-rw-r--r-- | .gitmodules | 24 | ||||
-rw-r--r-- | README | 7 | ||||
-rw-r--r-- | config/defaults.yaml | 7 | ||||
-rw-r--r-- | config/eip/cougar.leap.se.yaml | 10 | ||||
-rw-r--r-- | config/eip/defaults.yaml | 5 | ||||
-rw-r--r-- | config/hosts/cougar.leap.se.yaml | 3 | ||||
-rwxr-xr-x | deploy.sh | 23 | ||||
-rw-r--r-- | puppet/hiera.yaml | 23 | ||||
-rw-r--r-- | puppet/manifests/site.pp | 30 | ||||
m--------- | puppet/modules/apt | 0 | ||||
m--------- | puppet/modules/common | 0 | ||||
m--------- | puppet/modules/concat | 0 | ||||
m--------- | puppet/modules/git | 0 | ||||
m--------- | puppet/modules/lsb | 0 | ||||
m--------- | puppet/modules/ntp | 9 | ||||
m--------- | puppet/modules/openvpn | 8 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 43 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 112 | ||||
-rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_sshd/manifests/ssh_key.pp | 3 | ||||
m--------- | puppet/modules/sshd | 0 |
21 files changed, 308 insertions, 0 deletions
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..8f2fd482
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,24 @@
+[submodule "puppet/modules/openvpn"]
+ path = puppet/modules/openvpn
+ url = git://github.com/luxflux/puppet-openvpn.git
+[submodule "puppet/modules/concat"]
+ path = puppet/modules/concat
+ url = git://code.leap.se/puppet_concat
+[submodule "puppet/modules/sshd"]
+ path = puppet/modules/sshd
+ url = git://labs.riseup.net/shared-sshd
+[submodule "puppet/modules/apt"]
+ path = puppet/modules/apt
+ url = git://code.leap.se/puppet_apt
+[submodule "puppet/modules/lsb"]
+ path = puppet/modules/lsb
+ url = git://labs.riseup.net/shared-lsb
+[submodule "puppet/modules/ntp"]
+ path = puppet/modules/ntp
+ url = git://github.com/puppetlabs/puppetlabs-ntp.git
+[submodule "puppet/modules/git"]
+ path = puppet/modules/git
+ url = git://code.leap.se/puppet_git
+[submodule "puppet/modules/common"]
+ path = puppet/modules/common
+ url = git://labs.riseup.net/shared-common
@@ -0,0 +1,7 @@
+...
+
+Installation
+------------
+
+- Edit /etc/leap/hieradata/common.yaml for your needs
+- Run the deploy.sh script as root
diff --git a/config/defaults.yaml b/config/defaults.yaml
new file mode 100644
index 00000000..62f047e3
--- /dev/null
+++ b/config/defaults.yaml
@@ -0,0 +1,7 @@
+---
+testpw: secret
+services: - none
+
+ssh_keys:
+ test_key:
+ key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ
diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml
new file mode 100644
index 00000000..2bbd71e0
--- /dev/null
+++ b/config/eip/cougar.leap.se.yaml
@@ -0,0 +1,10 @@
+---
+openvpn_server_configs:
+ port80_tcp:
+ port: 80
+ proto: tcp-server
+ port1194_udp:
+ port: 1194
+ proto: udp
+
+#tor: 'false'
diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml
new file mode 100644
index 00000000..29022408
--- /dev/null
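Review bot: All eight `url =` lines fetch over the unauthenticated git:// transport, so nothing on the wire verifies which server answers the `git submodule update` that deploy.sh runs as root. The recorded submodule commits pin the content (a substituted tree would have to match the pinned SHA-1), but the transport still offers no server authentication and gives an on-path party an easy way to break or stall a deploy. Switching the URLs to `https://` (or ssh where code.leap.se and labs.riseup.net offer it) costs nothing and keeps the pinning; if a mirror only speaks git://, say so in the README so deployers know that fetch is unauthenticated.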
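Review bot: `services: - none` starts a block sequence on the same line as its key, which the YAML spec does not allow even though libyaml-based parsers (Ruby's Psych among them) happen to accept it; the same shape appears as `services: - eip` in config/hosts/cougar.leap.se.yaml and `openvpn_server_configs: -` in config/eip/defaults.yaml. Writing the key on its own line followed by an indented `  - none` is portable and also makes the intended structure obvious to a reader. `testpw: secret` is a credential-shaped value in a tracked defaults file that hiera serves to every node; nothing in site.pp in this commit reads it, so drop it, or move real secrets out of the repository before a non-placeholder value lands here.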
+++ b/config/eip/defaults.yaml
@@ -0,0 +1,5 @@
+---
+# make shure 'false' is quoted
+tor: 'false'
+openvpn_server_configs: -
+
diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml
new file mode 100644
index 00000000..5cf37bb1
--- /dev/null
+++ b/config/hosts/cougar.leap.se.yaml
@@ -0,0 +1,3 @@
+---
+services: - eip
+ - couchdb
diff --git a/deploy.sh b/deploy.sh
new file mode 100755
index 00000000..0db6cf91
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -x
+#
+# missing: header, licence, usage
+
+PUPPET_ENV='--confdir=puppet'
+
+install_prerequisites () {
+ apt-get update
+ apt-get install puppet git
+
+ # lsb is needed for a first puppet run
+ puppet apply $PUPPET_ENV --execute 'include lsb'
+ git submodule init
+ git submodule update
+}
+
+# main
+
+# commented for testing purposes
+install_prerequisites
+
+puppet apply $PUPPET_ENV puppet/manifests/site.pp $@
+
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
new file mode 100644
index 00000000..a992c057
--- /dev/null
+++ b/puppet/hiera.yaml
@@ -0,0 +1,23 @@
+---
+:backends:
+ - yaml
+ - puppet
+
+:logger: console
+
+:hierarchy:
+ - hosts/%{fqdn}
+ - ca/%{fqdn}
+ - ca/defaults
+ - eip/%{fqdn}
+ - eip/defaults
+# more services following
+ - defaults
+
+# relative from where puppet is run, so we need to run puppet
+# from the root dir of the leap_platform repo
+:yaml:
+ :datadir: config
+
+:puppet:
+ :datasource: data
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
new file mode 100644
index 00000000..5f58a733
--- /dev/null
+++ b/puppet/manifests/site.pp
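Review bot: `openvpn_server_configs: -` is, at best, a sequence holding one null entry, but site.pp hands `hiera('openvpn_server_configs')` straight to `create_resources('site_openvpn::server_config', ...)`, which needs a hash of title to parameters; any host with `eip` in its services but no `eip/<fqdn>.yaml` override therefore fails at catalog compile instead of getting "no servers". An empty hash, `openvpn_server_configs: {}`, is the default that matches the consumer. The comment has a typo and should read `# make sure 'false' is quoted`.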
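Review bot: The final `puppet apply $PUPPET_ENV puppet/manifests/site.pp $@` passes the script's arguments unquoted, so any argument containing whitespace is re-split by the shell; use `"$@"`. There is no `set -e`, so a failed `apt-get update` or `git submodule update` is traced by `-x` and then ignored, and the run continues into `puppet apply` with whatever modules happen to be present. Both `--confdir=puppet` and hiera's `:datadir: config` are relative paths, so the script only works from the repository root; a `cd "$(dirname "$0")"` near the top would make the README's "run deploy.sh as root" instruction hold from any directory. The comment `# commented for testing purposes` above `install_prerequisites` no longer matches the code, which does call it, and `apt-get install puppet git` will prompt interactively unless given `-y`.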
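Review bot: The lowest hierarchy level is `defaults` under `:datadir: config`, while the README in this same commit tells deployers to edit `/etc/leap/hieradata/common.yaml`, a path no level here reads, so edits made as instructed are silently ignored. Either add a level backed by an absolute `:datadir` for site-local overrides, or change the README to point at `config/defaults.yaml` and `config/hosts/<fqdn>.yaml`. The comment about running puppet from the repository root is the right caveat, but it is enforced nowhere; it would be worth repeating it in the README's Installation steps.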
@@ -0,0 +1,30 @@
+node 'default' {
+
+ # include some basic classes
+ # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ?
+ include concat::setup
+ include apt, lsb, git
+ import "common"
+
+ $services=hiera_array('services')
+ notice("Services for $fqdn: $services")
+
+ # configure ssh and inculde ssh-keys
+ #include sshd
+ $ssh_keys=hiera_hash('ssh_keys')
+ include site_sshd
+ notice($ssh_keys)
+ create_resources('site_sshd::ssh_key', $ssh_keys)
+
+
+ if 'eip' in $services {
+ include site_openvpn
+
+ $tor=hiera('tor')
+ notice("Tor enabled: $tor")
+
+ $openvpn_configs=hiera('openvpn_server_configs')
+ create_resources('site_openvpn::server_config', $openvpn_configs)
+ }
+
+}
diff --git a/puppet/modules/apt b/puppet/modules/apt
new file mode 160000
+Subproject 02bd3269948f1a3c5a586e581a7fec22da69a2c
diff --git a/puppet/modules/common b/puppet/modules/common
new file mode 160000
+Subproject 0961ad453b8befb4ea61bbd19f6ecea32b9619c
diff --git a/puppet/modules/concat b/puppet/modules/concat
new file mode 160000
+Subproject abce1280e07b544d8455f1572dd870bbd2f1489
diff --git a/puppet/modules/git b/puppet/modules/git
new file mode 160000
+Subproject 497a1034489e0dc3cab5dab2fb0a85778576973
diff --git a/puppet/modules/lsb b/puppet/modules/lsb
new file mode 160000
+Subproject 3742c1a00c5602154a81834443ec5b0ca32c4ca
diff --git a/puppet/modules/ntp b/puppet/modules/ntp
new file mode 160000
+Subproject 27f2bc72110b1001233eb0907aa07e06cdf3319
diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn
new file mode 160000
+Subproject 25f1fe8d813f6128068d890a40f5e24be78fb47
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
new file mode 100644
index 00000000..c83b98c7
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/init.pp
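Review bot: `import "common"` looks like it was meant to be `include common`: Puppet's `import` loads manifest files by path relative to site.pp rather than a class from the puppet/modules/common submodule, so as written it most likely fails to find a file or loads nothing (worth confirming against the Puppet version in use, since older releases resolved some module paths). `notice($ssh_keys)` dumps the entire merged hash into the agent log on every run; together with `notice("Services for $fqdn: $services")` and `notice("Tor enabled: $tor")` it reads as bring-up debugging and should go once the host works. The comment `# configure ssh and inculde ssh-keys` has a typo; `# configure ssh and include ssh-keys`.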
@@ -0,0 +1,43 @@
+class site_openvpn {
+ package {
+ "openvpn":
+ ensure => installed;
+ }
+ service {
+ "openvpn":
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec["concat_/etc/default/openvpn"];
+ }
+ file {
+ "/etc/openvpn":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ include concat::setup
+
+ concat {
+ "/etc/default/openvpn":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service["openvpn"];
+ }
+
+ concat::fragment {
+ "openvpn.default.header":
+ content => template("openvpn/etc-default-openvpn.erb"),
+ target => "/etc/default/openvpn",
+ order => 01;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=all",
+ target => "/etc/default/openvpn",
+ order => 10;
+ }
+}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..4a130d13
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
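Review bot: `mode => 644` on the `/etc/default/openvpn` concat (and again in server_config.pp) is a bare integer where Puppet expects a mode string, and an unquoted number is easily misread as octal; write `mode => '0644'`, and quote `order => '01'` / `order => '10'` for the same reason, since the concat module uses the order as a filename prefix and sorts it as text. `"openvpn.default.autostart.${name}"` is inside a class, where `$name` is the class name rather than a define's title, so the fragment is always `openvpn.default.autostart.site_openvpn`; if that is intended, a literal title says so without the indirection. `require => Exec["concat_/etc/default/openvpn"]` on the service binds to an internal resource title of the concat submodule; `require => Concat["/etc/default/openvpn"]` would survive a module update.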
@@ -0,0 +1,112 @@
+define site_openvpn::server_config($port, $proto) {
+ $openvpn_configname=$name
+ notice("Creating OpenVPN $openvpn_configname:
+ Port: $port, Protocol: $proto")
+
+ file {
+ "/etc/openvpn/${name}":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ concat {
+ "/etc/openvpn/${openvpn_configname}.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File["/etc/openvpn"],
+ notify => Service["openvpn"];
+ }
+
+
+
+ openvpn::option {
+ "ca ${openvpn_configname}":
+ key => "ca",
+ value => "/etc/openvpn/ca.crt",
+ #require => Exec["initca ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "cert ${openvpn_configname}":
+ key => "cert",
+ value => "/etc/openvpn/${openvpn_configname}/server.crt",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "key ${openvpn_configname}":
+ key => "key",
+ value => "/etc/openvpn/${openvpn_configname}/server.key",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dh ${openvpn_configname}":
+ key => "dh",
+ value => "/etc/openvpn/dh1024.pem",
+ #require => Exec["generate dh param ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dev $openvpn_configname":
+ key => "dev",
+ value => "tun",
+ server => "$openvpn_configname";
+ "mode ${openvpn_configname}":
+ key => 'mode',
+ value => 'server',
+ server => $openvpn_configname;
+ "script-security $openvpn_configname":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_configname";
+ "daemon $openvpn_configname":
+ key => "daemon",
+ server => "$openvpn_configname";
+ "keepalive $openvpn_configname":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_configname";
+ "ping-timer-rem $openvpn_configname":
+ key => "ping-timer-rem",
+ server => "$openvpn_configname";
+ "persist-tun $openvpn_configname":
+ key => "persist-tun",
+ server => "$openvpn_configname";
+ "persist-key $openvpn_configname":
+ key => "persist-key",
+ server => "$openvpn_configname";
+ "proto $openvpn_configname":
+ key => "proto",
+ value => "$proto",
+ server => "$openvpn_configname";
+ "cipher $openvpn_configname":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_configname";
+ "local $openvpn_configname":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_configname";
+ "tls-server $openvpn_configname":
+ key => "tls-server",
+ server => "$openvpn_configname";
+ #"server $openvpn_configname":
+ # key => "server",
+ # value => "$server",
+ # server => "$openvpn_configname";
+ "lport $openvpn_configname":
+ key => "lport",
+ value => "$port",
+ server => "$openvpn_configname";
+ "management $openvpn_configname":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_configname.sock unix",
+ server => "$openvpn_configname";
+ "comp-lzo $openvpn_configname":
+ key => "comp-lzo",
+ server => "$openvpn_configname";
+ "topology $openvpn_configname":
+ key => "topology",
+ value => "subnet",
+ server => "$openvpn_configname";
+ #"client-to-client $openvpn_configname":
+ # key => "client-to-client",
+ # server => "$openvpn_configname";
+ }
+
+}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
new file mode 100644
index 00000000..630e9bdf
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -0,0 +1 @@
+class site_sshd {}
diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp
new file mode 100644
index 00000000..b47b2ebd
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/ssh_key.pp
@@ -0,0 +1,3 @@
+define site_sshd::ssh_key($key) {
+ # ... todo: deploy ssh_key
+}
diff --git a/puppet/modules/sshd b/puppet/modules/sshd
new file mode 160000
+Subproject bd2e283ab59430a7b3194804f1c8da7a9b58f8f |
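Review bot: The crypto parameters hard-coded into every server instance are weak: `value => "BF-CBC"` selects a 64-bit-block cipher, which is unsafe for long-lived, high-volume tunnels, and `value => "/etc/openvpn/dh1024.pem"` is a 1024-bit DH group, so these two `value` lines should move to an AES cipher (`"AES-256-CBC"`, or a GCM mode where the installed OpenVPN supports it) and a 2048-bit or larger DH file, and `comp-lzo` is worth dropping since compression of attacker-influenced plaintext inside a tunnel leaks data. `script-security` is set to `"3"` although no `up`/`down`/`auth-user-pass-verify` script is configured here; that is the most permissive level (OpenVPN's own manual marks it as passing passwords to scripts via the environment), so omit the option until a script needs it and then use the lowest level that works. The management socket `/var/run/openvpn-$openvpn_configname.sock unix` is declared without `management-client-user`/`management-client-group`, so access to the daemon's control channel rests only on the socket's filesystem permissions; restrict it to root. `mode => 644` has the same quoting issue as in init.pp, and the three blank lines before `openvpn::option` are a style nit.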
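Review bot: `site_sshd::ssh_key` accepts `$key` and does nothing with it, so the `create_resources('site_sshd::ssh_key', $ssh_keys)` call in site.pp succeeds while no key reaches the host and the run reports success for something that did not happen; until the deploy is written, a `warning("site_sshd::ssh_key ${name}: not implemented, key not deployed")` (or `fail`) in the body makes that visible. The `# ... todo: deploy ssh_key` comment could name the intended mechanism, e.g. `# TODO: manage an ssh_authorized_key resource for root from $key`.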