-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | platform.rb | 2 | ||||
-rw-r--r-- | provider_base/services/monitor.json | 9 | ||||
m--------- | puppet/modules/check_mk | 0 | ||||
m--------- | puppet/modules/rubygems | 0 | ||||
-rw-r--r-- | puppet/modules/site_apache/manifests/common.pp | 26 | ||||
-rw-r--r-- | puppet/modules/site_apache/templates/vhosts.d/common.conf.erb (renamed from puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb) | 11 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/client.pp | 9 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/server.pp | 23 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/server/apache.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/server/check_mk.pp | 24 | ||||
-rw-r--r-- | puppet/modules/site_sshd/manifests/authorized_keys.pp | 3 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/apache.pp | 18 |
14 files changed, 112 insertions, 25 deletions
diff --git a/.gitmodules b/.gitmodules index cc8afdb5..13b43e88 100644 --- a/.gitmodules +++ b/.gitmodules @@ -88,3 +88,6 @@ [submodule "puppet/modules/sysctl"] path = puppet/modules/sysctl url = https://leap.se/git/puppet_sysctl +[submodule "puppet/modules/check_mk"] + path = puppet/modules/check_mk + url = https://git.codecoop.org/varacanero/puppet_check_mk.git diff --git a/platform.rb b/platform.rb index ee87789a..95705c76 100644 --- a/platform.rb +++ b/platform.rb @@ -3,7 +3,7 @@ # Leap::Platform.define do - self.version = "0.3.0" + self.version = "0.5rc2" self.compatible_cli = "1.3.1".."1.99" # diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index cf117869..9140901b 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -9,5 +9,14 @@ "username": "= Leap::Platform.monitor_username", "private_key": "= file(:monitor_priv_key)" } + }, + "x509": { + "use": true, + "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", + "commercial_ca_cert": "= try_file :commercial_ca_cert" } } diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk new file mode 160000 +Subproject 382cb6d2ab5fe05b9db7e4178cd16b71685bef5 diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems -Subproject 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a +Subproject 7e0240acce5a338e7cc2b55f1f8ba749634c5da diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp new file mode 100644 index 00000000..72f24838 --- /dev/null +++ b/puppet/modules/site_apache/manifests/common.pp 
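Review bot: The submodule added in the .gitmodules hunk is fetched from a personal repository on git.codecoop.org, while every other submodule on this page is served from leap.se; the commit does pin it to a fixed subproject id, which is what keeps the checkout reproducible, but the upstream itself sits outside the project's control. Consider mirroring it under the same leap.se git namespace the other modules use so future updates go through the project's own review path, and add a one-line comment above the `[submodule "puppet/modules/check_mk"]` entry recording why the external source was chosen. Whether such a mirror already exists is not visible here.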
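Review bot: The x509 block added to monitor.json ships `"client_ca_key"`, the private key of the client CA, to the monitor node, yet none of the manifests in this commit (site_nagios::server, site_nagios::server::apache, site_apache::common) reference it; they only wire the commercial cert, key and CA. Verifying client certificates needs `client_ca_cert` alone, so if nothing outside this page consumes the key, drop the `"client_ca_key": "= file :client_ca_key, ..."` line and keep the signing key off the monitoring host. If it is needed, a comment naming the consumer would help the next reader.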
@@ -0,0 +1,26 @@ +class site_apache::common { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + include site_apache::module::rewrite + + class { '::apache': no_default_site => true, ssl => true } + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } + +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index a001552a..30f0a6b1 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -23,13 +23,14 @@ RequestHeader set X_FORWARDED_PROTO 'https' <IfModule mod_headers.c> -<% if @webapp['secure'] -%> +<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" <% end -%> Header always unset X-Powered-By Header always unset X-Runtime </IfModule> +<% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public RewriteEngine On 
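Review bot: `$web_domain` and `$domain_name` are assigned at the top of site_apache::common but nothing in the class body reads them; presumably common.conf.erb reads `@domain_name` through class scope, which this diff does not show. A comment such as `# looked up here so common.conf.erb can read @domain_name` would make that dependency explicit, and the same two lookups are still kept in site_webapp::apache (last hunk on this page), so if api.conf.erb no longer needs them they could be removed there to avoid the duplication.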
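Review bot: In the first common.conf.erb hunk the Strict-Transport-Security header is now emitted only when `@services` includes `'webapp'` (line `<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>`), so a node that serves only the monitor vhost over TLS loses HSTS entirely, which the previous single-purpose template did not do. Since `ssl => true` in site_apache::common serves every vhost built from this template over HTTPS, the webapp condition should gate only the `@webapp['secure']` lookup, with the header still sent for a monitor-only node, for example by adding the same `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` line inside the `'monitor'` branch of the second hunk. The VirtualHost block this hunk belongs to starts before the hunk.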
@@ -52,16 +53,20 @@ ExpiresActive On ExpiresDefault "access plus 1 year" </Location> +<% end -%> + - <% if (defined? @services) and (@services.include? 'monitor') -%> +<% if (defined? @services) and (@services.include? 'monitor') -%> <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)> + <% if (defined? @services) and (@services.include? 'webapp') -%> PassengerEnabled off + <% end -%> AllowOverride all # Nagios won't work with setting this option to "DENY", # as set in conf.d/security (#4169). Therefor we allow # it here, only for nagios. Header set X-Frame-Options: "ALLOW" </DirectoryMatch> - <% end -%> +<% end -%> </VirtualHost> diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d85d9c8f..a09a30d2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -86,4 +86,6 @@ class site_config::default { if defined( '::site_custom') { include ::site_custom } + + include site_nagios::client } diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp new file mode 100644 index 00000000..82063dc3 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -0,0 +1,9 @@ +class site_nagios::client { + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false + } +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..6ade7d06 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp 
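Review bot: site_nagios::client is pulled into site_config::default unconditionally, so every node now installs the check_mk agent with `method => 'ssh'` and therefore accepts the monitor host's SSH key; which account receives that key and whether its authorized_keys entry is limited to the agent command and to the monitor's address is handled inside the check_mk module and is not visible on this page. That is worth confirming before rollout, because an unrestricted key would give the monitor host shell access to the whole fleet. A comment on the `method => 'ssh'` line stating what the module guarantees (or does not) would help. The site_config::default class begins before its hunk.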
@@ -11,18 +11,32 @@ class site_nagios::server inherits nagios::base { include nagios::defaults include nagios::base - #Class ['nagios'] -> Class ['nagios::defaults'] - class {'nagios::apache': + class {'nagios': + # don't manage apache class from nagios, cause we already include + # it in site_apache::common + httpd => 'absent', allow_external_cmd => true, stored_config => false, - #before => Class ['nagios::defaults'] } + # - [monitor2] err: /Stage[main]/Site_nagios::Server/Apache::Config::Global[nagios3.conf]/Apache::Config::File[nagios3.conf]/File[apache_nagios3.conf]/ensure: change from absent to link failed: Cannot create a symlink without a target at /srv/leap/puppet/modules/apache/manifests/config/file.pp:32 + #apache::config::global { 'nagios3.conf': + # ensure => link, + # target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + #} + + file { '/etc/apache2/conf.d/nagios3.conf': + ensure => link, + target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + notify => Service['apache'] + } + + include site_apache::common include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, - content => "nagiosadmin:$nagiosadmin_pw", + content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640', } @@ -37,5 +51,6 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) + include site_nagios::apache include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp new file mode 100644 index 00000000..8dbc7e9b --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/apache.pp @@ -0,0 +1,7 @@ +class site_nagios::server::apache { + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + +} 
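Review bot: The new `file { '/etc/apache2/conf.d/nagios3.conf': ensure => link, ... }` points the live Apache config at `/usr/share/doc/nagios3-common/examples/apache2.conf`, so the access rules Apache applies to the nagios CGI paths are whatever the package happens to ship under /usr/share/doc, which can change on a package upgrade and is never reviewed by this manifest; managing a copy of the vetted content instead (`ensure => file` with a `source`) keeps those rules under configuration control. The commented-out `apache::config::global` block with the pasted agent error line should either shrink to a short pointer (`# apache::config::global cannot create this link, see apache/manifests/config/file.pp:32`) or be dropped. The enclosing class site_nagios::server starts before this hunk.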
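Review bot: `include site_nagios::apache`, added in the second server.pp hunk, does not match the class this commit creates, which is `site_nagios::server::apache` in server/apache.pp; unless a `site_nagios::apache` class exists elsewhere (none appears on this page), catalog compilation will fail with an unknown class. Change the line to `include site_nagios::server::apache`. Once the name is fixed, note that site_nagios::server::apache only repeats the x509 includes that site_apache::common (included just above) already pulls in, so it may be redundant; and site_nagios::server::check_mk, also new in this commit, is not included anywhere on this page, so confirm it is wired in elsewhere.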
diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp
new file mode 100644
index 00000000..c6676d76
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp
@@ -0,0 +1,24 @@
+class site_nagios::server::check_mk {
+
+  # override paths to use the system check_mk rather than OMD
+  class { 'check_mk::config':
+    site => '',
+    etc_dir => '/etc',
+    bin_dir => '/usr/bin',
+    host_groups => undef
+  }
+
+  file {
+    '/etc/nagios/check_mk':
+      ensure => directory,
+      owner => root,
+      group => root,
+      mode => '0755';
+
+    '/etc/nagios/check_mk/.ssh':
+      ensure => directory,
+      owner => root,
+      group => root,
+      mode => '0755';
+  }
+}
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index c18f691c..f36fe20f 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,4 +1,7 @@
 define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
+  # We use a custom define here to deploy the authorized_keys file
+  # cause puppet doesn't allow purgin before populating this file
+  # (see https://tickets.puppetlabs.com/browse/PUP-1174)
   # This line allows default homedir based on $title variable.
   # If $home is empty, the default is used.
   $homedir = $home ? {'' => "/home/${title}", default => $home}
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index d327877a..21243d34 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
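Review bot: In check_mk.pp both `/etc/nagios/check_mk` and its `.ssh` subdirectory are created root-owned at `mode => '0755'`; that satisfies sshd's StrictModes for a directory, but the private key the server will keep under `.ssh` for the ssh agent method must itself be `0600`, and nothing in this commit manages that file. If the check_mk module writes the key and sets its mode, a comment on the `.ssh` resource saying so would reassure the reader; if not, add a `file` resource for it. `host_groups => undef` also deserves a comment, since passing undef to a class parameter appears to select the module's default rather than "no host groups".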
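Review bot: The new comment in site_sshd::authorized_keys reads `purgin`, which should be `purging`; the three lines read more clearly as `# custom define: puppet cannot purge authorized_keys before populating it`, `# (see https://tickets.puppetlabs.com/browse/PUP-1174)`. The define's body continues past the hunk.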
@@ -7,19 +7,8 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] - - class { '::apache': no_default_site => true, ssl => true } - + include site_apache::common include site_apache::module::headers - include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip @@ -27,11 +16,6 @@ class site_webapp::apache { class { 'passenger': use_munin => false } apache::vhost::file { - 'leap_webapp': - content => template('site_apache/vhosts.d/leap_webapp.conf.erb') - } - - apache::vhost::file { 'api': content => template('site_apache/vhosts.d/api.conf.erb') } |