-rw-r--r--.gitmodules24
-rw-r--r--README7
-rw-r--r--config/defaults.yaml7
-rw-r--r--config/eip/cougar.leap.se.yaml10
-rw-r--r--config/eip/defaults.yaml5
-rw-r--r--config/hosts/cougar.leap.se.yaml3
-rwxr-xr-xdeploy.sh23
-rw-r--r--puppet/hiera.yaml23
-rw-r--r--puppet/manifests/site.pp30
m---------puppet/modules/apt0
m---------puppet/modules/common0
m---------puppet/modules/concat0
m---------puppet/modules/git0
m---------puppet/modules/lsb0
m---------puppet/modules/ntp9
m---------puppet/modules/openvpn8
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp43
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp112
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp1
-rw-r--r--puppet/modules/site_sshd/manifests/ssh_key.pp3
m---------puppet/modules/sshd0
21 files changed, 308 insertions, 0 deletions
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..8f2fd482
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,24 @@
+[submodule "puppet/modules/openvpn"]
+ path = puppet/modules/openvpn
+ url = git://github.com/luxflux/puppet-openvpn.git
+[submodule "puppet/modules/concat"]
+ path = puppet/modules/concat
+ url = git://code.leap.se/puppet_concat
+[submodule "puppet/modules/sshd"]
+ path = puppet/modules/sshd
+ url = git://labs.riseup.net/shared-sshd
+[submodule "puppet/modules/apt"]
+ path = puppet/modules/apt
+ url = git://code.leap.se/puppet_apt
+[submodule "puppet/modules/lsb"]
+ path = puppet/modules/lsb
+ url = git://labs.riseup.net/shared-lsb
+[submodule "puppet/modules/ntp"]
+ path = puppet/modules/ntp
+ url = git://github.com/puppetlabs/puppetlabs-ntp.git
+[submodule "puppet/modules/git"]
+ path = puppet/modules/git
+ url = git://code.leap.se/puppet_git
+[submodule "puppet/modules/common"]
+ path = puppet/modules/common
+ url = git://labs.riseup.net/shared-common
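Review bot: All eight `url =` entries in this hunk use the `git://` transport, which gives neither server authentication nor transport integrity, and deploy.sh in this same commit runs `git submodule update` and then applies the fetched Puppet code as root, so the whole configuration management tree is pulled over a channel that anyone on the network path can alter. For the hosts that offer it, an authenticated transport should be used instead, e.g. `url = https://github.com/luxflux/puppet-openvpn.git` (or an SSH URL with a known host key). The pinned submodule commits in the other hunks only fix which revision is checked out; they do not replace reviewing that revision before it is trusted to run with root privileges.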
diff --git a/README b/README
new file mode 100644
index 00000000..73f219a1
--- /dev/null
+++ b/README
@@ -0,0 +1,7 @@
+...
+
+Installation
+------------
+
+- Edit /etc/leap/hieradata/common.yaml for your needs
+- Run the deploy.sh script as root
diff --git a/config/defaults.yaml b/config/defaults.yaml
new file mode 100644
index 00000000..62f047e3
--- /dev/null
+++ b/config/defaults.yaml
@@ -0,0 +1,7 @@
+---
+testpw: secret
+services: - none
+
+ssh_keys:
+ test_key:
+ key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ
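Review bot: `services: - none` is not a YAML block sequence, because a sequence entry has to start on its own line under the key, so depending on the parser this line either fails to load or yields the plain string `- none` rather than a one-element list, and `hiera_array('services')` in site.pp will not receive the list the manifest expects. The same shape appears in config/eip/defaults.yaml (`openvpn_server_configs: -`) and config/hosts/cougar.leap.se.yaml (`services: - eip` followed by an indented `- couchdb`); writing the key on its own line and each entry as `  - none` on the following lines fixes all three. Separately, `testpw: secret` is a credential-shaped value in a committed defaults file; if it is only a fixture a comment should say so, and if it is ever meant to be real it belongs in hiera data that is not tracked in the repository.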
diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml
new file mode 100644
index 00000000..2bbd71e0
--- /dev/null
+++ b/config/eip/cougar.leap.se.yaml
@@ -0,0 +1,10 @@
+---
+openvpn_server_configs:
+ port80_tcp:
+ port: 80
+ proto: tcp-server
+ port1194_udp:
+ port: 1194
+ proto: udp
+
+#tor: 'false'
diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml
new file mode 100644
index 00000000..29022408
--- /dev/null
+++ b/config/eip/defaults.yaml
@@ -0,0 +1,5 @@
+---
+# make shure 'false' is quoted
+tor: 'false'
+openvpn_server_configs: -
+
diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml
new file mode 100644
index 00000000..5cf37bb1
--- /dev/null
+++ b/config/hosts/cougar.leap.se.yaml
@@ -0,0 +1,3 @@
+---
+services: - eip
+ - couchdb
diff --git a/deploy.sh b/deploy.sh
new file mode 100755
index 00000000..0db6cf91
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -x
+#
+# missing: header, licence, usage
+
+PUPPET_ENV='--confdir=puppet'
+
+install_prerequisites () {
+ apt-get update
+ apt-get install puppet git
+
+ # lsb is needed for a first puppet run
+ puppet apply $PUPPET_ENV --execute 'include lsb'
+ git submodule init
+ git submodule update
+}
+
+# main
+
+# commented for testing purposes
+install_prerequisites
+
+puppet apply $PUPPET_ENV puppet/manifests/site.pp $@
+
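Review bot: The script never stops on a failed step: `apt-get install puppet git` runs without `-y` and can exit non-zero at the confirmation prompt, and if `git submodule init`/`git submodule update` fail the final `puppet apply` still runs as root against an incomplete module tree. Adding `set -e` after the shebang (or `|| exit 1` on each command) makes a failed prerequisite abort the run, and the install line should read `apt-get install -y puppet git`. The last line should also quote its arguments, `puppet apply $PUPPET_ENV puppet/manifests/site.pp "$@"`, so that arguments containing spaces reach puppet intact. The comment `# commented for testing purposes` no longer matches the line below it, which is active, and should be removed or reworded.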
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
new file mode 100644
index 00000000..a992c057
--- /dev/null
+++ b/puppet/hiera.yaml
@@ -0,0 +1,23 @@
+---
+:backends:
+ - yaml
+ - puppet
+
+:logger: console
+
+:hierarchy:
+ - hosts/%{fqdn}
+ - ca/%{fqdn}
+ - ca/defaults
+ - eip/%{fqdn}
+ - eip/defaults
+# more services following
+ - defaults
+
+# relative from where puppet is run, so we need to run puppet
+# from the root dir of the leap_platform repo
+:yaml:
+ :datadir: config
+
+:puppet:
+ :datasource: data
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
new file mode 100644
index 00000000..5f58a733
--- /dev/null
+++ b/puppet/manifests/site.pp
@@ -0,0 +1,30 @@
+node 'default' {
+
+ # include some basic classes
+ # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ?
+ include concat::setup
+ include apt, lsb, git
+ import "common"
+
+ $services=hiera_array('services')
+ notice("Services for $fqdn: $services")
+
+ # configure ssh and inculde ssh-keys
+ #include sshd
+ $ssh_keys=hiera_hash('ssh_keys')
+ include site_sshd
+ notice($ssh_keys)
+ create_resources('site_sshd::ssh_key', $ssh_keys)
+
+
+ if 'eip' in $services {
+ include site_openvpn
+
+ $tor=hiera('tor')
+ notice("Tor enabled: $tor")
+
+ $openvpn_configs=hiera('openvpn_server_configs')
+ create_resources('site_openvpn::server_config', $openvpn_configs)
+ }
+
+}
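Review bot: `create_resources('site_openvpn::server_config', $openvpn_configs)` is handed whatever `hiera('openvpn_server_configs')` returns, and config/eip/defaults.yaml in this commit supplies a non-hash placeholder for that key, so a host that lists `eip` without its own `openvpn_server_configs` entry will presumably fail at catalog compile rather than simply create no servers; making the hiera default an empty hash (`openvpn_server_configs: {}`) and documenting with a comment that the key must be a hash of `server_config` parameter sets avoids that. `$tor` is looked up and logged but nothing in this hunk uses it, so either the consumer is still to come (worth a `# TODO` comment) or the lookup can go. `notice($ssh_keys)` prints the entire key hash at notice level on every run and reads like leftover debugging output; if it stays, a comment should say why it is wanted in the logs.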
diff --git a/puppet/modules/apt b/puppet/modules/apt
new file mode 160000
+Subproject 02bd3269948f1a3c5a586e581a7fec22da69a2c
diff --git a/puppet/modules/common b/puppet/modules/common
new file mode 160000
+Subproject 0961ad453b8befb4ea61bbd19f6ecea32b9619c
diff --git a/puppet/modules/concat b/puppet/modules/concat
new file mode 160000
+Subproject abce1280e07b544d8455f1572dd870bbd2f1489
diff --git a/puppet/modules/git b/puppet/modules/git
new file mode 160000
+Subproject 497a1034489e0dc3cab5dab2fb0a85778576973
diff --git a/puppet/modules/lsb b/puppet/modules/lsb
new file mode 160000
+Subproject 3742c1a00c5602154a81834443ec5b0ca32c4ca
diff --git a/puppet/modules/ntp b/puppet/modules/ntp
new file mode 160000
+Subproject 27f2bc72110b1001233eb0907aa07e06cdf3319
diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn
new file mode 160000
+Subproject 25f1fe8d813f6128068d890a40f5e24be78fb47
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
new file mode 100644
index 00000000..c83b98c7
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -0,0 +1,43 @@
+class site_openvpn {
+ package {
+ "openvpn":
+ ensure => installed;
+ }
+ service {
+ "openvpn":
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec["concat_/etc/default/openvpn"];
+ }
+ file {
+ "/etc/openvpn":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ include concat::setup
+
+ concat {
+ "/etc/default/openvpn":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service["openvpn"];
+ }
+
+ concat::fragment {
+ "openvpn.default.header":
+ content => template("openvpn/etc-default-openvpn.erb"),
+ target => "/etc/default/openvpn",
+ order => 01;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=all",
+ target => "/etc/default/openvpn",
+ order => 10;
+ }
+}
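Review bot: `require => Exec["concat_/etc/default/openvpn"]` on the openvpn service ties this class to an internal resource name of the concat module rather than to its public interface; `require => Concat['/etc/default/openvpn']` expresses the same ordering without depending on how that module is implemented, and since the concat resource already carries `notify => Service["openvpn"]` the explicit require may be redundant. `mode => 644` is an unquoted integer; Puppet file modes should be quoted strings, `mode => '0644'`, to avoid the octal/decimal ambiguity, and the same applies to the concat in server_config.pp. `order => 01` should likewise be the quoted string `'01'` if, as is usual for concat, fragment names are sorted as strings. Note also that `${name}` inside a class body resolves to the class name, so the fragment title `openvpn.default.autostart.${name}` is a fixed value and could simply be written out.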
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..4a130d13
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -0,0 +1,112 @@
+define site_openvpn::server_config($port, $proto) {
+ $openvpn_configname=$name
+ notice("Creating OpenVPN $openvpn_configname:
+ Port: $port, Protocol: $proto")
+
+ file {
+ "/etc/openvpn/${name}":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ concat {
+ "/etc/openvpn/${openvpn_configname}.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File["/etc/openvpn"],
+ notify => Service["openvpn"];
+ }
+
+
+
+ openvpn::option {
+ "ca ${openvpn_configname}":
+ key => "ca",
+ value => "/etc/openvpn/ca.crt",
+ #require => Exec["initca ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "cert ${openvpn_configname}":
+ key => "cert",
+ value => "/etc/openvpn/${openvpn_configname}/server.crt",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "key ${openvpn_configname}":
+ key => "key",
+ value => "/etc/openvpn/${openvpn_configname}/server.key",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dh ${openvpn_configname}":
+ key => "dh",
+ value => "/etc/openvpn/dh1024.pem",
+ #require => Exec["generate dh param ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dev $openvpn_configname":
+ key => "dev",
+ value => "tun",
+ server => "$openvpn_configname";
+ "mode ${openvpn_configname}":
+ key => 'mode',
+ value => 'server',
+ server => $openvpn_configname;
+ "script-security $openvpn_configname":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_configname";
+ "daemon $openvpn_configname":
+ key => "daemon",
+ server => "$openvpn_configname";
+ "keepalive $openvpn_configname":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_configname";
+ "ping-timer-rem $openvpn_configname":
+ key => "ping-timer-rem",
+ server => "$openvpn_configname";
+ "persist-tun $openvpn_configname":
+ key => "persist-tun",
+ server => "$openvpn_configname";
+ "persist-key $openvpn_configname":
+ key => "persist-key",
+ server => "$openvpn_configname";
+ "proto $openvpn_configname":
+ key => "proto",
+ value => "$proto",
+ server => "$openvpn_configname";
+ "cipher $openvpn_configname":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_configname";
+ "local $openvpn_configname":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_configname";
+ "tls-server $openvpn_configname":
+ key => "tls-server",
+ server => "$openvpn_configname";
+ #"server $openvpn_configname":
+ # key => "server",
+ # value => "$server",
+ # server => "$openvpn_configname";
+ "lport $openvpn_configname":
+ key => "lport",
+ value => "$port",
+ server => "$openvpn_configname";
+ "management $openvpn_configname":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_configname.sock unix",
+ server => "$openvpn_configname";
+ "comp-lzo $openvpn_configname":
+ key => "comp-lzo",
+ server => "$openvpn_configname";
+ "topology $openvpn_configname":
+ key => "topology",
+ value => "subnet",
+ server => "$openvpn_configname";
+ #"client-to-client $openvpn_configname":
+ # key => "client-to-client",
+ # server => "$openvpn_configname";
+ }
+
+}
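Review bot: `script-security` is set to `3` although no `up`, `down` or `auth-user-pass-verify` script is configured anywhere in this define, so the server is granted the most permissive script level (external scripts plus passwords passed through the environment) for nothing; drop the option, or set the lowest level the deployment actually needs once a script is added. The crypto parameters are the weakest choices in the file: `BF-CBC` is a 64-bit-block cipher and `dh1024.pem` a 1024-bit DH group, so `value => "AES-256-CBC"` for the cipher and a 2048-bit (or larger) DH parameter file are the minimum I would accept, with the server certificate and key paths ideally complemented by a `tls-auth` key. The `management` socket at `/var/run/openvpn-$openvpn_configname.sock` gives control of the daemon to any local process that can connect to it and no `management-client-user` restriction is set, so the socket's ownership and permissions need to be deliberately tightened rather than left to the daemon's defaults. Finally, `value => $ipaddress` reads a top-scope fact from inside a define; writing it as `$::ipaddress` makes that intent explicit and avoids picking up a same-named variable from an enclosing scope.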
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
new file mode 100644
index 00000000..630e9bdf
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -0,0 +1 @@
+class site_sshd {}
diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp
new file mode 100644
index 00000000..b47b2ebd
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/ssh_key.pp
@@ -0,0 +1,3 @@
+define site_sshd::ssh_key($key) {
+ # ... todo: deploy ssh_key
+}
diff --git a/puppet/modules/sshd b/puppet/modules/sshd
new file mode 160000
+Subproject bd2e283ab59430a7b3194804f1c8da7a9b58f8f