-rw-r--r--README7
-rw-r--r--config/defaults.yaml7
-rw-r--r--config/eip/cougar.leap.se.yaml10
-rw-r--r--config/eip/defaults.yaml5
-rw-r--r--config/hosts/cougar.leap.se.yaml3
-rwxr-xr-xdeploy.sh38
-rw-r--r--puppet/hiera.yaml23
-rw-r--r--puppet/manifests/site.pp27
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp43
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp112
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp1
-rw-r--r--puppet/modules/site_sshd/manifests/ssh_key.pp3
12 files changed, 275 insertions, 4 deletions
diff --git a/README b/README
new file mode 100644
index 00000000..73f219a1
--- /dev/null
+++ b/README
@@ -0,0 +1,7 @@
+...
+
+Installation
+------------
+
+- Edit /etc/leap/hieradata/common.yaml for your needs
+- Run the deploy.sh script as root
diff --git a/config/defaults.yaml b/config/defaults.yaml
new file mode 100644
index 00000000..62f047e3
--- /dev/null
+++ b/config/defaults.yaml
@@ -0,0 +1,7 @@
+---
+testpw: secret
+services: - none
+
+ssh_keys:
+ test_key:
+ key: ssh-rsa random_noiseAAdABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoppND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ
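Review bot: The `testpw: secret` value and the `test_key` entry in this lowest-priority `defaults.yaml` become live data on every host, because site.pp reads the keys with `hiera_hash('ssh_keys')` (a merge across the whole hierarchy) and hands the result to `create_resources('site_sshd::ssh_key', ...)`, so a placeholder key committed here would be authorised on all machines as soon as `ssh_key.pp` stops being a stub. Keep the defaults file free of credentials: drop `testpw`, make the default `ssh_keys: {}`, and put real keys only in `hosts/<fqdn>.yaml` (or a file that is not committed). Separately, `services: - none` puts a block-sequence entry on the key's line, which I believe libyaml rejects ("block sequence entries are not allowed in this context"); the same form appears in `hosts/cougar.leap.se.yaml`, so either move `- none` to its own indented line or write `services: []`.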
diff --git a/config/eip/cougar.leap.se.yaml b/config/eip/cougar.leap.se.yaml
new file mode 100644
index 00000000..2bbd71e0
--- /dev/null
+++ b/config/eip/cougar.leap.se.yaml
@@ -0,0 +1,10 @@
+---
+openvpn_server_configs:
+ port80_tcp:
+ port: 80
+ proto: tcp-server
+ port1194_udp:
+ port: 1194
+ proto: udp
+
+#tor: 'false'
diff --git a/config/eip/defaults.yaml b/config/eip/defaults.yaml
new file mode 100644
index 00000000..29022408
--- /dev/null
+++ b/config/eip/defaults.yaml
@@ -0,0 +1,5 @@
+---
+# make shure 'false' is quoted
+tor: 'false'
+openvpn_server_configs: -
+
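Review bot: `openvpn_server_configs: -` on the line above is not an empty hash; depending on the parser it is either a syntax error or the scalar string `-`, and site.pp passes whatever `hiera('openvpn_server_configs')` returns straight to `create_resources`, which needs a hash. For hosts with the `eip` service but no `eip/<fqdn>.yaml`, that is a catalog failure rather than "no servers", so use `openvpn_server_configs: {}` here. The `tor: 'false'` comment is right that the quoting matters, but note that a non-empty string such as `'false'` is truthy in Puppet conditionals, so whatever consumes `$tor` must compare it as a string.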
diff --git a/config/hosts/cougar.leap.se.yaml b/config/hosts/cougar.leap.se.yaml
new file mode 100644
index 00000000..5cf37bb1
--- /dev/null
+++ b/config/hosts/cougar.leap.se.yaml
@@ -0,0 +1,3 @@
+---
+services: - eip
+ - couchdb
diff --git a/deploy.sh b/deploy.sh
index c8f89b90..e6a6c7ea 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,37 @@
-#!/bin/sh
+#!/bin/sh -x
+#
+# missing: header, licence, usage
+
+
+install_packages ()
+{
+ apt-get install lsb-release git
+
+ # we need puppet from backports
+ dist="`lsb_release -cs`"
+
+ # enable backports for puppet + facter
+ [ -f /etc/apt/sources.list.d/$dist-backports.list ] || echo "deb http://backports.debian.org/debian-backports/ $dist-backports main contrib non-free">/etc/apt/sources.list.d/$dist-backports.list
+
+ # enable debian wheezy for ruby-hiera-puppet
+ if [ "$dist" != "wheezy" ]
+ then
+ cat > /etc/apt/preferences.d/wheezy <<DELIM
+Package: *
+Pin: release o=Debian,n=wheezy
+Pin-Priority: 2
+DELIM
+ fi
+
+ apt-get update
+ apt-get install -y -t $dist-backports facter puppet
+ apt-get install ruby-hiera-puppet ruby-hiera
+}
+
+# main
+
+# commented for testing purposes
+#install_packages
+
+puppet apply --confdir=$PWD/puppet $PWD/puppet/manifests/site.pp $@
-puppet apply --modulepath=$PWD/puppet/modules $PWD/puppet/manifests/site.pp $@
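Review bot: The new `puppet apply` line at the end passes `$@` and `$PWD` unquoted, so an argument containing whitespace is split before it reaches puppet, and the script keeps going after a failed `apt-get` in `install_packages` because there is no `set -e`. I would write the last line as `puppet apply --confdir="$PWD/puppet" "$PWD/puppet/manifests/site.pp" "$@"` and add `set -e` after the shebang. The `#!/bin/sh -x` shebang also traces every expanded command to stderr on a script that is run as root; that looks like debugging left on (the `#install_packages` comment says as much) and should be reverted to `#!/bin/sh` before this is used for real, since the trace ends up in whatever captures the deploy output. Note that the `-y` is missing from the first `apt-get install` and the `ruby-hiera-puppet` one, so an unattended run will stall on the prompt.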
diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml
new file mode 100644
index 00000000..a992c057
--- /dev/null
+++ b/puppet/hiera.yaml
@@ -0,0 +1,23 @@
+---
+:backends:
+ - yaml
+ - puppet
+
+:logger: console
+
+:hierarchy:
+ - hosts/%{fqdn}
+ - ca/%{fqdn}
+ - ca/defaults
+ - eip/%{fqdn}
+ - eip/defaults
+# more services following
+ - defaults
+
+# relative from where puppet is run, so we need to run puppet
+# from the root dir of the leap_platform repo
+:yaml:
+ :datadir: config
+
+:puppet:
+ :datasource: data
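Review bot: `:datadir: config` is resolved relative to the working directory of the puppet process, not to `--confdir`, so running `deploy.sh` from anywhere but the repo root silently yields an empty hierarchy and `hiera_hash('ssh_keys')` / `hiera('openvpn_server_configs')` in site.pp come back empty or fail. The comment above acknowledges this; I would rather make it a hard guarantee, e.g. have deploy.sh `cd "$(dirname "$0")"` before `puppet apply`, or point `:datadir:` at an absolute path. The README added in this commit tells the operator to edit `/etc/leap/hieradata/common.yaml`, which is not in this hierarchy at all, so one of the two needs to change to match the other.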
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3a136015..a897de11 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,3 +1,26 @@
-node "default" {
- notify {'Hello World':}
+node 'default' {
+ # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ?
+ include concat::setup
+
+ $services=hiera_array('services')
+ notice("Services for $fqdn: $services")
+
+ # configure ssh and inculde ssh-keys
+ #include sshd
+ $ssh_keys=hiera_hash('ssh_keys')
+ include site_sshd
+ notice($ssh_keys)
+ create_resources('site_sshd::ssh_key', $ssh_keys)
+
+
+ if 'eip' in $services {
+ include site_openvpn
+
+ $tor=hiera('tor')
+ notice("Tor enabled: $tor")
+
+ $openvpn_configs=hiera('openvpn_server_configs')
+ create_resources('site_openvpn::server_config', $openvpn_configs)
+
+ }
}
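Review bot: `notice($ssh_keys)` dumps the entire merged key hash into the puppet log on every run, which is noisy at best and, if the hash ever carries more than public keys, leaks them into syslog; use `notice("ssh keys for ${fqdn}: ${ssh_keys}")` only behind a debug flag, or drop it alongside the other `notice` calls once this stops being a prototype. `$tor = hiera('tor')` receives the quoted string `'false'` from `config/eip/defaults.yaml`, and a non-empty string is truthy in Puppet, so any later `if $tor` would enable Tor by default; either store a real boolean or compare with `if $tor == 'true'`. The `create_resources('site_sshd::ssh_key', $ssh_keys)` call is also unconditional, so whatever lands in `defaults.yaml` under `ssh_keys` reaches every node; worth a comment saying so, e.g. `# merged across the whole hierarchy: defaults.yaml keys apply to all hosts`.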
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
new file mode 100644
index 00000000..c83b98c7
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -0,0 +1,43 @@
+class site_openvpn {
+ package {
+ "openvpn":
+ ensure => installed;
+ }
+ service {
+ "openvpn":
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ require => Exec["concat_/etc/default/openvpn"];
+ }
+ file {
+ "/etc/openvpn":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ include concat::setup
+
+ concat {
+ "/etc/default/openvpn":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service["openvpn"];
+ }
+
+ concat::fragment {
+ "openvpn.default.header":
+ content => template("openvpn/etc-default-openvpn.erb"),
+ target => "/etc/default/openvpn",
+ order => 01;
+ }
+
+ concat::fragment {
+ "openvpn.default.autostart.${name}":
+ content => "AUTOSTART=all",
+ target => "/etc/default/openvpn",
+ order => 10;
+ }
+}
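Review bot: `require => Exec["concat_/etc/default/openvpn"]` on the service couples this class to an internal resource name of the concat module; `require => Concat['/etc/default/openvpn']` expresses the same ordering without depending on that implementation detail. `mode => 644` is an unquoted integer, which Puppet warns about and which is not the same as the string `'0644'` it documents; the same pattern is in `server_config.pp`. The fragment name `"openvpn.default.autostart.${name}"` uses `$name` inside a class, where it is just the class name, so the interpolation adds nothing, and `template("openvpn/etc-default-openvpn.erb")` looks up a template in an `openvpn` module rather than in this `site_openvpn` module; presumably that module is vendored elsewhere in the repo, but it is not in this diff, so worth confirming.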
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..4a130d13
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -0,0 +1,112 @@
+define site_openvpn::server_config($port, $proto) {
+ $openvpn_configname=$name
+ notice("Creating OpenVPN $openvpn_configname:
+ Port: $port, Protocol: $proto")
+
+ file {
+ "/etc/openvpn/${name}":
+ ensure => directory,
+ require => Package["openvpn"];
+ }
+
+ concat {
+ "/etc/openvpn/${openvpn_configname}.conf":
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File["/etc/openvpn"],
+ notify => Service["openvpn"];
+ }
+
+
+
+ openvpn::option {
+ "ca ${openvpn_configname}":
+ key => "ca",
+ value => "/etc/openvpn/ca.crt",
+ #require => Exec["initca ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "cert ${openvpn_configname}":
+ key => "cert",
+ value => "/etc/openvpn/${openvpn_configname}/server.crt",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "key ${openvpn_configname}":
+ key => "key",
+ value => "/etc/openvpn/${openvpn_configname}/server.key",
+ #require => Exec["generate server cert ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dh ${openvpn_configname}":
+ key => "dh",
+ value => "/etc/openvpn/dh1024.pem",
+ #require => Exec["generate dh param ${openvpn_configname}"],
+ server => "${openvpn_configname}";
+ "dev $openvpn_configname":
+ key => "dev",
+ value => "tun",
+ server => "$openvpn_configname";
+ "mode ${openvpn_configname}":
+ key => 'mode',
+ value => 'server',
+ server => $openvpn_configname;
+ "script-security $openvpn_configname":
+ key => "script-security",
+ value => "3",
+ server => "$openvpn_configname";
+ "daemon $openvpn_configname":
+ key => "daemon",
+ server => "$openvpn_configname";
+ "keepalive $openvpn_configname":
+ key => "keepalive",
+ value => "10 60",
+ server => "$openvpn_configname";
+ "ping-timer-rem $openvpn_configname":
+ key => "ping-timer-rem",
+ server => "$openvpn_configname";
+ "persist-tun $openvpn_configname":
+ key => "persist-tun",
+ server => "$openvpn_configname";
+ "persist-key $openvpn_configname":
+ key => "persist-key",
+ server => "$openvpn_configname";
+ "proto $openvpn_configname":
+ key => "proto",
+ value => "$proto",
+ server => "$openvpn_configname";
+ "cipher $openvpn_configname":
+ key => "cipher",
+ value => "BF-CBC",
+ server => "$openvpn_configname";
+ "local $openvpn_configname":
+ key => "local",
+ value => $ipaddress,
+ server => "$openvpn_configname";
+ "tls-server $openvpn_configname":
+ key => "tls-server",
+ server => "$openvpn_configname";
+ #"server $openvpn_configname":
+ # key => "server",
+ # value => "$server",
+ # server => "$openvpn_configname";
+ "lport $openvpn_configname":
+ key => "lport",
+ value => "$port",
+ server => "$openvpn_configname";
+ "management $openvpn_configname":
+ key => "management",
+ value => "/var/run/openvpn-$openvpn_configname.sock unix",
+ server => "$openvpn_configname";
+ "comp-lzo $openvpn_configname":
+ key => "comp-lzo",
+ server => "$openvpn_configname";
+ "topology $openvpn_configname":
+ key => "topology",
+ value => "subnet",
+ server => "$openvpn_configname";
+ #"client-to-client $openvpn_configname":
+ # key => "client-to-client",
+ # server => "$openvpn_configname";
+ }
+
+}
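Review bot: The generated server config never drops privileges: `persist-key` and `persist-tun` are set, which exist precisely so that `user`/`group` can be used, yet no `user nobody` / `group nogroup` option is emitted, so every OpenVPN instance stays root for its whole lifetime. Together with `script-security 3`, which is the maximum level and is not needed by anything in this define (no script options are set), `cipher BF-CBC` (64-bit block cipher) and `dh1024.pem` (1024-bit DH), this is more exposure than a VPN front door on TCP 80 and UDP 1194 should carry. I would drop the privileges, lower `script-security` to `1` (or omit it until a script is actually configured), move to `AES-256-CBC`, and generate a 2048-bit DH file; the commented `Exec["generate dh param ..."]` will need to match the new path. The unix `management` socket is also created without `management-client-user`/`management-client-group`, so its access control rests on OpenVPN's default socket mode, which I would rather not rely on; and `tls-auth`/`tls-crypt` is absent, meaning unauthenticated peers can drive the TLS handshake, which is worth a TODO at least.

```puppet
  openvpn::option {
    # … unchanged: ca, cert, key options …
    "dh ${openvpn_configname}":
      key    => "dh",
      value  => "/etc/openvpn/dh2048.pem",
      server => "${openvpn_configname}";
    # … unchanged: dev, mode …
    # 1 = built-in executables only; raise only when a script hook is added
    "script-security $openvpn_configname":
      key    => "script-security",
      value  => "1",
      server => "$openvpn_configname";
    # … unchanged: daemon, keepalive, ping-timer-rem, persist-tun, persist-key, proto …
    "cipher $openvpn_configname":
      key    => "cipher",
      value  => "AES-256-CBC",
      server => "$openvpn_configname";
    # drop root after init; persist-key/persist-tun above keep SIGUSR1 restarts working
    "user $openvpn_configname":
      key    => "user",
      value  => "nobody",
      server => "$openvpn_configname";
    "group $openvpn_configname":
      key    => "group",
      value  => "nogroup",
      server => "$openvpn_configname";
    # … unchanged: local, tls-server, lport …
    "management $openvpn_configname":
      key    => "management",
      value  => "/var/run/openvpn-$openvpn_configname.sock unix",
      server => "$openvpn_configname";
    "management-client-user $openvpn_configname":
      key    => "management-client-user",
      value  => "root",
      server => "$openvpn_configname";
    # … unchanged: comp-lzo, topology …
  }
```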
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
new file mode 100644
index 00000000..630e9bdf
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -0,0 +1 @@
+class site_sshd {}
diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp
new file mode 100644
index 00000000..b47b2ebd
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/ssh_key.pp
@@ -0,0 +1,3 @@
+define site_sshd::ssh_key($key) {
+ # ... todo: deploy ssh_key
+}