Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/manifests/site.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 3 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/add_service.pp | 9 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb.pp | 22 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/defaults.pp | 47 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 76 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/ip_forward.pp | 10 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/sshd.pp | 23 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/tor.pp | 28 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/webapp.pp | 13 | ||||
-rw-r--r-- | puppet/modules/site_tor/manifests/disable_exit.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_tor/manifests/init.pp | 28 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 2 | ||||
m--------- | puppet/modules/tor | 0 |
15 files changed, 191 insertions, 83 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 53b452d1..1ec806d9 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -33,3 +33,7 @@ if 'ca' in $services { if 'monitor' in $services { include site_nagios } + +if 'tor' in $services { + include site_tor +} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c65c0799..2191e9a1 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -30,4 +30,7 @@ class site_config::default { package { [ 'etckeeper' ]: ensure => installed, } + + # include basic shorewall config + include site_shorewall::defaults } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1789dd55..9ecde5e6 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -59,4 +59,6 @@ class site_couchdb { couchdb::create_db { 'client_certificates': readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } + + include site_shorewall::couchdb } diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 280cb010..6ef3cbf5 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -2,14 +2,9 @@ define site_nagios::add_service ( $hostname, $ip_address, $openvpn_gw = '', $service) { case $service { - # don't deploy until we fix 1546 - 'openvpn': { - $check_command = "check_openvpn_server_ip_port!$openvpn_gw!1194" - $service_description = 'Openvpn' - } 'webapp': { - $check_command = 'check_https' - $service_description = 'Website' + $check_command = 'check_https_cert' + $service_description = 'Website Certificate' } default: { #notice ("No Nagios service check for service \"$service\"") 
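Review bot: Pulling `site_shorewall::defaults` into `site_config::default` applies the `all-to-all` DROP policy to every node, but this commit only adds `net2fw` rules for couchdb, eip, ssh, tor and the webapp; a node carrying a service that has no `site_shorewall` class of its own (site.pp also dispatches `ca` and `monitor`) will answer nothing but ssh and ICMP after the next run. If that is the intended fail-closed default it should be said here, e.g. `# every node gets the DROP-by-default firewall; each service must open its own ports via a site_shorewall::<service> class`, so the next person who finds a freshly firewalled service knows where to look. The class body continues outside the hunk.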
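Review bot: Swapping `check_https` for `check_https_cert` on the `webapp` service trades the availability check for a certificate-only check, so a webapp that returns 5xx or stops answering while its certificate is still valid would no longer be flagged; keeping both (a second service entry, or a second nagios service resource keyed on `${service_description}`) seems preferable to replacing one with the other. With the `openvpn` case gone, the `$openvpn_gw = ''` parameter in the define signature appears unused within what the hunk shows; either drop it or leave the removed `# don't deploy until we fix 1546` remark next to it so the parameter is not left rotting silently. The define's body continues outside the hunk.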
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp new file mode 100644 index 00000000..1b7f791d --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -0,0 +1,22 @@ +class site_shorewall::couchdb { + + include site_shorewall::defaults + + $couchdb_port = '6984' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_couchdb': + content => "PARAM - - tcp $couchdb_port", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-couchdb': + source => 'net', + destination => '$FW', + action => 'leap_couchdb(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5f60ec6..d5639a90 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,6 +1,17 @@ class site_shorewall::defaults { include shorewall + # be safe for development + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + + $ip_address = hiera('ip_address') + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => [ 'eth0', 'eth1' ], + default => getvar("interface_${ip_address}") + } + + # If you want logging: shorewall::params { 'LOG': value => 'debug'; 
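Review bot: `net2fw-couchdb` accepts TCP 6984 from the whole `net` zone, so CouchDB is reachable from any address on the internet and its only protection is CouchDB's own authentication (and TLS, if 6984 is the SSL listener here — the hunk does not show that). Only the webapp and the other nodes of this deployment need to reach it, so the rule should name them, e.g. `source => 'net:203.0.113.10,203.0.113.11'` built from a hiera list of peer addresses, with `'net'` kept only as a documented, deliberate fallback. A comment on the macro naming the expected clients would also help the next reader, e.g. `# CouchDB (6984) is consumed by the webapp nodes only; do not widen the source`.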
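Review bot: On a non-virtualbox node `$interface` comes from `getvar("interface_${ip_address}")`, and when that fact is absent (wrong `ip_address` in hiera, renamed fact) the variable is `undef` and the `shorewall::interface` / `routestopped` declarations further down the file get an empty title, failing the whole catalog without saying why. A guard right after the selector makes the failure explicit: `if ! $interface { fail("no interface fact found for ip_address ${ip_address}") }`. Since this class is now reached from `site_config::default`, the guard applies to every node, which is where such a misconfiguration is most likely to surface. The class continues past this hunk.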
@@ -8,14 +19,36 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - include augeas - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Class[augeas]; + # define interfaces + shorewall::interface { $interface: + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::routestopped { $interface: } + + shorewall::policy { + 'fw-to-all': + sourcezone => 'fw', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + # ping party + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; } + include site_shorewall::sshd } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index de81aa1d..4e5a5d48 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
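Review bot: `shorewall::routestopped { $interface: }` with no host or option restriction leaves the public `net` interface fully open whenever shorewall is stopped, and because `site_shorewall::defaults` now lands on every node, each firewall restart — or a restart that fails to compile the new ruleset — exposes every listening service for that window. Unless unrestricted access while the firewall is down is a requirement, narrow the entry to the management hosts (the routestopped file takes a HOST(S) column, e.g. `203.0.113.0/24`) or drop it so that a stopped firewall fails closed. The `fw-to-all` ACCEPT policy leaves outbound traffic unrestricted; the `fw2all-*` rules removed from eip.pp were redundant with it, so that is not a regression, but a one-line comment on the policy stating that outbound is intentionally open would prevent someone from "fixing" it later.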
@@ -1,35 +1,21 @@ class site_shorewall::eip { - # be safe for development - #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } - include site_shorewall::defaults + include site_shorewall::ip_forward - $ip_address = hiera('ip_address') - # a special case for vagrant interfaces - $interface = $::virtual ? { - virtualbox => [ 'eth0', 'eth1' ], - default => getvar("interface_${ip_address}") - } - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': - content => "PARAM - - tcp 1194,$ssh_port + content => "PARAM - - tcp 1194 PARAM - - udp 1194 -", } - - - # define interfaces - shorewall::interface { $interface: - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; +", + notify => Service['shorewall'] } + shorewall::interface { 'tun0': zone => 'eip', @@ -40,11 +26,9 @@ PARAM - - udp 1194 } - shorewall::zone {'eip': + shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: } - case $::virtual { 'virtualbox': { shorewall::masq { @@ -56,6 +40,7 @@ PARAM - - udp 1194 source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } } default: { + $interface = $site_shorewall::defaults::interface shorewall::masq { "${interface}_tcp": interface => $interface, 
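Review bot: The `leap_eip` macro hardcodes 1194/tcp and 1194/udp while `$openvpn_ports` is read from hiera a few lines above; if the dnat rules at the end of the file redirect the extra configured ports onto 1194 that is intended, but nothing in this hunk says so and a reader will assume the configured ports are the ones being opened. A comment above the macro settles it, e.g. `# only 1194 is accepted directly; the other ports in $openvpn_ports are DNATed onto it below`, or the macro could be generated from `$openvpn_ports` so the two cannot drift. The class body continues outside the hunk.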
@@ -73,61 +58,14 @@ PARAM - - udp 1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; - 'fw-to-all': - sourcezone => '$FW', - destinationzone => 'all', - policy => 'ACCEPT', - order => 100; - 'all-to-all': - sourcezone => 'all', - destinationzone => 'all', - policy => 'DROP', - order => 200; } shorewall::rule { - # ping party - 'all2all-ping': - source => 'all', - destination => 'all', - action => 'Ping(ACCEPT)', - order => 200; - - # outside to server - 'net2fw-ssh': - source => 'net', - destination => '$FW', - action => 'SSH(ACCEPT)', - order => 200; 'net2fw-openvpn': source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', order => 200; - - # server to outside - 'fw2all-http': - source => '$FW', - destination => 'all', - action => 'HTTP(ACCEPT)', - order => 200; - 'fw2all-DNS': - source => '$FW', - destination => 'all', - action => 'DNS(ACCEPT)', - order => 200; - 'fw2all-git': - source => '$FW', - destination => 'all', - action => 'Git(ACCEPT)', - order => 200; - - # Webfrontend is running on another server - #'eip2fw-https': - # source => 'eip', - # destination => '$FW', - # action => 'HTTPS(ACCEPT)', - # order => 200; } # create dnat rule for each port diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp new file mode 100644 index 00000000..d09d4fd1 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp @@ -0,0 +1,10 @@ +class site_shorewall::ip_forward { + include augeas + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Class[augeas]; + } +} diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp new file mode 100644 index 00000000..2cf4fd56 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/sshd.pp 
@@ -0,0 +1,23 @@ +class site_shorewall::sshd { + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + include shorewall + + # define macro for incoming sshd + file { '/etc/shorewall/macro.leap_sshd': + content => "PARAM - - tcp $ssh_port", + notify => Service['shorewall'] + } + + + shorewall::rule { + # outside to server + 'net2fw-ssh': + source => 'net', + destination => '$FW', + action => 'leap_sshd(ACCEPT)', + order => 200; + } +} diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp new file mode 100644 index 00000000..a72d9dfc --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -0,0 +1,28 @@ +class site_shorewall::tor { + + include site_shorewall::defaults + include site_shorewall::ip_forward + + $tor_port = '9001' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_tor': + content => "PARAM - - tcp $tor_port ", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-tor': + source => 'net', + destination => '$FW', + action => 'leap_tor(ACCEPT)', + order => 200; + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp new file mode 100644 index 00000000..ff9b7646 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -0,0 +1,13 @@ +class site_shorewall::webapp { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp new file mode 100644 index 00000000..73016646 --- /dev/null +++ b/puppet/modules/site_tor/manifests/disable_exit.pp 
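Review bot: `$ssh_port = $ssh_config['port']` is interpolated straight into the macro, so a hiera `ssh` hash without a `port` key yields `PARAM - - tcp ` and shorewall will refuse the ruleset on the next `notify`; whether that locks out ssh depends on what the service does on a failed restart, but with the DROP policy already active it is not a state to discover remotely, and this class is reached from `site_shorewall::defaults` on every node. Validate before writing the file: `if ! $ssh_port { fail('site_shorewall::sshd: hiera ssh.port is not set') }`. A comment is also warranted that the port opened here has to match what sshd actually listens on, since the firewall never reads `sshd_config`.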
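Review bot: `include site_shorewall::ip_forward` enables IP_FORWARDING on the tor node, but a Tor relay terminates its connections in userspace and does not route packets, so forwarding is unneeded here and only widens what a compromised or misconfigured host can do with its interfaces; it should be dropped from this class and left to `site_shorewall::eip`, which actually needs it. Separately, `$tor_port = '9001'` duplicates the `port => 9001` given to `tor::daemon::relay` in `site_tor`, so changing one silently breaks the other — read the port from one place (the hiera `tor` hash or a variable in `site_tor`) and reference it here. The `net2fw-http` rule exists for the directory mirror that `site_tor` puts on port 80; a comment saying so (`# port 80: tor directory mirror, see site_tor`) keeps it from being removed as stray.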
@@ -0,0 +1,7 @@ +class site_tor::disable_exit { + tor::daemon::exit_policy { + 'no_exit_at_all': + reject => '*:*'; + } +} + diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp new file mode 100644 index 00000000..dc16f91a --- /dev/null +++ b/puppet/modules/site_tor/manifests/init.pp @@ -0,0 +1,28 @@ +class site_tor { + tag 'leap_service' + + $tor = hiera('tor') + $bandwidth_rate = $tor['bandwidth_rate'] + $tor_type = $tor['type'] + $nickname = $tor['nickname'] + + $contact_email = hiera('contact_email') + $address = hiera('ip_address') + + class { 'tor::daemon': } + tor::daemon::relay { $nickname: + port => 9001, + address => $address, + contact_info => $contact_email, + bandwidth_rate => $bandwidth_rate, + } + + tor::daemon::directory { $::hostname: port => 80 } + + include site_shorewall::tor + + if ( $tor_type != 'exit' ) { + include site_tor::disable_exit + } + +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ff5a3611..f0d6c90a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -112,4 +112,6 @@ class site_webapp { mode => '0600'; } + include site_shorewall::webapp + } diff --git a/puppet/modules/tor b/puppet/modules/tor new file mode 160000 +Subproject a780e84001177f10a86a7bf824589c0553f513a |
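Review bot: `if ( $tor_type != 'exit' )` is the only thing standing between this host and becoming a Tor exit, and it silently treats a missing or misspelled `type` (undef, `'Exit'`, anything else) as non-exit — the safe direction, but the intent deserves to be written down, e.g. `# anything other than exactly 'exit' gets a reject-all exit policy; exits must be opted into explicitly in hiera`. `port => 9001` is duplicated as `$tor_port` in `site_shorewall::tor`; derive both from a single value so the relay and the firewall cannot drift apart. `$nickname` and `$address` go straight from hiera into the relay definition; a `fail()` when `$nickname` is empty would likely give a clearer error than tor's own.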