-rw-r--r-- | .gitmodules | 3 | ||||
m--------- | puppet/modules/couchdb | 0 | ||||
m--------- | puppet/modules/rsyslog | 0 | ||||
-rw-r--r-- | puppet/modules/site_apt/manifests/init.pp | 9 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 6 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/packages/base.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/params.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/resolvconf.pp | 9 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/syslog.pp | 28 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 6 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb | 8 |
11 files changed, 57 insertions, 20 deletions
diff --git a/.gitmodules b/.gitmodules
index 070cb517..0ab46323 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -79,3 +79,6 @@
 [submodule "puppet/modules/vcsrepo"]
 path = puppet/modules/vcsrepo
 url = https://leap.se/git/puppet_vcsrepo
+[submodule "puppet/modules/rsyslog"]
+ path = puppet/modules/rsyslog
+ url = https://leap.se/git/puppet_rsyslog
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject e5bbb903159a94dc3357344d78060343ef47bac
+Subproject d84dfddb0dfc2e5207c90380fb1f7fcf7bc7a72
diff --git a/puppet/modules/rsyslog b/puppet/modules/rsyslog
new file mode 160000
+Subproject 20fbda6b91472e656331a9c64630fb207e9f578
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 3fa9a2b7..9facf4cc 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -1,15 +1,6 @@
 class site_apt {
- # on couchdb we need to include squeeze in apt preferences,
- # so the cloudant package can pull some packages from squeeze
- # template() must be unquoted !
- if 'couchdb' in $::services {
- $custom_preferences = template("site_apt/preferences.include_squeeze")
- } else {
- $custom_preferences = ''
- }
 class { 'apt':
- custom_preferences => $custom_preferences,
 custom_key_dir => 'puppet:///modules/site_apt/keys'
 }
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index a645cb1a..2380066a 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -2,6 +2,7 @@ class site_config::default {
 tag 'leap_base'
 $domain_hash = hiera('domain')
+ include site_config::params
 # make sure apt is updated before any packages are installed
 include apt::update
@@ -32,7 +33,7 @@ class site_config::default {
 include site_config::dhclient
 }
- if ( $::virtual == 'virtualbox' ) {
+ if ( $::site_config::params::environment == 'local' ) {
 include site_config::vagrant
 }
@@ -47,6 +48,9 @@ class site_config::default {
 stage => setup,
 }
+ # install/configure syslog
+ include site_config::syslog
+
 # install/remove base packages
 include site_config::packages::base
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp
index 94ff679b..3e1d4a67 100644
--- a/puppet/modules/site_config/manifests/packages/base.pp
+++ b/puppet/modules/site_config/manifests/packages/base.pp
@@ -1,5 +1,7 @@
 class site_config::packages::base {
+ include site_config::params
+
 # base set of packages that we want to have installed everywhere
 package { [ 'etckeeper', 'screen', 'less' ]:
 ensure => installed,
@@ -15,7 +17,7 @@ class site_config::packages::base {
 ensure => absent;
 }
- if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ {
+ if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ {
 $dev_packages_ensure = present
 } else {
 $dev_packages_ensure = absent
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 59a161e8..2ef391db 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -3,8 +3,10 @@ class site_config::params {
 $ip_address = hiera('ip_address')
 $ip_address_interface = getvar("interface_${ip_address}")
 $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
+ $environment = hiera('environment')
- if $::virtual == 'virtualbox' {
+
+ if $environment == 'local' {
 $interface = 'eth1'
 } elsif hiera('interface','') != '' {
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
index 271c5043..b307f18b 100644
--- a/puppet/modules/site_config/manifests/resolvconf.pp
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
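Review bot: `$environment = hiera('environment')` in the params.pp hunk has no default, so a node whose hiera data lacks the key now fails catalog compilation, whereas the `$::virtual` fact it replaces always existed; failing closed is the right outcome for a value that switches on dev packages (base.pp hunk) and the vagrant profile (default.pp hunk), but the requirement should be stated where the lookup happens, e.g. `# 'environment' is a required hiera key; 'local' enables dev packages and site_config::vagrant`. Puppet also provides a top-scope `$environment` (the agent's environment), so this class-scope assignment shadows it — presumably accepted by the Puppet version in use, but a distinct name such as `$site_environment` would remove the ambiguity at the `$::site_config::params::environment` call sites. The enclosing class continues outside the hunk.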
@@ -2,12 +2,13 @@ class site_config::resolvconf {
 $domain_public = $site_config::default::domain_hash['full_suffix']
- # 127.0.0.1: caching-only local bind
- # 87.118.100.175: http://server.privacyfoundation.de
- # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html
 class { '::resolvconf':
 domain => $domain_public,
 search => $domain_public,
- nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ]
+ nameservers => [
+ '127.0.0.1 # local caching-only, unbound',
+ '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)',
+ '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)'
+ ]
 }
 }
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
new file mode 100644
index 00000000..73d4f58f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -0,0 +1,28 @@
+class site_config::syslog {
+
+ # we need to pull in rsyslog from the leap repository until it is availbale in
+ # wheezy-backports
+ apt::preferences_snippet { 'fixed_rsyslog_anon_package':
+ package => 'rsyslog-*',
+ priority => '999',
+ pin => 'release o=leap.se',
+ before => Class['rsyslog::install']
+ }
+
+ apt::preferences_snippet { 'rsyslog_anon_depends':
+ package => 'libestr0 librelp0',
+ priority => '999',
+ pin => 'release a=wheezy-backports',
+ before => Class['rsyslog::install']
+ }
+
+ class { 'rsyslog::client':
+ log_remote => false,
+ log_local => true
+ }
+
+ rsyslog::snippet { '00-anonymize_logs':
+ content => '$ModLoad mmanon
+action(type="mmanon" ipv4.bits="32" mode="rewrite")'
+ }
+}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 61fefd0a..42146741 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
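Review bot: The attribution comments have moved inside the `nameservers` string values (`'127.0.0.1 # local caching-only, unbound'` and the two entries below it), so whether they end up as harmless trailing comments or corrupt the `nameserver` lines depends on the resolvconf module writing each value verbatim and on the resolver ignoring text after the address. Keeping the array to bare addresses and putting the provenance in Puppet comments above it, as the removed lines did, avoids that dependency: `nameservers => [ '127.0.0.1', '85.214.20.141', '62.141.58.13' ]`. The comments are also the only record that the two non-local entries are third-party resolvers that see whatever the local cache cannot answer, which is worth keeping as a why-comment rather than as payload.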
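Review bot: The `00-anonymize_logs` snippet only anonymizes messages if its `action(type="mmanon" …)` is evaluated before every output rule, and whether that holds depends on where the rsyslog module's main configuration includes its snippet directory relative to the rules it generates for `rsyslog::client`; if the includes come after the default file outputs, addresses reach the local logs unmodified and the pin to `o=leap.se` buys nothing. This is worth verifying on a provisioned node and recording next to the resource, e.g. `# must be evaluated before any output action: relies on the rsyslog.d snippets being included ahead of the module's rules`. Minor: `availbale` in the comment should be `available`.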
@@ -62,6 +62,12 @@ class site_openvpn {
 $openvpn_limited_udp_cidr = '21'
 }
+ # find out the netmask in cidr format of the primary IF
+ # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
+ # we can do this using an inline_template:
+ $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
+ $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+
 # deploy dh keys
 include site_openvpn::dh_key
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index 05f3d16b..e76b756b 100644
--- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -1,11 +1,11 @@
 #!/bin/sh
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 ||
- ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> ||
+ ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
 <% if @openvpn_second_gateway_address %>
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
- ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> ||
+ ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
 <% end %>
 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
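Review bot: `$primary_netmask` is obtained through `inline_template` with a bare `factname_primary_netmask` reference, which only resolves through Puppet 3's deprecated template variable lookup, and if the `netmask_cidr_<interface>` fact is missing the value is empty, so add_gateway_ips.sh.erb (next hunk) renders `ip addr add <address>/ dev <interface>` and the gateway address is never configured. params.pp in this same commit already resolves dynamic fact names with stdlib's `getvar`, so the same idiom fits here and lets the catalog fail closed instead of shipping a broken script: `$primary_netmask = getvar("netmask_cidr_${::site_config::params::interface}")` followed by `validate_re("${primary_netmask}", '^[0-9]+$', "no netmask_cidr fact for ${::site_config::params::interface}")`. The enclosing class continues outside the hunk.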
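Review bot: The presence check `grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %>` on the rewritten lines treats the dotted quad as a regular expression and matches it anywhere in the `ip addr show` output, so an unrelated address that merely ends in the gateway (`110.0.0.1/24` for a gateway of `10.0.0.1/24`) satisfies the test and the real gateway address is silently not added. Anchoring on the `inet` keyword and matching literally closes that: `grep -qF "inet <%= @openvpn_gateway_address %>/<%= @primary_netmask %> "`, applied to both the primary and the second-gateway line.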