Diffstat (limited to 'config')
-rw-r--r-- | config/common.yaml | 65 | ||||
-rw-r--r-- | config/hiera.yaml | 38 | ||||
-rw-r--r-- | config/node/box.example.org.yaml | 53 |
3 files changed, 156 insertions, 0 deletions
diff --git a/config/common.yaml b/config/common.yaml
new file mode 100644
index 0000000..936420d
--- /dev/null
+++ b/config/common.yaml
@@ -0,0 +1,65 @@
+---
+#
+# General
+#
+nodo::subsystem::apt::include_src : false
+nodo::subsystem::apt::use_next_release : false
+nodo::subsystem::monitor::use_nagios : false
+nodo::subsystem::monitor::address : "%{::fqdn}"
+
+#
+# Firewall
+#
+firewall::ssl_ratelimit : "s:ssl:200/sec:20"
+firewall::local_net : false
+firewall::local::manage_host : true
+firewall::local::manage_iface : false
+
+#
+# Mail
+#
+mail::sympa::subdomain : "listas"
+mail::sympa::lang : "pt_BR"
+
+#
+# Monitoring
+#
+nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*'
+
+#
+# Timezone and ntp
+#
+ntp::zone : "Brazil/East"
+ntp::pool : "south-america.pool.ntp.org"
+ntp::servers :
+ - 'a.ntp.br'
+ - 'b.ntp.br'
+ - 'c.ntp.br'
+
+#
+# Nameservers
+#
+# OpenDNS
+nodo::subsystem::resolver::nameservers:
+ - '208.67.222.222'
+ - '208.67.220.220'
+
+#
+# OpenSSH
+#
+sshd::use_storedconfigs : false
+sshd::manage_nagios : false
+sshd::listen_address : [ "%{::ipaddress}", '127.0.0.1' ]
+sshd::password_authentication : 'yes'
+sshd::shared_ip : 'yes'
+sshd::tcp_forwarding : 'yes'
+sshd::x11_forwarding : 'no'
+sshd::hardened : 'yes'
+sshd::print_motd : 'no'
+sshd::ports : [ 22 ]
+sshd::use_pam : 'no'
+
+#
+# Backup
+#
+backupninja::keystore: ''
diff --git a/config/hiera.yaml b/config/hiera.yaml
new file mode 100644
index 0000000..14e393d
--- /dev/null
+++ b/config/hiera.yaml
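Review bot: `sshd::password_authentication : 'yes'` (with `sshd::use_pam : 'no'` a few lines below) sits in common.yaml, which hiera.yaml in this commit lists as the last level of the hierarchy, so every node that does not override it accepts password logins by default. Defaulting to `sshd::password_authentication : 'no'` here and enabling it only in the node or role file that needs it keeps the permissive setting opt-in; if 'yes' is deliberate, a comment above the OpenSSH stanza saying so would stop the next reader from "fixing" it. Separately, the file mixes `key : value` (space before the colon) with `key: value` (`nodo::munin_node::allow`, `nodo::subsystem::resolver::nameservers`, `backupninja::keystore`); both spellings yield the same key, but one convention per file keeps the keys greppable.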
@@ -0,0 +1,38 @@
+---
+version: 5
+defaults:
+ datadir: "config"
+ data_hash: "yaml_data"
+hierarchy:
+ #
+ # Put in the secrets folder all sensitive information that
+ # wont be spread into every system if you"re using the Hydra Suite.
+ #
+ # We also recommend to leave only encrypted data in your hiera config.
+ #
+ - name: "encrypted secrets"
+ path: "secrets/node/%{facts.fqdn}.yaml"
+ lookup_key: eyaml_lookup_key
+ options:
+ # If using the pkcs7 encryptor (default)
+ pkcs7_private_key: "%{settings::confdir}/keys/private_key.pkcs7.pem"
+ pkcs7_public_key: "%{settings::confdir}/keys/public_key.pkcs7.pem"
+
+ - name: "regular secrets"
+ paths:
+ - "secrets/role/%{facts.role}.yaml"
+ - "secrets/location/%{facts.location}.yaml"
+ - "secrets/domain/%{facts.domain}.yaml"
+
+ #
+ # All other stuff goes in regular YAML files.
+ #
+ - name: "public"
+ paths:
+ - "node/%{facts.fqdn}.yaml"
+ - "role/%{facts.role}.yaml"
+ - "virtual/%{facts.virtual}.yaml"
+ - "location/%{facts.location}.yaml"
+ - "domain/%{facts.domain}.yaml"
+ - "compiled.yaml"
+ - "common.yaml"
diff --git a/config/node/box.example.org.yaml b/config/node/box.example.org.yaml
new file mode 100644
index 0000000..657bce1
--- /dev/null
+++ b/config/node/box.example.org.yaml
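Review bot: The `regular secrets` level reads `secrets/role`, `secrets/location` and `secrets/domain` through the default `yaml_data` backend, so anything placed there has to be plaintext, while the comment two stanzas up recommends leaving only encrypted data in the hierarchy; only `secrets/node/%{facts.fqdn}.yaml` gets `eyaml_lookup_key`. Giving that level the same `lookup_key` and `options` as the node level lets role, location and domain secrets be `ENC[...]` values as well (the eyaml backend returns values that are not `ENC[...]` unchanged, so existing plaintext entries keep working); if only node secrets are meant to be encrypted, the comment should say so instead. The same comment has two typos, `wont` → `won't` and `you"re` → `you're`. The hunk's indentation looks flattened by the page rendering, so the rewritten level below uses conventional Hiera 5 indentation.
```yaml
  - name: "regular secrets"
    lookup_key: eyaml_lookup_key
    options:
      pkcs7_private_key: "%{settings::confdir}/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "%{settings::confdir}/keys/public_key.pkcs7.pem"
    paths:
      - "secrets/role/%{facts.role}.yaml"
      - "secrets/location/%{facts.location}.yaml"
      - "secrets/domain/%{facts.domain}.yaml"
  # … unchanged: "public" level …
```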
@@ -0,0 +1,53 @@
+---
+#
+# Nodo
+#
+nodo::role: 'dev::virtual'
+
+#
+# Classes
+#
+#classes:
+# - 'database'
+# - 'apache'
+
+#
+# MySQL
+#
+# The following password is public information and therefore
+# shall not be user on production.
+mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
+
+#
+# Backup
+#
+nodo::subsystem::backup::localhost : false
+nodo::subsystem::backup::encryptkey : 'none'
+nodo::subsystem::backup::password : 'hackme'
+
+#
+# Websites
+#
+#websites::default_db : 'dbname'
+#websites::default_db::password : 'hackme'
+
+#
+# Apache
+#
+#apache::default_folder : '/srv/kvmx'
+#apache::default_user : 'user'
+#apache::default_group : 'user'
+
+# Manage your app
+#apache::sites:
+# myapp:
+# docroot : "/vagrant/"
+# server_alias : 'myapp vagrant localhost'
+# use : [ "Site myapp" ]
+# tag : 'all'
+# owner : vagrant
+# group : vagrant
+# mpm_user : vagrant
+# mpm_group : vagrant
+# password : '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD'
+# shell : '/bin/bash' |
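Review bot: `mysql::server::rootpw` and `nodo::subsystem::backup::password` are plaintext credentials in `config/node/`, which hiera.yaml in this same commit places under the `public` level rather than under `secrets/node/`. The comment above the MySQL password already declares it public and non-production (with a typo, `user` → `used`), but it does not cover the backup password three stanzas down; either extend it to the whole file, e.g. `# All credentials in this example node file are public placeholders; real values belong in secrets/node/<fqdn>.yaml as eyaml values`, or move the two keys into the secrets path so the example shows the intended layout. `nodo::subsystem::backup::encryptkey : 'none'` is the string `none`, not a null; if the consuming module treats it as a sentinel for "no key", a short comment saying so would keep a later reader from replacing it with `null`.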