Diffstat (limited to 'puppet/modules/site_config/manifests')
35 files changed, 898 insertions, 0 deletions
|
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
new file mode 100644
index 00000000..8bf465c1
--- /dev/null
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -0,0 +1,27 @@
+# deploy local caching resolver
+class site_config::caching_resolver {
+  tag 'leap_base'
+
+  class { 'unbound':
+    root_hints => false,
+    anchor     => false,
+    ssl        => false,
+    settings   => {
+      server => {
+        verbosity      => '1',
+        interface      => [ '127.0.0.1', '::1' ],
+        port           => '53',
+        hide-identity  => 'yes',
+        hide-version   => 'yes',
+        harden-glue    => 'yes',
+        access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
+      }
+    }
+  }
+
+  concat::fragment { 'unbound glob include':
+    target  => $unbound::params::config,
+    content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+    order   => 10
+  }
+}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
new file mode 100644
index 00000000..256de1a1
--- /dev/null
+++ b/puppet/modules/site_config/manifests/default.pp
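Review bot: `anchor => false` in the unbound class declaration leaves the resolver without a DNSSEC trust anchor, so it will accept unvalidated answers, and `root_hints => false` with no forwarders shown means it recurses to the roots itself. If that is the intended trade-off for a localhost-only cache, record it next to the parameter, e.g. `anchor     => false, # no DNSSEC validation on purpose: <reason>`; otherwise `anchor => true` is the safer default. Note also that the `concat::fragment` includes every file under /etc/unbound/unbound.conf.d/, so whoever can write to that directory can reconfigure the resolver; the directory is not managed in this commit, so its ownership is presumably left to the unbound package.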
@@ -0,0 +1,71 @@
+# common things to set up on every node
+class site_config::default {
+  tag 'leap_base'
+
+  $services    = hiera('services', [])
+  $domain_hash = hiera('domain')
+  include site_config::params
+  include site_config::setup
+
+  # default class, used by all hosts
+
+  include lsb, git
+
+  # configure sysctl parameters
+  include site_config::sysctl
+
+  # configure ssh and include ssh-keys
+  include site_sshd
+
+  # include classes for special environments
+  # i.e. openstack/aws nodes, vagrant nodes
+
+  # fix dhclient from changing resolver information
+  # facter returns 'true' as string
+  # lint:ignore:quoted_booleans
+  if $::dhcp_enabled == 'true' {
+  # lint:endignore
+    include site_config::dhclient
+  }
+
+  # configure /etc/resolv.conf
+  include site_config::resolvconf
+
+  # configure caching, local resolver
+  include site_config::caching_resolver
+
+  # install/configure syslog and core log rotations
+  include site_config::syslog
+
+  # provide a basic level of quality entropy
+  include haveged
+
+  # install/remove base packages
+  include site_config::packages
+
+  # include basic shorewall config
+  include site_shorewall::defaults
+
+  Package['git'] -> Vcsrepo<||>
+
+  # include basic shell config
+  include site_config::shell
+
+  # set up core leap files and directories
+  include site_config::files
+
+  # remove leftovers from previous deploys
+  include site_config::remove
+
+  if ! member($services, 'mx') {
+    include site_postfix::satellite
+  }
+
+  # if class custom exists, include it.
+  # possibility for users to define custom puppet recipes
+  if defined( '::custom') {
+    include ::custom
+  }
+
+  include site_check_mk::agent
+}
diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp
new file mode 100644
index 00000000..a1f87d41
--- /dev/null
+++ b/puppet/modules/site_config/manifests/dhclient.pp
@@ -0,0 +1,40 @@
+# Unfortunately, there does not seem to be a way to reload the dhclient.conf
+# config file, or a convenient way to disable the modifications to
+# /etc/resolv.conf. So the following makes the functions involved noops and
+# ships a script to kill and restart dhclient. See the debian bugs:
+# #681698, #712796
+class site_config::dhclient {
+
+
+  include site_config::params
+
+  file { '/usr/local/sbin/reload_dhclient':
+    owner   => 0,
+    group   => 0,
+    mode    => '0755',
+    content => template('site_config/reload_dhclient.erb');
+  }
+
+  exec { 'reload_dhclient':
+    refreshonly => true,
+    command     => '/usr/local/sbin/reload_dhclient',
+    before      => Class['site_config::resolvconf'],
+    require     => File['/usr/local/sbin/reload_dhclient'],
+  }
+
+  file { '/etc/dhcp/dhclient-enter-hooks.d':
+    ensure => directory,
+    mode   => '0755',
+    owner  => 'root',
+    group  => 'root',
+  }
+
+  file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf':
+    content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }',
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+    require => File['/etc/dhcp/dhclient-enter-hooks.d'],
+    notify  => Exec['reload_dhclient'];
+  }
+}
diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp
new file mode 100644
index 00000000..d2ef8a98
--- /dev/null
+++ b/puppet/modules/site_config/manifests/files.pp
@@ -0,0 +1,24 @@
+# set up core leap files and directories
+class site_config::files {
+
+  file {
+    '/srv/leap':
+      ensure  => directory,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0711';
+
+    [ '/etc/leap', '/var/lib/leap']:
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755';
+
+    '/var/log/leap':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'adm',
+      mode   => '0750';
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
new file mode 100644
index 00000000..878b6af0
--- /dev/null
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -0,0 +1,44 @@
+class site_config::hosts() {
+  $hosts         = hiera('hosts', false)
+
+  # calculate all the hostname aliases that might be used
+  $hostname      = hiera('name')
+  $domain_hash   = hiera('domain', {})
+  $dns           = hiera('dns', {})
+  if $dns['aliases'] == undef {
+    $dns_aliases = []
+  } else {
+    $dns_aliases = $dns['aliases']
+  }
+  $my_hostnames = unique(concat(
+    [$domain_hash['full'], $hostname, $domain_hash['internal']], $dns_aliases
+  ))
+
+  file { '/etc/hostname':
+    ensure  => present,
+    content => $hostname
+  }
+
+  exec { "/bin/hostname ${hostname}":
+    subscribe   => [ File['/etc/hostname'], File['/etc/hosts'] ],
+    refreshonly => true;
+  }
+
+  # we depend on reliable hostnames from /etc/hosts for the stunnel services
+  # so restart stunnel service when /etc/hosts is modified
+  # because this is done in an early stage, the stunnel module may not
+  # have been deployed and will not be available for overriding, so
+  # this is handled in an unorthodox manner
+  exec { '/etc/init.d/stunnel4 restart':
+    subscribe   => File['/etc/hosts'],
+    refreshonly => true,
+    onlyif      => 'test -f /etc/init.d/stunnel4';
+  }
+
+  file { '/etc/hosts':
+    content => template('site_config/hosts'),
+    mode    => '0644',
+    owner   => root,
+    group   => root;
+  }
+}
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
new file mode 100644
index 00000000..93cfb847
--- /dev/null
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
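Review bot: `$hostname` comes from `hiera('name')` and is interpolated unvalidated into the exec title `"/bin/hostname ${hostname}"` and written verbatim to /etc/hostname, which also gets no owner/group/mode. A value containing whitespace or shell metacharacters would yield a different command than intended, so validate it first with the stdlib this class already uses, e.g. `validate_re($hostname, '^[A-Za-z0-9][A-Za-z0-9.-]*$')`. For the file, `content => "${hostname}\n"` plus `owner => root, group => root, mode => '0644'` matches how /etc/hosts is managed a few lines below.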
@@ -0,0 +1,64 @@
+class site_config::initial_firewall {
+
+  # This class is intended to setup an initial firewall, before shorewall is
+  # configured. The purpose of this is for the rare case where shorewall fails
+  # to start, we should not expose services to the public.
+
+  $ssh_config = hiera('ssh')
+  $ssh_port   = $ssh_config['port']
+
+  package { 'iptables':
+    ensure => present
+  }
+
+  file {
+    # This firewall enables ssh access, dns lookups and web lookups (for
+    # package installation) but otherwise restricts all outgoing and incoming
+    # ports
+    '/etc/network/ipv4firewall_up.rules':
+      content => template('site_config/ipv4firewall_up.rules.erb'),
+      owner   => root,
+      group   => 0,
+      mode    => '0644';
+
+    # This firewall denys all ipv6 traffic - we will need to change this
+    # when we begin to support ipv6
+    '/etc/network/ipv6firewall_up.rules':
+      content => template('site_config/ipv6firewall_up.rules.erb'),
+      owner   => root,
+      group   => 0,
+      mode    => '0644';
+
+    # Run the iptables-restore in if-pre-up so that the network is locked down
+    # until the correct interfaces and ips are connected
+    '/etc/network/if-pre-up.d/ipv4tables':
+      content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
+      owner   => root,
+      group   => 0,
+      mode    => '0744';
+
+    # Same as above for IPv6
+    '/etc/network/if-pre-up.d/ipv6tables':
+      content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
+      owner   => root,
+      group   => 0,
+      mode    => '0744';
+  }
+
+  # Immediately setup these firewall rules, but only if shorewall is not running
+  exec {
+    'default_ipv4_firewall':
+      command   => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
+      logoutput => true,
+      unless    => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+      subscribe => File['/etc/network/ipv4firewall_up.rules'],
+      require   => File['/etc/network/ipv4firewall_up.rules'];
+
+    'default_ipv6_firewall':
+      command   => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
+      logoutput => true,
+      unless    => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+      subscribe => File['/etc/network/ipv6firewall_up.rules'],
+      require   => File['/etc/network/ipv6firewall_up.rules'];
+  }
+}
diff --git a/puppet/modules/site_config/manifests/packages.pp b/puppet/modules/site_config/manifests/packages.pp
new file mode 100644
index 00000000..140189a4
--- /dev/null
+++ b/puppet/modules/site_config/manifests/packages.pp
@@ -0,0 +1,32 @@
+# install default packages and remove unwanted packages
+class site_config::packages {
+
+
+  # base set of packages that we want to have installed everywhere
+  package { [ 'etckeeper', 'screen', 'less', 'ntp' ]:
+    ensure => installed,
+  }
+
+  # base set of packages that we want to remove everywhere
+  package { [
+    'acpi', 'build-essential',
+    'cpp', 'cpp-4.6', 'cpp-4.7', 'cpp-4.8', 'cpp-4.9',
+    'eject', 'ftp',
+    'g++', 'g++-4.6', 'g++-4.7', 'g++-4.8', 'g++-4.9',
+    'gcc', 'gcc-4.6', 'gcc-4.7', 'gcc-4.8', 'gcc-4.9',
+    'laptop-detect', 'libc6-dev', 'libssl-dev', 'lpr', 'make',
+    'pppconfig', 'pppoe', 'pump', 'qstat',
+    'samba-common', 'samba-common-bin', 'smbclient',
+    'tcl8.5', 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common',
+    'x11-utils', 'xterm' ]:
+      ensure => purged;
+  }
+
+  # leave a few packages installed on local environments
+  # vagrant i.e. needs them for mounting shared folders
+    if $::site_config::params::environment != 'local' {
+    package { [ 'nfs-common', 'nfs-kernel-server', 'rpcbind', 'portmap' ]:
+      ensure => purged;
+    }
+  }
+}
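Review bot: `$ssh_port = $ssh_config['port']` is read without any guard and presumably feeds the ipv4 rules template; if the key is absent the rendered rules file is invalid, so both the `default_ipv4_firewall` exec and the if-pre-up script fail and the node is left without the lockdown this class exists to provide. Add a fail-fast check before the file resources, e.g. `if $ssh_port == undef { fail('ssh.port must be set for site_config::initial_firewall') }`. Also `subscribe` already implies `require`, so the `require` lines on both execs are redundant and can be dropped.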
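Review bot: the `if $::site_config::params::environment != 'local'` test reads a variable from a class this manifest never includes, so if `site_config::packages` is evaluated before `site_config::params` the variable is undef, `undef != 'local'` is true, and nfs-common/rpcbind get purged on a local vagrant node the comment says should keep them. Add `include site_config::params` at the top of the class so the ordering is explicit, the way `site_config::dhclient` in this commit does.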
diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp
new file mode 100644
index 00000000..2b3e13b9
--- /dev/null
+++ b/puppet/modules/site_config/manifests/packages/build_essential.pp
@@ -0,0 +1,28 @@
+#
+# include this whenever you want to ensure build-essential package and related compilers are installed.
+#
+class site_config::packages::build_essential inherits ::site_config::packages {
+
+  # NICKSERVER CODE NOTE: in order to support TLS, libssl-dev must be installed
+  # before EventMachine gem is built/installed.
+  Package[ 'gcc', 'make', 'g++', 'cpp', 'libssl-dev', 'libc6-dev' ] {
+    ensure => present
+  }
+
+  case $::operatingsystemrelease {
+    /^8.*/: {
+      Package[ 'gcc-4.9','g++-4.9', 'cpp-4.9' ] {
+        ensure => present
+      }
+    }
+
+    /^7.*/: {
+      Package[ 'gcc-4.7','g++-4.7', 'cpp-4.7' ] {
+        ensure => present
+      }
+    }
+
+    default:  { }
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/packages/gnutls.pp b/puppet/modules/site_config/manifests/packages/gnutls.pp
new file mode 100644
index 00000000..b1f17480
--- /dev/null
+++ b/puppet/modules/site_config/manifests/packages/gnutls.pp
@@ -0,0 +1,5 @@
+class site_config::packages::gnutls {
+
+  package { 'gnutls-bin': ensure => installed }
+
+}
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
new file mode 100644
index 00000000..012b3ce0
--- /dev/null
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -0,0 +1,35 @@
+class site_config::params {
+
+  $ip_address               = hiera('ip_address')
+  $ip_address_interface     = getvar("interface_${ip_address}")
+  $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
+  $environment              = hiera('environment', undef)
+
+
+  if $environment == 'local' {
+    $interface = 'eth1'
+    include site_config::packages::build_essential
+  }
+  elsif hiera('interface','') != '' {
+    $interface = hiera('interface')
+  }
+  elsif $ip_address_interface != '' {
+    $interface = $ip_address_interface
+  }
+  elsif $ec2_local_ipv4_interface != '' {
+    $interface = $ec2_local_ipv4_interface
+  }
+  elsif $::interfaces =~ /eth0/ {
+    $interface = 'eth0'
+  }
+  else {
+    fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
+  }
+
+  $ca_name              = 'leap_ca'
+  $client_ca_name       = 'leap_client_ca'
+  $ca_bundle_name       = 'leap_ca_bundle'
+  $cert_name            = 'leap'
+  $commercial_ca_name   = 'leap_commercial_ca'
+  $commercial_cert_name = 'leap_commercial'
+}
diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp
new file mode 100644
index 00000000..443df9c2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove.pp
@@ -0,0 +1,11 @@
+# remove leftovers from previous deploys
+class site_config::remove {
+  include site_config::remove::files
+
+  case $::operatingsystemrelease {
+    /^8.*/: {
+      include site_config::remove::jessie
+    }
+    default:  { }
+  }
+}
diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp
new file mode 100644
index 00000000..3535c3c1
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp
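Review bot: `elsif $::interfaces =~ /eth0/` is an unanchored match on facter's comma-separated interface list, so it also matches names such as `veth0` or `eth01` and would then select an `eth0` that may not exist, with the firewall and shorewall config built around it. Anchor the match to a list entry, e.g. `elsif $::interfaces =~ /(^|,)eth0(,|$)/`. Separately, `include site_config::packages::build_essential` inside a params class is a side effect a reader will not expect from `params`; a one-line comment saying why local nodes get compilers here would help.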
@@ -0,0 +1,42 @@
+# remove bigcouch leftovers from previous installations
+class site_config::remove::bigcouch {
+
+  # Don't use check_mk logwatch to watch bigcouch logs anymore
+  # see https://leap.se/code/issues/7375 for more details
+  file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
+    ensure => absent,
+    notify => [
+      Exec['remove_bigcouch_logwatch_stateline']
+    ]
+  }
+
+  exec { 'remove_bigcouch_logwatch_stateline':
+    command     => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",
+    refreshonly => true,
+  }
+
+  cron { 'compact_all_shards':
+    ensure => absent
+  }
+
+
+  exec { 'kill_bigcouch_stunnel_procs':
+    refreshonly => true,
+    command     => '/usr/bin/pkill -f "/usr/bin/stunnel4 /etc/stunnel/(ednp|epmd)_server.conf"'
+  }
+
+  # 'tidy' doesn't notify other resources, so we need to use file here instead
+  # see https://tickets.puppetlabs.com/browse/PUP-6021
+  file {
+    [ '/etc/stunnel/ednp_server.conf', '/etc/stunnel/epmd_server.conf']:
+      ensure => absent,
+      # notifying Service[stunnel] doesn't work here because the config
+      # files contain the pid of the procs to stop/start.
+      # If we remove the config, and restart stunnel then it will only
+      # stop/start the procs for which config files are found and the stale
+      # service will continue to run.
+      # So we simply kill them.
+      notify => Exec['kill_bigcouch_stunnel_procs']
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
new file mode 100644
index 00000000..41d6462e
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/files.pp
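Review bot: the `remove_bigcouch_logwatch_stateline` exec runs a bare `sed` with no guard that /etc/check_mk/logwatch.state exists; an unqualified command only works when a global `Exec { path => … }` default is in scope at evaluation time (one is set in `site_config::setup` in this commit, but nothing here guarantees it), and `sed -i` on a missing file makes the refresh fail. Use the qualified path and a guard, as `site_config::remove::files` in the same commit does: `command => "/bin/sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",` with `onlyif => '/usr/bin/test -f /etc/check_mk/logwatch.state',`.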
@@ -0,0 +1,56 @@
+#
+# Sometimes when we upgrade the platform, we need to ensure that files that
+# the platform previously created will get removed.
+#
+# These file removals don't need to be kept forever: we only need to remove
+# files that are present in the prior platform release.
+#
+# We can assume that the every node is upgraded from the previous platform
+# release.
+#
+
+class site_config::remove::files {
+
+  # Platform 0.8 removals
+  tidy {
+    '/etc/default/leap_mx':;
+    '/etc/logrotate.d/mx':;
+    '/etc/rsyslog.d/50-mx.conf':;
+    '/etc/apt/preferences.d/openvpn':;
+    '/etc/apt/sources.list.d/secondary.list.disabled.list':;
+  }
+
+  #
+  # Platform 0.7 removals
+  #
+
+  tidy {
+    '/etc/rsyslog.d/99-tapicero.conf':;
+    '/etc/rsyslog.d/01-webapp.conf':;
+    '/etc/rsyslog.d/50-stunnel.conf':;
+    '/etc/logrotate.d/stunnel':;
+    '/var/log/stunnel4/stunnel.log':;
+    'leap_mx':
+      path => '/var/log/',
+      recurse => true,
+      matches => ['leap_mx*', 'mx.log.[1-5]', 'mx.log.[6-9](.gz)?',
+                  'mx.log.[0-9][0-9](.gz)?'];
+    '/srv/leap/webapp/public/provider.json':;
+    '/srv/leap/couchdb/designs/tmp_users':
+      recurse => true,
+      rmdirs => true;
+    '/etc/leap/soledad-server.conf':;
+    '/var/log/leap/openvpn.log':;
+    '/etc/rsyslog.d/50-openvpn.conf':;
+  }
+
+  # leax-mx logged to /var/log/leap_mx.log in the past
+  # we need to use a dumb exec here because file_line doesn't
+  # allow removing lines that match a regex in the current version
+  # of stdlib, see https://tickets.puppetlabs.com/browse/MODULES-1903
+  exec { 'rm_old_leap_mx_log_destination':
+      command => "/bin/sed -i '/leap_mx.log/d' /etc/check_mk/logwatch.state",
+      onlyif  => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state"
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp
new file mode 100644
index 00000000..e9497baf
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/jessie.pp
@@ -0,0 +1,14 @@
+# remove possible leftovers after upgrading from wheezy to jessie
+class site_config::remove::jessie {
+
+  tidy {
+    '/etc/apt/preferences.d/rsyslog_anon_depends':
+      notify => Exec['apt_updated'];
+  }
+
+  apt::preferences_snippet {
+    [ 'facter', 'obfsproxy', 'python-twisted', 'unbound' ]:
+      ensure => absent;
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp
new file mode 100644
index 00000000..18e2949b
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/monitoring.pp
@@ -0,0 +1,13 @@
+# remove leftovers on monitoring nodes
+class site_config::remove::monitoring {
+
+  # Remove check_mk loggwatch spoolfiles for
+  # tapicero and bigcouch
+  tidy {
+    'remove_logwatch_spoolfiles':
+      path    => '/var/lib/check_mk/logwatch',
+      recurse => true,
+      matches => [ '*tapicero.log', '*bigcouch.log'];
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp
new file mode 100644
index 00000000..07c3c6c6
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/tapicero.pp
@@ -0,0 +1,72 @@
+# remove tapicero leftovers from previous deploys on couchdb nodes
+class site_config::remove::tapicero {
+
+  ensure_packages('curl')
+
+  # remove tapicero couchdb user
+  $couchdb_config = hiera('couch')
+  $couchdb_mode   = $couchdb_config['mode']
+
+  if $couchdb_mode == 'multimaster'
+  {
+    $port = 5986
+  } else {
+    $port = 5984
+  }
+
+  exec { 'remove_couchdb_user':
+    onlyif  => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'",
+    command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete",
+    require => Package['curl']
+  }
+
+
+  exec { 'kill_tapicero':
+    onlyif  => '/usr/bin/test -s /var/run/tapicero.pid',
+    command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid'
+  }
+
+  user { 'tapicero':
+    ensure  => absent;
+  }
+
+  group { 'tapicero':
+    ensure => absent,
+    require => User['tapicero'];
+  }
+
+  tidy {
+    '/srv/leap/tapicero':
+      recurse => true,
+      require   => [ Exec['kill_tapicero'] ];
+    '/var/lib/leap/tapicero':
+      require   => [ Exec['kill_tapicero'] ];
+    '/var/run/tapicero':
+      require   => [ Exec['kill_tapicero'] ];
+    '/etc/leap/tapicero.yaml':
+      require   => [ Exec['kill_tapicero'] ];
+    '/etc/init.d/tapicero':
+      require   => [ Exec['kill_tapicero'] ];
+    'tapicero_logs':
+      path    => '/var/log/leap',
+      recurse => true,
+      matches => 'tapicero*',
+      require   => [ Exec['kill_tapicero'] ];
+    '/etc/check_mk/logwatch.d/tapicero.cfg':;
+  }
+
+  # remove local nagios plugin checks via mrpe
+  augeas {
+    'Tapicero_Procs':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
+      require => File['/etc/check_mk/mrpe.cfg'];
+    'Tapicero_Heartbeat':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm Tapicero_Heartbeat',
+      require => File['/etc/check_mk/mrpe.cfg'];
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/webapp.pp b/puppet/modules/site_config/manifests/remove/webapp.pp
new file mode 100644
index 00000000..58f59815
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/webapp.pp
@@ -0,0 +1,7 @@
+# remove leftovers on webapp nodes
+class site_config::remove::webapp {
+  tidy {
+    '/etc/apache/sites-enabled/leap_webapp.conf':
+      notify => Service['apache'];
+  }
+}
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
new file mode 100644
index 00000000..09f0b405
--- /dev/null
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -0,0 +1,14 @@
+class site_config::resolvconf {
+
+  $domain_public = $site_config::default::domain_hash['full_suffix']
+
+  class { '::resolvconf':
+    domain      => $domain_public,
+    search      => $domain_public,
+    nameservers => [
+      '127.0.0.1      # local caching-only, unbound',
+      '85.214.20.141  # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)',
+      '172.81.176.146 # OpenNIC (https://servers.opennicproject.org/edit.php?srv=ns1.tor.ca.dns.opennic.glue)'
+    ]
+  }
+}
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp
new file mode 100644
index 00000000..5c13233d
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby.pp
@@ -0,0 +1,8 @@
+# install ruby, rubygems and bundler
+# configure ruby settings common to all servers
+class site_config::ruby {
+  Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+  class { '::ruby': }
+  class { 'bundler::install': install_method => 'package' }
+  include rubygems
+}
diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp
new file mode 100644
index 00000000..2b0b106d
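Review bot: the `onlyif` of `remove_couchdb_user` uses `grep -qv 'not_found'`, which succeeds for any non-empty response that is not a not_found error, including an `unauthorized` or other error body, so on a node where anonymous reads of `_users` are denied the `--delete` command would be attempted on every puppet run. Test positively for the document instead, e.g. `onlyif => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -q '\"_id\":\"org.couchdb.user:tapicero\"'",`. How couch-doc-update authenticates is not visible in this hunk, so whether the delete itself can succeed unauthenticated is left to that script.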
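Review bot: listing two external nameservers after 127.0.0.1 in `site_config::resolvconf` means that whenever the local unbound is down or slow, glibc fails over and sends every lookup in cleartext to third-party resolvers, bypassing the local cache and its hardening settings that `site_config::caching_resolver` in this commit sets up. If that fallback is deliberate, document the trade-off in a comment above `nameservers`; if not, list only `'127.0.0.1      # local caching-only, unbound'`. Also `$site_config::default::domain_hash` makes this class depend on `site_config::default` having been evaluated first; reading `hiera('domain')` here directly removes that ordering dependency.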
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby/dev.pp
@@ -0,0 +1,8 @@
+# install ruby dev packages needed for building some gems
+class site_config::ruby::dev {
+  include site_config::ruby
+  include ::ruby::devel
+
+  # building gems locally probably requires build-essential and gcc:
+  include site_config::packages::build_essential
+}
diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp
new file mode 100644
index 00000000..82dfe76d
--- /dev/null
+++ b/puppet/modules/site_config/manifests/setup.pp
@@ -0,0 +1,50 @@
+# common things to set up on every node
+# leftover from the past, where we did two puppetruns
+# after another. We should consolidate this into site_config::default
+# in the future.
+class site_config::setup {
+  tag 'leap_base'
+
+  #
+  # this is applied before each run of site.pp
+  #
+
+  Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }
+
+  include site_config::params
+
+  include concat::setup
+  include stdlib
+
+  # configure /etc/hosts
+  class { 'site_config::hosts': }
+
+  include site_config::initial_firewall
+
+  include site_apt
+
+  package { 'facter':
+    ensure  => latest
+  }
+
+  # if squid_deb_proxy_client is set to true, install and configure
+  # squid_deb_proxy_client for apt caching
+  if hiera('squid_deb_proxy_client', false) {
+    include site_squid_deb_proxy::client
+  }
+
+  # shorewall is installed/half-configured during setup.pp (Bug #3871)
+  # we need to include shorewall::interface{eth0} in setup.pp so
+  # packages can be installed during main puppetrun, even before shorewall
+  # is configured completly
+  if ( $::site_config::params::environment == 'local' ) {
+    include site_config::vagrant
+  }
+
+  # if class site_custom::setup exists, include it.
+  # possibility for users to define custom puppet recipes
+  if defined( '::site_custom::setup') {
+    include ::site_custom::setup
+  }
+
+}
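Review bot: `package { 'facter': ensure => latest }` upgrades the agent's fact source to whatever newest version any configured apt repository offers, on every run, with no pin and no review step, for code that runs as root on every node; `site_config::remove::jessie` in this same commit even removes a facter apt preference, so nothing else constrains it. Prefer `ensure => present`, or pin the version in site_apt; if unattended upgrades of facter are intended, add a comment above the resource explaining why. The `Exec { path => … }` default set here is also what unqualified exec commands elsewhere in this commit rely on, which is worth a comment since it only applies to classes evaluated within this scope.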
diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp
new file mode 100644
index 00000000..5b8c025d
--- /dev/null
+++ b/puppet/modules/site_config/manifests/shell.pp
@@ -0,0 +1,22 @@
+class site_config::shell {
+
+  file {
+    '/etc/profile.d/leap_path.sh':
+      content => 'PATH=$PATH:/srv/leap/bin',
+      mode    => '0644',
+      owner   => root,
+      group   => root;
+  }
+
+  ##
+  ## XTERM TITLE
+  ##
+
+  file { '/etc/profile.d/xterm-title.sh':
+    source => 'puppet:///modules/site_config/xterm-title.sh',
+    owner  => root,
+    group  => 0,
+    mode   => '0644';
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp
new file mode 100644
index 00000000..8e9b7035
--- /dev/null
+++ b/puppet/modules/site_config/manifests/slow.pp
@@ -0,0 +1,10 @@
+# this class is run by default, but can be excluded
+# for testing purposes by calling "leap deploy" with
+# the "--fast" parameter
+class site_config::slow {
+  tag 'leap_slow'
+
+  include site_config::default
+  include apt::update
+  class { 'site_apt::dist_upgrade': }
+}
diff --git a/puppet/modules/site_config/manifests/sysctl.pp b/puppet/modules/site_config/manifests/sysctl.pp
new file mode 100644
index 00000000..99f75123
--- /dev/null
+++ b/puppet/modules/site_config/manifests/sysctl.pp
@@ -0,0 +1,8 @@
+class site_config::sysctl {
+
+  sysctl::config {
+    'net.ipv4.ip_nonlocal_bind':
+      value   => 1,
+      comment => 'Allow applications to bind to an address when link is down (see https://leap.se/code/issues/4506)'
+  }
+}
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
new file mode 100644
index 00000000..591e0601
--- /dev/null
+++ b/puppet/modules/site_config/manifests/syslog.pp
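Review bot: `/etc/profile.d/leap_path.sh` appends /srv/leap/bin to PATH for every login shell including root's, but the directory itself is not managed anywhere in this commit (`site_config::files` creates /srv/leap as root 0711 and nothing below it), so if a service user can write to /srv/leap/bin it can plant a binary that root picks up for any command name not found earlier in PATH. Manage the directory as root-owned and not group/world-writable, or add a comment recording that assumption next to the file resource. The content also has no trailing newline; `content => "PATH=\$PATH:/srv/leap/bin\n",` is safer for a file that is sourced by the shell.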
@@ -0,0 +1,62 @@
+# configure rsyslog on all nodes
+class site_config::syslog {
+
+  # only pin rsyslog packages to backports on wheezy
+  case $::operatingsystemrelease {
+    /^7.*/: {
+      include ::site_apt::preferences::rsyslog
+    }
+    # on jessie+ systems, systemd and journald are enabled,
+    # and journald logs IP addresses, so we need to disable
+    # it until a solution is found, (#7863):
+    # https://github.com/systemd/systemd/issues/2447
+    default: {
+      include ::journald
+      augeas {
+        'disable_journald':
+          incl    => '/etc/systemd/journald.conf',
+          lens    => 'Puppet.lns',
+          changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'',
+          notify  => Service['systemd-journald'];
+      }
+    }
+  }
+
+  class { '::rsyslog::client':
+    log_remote    => false,
+    log_local     => true,
+    custom_config => 'site_rsyslog/client.conf.erb'
+  }
+
+  rsyslog::snippet { '00-anonymize_logs':
+    content => '$ModLoad mmanon
+action(type="mmanon" ipv4.bits="32" mode="rewrite")'
+  }
+
+  augeas {
+    'logrotate_leap_deploy':
+      context => '/files/etc/logrotate.d/leap_deploy/rule',
+      changes => [
+        'set file /var/log/leap/deploy.log',
+        'set rotate 5',
+        'set size 1M',
+        'set compress compress',
+        'set missingok missingok',
+        'set copytruncate copytruncate' ];
+
+    # NOTE:
+    # the puppet_command script requires the option delaycompress
+    # be set on the summary log file.
+
+    'logrotate_leap_deploy_summary':
+      context => '/files/etc/logrotate.d/leap_deploy_summary/rule',
+      changes => [
+        'set file /var/log/leap/deploy-summary.log',
+        'set rotate 5',
+        'set size 100k',
+        'set delaycompress delaycompress',
+        'set compress compress',
+        'set missingok missingok',
+        'set copytruncate copytruncate' ]
+  }
+}
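Review bot: the `00-anonymize_logs` snippet configures mmanon with only `ipv4.bits="32"`, so IPv4 addresses are rewritten but IPv6 addresses pass through untouched; the resolver in this commit listens on `::1` and the firewall comments say IPv6 is not yet supported, so this is presumably accepted, but the class comment about journald "logging IP addresses" reads as if all client addresses are scrubbed. Whether an `ipv6.*` option is available depends on the installed rsyslog version, so either add the IPv6 rule where supported or record the gap in a comment next to the snippet, e.g. `# only IPv4 is anonymized here; IPv6 addresses still reach the logs`. Setting `Storage=none` stops journald persisting but, with syslog forwarding, messages still reach rsyslog, which appears to be the intent and is worth stating in the existing comment.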
diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp
new file mode 100644
index 00000000..8f50b305
--- /dev/null
+++ b/puppet/modules/site_config/manifests/vagrant.pp
@@ -0,0 +1,11 @@
+class site_config::vagrant {
+  # class for vagrant nodes
+
+  include site_shorewall::defaults
+  # eth0 on vagrant nodes is the uplink if
+  shorewall::interface { 'eth0':
+    zone      => 'net',
+    options   => 'tcpflags,blacklist,nosmurfs';
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp
new file mode 100644
index 00000000..2880ecaf
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca.pp
@@ -0,0 +1,11 @@
+class site_config::x509::ca {
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $ca        = $x509['ca_cert']
+
+  x509::ca { $site_config::params::ca_name:
+    content => $ca
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
new file mode 100644
index 00000000..5808e29e
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
@@ -0,0 +1,17 @@
+class site_config::x509::ca_bundle {
+
+  # CA bundle -- we want to have the possibility of allowing multiple CAs.
+  # For now, the reason is to transition to using client CA. In the future,
+  # we will want to be able to smoothly phase out one CA and phase in another.
+  # I tried "--capath" for this, but it did not work.
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $ca        = $x509['ca_cert']
+  $client_ca = $x509['client_ca_cert']
+
+  x509::ca { $site_config::params::ca_bundle_name:
+    content => "${ca}${client_ca}"
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/cert.pp b/puppet/modules/site_config/manifests/x509/cert.pp
new file mode 100644
index 00000000..7e5a36b9
--- /dev/null
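Review bot: `content => "${ca}${client_ca}"` in `site_config::x509::ca_bundle` joins the two PEM blobs with no separator, so if `ca_cert` does not end in a newline the bundle contains `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` on one line and OpenSSL silently loads only the first certificate, quietly dropping client-CA trust. `site_config::x509::commercial::cert` in this commit already uses `"${cert}\n${ca}"`; do the same here with `content => "${ca}\n${client_ca}"` (an extra blank line between PEM blocks is harmless). Whether the hiera values carry a trailing newline is not visible here, so this is a cheap defence either way.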
+++ b/puppet/modules/site_config/manifests/x509/cert.pp
@@ -0,0 +1,12 @@
+class site_config::x509::cert {
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $cert      = $x509['cert']
+
+  x509::cert { $site_config::params::cert_name:
+    content => $cert
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/client_ca/ca.pp b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp
new file mode 100644
index 00000000..3fbafa98
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp
@@ -0,0 +1,16 @@
+class site_config::x509::client_ca::ca {
+
+  ##
+  ## This is for the special CA that is used exclusively for generating
+  ## client certificates by the webapp.
+  ##
+
+  include ::site_config::params
+
+  $x509 = hiera('x509')
+  $cert = $x509['client_ca_cert']
+
+  x509::ca { $site_config::params::client_ca_name:
+    content => $cert
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/client_ca/key.pp b/puppet/modules/site_config/manifests/x509/client_ca/key.pp
new file mode 100644
index 00000000..0b537e76
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/client_ca/key.pp
@@ -0,0 +1,16 @@
+class site_config::x509::client_ca::key {
+
+  ##
+  ## This is for the special CA that is used exclusively for generating
+  ## client certificates by the webapp.
+  ##
+
+  include ::site_config::params
+
+  $x509 = hiera('x509')
+  $key  = $x509['client_ca_key']
+
+  x509::key { $site_config::params::client_ca_name:
+    content => $key
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
new file mode 100644
index 00000000..c76a9dbb
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
@@ -0,0 +1,11 @@
+class site_config::x509::commercial::ca {
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $ca        = $x509['commercial_ca_cert']
+
+  x509::ca { $site_config::params::commercial_ca_name:
+    content => $ca
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp
new file mode 100644
index 00000000..9dd6ffcd
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp
@@ -0,0 +1,15 @@
+class site_config::x509::commercial::cert {
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $cert      = $x509['commercial_cert']
+  $ca        = $x509['commercial_ca_cert']
+
+  $cafile = "${cert}\n${ca}"
+
+  x509::cert { $site_config::params::commercial_cert_name:
+    content => $cafile
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp
new file mode 100644
index 00000000..2be439fd
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp
@@ -0,0 +1,11 @@
+class site_config::x509::commercial::key {
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $key       = $x509['commercial_key']
+
+  x509::key { $site_config::params::commercial_cert_name:
+    content => $key
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp
new file mode 100644
index 00000000..448dc6a6
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/key.pp
@@ -0,0 +1,11 @@
+class site_config::x509::key {
+
+  include ::site_config::params
+
+  $x509      = hiera('x509')
+  $key       = $x509['key']
+
+  x509::key { $site_config::params::cert_name:
+    content => $key
+  }
+}
|
