class nodo::vserver inherits nodo { include timezone include syslog-ng::vserver class { 'sshd': listen_address => $sshd_listen_address, password_authentication => $ssh_password_authentication, shared_ip => $ssh_shared_ip, tcp_forwarding => $ssh_tcp_forwarding, hardened_ssl => $ssh_hardened_ssl, print_motd => $ssh_print_motd, } backupninja::sys { "sys": ensure => present, partitions => false, hardware => false, dosfdisk => false, dohwinfo => false, } $hosting_type = $node_hosting_type ? { '' => "direct", default => "$node_hosting_type", } case $hosting_type { "direct": { # Apply munin and monkeysphere configuration for # for directly hosted nodes. Munin_node <<| title == $hostname |>> Monkeysphere_host <<| title == $hostname |>> # Set proxy configuration $apache_https_proxy = 'yes' } "third-party": { # Apply munin and monkeysphere configuration for # nodes hosted by third-parties. munin_node { "$hostname": } monkeysphere_host { "$hostname": port => $node_ssh_port, } # Nagios configuration if $use_nagios != false { include nagios::target::fqdn nagios::service::ping { "$fqdn": } } } } # Define a vserver instance define instance($context, $ensure = 'running', $proxy = false, $puppetmaster = false, $gitd = false, $mail = false, $icecast = false, $sound = false, $tor = false, $ticket = false, $memory_limit = false, $distro = 'squeeze', $dns = false, $munin_port = false, $monkeysphere_ssh_port = false, $jabber = false, $mumble = false, $gobby = false, $yacy = false, $rsync = false) { # set instance id if $context <= 9 { $id = "0$context" } else { $id = $context } # set puppetmaster ssl port case $puppetmaster_port { '': { $puppetmaster_port = "8140" } } # set puppetmaster non-ssl port case $puppetmaster_nonssl_port { '': { $puppetmaster_nonssl_port = "8141" } } # set tor port case $tor_port { '': { $tor_port = "9001" } } vserver { $name: ensure => $ensure, context => "$context", mark => 'default', distro => $distro, interface => "eth0:192.168.0.$context/24", hostname => "$name.$domain", memory_limit => $memory_limit, } # Some nodes need a lot of space at /tmp otherwise some admin # tasks like backups might not run. file { "/etc/vservers/${name}/fstab": source => [ "puppet:///modules/site-nodo/etc/fstab/vserver/$name", "puppet:///modules/nodo/etc/fstab/vserver" ], owner => "root", group => "root", mode => 0644, ensure => present, notify => Exec["vs_restart_${name}"], require => Exec["vs_create_${name}"], } # Create a munin virtual resource to be realized in the node @@munin_node { "$name": port => $munin_port ? { false => "49$id", default => $munin_port, } } # Create a monkeysphere virtual resource to be realized in the node @@monkeysphere_host { "$name": port => $monkeysphere_ssh_port ? { false => "22$id", default => $monkeysphere_ssh_port, } } # Sound support if $sound { if !defined(File["/usr/local/sbin/create-sound-devices"]) { file { "/usr/local/sbin/create-sound-devices": ensure => present, source => "puppet:///modules/nodo/sound/devices.sh", owner => root, group => root, mode => 755, } } exec { "/usr/local/sbin/create-sound-devices ${name}": unless => "/usr/local/sbin/create-sound-devices ${name} --check", user => root, require => [ Exec["vs_create_${name}"], File["/usr/local/sbin/create-sound-devices"] ], } } # SSL computational DoS mitigation # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? { '' => $firewall_global_ssl_ratelimit ? { '' => '-', default => $firewall_global_ssl_ratelimit, }, default => $firewall_ssl_ratelimit, } # Apply firewall rules just for running vservers case $ensure { 'running': { firewall::vserver::ssh { "$name": destination => "192.168.0.$context", port_orig => "22$id", port_dest => "22", } firewall::vserver::munin { "$name": destination => "192.168.0.$context", port_orig => "49$id", port_dest => "49$id", } if $proxy { class { "firewall::vserver::http": destination => "192.168.0.$context"; "firewall::vserver::https": destination => "192.168.0.$context"; } } if $puppetmaster { class { "firewall::vserver::puppetmaster": destination => "192.168.0.$context", puppetmaster_port => $puppetmaster_port, puppetmaster_nonssl_port => $puppetmaster_nonssl_port, } } if $gitd { class { "firewall::vserver::gitd": destination => "192.168.0.$context"; } } if $icecast { class { "firewall::vserver::icecast": destination => "192.168.0.$context"; } } if $mail { class { "firewall::vserver::mail": destination => "192.168.0.$context"; } } if $dns { class { "firewall::vserver::dns": destination => "192.168.0.$context"; } } if $tor { class { "firewall::vserver::tor": destination => "192.168.0.$context"; } } if $jabber { class { "firewall::vserver::jabber": destination => "192.168.0.$context"; } } if $mumble { class { "firewall::vserver::mumble": destination => "192.168.0.$context"; } } if $gobby { class { "firewall::vserver::gobby": destination => "192.168.0.$context"; } } if $yacy { class { "firewall::vserver::yacy": destination => "192.168.0.$context"; } } if $rsync { class { "firewall::vserver::rsync": destination => "192.168.0.$context"; } } } } } }