authorMicah Anderson <micah@riseup.net>2015-01-05 15:37:19 -0500
committerMicah Anderson <micah@riseup.net>2015-01-05 15:42:11 -0500
commit9792e035af468e33ec4dd85be3d68f408a41b768 (patch)
tree8c26a3b03177444083ab8bf92a681b478c1e23f3 /files/puppet
parent85df3da500357bd95972654b7b92b3fb4b0811ea (diff)
add custom puppet manifests to add munin to the openvpn nodes so we can
get data on traffic/vpn usage for reporting purposes
Diffstat (limited to 'files/puppet')
-rw-r--r--files/puppet/modules/custom/init.pp14
-rw-r--r--files/puppet/modules/custom_munin_node/files/munin-node.conf65
-rw-r--r--files/puppet/modules/custom_munin_node/manifests/init.pp30
-rw-r--r--files/puppet/modules/custom_munin_node/manifests/openvpn.pp35
-rw-r--r--files/puppet/modules/custom_shorewall/manifests/munin_node.pp23
5 files changed, 167 insertions, 0 deletions
diff --git a/files/puppet/modules/custom/init.pp b/files/puppet/modules/custom/init.pp
new file mode 100644
index 0000000..74a688b
--- /dev/null
+++ b/files/puppet/modules/custom/init.pp
@@ -0,0 +1,14 @@
+# Customization init class
+class custom {
+ include site_config::setup
+ include site_config::default
+
+ $services = hiera('services', [])
+
+ include custom_munin_node
+ include custom_shorewall::munin_node
+
+ if member ( $services, 'openvpn') {
+ include custom_munin_node::openvpn
+ }
+}
diff --git a/files/puppet/modules/custom_munin_node/files/munin-node.conf b/files/puppet/modules/custom_munin_node/files/munin-node.conf
new file mode 100644
index 0000000..0c4e458
--- /dev/null
+++ b/files/puppet/modules/custom_munin_node/files/munin-node.conf
@@ -0,0 +1,65 @@
+##########
+########## Managed by puppet
+##########
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /var/run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# This is the timeout for the whole transaction.
+# Units are in sec. Default is 15 min
+#
+# global_timeout 900
+
+# This is the timeout for each plugin.
+# Units are in sec. Default is 1 min
+#
+# timeout 60
+
+# Regexps for files to ignore
+#ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+#host_name localhost.localdomain
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed. You
+# may repeat the allow line as many times as you'd like
+allow ^127\.0\.0\.1$
+allow ^198\.252\.153\.95$
+allow ^204\.13\.164\.23$
+allow ^199\.254\.238\.23$
+allow ^::1$
+
+
+# If you have installed the Net::CIDR perl module, you can use one or more
+# cidr_allow and cidr_deny address/mask patterns. A connecting client must
+# match any cidr_allow, and not match any cidr_deny. Note that a netmask
+# *must* be provided, even if it's /32
+#
+# Example:
+#
+# cidr_allow 127.0.0.1/32
+# cidr_allow 192.0.2.0/24
+# cidr_deny 192.0.2.42/32
+
+# Which address to bind to;
+host *
+
+# And which port
+port 4949
\ No newline at end of file
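Review bot: The `allow` lines are the only access control in this file while `host *` makes the node listen on every address of the gateway, and nothing says whose the three public addresses are. A comment above them would help whoever next audits this, for example `# munin masters allowed to poll this node; keep in sync with the shorewall munin_node rule`. Because the file is shipped statically, the list can only change through a commit to this module; if the masters are expected to differ per deployment, a template fed from hiera would avoid that, though this is a suggestion rather than a defect.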
diff --git a/files/puppet/modules/custom_munin_node/manifests/init.pp b/files/puppet/modules/custom_munin_node/manifests/init.pp
new file mode 100644
index 0000000..449b499
--- /dev/null
+++ b/files/puppet/modules/custom_munin_node/manifests/init.pp
@@ -0,0 +1,30 @@
+# Munin configuration for all nodes
+class custom_munin_node {
+ package { 'munin-node':
+ ensure => installed
+ }
+
+ service { 'munin-node':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package[munin-node];
+ }
+
+ file {'/etc/munin':
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => 0;
+ }
+
+ file {'/etc/munin/munin-node.conf':
+ source => 'puppet:///modules/custom_munin_node/munin-node.conf',
+ before => Package['munin-node'],
+ notify => Service['munin-node'],
+ mode => '0644',
+ owner => root,
+ group => 0;
+ }
+}
\ No newline at end of file
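Review bot: The `before => Package['munin-node']` on `/etc/munin/munin-node.conf` inverts the usual package-then-config order and has no comment explaining why. If the intent is that the daemon's first start after installation already uses the managed allow list, say so above the resource, e.g. `# place our config before the package so munin-node never starts with the packaged defaults`; that is my reading, not something the manifest states. Separately, the service's `require => Package[munin-node]` uses an unquoted title while the file resource quotes it; `require => Package['munin-node'];` would be consistent.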
diff --git a/files/puppet/modules/custom_munin_node/manifests/openvpn.pp b/files/puppet/modules/custom_munin_node/manifests/openvpn.pp
new file mode 100644
index 0000000..84ce219
--- /dev/null
+++ b/files/puppet/modules/custom_munin_node/manifests/openvpn.pp
@@ -0,0 +1,35 @@
+# OpenVPN specific stuff
+class custom_munin_node::openvpn {
+
+ package { 'munin-plugins-core':
+ ensure => installed
+ }
+
+ file {'/etc/munin/plugins':
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => 0;
+ }
+
+ file {'/etc/munin/plugins/openvpn':
+ ensure => 'link',
+ target => '/usr/share/munin/plugins/openvpn',
+ before => Package['munin-plugins-core'],
+ owner => root,
+ group => 0;
+ }
+
+ concat{ '/etc/munin/plugin-conf.d/munin-openvpn':
+ owner => root,
+ group => root,
+ mode => '0644';
+ }
+
+ concat::fragment{ 'openvpn_udp':
+ target => '/etc/munin/plugin-conf.d/munin-openvpn',
+ content => "[openvpn]
+user root
+env.statusfile /var/run/openvpn-status-udp";
+ }
+}
\ No newline at end of file
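Review bot: Neither the plugin symlink nor the `concat` for `/etc/munin/plugin-conf.d/munin-openvpn` notifies `Service['munin-node']`, and munin-node reads its plugin directory and plugin configuration when it starts, so on a node where the service is already running the openvpn plugin will not be picked up until something else restarts it. Adding `notify => Service['munin-node'],` to both resources closes that gap. The fragment also runs the plugin as `user root` to read the status file; if the file's permissions allow it, a dedicated group with read access would be a narrower grant, but the status file's mode is not visible in this commit.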
diff --git a/files/puppet/modules/custom_shorewall/manifests/munin_node.pp b/files/puppet/modules/custom_shorewall/manifests/munin_node.pp
new file mode 100644
index 0000000..ab9799b
--- /dev/null
+++ b/files/puppet/modules/custom_shorewall/manifests/munin_node.pp
@@ -0,0 +1,23 @@
+# Shorewall munin rules
+class custom_shorewall::munin_node {
+
+ include site_shorewall::defaults
+ include site_shorewall::ip_forward
+
+ $node_port = '4949'
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.munin_node':
+ content => "PARAM - - tcp ${node_port} ",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+
+ shorewall::rule {
+ 'net2fw-munin_node':
+ source => 'net',
+ destination => '$FW',
+ action => 'munin_node(ACCEPT)',
+ order => 200;
+ }
+}
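Review bot: The `net2fw-munin_node` rule accepts tcp/4949 from the whole `net` zone, so any host in that zone can reach the listener and the `allow` regexes in `munin-node.conf` become the only filter. The munin-node protocol is unauthenticated plain text unless TLS is configured, so the firewall is the better place to limit who can connect. Shorewall's SOURCE column takes a zone followed by a host list, so something like `source => 'net:198.252.153.95,204.13.164.23,199.254.238.23',` (the addresses already listed in the config file) should work if the `shorewall::rule` define passes the value through unchanged, which I have not checked here.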