 'tcp', $port = 'www',
- $external_ip = '$ETH0_IP', $interface = 'eth1',
- $destination = '192.168.1.100', $source = 'eth1',
- $source_zone = 'loc', $dest_zone = 'loc',
- $port_dest = '') {
- shorewall::masq { "routeback-$name":
- interface => "$interface:$destination",
- source => $source,
- address => $external_ip,
- proto => $proto,
- port => $port,
- order => $order,
- }
-
- shorewall::rule { "routeback-$name":
- action => 'DNAT',
- source => $source_zone,
- destination => $port_dest ? {
- '' => "$dest_zone:$destination",
- default => "$dest_zone:$destination:$port_dest",
- },
- proto => $proto,
- destinationport => $port,
- ratelimit => '-',
- order => $order,
- originaldest => $external_ip,
- }
-}
diff --git a/manifests/subsystems/firewall/torrent.pp b/manifests/subsystems/firewall/torrent.pp
deleted file mode 100644
index 2dc8451..0000000
--- a/manifests/subsystems/firewall/torrent.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-class firewall::torrent {
- shorewall::rule { "torrent-tcp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "6881:6999",
- ratelimit => '-',
- order => 200,
- }
-
- shorewall::rule { "torrent-udp":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'udp',
- destinationport => "6881:6999",
- ratelimit => '-',
- order => 201,
- }
-}
diff --git a/manifests/subsystems/firewall/ups.pp b/manifests/subsystems/firewall/ups.pp
deleted file mode 100644
index 042fcdc..0000000
--- a/manifests/subsystems/firewall/ups.pp
+++ /dev/null
@@ -1,11 +0,0 @@
-class firewall::ups {
- shorewall::rule { "ups":
- action => 'ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => 'tcp',
- destinationport => "3551",
- ratelimit => '-',
- order => 200,
- }
-}
diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
deleted file mode 100644
index 702acc9..0000000
--- a/manifests/subsystems/firewall/vserver.pp
+++ /dev/null
@@ -1,524 +0,0 @@
-class firewall::vserver::http($destination, $zone = 'vm') {
- shorewall::rule { 'http-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- ratelimit => '-',
- order => 600,
- }
-
- shorewall::rule { 'http-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:80",
- proto => 'tcp',
- destinationport => '80',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 601,
- }
-}
-
-class firewall::vserver::https($destination, $zone = 'vm') {
- shorewall::rule { 'https-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 602,
- }
-
- shorewall::rule { 'https-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:443",
- proto => 'tcp',
- destinationport => '443',
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 602,
- }
-}
-
-class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140', $puppetmaster_nonssl_port = '8141', $zone = 'fw') {
- shorewall::rule { 'puppetmaster-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 700,
- }
-
- shorewall::rule { 'puppetmaster-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 701,
- }
-
- shorewall::rule { 'puppetmaster-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 702,
- }
-
- shorewall::rule { 'puppetmaster-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_port",
- proto => 'udp',
- destinationport => "$puppetmaster_port",
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 703,
- }
-
- shorewall::rule { 'puppetmaster-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => 704,
- }
-
- shorewall::rule { 'puppetmaster-6':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- ratelimit => '-',
- order => 705,
- }
-
- shorewall::rule { 'puppetmaster-7':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'tcp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 706,
- }
-
- shorewall::rule { 'puppetmaster-8':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:$puppetmaster_nonssl_port",
- proto => 'udp',
- destinationport => "$puppetmaster_nonssl_port",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 707,
- }
-}
-
-class firewall::vserver::gitd($destination, $zone = 'fw') {
- shorewall::rule { 'git-daemon-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- ratelimit => '-',
- order => 800,
- }
-
- shorewall::rule { 'git-daemon-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9418",
- proto => 'tcp',
- destinationport => '9418',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 801,
- }
-}
-
-class firewall::vserver::icecast($destination, $zone = 'fw') {
- shorewall::rule { 'icecast-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- ratelimit => '-',
- order => 900,
- }
-
- shorewall::rule { 'icecast-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:8000",
- proto => 'tcp',
- destinationport => '8000',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 901,
- }
-}
-
-class firewall::vserver::mail($destination, $zone = 'fw') {
- shorewall::rule { 'mail-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- ratelimit => '-',
- order => 1000,
- }
-
- shorewall::rule { 'mail-2':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:25",
- proto => 'tcp',
- destinationport => '25',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 1001,
- }
-
- shorewall::rule { 'mail-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1002,
- }
-
- shorewall::rule { 'mail-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:993",
- proto => 'tcp',
- destinationport => '993',
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1003,
- }
-
- shorewall::rule { 'mail-5':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1004,
- }
-
- shorewall::rule { 'mail-6':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:587",
- proto => 'tcp',
- destinationport => '587',
- originaldest => "$ipaddress",
- ratelimit => hiera("nodo::firewall::ssl_ratelimit", '-'),
- order => 1005,
- }
-}
-
-define firewall::vserver::ssh($destination, $port_orig = '22', $port_dest = '', $zone = 'vm') {
- shorewall::rule { "ssh-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => "2$port_orig",
- }
-
- shorewall::rule { "ssh-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "fw:$destination",
- default => "fw:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => "2$port_orig",
- }
-}
-
-define firewall::vserver::munin($destination, $port_orig, $port_dest = '', $order = '400', $zone = 'fw') {
- shorewall::rule { "munin-$name-1":
- action => 'DNAT',
- source => 'net',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- ratelimit => '-',
- order => $order,
- }
-
- shorewall::rule { "munin-$name-2":
- action => 'DNAT',
- source => '$FW',
- destination => $port_dest ? {
- '' => "$zone:$destination",
- default => "$zone:$destination:$port_dest",
- },
- proto => 'tcp',
- destinationport => "$port_orig",
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => $order,
- }
-}
-
-class firewall::vserver::dns($destination, $zone = 'vm') {
- shorewall::rule { 'dns-route-0':
- action => 'DNS/ACCEPT',
- source => 'net',
- destination => '$FW',
- proto => '-',
- destinationport => '-',
- ratelimit => '-',
- order => 2000,
- }
-
- shorewall::rule { 'dns-route-1':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:53",
- proto => 'tcp',
- destinationport => '53',
- ratelimit => '-',
- order => 2001,
- }
-
- shorewall::rule { 'dns-route-2':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:53",
- proto => 'tcp',
- destinationport => '53',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2002,
- }
-
- shorewall::rule { 'dns-route-3':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:53",
- proto => 'udp',
- destinationport => '53',
- ratelimit => '-',
- order => 2003,
- }
-
- shorewall::rule { 'dns-route-4':
- action => 'DNAT',
- source => '$FW',
- destination => "fw:$destination:53",
- proto => 'udp',
- destinationport => '53',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2004,
- }
-}
-
-class firewall::vserver::tor($destination, $zone = 'fw') {
- shorewall::rule { 'tor-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- ratelimit => '-',
- order => 2100,
- }
-
- shorewall::rule { 'tor-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9001",
- proto => 'tcp',
- destinationport => '9001',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2101,
- }
-
- shorewall::rule { 'tor-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:9030",
- proto => 'tcp',
- destinationport => '9030',
- ratelimit => '-',
- order => 2102,
- }
-
- shorewall::rule { 'tor-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:9030",
- proto => 'tcp',
- destinationport => '9030',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2103,
- }
-}
-
-class firewall::vserver::jabber($destination, $zone = 'fw') {
- shorewall::rule { 'jabber-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5222",
- proto => 'tcp',
- destinationport => '5222',
- ratelimit => '-',
- order => 2200,
- }
-
- shorewall::rule { 'jabber-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:5223",
- proto => 'tcp',
- destinationport => '5223',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2201,
- }
-
- shorewall::rule { 'jabber-2':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5269",
- proto => 'tcp',
- destinationport => '5269',
- ratelimit => '-',
- order => 2202,
- }
-
- shorewall::rule { 'jabber-3':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:4369",
- proto => 'tcp',
- destinationport => '4369',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2203,
- }
-
- shorewall::rule { 'jabber-4':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:4370",
- proto => 'tcp',
- destinationport => '4370:4375',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2204,
- }
-}
-
-class firewall::vserver::mumble($destination, $zone = 'fw') {
- shorewall::rule { 'mumble-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:64738",
- proto => 'tcp',
- destinationport => '64738',
- ratelimit => '-',
- order => 2300,
- }
-
- shorewall::rule { 'mumble-1':
- action => 'DNAT',
- source => '$FW',
- destination => "$zone:$destination:64738",
- proto => 'udp',
- destinationport => '64738',
- originaldest => "$ipaddress",
- ratelimit => '-',
- order => 2301,
- }
-}
-
-class firewall::vserver::gobby($destination, $zone = 'fw') {
- shorewall::rule { 'gobby-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:6523",
- proto => 'tcp',
- destinationport => '6523',
- ratelimit => '-',
- order => 2400,
- }
-}
-
-class firewall::vserver::yacy($destination, $zone = 'fw') {
- shorewall::rule { 'yacy-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:8090",
- proto => 'tcp',
- destinationport => '8090',
- ratelimit => '-',
- order => 2500,
- }
-}
-
-class firewall::vserver::rsync($destination, $zone = 'fw') {
- shorewall::rule { 'rsync-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:873",
- proto => 'tcp',
- destinationport => '873',
- ratelimit => '-',
- order => 2600,
- }
-}
-
-class firewall::vserver::mdns($destination, $zone = 'fw') {
- shorewall::rule { 'mdns-0':
- action => 'DNAT',
- source => 'net',
- destination => "$zone:$destination:5353",
- proto => 'tcp',
- destinationport => '5353',
- ratelimit => '-',
- order => 2700,
- }
-}
diff --git a/manifests/subsystems/firewall/wifi.pp b/manifests/subsystems/firewall/wifi.pp
deleted file mode 100644
index 161d402..0000000
--- a/manifests/subsystems/firewall/wifi.pp
+++ /dev/null
@@ -1,50 +0,0 @@
-class firewall::wifi {
- $rfc1918 = $shorewall_local_net ? {
- true => true,
- false => false,
- default => false,
- }
-
- # Default device depends if madwifi or
- # built-in kernel driver is being used
- $wifi_default_device = $lsbdistcodename ? {
- 'lenny' => 'ath0',
- default => 'wlan0',
- }
-
- $wifi_dev = $wifi_device ? {
- '' => $wifi_default_device,
- default => $wifi_device,
- }
-
- #
- # Interfaces
- #
- shorewall::interface { "$wifi_dev":
- zone => '-',
- rfc1918 => $rfc1918,
- }
-
- #
- # Hosts
- #
- shorewall::host { "$wifi_dev-subnet":
- name => "$wifi_dev:192.168.0.0/24",
- zone => 'vm',
- options => '',
- order => 1,
- }
-
- shorewall::host { "$wifi_dev":
- name => "$wifi_dev:0.0.0.0/0",
- zone => 'net',
- options => '',
- order => 2,
- }
-
- shorewall::masq { "$wifi_dev":
- interface => "$wifi_dev:!192.168.0.0/24",
- source => '192.168.0.0/24',
- order => 1,
- }
-}
diff --git a/manifests/subsystems/firewire.pp b/manifests/subsystems/firewire.pp
deleted file mode 100644
index 088e194..0000000
--- a/manifests/subsystems/firewire.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class firewire {
- # make sure ohci1394 is not loaded
- # see http://padrao.sarava.org/trac/wiki/Debian/Firewire
- # see also the modprobe class
- exec { "rmmod ohci1394":
- unless => "/bin/sh -c 'if `grep -q ^ohci1394 /proc/modules`; then false; else true; fi'",
- user => "root",
- }
-}
diff --git a/manifests/subsystems/fstab.pp b/manifests/subsystems/fstab.pp
deleted file mode 100644
index c6f2ecd..0000000
--- a/manifests/subsystems/fstab.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class fstab(
- $type,
- $manage = hiera('nodo::fstab::manage', false)
-) {
- if $manage == true {
- file { "/etc/fstab":
- source => "puppet:///modules/nodo/etc/fstab/${type}",
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- notify => Exec['update-initramfs'],
- }
- }
-}
diff --git a/manifests/subsystems/gdm.pp b/manifests/subsystems/gdm.pp
deleted file mode 100644
index 8e7cefc..0000000
--- a/manifests/subsystems/gdm.pp
+++ /dev/null
@@ -1,85 +0,0 @@
-class gdm {
- package { 'gdm':
- ensure => installed,
- }
-
- service { 'gdm':
- ensure => running,
- require => Package['gdm'],
- }
-
- exec { '/usr/sbin/dpkg-reconfigure gdm':
- subscribe => File['/etc/gdm/gdm.conf'],
- user => root,
- group => root,
- refreshonly => true,
- require => Service['gdm'],
- }
-
- file { '/etc/gdm/gdm.conf':
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- source => [ "puppet:///modules/site_nodo/etc/gdm/${::domain}/gdm.conf",
- "puppet:///modules/nodo/etc/gdm/gdm.conf", ]
- }
-
- file { '/usr/share/gdm/themes/crunchbang':
- ensure => directory,
- recurse => true,
- purge => true,
- force => true,
- owner => "root",
- group => "root",
- # This mode will also apply to files from the source directory
- mode => 0644,
- # Puppet will automatically set +x for directories
- source => 'puppet:///modules/nodo/etc/gdm/themes/crunchbang',
- }
-
- file { '/usr/share/gdm/themes/Tuxtastic':
- ensure => directory,
- recurse => true,
- purge => true,
- force => true,
- owner => "root",
- group => "root",
- # This mode will also apply to files from the source directory
- mode => 0644,
- # Puppet will automatically set +x for directories
- source => 'puppet:///modules/nodo/etc/gdm/themes/Tuxtastic',
- }
-
- file { '/usr/share/gdm/themes/dasUberMini':
- ensure => directory,
- recurse => true,
- purge => true,
- force => true,
- owner => "root",
- group => "root",
- # This mode will also apply to files from the source directory
- mode => 0644,
- # Puppet will automatically set +x for directories
- source => 'puppet:///modules/nodo/etc/gdm/themes/dasUberMini',
- }
-}
-
-class gdm::disabled inherits gdm {
- File['/usr/share/gdm/themes/dasUberMini', '/usr/share/gdm/themes/Tuxtastic',
- '/usr/share/gdm/themes/crunchbang', '/etc/gdm/gdm.conf' ] {
- ensure => absent,
- }
-
- Exec['/usr/sbin/dpkg-reconfigure gdm'] {
- command => '/bin/true',
- }
-
- Service['gdm'] {
- ensure => stopped,
- }
-
- Package['gdm'] {
- ensure => absent,
- }
-}
diff --git a/manifests/subsystems/gdm3.pp b/manifests/subsystems/gdm3.pp
deleted file mode 100644
index 0dfda11..0000000
--- a/manifests/subsystems/gdm3.pp
+++ /dev/null
@@ -1,20 +0,0 @@
-class gdm3 {
- package { 'gdm3':
- ensure => installed,
- }
-
- service { 'gdm3':
- ensure => running,
- require => Package['gdm3'],
- }
-
- file { '/etc/gdm3/greeter.gsettings':
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- notify => Service['gdm3'],
- source => [ "puppet:///modules/site_nodo/etc/gdm3/${::domain}/greeter.gseetings",
- "puppet:///modules/nodo/etc/gdm3/greeter.gsettings", ]
- }
-}
diff --git a/manifests/subsystems/hosts.pp b/manifests/subsystems/hosts.pp
deleted file mode 100644
index 9453853..0000000
--- a/manifests/subsystems/hosts.pp
+++ /dev/null
@@ -1,60 +0,0 @@
-class hosts(
- $custom = hiera('nodo::hosts::custom', false)
-) {
- # Sometimes might be useful to manage the whole
- # hosts file, see http://projects.puppetlabs.com/issues/10704
- case $custom {
- true: {
- file { '/etc/hosts':
- ensure => present,
- owner => root,
- group => root,
- mode => 0640,
- source => "puppet:///modules/site_nodo/hosts/${::fqdn}",
- }
- }
- default: {
- host { "${::hostname}":
- ensure => present,
- ip => "${::ipaddress}",
- host_aliases => [ "${::fqdn}" ],
- }
-
- host { "localhost":
- ensure => present,
- ip => "127.0.0.1",
- }
-
- host { "ip6-localhost":
- ensure => present,
- ip => "::1",
- host_aliases => [ "ip6-loopback" ],
- }
-
- host { "ip6-localnet":
- ensure => present,
- ip => "fe00::0",
- }
-
- host { "ip6-mcastprefix":
- ensure => present,
- ip => "ff00::0",
- }
-
- host { "ip6-allnodes":
- ensure => present,
- ip => "ff02::1",
- }
-
- host { "ip6-allrouters":
- ensure => present,
- ip => "ff02::2",
- }
-
- host { "ip6-allhosts":
- ensure => present,
- ip => "ff02::3",
- }
- }
- }
-}
diff --git a/manifests/subsystems/initramfs.pp b/manifests/subsystems/initramfs.pp
deleted file mode 100644
index 17296a2..0000000
--- a/manifests/subsystems/initramfs.pp
+++ /dev/null
@@ -1,39 +0,0 @@
-class initramfs(
- $keymap = hiera('nodo::initramfs::keymap', 'absent')
-) {
- # initramfs config
- file { "/etc/kernel-img.conf":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- content => "do_initrd = Yes\n",
- }
-
- # initramfs config
- file { "/etc/initramfs-tools/modules":
- owner => "root",
- group => "root",
- mode => 0644,
- ensure => present,
- source => "puppet:///modules/nodo/etc/initramfs-tools/modules",
- }
-
- # keymap
- file { "/etc/initramfs-tools/conf.d/keymap.conf":
- ensure => $keymap,
- content => "KEYMAP=Y\n",
- owner => "root",
- group => "root",
- mode => 0644,
- }
-
- # update initramfs when needed
- exec { "update-initramfs -v -t -u":
- subscribe => [ File["/etc/initramfs-tools/modules"],
- File["/etc/modprobe.d/blacklist"],
- File["/etc/initramfs-tools/conf.d/keymap.conf"] ],
- refreshonly => true,
- alias => 'update-initramfs',
- }
-}
diff --git a/manifests/subsystems/keyboard.pp b/manifests/subsystems/keyboard.pp
deleted file mode 100644
index 440f552..0000000
--- a/manifests/subsystems/keyboard.pp
+++ /dev/null
@@ -1,22 +0,0 @@
-class keyboard {
- # Keyboard, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619711
- file { "/etc/default/keyboard":
- ensure => present,
- owner => "root",
- group => "root",
- mode => 0644,
- source => "puppet:///modules/site_nodo/keyboard/${::hostname}"
- }
-
- package { 'console-common':
- ensure => present,
- }
-
- file { '/etc/console/boottime.kmap.gz':
- ensure => present,
- owner => "root",
- group => "root",
- mode => 0644,
- source => "puppet:///modules/site_nodo/console/boottime.kmap.gz.${::hostname}"
- }
-}
diff --git a/manifests/subsystems/locales.pp b/manifests/subsystems/locales.pp
deleted file mode 100644
index f52f100..0000000
--- a/manifests/subsystems/locales.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-class locales {
- package { "locales":
- ensure => installed,
- }
-
- file { "/etc/default/locale":
- source => [ "puppet:///modules/site_nodo/etc/default/locale",
- "puppet:///modules/nodo/etc/default/locale" ],
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- }
-
- file { "/etc/locale.gen":
- source => [ "puppet:///modules/site_nodo/etc/locale.gen",
- "puppet:///modules/nodo/etc/locale.gen" ],
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- }
-
- exec { "locale-gen":
- refreshonly => true,
- subscribe => File["/etc/locale.gen"],
- }
-}
diff --git a/manifests/subsystems/media.pp b/manifests/subsystems/media.pp
deleted file mode 100644
index cbe89b9..0000000
--- a/manifests/subsystems/media.pp
+++ /dev/null
@@ -1,38 +0,0 @@
-class media::folders(
- $ensure_cache = hiera('nodo::media::folders', directory)
-) {
- # Removable media folder
- file { [ "/media/usb", "/media/cdrom", "/media/tablet", "/media/phone" ]:
- ensure => directory,
- mode => 0755,
- }
-
- # Media cache
- file { "/var/cache/media":
- ensure => $ensure_cache,
- mode => 0755,
- }
-
- # Data folder is a cache
- file { "/var/data":
- ensure => "/var/cache/media",
- }
-
- # Hostname cache for general use
- file { "/var/cache/${::hostname}":
- ensure => directory,
- mode => 0755,
- }
-
- # Link to the media cache, useful to have unique remotes
- # for git-annex in removable media
- file { "/var/cache/${::hostname}/media":
- ensure => "/var/cache/media",
- }
-}
-
-class media::groups {
- group { 'incoming':
- ensure => 'present',
- }
-}
diff --git a/manifests/subsystems/modprobe.pp b/manifests/subsystems/modprobe.pp
deleted file mode 100644
index 99f7879..0000000
--- a/manifests/subsystems/modprobe.pp
+++ /dev/null
@@ -1,28 +0,0 @@ -class modprobe { - # keep firewire disabled among other things - case $lsbdistcodename { - 'lenny': { - file { "/etc/modprobe.d/blacklist": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - source => "puppet:///modules/nodo/etc/modprobe.d/blacklist.conf", - } - } - default: { - # upgrade from lenny - file { "/etc/modprobe.d/blacklist": - ensure => absent, - } - - file { "/etc/modprobe.d/blacklist.conf": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - source => "puppet:///modules/nodo/etc/modprobe.d/blacklist.conf", - } - } - } -} diff --git a/manifests/subsystems/monitor.pp b/manifests/subsystems/monitor.pp deleted file mode 100644 index 45608a9..0000000 --- a/manifests/subsystems/monitor.pp +++ /dev/null @@ -1,26 +0,0 @@ -class monitor( - $type = 'vserver', - $use_nagios = hiera('nodo::monitor::use_nagios', True), - $use_fqdn = hiera('nodo::monitor::use_nagios_fqdn', false) -) { - - if $use_nagios != false { - - if $type == 'vserver' { - include nagios::target::fqdn - nagios::service::ping { "${::fqdn}": } - } - - if $type == 'host' or $type == 'personal' { - if $use_fqdn == true { - include nagios::target::fqdn - } - else { - include nagios::target - } - nagios::service::ping { "${::fqdn}": } - } - - } - -} diff --git a/manifests/subsystems/monkeysphere.pp b/manifests/subsystems/monkeysphere.pp deleted file mode 100644 index b4b21e0..0000000 --- a/manifests/subsystems/monkeysphere.pp +++ /dev/null 
@@ -1,20 +0,0 @@ -define monkeysphere_host( - $port = hiera('nodo::monkeysphere_host::ssh_port', ''), - $mail_recipient = hiera('mail::root_mail_recipient', 'nobody') -) { - include monkeysphere - - # Ensure the server's ssh key is imported into your monkeysphere key ring - monkeysphere::import_key { "ssh": - port => $port, - } - - # TODO - # Currently we don't have a defined policy regarding whether - # to publish all our node keys to public keyservers, so leave - # automatic publishing disabled for now. - #monkeysphere::publish_server_keys { } - - # Email the server key - monkeysphere::email_server_keys { "$mail_recipient": } -} diff --git a/manifests/subsystems/motd.pp b/manifests/subsystems/motd.pp deleted file mode 100644 index f9ece2d..0000000 --- a/manifests/subsystems/motd.pp +++ /dev/null @@ -1,19 +0,0 @@ -class motd( - $network_name = hiera('nodo::motd::network_name', 'Nodo') -) { - # http://projects.reductivelabs.com/issues/1915 - file { "/var/run/motd": - owner => "root", - group => "root", - mode => 0644, - ensure => file, - content => "This is ${::fqdn} from the ${network_name}.\n", - } - - file { "/etc/motd": - owner => "root", - group => "root", - ensure => "/var/run/motd", - require => File["/var/run/motd"], - } -} diff --git a/manifests/subsystems/mount.pp b/manifests/subsystems/mount.pp deleted file mode 100644 index 3fcee58..0000000 --- a/manifests/subsystems/mount.pp +++ /dev/null @@ -1,15 +0,0 @@ -class mount { - class { autofs: } - - file { '/etc/auto.removable': - source => [ "puppet:///modules/site_nodo/etc/${::fqdn}/auto.removable", - "puppet:///modules/site_nodo/etc/${::domain}/auto.removable", - "puppet:///modules/site_nodo/etc/auto.removable", - "puppet:///modules/nodo/etc/auto.removable.${::operatingssystem}", - "puppet:///modules/nodo/etc/auto.removable" ], - notify => Service[autofs], - owner => root, - group => root, - mode => 0644; - } -} 
diff --git a/manifests/subsystems/munin.pp b/manifests/subsystems/munin.pp deleted file mode 100644 index 770d551..0000000 --- a/manifests/subsystems/munin.pp +++ /dev/null @@ -1,21 +0,0 @@ -# Define a munin node -define munin_node( - $port = hiera('nodo::munin_node::port', '4949'), - $allow = hiera('nodo::munin_node::allow', ''), - $host = hiera('nodo::munin_node::host', $::fqdn), - $listen = hiera('nodo::munin_node::listen', '*') -) { - - case $allow { - '': { fail("Please set nodo::munin_node::allow in your config") } - } - - class { 'munin::client': - port => $port, - allow => $allow, - host => $host, - listen => $listen, - } - - munin::plugin { apt_all: ensure => present; } -} diff --git a/manifests/subsystems/onion.pp b/manifests/subsystems/onion.pp deleted file mode 100644 index 64a41f8..0000000 --- a/manifests/subsystems/onion.pp +++ /dev/null 
@@ -1,54 +0,0 @@ -class onion { - class { 'tor::daemon': } - - # It's important to use a subdir from the tor datadir - # to ease backup/restore procedures as we don't mix - # hidden service data with other tor files. - file { "${tor::daemon::data_dir}/hidden": - ensure => directory, - owner => 'debian-tor', - group => 'debian-tor', - mode => 0700, - } -} - -class onion::socks inherits onion { - # Default tor daemon configuration - tor::daemon::socks { 'socks': - port => 9050, - listen_addresses => [ '127.0.0.1' ], - } -} - -class onion::freenode inherits onion::socks { - # Freenode via Tor - # http://freenode.net/irc_servers.shtml - # http://pthree.org/2010/01/31/freenode-ssl-and-sasl-authentication-with-irssi/ - # http://freenode.net/sasl/sasl-irssi.shtml - # https://wiki.archlinux.org/index.php/Tor - tor::daemon::map_address { 'freenode': - address => '10.40.40.40', - newaddress => 'p4fsi4ockecnea7l.onion', - } -} - -class onion::ssh { - tor::daemon::hidden_service { 'ssh': - ports => [ "22 127.0.0.1:22" ], - data_dir => "${tor::daemon::data_dir}/hidden", - ensure => present, - } -} - -class onion::full inherits onion::freenode { - include onion::ssh - - # Currently tor management just works for debian - case $::operatingsystem { - debian: { - include tor::polipo - } - default: { } - } - -} diff --git a/manifests/subsystems/pam.pp b/manifests/subsystems/pam.pp deleted file mode 100644 index 206a5c3..0000000 --- a/manifests/subsystems/pam.pp +++ /dev/null 
@@ -1,40 +0,0 @@ -class pam( - $enable = hiera('nodo::pam::enable', false) -) { - if $enable != false { - - # Squeeze only - if $::lsbdistcodename == 'squeeze' { - # pam - login - file { "/etc/pam.d/login": - source => [ "puppet:///modules/nodo/etc/pam.d/login.${::lsbdistcodename}", - "puppet:///modules/nodo/etc/pam.d/login", - ], - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # pam - gdm - file { "/etc/pam.d/gdm": - source => "puppet:///modules/nodo/etc/pam.d/gdm", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - } - - # pam - mountpoints - file { "/etc/security/pam_mount.conf.xml": - ensure => present, - owner => root, - group => root, - mode => 0644, - source => [ "puppet:///modules/site_nodo/security/pam_mount.conf.xml.${::lsbdistcodename}", - "puppet:///modules/site_nodo/security/pam_mount.conf.xml", - ], - } - } -} diff --git a/manifests/subsystems/profile.pp b/manifests/subsystems/profile.pp deleted file mode 100644 index cc84ae0..0000000 --- a/manifests/subsystems/profile.pp +++ /dev/null 
@@ -1,46 +0,0 @@ -# Custom configuration for user profiles -class profile { - file { "/etc/screenrc": - source => "puppet:///modules/nodo/etc/screenrc", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # As of squeeze, custom configuration can be placed directly at - # /etc/profile.d, so in the future this file won't need to be - # managed by puppet anymore. - file { "/etc/profile": - source => [ "puppet:///modules/nodo/etc/profile.${::lsbdistcodename}", - "puppet:///modules/nodo/etc/profile", - ], - owner => "root", - group => "root", - mode => 0644, - ensure => present, - require => File['/usr/local/bin/prompt.sh'], - } - - file { "/etc/bash.bashrc": - source => "puppet:///modules/nodo/etc/bash.bashrc", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - require => File['/usr/local/bin/prompt.sh'], - } - - file { "/usr/local/bin/prompt.sh": - source => "puppet:///modules/nodo/bin/prompt.sh", - owner => "root", - group => "root", - mode => 0644, - ensure => present, - } - - # This is already being sourced by bash.bashrc. - file { "/etc/profile.d/prompt.sh": - ensure => absent, - } -} diff --git a/manifests/subsystems/resolver.pp b/manifests/subsystems/resolver.pp deleted file mode 100644 index 94c9cb9..0000000 --- a/manifests/subsystems/resolver.pp +++ /dev/null @@ -1,27 +0,0 @@ -class resolver( - $manage = hiera('nodo::resolver::manage', false), - $nameservers = hiera('nodo::resolver::nameservers', ''), - $domain = hiera('nodo::resolver::domain', $::domain), - $search = hiera('nodo::resolver::search', $::fqdn) -) { - # DNS resolver - case $manage { - true: { - package { 'resolvconf': - ensure => present, - } - - file { '/etc/resolv.conf': - ensure => '/etc/resolvconf/run/resolv.conf', - require => Package['resolvconf'], - } - } - default: { - class { 'resolvconf': - domain => $domain, - search => $search, - nameservers => $nameservers, - } - } - } -} 
diff --git a/manifests/subsystems/schroot.pp b/manifests/subsystems/schroot.pp deleted file mode 100644 index 58d6dee..0000000 --- a/manifests/subsystems/schroot.pp +++ /dev/null @@ -1,26 +0,0 @@ -class schroot { - package { 'schroot': - ensure => installed, - } - - file { '/etc/schroot/default/fstab': - ensure => present, - owner => root, - group => root, - mode => 0644, - require => Package['schroot'], - source => [ "puppet:///modules/site_nodo/etc/schroot/default/${::fqdn}/fstab", - "puppet:///modules/nodo/etc/schroot/default/fstab" ] - } - - define instance($instance_type = 'plain', $description, $directory, $users, $groups, $aliases, $ensure = present) { - file { "/etc/schroot/chroot.d/${name}": - ensure => $ensure, - owner => root, - group => root, - mode => 0644, - require => Package['schroot'], - content => template('nodo/schroot/schroot.conf.erb'), - } - } -} diff --git a/manifests/subsystems/ssh.pp b/manifests/subsystems/ssh.pp deleted file mode 100644 index f15931d..0000000 --- a/manifests/subsystems/ssh.pp +++ /dev/null 
@@ -1,101 +0,0 @@ -# Base class -class ssh_folder { - if !defined(File["${home}/.ssh"]) { - file { "${home}/.ssh": - ensure => directory, - owner => $owner, - group => $group, - mode => 0700, - } - } -} - -# Manage ssh config for a particular user -define ssh_config($owner, $home = '/home/$owner', $ssh_localhost_auth = false) { - include ssh_folder - - file { "${home}/.ssh/config": - ensure => present, - owner => $owner, - group => $group, - mode => 0600, - require => File["${home}/.ssh"], - } - - # The NoHostAuthenticationForLocalhost ssh option might be useful - # for automated deployment environments so your ikiwiki user doesn't - # get stuck with the fingerprint confirmation prompt when pushing - # content via ssh in the first time it runs. - line { 'NoHostAuthenticationForLocalhost-${owner}': - file => "${home}/.ssh/config", - line => "NoHostAuthenticationForLocalhost yes", - ensure => $ssh_localhost_auth ? { - 'auto' => present, - 'fingerprint' => absent, - default => absent, - }, - } -} - -# Manage known_hosts for a particular user -define ssh_known_host($owner, $home = '/home/$owner', $ssh_localhost_auth = false) { - include ssh_folder - - file { "${home}/.ssh/known_hosts": - ensure => present, - owner => $owner, - group => $group, - mode => 0600, - require => File["${home}/.ssh"], - } - - # You can choose to include the host's fingeprints - # directly into the known_hosts file. - if $::sshrsakey != '' { - line { 'known_hosts-localhost-rsa-${owner}': - file => "${home}/.ssh/known_hosts", - line => "localhost ssh-rsa ${::sshrsakey}", - ensure => $ssh_localhost_auth ? { - 'fingerprint' => present, - 'auto' => undef, - default => undef, - }, - } - } - - if $::sshdsakey != '' { - line { 'known_hosts-localhost-dsa-${owner}': - file => "${home}/.ssh/known_hosts", - line => "localhost ssh-dss ${::sshdsakey}", - ensure => $ssh_localhost_auth ? 
{ - 'fingerprint' => present, - 'auto' => undef, - default => undef, - }, - } - } - - if $::sshecdsakey != '' { - line { 'known_hosts-localhost-ecdsa-${owner}': - file => "${home}/.ssh/known_hosts", - line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}", - ensure => $ssh_localhost_auth ? { - 'fingerprint' => present, - 'auto' => undef, - default => undef, - }, - } - } -} - -define ssh_create_key($owner, $group, $keyfile = 'id_rsa', $home = '/home/$owner') { - include ssh_folder - - exec { "ssh-keygen-${owner}": - command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/${keyfile}", - creates => "${home}/.ssh/${keyfile}", - user => $owner, - group => $group, - require => File["${home}/.ssh"], - } -} diff --git a/manifests/subsystems/sudo.pp b/manifests/subsystems/sudo.pp deleted file mode 100644 index 4ec615c..0000000 --- a/manifests/subsystems/sudo.pp +++ /dev/null @@ -1,15 +0,0 @@ -class sudo { - - package { "sudo": - ensure => "present", - } - - file { "/etc/sudoers": - source => [ "puppet:///modules/site_nodo/etc/sudoers/${::hostname}", - "puppet:///modules/nodo/etc/sudoers" ], - owner => "root", - group => "root", - mode => 440, - require => Package["sudo"], - } -} diff --git a/manifests/subsystems/sysctl.pp b/manifests/subsystems/sysctl.pp deleted file mode 100644 index e434008..0000000 --- a/manifests/subsystems/sysctl.pp +++ /dev/null 
@@ -1,55 +0,0 @@ -class sysctl { - # root exploit fix, see http://wiki.debian.org/mmap_min_addr - # TODO: remove in the future or use a sysctl puppet module - file { "/etc/sysctl.d/mmap_min_addr.conf": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - content => "vm.mmap_min_addr = 4096\n", - } - - # see http://www.linux-vserver.org/Frequently_Asked_Questions - file { "/etc/sysctl.d/net.ipv4.conf.all.promote_secondaries.conf": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - content => "net.ipv4.conf.all.promote_secondaries = 1\n", - } - - exec { "/etc/init.d/procps restart": - subscribe => File["/etc/sysctl.d/mmap_min_addr.conf", "/etc/sysctl.d/net.ipv4.conf.all.promote_secondaries.conf"], - refreshonly => true, - } - - $printk_levels = '3 4 1 3' - - file { "/etc/sysctl.d/kernel.printk.conf": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - content => "kernel.printk = ${printk_levels}\n", - } - - exec { "/bin/echo '${printk_levels}' > /proc/sys/kernel/printk": - subscribe => File["/etc/sysctl.d/kernel.printk.conf"], - refreshonly => true, - } -} - -class sysctl::appliance($kernel_panic = hiera('nodo::sysctl::appliance', '20')) { - file { "/etc/sysctl.d/kernel.panic.conf": - owner => "root", - group => "root", - mode => 0644, - ensure => present, - content => "kernel.panic = ${kernel_panic}\n", - } - - exec { "/bin/echo '${kernel_panic}' > /proc/sys/kernel/panic": - subscribe => File["/etc/sysctl.d/kernel.panic.conf"], - refreshonly => true, - } -} diff --git a/manifests/subsystems/tunnel.pp b/manifests/subsystems/tunnel.pp deleted file mode 100644 index 47384df..0000000 --- a/manifests/subsystems/tunnel.pp +++ /dev/null 
@@ -1,148 +0,0 @@ -# autossh tunnel interface -# -# TODO: User handling should be put somewhere. Here we are duplicating -# code from backupninja module. Further developments should consider -# have an unified user handling, maybe at puppet-user. -# -# For now, it's important to preserve the 'backupninja-' like tag -# otherwise the behavior of this code will conflict with backupninja -# and we'll see strange things like exported resources not being -# realized. - -# this define realizes all needed resources for a hosted tunnel -define tunnel_server_realize($host) { - User <<| tag == "backupninja-${host}" |>> - File <<| tag == "backupninja-${host}" |>> - Ssh_authorized_key <<| tag == "backupninja-${host}" |>> -} - -class tunnel { - - # collect all resources from hosted tunnels - Tunnel_server_realize <<| tag == "${::fqdn}" |>> - - define setup($ensure = present, $user = $hostname, $host, $localport, $hostport, $sshport = '22', $keytype = 'rsa', $root_mail_recipient = hiera('mail::root_mail_recipient', 'nobody')) { - $dir = "/var/backups/remote/${user}.${::domain}" - $tag = "backupninja-${::fqdn}" - $ssh_dir = "${dir}/.ssh" - - autossh::tunnel { $name: - ensure => $ensure, - user => 'root', - remote_user => $user, - port => $localport, - hostport => $hostport, - host => $host, - remote_host => $host, - sshport => $sshport, - } - - if !defined(Tunnel_server_realize["${::hostname}@${host}"]) { - # this defines just maps that $host host an user environment for $fdqn - @@tunnel_server_realize { "${::hostname}@${host}": - host => $::fqdn, - tag => $host, - } - } - - if !defined(File["${dir}"]) { - @@file { "${dir}": - ensure => directory, - mode => 0750, - owner => $user, - group => 0, - tag => "${tag}", - } - } - - if !defined(File["${ssh_dir}"]) { - @@file { "${ssh_dir}": - ensure => directory, - mode => 0700, - owner => $user, - group => 0, - require => [User[$user], File["${dir}"]], - tag => "${tag}", - } - } - - if !defined(File["${ssh_dir}/authorized_keys"]) { - 
@@file { "${ssh_dir}/authorized_keys": - ensure => present, - mode => 0644, - owner => 0, - group => 0, - source => "puppet:///modules/site_keys/${user}_id_${keytype}.pub", - require => File["${ssh_dir}"], - tag => "${tag}", - } - } - - if !defined(User["{$user}"]) { - @@user { "${user}": - ensure => "present", - comment => "${user} backup sandbox", - home => "${dir}", - gid => "backupninjas", - managehome => true, - shell => "/bin/sh", - password => '*', - require => Group['backupninjas'], - tag => "${tag}" - } - } - } - - define mail ($sshport = '22') { - package { "nullmailer": - ensure => installed, - } - - service { "nullmailer": - ensure => 'running', - require => Package['nullmailer'], - } - - file { "/etc/mailname": - ensure => present, - owner => root, - group => root, - mode => 0644, - content => "${::fqdn}\n", - notify => Service["nullmailer"], - } - - file { "/etc/nullmailer": - ensure => directory, - owner => root, - group => root, - mode => 0755, - } - - file { "/etc/nullmailer/remotes": - ensure => present, - owner => root, - group => root, - mode => 0644, - content => "localhost smtp --port=2525\n", - notify => Service["nullmailer"], - require => File["/etc/nullmailer"], - } - - file { "/etc/nullmailer/adminaddr": - ensure => present, - owner => root, - group => root, - mode => 0644, - content => "$root_mail_recipient\n", - require => File["/etc/nullmailer"], - } - - tunnel::setup { "smtp": - host => "${name}.${::domain}", - sshport => "${sshport}", - localport => '2525', - hostport => '25', - } - } -} diff --git a/manifests/subsystems/ups.pp b/manifests/subsystems/ups.pp deleted file mode 100644 index 184be46..0000000 --- a/manifests/subsystems/ups.pp +++ /dev/null 
@@ -1,26 +0,0 @@ -class ups( - $include = hiera('nodo::ups::include', false), - $type = hiera('nodo::ups::type', 'usb'), - $cable = hiera('nodo::ups::cable', 'usb'), - $dev = hiera('nodo::ups::dev', '/dev/usb/hiddev0'), - $nisip = hiera('nodo::ups::nisip', '127.0.0.1'), - $polltime = hiera('nodo::ups::polltime', '60'), - $onbatterydelay = hiera('nodo::ups::onbatterydelay', '6'), - $batterylevel = hiera('nodo::ups::batterylevel', '5'), - $minutes = hiera('nodo::ups::minutes', '3') -) { - case $include { - true: { - class { "apcupsd": - upstype => $type, - cable => $cable, - device => $dev, - nisip => $nisip, - polltime => $polltime, - onbatterydelay => $onbatterydelay, - batterylevel => $batterylevel, - minutes => $minutes, - } - } - } -} diff --git a/manifests/subsystems/utils.pp b/manifests/subsystems/utils.pp deleted file mode 100644 index 09487bd..0000000 --- a/manifests/subsystems/utils.pp +++ /dev/null @@ -1,36 +0,0 @@ -# Common utilities -class utils { - package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip', - 'nmap', 'telnet', 'tree', 'whois', 'dosfstools', 'dnsutils', 'logcheck-database', - 'bc', 'lsof', 'wipe', 'vrms', 'nsca-client', 'logcheck', 'vim-nox' ]: - ensure => installed, - } - - if !defined(Package['git-core']) { - package { 'git-core': - ensure => installed, - } - } - - # Editor alternative - file { "/etc/alternatives/editor": - ensure => "/usr/bin/vi", - owner => root, - group => root, - } - - # Ensure we have the minimum augeas version required by shorewall module - package { - 'libaugeas0': - ensure => $::lsbdistcodename ? { - 'squeeze' => '0.10.0-1~bpo60+3', - default => installed, - }; - 'augeas-tools': - ensure => $::lsbdistcodename ? { - 'squeeze' => '0.10.0-1~bpo60+3', - default => installed, - }, - require => Package['libaugeas0']; - } -} diff --git a/manifests/subsystems/utils/debian.pp b/manifests/subsystems/utils/debian.pp deleted file mode 100644 index be4b4ad..0000000 
--- a/manifests/subsystems/utils/debian.pp +++ /dev/null @@ -1,17 +0,0 @@ -class utils::personal::debian { - # System - package { [ 'libpam-mount', 'ecryptfs-utils', 'gawk', - 'laptop-detect', 'syslinux', 'ack-grep', 'mtp-tools' ]: - ensure => installed, - } - - # Misc - package { [ 'fortunes-br', 'recode', 'p7zip-full', 'funcoeszz', 'detox' ]: - ensure => installed, - } - - # Non-free, old, buggy or absent in newer releases - package { [ 'mtpfs', 'unrar', 'figlet' ]: - ensure => purged, - } -} diff --git a/manifests/subsystems/utils/desktop.pp b/manifests/subsystems/utils/desktop.pp deleted file mode 100644 index 22dd2ed..0000000 --- a/manifests/subsystems/utils/desktop.pp +++ /dev/null @@ -1,6 +0,0 @@ -# Common utilities for desktop -class utils::desktop { - package { 'cups': - ensure => installed, - } -} diff --git a/manifests/subsystems/utils/development.pp b/manifests/subsystems/utils/development.pp deleted file mode 100644 index 7d1e19a..0000000 --- a/manifests/subsystems/utils/development.pp +++ /dev/null @@ -1,28 +0,0 @@ -class utils::development { - # Development - package { [ 'debhelper', 'gitk', 'git-gui', 'subversion', 'python-stdeb', - 'fakeroot', 'dupload', 'autotools-dev', 'dh-make', 'doxygen', - 'tig', 'mercurial', 'exuberant-ctags', 'reportbug', 'debian-keyring', - 'devscripts', 'pbuilder', 'build-essential', 'pnopaste-cli', 'agave', - 'cdbs', 'dh-buildinfo', 'quilt', 'dpatch', 'dput', - 'bzr', 'debian-goodies', 'debirf', 'xorriso', 'dh-autoreconf', - 'unetbootin', 'git-buildpackage', 'gem2deb', 'python-setuptools', 'python-virtualenv', - 'ditz', 'mr', 'puppet-lint', 'kpartx', 'openocd' ]: - ensure => installed, - } - - include utils::storage::archive -} - -class utils::development::virtual { - package { 'vagrant': - ensure => $::lsbdistcodename ? { - 'squeeze' => absent, - default => present, - } - } - - package { [ 'virtualbox-guest-additions-iso', 'virtualbox-fuse', 'qemu', 'qemu-kvm' ]: - ensure => present, - } -} 
diff --git a/manifests/subsystems/utils/dns.pp b/manifests/subsystems/utils/dns.pp deleted file mode 100644 index 3c7c422..0000000 --- a/manifests/subsystems/utils/dns.pp +++ /dev/null @@ -1,5 +0,0 @@ -class utils::dns { - package { 'dnstop': - ensure => installed, - } -} diff --git a/manifests/subsystems/utils/firmware.pp b/manifests/subsystems/utils/firmware.pp deleted file mode 100644 index b0bf9ca..0000000 --- a/manifests/subsystems/utils/firmware.pp +++ /dev/null @@ -1,11 +0,0 @@ -class utils::firmware { - package { 'firmware-linux': - ensure => installed, - } -} - -class utils::firmware::realtek { - package { 'firmware-realtek': - ensure => installed, - } -} diff --git a/manifests/subsystems/utils/hamradio.pp b/manifests/subsystems/utils/hamradio.pp deleted file mode 100644 index e4ded0a..0000000 --- a/manifests/subsystems/utils/hamradio.pp +++ /dev/null @@ -1,5 +0,0 @@ -class utils::hamradio { - package { 'aldo': - ensure => present, - } -} diff --git a/manifests/subsystems/utils/interface.pp b/manifests/subsystems/utils/interface.pp deleted file mode 100644 index b19456d..0000000 --- a/manifests/subsystems/utils/interface.pp +++ /dev/null 
@@ -1,30 +0,0 @@ -class utils::interface { - # Interface - package { [ 'awesome', 'eterm', 'weather-util', 'gnome-terminal', 'conky', - 'xterm', 'bash-completion', 'tmux', 'xscreensaver', 'thunar', - 'mc', 'gtk-theme-switch', 'gtk-smooth-themes', 'rxvt', 'lxappearance', - 'xtitle', 'xclip', 'pcmanfm', 'awesome-extra', 'numlockx', - 'x11-apps' ]: - ensure => installed, - } - - # Old stuff - package { [ 'conkyforecast', 'fluxbox' ]: - ensure => absent, - } - - # Fonts - package { [ 'xfonts-terminus', 'ttf-bitstream-vera', 'ttf-inconsolata' ]: - ensure => installed, - } - - package { 'rxvt-unicode': - ensure => present, - # We need a workaround for this: - # http://packages.debian.org/search?keywords=screen&searchon=names&suite=all§ion=all&sourceid=mozilla-search - #name => $lsbdistcodename ? { - # 'squeeze' => 'rxvt-unicode', - # default => 'rxvt-unicode-256color', - #} - } -} diff --git a/manifests/subsystems/utils/java.pp b/manifests/subsystems/utils/java.pp deleted file mode 100644 index 15668c3..0000000 --- a/manifests/subsystems/utils/java.pp +++ /dev/null @@ -1,18 +0,0 @@ -class utils::java { - # Java - package { [ 'sun-java6-jre' ]: - ensure => absent, - } - - package { 'default-jre': - ensure => present, - } - - # Java alternative - file { "/etc/alternatives/java": - ensure => "/usr/lib/jvm/java-6-openjdk/jre/bin/java", - owner => root, - group => root, - require => Package['default-jre'], - } -} diff --git a/manifests/subsystems/utils/laptop.pp b/manifests/subsystems/utils/laptop.pp deleted file mode 100644 index 1f962d3..0000000 --- a/manifests/subsystems/utils/laptop.pp +++ /dev/null 
@@ -1,45 +0,0 @@ -# Common utilities for laptop -class utils::laptop { - case $::operatingsystem { - debian: { - include utils::laptop::debian - } - default: { } - } -} - -# Common utilities for debian laptops -class utils::laptop::debian { - package { [ 'cpufrequtils', 'module-assistant', 'wireless-tools', - 'wpasupplicant', 'ekiga', 'mumble', - 'revelation', 'arp-scan', 'usb-modeswitch', - 'iw', 'wvdial', 'wavemon', - 'btscanner', 'laptop-mode-tools', 'acpi-support', - 'tftp', 'sharutils', 'wireshark', - 'macchanger', 'weplab', 'wpagui', - 'gnokii' ]: - ensure => installed, - } - - # Wicd - package { [ 'wicd', 'wicd-curses', 'wicd-gtk' ]: - ensure => installed, - } - - # Wheezy specific packages - package { 'network-manager': - ensure => $::lsbdistcodename ? { - 'squeeze' => absent, - default => absent, - } - } - - # Squeeze specific packages - package { [ 'kismet' ]: - ensure => $::lsbdistcodename ? { - 'squeeze' => installed, - default => absent, - } - } - -} diff --git a/manifests/subsystems/utils/multimedia.pp b/manifests/subsystems/utils/multimedia.pp deleted file mode 100644 index 83bd70e..0000000 --- a/manifests/subsystems/utils/multimedia.pp +++ /dev/null 
@@ -1,67 +0,0 @@ -# Multimedia utilities -class utils::multimedia::studio { - package { [ 'ardour', 'hydrogen', ]: - ensure => installed, - } -} - -class utils::multimedia::ripper { - # CD writers and extractors - package { [ 'ripit', 'asunder', 'wodim', 'genisoimage', 'dvd+rw-tools' ]: - ensure => installed, - } -} - -class utils::multimedia { - # Multimedia - package { [ 'alsa-tools-gui', 'mp3blaster', 'alsa-utils', 'netpbm', - 'gqview', 'mpg123', 'audacious', 'qjackctl', - 'gimp', 'xine-ui', 'v4l-utils', 'inkscape', - 'easytag', 'gstreamer-tools', 'vlc', 'audacity', - 'opencubicplayer', 'youtube-dl', 'mencoder', 'libasound2-plugins', - 'cbrpager', 'llgal', 'darksnow', 'mplayer', - 'picard', 'ffmpeg2theora', 'oggfwd', 'jhead', - 'pavucontrol' ]: - ensure => installed, - } - - # Old stuff - package { [ 'flashplugin-nonfree', 'amarok', 'moc', 'cmus' ]: - ensure => purged, - } - - # Squeeze only - package { [ 'tucan', 'orpheus' ]: - ensure => $::lsbdistcodename ? { - 'squeeze' => installed, - default => purged, - } - } - - # Wheezy onwards - package { 'landell': - ensure => $::lsbdistcodename ? { - 'squeeze' => absent, - default => installed, - } - } - - # Flash - package { 'browser-plugin-gnash': - ensure => installed, - } - - # Flash alternative - file { "/etc/alternatives/flash-mozilla.so": - ensure => "/usr/lib/gnash/libgnashplugin.so", - owner => root, - group => root, - require => Package['flashplugin-nonfree'], - } -} - -class utils::multimedia::mediacenter { - package { [ 'xbmc', 'upnp-inspector', 'gupnp-tools' ]: - ensure => present, - } -} diff --git a/manifests/subsystems/utils/network.pp b/manifests/subsystems/utils/network.pp deleted file mode 100644 index 9c60341..0000000 --- a/manifests/subsystems/utils/network.pp +++ /dev/null 
@@ -1,146 +0,0 @@ -class utils::network::irssi { - package { [ 'irssi', 'bitlbee', 'irssi-scripts' ]: - ensure => installed, - } - - # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695150 - #package { 'irssi-plugin-otr': - # ensure => installed, - #} - - # These are needed by the cap_sasl.pl irssi plugin - package { [ 'libcrypt-blowfish-perl', 'libcrypt-dh-perl', 'libcrypt-openssl-bignum-perl' ]: - ensure => installed, - } - - # Not on wheezy - package { 'irssi-plugin-silc': - ensure => $::lsbdistcodename ? { - 'wheezy' => absent, - default => present, - } - } -} - -class utils::network::torrent { - package { [ 'rtorrent' ]: - ensure => installed, - } -} - -class utils::network::minimal { - include utils::network::irssi - include utils::network::torrent - - package { 'unison': - ensure => installed, - } - - # For backwards compatibility - # See addversionno unison config parameter - package { 'unison2.32.52': - ensure => $::lsbdistcodename ? { - 'wheezy' => present, - default => absent, - } - } -} - -class utils::network inherits utils::network::minimal { - # Network - package { [ 'mutt', 'offlineimap', - 'newsbeuter', 'nicotine', 'sshfs', - 'bogofilter', 'fetchmail', 'procmail', - 'msmtp', 'mairix', 'notmuch-mutt', - 'links', 'gftp', 'iceweasel', - 'openvpn', 'pssh', 'mutt-patched', - 'pidgin', 'pidgin-encryption', 'pidgin-openpgp', - 'pidgin-otr', 'pidgin-privacy-please', 'pidgin-plugin-pack', - 'sslscan', 'muttprofile', 'connect-proxy', - 'avahi-discover', 'mdns-scan' ]: - ensure => installed, - } - - # Fix: ensure that fetchmail is not a service - service { 'fetchmail': - ensure => stopped, - enable => false, - require => Package['fetchmail'], - } - - # Old packages - # About firegpg, see http://tails.boum.org/bugs/FireGPG_may_be_unsafe/ - package { [ 'silc', 'twinkle', 'konqueror', 'transmission', 'amule', 'epiphany-browser', - 'bittorrent', 'bittornado', 'xul-ext-firegpg' ]: - ensure => absent, - } - - # Squeeze (or newer) packages - if 
$::lsbdistcodename != 'lenny' { - package { [ 'xul-ext-monkeysphere', 'chromium-browser', 'libical-parser-perl', - 'maildir-utils', 'icedtea6-plugin', 'xul-ext-adblock-plus', - 'xul-ext-noscript', 'xul-ext-firebug' ]: - ensure => installed, - } - - # Not using right now - package { [ 'xul-ext-torbutton', 'vidalia', 'xul-ext-perspectives', 'xul-ext-greasemonkey' ]: - ensure => absent, - } - } - - # Wheezy (or newer) packages - if $::lsbdistcodename != 'squeeze' { - package { [ 'xul-ext-pentadactyl', 'xul-ext-https-everywhere', 'xul-ext-certificatepatrol', - 'xul-ext-cookie-monster', 'xul-ext-refcontrol', 'xul-ext-quickproxy', - 'xul-ext-requestpolicy' ]: - ensure => installed, - } - - package { [ 'torchat' ]: - ensure => installed, - } - } - - # Lenny only - package { [ 'mozilla-firefox-adblock' ]: - ensure => $::lsbdistcodename ? { - 'lenny' => present, - default => absent, - }, - } - - # Browser alternative - file { "/etc/alternatives/x-www-browser": - ensure => "/usr/bin/iceweasel", - owner => root, - group => root, - require => Package['iceweasel'], - } - - # Browser alternative: manpage - file { "/etc/alternatives/x-www-browser.1.gz": - ensure => "/usr/share/man/man1/iceweasel.1.gz", - owner => root, - group => root, - require => Package['iceweasel'], - } -} - -class utils::network::analyzer { - package { [ 'tshark' ]: - ensure => installed, - } -} - -class utils::network::samba { - package { [ 'smbclient', 'cifs-utils' ]: - ensure => installed, - } -} - -class utils::network::nfs { - package { 'nfs-common': - ensure => installed, - } -} diff --git a/manifests/subsystems/utils/office.pp b/manifests/subsystems/utils/office.pp deleted file mode 100644 index 0b4ca19..0000000 --- a/manifests/subsystems/utils/office.pp +++ /dev/null 
@@ -1,29 +0,0 @@ -class utils::office { - # Office - package { [ 'wyrd', 'vim-gtk', 'gobby', - 'sc', 'antiword', 'dia', - 'kalarm', 'texlive-latex-base', 'texlive-latex-recommended', - 'texlive-latex-extra', 'pandoc', 'gnumeric', - 'cups-client', 'hplip', 'cups-bsd', - 'gnucash', 'worklog', 'pdftk', - 'calibre', 'fbreader', 'gobby-0.5', - 'mat', 'evince-gtk', 'jekyll' ]: - ensure => installed, - } - - # Squeeze only - package { 'broffice.org': - ensure => $::lsbdistcodename ? { - 'squeeze' => installed, - default => absent, - } - } - - # Wheezy onwards - package { 'libreoffice': - ensure => $::lsbdistcodename ? { - 'squeeze' => absent, - default => installed, - } - } -} diff --git a/manifests/subsystems/utils/personal.pp b/manifests/subsystems/utils/personal.pp deleted file mode 100644 index fe6fb89..0000000 --- a/manifests/subsystems/utils/personal.pp +++ /dev/null @@ -1,20 +0,0 @@ -# Common utilities for personal -class utils::personal { - case $::operatingsystem { - debian: { - include utils::personal::debian - } - default: { } - } -} - -class utils::personal::bundle { - include utils::office - include utils::interface - include utils::network - include utils::development - include utils::security - include utils::multimedia - include utils::ruby - include utils::java -} diff --git a/manifests/subsystems/utils/physical.pp b/manifests/subsystems/utils/physical.pp deleted file mode 100644 index 3fbd28c..0000000 --- a/manifests/subsystems/utils/physical.pp +++ /dev/null @@ -1,13 +0,0 @@ -# Common utilities for physical -class utils::physical { - package { [ 'nload', 'acpid', 'slurm', 'ethtool', 'parted', 'iftop', 'iptraf', 'htop', 'sdparm' ]: - ensure => installed, - } - - package { 'acpi': - ensure => $::architecture ? { - 'armv5tel' => absent, - default => present, - } - } -} diff --git a/manifests/subsystems/utils/plug.pp b/manifests/subsystems/utils/plug.pp deleted file mode 100644 index e018f10..0000000 --- a/manifests/subsystems/utils/plug.pp +++ /dev/null 
@@ -1,6 +0,0 @@
-# Common utilities for plug computers
-class utils::plug {
- package { [ 'mtd-utils', 'cryptsetup', 'u-boot', 'smartmontools' ]:
- ensure => installed,
- }
-}
diff --git a/manifests/subsystems/utils/ruby.pp b/manifests/subsystems/utils/ruby.pp
deleted file mode 100644
index 8923ff0..0000000
--- a/manifests/subsystems/utils/ruby.pp
+++ /dev/null
@@ -1,45 +0,0 @@
-class utils::ruby {
- # Gem packages
- package { 'capistrano':
- ensure => installed,
- provider => $::lsbdistcodename ? {
- 'squeeze' => gem,
- default => apt,
- },
- require => Package['rubygems'],
- }
-
- # Gem packages
- package { 'slideshow':
- ensure => installed,
- provider => gem,
- require => Package['rubygems'],
- }
-
- if !defined(Package['ruby']) {
- package { 'ruby':
- ensure => installed,
- }
- }
-
- if !defined(Package['rubygems']) {
- package { 'rubygems':
- ensure => installed,
- require => Package['ruby'],
- }
- }
-
- if !defined(Package['ruby-dev']) {
- package { 'ruby-dev':
- ensure => installed,
- require => Package['ruby'],
- }
- }
-
- if !defined(Package['libgpgme-ruby1.8']) {
- package { 'libgpgme-ruby1.8':
- ensure => installed,
- require => Package['ruby'],
- }
- }
-}
diff --git a/manifests/subsystems/utils/security.pp b/manifests/subsystems/utils/security.pp
deleted file mode 100644
index 9e4f362..0000000
--- a/manifests/subsystems/utils/security.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class utils::security {
- # Security
- package { [ 'apg', 'gnupg-agent', 'makepasswd', 'pwgen', 'fpm2', 'encfs',
- 'signing-party', 'libnss3-tools', 'ssss', 'libgfshare-bin' ]:
- ensure => installed,
- }
-
- if $::lsbdistcodename != 'squeeze' {
- package { [ 'kedpm', 'kedpm-gtk' ]:
- ensure => installed,
- }
- }
-}
diff --git a/manifests/subsystems/utils/storage.pp b/manifests/subsystems/utils/storage.pp
deleted file mode 100644
index 6a52e16..0000000
--- a/manifests/subsystems/utils/storage.pp
+++ /dev/null
@@ -1,12 +0,0 @@
-# Common utilities for storage
-class utils::storage {
- package { 'clamav':
- ensure => installed,
- }
-}
-
-class utils::storage::archive {
- package { 'git-annex':
- ensure => installed,
- }
-}
diff --git a/manifests/subsystems/utils/tor.pp b/manifests/subsystems/utils/tor.pp
deleted file mode 100644
index 1a696c4..0000000
--- a/manifests/subsystems/utils/tor.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class utils::tor {
- package { 'tor-arm':
- ensure => installed,
- }
-}
diff --git a/manifests/subsystems/utils/web.pp b/manifests/subsystems/utils/web.pp
deleted file mode 100644
index 8b0eba9..0000000
--- a/manifests/subsystems/utils/web.pp
+++ /dev/null
@@ -1,10 +0,0 @@
-# Common utilities for web
-class utils::web {
- package { [ 'ffmpeg', 'flvtool2', 'curl', 'rake',
- 'libxml2', 'libxml2-dev', 'libxslt1-dev', 'libmysqlclient-dev',
- 'g++', 'libcurl4-openssl-dev', 'apache2-prefork-dev' ]:
- ensure => installed,
- }
-
- include utils::storage::archive
-}
diff --git a/manifests/subsystems/websites.pp b/manifests/subsystems/websites.pp
deleted file mode 100644
index 6fa764b..0000000
--- a/manifests/subsystems/websites.pp
+++ /dev/null
@@ -1,151 +0,0 @@
-class websites::setup {
- # Third-party hosted nodes generally aren't behind an https proxy
- $hosting_type = hiera('nodo::vserver::hosting_type', 'direct')
-
- # Include apache
- class { 'apache':
- https_proxy => $hosting_type ? {
- 'direct' => 'yes',
- default => false,
- },
- }
-
- # The needed apache modules
- apache::module { "alias":
- ensure => present,
- }
-
- # Images folder
- file { "${apache::www_folder}/images":
- ensure => directory,
- recurse => true,
- purge => true,
- force => true,
- owner => "root",
- group => "root",
- # This mode will also apply to files from the source directory
- mode => 0644,
- # Puppet will automatically set +x for directories
- source => [ "puppet:///modules/site_apache/htdocs/${::domain}/images",
- "puppet:///modules/nodo/htdocs/images", ]
- }
-
- # Web index
- file { "${apache::www_folder}/index.html":
- ensure => present,
- owner => "root",
- group => "root",
- mode => 0644,
- source => [ "puppet:///modules/site_apache/htdocs/${::domain}/index.html",
- "puppet:///modules/nodo/htdocs/index.html", ]
- }
-
- # Missing page
- file { "${apache::www_folder}/missing.html":
- ensure => present,
- owner => "root",
- group => "root",
- mode => 0644,
- source => [ "puppet:///modules/site_apache/htdocs/${::domain}/missing.html",
- "puppet:///modules/nodo/htdocs/missing.html", ]
- }
-
- # Make sure that a top level index exists
- file { "/var/www/index.html":
- ensure => present,
- }
-
- # Default vhost: can just be applied on the defining host
- apache::site { "${apache::server_name}":
- server_alias => "${::domain}",
- docroot => "${apache::www_folder}",
- mpm => false,
- tag => 'all',
- }
-
- # We have to use 'zzz-error' so it will be the last matched vhost
- apache::site { "error":
- template => 'apache/error.erb',
- docroot => "${apache::error_folder}",
- filename => 'zzz-error',
- mpm => false,
- tag => 'all',
- }
-
- # Index page for error
- file { "${apache::error_folder}/index.html":
- ensure => 
"${apache::www_folder}/index.html",
- owner => "root",
- group => "root",
- force => true,
- require => File["${apache::error_folder}"],
- }
-
- # Images folder for error
- file { "${apache::error_folder}/images":
- ensure => "${apache::www_folder}/images",
- owner => "root",
- group => "root",
- force => true,
- require => File["${apache::error_folder}", "${apache::www_folder}/images"],
- }
-
-}
-
-class websites::hosting inherits websites::setup {
- # Include the needed classes for website hosting
- include php
- include trac
- include websvn
- include moin
- include apache::rails
-
- # Declare the needed classes for website hosting
- class { [ 'drupal', 'ikiwiki', 'pmwiki', 'hotglue', 'wordpress' ]: }
- class {
- 'viewvc':
- root_parents => "/var/svn : svn";
- }
-
- $git_daemon = hiera('nodo::web::git_daemon', True)
-
- if $git_daemon != false {
- class { 'gitweb': }
- }
-
- apache::site { "images":
- docroot => "${apache::www_folder}/images",
- mpm => false,
- tag => 'all',
- }
-
- # Remove untagged site instances
- Apache::Site <| tag != $::hostname and tag != 'all' |> {
- ensure => absent,
- }
-
- # Remove untagged database instances
- Database::Instance <| tag != $::hostname and tag != 'all' |> {
- ensure => absent,
- }
-
- # Remove untagged ikiwiki instances
- Ikiwiki::Instance <| tag != $::hostname and tag != 'all' |> {
- ensure => absent,
- }
-}
-
-class websites::hosting::admin inherits websites::setup {
- # Include the needed classes for admin interfaces
- include trac
- include gitweb
-}
-
-class websites::dev::setup inherits websites::setup {
- # Include the needed classes for website development
- include php
- include apache::rails
-
- # Declare the needed classes for website development
- class { 'drupal': }
-}
diff --git a/manifests/subsystems/xorg.pp b/manifests/subsystems/xorg.pp
deleted file mode 100644
index 7009707..0000000
--- a/manifests/subsystems/xorg.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class xorg($enable = hiera('nodo::xorg::enable', false)) {
- if $xorg != false {
- file { "/etc/X11/xorg.conf":
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- source => [ "puppet:///modules/site_nodo/X11/xorg.conf/${::hostname}.${::lsbdistcodename}",
- "puppet:///modules/site_nodo/X11/xorg.conf/${::hostname}",
- "puppet:///modules/site_nodo/X11/xorg.conf.default" ],
- }
- }
-}
diff --git a/manifests/test.pp b/manifests/test.pp
deleted file mode 100644
index 7195fc2..0000000
--- a/manifests/test.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-class nodo::test inherits nodo::web {
- # Class for test nodes
-}
diff --git a/manifests/tor.pp b/manifests/tor.pp
deleted file mode 100644
index 11ba480..0000000
--- a/manifests/tor.pp
+++ /dev/null
@@ -1,4 +0,0 @@
-class nodo::tor inherits nodo::vserver {
- include tor::daemon
- include utils::tor
-}
diff --git a/manifests/utils.pp b/manifests/utils.pp
new file mode 100644
index 0000000..9f499af
--- /dev/null
+++ b/manifests/utils.pp
@@ -0,0 +1,36 @@
+# Common utilities
+class nodo::utils {
+ package { [ 'screen', 'less', 'bzip2', 'openssl', 'lynx', 'wget', 'unzip',
+ 'nmap', 'telnet', 'tree', 'whois', 'dosfstools', 'dnsutils', 'logcheck-database',
+ 'bc', 'lsof', 'wipe', 'vrms', 'nsca-client', 'logcheck', 'vim-nox' ]:
+ ensure => installed,
+ }
+
+ if !defined(Package['git-core']) {
+ package { 'git-core':
+ ensure => installed,
+ }
+ }
+
+ # Editor alternative
+ file { "/etc/alternatives/editor":
+ ensure => "/usr/bin/vi",
+ owner => root,
+ group => root,
+ }
+
+ # Ensure we have the minimum augeas version required by shorewall module
+ package {
+ 'libaugeas0':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => '0.10.0-1~bpo60+3',
+ default => installed,
+ };
+ 'augeas-tools':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => '0.10.0-1~bpo60+3',
+ default => installed,
+ },
+ require => Package['libaugeas0'];
+ }
+}
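Review bot: The `file { "/etc/alternatives/editor": ensure => "/usr/bin/vi" }` resource in the new utils.pp rewrites the symlink behind the back of update-alternatives, so the link and the alternatives database under /var/lib/dpkg/alternatives disagree; the next package install that registers an editor alternative, or an `update-alternatives --auto editor`, will flip the link back and the following Puppet run will flip it again, and the `owner`/`group` attributes on a symlink target are not what the resource manages. Prefer an `exec` of `update-alternatives --set editor /usr/bin/vi` guarded by an `unless` that inspects `update-alternatives --query editor`, or the alternatives type of a module the repository already ships, so the choice is recorded where dpkg expects it. The same applies to the `/etc/alternatives/java` resource in utils/java.pp, the `/etc/alternatives/x-www-browser` and `x-www-browser.1.gz` resources in utils/network.pp, and the `/etc/alternatives/flash-mozilla.so` resource in utils/multimedia.pp.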
diff --git a/manifests/utils/desktop.pp b/manifests/utils/desktop.pp
new file mode 100644
index 0000000..9001b59
--- /dev/null
+++ b/manifests/utils/desktop.pp
@@ -0,0 +1,6 @@
+# Common utilities for desktop
+class nodo::utils::desktop {
+ package { 'cups':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/development.pp b/manifests/utils/development.pp
new file mode 100644
index 0000000..6c85bef
--- /dev/null
+++ b/manifests/utils/development.pp
@@ -0,0 +1,15 @@
+class nodo::utils::development {
+ # Development
+ package { [ 'debhelper', 'gitk', 'git-gui', 'subversion', 'python-stdeb',
+ 'fakeroot', 'dupload', 'autotools-dev', 'dh-make', 'doxygen',
+ 'tig', 'mercurial', 'exuberant-ctags', 'reportbug', 'debian-keyring',
+ 'devscripts', 'pbuilder', 'build-essential', 'pnopaste-cli', 'agave',
+ 'cdbs', 'dh-buildinfo', 'quilt', 'dpatch', 'dput',
+ 'bzr', 'debian-goodies', 'debirf', 'xorriso', 'dh-autoreconf',
+ 'unetbootin', 'git-buildpackage', 'gem2deb', 'python-setuptools', 'python-virtualenv',
+ 'ditz', 'mr', 'puppet-lint', 'kpartx', 'openocd' ]:
+ ensure => installed,
+ }
+
+ include nodo::utils::storage::archive
+}
diff --git a/manifests/utils/development/virtual.pp b/manifests/utils/development/virtual.pp
new file mode 100644
index 0000000..011253e
--- /dev/null
+++ b/manifests/utils/development/virtual.pp
@@ -0,0 +1,12 @@
+class nodo::utils::development::virtual {
+ package { 'vagrant':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => absent,
+ default => present,
+ }
+ }
+
+ package { [ 'virtualbox-guest-additions-iso', 'virtualbox-fuse', 'qemu', 'qemu-kvm' ]:
+ ensure => present,
+ }
+}
diff --git a/manifests/utils/dns.pp b/manifests/utils/dns.pp
new file mode 100644
index 0000000..57bb992
--- /dev/null
+++ b/manifests/utils/dns.pp
@@ -0,0 +1,5 @@
+class nodo::utils::dns {
+ package { 'dnstop':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/firmware.pp b/manifests/utils/firmware.pp
new file mode 100644
index 0000000..ccdae37
--- /dev/null
+++ b/manifests/utils/firmware.pp
@@ -0,0 +1,5 @@
+class nodo::utils::firmware {
+ package { 'firmware-linux':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/firmware/iwlwifi.pp b/manifests/utils/firmware/iwlwifi.pp
new file mode 100644
index 0000000..0dd761a
--- /dev/null
+++ b/manifests/utils/firmware/iwlwifi.pp
@@ -0,0 +1,6 @@
+# Wireless support
+class nodo::utils::firmware::iwlwifi {
+ package { 'firmware-iwlwifi':
+ ensure => present,
+ }
+}
diff --git a/manifests/utils/firmware/realtek.pp b/manifests/utils/firmware/realtek.pp
new file mode 100644
index 0000000..77d916a
--- /dev/null
+++ b/manifests/utils/firmware/realtek.pp
@@ -0,0 +1,5 @@
+class nodo::utils::firmware::realtek {
+ package { 'firmware-realtek':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/grub.pp b/manifests/utils/grub.pp
new file mode 100644
index 0000000..1d24458
--- /dev/null
+++ b/manifests/utils/grub.pp
@@ -0,0 +1,5 @@
+class nodo::utils::grub {
+ package { 'grub2':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/hamradio.pp b/manifests/utils/hamradio.pp
new file mode 100644
index 0000000..6915650
--- /dev/null
+++ b/manifests/utils/hamradio.pp
@@ -0,0 +1,5 @@
+class nodo::utils::hamradio {
+ package { 'aldo':
+ ensure => present,
+ }
+}
diff --git a/manifests/utils/interface.pp b/manifests/utils/interface.pp
new file mode 100644
index 0000000..c43bad7
--- /dev/null
+++ b/manifests/utils/interface.pp
@@ -0,0 +1,30 @@
+class nodo::utils::interface {
+ # Interface
+ package { [ 'awesome', 'eterm', 'weather-util', 'gnome-terminal', 'conky',
+ 'xterm', 'bash-completion', 'tmux', 'xscreensaver', 'thunar',
+ 'mc', 'gtk-theme-switch', 'gtk-smooth-themes', 'rxvt', 'lxappearance',
+ 'xtitle', 'xclip', 'pcmanfm', 'awesome-extra', 'numlockx',
+ 'x11-apps' ]:
+ ensure => installed,
+ }
+
+ # Old stuff
+ package { [ 'conkyforecast', 'fluxbox' ]:
+ ensure => absent,
+ }
+
+ # Fonts
+ package { [ 'xfonts-terminus', 'ttf-bitstream-vera', 'ttf-inconsolata' ]:
+ ensure => installed,
+ }
+
+ package { 'rxvt-unicode':
+ ensure => present,
+ # We need a workaround for this:
+ # http://packages.debian.org/search?keywords=screen&searchon=names&suite=all§ion=all&sourceid=mozilla-search
+ #name => $lsbdistcodename ? {
+ # 'squeeze' => 'rxvt-unicode',
+ # default => 'rxvt-unicode-256color',
+ #}
+ }
+}
diff --git a/manifests/utils/java.pp b/manifests/utils/java.pp
new file mode 100644
index 0000000..a14635f
--- /dev/null
+++ b/manifests/utils/java.pp
@@ -0,0 +1,18 @@
+class nodo::utils::java {
+ # Java
+ package { [ 'sun-java6-jre' ]:
+ ensure => absent,
+ }
+
+ package { 'default-jre':
+ ensure => present,
+ }
+
+ # Java alternative
+ file { "/etc/alternatives/java":
+ ensure => "/usr/lib/jvm/java-6-openjdk/jre/bin/java",
+ owner => root,
+ group => root,
+ require => Package['default-jre'],
+ }
+}
diff --git a/manifests/utils/laptop.pp b/manifests/utils/laptop.pp
new file mode 100644
index 0000000..9a1e42c
--- /dev/null
+++ b/manifests/utils/laptop.pp
@@ -0,0 +1,9 @@
+# Common utilities for laptop
+class nodo::utils::laptop {
+ case $::operatingsystem {
+ debian: {
+ include utils::laptop::debian
+ }
+ default: { }
+ }
+}
diff --git a/manifests/utils/laptop/debian.pp b/manifests/utils/laptop/debian.pp
new file mode 100644
index 0000000..e4c769c
--- /dev/null
+++ b/manifests/utils/laptop/debian.pp
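Review bot: The new utils/laptop.pp still includes the pre-refactor class name, `include utils::laptop::debian`, while the sibling file added in this same commit defines `nodo::utils::laptop::debian`, so catalog compilation for a Debian laptop will fail with an unknown class unless the old `utils::laptop::debian` still exists somewhere outside this diff. The other moved manifests (utils/personal.pp, for example) already use the new prefix. The line should read `include nodo::utils::laptop::debian`.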
@@ -0,0 +1,35 @@
+# Common utilities for debian laptops
+class nodo::utils::laptop::debian {
+ package { [ 'cpufrequtils', 'module-assistant', 'wireless-tools',
+ 'wpasupplicant', 'ekiga', 'mumble',
+ 'revelation', 'arp-scan', 'usb-modeswitch',
+ 'iw', 'wvdial', 'wavemon',
+ 'btscanner', 'laptop-mode-tools', 'acpi-support',
+ 'tftp', 'sharutils', 'wireshark',
+ 'macchanger', 'weplab', 'wpagui',
+ 'gnokii' ]:
+ ensure => installed,
+ }
+
+ # Wicd
+ package { [ 'wicd', 'wicd-curses', 'wicd-gtk' ]:
+ ensure => installed,
+ }
+
+ # Wheezy specific packages
+ package { 'network-manager':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => absent,
+ default => absent,
+ }
+ }
+
+ # Squeeze specific packages
+ package { [ 'kismet' ]:
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => installed,
+ default => absent,
+ }
+ }
+
+}
diff --git a/manifests/utils/microcode/intel.pp b/manifests/utils/microcode/intel.pp
new file mode 100644
index 0000000..b4d12bc
--- /dev/null
+++ b/manifests/utils/microcode/intel.pp
@@ -0,0 +1,8 @@
+class nodo::utils::microcode::intel {
+ # Microcode
+ # See https://wiki.archlinux.org/index.php/Microcode
+ # http://en.gentoo-wiki.com/wiki/Intel_Microcode
+ package { 'intel-microcode':
+ ensure => present,
+ }
+}
diff --git a/manifests/utils/multimedia.pp b/manifests/utils/multimedia.pp
new file mode 100644
index 0000000..d1a498f
--- /dev/null
+++ b/manifests/utils/multimedia.pp
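Review bot: The `network-manager` selector in utils/laptop/debian.pp yields `absent` on both branches (`'squeeze' => absent, default => absent`), so the selector is dead and the "Wheezy specific packages" comment above it no longer describes what the resource does. If the intent is to keep NetworkManager off every release in favour of the wicd packages installed just above, write it as `ensure => absent,` and reword the comment; if a release was meant to receive it, one of the branches needs a different value.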
@@ -0,0 +1,48 @@
+# Multimedia utilities
+class nodo::utils::multimedia {
+ # Multimedia
+ package { [ 'alsa-tools-gui', 'mp3blaster', 'alsa-utils', 'netpbm',
+ 'gqview', 'mpg123', 'audacious', 'qjackctl',
+ 'gimp', 'xine-ui', 'v4l-utils', 'inkscape',
+ 'easytag', 'gstreamer-tools', 'vlc', 'audacity',
+ 'opencubicplayer', 'youtube-dl', 'mencoder', 'libasound2-plugins',
+ 'cbrpager', 'llgal', 'darksnow', 'mplayer',
+ 'picard', 'ffmpeg2theora', 'oggfwd', 'jhead',
+ 'pavucontrol' ]:
+ ensure => installed,
+ }
+
+ # Old stuff
+ package { [ 'flashplugin-nonfree', 'amarok', 'moc', 'cmus' ]:
+ ensure => purged,
+ }
+
+ # Squeeze only
+ package { [ 'tucan', 'orpheus' ]:
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => installed,
+ default => purged,
+ }
+ }
+
+ # Wheezy onwards
+ package { 'landell':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => absent,
+ default => installed,
+ }
+ }
+
+ # Flash
+ package { 'browser-plugin-gnash':
+ ensure => installed,
+ }
+
+ # Flash alternative
+ file { "/etc/alternatives/flash-mozilla.so":
+ ensure => "/usr/lib/gnash/libgnashplugin.so",
+ owner => root,
+ group => root,
+ require => Package['flashplugin-nonfree'],
+ }
+}
diff --git a/manifests/utils/multimedia/mediacenter.pp b/manifests/utils/multimedia/mediacenter.pp
new file mode 100644
index 0000000..3d8f241
--- /dev/null
+++ b/manifests/utils/multimedia/mediacenter.pp
@@ -0,0 +1,5 @@
+class nodo::utils::multimedia::mediacenter {
+ package { [ 'xbmc', 'upnp-inspector', 'gupnp-tools' ]:
+ ensure => present,
+ }
+}
diff --git a/manifests/utils/multimedia/ripper.pp b/manifests/utils/multimedia/ripper.pp
new file mode 100644
index 0000000..83d7029
--- /dev/null
+++ b/manifests/utils/multimedia/ripper.pp
@@ -0,0 +1,6 @@
+class nodo::utils::multimedia::ripper {
+ # CD writers and extractors
+ package { [ 'ripit', 'asunder', 'wodim', 'genisoimage', 'dvd+rw-tools' ]:
+ ensure => installed,
+ }
+}
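Review bot: The `/etc/alternatives/flash-mozilla.so` symlink in utils/multimedia.pp points at `/usr/lib/gnash/libgnashplugin.so` but declares `require => Package['flashplugin-nonfree']`, which this same class ensures `purged`; the dependency therefore orders the link after the removal of an unrelated package and gives no guarantee that the gnash target exists when the link is created, so on a fresh host the first run can leave a dangling symlink that the browser loads nothing from. The package that actually provides the target is declared three lines above, so the dependency should be `require => Package['browser-plugin-gnash'],`.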
diff --git a/manifests/utils/multimedia/studio.pp b/manifests/utils/multimedia/studio.pp
new file mode 100644
index 0000000..3d9966d
--- /dev/null
+++ b/manifests/utils/multimedia/studio.pp
@@ -0,0 +1,5 @@
+class nodo::utils::multimedia::studio {
+ package { [ 'ardour', 'hydrogen', ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/network.pp b/manifests/utils/network.pp
new file mode 100644
index 0000000..196038a
--- /dev/null
+++ b/manifests/utils/network.pp
@@ -0,0 +1,80 @@
+class nodo::utils::network inherits nodo::utils::network::minimal {
+ # Network
+ package { [ 'mutt', 'offlineimap',
+ 'newsbeuter', 'nicotine', 'sshfs',
+ 'bogofilter', 'fetchmail', 'procmail',
+ 'msmtp', 'mairix', 'notmuch-mutt',
+ 'links', 'gftp', 'iceweasel',
+ 'openvpn', 'pssh', 'mutt-patched',
+ 'pidgin', 'pidgin-encryption', 'pidgin-openpgp',
+ 'pidgin-otr', 'pidgin-privacy-please', 'pidgin-plugin-pack',
+ 'sslscan', 'muttprofile', 'connect-proxy',
+ 'avahi-discover', 'mdns-scan' ]:
+ ensure => installed,
+ }
+
+ # Fix: ensure that fetchmail is not a service
+ service { 'fetchmail':
+ ensure => stopped,
+ enable => false,
+ require => Package['fetchmail'],
+ }
+
+ # Old packages
+ # About firegpg, see http://tails.boum.org/bugs/FireGPG_may_be_unsafe/
+ package { [ 'silc', 'twinkle', 'konqueror', 'transmission', 'amule', 'epiphany-browser',
+ 'bittorrent', 'bittornado', 'xul-ext-firegpg' ]:
+ ensure => absent,
+ }
+
+ # Squeeze (or newer) packages
+ if $::lsbdistcodename != 'lenny' {
+ package { [ 'xul-ext-monkeysphere', 'chromium-browser', 'libical-parser-perl',
+ 'maildir-utils', 'icedtea6-plugin', 'xul-ext-adblock-plus',
+ 'xul-ext-noscript', 'xul-ext-firebug' ]:
+ ensure => installed,
+ }
+
+ # Not using right now
+ package { [ 'xul-ext-torbutton', 'vidalia', 'xul-ext-perspectives', 'xul-ext-greasemonkey' ]:
+ ensure => absent,
+ }
+ }
+
+ # Wheezy (or newer) packages
+ if $::lsbdistcodename != 'squeeze' {
+ package { [ 'xul-ext-pentadactyl', 'xul-ext-https-everywhere', 'xul-ext-certificatepatrol',
+ 'xul-ext-cookie-monster', 'xul-ext-refcontrol', 'xul-ext-quickproxy',
+ 'xul-ext-requestpolicy' ]:
+ ensure => installed,
+ }
+
+ package { [ 'torchat' ]:
+ ensure => installed,
+ }
+ }
+
+ # Lenny only
+ package { [ 'mozilla-firefox-adblock' ]:
+ ensure => $::lsbdistcodename ? 
{
+ 'lenny' => present,
+ default => absent,
+ },
+ }
+
+ # Browser alternative
+ file { "/etc/alternatives/x-www-browser":
+ ensure => "/usr/bin/iceweasel",
+ owner => root,
+ group => root,
+ require => Package['iceweasel'],
+ }
+
+ # Browser alternative: manpage
+ file { "/etc/alternatives/x-www-browser.1.gz":
+ ensure => "/usr/share/man/man1/iceweasel.1.gz",
+ owner => root,
+ group => root,
+ require => Package['iceweasel'],
+ }
+}
diff --git a/manifests/utils/network/analyzer.pp b/manifests/utils/network/analyzer.pp
new file mode 100644
index 0000000..64ed803
--- /dev/null
+++ b/manifests/utils/network/analyzer.pp
@@ -0,0 +1,5 @@
+class nodo::utils::network::analyzer {
+ package { [ 'tshark' ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/network/irssi.pp b/manifests/utils/network/irssi.pp
new file mode 100644
index 0000000..e476a0d
--- /dev/null
+++ b/manifests/utils/network/irssi.pp
@@ -0,0 +1,23 @@
+class nodo::utils::network::irssi {
+ package { [ 'irssi', 'bitlbee', 'irssi-scripts' ]:
+ ensure => installed,
+ }
+
+ # See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695150
+ #package { 'irssi-plugin-otr':
+ # ensure => installed,
+ #}
+
+ # These are needed by the cap_sasl.pl irssi plugin
+ package { [ 'libcrypt-blowfish-perl', 'libcrypt-dh-perl', 'libcrypt-openssl-bignum-perl' ]:
+ ensure => installed,
+ }
+
+ # Not on wheezy
+ package { 'irssi-plugin-silc':
+ ensure => $::lsbdistcodename ? {
+ 'wheezy' => absent,
+ default => present,
+ }
+ }
+}
diff --git a/manifests/utils/network/minimal.pp b/manifests/utils/network/minimal.pp
new file mode 100644
index 0000000..51c4efe
--- /dev/null
+++ b/manifests/utils/network/minimal.pp
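Review bot: `class nodo::utils::network inherits nodo::utils::network::minimal` uses class inheritance purely to pull in the minimal class's resources; nothing in the body overrides a parent resource attribute, which is the only thing Puppet's `inherits` is meant for, and inheritance also forces the parent to be evaluated first and makes the minimal class impossible to declare with parameters later. The idiomatic form is a plain `class nodo::utils::network {` followed by `include nodo::utils::network::minimal` as its first statement, which is how the minimal class itself already composes its irssi and torrent pieces. The hunk for this file begins on the previous line of the page, and the point applies to the class header at its top.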
@@ -0,0 +1,17 @@
+class nodo::utils::network::minimal {
+ include nodo::utils::network::irssi
+ include nodo::utils::network::torrent
+
+ package { 'unison':
+ ensure => installed,
+ }
+
+ # For backwards compatibility
+ # See addversionno unison config parameter
+ package { 'unison2.32.52':
+ ensure => $::lsbdistcodename ? {
+ 'wheezy' => present,
+ default => absent,
+ }
+ }
+}
diff --git a/manifests/utils/network/nfs.pp b/manifests/utils/network/nfs.pp
new file mode 100644
index 0000000..9abe38e
--- /dev/null
+++ b/manifests/utils/network/nfs.pp
@@ -0,0 +1,5 @@
+class nodo::utils::network::nfs {
+ package { 'nfs-common':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/network/samba.pp b/manifests/utils/network/samba.pp
new file mode 100644
index 0000000..c53e5e5
--- /dev/null
+++ b/manifests/utils/network/samba.pp
@@ -0,0 +1,5 @@
+class nodo::utils::network::samba {
+ package { [ 'smbclient', 'cifs-utils' ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/network/torrent.pp b/manifests/utils/network/torrent.pp
new file mode 100644
index 0000000..154b24c
--- /dev/null
+++ b/manifests/utils/network/torrent.pp
@@ -0,0 +1,5 @@
+class nodo::utils::network::torrent {
+ package { [ 'rtorrent' ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/office.pp b/manifests/utils/office.pp
new file mode 100644
index 0000000..4c96670
--- /dev/null
+++ b/manifests/utils/office.pp
@@ -0,0 +1,29 @@
+class nodo::utils::office {
+ # Office
+ package { [ 'wyrd', 'vim-gtk', 'gobby',
+ 'sc', 'antiword', 'dia',
+ 'kalarm', 'texlive-latex-base', 'texlive-latex-recommended',
+ 'texlive-latex-extra', 'pandoc', 'gnumeric',
+ 'cups-client', 'hplip', 'cups-bsd',
+ 'gnucash', 'worklog', 'pdftk',
+ 'calibre', 'fbreader', 'gobby-0.5',
+ 'mat', 'evince-gtk', 'jekyll' ]:
+ ensure => installed,
+ }
+
+ # Squeeze only
+ package { 'broffice.org':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => installed,
+ default => absent,
+ }
+ }
+
+ # Wheezy onwards
+ package { 'libreoffice':
+ ensure => $::lsbdistcodename ? {
+ 'squeeze' => absent,
+ default => installed,
+ }
+ }
+}
diff --git a/manifests/utils/personal.pp b/manifests/utils/personal.pp
new file mode 100644
index 0000000..5202216
--- /dev/null
+++ b/manifests/utils/personal.pp
@@ -0,0 +1,9 @@
+# Common utilities for personal
+class nodo::utils::personal {
+ case $::operatingsystem {
+ debian: {
+ include nodo::utils::personal::debian
+ }
+ default: { }
+ }
+}
diff --git a/manifests/utils/personal/bundle.pp b/manifests/utils/personal/bundle.pp
new file mode 100644
index 0000000..e8cf4b9
--- /dev/null
+++ b/manifests/utils/personal/bundle.pp
@@ -0,0 +1,10 @@
+class nodo::utils::personal::bundle {
+ include nodo::utils::office
+ include nodo::utils::interface
+ include nodo::utils::network
+ include nodo::utils::development
+ include nodo::utils::security
+ include nodo::utils::multimedia
+ include nodo::utils::ruby
+ include nodo::utils::java
+}
diff --git a/manifests/utils/personal/debian.pp b/manifests/utils/personal/debian.pp
new file mode 100644
index 0000000..592ed3e
--- /dev/null
+++ b/manifests/utils/personal/debian.pp
@@ -0,0 +1,17 @@
+class nodo::utils::personal::debian {
+ # System
+ package { [ 'libpam-mount', 'ecryptfs-utils', 'gawk',
+ 'laptop-detect', 'syslinux', 'ack-grep', 'mtp-tools' ]:
+ ensure => installed,
+ }
+
+ # Misc
+ package { [ 'fortunes-br', 'recode', 'p7zip-full', 'funcoeszz', 'detox' ]:
+ ensure => installed,
+ }
+
+ # Non-free, old, buggy or absent in newer releases
+ package { [ 'mtpfs', 'unrar', 'figlet' ]:
+ ensure => purged,
+ }
+}
diff --git a/manifests/utils/physical.pp b/manifests/utils/physical.pp
new file mode 100644
index 0000000..78ff767
--- /dev/null
+++ b/manifests/utils/physical.pp
@@ -0,0 +1,13 @@
+# Common utilities for physical
+class nodo::utils::physical {
+ package { [ 'nload', 'acpid', 'slurm', 'ethtool', 'parted', 'iftop', 'iptraf', 'htop', 'sdparm' ]:
+ ensure => installed,
+ }
+
+ package { 'acpi':
+ ensure => $::architecture ? {
+ 'armv5tel' => absent,
+ default => present,
+ }
+ }
+}
diff --git a/manifests/utils/plug.pp b/manifests/utils/plug.pp
new file mode 100644
index 0000000..861c346
--- /dev/null
+++ b/manifests/utils/plug.pp
@@ -0,0 +1,6 @@
+# Common utilities for plug computers
+class nodo::utils::plug {
+ package { [ 'mtd-utils', 'cryptsetup', 'u-boot', 'smartmontools' ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/ruby.pp b/manifests/utils/ruby.pp
new file mode 100644
index 0000000..14c770d
--- /dev/null
+++ b/manifests/utils/ruby.pp
@@ -0,0 +1,45 @@
+class nodo::utils::ruby {
+ # Gem packages
+ package { 'capistrano':
+ ensure => installed,
+ provider => $::lsbdistcodename ? {
+ 'squeeze' => gem,
+ default => apt,
+ },
+ require => Package['rubygems'],
+ }
+
+ # Gem packages
+ package { 'slideshow':
+ ensure => installed,
+ provider => gem,
+ require => Package['rubygems'],
+ }
+
+ if !defined(Package['ruby']) {
+ package { 'ruby':
+ ensure => installed,
+ }
+ }
+
+ if !defined(Package['rubygems']) {
+ package { 'rubygems':
+ ensure => installed,
+ require => Package['ruby'],
+ }
+ }
+
+ if !defined(Package['ruby-dev']) {
+ package { 'ruby-dev':
+ ensure => installed,
+ require => Package['ruby'],
+ }
+ }
+
+ if !defined(Package['libgpgme-ruby1.8']) {
+ package { 'libgpgme-ruby1.8':
+ ensure => installed,
+ require => Package['ruby'],
+ }
+ }
+}
diff --git a/manifests/utils/security.pp b/manifests/utils/security.pp
new file mode 100644
index 0000000..0f26688
--- /dev/null
+++ b/manifests/utils/security.pp
@@ -0,0 +1,13 @@
+class nodo::utils::security {
+ # Security
+ package { [ 'apg', 'gnupg-agent', 'makepasswd', 'pwgen', 'fpm2', 'encfs',
+ 'signing-party', 'libnss3-tools', 'ssss', 'libgfshare-bin' ]:
+ ensure => installed,
+ }
+
+ if $::lsbdistcodename != 'squeeze' {
+ package { [ 'kedpm', 'kedpm-gtk' ]:
+ ensure => installed,
+ }
+ }
+}
diff --git a/manifests/utils/storage.pp b/manifests/utils/storage.pp
new file mode 100644
index 0000000..d4a40e6
--- /dev/null
+++ b/manifests/utils/storage.pp
@@ -0,0 +1,6 @@
+# Common utilities for storage
+class nodo::utils::storage {
+ package { 'clamav':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/storage/archive.pp b/manifests/utils/storage/archive.pp
new file mode 100644
index 0000000..e310bf5
--- /dev/null
+++ b/manifests/utils/storage/archive.pp
@@ -0,0 +1,5 @@
+class nodo::utils::storage::archive {
+ package { 'git-annex':
+ ensure => installed,
+ }
+}
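Review bot: The `slideshow` package and, on squeeze, `capistrano` are declared with `provider => gem` and `ensure => installed`, which makes the gem provider fetch whatever the public gem index serves as the newest version at apply time; what ends up running on the host can change without any edit to this manifest, and unlike the apt-provided branch nothing ties the install to a Debian-signed archive. Pin the version in the manifest, e.g. `ensure => '<pinned-version>',` (placeholder), so upgrades are a reviewed change, and consider routing the gem provider through an internal mirror if the repository already has one. The `# Gem packages` comment above `capistrano` is also misleading since that resource uses apt on every release except squeeze; `# Gem on squeeze, apt elsewhere` describes it.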
diff --git a/manifests/utils/thinkpad.pp b/manifests/utils/thinkpad.pp
new file mode 100644
index 0000000..d595dbc
--- /dev/null
+++ b/manifests/utils/thinkpad.pp
@@ -0,0 +1,16 @@
+class nodo::utils::thinkpad {
+ # Keyboard
+ package { 'tpb':
+ ensure => installed,
+ }
+
+ # Thinkfan
+ package { 'thinkfan':
+ ensure => installed
+ }
+
+ # HDAPS
+ package { 'hdapsd':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/tor.pp b/manifests/utils/tor.pp
new file mode 100644
index 0000000..f9475a3
--- /dev/null
+++ b/manifests/utils/tor.pp
@@ -0,0 +1,5 @@
+class nodo::utils::tor {
+ package { 'tor-arm':
+ ensure => installed,
+ }
+}
diff --git a/manifests/utils/touchpad.pp b/manifests/utils/touchpad.pp
new file mode 100644
index 0000000..a5390dd
--- /dev/null
+++ b/manifests/utils/touchpad.pp
@@ -0,0 +1,6 @@
+class nodo::utils::touchpad {
+ # Touchpad
+ package { 'gpointing-device-settings':
+ ensure => present,
+ }
+}
diff --git a/manifests/utils/web.pp b/manifests/utils/web.pp
new file mode 100644
index 0000000..9c2cd71
--- /dev/null
+++ b/manifests/utils/web.pp
@@ -0,0 +1,10 @@
+# Common utilities for web
+class nodo::utils::web {
+ package { [ 'ffmpeg', 'flvtool2', 'curl', 'rake',
+ 'libxml2', 'libxml2-dev', 'libxslt1-dev', 'libmysqlclient-dev',
+ 'g++', 'libcurl4-openssl-dev', 'apache2-prefork-dev' ]:
+ ensure => installed,
+ }
+
+ include nodo::utils::storage::archive
+}
diff --git a/manifests/web.pp b/manifests/web.pp
deleted file mode 100644
index 24318cc..0000000
--- a/manifests/web.pp
+++ /dev/null
@@ -1,49 +0,0 @@
-class nodo::web inherits nodo::vserver {
- # Hidden services
- $hidden = hiera('apache::site::hidden', false)
- if $hidden == true {
- include onion
- }
-
- # Classes for web nodes
- include websites
- include database
- include users::virtual
- include utils::web
-
- # Reprepro configuration
- $reprepro = hiera('nodo::web::reprepro', false)
- $reprepro_basedir = '/var/reprepro'
-
- case $reprepro {
- true,'enabled': {
- class { 'reprepro':
- basedir => '/var/reprepro',
- uploaders => hiera('nodo::web::reprepro_uploaders', [ ]),
- }
-
- include reprepro::cron
- }
- 'disabled': {
- class { 'reprepro::disabled':
- basedir => '/var/reprepro',
- }
- }
- 'purged': {
- class { 'reprepro::purged':
- basedir => '/var/reprepro',
- }
- }
- false,default: { }
- }
-
- $git_daemon = hiera('nodo::web::git_daemon', True)
-
- if $git_daemon != false {
- class { 'git::daemon': }
- }
-
- backupninja::svn { "svn":
- src => "/var/svn",
- }
-}
diff --git a/manifests/yacy.pp b/manifests/yacy.pp
deleted file mode 100644
index 76aff1c..0000000
--- a/manifests/yacy.pp
+++ /dev/null
@@ -1,34 +0,0 @@
-class nodo::yacy inherits nodo::vserver {
- class { 'onion': }
-
- package { 'yacy':
- ensure => installed,
- }
-
- service { 'yacy':
- ensure => running,
- require => Package['yacy'],
- }
-
- # Gracefully restart yacy everyday
- cron { "yacy-restart":
- command => "/etc/init.d/yacy restart > /dev/null 2>&1",
- user => root,
- hour => "*/4",
- minute => "0",
- ensure => present,
- require => Service['yacy'],
- }
-
- tor::daemon::hidden_service { 'yacy':
- ports => [ '8090 127.0.0.1:8090', '80 127.0.0.1:8090' ],
- data_dir => "$tor::daemon::data_dir/hidden",
- ensure => present,
- }
-
- # Why they don't sign their releases?
- apt::sources_list { "yacy.net.list":
- content => "deb http://debian.yacy.net ./\n",
- ensure => absent,
- }
-}
-- cgit v1.2.3