From 59635ff7904645075bf3ddd30a70a05a58102bed Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Sep 2012 11:21:23 +0200
Subject: added submodule openvpn
---
puppet/modules/openvpn | 1 +
1 file changed, 1 insertion(+)
create mode 160000 puppet/modules/openvpn
(limited to 'puppet')
diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn
new file mode 160000
index 00000000..25f1fe8d
--- /dev/null
+++ b/puppet/modules/openvpn
@@ -0,0 +1 @@
+Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c
-- cgit v1.2.3
From 2c2e3608a251bdb8210767484e05c896f6803d6c Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Sep 2012 11:29:17 +0200
Subject: beginning of openvpn server config
---
puppet/manifests/site.pp | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'puppet')
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3a136015..39173f95 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,3 +1,15 @@
-node "default" {
- notify {'Hello World':}
+node 'cougar.leap.se' {
+ openvpn::server {
+ 'cougar.leap.se':
+ country => 'TR',
+ province => 'Ankara',
+ city => 'Ankara',
+ organization => 'leap.se',
+ email => 'sysdev@leap.se';
+}
+
+}
+
+node 'default' {
+ notify {'Please specify a host in site.pp!':}
 }
-- cgit v1.2.3
From 670819cbaa3cf78e2fce45aeb030ece78a920a57 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 6 Sep 2012 11:55:35 +0200
Subject: added submodule concat
---
puppet/modules/concat | 1 +
1 file changed, 1 insertion(+)
create mode 160000 puppet/modules/concat
(limited to 'puppet')
diff --git a/puppet/modules/concat b/puppet/modules/concat
new file mode 160000
index 00000000..abce1280
--- /dev/null
+++ b/puppet/modules/concat
@@ -0,0 +1 @@
+Subproject commit abce1280e07b544d8455f1572dd870bbd2f14892
-- cgit v1.2.3
From caeac390b217849e8e57ac3afeb4061099e3fec5 Mon Sep 17 00:00:00 2001
From: varac Date: Thu, 6 Sep 2012 12:10:21 +0200 Subject: use node default again, more openvpn config --- puppet/manifests/site.pp | 75 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 70 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 39173f95..890d2623 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,4 +1,6 @@ -node 'cougar.leap.se' { +node 'default' { + notify {'Please specify a host in site.pp!':} + openvpn::server { 'cougar.leap.se': country => 'TR', 
@@ -6,10 +8,73 @@ node 'cougar.leap.se' { city => 'Ankara', organization => 'leap.se', email => 'sysdev@leap.se'; -} + } -} +# configure server + + + openvpn::option { + "dev server1": + key => "dev", + value => "tun0", + server => "server1"; + "script-security server1": + key => "script-security", + value => "3", + server => "server1"; + "daemon server1": + key => "daemon", + server => "server1"; + "keepalive server1": + key => "keepalive", + value => "10 60", + server => "server1"; + "ping-timer-rem server1": + key => "ping-timer-rem", + server => "server1"; + "persist-tun server1": + key => "persist-tun", + server => "server1"; + "persist-key server1": + key => "persist-key", + server => "server1"; + "proto server1": + key => "proto", + value => "tcp-server", + server => "server1"; + "cipher server1": + key => "cipher", + value => "BF-CBC", + server => "server1"; + "local server1": + key => "local", + value => $ipaddress, + server => "server1"; + "tls-server server1": + key => "tls-server", + server => "server1"; + "server server1": + key => "server", + value => "10.10.10.0 255.255.255.0", + server => "server1"; + "lport server1": + key => "lport", + value => "1194", + server => "server1"; + "management server1": + key => "management", + value => "/var/run/openvpn-server1.sock unix", + server => "server1"; + "comp-lzo server1": + key => "comp-lzo", + server => "server1"; + "topology server1": + key => "topology", + value => "subnet", + server => "server1"; + "client-to-client server1": + key => "client-to-client", + server => "server1"; + } -node 'default' { - notify {'Please specify a host in site.pp!':} } -- cgit v1.2.3 From 72987f7f86bd322e8ea68ff2633c76a29c6c2f95 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 12:14:06 +0200 Subject: more openvpn config testing --- puppet/manifests/site.pp | 74 +++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 36 deletions(-) (limited to 'puppet') 
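Review bot: `script-security 3` in the new `openvpn::option` block is the most permissive level (it lets OpenVPN hand passwords to scripts through the environment) while no up/down or auth script is configured here, so level 1 would do; it sits next to `client-to-client`, which makes every connected client reachable from every other one and deserves at least a comment stating that this is wanted on a gateway, and `cipher BF-CBC`, a 64-bit-block cipher where `AES-256-CBC` is available in the same releases. `value => $ipaddress` reaches a top-scope fact through dynamic scoping; `$::ipaddress` is the unambiguous form. The same option block is copied verbatim into the `site_openvpn` class (commit 075d6fb) and into `site_openvpn::server_config` (commits 1c5eb8a and 276de1e), so whatever is decided here applies there too; the last of those hunks is cut off at the end of this page and additionally points `dh` at a 1024-bit parameter file.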
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 890d2623..de551aed 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,8 +1,10 @@ node 'default' { notify {'Please specify a host in site.pp!':} + $openvpn_server='cougar.leap.se' + openvpn::server { - 'cougar.leap.se': + "$openvpn_server": country => 'TR', province => 'Ankara', city => 'Ankara', 
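Review bot: `"$openvpn_server":` as the `openvpn::server` title wraps a bare variable in a double-quoted string, and every `server => "$openvpn_server"` line in the second hunk of this commit does the same; Puppet evaluates both to the same string, but puppet-lint flags the pattern (only_variable_string) and `$openvpn_server:` / `server => $openvpn_server` read as what they are. `$openvpn_server='cougar.leap.se'` also keeps one host name hard-coded inside `node 'default'`, so any node matching the default block is configured as that server.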
@@ -14,67 +16,67 @@ node 'default' { openvpn::option { - "dev server1": + "dev $openvpn_server": key => "dev", value => "tun0", - server => "server1"; - "script-security server1": + server => "$openvpn_server"; + "script-security $openvpn_server": key => "script-security", value => "3", - server => "server1"; - "daemon server1": + server => "$openvpn_server"; + "daemon $openvpn_server": key => "daemon", - server => "server1"; - "keepalive server1": + server => "$openvpn_server"; + "keepalive $openvpn_server": key => "keepalive", value => "10 60", - server => "server1"; - "ping-timer-rem server1": + server => "$openvpn_server"; + "ping-timer-rem $openvpn_server": key => "ping-timer-rem", - server => "server1"; - "persist-tun server1": + server => "$openvpn_server"; + "persist-tun $openvpn_server": key => "persist-tun", - server => "server1"; - "persist-key server1": + server => "$openvpn_server"; + "persist-key $openvpn_server": key => "persist-key", - server => "server1"; - "proto server1": + server => "$openvpn_server"; + "proto $openvpn_server": key => "proto", value => "tcp-server", - server => "server1"; - "cipher server1": + server => "$openvpn_server"; + "cipher $openvpn_server": key => "cipher", value => "BF-CBC", - server => "server1"; - "local server1": + server => "$openvpn_server"; + "local $openvpn_server": key => "local", value => $ipaddress, - server => "server1"; - "tls-server server1": + server => "$openvpn_server"; + "tls-server $openvpn_server": key => "tls-server", - server => "server1"; - "server server1": + server => "$openvpn_server"; + "server $openvpn_server": key => "server", value => "10.10.10.0 255.255.255.0", - server => "server1"; - "lport server1": + server => "$openvpn_server"; + "lport $openvpn_server": key => "lport", value => "1194", - server => "server1"; - "management server1": + server => "$openvpn_server"; + "management $openvpn_server": key => "management", - value => "/var/run/openvpn-server1.sock unix", - server => 
"server1"; - "comp-lzo server1": + value => "/var/run/openvpn-$openvpn_server.sock unix", + server => "$openvpn_server"; + "comp-lzo $openvpn_server": key => "comp-lzo", - server => "server1"; - "topology server1": + server => "$openvpn_server"; + "topology $openvpn_server": key => "topology", value => "subnet", - server => "server1"; - "client-to-client server1": + server => "$openvpn_server"; + "client-to-client $openvpn_server": key => "client-to-client", - server => "server1"; + server => "$openvpn_server"; } } -- cgit v1.2.3 From 852e036263a2473acc4c07e859aca1a2c7860b6e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Sep 2012 12:49:38 +0200 Subject: main hiera config --- puppet/hiera.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/hiera.yaml (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml new file mode 100644 index 00000000..01b0d3b8 --- /dev/null +++ b/puppet/hiera.yaml @@ -0,0 +1,16 @@ +--- +:backends: + - yaml + - puppet + +:logger: console + +:hierarchy: + - "%{location}" + - common + +:yaml: + :datadir: /etc/leap/hieradata + +:puppet: + :datasource: data -- cgit v1.2.3 From bdfcfbb8702748ab013190b0116735fe56f7531e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Sep 2012 13:06:00 +0200 Subject: use hiere for openvpn CA --- puppet/manifests/site.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index de551aed..0d1f426d 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -1,15 +1,15 @@ node 'default' { notify {'Please specify a host in site.pp!':} - $openvpn_server='cougar.leap.se' + $openvpn_server=$::fqdn openvpn::server { "$openvpn_server": - country => 'TR', - province => 'Ankara', - city => 'Ankara', - organization => 'leap.se', - email => 'sysdev@leap.se'; + country => hiera("country"), + province => hiera("province"), + city => hiera("city"), + organization => hiera("organization"), + email => hiera("email"); } # configure server -- cgit v1.2.3 From c255a6a8772684397f545a560119428ac44993ca Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 11:49:00 +0200 Subject: use relative path, hieradata outline --- puppet/hiera.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 01b0d3b8..76584ad1 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -6,11 +6,14 @@ :logger: console :hierarchy: - - "%{location}" - - common + - hosts/%{fqdn} + - services/%{service} + - defaults +# relative from where puppet is run, so we need to run puppet +# from the root dir of the leap_platform repo :yaml: - :datadir: /etc/leap/hieradata + :datadir: config :puppet: :datasource: data -- cgit v1.2.3 From 429944efaac25766a5999966d8f52f74a0e0292b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 11:49:52 +0200 Subject: using class site_openvpn --- puppet/manifests/site.pp | 86 ++++-------------------------------------------- 1 file changed, 7 insertions(+), 79 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 0d1f426d..1bfc730e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
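Review bot: `notify {'Please specify a host in site.pp!':}` survives as context at the top of the hunk, yet after this change `node 'default'` configures the OpenVPN server for whichever host runs it (`$openvpn_server=$::fqdn`), so the message is misleading on every run and is emitted into the report. Drop it or reword it, e.g. `notify {"Configuring OpenVPN server ${openvpn_server}":}`. The `hiera(...)` calls carry no default, which makes a missing CA field fail the catalog rather than produce a certificate with empty subject fields; that is the right behaviour, but a comment saying it is intentional would help.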
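Review bot: `:datadir: config` is resolved against the working directory of the puppet process, so a run started anywhere but the repository root finds no data files and the lookups in site.pp fail (or, where a default is given, silently take it); the added comment documents the constraint but nothing enforces it. A wrapper that changes to the repo root before invoking puppet, or an absolute datadir chosen at deploy time, would make the failure mode explicit.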
@@ -1,82 +1,10 @@ node 'default' { - notify {'Please specify a host in site.pp!':} - - $openvpn_server=$::fqdn - - openvpn::server { - "$openvpn_server": - country => hiera("country"), - province => hiera("province"), - city => hiera("city"), - organization => hiera("organization"), - email => hiera("email"); - } - -# configure server - - - openvpn::option { - "dev $openvpn_server": - key => "dev", - value => "tun0", - server => "$openvpn_server"; - "script-security $openvpn_server": - key => "script-security", - value => "3", - server => "$openvpn_server"; - "daemon $openvpn_server": - key => "daemon", - server => "$openvpn_server"; - "keepalive $openvpn_server": - key => "keepalive", - value => "10 60", - server => "$openvpn_server"; - "ping-timer-rem $openvpn_server": - key => "ping-timer-rem", - server => "$openvpn_server"; - "persist-tun $openvpn_server": - key => "persist-tun", - server => "$openvpn_server"; - "persist-key $openvpn_server": - key => "persist-key", - server => "$openvpn_server"; - "proto $openvpn_server": - key => "proto", - value => "tcp-server", - server => "$openvpn_server"; - "cipher $openvpn_server": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_server"; - "local $openvpn_server": - key => "local", - value => $ipaddress, - server => "$openvpn_server"; - "tls-server $openvpn_server": - key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_server": - key => "server", - value => "10.10.10.0 255.255.255.0", - server => "$openvpn_server"; - "lport $openvpn_server": - key => "lport", - value => "1194", - server => "$openvpn_server"; - "management $openvpn_server": - key => "management", - value => "/var/run/openvpn-$openvpn_server.sock unix", - server => "$openvpn_server"; - "comp-lzo $openvpn_server": - key => "comp-lzo", - server => "$openvpn_server"; - "topology $openvpn_server": - key => "topology", - value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_server": - key => 
"client-to-client", - server => "$openvpn_server"; - } + $service='eip' + $password=hiera('testpw') + $openvpn_ports=hiera_array('openvpn_ports') + $tor=hiera('tor') + notify {"Password: $password":} + notify {"Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor":} + #include site_openvpn } -- cgit v1.2.3 From 075d6fb40ddaace0442a8d5ba9396c9f1849bddc Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 11:50:22 +0200 Subject: beginning of site_openvpn --- puppet/modules/site_openvpn/manifests/init.pp | 81 +++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 puppet/modules/site_openvpn/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp new file mode 100644 index 00000000..3d753af9 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -0,0 +1,81 @@ +class site_openvpn { + + $openvpn_server=$::fqdn + + openvpn::server { + $openvpn_server: + country => hiera("country"), + province => hiera("province"), + city => hiera("city"), + organization => hiera("organization"), + email => hiera("email"); + } + +# configure server + + + openvpn::option { + "dev $openvpn_server": + key => "dev", + value => "tun0", + server => "$openvpn_server"; + "script-security $openvpn_server": + key => "script-security", + value => "3", + server => "$openvpn_server"; + "daemon $openvpn_server": + key => "daemon", + server => "$openvpn_server"; + "keepalive $openvpn_server": + key => "keepalive", + value => "10 60", + server => "$openvpn_server"; + "ping-timer-rem $openvpn_server": + key => "ping-timer-rem", + server => "$openvpn_server"; + "persist-tun $openvpn_server": + key => "persist-tun", + server => "$openvpn_server"; + "persist-key $openvpn_server": + key => "persist-key", + server => "$openvpn_server"; + "proto $openvpn_server": + key => "proto", + value => "tcp-server", + server => "$openvpn_server"; + "cipher $openvpn_server": + key => "cipher", + value => "BF-CBC", + server => "$openvpn_server"; + "local $openvpn_server": + key => "local", + value => $ipaddress, + server => "$openvpn_server"; + "tls-server $openvpn_server": + key => "tls-server", + server => "$openvpn_server"; + "server $openvpn_server": + key => "server", + value => "10.10.10.0 255.255.255.0", + server => "$openvpn_server"; + "lport $openvpn_server": + key => "lport", + value => "1194", + server => "$openvpn_server"; + "management $openvpn_server": + key => "management", + value => "/var/run/openvpn-$openvpn_server.sock unix", + server => "$openvpn_server"; + "comp-lzo $openvpn_server": + key => "comp-lzo", + server => "$openvpn_server"; + "topology $openvpn_server": + key => "topology", + value => "subnet", + server => "$openvpn_server"; + "client-to-client $openvpn_server": + key => "client-to-client", + server => "$openvpn_server"; + } + 
+} -- cgit v1.2.3 From 7ad84a65744250098be1e05ef998f32f5c0a0523 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 12:20:15 +0200 Subject: hierachy levels need to be unambiguous, so we can't use services here, as one host could provide multiple services --- puppet/hiera.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 76584ad1..764966a2 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -7,7 +7,7 @@ :hierarchy: - hosts/%{fqdn} - - services/%{service} +# - services/%{service} # that's not possible, as hiera needs _one_ target per hierarchy - defaults # relative from where puppet is run, so we need to run puppet -- cgit v1.2.3 From 5c7ce0a1c90ab1c0844369882f7fcdb6ff05c16d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:39:00 +0200 Subject: new config layout --- puppet/hiera.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 764966a2..66efa299 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -7,7 +7,10 @@ :hierarchy: - hosts/%{fqdn} -# - services/%{service} # that's not possible, as hiera needs _one_ target per hierarchy + - ca/%{fqdn} + - ca/defaults + - eip/%{fqdn} + - eip/defaults - defaults # relative from where puppet is run, so we need to run puppet -- cgit v1.2.3 From 764ae6f21a8a54af78b29fc14876af36e2dd4651 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:39:23 +0200 Subject: parse new config layout --- puppet/manifests/site.pp | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1bfc730e..bb29e393 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -1,10 +1,22 @@ +define print() { + notice("The value is: '${name}'") +} + + node 'default' { - $service='eip' - $password=hiera('testpw') - $openvpn_ports=hiera_array('openvpn_ports') - $tor=hiera('tor') - notify {"Password: $password":} - notify {"Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor":} - #include site_openvpn + #$password=hiera('testpw') + #notify {"Password: $password":} + + $services=hiera_array('services') + notice("Services for $fqdn: $services") + + if 'eip' in $services { + $openvpn_ports=hiera_array('openvpn_ports') + $tor=hiera('tor') + notice("Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor") + print{$openvpn_ports:} + #include site_openvpn + } + } -- cgit v1.2.3 From 1a0d1907b303c2ab1e8da2a26e061e8a7327241e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Sep 2012 13:58:03 +0200 Subject: just a comment --- puppet/hiera.yaml | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 66efa299..a992c057 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -11,6 +11,7 @@ - ca/defaults - eip/%{fqdn} - eip/defaults +# more services following - defaults # relative from where puppet is run, so we need to run puppet -- cgit v1.2.3 From 75e57c74d5aa0595e02435ca4de15b9df1cc6002 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 21 Sep 2012 12:45:36 +0200 Subject: parsing of hiera config hash works --- puppet/manifests/site.pp | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index bb29e393..abb81511 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -1,7 +1,15 @@ define print() { - notice("The value is: '${name}'") + notice("The value is: '${name}'") +} + +define create_openvpn_config($port, $protocol) { + $openvpn_configname=$name + notice("Creating OpenVPN $openvpn_configname: + Port: $port, Protocol: $protocol") + # ... + #include site_openvpn + } - node 'default' { #$password=hiera('testpw') @@ -11,12 +19,9 @@ node 'default' { notice("Services for $fqdn: $services") if 'eip' in $services { - $openvpn_ports=hiera_array('openvpn_ports') + $openvpn=hiera('openvpn') $tor=hiera('tor') - notice("Openvpn Config for $fqdn: openvpn_ports=$openvpn_ports, tor=$tor") - print{$openvpn_ports:} - #include site_openvpn + notice("Tor enabled: $tor") + create_resources('create_openvpn_config', $openvpn) } - - } -- cgit v1.2.3 From 1c5eb8a64426c93d8118acac52870a6a95f73010 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 21 Sep 2012 15:03:08 +0200 Subject: oved things around --- puppet/manifests/site.pp | 18 ++--- puppet/modules/site_openvpn/manifests/init.pp | 79 -------------------- .../site_openvpn/manifests/server_config.pp | 84 ++++++++++++++++++++++ 3 files changed, 89 insertions(+), 92 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/server_config.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index abb81511..98e683af 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
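Review bot: `create_openvpn_config($port, $protocol)` receives both values from the `openvpn` hiera hash through `create_resources` and checks neither, and nothing beyond the `notice` consumes them yet, so a typo in the data only surfaces once the values are written into an OpenVPN config. A guard at the top of the define catches it at compile time: `if $port !~ /^\d+$/ { fail("${name}: invalid port '${port}'") }` and `if $protocol !~ /^(udp|tcp-server)$/ { fail("${name}: invalid protocol '${protocol}'") }`. The multi-line `notice(...)` string also embeds a newline and indentation in the log message; a single line reads better in syslog.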
@@ -2,26 +2,18 @@ define print() { notice("The value is: '${name}'") } -define create_openvpn_config($port, $protocol) { - $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $protocol") - # ... - #include site_openvpn - -} - node 'default' { - #$password=hiera('testpw') - #notify {"Password: $password":} + $concat_basedir = '/var/lib/puppet/modules/concat' + include concat::setup $services=hiera_array('services') notice("Services for $fqdn: $services") if 'eip' in $services { - $openvpn=hiera('openvpn') $tor=hiera('tor') notice("Tor enabled: $tor") - create_resources('create_openvpn_config', $openvpn) + + $openvpn_config=hiera('openvpn') + create_resources('site_openvpn::server_config', $openvpn_config) } } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 3d753af9..7d63d569 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,81 +1,2 @@ class site_openvpn { - - $openvpn_server=$::fqdn - - openvpn::server { - $openvpn_server: - country => hiera("country"), - province => hiera("province"), - city => hiera("city"), - organization => hiera("organization"), - email => hiera("email"); - } - -# configure server - - - openvpn::option { - "dev $openvpn_server": - key => "dev", - value => "tun0", - server => "$openvpn_server"; - "script-security $openvpn_server": - key => "script-security", - value => "3", - server => "$openvpn_server"; - "daemon $openvpn_server": - key => "daemon", - server => "$openvpn_server"; - "keepalive $openvpn_server": - key => "keepalive", - value => "10 60", - server => "$openvpn_server"; - "ping-timer-rem $openvpn_server": - key => "ping-timer-rem", - server => "$openvpn_server"; - "persist-tun $openvpn_server": - key => "persist-tun", - server => "$openvpn_server"; - "persist-key $openvpn_server": - key => "persist-key", - server => "$openvpn_server"; - "proto $openvpn_server": - key => "proto", - value => "tcp-server", - server => "$openvpn_server"; - "cipher $openvpn_server": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_server"; - "local $openvpn_server": - key => "local", - value => $ipaddress, - server => "$openvpn_server"; - "tls-server $openvpn_server": - key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_server": - key => "server", - value => "10.10.10.0 255.255.255.0", - server => "$openvpn_server"; - "lport $openvpn_server": - key => "lport", - value => "1194", - server => "$openvpn_server"; - "management $openvpn_server": - key => "management", - value => "/var/run/openvpn-$openvpn_server.sock unix", - server => "$openvpn_server"; - "comp-lzo $openvpn_server": - key => "comp-lzo", - server => "$openvpn_server"; - "topology $openvpn_server": - key => "topology", - value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_server": - key => "client-to-client", - server => "$openvpn_server"; - } - } 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
new file mode 100644
index 00000000..e0e8db4f
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -0,0 +1,84 @@ +define site_openvpn::server_config($port, $protocol) { + $openvpn_configname=$name + notice("Creating OpenVPN $openvpn_configname: + Port: $port, Protocol: $protocol") + + $openvpn_server=$::fqdn + # we don't need a ca generated + #openvpn::server { + # $openvpn_configname: + # country => hiera("country"), + # province => hiera("province"), + # city => hiera("city"), + # organization => hiera("organization"), + # email => hiera("email"); + #} + + # configure server + # all config options need to be "hieraized" + + openvpn::option { + "dev $openvpn_configname": + key => "dev", + value => "tun", + server => "$openvpn_server"; + "script-security $openvpn_configname": + key => "script-security", + value => "3", + server => "$openvpn_server"; + "daemon $openvpn_configname": + key => "daemon", + server => "$openvpn_server"; + "keepalive $openvpn_configname": + key => "keepalive", + value => "10 60", + server => "$openvpn_server"; + "ping-timer-rem $openvpn_configname": + key => "ping-timer-rem", + server => "$openvpn_server"; + "persist-tun $openvpn_configname": + key => "persist-tun", + server => "$openvpn_server"; + "persist-key $openvpn_configname": + key => "persist-key", + server => "$openvpn_server"; + "proto $openvpn_configname": + key => "proto", + value => "$proto", + server => "$openvpn_server"; + "cipher $openvpn_configname": + key => "cipher", + value => "BF-CBC", + server => "$openvpn_server"; + "local $openvpn_configname": + key => "local", + value => $ipaddress, + server => "$openvpn_server"; + "tls-server $openvpn_configname": + key => "tls-server", + server => "$openvpn_server"; + "server $openvpn_configname": + key => "server", + value => "$server", + server => "$openvpn_server"; + "lport $openvpn_configname": + key => "lport", + value => "$port", + server => "$openvpn_server"; + "management $openvpn_configname": + key => "management", + value => "/var/run/openvpn-$openvpn_configname.sock unix", + server => "$openvpn_server"; + 
"comp-lzo $openvpn_configname": + key => "comp-lzo", + server => "$openvpn_server"; + "topology $openvpn_configname": + key => "topology", + value => "subnet", + server => "$openvpn_server"; + "client-to-client $openvpn_configname": + key => "client-to-client", + server => "$openvpn_server"; + } + +} -- cgit v1.2.3 From 276de1e249b25e5e00c49229132215681aee6467 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 21 Sep 2012 20:26:20 +0200 Subject: basic configuration for openvpn server files --- puppet/manifests/site.pp | 13 ++- puppet/modules/site_openvpn/manifests/init.pp | 41 +++++++++ .../site_openvpn/manifests/server_config.pp | 100 +++++++++++++-------- 3 files changed, 111 insertions(+), 43 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 98e683af..f7b7303f 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,19 +1,18 @@ -define print() { - notice("The value is: '${name}'") -} - node 'default' { - $concat_basedir = '/var/lib/puppet/modules/concat' + # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup $services=hiera_array('services') notice("Services for $fqdn: $services") if 'eip' in $services { + include site_openvpn + $tor=hiera('tor') notice("Tor enabled: $tor") - $openvpn_config=hiera('openvpn') - create_resources('site_openvpn::server_config', $openvpn_config) + $openvpn_configs=hiera('openvpn_server_configs') + create_resources('site_openvpn::server_config', $openvpn_configs) + } } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7d63d569..c83b98c7 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,2 +1,43 @@ class site_openvpn { + package { + "openvpn": + ensure => installed; + } + service { + "openvpn": + ensure => running, + hasrestart => true, + hasstatus => true, + require => Exec["concat_/etc/default/openvpn"]; + } + file { + "/etc/openvpn": + ensure => directory, + require => Package["openvpn"]; + } + + include concat::setup + + concat { + "/etc/default/openvpn": + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service["openvpn"]; + } + + concat::fragment { + "openvpn.default.header": + content => template("openvpn/etc-default-openvpn.erb"), + target => "/etc/default/openvpn", + order => 01; + } + + concat::fragment { + "openvpn.default.autostart.${name}": + content => "AUTOSTART=all", + target => "/etc/default/openvpn", + order => 10; + } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index e0e8db4f..4a130d13 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
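Review bot: `require => Exec["concat_/etc/default/openvpn"]` on `service { "openvpn": }` names a resource that the concat module creates internally, so the catalog breaks the next time that module renames it; `require => Concat["/etc/default/openvpn"]` expresses the same ordering through the define's public name, and the `notify => Service["openvpn"]` already on the concat resource covers the refresh. `"openvpn.default.autostart.${name}"` uses `$name` inside a class, where it is simply the class name, so the title is effectively fixed and the interpolation misleads. `content => "AUTOSTART=all"` carries no trailing newline, so any fragment added later with a higher order lands on the same line. `mode => 644` is an unquoted number; `'0644'` is the form the file type documents.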
@@ -1,84 +1,112 @@ -define site_openvpn::server_config($port, $protocol) { +define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $protocol") + Port: $port, Protocol: $proto") + + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package["openvpn"]; + } + + concat { + "/etc/openvpn/${openvpn_configname}.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File["/etc/openvpn"], + notify => Service["openvpn"]; + } - $openvpn_server=$::fqdn - # we don't need a ca generated - #openvpn::server { - # $openvpn_configname: - # country => hiera("country"), - # province => hiera("province"), - # city => hiera("city"), - # organization => hiera("organization"), - # email => hiera("email"); - #} - # configure server - # all config options need to be "hieraized" openvpn::option { + "ca ${openvpn_configname}": + key => "ca", + value => "/etc/openvpn/ca.crt", + #require => Exec["initca ${openvpn_configname}"], + server => "${openvpn_configname}"; + "cert ${openvpn_configname}": + key => "cert", + value => "/etc/openvpn/${openvpn_configname}/server.crt", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "key ${openvpn_configname}": + key => "key", + value => "/etc/openvpn/${openvpn_configname}/server.key", + #require => Exec["generate server cert ${openvpn_configname}"], + server => "${openvpn_configname}"; + "dh ${openvpn_configname}": + key => "dh", + value => "/etc/openvpn/dh1024.pem", + #require => Exec["generate dh param ${openvpn_configname}"], + server => "${openvpn_configname}"; "dev $openvpn_configname": key => "dev", value => "tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; + "mode ${openvpn_configname}": + key => 'mode', + value => 'server', + server => $openvpn_configname; "script-security $openvpn_configname": key => "script-security", value => 
"3", - server => "$openvpn_server"; + server => "$openvpn_configname"; "daemon $openvpn_configname": key => "daemon", - server => "$openvpn_server"; + server => "$openvpn_configname"; "keepalive $openvpn_configname": key => "keepalive", value => "10 60", - server => "$openvpn_server"; + server => "$openvpn_configname"; "ping-timer-rem $openvpn_configname": key => "ping-timer-rem", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-tun $openvpn_configname": key => "persist-tun", - server => "$openvpn_server"; + server => "$openvpn_configname"; "persist-key $openvpn_configname": key => "persist-key", - server => "$openvpn_server"; + server => "$openvpn_configname"; "proto $openvpn_configname": key => "proto", value => "$proto", - server => "$openvpn_server"; + server => "$openvpn_configname"; "cipher $openvpn_configname": key => "cipher", value => "BF-CBC", - server => "$openvpn_server"; + server => "$openvpn_configname"; "local $openvpn_configname": key => "local", value => $ipaddress, - server => "$openvpn_server"; + server => "$openvpn_configname"; "tls-server $openvpn_configname": key => "tls-server", - server => "$openvpn_server"; - "server $openvpn_configname": - key => "server", - value => "$server", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"server $openvpn_configname": + # key => "server", + # value => "$server", + # server => "$openvpn_configname"; "lport $openvpn_configname": key => "lport", value => "$port", - server => "$openvpn_server"; + server => "$openvpn_configname"; "management $openvpn_configname": key => "management", value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_server"; + server => "$openvpn_configname"; "comp-lzo $openvpn_configname": key => "comp-lzo", - server => "$openvpn_server"; + server => "$openvpn_configname"; "topology $openvpn_configname": key => "topology", value => "subnet", - server => "$openvpn_server"; - "client-to-client $openvpn_configname": 
- key => "client-to-client", - server => "$openvpn_server"; + server => "$openvpn_configname"; + #"client-to-client $openvpn_configname": + # key => "client-to-client", + # server => "$openvpn_configname"; } } -- cgit v1.2.3 From f6ab238512364ea640dc46e35590d5a5d5de51f3 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Sep 2012 11:55:35 +0200 Subject: added submodule concat --- puppet/modules/concat | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/concat (limited to 'puppet') diff --git a/puppet/modules/concat b/puppet/modules/concat new file mode 160000 index 00000000..abce1280 --- /dev/null +++ b/puppet/modules/concat @@ -0,0 +1 @@ +Subproject commit abce1280e07b544d8455f1572dd870bbd2f14892 -- cgit v1.2.3 From 8fb0fcd72bdb357942d5e9adc2092e78ce6e1ee0 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 23 Sep 2012 16:06:56 +0200 Subject: added submodule sshd --- puppet/modules/sshd | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/sshd (limited to 'puppet') diff --git a/puppet/modules/sshd b/puppet/modules/sshd new file mode 160000 index 00000000..bd2e283a --- /dev/null +++ b/puppet/modules/sshd @@ -0,0 +1 @@ +Subproject commit bd2e283ab59430a7b3194804f1c8da7a9b58f8ff -- cgit v1.2.3 From 1dba92e9a2d71b7a1259ecb5f627e57e1a8fc7b8 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 23 Sep 2012 19:01:54 +0200 Subject: beginning of site_sshd --- puppet/modules/site_sshd/manifests/init.pp | 1 + puppet/modules/site_sshd/manifests/ssh_key.pp | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 puppet/modules/site_sshd/manifests/init.pp create mode 100644 puppet/modules/site_sshd/manifests/ssh_key.pp (limited to 'puppet') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp new file mode 100644 index 00000000..630e9bdf --- /dev/null +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -0,0 +1 @@ +class site_sshd {} 
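Review bot: The new `dh` option points at `/etc/openvpn/dh1024.pem`, i.e. 1024-bit Diffie-Hellman parameters, which are below the accepted minimum for a TLS key exchange; generate parameters of at least 2048 bits and point the option at them, e.g. `value => "/etc/openvpn/dh2048.pem"`. The new `ca`, `cert`, `key` and `dh` entries all reference files that nothing in this commit deploys (the `require => Exec[...]` lines that would have generated them are commented out), so the service will presumably fail to start until those files are provisioned by other means. The unchanged `cipher` line still selects `BF-CBC`, a 64-bit block cipher; it is worth moving to an AES mode when these options are next touched.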
diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp new file mode 100644 index 00000000..b47b2ebd --- /dev/null +++ b/puppet/modules/site_sshd/manifests/ssh_key.pp @@ -0,0 +1,3 @@ +define site_sshd::ssh_key($key) { + # ... todo: deploy ssh_key +} -- cgit v1.2.3 From 8320de2fd5bd8fcb429dfc1b68527a1c39a8341f Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 23 Sep 2012 19:02:28 +0200 Subject: reorderd config, include site_sshd --- puppet/manifests/site.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f7b7303f..a897de11 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,6 +5,14 @@ node 'default' { $services=hiera_array('services') notice("Services for $fqdn: $services") + # configure ssh and inculde ssh-keys + #include sshd + $ssh_keys=hiera_hash('ssh_keys') + include site_sshd + notice($ssh_keys) + create_resources('site_sshd::ssh_key', $ssh_keys) + + if 'eip' in $services { include site_openvpn -- cgit v1.2.3 From 967c231e754d769225e26cbd7b2ad3738bce833b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:36:58 +0200 Subject: added submodule apt --- puppet/modules/apt | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/apt (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt new file mode 160000 index 00000000..02bd3269 --- /dev/null +++ b/puppet/modules/apt @@ -0,0 +1 @@ +Subproject commit 02bd3269948f1a3c5a586e581a7fec22da69a2cc -- cgit v1.2.3 From 1b52d7de0f6214ceec879382932968fd07212624 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:45:08 +0200 Subject: added submodule lsb --- puppet/modules/lsb | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/lsb (limited to 'puppet') diff --git a/puppet/modules/lsb b/puppet/modules/lsb new file mode 160000 index 00000000..3742c1a0 --- /dev/null +++ b/puppet/modules/lsb 
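Review bot: `notice($ssh_keys)` in the `site.pp` hunk dumps the entire `ssh_keys` hash from hiera into the agent log and report on every run; it reads as a leftover debug statement and should be dropped (the same line reappears in `site_config::sshd` in a later commit on this page). `hiera_hash('ssh_keys')` is called without a default, so a node whose hierarchy lacks the key fails catalog compilation instead of simply deploying no keys; `$ssh_keys=hiera_hash('ssh_keys', {})` makes the absence explicit. The `#include sshd` left commented means the sshd module itself is not applied here yet, which is presumably intentional at this stage.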
@@ -0,0 +1 @@ +Subproject commit 3742c1a00c5602154a81834443ec5b0ca32c4ca0 -- cgit v1.2.3 From 3fc154d5b495338b7cce2971a0fba2c4faef4ee2 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:46:03 +0200 Subject: added submodule ntp --- puppet/modules/ntp | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/ntp (limited to 'puppet') diff --git a/puppet/modules/ntp b/puppet/modules/ntp new file mode 160000 index 00000000..27f2bc72 --- /dev/null +++ b/puppet/modules/ntp @@ -0,0 +1 @@ +Subproject commit 27f2bc72110b1001233eb0907aa07e06cdf33194 -- cgit v1.2.3 From 53dea7cd638ebf8d353d052b2d2185940c2056b9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 17:54:53 +0200 Subject: added submodule git --- puppet/modules/git | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/git (limited to 'puppet') diff --git a/puppet/modules/git b/puppet/modules/git new file mode 160000 index 00000000..497a1034 --- /dev/null +++ b/puppet/modules/git @@ -0,0 +1 @@ +Subproject commit 497a1034489e0dc3cab5dab2fb0a857785769734 -- cgit v1.2.3 From b6f07a78502ecbe850c0b798dfdd0fdb60a78425 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 18:32:40 +0200 Subject: include some basic mclasses --- puppet/manifests/site.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index a897de11..f70c0673 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,6 +1,10 @@ node 'default' { + + # include some basic classes # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup + include apt,git,lsb + $services=hiera_array('services') notice("Services for $fqdn: $services") @@ -21,6 +25,6 @@ node 'default' { $openvpn_configs=hiera('openvpn_server_configs') create_resources('site_openvpn::server_config', $openvpn_configs) - } + } -- cgit v1.2.3 
From bedef1a878698997c5c8490599dc9269fef60c37 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 18:35:38 +0200 Subject: added submodule common --- puppet/modules/common | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/common (limited to 'puppet') diff --git a/puppet/modules/common b/puppet/modules/common new file mode 160000 index 00000000..0961ad45 --- /dev/null +++ b/puppet/modules/common @@ -0,0 +1 @@ +Subproject commit 0961ad453b8befb4ea61bbd19f6ecea32b9619c9 -- cgit v1.2.3 From e73a5e34742a63d82ee4b1a84a779403d9f71bd7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 18:41:37 +0200 Subject: include common --- puppet/manifests/site.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f70c0673..5f58a733 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -3,8 +3,8 @@ node 'default' { # include some basic classes # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup - include apt,git,lsb - + include apt, lsb, git + import "common" $services=hiera_array('services') notice("Services for $fqdn: $services") -- cgit v1.2.3 From f7cd516218ccfb5ec1a68f9953dfce6be605b25b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 21:28:36 +0200 Subject: added submodule couchdb --- puppet/modules/couchdb | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/couchdb (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb new file mode 160000 index 00000000..a8052f92 --- /dev/null +++ b/puppet/modules/couchdb @@ -0,0 +1 @@ +Subproject commit a8052f92424ea020250265d89f5bc8df02104c7e -- cgit v1.2.3 From 8c078cbe1c607e0cb2df917196c00eade55b3a01 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 24 Sep 2012 22:20:57 +0200 Subject: test class couchdb --- puppet/manifests/site.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 5f58a733..3b28be2f 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -27,4 +27,9 @@ node 'default' { create_resources('site_openvpn::server_config', $openvpn_configs) } + if 'couchdb' in $services { + class { 'couchdb': + #bind => '0.0.0.0' + } + } } -- cgit v1.2.3 From 97979201818f8f830dba2f001cfb5c8bce3822ed Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 22:56:56 +0200 Subject: deleted submodule couchdb (from Benjamin-D) --- puppet/modules/couchdb | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/couchdb (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb deleted file mode 160000 index a8052f92..00000000 --- a/puppet/modules/couchdb +++ /dev/null @@ -1 +0,0 @@ -Subproject commit a8052f92424ea020250265d89f5bc8df02104c7e -- cgit v1.2.3 From 5486456528dd074b5ce705d23fab1da625043992 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Sep 2012 23:48:00 +0200 Subject: added camptocamp's submodule couchdb --- puppet/modules/couchdb | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/couchdb (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb new file mode 160000 index 00000000..e97e4081 --- /dev/null +++ b/puppet/modules/couchdb @@ -0,0 +1 @@ +Subproject commit e97e408116525f28b53162b89e6b582fb71020d2 -- cgit v1.2.3 From e6b33a004b38ee4ebe3b31fd715d32669fbe435a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Sep 2012 09:57:10 +0200 Subject: use leap's puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index e97e4081..8daa8625 160000 --- a/puppet/modules/couchdb 
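Review bot: The commented `#bind => '0.0.0.0'` would, if ever enabled, make CouchDB listen on every interface, so it is safer replaced by the intended loopback or internal address than left as a one-keystroke toggle. The couchdb module's own default bind address is not visible on this page; if it also listens on all interfaces, an explicit `bind => '127.0.0.1'` (or a firewalled internal address) belongs in this declaration now. Nothing else in `site.pp` restricts access to the service, so as declared the exposure depends entirely on the module defaults.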
+++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit e97e408116525f28b53162b89e6b582fb71020d2 +Subproject commit 8daa862541facd5207a75760f3656e857faf73fd -- cgit v1.2.3 From 49ffa8032c8043e9e47d801ccebb5d0fe1839a78 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 12:39:25 +0200 Subject: added submodule shorewall --- puppet/modules/shorewall | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/shorewall (limited to 'puppet') diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall new file mode 160000 index 00000000..911cc18e --- /dev/null +++ b/puppet/modules/shorewall @@ -0,0 +1 @@ +Subproject commit 911cc18e594bb5a3ab642ebb24615a0447050c32 -- cgit v1.2.3 From 2575ccbae4cc5941adce3d101b42471f6b18b504 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 12:40:38 +0200 Subject: added submodule resolvconf --- puppet/modules/resolvconf | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/resolvconf (limited to 'puppet') diff --git a/puppet/modules/resolvconf b/puppet/modules/resolvconf new file mode 160000 index 00000000..c7eca077 --- /dev/null +++ b/puppet/modules/resolvconf @@ -0,0 +1 @@ +Subproject commit c7eca077fdda063edc96d3bea02c4774569e4b10 -- cgit v1.2.3 From e5244f7015de9ffd88c20e9b8136996bfbfe0f0d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 16:08:07 +0200 Subject: added site_config::eip --- puppet/manifests/site.pp | 10 ++-------- puppet/modules/site_config/manifests/eip.pp | 10 ++++++++++ 2 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_config/manifests/eip.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 5f58a733..3ae9ebea 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
@@ -4,7 +4,7 @@ node 'default' { # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? include concat::setup include apt, lsb, git - import "common" + import 'common' $services=hiera_array('services') notice("Services for $fqdn: $services") @@ -18,13 +18,7 @@ node 'default' { if 'eip' in $services { - include site_openvpn - - $tor=hiera('tor') - notice("Tor enabled: $tor") - - $openvpn_configs=hiera('openvpn_server_configs') - create_resources('site_openvpn::server_config', $openvpn_configs) + include site_config::eip } } diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp new file mode 100644 index 00000000..56eb1452 --- /dev/null +++ b/puppet/modules/site_config/manifests/eip.pp @@ -0,0 +1,10 @@ +class site_config::eip { + include site_openvpn + + $tor=hiera('tor') + notice("Tor enabled: $tor") + + $openvpn_configs=hiera('openvpn_server_configs') + create_resources('site_openvpn::server_config', $openvpn_configs) + +} -- cgit v1.2.3 From 14305e553c4f71fbeec997d585383c4c6211c1a5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:29:26 +0200 Subject: don't pull openvpn config from hiera --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 56eb1452..c8677696 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
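Review bot: In the new `site_config::eip`, `$tor=hiera('tor')` is looked up only to be echoed by `notice(...)`; nothing consumes it, and because `hiera()` is called without a default, any node lacking a `tor` key now fails catalog compilation for the whole `eip` service. Either drop the lookup until it drives a resource, or give it a default, `$tor = hiera('tor', false)`. The same applies to `hiera('openvpn_server_configs')` two lines below.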
@@ -4,7 +4,15 @@ class site_config::eip { $tor=hiera('tor') notice("Tor enabled: $tor") - $openvpn_configs=hiera('openvpn_server_configs') - create_resources('site_openvpn::server_config', $openvpn_configs) - + #$openvpn_configs=hiera('openvpn_server_configs') + #create_resources('site_openvpn::server_config', $openvpn_configs) + + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp' + } } -- cgit v1.2.3 From 05fcb0db28279ae7c08b8c76c887f633f78a2947 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:38:01 +0200 Subject: cosmetics for server_config.pp --- .../site_openvpn/manifests/server_config.pp | 66 +++++++++++----------- 1 file changed, 33 insertions(+), 33 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 4a130d13..1af08b4a 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,52 +1,52 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname=$name - notice("Creating OpenVPN $openvpn_configname: + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package["openvpn"]; - } + file { + "/etc/openvpn/${name}": + ensure => directory, + require => Package['openvpn']; + } - concat { - "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File["/etc/openvpn"], - notify => Service["openvpn"]; - } + concat { + "/etc/openvpn/$openvpn_configname.conf": + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + notify => Service['openvpn']; + } openvpn::option { - "ca ${openvpn_configname}": - key => "ca", - value => "/etc/openvpn/ca.crt", - #require => Exec["initca ${openvpn_configname}"], - server => "${openvpn_configname}"; - "cert ${openvpn_configname}": - key => "cert", - value => "/etc/openvpn/${openvpn_configname}/server.crt", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "key ${openvpn_configname}": + "ca $openvpn_configname": + key => 'ca', + value => '/etc/openvpn/ca.crt', + #require => Exec["initca $openvpn_configname"], + server => $openvpn_configname; + "cert $openvpn_configname": + key => 'cert', + value => "/etc/openvpn/$openvpn_configname/server.crt", + #require => Exec["generate server cert $openvpn_configname"], + server => $openvpn_configname; + "key $openvpn_configname": key => "key", - value => "/etc/openvpn/${openvpn_configname}/server.key", - #require => Exec["generate server cert ${openvpn_configname}"], - server => "${openvpn_configname}"; - "dh ${openvpn_configname}": + value => "/etc/openvpn/$openvpn_configname/server.key", + #require => Exec["generate server cert $openvpn_configname"], + server => "$openvpn_configname"; + "dh 
$openvpn_configname": key => "dh", value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param ${openvpn_configname}"], - server => "${openvpn_configname}"; + #require => Exec["generate dh param $openvpn_configname"], + server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", value => "tun", server => "$openvpn_configname"; - "mode ${openvpn_configname}": + "mode $openvpn_configname": key => 'mode', value => 'server', server => $openvpn_configname; -- cgit v1.2.3 From ad018cb7c6b85252783e0f8ae5ce26afcc37d9e8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 17:58:04 +0200 Subject: seperate config from leap_platform --- puppet/hiera.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index a992c057..95283394 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -17,7 +17,7 @@ # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo :yaml: - :datadir: config + :datadir: ../config :puppet: :datasource: data -- cgit v1.2.3 From b7277a8c666248a2a134f1d5b84c994df9904b7c Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:34:20 +0200 Subject: moved most includes to site_config --- puppet/manifests/site.pp | 18 ++++++------------ puppet/modules/site_config/manifests/init.pp | 7 +++++++ 2 files changed, 13 insertions(+), 12 deletions(-) create mode 100644 puppet/modules/site_config/manifests/init.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 3ae9ebea..89c97888 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
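Review bot: `:datadir: ../config` is resolved relative to the working directory of the puppet process, as the surrounding comment notes, so a run started from any other directory silently loads a different (or empty) data tree and the `hiera()` lookups in the manifests then fail or pick up unintended values. If the repository layout is fixed, an absolute path or a wrapper that changes to the repository root before invoking puppet would remove that dependency; at minimum the required invocation directory should be stated next to the datadir line, e.g. `# must be run from the leap_platform repo root: leap_platform/puppet`.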
@@ -1,22 +1,16 @@ node 'default' { + # prerequisites + import 'common' + include concat::setup # include some basic classes - # $concat_basedir = '/var/lib/puppet/modules/concat' # do we need this ? - include concat::setup - include apt, lsb, git - import 'common' + #include site_config + # parse services for host $services=hiera_array('services') notice("Services for $fqdn: $services") - # configure ssh and inculde ssh-keys - #include sshd - $ssh_keys=hiera_hash('ssh_keys') - include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) - - + # configure eip if 'eip' in $services { include site_config::eip } diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp new file mode 100644 index 00000000..64eb06f4 --- /dev/null +++ b/puppet/modules/site_config/manifests/init.pp @@ -0,0 +1,7 @@ +class site_config { + include apt, lsb, git + + # configure ssh and inculde ssh-keys + include site_config::sshd + +} -- cgit v1.2.3 From fc72260f601fb77b90d9f2f2afd2a43c4d5916f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:35:16 +0200 Subject: + site_openvpn::keys --- puppet/modules/site_config/manifests/eip.pp | 5 +++-- puppet/modules/site_openvpn/manifests/keys.pp | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/keys.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c8677696..6e866b1c 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,8 +1,9 @@ class site_config::eip { include site_openvpn + include site_openvpn::keys - $tor=hiera('tor') - notice("Tor enabled: $tor") + #$tor=hiera('tor') + #notice("Tor enabled: $tor") #$openvpn_configs=hiera('openvpn_server_configs') #create_resources('site_openvpn::server_config', $openvpn_configs) 
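Review bot: `include site_config` is added commented out, while the ssh-key handling removed from this node (`include site_sshd`, `create_resources('site_sshd::ssh_key', $ssh_keys)`) and the `include apt, lsb, git` line now live only in the new `site_config` class; as committed, nothing includes `site_config`, so SSH key deployment and those base classes are silently dropped from every node. The new `site_config` class also includes `site_config::sshd`, which does not exist yet in this commit (it is added in a later commit on this page), so simply uncommenting the include as-is would fail compilation. Either keep the old block in `site.pp` until `site_config::sshd` exists, or land the class and `include site_config` together.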
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
new file mode 100644
index 00000000..b31369c9
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -0,0 +1,23 @@
+class site_openvpn::keys {
+ $openvpn_keys = hiera_hash('openvpn_keys')
+
+ file { '/etc/openvpn/keys/ca.crt':
+ content => $openvpn_keys['ca'],
+ mode => '0644',
+ }
+
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $openvpn_keys['dh'],
+ mode => '0644',
+ }
+
+ file { '/etc/openvpn/keys/server.key':
+ content => $openvpn_keys['server_key'],
+ mode => '0600',
+ }
+
+ file { '/etc/openvpn/keys/server.crt':
+ content => $openvpn_keys['server_cert'],
+ mode => '0644',
+ }
+}
-- cgit v1.2.3

From e89082114be280c7fd3c7b62863e19ff5c89df26 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 4 Oct 2012 22:36:12 +0200
Subject: cosmetics

---
 puppet/modules/site_openvpn/manifests/init.pp | 59 +++++++++++++++------------
 1 file changed, 32 insertions(+), 27 deletions(-)
(limited to 'puppet')

diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index c83b98c7..e95e67d5 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
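Review bot: None of the four `file` resources in `site_openvpn::keys` notifies `Service['openvpn']`, so a rotated CA, certificate, DH parameter or server key is written to disk but the running daemon keeps using the old material until something else restarts it; add `notify => Service['openvpn']` to each (the service is declared in `site_openvpn`, outside this hunk). `server.key` is managed via `content`, which allows the private key to surface in file diffs in reports and logs whenever it changes; `show_diff => false` on that resource keeps it out. This file also writes `/etc/openvpn/keys/dh.pem`, whereas `server_config.pp` is pointed at `dh1024.pem` in a later commit on this page; the two names need to agree.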
@@ -1,43 +1,48 @@ class site_openvpn { package { - "openvpn": - ensure => installed; + 'openvpn': + ensure => installed; } service { - "openvpn": - ensure => running, - hasrestart => true, - hasstatus => true, - require => Exec["concat_/etc/default/openvpn"]; + 'openvpn': + ensure => running, + hasrestart => true, + hasstatus => true, + require => Exec['concat_/etc/default/openvpn']; } + file { - "/etc/openvpn": - ensure => directory, - require => Package["openvpn"]; + '/etc/openvpn': + ensure => directory, + require => Package['openvpn']; } - include concat::setup + file { + '/etc/openvpn/keys': + ensure => directory, + require => Package['openvpn']; + } concat { - "/etc/default/openvpn": - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service["openvpn"]; + '/etc/default/openvpn': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; } concat::fragment { - "openvpn.default.header": - content => template("openvpn/etc-default-openvpn.erb"), - target => "/etc/default/openvpn", - order => 01; + 'openvpn.default.header': + content => template('openvpn/etc-default-openvpn.erb'), + target => '/etc/default/openvpn', + order => 01; } - concat::fragment { - "openvpn.default.autostart.${name}": - content => "AUTOSTART=all", - target => "/etc/default/openvpn", - order => 10; - } + concat::fragment { + "openvpn.default.autostart.${name}": + content => 'AUTOSTART=all', + target => '/etc/default/openvpn', + order => 10; + } } -- cgit v1.2.3 From c067421f34d375c2b39e88a5994353c71ac4c9af Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:36:48 +0200 Subject: include openvpn keys --- .../site_openvpn/manifests/server_config.pp | 23 ++++++---------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 1af08b4a..5a47954a 100644 
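Review bot: The new `/etc/openvpn/keys` directory is declared without `mode`, `owner` or `group`, so it inherits whatever the agent's umask gives it even though it is the home of `server.key`; `mode => '0750'` with root ownership limits listing and traversal as a second layer beyond the key file's own `0600`. Dropping `include concat::setup` from this class is fine only while `site.pp` keeps including it, which it does at this point on the page; a comment such as `# concat::setup is included from site.pp` would record that dependency.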
--- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,14 +1,9 @@ define site_openvpn::server_config($port, $proto) { - $openvpn_configname=$name + $openvpn_configname = $name + notice("Creating OpenVPN $openvpn_configname: Port: $port, Protocol: $proto") - file { - "/etc/openvpn/${name}": - ensure => directory, - require => Package['openvpn']; - } - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, @@ -19,28 +14,22 @@ define site_openvpn::server_config($port, $proto) { notify => Service['openvpn']; } - - openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/ca.crt', - #require => Exec["initca $openvpn_configname"], + value => '/etc/openvpn/keys/ca.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/$openvpn_configname/server.crt", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.crt", server => $openvpn_configname; "key $openvpn_configname": key => "key", - value => "/etc/openvpn/$openvpn_configname/server.key", - #require => Exec["generate server cert $openvpn_configname"], + value => "/etc/openvpn/keys/server.key", server => "$openvpn_configname"; "dh $openvpn_configname": key => "dh", - value => "/etc/openvpn/dh1024.pem", - #require => Exec["generate dh param $openvpn_configname"], + value => "/etc/openvpn/keys/dh1024.pem", server => "$openvpn_configname"; "dev $openvpn_configname": key => "dev", -- cgit v1.2.3 From 9fb0bcc2901bf5cf79d3ac0a46c610d302e0df7b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 22:38:15 +0200 Subject: + site_config::sshd --- puppet/modules/site_config/manifests/sshd.pp | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 puppet/modules/site_config/manifests/sshd.pp (limited to 'puppet') 
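Review bot: The `dh` option is now `/etc/openvpn/keys/dh1024.pem`, but `site_openvpn::keys` (the preceding commit on this page) deploys the parameters as `/etc/openvpn/keys/dh.pem`, so the daemon will fail to start on a missing file; change the value to `'/etc/openvpn/keys/dh.pem'` or rename the file resource. The name also still advertises 1024-bit parameters; whatever is actually shipped through hiera, 2048 bits or more is the sensible minimum for new deployments. Removing the per-config `file { "/etc/openvpn/${name}" }` directory is consistent with moving all key material to the shared `keys` directory, though it means the tcp and udp instances now share one server key and certificate, which is presumably intended.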
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp new file mode 100644 index 00000000..8e33ca7f --- /dev/null +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -0,0 +1,8 @@ +class site_config::sshd { + # configure ssh and inculde ssh-keys + include sshd + $ssh_keys=hiera_hash('ssh_keys') + include site_sshd + notice($ssh_keys) + create_resources('site_sshd::ssh_key', $ssh_keys) +} -- cgit v1.2.3 From b59ce36a29a770847368773db543b38c62ea55cf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:05:32 +0200 Subject: adopted most static parameters --- .../site_openvpn/manifests/server_config.pp | 137 ++++++++++----------- 1 file changed, 67 insertions(+), 70 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5a47954a..320a4add 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,8 +1,8 @@ define site_openvpn::server_config($port, $proto) { $openvpn_configname = $name - notice("Creating OpenVPN $openvpn_configname: - Port: $port, Protocol: $proto") + #notice("Creating OpenVPN $openvpn_configname: + # Port: $port, Protocol: $proto") concat { "/etc/openvpn/$openvpn_configname.conf": 
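Review bot: `create_resources('site_sshd::ssh_key', $ssh_keys)` hands the hiera data to `site_sshd::ssh_key`, whose body on this page is still the `# ... todo: deploy ssh_key` stub, so no keys are actually deployed even though the class reads as if they were; unless the define has been implemented outside this series, the stub needs resolving before this class is included. `notice($ssh_keys)` prints the whole hash into the agent log and report on every run and should go. `include sshd` pulls in the external sshd submodule with none of its parameters set here, so the effective sshd hardening depends entirely on that module's defaults, which are not visible on this page.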
@@ -21,81 +21,78 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => "/etc/openvpn/keys/server.crt", + value => '/etc/openvpn/keys/server.crt', server => $openvpn_configname; "key $openvpn_configname": - key => "key", - value => "/etc/openvpn/keys/server.key", - server => "$openvpn_configname"; + key => 'key', + value => '/etc/openvpn/keys/server.key', + server => $openvpn_configname; "dh $openvpn_configname": - key => "dh", - value => "/etc/openvpn/keys/dh1024.pem", - server => "$openvpn_configname"; + key => 'dh', + value => '/etc/openvpn/keys/dh1024.pem', + server => $openvpn_configname; + "dev $openvpn_configname": - key => "dev", - value => "tun", - server => "$openvpn_configname"; - "mode $openvpn_configname": - key => 'mode', - value => 'server', - server => $openvpn_configname; - "script-security $openvpn_configname": - key => "script-security", - value => "3", - server => "$openvpn_configname"; - "daemon $openvpn_configname": - key => "daemon", - server => "$openvpn_configname"; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "duplicate-cn $openvpn_configname": + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive $openvpn_configname": - key => "keepalive", - value => "10 60", - server => "$openvpn_configname"; - "ping-timer-rem $openvpn_configname": - key => "ping-timer-rem", - server => "$openvpn_configname"; - "persist-tun $openvpn_configname": - key => "persist-tun", - server => "$openvpn_configname"; - "persist-key $openvpn_configname": - key => "persist-key", - server => "$openvpn_configname"; - "proto $openvpn_configname": - key => "proto", - value => "$proto", - server => "$openvpn_configname"; - "cipher $openvpn_configname": - key => "cipher", - value => "BF-CBC", - server => "$openvpn_configname"; + key => 'keepalive', + value => '5 20', + server => $openvpn_configname; "local $openvpn_configname": - key => "local", - value 
=> $ipaddress, - server => "$openvpn_configname"; - "tls-server $openvpn_configname": - key => "tls-server", - server => "$openvpn_configname"; - #"server $openvpn_configname": - # key => "server", - # value => "$server", - # server => "$openvpn_configname"; - "lport $openvpn_configname": - key => "lport", - value => "$port", - server => "$openvpn_configname"; + key => 'local', + value => $::ipaddress, + server => $openvpn_configname; + "mute $openvpn_configname": + key => 'mute', + value => '5', + server => $openvpn_configname; + "mute-replay-warnings $openvpn_configname": + key => 'mute-replay-warnings', + server => $openvpn_configname; "management $openvpn_configname": - key => "management", - value => "/var/run/openvpn-$openvpn_configname.sock unix", - server => "$openvpn_configname"; - "comp-lzo $openvpn_configname": - key => "comp-lzo", - server => "$openvpn_configname"; + key => 'management', + value => '127.0.0.1 1000', + server => $openvpn_configname; + "proto $openvpn_configname": + key => 'proto', + value => $proto, + server => $openvpn_configname; + "push $openvpn_configname": + key => 'push', + value => "\"redirect-gateway def1\"", + server => $openvpn_configname; + "script-security $openvpn_configname": + key => 'script-security', + value => '2', + server => $openvpn_configname; + "server $openvpn_configname": + key => 'server', + value => "10.42.0.0 255.255.248.0", + server => $openvpn_configname; + "status $openvpn_configname": + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; + "status-version $openvpn_configname": + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology $openvpn_configname": - key => "topology", - value => "subnet", - server => "$openvpn_configname"; - #"client-to-client $openvpn_configname": - # key => "client-to-client", - # server => "$openvpn_configname"; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; + "up $openvpn_configname": 
+ key => 'up', + value => '/etc/openvpn/server-up.sh', + server => $openvpn_configname; + "verb $openvpn_configname": + key => 'verb', + value => '3', + server => $openvpn_configname; } - } -- cgit v1.2.3 From 1ec1b9b56bc821b81f3797ea158846b41cc03853 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:38:57 +0200 Subject: finished site_openvpn::server_config --- puppet/modules/site_config/manifests/eip.pp | 16 +++++++++++----- puppet/modules/site_openvpn/manifests/server_config.pp | 16 +++++++++++----- 2 files changed, 22 insertions(+), 10 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 6e866b1c..e6f80d25 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -7,13 +7,19 @@ class site_config::eip { #$openvpn_configs=hiera('openvpn_server_configs') #create_resources('site_openvpn::server_config', $openvpn_configs) - + site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp' + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.42.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.42.0.1"', } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp' + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.43.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.43.0.1"', } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 320a4add..784152b7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,6 +1,8 @@ -define site_openvpn::server_config($port, $proto) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { + $openvpn_configname = $name + #notice("Creating OpenVPN $openvpn_configname: # Port: $port, Protocol: $proto") 
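Review bot: The `status` option hard-codes `/var/run/openvpn-status 10` while the define is instantiated once per config name, so two `site_openvpn::server_config` instances on one host (the tcp and udp configs declared later on this page) write the same status file; the path should carry the instance, `value => "/var/run/openvpn-status-${openvpn_configname} 10"`. The `management` option now binds a loopback TCP port with no password file where the removed line used a per-instance unix socket, so any local user can drive the daemon; keep the socket or supply the password-file argument that `management` accepts (a later commit parameterises the value but keeps the TCP form). Removing the explicit `cipher` line leaves the daemon on its built-in default rather than a chosen cipher, so an explicit `cipher` and `auth` choice should be recorded here. The `up` script `/etc/openvpn/server-up.sh` is not managed by anything in this hunk; if another manifest provides it, a comment naming that manifest would help.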
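Review bot: The `push` values in the eip.pp hunk point clients at `10.42.0.1` and `10.43.0.1` for DNS, but nothing in this change makes a resolver listen on those tunnel addresses, so clients may be left without working DNS, or resolve elsewhere, unless another manifest provides it; a comment naming that manifest, or a TODO, would make the dependency explicit, e.g. `# DNS on 10.42.0.1 is expected to be served by a resolver on the gateway — TODO confirm`. Both instances also pass the same `local` address and port `1194`, which works only because the protocols differ; a one-line comment saying so would spare the next reader a double-take.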
@@ -45,7 +47,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "local $openvpn_configname": key => 'local', - value => $::ipaddress, + value => $local, server => $openvpn_configname; "mute $openvpn_configname": key => 'mute', @@ -62,9 +64,13 @@ define site_openvpn::server_config($port, $proto) { key => 'proto', value => $proto, server => $openvpn_configname; - "push $openvpn_configname": + "push1 $openvpn_configname": + key => 'push', + value => $push, + server => $openvpn_configname; + "push2 $openvpn_configname": key => 'push', - value => "\"redirect-gateway def1\"", + value => '"redirect-gateway def1"', server => $openvpn_configname; "script-security $openvpn_configname": key => 'script-security', @@ -72,7 +78,7 @@ define site_openvpn::server_config($port, $proto) { server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "10.42.0.0 255.255.248.0", + value => "$server", server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From c9b2c36a5e9327c011af1345bdf54a9c4b84d857 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:47:40 +0200 Subject: dh1204.pem -> dh.pen --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 784152b7..d8a8bc0b 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -31,7 +31,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', - value => '/etc/openvpn/keys/dh1024.pem', + value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; "dev $openvpn_configname": -- cgit v1.2.3 
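Review bot: In the third hunk `value => "$server"` wraps a bare variable in double quotes while the same commit writes `value => $local` and `value => $push` unquoted; use `value => $server` for consistency (puppet-lint flags a string that contains only a variable). The enclosing define continues outside the hunk.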
From 97e5a3270df10b8fe699a13966ee6b34b864735e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:54:37 +0200 Subject: different parameter for each config --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index d8a8bc0b..441a21e3 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -1,4 +1,4 @@ -define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { +define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -58,7 +58,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push ) { server => $openvpn_configname; "management $openvpn_configname": key => 'management', - value => '127.0.0.1 1000', + value => $management, server => $openvpn_configname; "proto $openvpn_configname": key => 'proto', -- cgit v1.2.3 From b49ab6a1a06bcc31984e09a5371510643eef3c87 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:55:03 +0200 Subject: use different parameter for each config --- puppet/modules/site_config/manifests/eip.pp | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index e6f80d25..9f1c205c 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -9,17 +9,19 @@ class site_config::eip { #create_resources('site_openvpn::server_config', $openvpn_configs) site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $::ipaddress_eth0_1, - server => '10.42.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.42.0.1"', + port => '1194', + proto => 'tcp', + local => $::ipaddress_eth0_1, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => 'management 127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $::ipaddress_eth0_1, - server => '10.43.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.43.0.1"', + port => '1194', + proto => 'udp', + local => $::ipaddress_eth0_1, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => 'management 127.0.0.1 1001' } } -- cgit v1.2.3 From 76f15950d637a79604f6472ba19f662069e59dc8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 4 Oct 2012 23:56:36 +0200 Subject: typo in eip.pp --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 9f1c205c..2c696d21 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -14,7 +14,7 @@ class site_config::eip { local => $::ipaddress_eth0_1, server => '10.1.0.0 255.255.248.0', push => '"dhcp-option DNS 10.1.0.1"', - management => 'management 127.0.0.1 1000' + management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', @@ -22,6 +22,6 @@ class site_config::eip { local => $::ipaddress_eth0_1, server => '10.2.0.0 255.255.248.0', push => '"dhcp-option DNS 10.2.0.1"', - management => 'management 127.0.0.1 1001' + management => '127.0.0.1 1001' } } -- cgit v1.2.3 
From c5196bcd0f1e93a1f56cd9b5387577c0e438eda6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 5 Oct 2012 23:14:15 +0200 Subject: flatten hiera hierarchy --- puppet/hiera.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 95283394..4194c6c9 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -6,13 +6,15 @@ :logger: console :hierarchy: - - hosts/%{fqdn} - - ca/%{fqdn} - - ca/defaults - - eip/%{fqdn} - - eip/defaults + - %{fqdn} +#former hierarchy, not used anymore +# - hosts/%{fqdn} +# - ca/%{fqdn} +# - ca/defaults +# - eip/%{fqdn} +# - eip/defaults # more services following - - defaults +# - defaults # relative from where puppet is run, so we need to run puppet # from the root dir of the leap_platform repo -- cgit v1.2.3 From a2fdea96778a01acabf9f1e40cc8cc295520cd61 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 6 Oct 2012 09:06:20 +0200 Subject: added submodule sysctl --- puppet/modules/sysctl | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/sysctl (limited to 'puppet') diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl new file mode 160000 index 00000000..6ad210b3 --- /dev/null +++ b/puppet/modules/sysctl @@ -0,0 +1 @@ +Subproject commit 6ad210b3f90f24878cfccd61c758275e2ab022bd -- cgit v1.2.3 From e373def213a4e55c37c7940195ea9cd33e604f2d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 21:54:34 +0200 Subject: + site_shorewall::eip --- puppet/modules/site_config/manifests/eip.pp | 2 ++ .../modules/site_shorewall/manifests/defaults.pp | 26 ++++++++++++++ puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/defaults.pp create mode 100644 puppet/modules/site_shorewall/manifests/eip.pp (limited to 'puppet') 
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 2c696d21..95f9dbf4 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -24,4 +24,6 @@ class site_config::eip { push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } + + include site_shorewall::eip } diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp new file mode 100644 index 00000000..cfe7bae2 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -0,0 +1,26 @@ +class site_shorewall::defaults { + include shorewall + + # If you want logging: + shorewall::params { + 'LOG': value => 'debug'; + } + + shorewall::zone {'net': type => 'ipv4'; } + + shorewall::rule_section { 'NEW': order => 10; } + + case $shorewall_rfc1918_maineth { + '': {$shorewall_rfc1918_maineth = true } + } + + case $shorewall_main_interface { + '': { $shorewall_main_interface = 'eth0' } + } + + shorewall::interface {$shorewall_main_interface: + zone => 'net', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; + } +} diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp new file mode 100644 index 00000000..bfa77206 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -0,0 +1,42 @@ +class site_shorewall::eip { + + # be safe for development + $shorewall_startup='0' + + include site_shorewall::defaults + + shorewall::interface {'tun0': + zone => 'eip', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': + type => 'ipv4'; } + shorewall::routestopped {'eth0': + interface => 'eth0'; } + + shorewall::policy { + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + 'all2all-ssh': + source => 'all', + destination => 'all', + action => 'SSH(ACCEPT)', + order => 200; + 'all2all-openvpn': + source => 'all', + destination => 'all', + action => 'OpenVPN(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 208ba98de3ab459d49303497587927fddcc30f12 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 22:00:01 +0200 Subject: second if for site_shorewall::eip --- puppet/modules/site_shorewall/manifests/eip.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index bfa77206..1ef0c48f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,8 +9,14 @@ class site_shorewall::eip { zone => 'eip', rfc1918 => $shorewall_rfc1918_maineth, options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface {'tun1': + zone => 'eip', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } + shorewall::routestopped {'eth0': interface => 'eth0'; } -- cgit v1.2.3 From 949ab1afa57771f44371da6da5e510056ada6d3b Mon Sep 17 00:00:00 2001 
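Review bot: `$shorewall_startup='0'` at the top of the new class disables starting the firewall, so the zones, the `DROP` policy and every rule below are not enforced on a host that includes this class; the variable is presumably consumed by the shorewall module through dynamic scoping, which Puppet 2.7 deprecates, so the switch is fragile as well as inert. Mark it as development-only and track turning it on, e.g. `# TODO: set to '1' before production; until then this host runs with no firewall`. `shorewall::routestopped {'eth0'}` additionally keeps eth0 open whenever shorewall is stopped, which together with the startup flag makes unfiltered traffic the normal state rather than the exception.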
From: varac Date: Mon, 8 Oct 2012 22:03:06 +0200 Subject: shorewall: + dns,http --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1ef0c48f..1e458b1a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -44,5 +44,15 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 492280a9d097fde4c1a9e43d7b0a079d1fe4e10f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:12:51 +0200 Subject: shorewall: + https, masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 1e458b1a..9a4454f9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -20,6 +20,9 @@ class site_shorewall::eip { shorewall::routestopped {'eth0': interface => 'eth0'; } + shorewall::masq {'eth0': + interface => 'eth0'; } + shorewall::policy { 'all-to-all': sourcezone => 'all', @@ -49,10 +52,15 @@ class site_shorewall::eip { destination => 'all', action => 'HTTP(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-DNS': source => '$FW', destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'eip2fw-https': + source => 'eip', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From 9398b62b4de978a782fd6ba8c8c1bb2237b4fa04 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 8 Oct 2012 23:18:22 +0200 Subject: shorewall: add empty source for masq --- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9a4454f9..98a39837 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -21,7 +21,8 @@ class site_shorewall::eip { interface => 'eth0'; } shorewall::masq {'eth0': - interface => 'eth0'; } + interface => 'eth0', + source => ''; } shorewall::policy { 'all-to-all': -- cgit v1.2.3 From dd59c82520aba539e15351cc69395ec48fff7999 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:26:29 +0200 Subject: shorewall: policy: accept eip2all --- puppet/modules/site_shorewall/manifests/eip.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 98a39837..9cd332e1 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -25,6 +25,11 @@ class site_shorewall::eip { source => ''; } shorewall::policy { + 'eip-to-all': + sourcezone => 'eip', + destinationzone => 'all', + policy => 'ACCEPT', + order => 200; 'all-to-all': sourcezone => 'all', destinationzone => 'all', -- cgit v1.2.3 From 0bf3dc82f81c8147b2e4e5e32b3515d6ba373aee Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:29:35 +0200 Subject: shorewall: allow git access for --- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 9cd332e1..3edd1bcc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -53,6 +53,8 @@ class site_shorewall::eip { destination => 'all', action => 'OpenVPN(ACCEPT)', order => 200; + + # eip gw itself to outside 'fw2all-http': source => '$FW', destination => 'all', @@ -63,6 +65,12 @@ class site_shorewall::eip { destination => 'all', action => 'DNS(ACCEPT)', order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; + 'eip2fw-https': source => 'eip', destination => '$FW', -- cgit v1.2.3 From a11a41c94a8ebfa217f27141268e472858a91feb Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:30:17 +0200 Subject: shorewall: allow git access for --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 3edd1bcc..0806a862 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -65,7 +65,7 @@ class site_shorewall::eip { destination => 'all', action => 'DNS(ACCEPT)', order => 200; - 'fw2all-DNS': + 'fw2all-git': source => '$FW', destination => 'all', action => 'Git(ACCEPT)', -- cgit v1.2.3 From 7f40d1b15e84416bd56e8b6ffbc8e09cda859c87 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:39:49 +0200 Subject: shorewall: reorder policy --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0806a862..a4d1231d 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -29,7 +29,7 @@ class site_shorewall::eip { sourcezone => 'eip', destinationzone => 'all', policy => 'ACCEPT', - order => 200; + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', -- cgit v1.2.3 
From cf2f7703b615dd4568beeebea59f514a20cf169a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:52:50 +0200 Subject: cleaned defaults.pp --- puppet/modules/site_shorewall/manifests/defaults.pp | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index cfe7bae2..c68b8370 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,17 +10,8 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {$shorewall_main_interface: + shorewall::interface {'eth0': zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, options => 'tcpflags,blacklist,nosmurfs'; } } -- cgit v1.2.3 From 912d7103855ba674255d2dbeda87ab358388ecc0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:53:18 +0200 Subject: cleaned eip.pp, added second main if --- puppet/modules/site_shorewall/manifests/eip.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a4d1231d..80119ee8 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,13 +5,16 @@ class site_shorewall::eip { include site_shorewall::defaults + shorewall::interface {'eth0:1': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', - rfc1918 => $shorewall_rfc1918_maineth, + rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun1': zone => 'eip', - rfc1918 => $shorewall_rfc1918_maineth, + rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::zone {'eip': -- cgit v1.2.3 From acc806b363b5bc5f1b6a994e525d20b65bc06fa8 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:55:31 +0200 Subject: Support for the norfc1918 interface option has been removed from Shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 80119ee8..6ccfff69 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,11 +10,9 @@ class site_shorewall::eip { options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', - rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun1': zone => 'eip', - rfc1918 => true, options => 'tcpflags,blacklist,nosmurfs'; } shorewall::zone {'eip': -- cgit v1.2.3 From 81c20fd7d39300c27a2d8196871a832767c5623a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 8 Oct 2012 23:57:59 +0200 Subject: no virtual IFs in shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 3 --- 1 file changed, 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 6ccfff69..590a01ba 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,9 +5,6 @@ class site_shorewall::eip { include site_shorewall::defaults - shorewall::interface {'eth0:1': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; } shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } -- cgit v1.2.3 From c716f40cf2011c3141e2e7150fd3f928ffac626a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:46:06 +0200 Subject: shorewall: made rules more precise, use own macro --- puppet/modules/site_shorewall/manifests/eip.pp | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 590a01ba..8624af87 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,10 @@ class site_shorewall::eip { include site_shorewall::defaults + # define macro + file { "/etc/shorewall/macro.leap_eip": + content => 'PARAM - - - 53,80,443,1194', } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -41,15 +45,16 @@ class site_shorewall::eip { destination => 'all', action => 'Ping(ACCEPT)', order => 200; - 'all2all-ssh': - source => 'all', - destination => 'all', + + 'net2fw-ssh': + source => 'net', + destination => '$FW', action => 'SSH(ACCEPT)', order => 200; - 'all2all-openvpn': - source => 'all', - destination => 'all', - action => 'OpenVPN(ACCEPT)', + 'net2fw-openvpn': + source => 'net', + destination => '$FW', + action => 'leap_eip(ACCEPT)', order => 200; # eip gw itself to outside -- cgit v1.2.3 From a3cd8ac7a637111281f32d6ed5c8e856fe5be973 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Oct 2012 00:48:21 +0200 Subject: shorewall: need to sprecify protocol --- puppet/modules/site_shorewall/manifests/eip.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') 
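Review bot: The `file` resource for `/etc/shorewall/macro.leap_eip` in the first hunk sets no `owner`/`mode` and declares no relationship to the shorewall package or service, so on a fresh host the directory may not exist when the file is written and a changed macro does not trigger a reload; the shorewall module may cover both, but an explicit `require`/`notify` here would make that visible. A short comment on what the macro encodes, e.g. `# shorewall macro: ports the EIP gateway exposes to the net zone`, would also help.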
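Review bot: The rule titled `net2fw-openvpn` in the second hunk now uses the `leap_eip` macro, which accepts 53, 80, 443 and 1194 from `net` to the firewall, so the title understates what is exposed; either name the rule after the macro, `'net2fw-leap_eip':`, or add a comment listing the ports it opens. The `shorewall::rule` block continues past the end of the hunk.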
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 8624af87..0902039c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,7 +7,9 @@ class site_shorewall::eip { # define macro file { "/etc/shorewall/macro.leap_eip": - content => 'PARAM - - - 53,80,443,1194', } + content => 'PARAM - - tcp 53,80,443,1194 +PARAM - - udp 53,80,443,1194 +', } shorewall::interface {'tun0': zone => 'eip', -- cgit v1.2.3 From 9fc9b19057fcf322e8d3fcaead0032859f873f53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Oct 2012 19:49:48 +0200 Subject: renamed hiera keys to work with leap_cli --- puppet/manifests/site.pp | 2 +- puppet/modules/site_openvpn/manifests/keys.pp | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 89c97888..d451bdf5 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,7 @@ node 'default' { notice("Services for $fqdn: $services") # configure eip - if 'eip' in $services { + if 'openvpn' in $services { include site_config::eip } diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index b31369c9..d029fbac 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,13 +1,18 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn_keys') + $openvpn_keys = hiera_hash('openvpn') + + file { '/etc/openvpn/keys/ca.key': + content => $openvpn_keys['ca_key'], + mode => '0600', + } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca'], + content => $openvpn_keys['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $openvpn_keys['dh_key'], mode => '0644', } 
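Review bot: The new `file { '/etc/openvpn/keys/ca.key' }` in keys.pp deploys the CA private key onto the VPN server, which needs only `ca.crt` to verify client certificates; with the CA key on an internet-facing host, a compromise of that host lets the attacker issue client certificates for the whole deployment. Keep the CA key off this host and distribute only `ca.crt`, `server.crt` and `server.key`, or, if it must stay, document why, e.g. `# ca.key is deployed here only for <reason>; the server itself needs ca.crt only`. The `file` resources set `mode` but no `owner`/`group`, so ownership is whatever the agent defaults to; `owner => 'root', group => 'root'` makes the 0600 meaningful. The `server.key` resource sits between the two hunks and is not visible here.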
@@ -17,7 +22,7 @@ class site_openvpn::keys { } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_cert'], + content => $openvpn_keys['server_crt'], mode => '0644', } } -- cgit v1.2.3 From df1cb1b7445adcabbe355290d1e720040b916f6b Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 14:01:11 +0200 Subject: + site_config::resolvconf --- puppet/modules/site_config/manifests/init.pp | 4 ++++ puppet/modules/site_config/manifests/resolvconf.pp | 13 +++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_config/manifests/resolvconf.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 64eb06f4..8aa1b54d 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -1,7 +1,11 @@ class site_config { + # default class, use by all hosts + include apt, lsb, git # configure ssh and inculde ssh-keys include site_config::sshd + # configure /etc/resolv.conf + include site_config::resolvconf } diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp new file mode 100644 index 00000000..ec3ce9e9 --- /dev/null +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -0,0 +1,13 @@ +class site_config::resolvconf { + package { 'bind9': + ensure => installed, + } + + $domain_hash = hiera('domain') + $domain = $domain_hash['public'] + + $resolvconf_search = $domain + $resolvconf_domain = $domain + $resolvconf_nameservers = '127.0.0.1 # caching-only local bind:87.118.100.175 # http://server.privacyfoundation.de' + include resolvconf +} -- cgit v1.2.3 From 082efdddf4b5a4c741a655e6833b8d86bb717303 Mon Sep 17 00:00:00 2001 
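Review bot: `$resolvconf_nameservers` in the new resolvconf.pp lists an external third-party resolver after the local one, so whenever the local bind is down or slow, this host's queries go to that third party in plaintext; that is a trust decision worth recording in a comment, e.g. `# fallback resolver is operated by a third party; queries to it are unencrypted`. The `bind9` package is installed but nothing here configures it as a caching-only resolver bound to 127.0.0.1 — presumably another manifest or the package default covers that, which the comment should state.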
From: varac Date: Fri, 12 Oct 2012 14:44:05 +0200 Subject: ssh_keys -> ssh_pubkeys for clarity --- puppet/modules/site_config/manifests/sshd.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 8e33ca7f..4834bb6f 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -1,8 +1,8 @@ class site_config::sshd { # configure ssh and inculde ssh-keys include sshd - $ssh_keys=hiera_hash('ssh_keys') + $ssh_pubkeys=hiera_hash('ssh_pubkeys') include site_sshd - notice($ssh_keys) - create_resources('site_sshd::ssh_key', $ssh_keys) + notice($ssh_pubkeys) + create_resources('site_sshd::ssh_key', $ssh_pubkeys) } -- cgit v1.2.3 From 18482bf1a47474771f72bb92e766bff2781ad3fd Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:01:34 +0200 Subject: new resolvconf module uses parameterized class --- puppet/modules/site_config/manifests/resolvconf.pp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index ec3ce9e9..6536969a 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp 
@@ -4,10 +4,13 @@ class site_config::resolvconf { } $domain_hash = hiera('domain') - $domain = $domain_hash['public'] + $domain_public = $domain_hash['public'] - $resolvconf_search = $domain - $resolvconf_domain = $domain - $resolvconf_nameservers = '127.0.0.1 # caching-only local bind:87.118.100.175 # http://server.privacyfoundation.de' - include resolvconf + # 127.0.0.1: caching-only local bind + # 87.118.100.175: http://server.privacyfoundation.de + class { 'resolvconf': + $domain = $domain_public, + $search = $domain_public, + $nameservers = [ '127.0.0.1', '87.118.100.175' ] + } } -- cgit v1.2.3 From dfe67e888d5ab6b74c0dd9cc7e3d738c07b0ae5d Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:06:59 +0200 Subject: fixes resolvconf call --- puppet/modules/site_config/manifests/resolvconf.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 6536969a..dca48b21 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,9 +8,9 @@ class site_config::resolvconf { # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de - class { 'resolvconf': - $domain = $domain_public, - $search = $domain_public, - $nameservers = [ '127.0.0.1', '87.118.100.175' ] + class { '::resolvconf': + domain => $domain_public, + search => $domain_public, + nameservers => [ '127.0.0.1', '87.118.100.175' ] } } -- cgit v1.2.3 From b297dd3c47a9d23eaba6070555ecec47f3acbcc6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 12 Oct 2012 15:09:40 +0200 Subject: add third dns server (swiss privacy found.) --- puppet/modules/site_config/manifests/resolvconf.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index dca48b21..bd0539b9 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -6,11 +6,12 @@ class site_config::resolvconf { $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] - # 127.0.0.1: caching-only local bind + # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de + # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html class { '::resolvconf': domain => $domain_public, search => $domain_public, - nameservers => [ '127.0.0.1', '87.118.100.175' ] + nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ] } } -- cgit v1.2.3 From caea416c370bd2f6aa4c012f4ca40ac312269ad1 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 10:42:49 +0200 Subject: use defaults.yaml as fallback --- puppet/hiera.yaml | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index 4194c6c9..af448d57 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml @@ -7,6 +7,7 @@ :hierarchy: - %{fqdn} + - defaults #former hierarchy, not used anymore # - hosts/%{fqdn} # - ca/%{fqdn} -- cgit v1.2.3 From 4c5f0726d3eee0caa62f509743762968dc4b544b Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:00:17 +0200 Subject: use debian unstable for couchdb --- puppet/modules/site_apt/files/unstable.list | 1 + puppet/modules/site_couchdb/manifests/init.pp | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 puppet/modules/site_apt/files/unstable.list create mode 100644 puppet/modules/site_couchdb/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list new file mode 100644 index 00000000..0e289136 --- /dev/null +++ b/puppet/modules/site_apt/files/unstable.list 
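Review bot: The resolver list in the `nameservers` array is hard-coded into the class, with the external operators named only in comments; a lookup with a default such as `nameservers => hiera('nameservers', [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ])` would let a deployment substitute its own resolvers without editing the module. It is worth a comment next to the list that whenever the local bind is unreachable, resolution falls through in plaintext to these third-party servers, since the order written here is the order resolvconf emits. The change to the `# 127.0.0.1:` comment line is whitespace only.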
@@ -0,0 +1 @@ +deb http://http.debian.net/debian unstable main diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp new file mode 100644 index 00000000..4e347567 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -0,0 +1,6 @@ +class site_config::couchdb { + apt::sources_list { "unstable.list": + source => [ "puppet:///modules/site_apt/unstable.list"], + } + +} -- cgit v1.2.3 From 01732be30c06919f85e4887a500f7e9b11e56e4f Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:08:22 +0200 Subject: use site_couchdb --- puppet/manifests/site.pp | 6 ++---- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 2 files changed, 10 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index ef5c3a8a..e0b573ce 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -15,9 +15,7 @@ node 'default' { include site_config::eip } - if 'couchdb' in $services { - class { 'couchdb': - #bind => '0.0.0.0' - } + if 'couchdb' in $services { + include site_couchdb } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 4e347567..bb14595a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,6 +1,11 @@ -class site_config::couchdb { - apt::sources_list { "unstable.list": - source => [ "puppet:///modules/site_apt/unstable.list"], +class site_couchdb { + apt::sources_list { 'unstable.list': + source => [ 'puppet:///modules/site_apt/unstable.list'], + } + + + class { 'couchdb': + #bind => '0.0.0.0' } } -- cgit v1.2.3 From 3c244c02f4c6ddd6f361297ab63e41905fac96e5 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:14:55 +0200 Subject: include site_config again --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') 
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index e0b573ce..6abf9b48 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -4,7 +4,7 @@ node 'default' { include concat::setup # include some basic classes - #include site_config + include site_config # parse services for host $services=hiera_array('services') -- cgit v1.2.3 From 06a1546a36698dd75fb500ad2a12e9bbf9b43f03 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 13 Oct 2012 11:30:30 +0200 Subject: install couchdb from unstable, see init.pp --- puppet/modules/site_couchdb/manifests/init.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index bb14595a..06c29181 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,8 +1,15 @@ class site_couchdb { + + # for now, we need to install couchdb from unstable, + # because of this bug while installing: + # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 + # can be removed when couchdb/1.2.0-2 is integrated into testing apt::sources_list { 'unstable.list': source => [ 'puppet:///modules/site_apt/unstable.list'], } - + apt::preferences_snippet{ + 'couchdb': release => "unstable", priority => 999; + } class { 'couchdb': #bind => '0.0.0.0' -- cgit v1.2.3 From 69c456f5a16fa4484754a809ded93ddd554b1d16 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Oct 2012 18:25:49 +0200 Subject: hiera config now in /etc/leap/hiera.yaml --- puppet/hiera.yaml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) (limited to 'puppet') diff --git a/puppet/hiera.yaml b/puppet/hiera.yaml index af448d57..93448e23 100644 --- a/puppet/hiera.yaml +++ b/puppet/hiera.yaml 
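Review bot: The `apt::preferences_snippet` added in the site_couchdb hunk pins only `couchdb` to unstable at priority 999; it does not lower the priority of everything else in the unstable source introduced by the earlier `unstable.list` hunk, so unless site_apt already sets `APT::Default-Release` or pins unstable below 500, a routine upgrade on this host can pull arbitrary packages from unstable. A catch-all pin for that source (`Package: *`, `Pin: release a=unstable`, `Pin-Priority: 100`), deployed through the same define if it supports it or a plain file resource under /etc/apt/preferences.d, keeps unstable opt-in per package. `release => "unstable"` uses double quotes where the rest of the file uses single quotes. The class body continues past the hunk, so the `couchdb` class declaration is only partly shown.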
@@ -5,22 +5,11 @@ :logger: console -:hierarchy: - - %{fqdn} - - defaults -#former hierarchy, not used anymore -# - hosts/%{fqdn} -# - ca/%{fqdn} -# - ca/defaults -# - eip/%{fqdn} -# - eip/defaults -# more services following -# - defaults - -# relative from where puppet is run, so we need to run puppet -# from the root dir of the leap_platform repo :yaml: - :datadir: ../config + :datadir: /etc/leap +:hierarchy: + - hiera + :puppet: :datasource: data -- cgit v1.2.3 From b5a5bfb69f62f5f31f8e81bdcb0dcabb7b4082f6 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 15:34:27 +0200 Subject: replace hardcoded interface eth0 with hiera variable --- puppet/modules/site_shorewall/manifests/eip.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0902039c..31ee3e6c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,6 +5,8 @@ class site_shorewall::eip { include site_shorewall::defaults + $interface = hiera('interface') + # define macro file { "/etc/shorewall/macro.leap_eip": content => 'PARAM - - tcp 53,80,443,1194 @@ -21,11 +23,11 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'eth0': - interface => 'eth0'; } + shorewall::routestopped {'$interface': + interface => '$interface'; } - shorewall::masq {'eth0': - interface => 'eth0', + shorewall::masq {'$interface': + interface => '$interface', source => ''; } shorewall::policy { -- cgit v1.2.3 From 76bbc01eae893206a8ed0d8d248ee565e3acdc61 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Oct 2012 15:35:24 +0200 Subject: use hiera gateway_address and interface variables --- puppet/modules/site_config/manifests/eip.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 95f9dbf4..df17771a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -5,13 +5,14 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - #$openvpn_configs=hiera('openvpn_server_configs') - #create_resources('site_openvpn::server_config', $openvpn_configs) - + $openvpn_config = hiera('openvpn') + $interface = hiera('interface') + $gateway_address = $openvpn_config['gateway_address'] + site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', - local => $::ipaddress_eth0_1, + local => $gateway_address, server => '10.1.0.0 255.255.248.0', push => '"dhcp-option DNS 10.1.0.1"', management => '127.0.0.1 1000' @@ -19,7 +20,7 @@ class site_config::eip { site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - local => $::ipaddress_eth0_1, + local => $gateway_address, server => '10.2.0.0 255.255.248.0', push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' -- cgit v1.2.3 From 6146c50f4ae9ef7b0887ee4abff66b5b62a6da9d Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 13:06:35 +0200 Subject: added submoule interfaces, from git://github.com/x-way/puppet-interfaces.git --- puppet/modules/interfaces | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/interfaces (limited to 'puppet') diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces new file mode 160000 index 00000000..1d7dc717 --- /dev/null +++ b/puppet/modules/interfaces @@ -0,0 +1 @@ +Subproject commit 1d7dc7178881c56102c043e96763176f66445c1e -- cgit v1.2.3 From 8128fd27d9d3637654ebf924c860a701a4a08911 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 26 Oct 2012 13:14:37 +0200 Subject: beginning config of main interface --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index df17771a..0077137b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -5,9 +5,25 @@ class site_config::eip { #$tor=hiera('tor') #notice("Tor enabled: $tor") - $openvpn_config = hiera('openvpn') - $interface = hiera('interface') - $gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + $gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + + include interfaces + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", + 'netmask 255.255.255.0', + "gateway $gateway", + "up ip addr add $openvpn_gateway_address/24 dev eth0 label", + "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + ], + auto => 1, + allow_hotplug => 1 } + site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 92368db363406ebf47419814e1ac1bfc9f17c44a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:08:15 +0200 Subject: linted, variable updated --- puppet/modules/site_config/manifests/eip.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 0077137b..57b6d831 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -12,16 +12,16 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", + interfaces::iface { $interface: + family => 'inet', + method => 'static', + options => [ "address $ip_address", 'netmask 255.255.255.0', - "gateway $gateway", + "gateway $gateway_address", "up ip addr add $openvpn_gateway_address/24 dev eth0 label", "down ip addr del $openvpn_gateway_address/24 dev eth0 label", - ], - auto => 1, + ], + auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 From 8253e3ebeb88ba33131365a1b584878a12bbd225 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Oct 2012 15:14:23 +0200 Subject: removed label for ip addr --- puppet/modules/site_config/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 57b6d831..1beea9ce 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -18,8 +18,8 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0 label", - "down ip addr del $openvpn_gateway_address/24 dev eth0 label", + "up ip addr add $openvpn_gateway_address/24 dev eth0", + "down ip addr del $openvpn_gateway_address/24 dev eth0", ], auto => 1, allow_hotplug => 1 } -- cgit v1.2.3 From c40a1bce442aab4ba8baf062ffcb65e006ad13e0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 14:53:06 +0100 Subject: use script to add second ip --- puppet/modules/site_config/manifests/eip.pp | 47 +++++++++++++++++++---------- 1 file changed, 31 insertions(+), 16 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 1beea9ce..c81ad33a 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -18,29 +18,44 @@ class site_config::eip { options => [ "address $ip_address", 'netmask 255.255.255.0', "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev eth0", - "down ip addr del $openvpn_gateway_address/24 dev eth0", + "up ip addr add $openvpn_gateway_address/24 dev $interface", + "down ip addr del $openvpn_gateway_address/24 dev $interface", ], auto => 1, allow_hotplug => 1 } - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', - management => '127.0.0.1 1000' + #site_openvpn::server_config { 'tcp_config': + # port => '1194', + # proto => 'tcp', + # local => $gateway_address, + # server => '10.1.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.1.0.1"', + # management => '127.0.0.1 1000' + #} + #site_openvpn::server_config { 'udp_config': + # port => '1194', + # proto => 'udp', + # local => $gateway_address, + # server => '10.2.0.0 255.255.248.0', + # push => '"dhcp-option DNS 10.2.0.1"', + # management => '127.0.0.1 1001' + #} + + file { '/usr/local/bin/leap_add_second_ip.sh': + content => '#!/bin/sh + ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + mode => '0755', } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', - management => '127.0.0.1 1001' + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } + #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": + # path => '/usr/bin:/sbin', + # unless => "ip addr show dev $interface | grep -q '$interface/24'" + #} + include site_shorewall::eip } -- cgit v1.2.3 From 189e8957c23fb09ef8c130f64e53f58c9da7d3ec Mon Sep 17 00:00:00 2001 
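Review bot: The `exec { '/usr/local/bin/leap_add_second_ip.sh': subscribe => File[...] }` added here runs the script on every agent run, not only when the file changes, because `subscribe` without `refreshonly => true` contributes ordering and a refresh event but does not suppress the normal run. If running every time is the intent (the script's own `grep -q` guard makes it idempotent), `require => File['/usr/local/bin/leap_add_second_ip.sh']` states that more honestly; if it should run only on change, add `refreshonly => true`. The script is installed with mode 0755 and no explicit `owner`/`group`, so it inherits the agent's defaults; stating `owner => 'root', group => 'root'` makes the trust boundary explicit for a script that later runs as root. The enclosing class `site_config::eip` starts before this hunk.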
From: varac Date: Mon, 29 Oct 2012 14:58:55 +0100 Subject: pass variable to leap_add_second_ip.sh --- puppet/modules/site_config/manifests/eip.pp | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index c81ad33a..ed1d395b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -11,19 +11,18 @@ class site_config::eip { $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - include interfaces - interfaces::iface { $interface: - family => 'inet', - method => 'static', - options => [ "address $ip_address", - 'netmask 255.255.255.0', - "gateway $gateway_address", - "up ip addr add $openvpn_gateway_address/24 dev $interface", - "down ip addr del $openvpn_gateway_address/24 dev $interface", - ], - auto => 1, - allow_hotplug => 1 } - + #include interfaces + #interfaces::iface { $interface: + # family => 'inet', + # method => 'static', + # options => [ "address $ip_address", + # 'netmask 255.255.255.0', + # "gateway $gateway_address", + # "up ip addr add $openvpn_gateway_address/24 dev $interface", + # "down ip addr del $openvpn_gateway_address/24 dev $interface", + # ], + # auto => 1, + # allow_hotplug => 1 } #site_openvpn::server_config { 'tcp_config': # port => '1194', @@ -43,8 +42,8 @@ class site_config::eip { #} file { '/usr/local/bin/leap_add_second_ip.sh': - content => '#!/bin/sh - ip addr show dev eth0 | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev eth0', + content => "#!/bin/sh +ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", mode => '0755', } -- cgit v1.2.3 From 7c7c3f6ff9806febe903a9cfdef97c36e3743587 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 29 Oct 2012 18:34:51 +0100 Subject: double double quoting solved --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ed1d395b..59889a92 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -43,7 +43,7 @@ class site_config::eip { file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q "$openvpn_gateway_address/24" || ip addr add "$openvpn_gateway_address/24" dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", mode => '0755', } -- cgit v1.2.3 From 8d2b6978e809004f4bca38d4fef27149497ad309 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:01:48 +0100 Subject: linted --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 31ee3e6c..54f3ea6e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -8,7 +8,7 @@ class site_shorewall::eip { $interface = hiera('interface') # define macro - file { "/etc/shorewall/macro.leap_eip": + file { '/etc/shorewall/macro.leap_eip': content => 'PARAM - - tcp 53,80,443,1194 PARAM - - udp 53,80,443,1194 ', } -- cgit v1.2.3 From 7f82917633ad444e1a303df5bd02ebe29aa05921 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:02:05 +0100 Subject: no need for server-up.sh right now --- puppet/modules/site_openvpn/manifests/server_config.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet') 
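Review bot: In the rewritten script line, `$interface` and `${openvpn_gateway_address}` are hiera values pasted unquoted into a shell script that the agent executes as root; quoting them in the generated script, `dev \"${interface}\"` and `grep -qF -- \"${openvpn_gateway_address}/24\"`, keeps an unexpected value from being parsed as shell syntax (the inner quotes need `\"` escaping inside Puppet's double-quoted string). `grep -F` also matters on its own: without it the dots in the address are regex wildcards rather than literal dots. The class body continues outside this hunk.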
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 441a21e3..f4c5237e 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -92,10 +92,11 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'topology', value => 'subnet', server => $openvpn_configname; - "up $openvpn_configname": - key => 'up', - value => '/etc/openvpn/server-up.sh', - server => $openvpn_configname; + # no need for server-up.sh right now + #"up $openvpn_configname": + # key => 'up', + # value => '/etc/openvpn/server-up.sh', + # server => $openvpn_configname; "verb $openvpn_configname": key => 'verb', value => '3', -- cgit v1.2.3 From 372797b1f0b2a65698e8f4cd52fdf5d93a274965 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:04:23 +0100 Subject: reenabled site_openvpn::server_config, leap_add_second_ip.sh @reboot --- puppet/modules/site_config/manifests/eip.pp | 57 +++++++++++------------------ 1 file changed, 21 insertions(+), 36 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 59889a92..498d7eed 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
@@ -2,44 +2,28 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - #$tor=hiera('tor') - #notice("Tor enabled: $tor") - $ip_address = hiera('ip_address') $interface = hiera('interface') $gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] - #include interfaces - #interfaces::iface { $interface: - # family => 'inet', - # method => 'static', - # options => [ "address $ip_address", - # 'netmask 255.255.255.0', - # "gateway $gateway_address", - # "up ip addr add $openvpn_gateway_address/24 dev $interface", - # "down ip addr del $openvpn_gateway_address/24 dev $interface", - # ], - # auto => 1, - # allow_hotplug => 1 } - - #site_openvpn::server_config { 'tcp_config': - # port => '1194', - # proto => 'tcp', - # local => $gateway_address, - # server => '10.1.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.1.0.1"', - # management => '127.0.0.1 1000' - #} - #site_openvpn::server_config { 'udp_config': - # port => '1194', - # proto => 'udp', - # local => $gateway_address, - # server => '10.2.0.0 255.255.248.0', - # push => '"dhcp-option DNS 10.2.0.1"', - # management => '127.0.0.1 1001' - #} + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => '10.1.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.1.0.1"', + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + local => $openvpn_gateway_address, + server => '10.2.0.0 255.255.248.0', + push => '"dhcp-option DNS 10.2.0.1"', + management => '127.0.0.1 1001' + } file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh 
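Review bot: The re-enabled `site_openvpn::server_config` resources pass `management => '127.0.0.1 1000'` and `'127.0.0.1 1001'` with no password file, so, assuming the define writes the value through unchanged, the daemon's management channel is reachable by any local process that can open a loopback socket. OpenVPN accepts a third argument naming a pw-file, e.g. `management => '127.0.0.1 1000 /etc/openvpn/management.pw'` (with a `file` resource for it at mode 0600), or the channel can be left out until something actually uses it. The pushed `dhcp-option DNS 10.1.0.1` / `10.2.0.1` presumably expects the local bind installed by site_config::resolvconf to answer on the tun addresses; nothing visible configures bind to listen there. The class continues past the hunk.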
@@ -51,10 +35,11 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], } - #exec { "ip addr add $openvpn_gateway_address/24 dev $interface": - # path => '/usr/bin:/sbin', - # unless => "ip addr show dev $interface | grep -q '$interface/24'" - #} + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } include site_shorewall::eip } -- cgit v1.2.3 From 7361c79e1e864c16450455a3ae374393a04f9eb7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:27:52 +0100 Subject: no need for gateway_address --- puppet/modules/site_config/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 498d7eed..15bf8be2 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp @@ -4,7 +4,7 @@ class site_config::eip { $ip_address = hiera('ip_address') $interface = hiera('interface') - $gateway_address = hiera('gateway_address') + #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] -- cgit v1.2.3 From c72160f993345c184ce01d7e4c14c9923fc194e9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 20:48:02 +0100 Subject: move interface definition for eth0 to eip.pp, use variable --- puppet/modules/site_shorewall/manifests/defaults.pp | 4 ---- puppet/modules/site_shorewall/manifests/eip.pp | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c68b8370..88981e5f 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp 
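Review bot: The new `cron { 'leap_add_second_ip.sh': special => 'reboot' }` entry has no ordering relative to the openvpn init script, and the server configs in this same class bind `local` to the address this script adds; if openvpn starts first at boot it will presumably fail to bind and exit, which the cron entry cannot repair. The address belongs in the interface definition itself (the `interfaces::iface` `up`/`down` lines an earlier commit commented out did exactly that), or the script needs to be followed by an openvpn restart. `command => "/usr/local/bin/leap_add_second_ip.sh"` has nothing to interpolate and should be single-quoted like the `user` and `special` values. The class continues outside this hunk.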
@@ -10,8 +10,4 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } - shorewall::interface {'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; - } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 54f3ea6e..0c9bfa9c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,6 +13,13 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } + + # define interfaces + shorewall::interface {"$interface": + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + shorewall::interface {'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } @@ -20,6 +27,7 @@ PARAM - - udp 53,80,443,1194 zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone {'eip': type => 'ipv4'; } -- cgit v1.2.3 From fa31e200b5cbf4ac9b01a864410d535cbf84420d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:07:07 +0100 Subject: put in double quotes --- puppet/modules/site_shorewall/manifests/eip.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0c9bfa9c..87e1e16f 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -13,9 +13,9 @@ class site_shorewall::eip { PARAM - - udp 53,80,443,1194 ', } - + # define interfaces - shorewall::interface {"$interface": + shorewall::interface { $interface: zone => 'net', options => 'tcpflags,blacklist,nosmurfs'; } 
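Review bot: Removing `shorewall::interface {'eth0': zone => 'net' ...}` from `site_shorewall::defaults` means the net zone's interface now exists only on hosts that include `site_shorewall::eip`, where the second hunk re-adds it as `$interface`; any host that includes defaults alone ends up with rules and policies but no interface in the net zone, which shorewall is likely to reject when compiling. If `$interface` is a per-host hiera value, the interface definition belongs in defaults with its own `$interface = hiera('interface')` lookup rather than in the eip role. Both hunks of this commit are shown in full.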
@@ -31,11 +31,12 @@ PARAM - - udp 53,80,443,1194 shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped {'$interface': - interface => '$interface'; } + shorewall::routestopped { $interface: + interface => $interface; } + - shorewall::masq {'$interface': - interface => '$interface', + shorewall::masq {"$interface": + interface => $interface, source => ''; } shorewall::policy { -- cgit v1.2.3 From d235cd5292783722653ff34b35ce28ff31d30935 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 21:57:34 +0100 Subject: pass ssh_port to shorewall --- puppet/modules/site_shorewall/manifests/eip.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 87e1e16f..230752dc 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -5,13 +5,15 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] # define macro file { '/etc/shorewall/macro.leap_eip': - content => 'PARAM - - tcp 53,80,443,1194 + content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 -', } +", } # define interfaces -- cgit v1.2.3 From c26c2c18d0abb7dec76a748bf0c2c2f9000298da Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:17:26 +0100 Subject: openvpn_tcp/udp_network_prefix and openvpn_tcp/udp_netmask variables --- puppet/modules/site_config/manifests/eip.pp | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index 15bf8be2..ecac446b 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
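Review bot: `$ssh_port = $ssh_config['port']` is interpolated straight into the macro as `tcp 53,80,443,1194,$ssh_port`; if the hiera `ssh` hash has no `port` key the value is empty and the line ends in a trailing comma, and a non-numeric value is written into the shorewall macro unchecked. A guard such as `if $ssh_port !~ /^\d+$/ { fail('ssh port must be numeric') }` fails the catalog instead of producing a macro shorewall rejects. Since the same macro carries the VPN ports, a short comment stating which zone pair `leap_eip` is applied to would make clear whether the ssh port is being opened towards the net zone or towards VPN clients.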
@@ -2,26 +2,30 @@ class site_config::eip { include site_openvpn include site_openvpn::keys - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => '10.1.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.1.0.1"', + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", local => $openvpn_gateway_address, - server => '10.2.0.0 255.255.248.0', - push => '"dhcp-option DNS 10.2.0.1"', management => '127.0.0.1 1001' } -- cgit v1.2.3 From 1e3e9658a2309569e73d6bef72d441a6851d2653 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:22:37 +0100 Subject: also provide openvpn_tcp/udp_cidr variable --- puppet/modules/site_config/manifests/eip.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index ecac446b..d7a59157 100644 --- a/puppet/modules/site_config/manifests/eip.pp +++ b/puppet/modules/site_config/manifests/eip.pp 
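Review bot: `server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask"` relies on the parser stopping the variable name at the `.`; puppet-lint flags this, and `"${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}"` makes the boundary explicit (likewise for the `push` lines and the udp block). The udp block now lists `server`/`push` before `local` while the tcp block keeps the original order; keeping the two parallel makes later diffs easier to read. The four network constants stay hard-coded in the class while the gateway address comes from hiera, which deserves either a comment on why or a `hiera()` lookup with these values as defaults.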
@@ -9,8 +9,10 @@ class site_config::eip { $openvpn_gateway_address = $openvpn_config['gateway_address'] $openvpn_tcp_network_prefix = '10.1.0' $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' site_openvpn::server_config { 'tcp_config': port => '1194', -- cgit v1.2.3 From 1f7dbac75c5c2a610ca4e6763109fd3e06c9072a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:25:11 +0100 Subject: configure tcp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 230752dc..0849d711 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,9 +37,9 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq {"$interface": + shorewall::masq { $interface: interface => $interface, - source => ''; } + source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 0d89ea18da5dd520bf71df42e15b813b706e2189 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:46:04 +0100 Subject: configure tcp+udp masquerading --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 0849d711..5105b85a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -39,7 +39,11 @@ PARAM - - udp 53,80,443,1194 shorewall::masq { $interface: interface => $interface, - source => "$site_config::eip::openvpn_tcp_netmask.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + + shorewall::masq { $interface: + interface => $interface, + source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 04d324a61cb33ff282e2dc3228e25723b564ea1f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Oct 2012 22:49:14 +0100 Subject: differentiate masq definition names --- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 5105b85a..a5af0dde 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -37,11 +37,11 @@ PARAM - - udp 53,80,443,1194 interface => $interface; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_tcp": interface => $interface, source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } - shorewall::masq { $interface: + shorewall::masq { "${interface}_udp": interface => $interface, source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } -- cgit v1.2.3 From 2f747b961a1fd5f7197e63dde58b64ab465ac39d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:16:49 +0100 Subject: commenting --- puppet/modules/site_config/manifests/eip.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp index d7a59157..4280fb67 100644 --- a/puppet/modules/site_config/manifests/eip.pp 
+++ b/puppet/modules/site_config/manifests/eip.pp @@ -1,7 +1,6 @@ class site_config::eip { - include site_openvpn - include site_openvpn::keys + # parse hiera config $ip_address = hiera('ip_address') $interface = hiera('interface') #$gateway_address = hiera('gateway_address') @@ -14,6 +13,12 @@ class site_config::eip { $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp site_openvpn::server_config { 'tcp_config': port => '1194', proto => 'tcp', @@ -31,6 +36,7 @@ class site_config::eip { management => '127.0.0.1 1001' } + # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", -- cgit v1.2.3 From 038380e042289a9586141d7154febea2a2a6a56c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 12:18:06 +0100 Subject: prettyfying --- puppet/modules/site_openvpn/manifests/server_config.pp | 4 ---- 1 file changed, 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index f4c5237e..482c6ab7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -2,10 +2,6 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana $openvpn_configname = $name - - #notice("Creating OpenVPN $openvpn_configname: - # Port: $port, Protocol: $proto") - concat { "/etc/openvpn/$openvpn_configname.conf": owner => root, -- cgit v1.2.3 From 9586f6ec95b6bdba7ca3df4135055f2cced9e972 Mon Sep 17 00:00:00 2001 
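Review bot: The new `# add second IP on given interface` comment now sits above a script whose check, `ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24`, hands the gateway address to grep as a regex, so every dot matches any character, and the `/24` is hard-coded while the rest of this class keeps its netmasks in variables; `grep -qF "${openvpn_gateway_address}/24"` is the literal match the comment describes. The file resource continues past the end of the hunk, so its mode and the `ip addr add` branch could not be reviewed here. The `# deploy ca + server keys` comment above `include site_openvpn::keys` is useful; a parallel one on `include site_openvpn` stating what that class provides would complete the picture.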
From: varac Date: Tue, 30 Oct 2012 12:41:17 +0100 Subject: start shorewall by default --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a5af0dde..34268125 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + #$shorewall_startup='0' include site_shorewall::defaults -- cgit v1.2.3 From b4a32c98e5bd2184f6fc5fef1300e35ab36dbb99 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 15:14:06 +0100 Subject: no need for configuring authorized_keys as leap_cli cares for that --- puppet/modules/site_config/manifests/sshd.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 4834bb6f..944dbce2 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp @@ -1,8 +1,9 @@ class site_config::sshd { - # configure ssh and inculde ssh-keys + # configure sshd include sshd - $ssh_pubkeys=hiera_hash('ssh_pubkeys') include site_sshd - notice($ssh_pubkeys) - create_resources('site_sshd::ssh_key', $ssh_pubkeys) + # no need for configuring authorized_keys as leap_cli cares for that + #$ssh_pubkeys=hiera_hash('ssh_pubkeys') + #notice($ssh_pubkeys) + #create_resources('site_sshd::ssh_key', $ssh_pubkeys) } -- cgit v1.2.3 From 69ba8553f483d99782775e8ed5ab01cd45a75e72 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 16:01:41 +0100 Subject: configure unstable pinning for couchdb before install --- puppet/modules/site_couchdb/manifests/init.pp | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) (limited to 'puppet') 
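Review bot: Both hunks on this line keep superseded code as comments (`#$shorewall_startup='0'` in site_shorewall::eip and the three `#$ssh_pubkeys`/`#notice`/`#create_resources` lines in site_config::sshd) instead of deleting it; git history already preserves the old version, and commented-out code tends to be re-enabled without review, which appears to happen to the shorewall line in a later commit of this series. The one-line explanation `# no need for configuring authorized_keys as leap_cli cares for that` is the part worth keeping. For the shorewall hunk a comment stating the effect would help, e.g. `# shorewall now starts by default; set $shorewall_startup='0' to disable it while developing`.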
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 06c29181..a9e6343a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,18 +1,5 @@ class site_couchdb { - # for now, we need to install couchdb from unstable, - # because of this bug while installing: - # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 - # can be removed when couchdb/1.2.0-2 is integrated into testing - apt::sources_list { 'unstable.list': - source => [ 'puppet:///modules/site_apt/unstable.list'], - } - apt::preferences_snippet{ - 'couchdb': release => "unstable", priority => 999; - } - - class { 'couchdb': - #bind => '0.0.0.0' - } + class {'site_couchdb::package':} -> class {'site_couchdb::configure':} } -- cgit v1.2.3 From 761e87e8ab93bfab4bd81b25125c1c8fb554c8a5 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 16:41:51 +0100 Subject: try explicit class relation --- puppet/modules/site_couchdb/manifests/init.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index a9e6343a..57b1d038 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,10 @@ class site_couchdb { - class {'site_couchdb::package':} -> class {'site_couchdb::configure':} + # install couchdb package first, then configure it + + Class[site_couchdb::package] -> Class[site_couchdb::configure] + + include site_couchdb::package + include site_couchdb::configure } -- cgit v1.2.3 From 139fe307ebc544e95f7c84bc921bbed3d9f20857 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 30 Oct 2012 16:42:00 +0100 Subject: try explicit class relation --- puppet/modules/site_couchdb/manifests/configure.pp | 7 +++++++ puppet/modules/site_couchdb/manifests/package.pp | 13 +++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/configure.pp create mode 100644 puppet/modules/site_couchdb/manifests/package.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp new file mode 100644 index 00000000..969e2e4d --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -0,0 +1,7 @@ +class site_couchdb::configure { + #Class[site_couchdb::package] -> Class[site_couchdb::configure] + class { 'couchdb': + #bind => '0.0.0.0' + } + +} diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp new file mode 100644 index 00000000..c091316a --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/package.pp @@ -0,0 +1,13 @@ +class site_couchdb::package { + + # for now, we need to install couchdb from unstable, + # because of this bug while installing: + # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 + # can be removed when couchdb/1.2.0-2 is integrated into testing + apt::sources_list { 'unstable.list': + source => [ 'puppet:///modules/site_apt/unstable.list'], + } + apt::preferences_snippet{ + 'couchdb': release => 'unstable', priority => 999; + } +} -- cgit v1.2.3 From b9141fa98a3d22ee738ad7add3fed445a9576346 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Oct 2012 22:25:08 +0100 Subject: add dnat rule to redirect other ports to port 1194 --- .../modules/site_shorewall/manifests/dnat_rule.pp | 25 +++++++++++++ puppet/modules/site_shorewall/manifests/eip.pp | 42 ++++++++++++---------- 2 files changed, 49 insertions(+), 18 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/dnat_rule.pp (limited to 'puppet') 
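Review bot: `apt::sources_list { 'unstable.list': ... }` adds the unstable archive to the host as a whole, while the `apt::preferences_snippet` pin (priority 999) covers only the `couchdb` package; unless the apt module pins the base release above unstable's default priority, any other package with a newer version in unstable becomes an upgrade candidate. Worth confirming how `site_apt`/the apt module sets default priorities, and if they do not, a catch-all low-priority pin for the unstable release next to the couchdb snippet would keep the exception to the one package. The existing comment with the Debian bug reference and the removal condition is good; adding `# pinned above the default release so only couchdb comes from unstable` on the snippet would record the intent.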
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp new file mode 100644 index 00000000..4fc62f85 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -0,0 +1,25 @@ +define site_shorewall::dnat_rule { + + $port = $name + if $port != 1194 { + shorewall::rule { + "dnat_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + + shorewall::rule { + "dnat_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } + } +} diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 34268125..7a86db21 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,18 +1,24 @@ class site_shorewall::eip { # be safe for development - #$shorewall_startup='0' + $shorewall_startup='0' include site_shorewall::defaults - $interface = hiera('interface') - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] + $interface = hiera('interface') + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + $openvpn_config = hiera('openvpn') + $openvpn_ports = $openvpn_config['ports'] + $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address - # define macro + notify {"openvpn: $openvpn":} + notify {"openvpn_ports: $openvpn_ports":} + + # define macro, allowing incoming openvpn and ssh file { '/etc/shorewall/macro.leap_eip': - content => "PARAM - - tcp 53,80,443,1194,$ssh_port -PARAM - - udp 53,80,443,1194 + content => "PARAM - - tcp 1194,$ssh_port +PARAM - - udp 1194 ", } 
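Review bot: `site_shorewall::dnat_rule` has no header comment and takes its port from the resource title, so a reader has to infer from `if $port != 1194` that 1194 is skipped because the `leap_eip` macro already admits it; a comment at the top such as `# DNAT an extra public port (the title) to the OpenVPN listener on 1194, tcp and udp; 1194 itself is already allowed by the leap_eip macro` would say that explicitly. The title is not checked for being a port number before it lands in the `destinationport` field of a firewall rule, so a stray hiera value surfaces only as a shorewall compile error on the host; whether that is acceptable depends on how `ports` is validated elsewhere, which the hunk does not show.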
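Review bot: `notify {"openvpn: $openvpn":}` references `$openvpn`, which this class never assigns (the hiera hash is `$openvpn_config`), so the notice prints an empty value; together with `notify {"openvpn_ports: $openvpn_ports":}` it reads as debugging output that will be logged on every agent run, and both lines should go. Re-enabling `$shorewall_startup='0'` under `# be safe for development` in the same hunk that adds the DNAT rules is also worth a second look: if `site_shorewall::defaults` honours that variable (that class is outside the hunk, so this is inferred), the rules are written but the firewall is never started. The class body continues past the end of the hunk.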
@@ -65,12 +71,7 @@ PARAM - - udp 53,80,443,1194 action => 'Ping(ACCEPT)', order => 200; - 'net2fw-ssh': - source => 'net', - destination => '$FW', - action => 'SSH(ACCEPT)', - order => 200; - 'net2fw-openvpn': + 'net2fw-openvpn_ssh': source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', @@ -93,10 +94,15 @@ PARAM - - udp 53,80,443,1194 action => 'Git(ACCEPT)', order => 200; - 'eip2fw-https': - source => 'eip', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; + #'eip2fw-https': + # source => 'eip', + # destination => '$FW', + # action => 'HTTPS(ACCEPT)', + # order => 200; } + + # create dnat rule for each port + #create_resources('site_shorewall::dnat_rule', $openvpn_ports) + site_shorewall::dnat_rule { $openvpn_ports: } + } -- cgit v1.2.3 From ffc0bba5390b30093b0cfdf9f927ba1f7db66ee8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:15:54 +0100 Subject: another try of class relationships --- puppet/modules/site_couchdb/manifests/configure.pp | 4 ++-- puppet/modules/site_couchdb/manifests/init.pp | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 969e2e4d..3ab87e1e 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,7 +1,7 @@ class site_couchdb::configure { - #Class[site_couchdb::package] -> Class[site_couchdb::configure] + Class[site_couchdb::package] -> Class[couchdb] class { 'couchdb': + require => Class['site_couchdb::package'] #bind => '0.0.0.0' } - } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 57b1d038..e27bdd59 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
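Review bot: `site_shorewall::dnat_rule { $openvpn_ports: }` declares one resource per entry of `$openvpn_config['ports']`, but nothing guards the case where the hiera key is absent; an undef title fails catalog compilation, so either a default for `$openvpn_ports` or a comment that `ports` is mandatory belongs next to the assignment in the earlier hunk of this file. The commented-out `create_resources(...)` line and the five commented `#'eip2fw-https'` lines keep dead code in the manifest; a one-line comment on why the https rule is gone says more than the commented block. Since the `leap_eip` macro now carries ssh as well, a comment on `'net2fw-openvpn_ssh'` pointing at `/etc/shorewall/macro.leap_eip` would help the next reader find where the port list lives.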
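Review bot: `Class[site_couchdb::package] -> Class[couchdb]` and `require => Class['site_couchdb::package']` on the `couchdb` class declaration express the same ordering edge twice; keeping only the `require` inside the declaration is the clearer form, with a comment like `# the unstable pin must be in place before the couchdb package is installed`. The chaining arrow uses unquoted class names here while the sibling init.pp hunk quotes them; one form throughout the module is easier to grep. The retained `#bind => '0.0.0.0'` line is worth either removing or annotating, since whether CouchDB listens beyond localhost is a security-relevant setting and a silent commented line does not record the decision.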
@@ -1,10 +1,10 @@ class site_couchdb { # install couchdb package first, then configure it - - Class[site_couchdb::package] -> Class[site_couchdb::configure] + Class['site_couchdb::package'] -> Class['site_couchdb::configure'] include site_couchdb::package include site_couchdb::configure + include couchdb::deploy_config } -- cgit v1.2.3 From 659f145711fefd0bf1046088ce89aa70448fe6f9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:18:07 +0100 Subject: custom local.ini with ssl support --- puppet/modules/site_couchdb/files/local.ini | 84 +++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/local.ini (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini new file mode 100644 index 00000000..0da2fb44 --- /dev/null +++ b/puppet/modules/site_couchdb/files/local.ini 
@@ -0,0 +1,84 @@ +; CouchDB Configuration Settings + +; Custom settings should be made in this file. They will override settings +; in default.ini, but unlike changes made to default.ini, this file won't be +; overwritten on server upgrade. + +[couchdb] +;max_document_size = 4294967296 ; bytes + +[httpd] +;port = 5984 +;bind_address = 127.0.0.1 +; Options for the MochiWeb HTTP server. +;server_options = [{backlog, 128}, {acceptor_pool_size, 16}] +; For more socket options, consult Erlang's module 'inet' man page. +;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}] + +; Uncomment next line to trigger basic-auth popup on unauthorized requests. +;WWW-Authenticate = Basic realm="administrator" + +; Uncomment next line to set the configuration modification whitelist. Only +; whitelisted values may be changed via the /_config URLs. To allow the admin +; to change this value over HTTP, remember to include {httpd,config_whitelist} +; itself. Excluding it from the list would require editing this file to update +; the whitelist. +;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}] + +[httpd_global_handlers] +;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} + +[couch_httpd_auth] +; If you set this to true, you should also uncomment the WWW-Authenticate line +; above. If you don't configure a WWW-Authenticate header, CouchDB will send +; Basic realm="server" in order to prevent you getting logged out. +; require_valid_user = false + +[log] +;level = debug + +[os_daemons] +; For any commands listed here, CouchDB will attempt to ensure that +; the process remains alive while CouchDB runs as well as shut them +; down when CouchDB exits. +;foo = /path/to/command -with args + +[daemons] +; enable SSL support by uncommenting the following line and supply the PEM's below. 
+; the default ssl port CouchDB listens on is 6984 +httpsd = {couch_httpd, start_link, [https]} + +[ssl] +cert_file = /etc/couchdb/server_cert.pem +key_file = /etc/couchdb/server_key.pem +;password = somepassword +; set to true to validate peer certificates +verify_ssl_certificates = false +; Path to file containing PEM encoded CA certificates (trusted +; certificates used for verifying a peer certificate). May be omitted if +; you do not want to verify the peer. +;cacert_file = /full/path/to/cacertf +; The verification fun (optionnal) if not specidied, the default +; verification fun will be used. +;verify_fun = {Module, VerifyFun} +ssl_certificate_max_depth = 1 +; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to +; the Virual Host will be redirected to the path. In the example below all requests +; to http://example.com/ are redirected to /database. +; If you run CouchDB on a specific port, include the port number in the vhost: +; example.com:5984 = /database + +[vhosts] +;example.com = /database/ + +[update_notification] +;unique notifier name=/full/path/to/exe -with "cmd line arg" + +; To create an admin account uncomment the '[admins]' section below and add a +; line in the format 'username = password'. When you next start CouchDB, it +; will change the password to a hash (so that your passwords don't linger +; around in plain-text files). You can add more admin accounts with more +; 'username = password' lines. Don't forget to restart CouchDB after +; changing this. +[admins] +;admin = mysecretpassword -- cgit v1.2.3 From f94788ce35c564babedb987e2c01d44021898739 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:23:55 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8daa8625..3fbdba6f 160000 --- a/puppet/modules/couchdb 
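Review bot: The file enables `httpsd` and the `[ssl]` block but leaves `[admins]` active with its only entry commented out, so as shipped the instance has no admin account; in CouchDB 1.x an instance with no admins treats every request as administrative, which should be stated next to the section (`; no admin defined here on purpose — see local.d/admin.ini`) once admins are configured elsewhere, as a later commit in this series does. `verify_ssl_certificates = false` and `ssl_certificate_max_depth = 1` are uncommented without a note on whether client certificates are expected at all; a short comment on the intended trust model would keep them from being mistaken for leftovers. Two typos in the inherited text, `optionnal`/`specidied` and `Virual`, could be fixed while the file is being touched.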
+++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 8daa862541facd5207a75760f3656e857faf73fd +Subproject commit 3fbdba6f03758337350f3e43352f993b74ff72a8 -- cgit v1.2.3 From 628b60f3db3f9150ae456f976a44916affd08e20 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:33:15 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 3fbdba6f..8ccd0565 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 3fbdba6f03758337350f3e43352f993b74ff72a8 +Subproject commit 8ccd0565c9afdee9dd9d916063a98c209940716d -- cgit v1.2.3 From ced30b2e8eb182fa099d407e2d969288bb07b0dd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:39:37 +0100 Subject: deploy ssl certs --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e27bdd59..8865bde8 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -6,5 +6,6 @@ class site_couchdb { include site_couchdb::package include site_couchdb::configure + include couchdb::ssl::deploy_certs include couchdb::deploy_config } -- cgit v1.2.3 From 4b26a17f6e2e01e7c9fd810cbae2e01be24b8438 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 09:54:15 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8ccd0565..293e609c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
@@ -1 +1 @@ -Subproject commit 8ccd0565c9afdee9dd9d916063a98c209940716d +Subproject commit 293e609c70157cbe73e9a7962b6bc9b5393b3778 -- cgit v1.2.3 From 60c9f0ed9cb957efcbd9972512f5a17a5d828651 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 10:05:46 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 293e609c..fd8c6d94 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 293e609c70157cbe73e9a7962b6bc9b5393b3778 +Subproject commit fd8c6d9481910d7ee587cbd1098346da868f5068 -- cgit v1.2.3 From 9f7a64ab2813e2c475a776efff4ad9a380ca6cc1 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 1 Nov 2012 10:09:37 +0100 Subject: deploy ssl cert working --- puppet/modules/site_couchdb/manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 8865bde8..f1cca46f 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,11 +1,19 @@ class site_couchdb { + $couchdb_config = hiera('couchdb') + $key = $couchdb_config['key'] + $cert = $couchdb_config['crt'] + # install couchdb package first, then configure it Class['site_couchdb::package'] -> Class['site_couchdb::configure'] include site_couchdb::package include site_couchdb::configure - include couchdb::ssl::deploy_certs + + couchdb::ssl::deploy_cert { 'cert': + key => $key, + cert => $cert, + } include couchdb::deploy_config } -- cgit v1.2.3 From 6a2453574e45b6778bfc66fc12a47421669d1614 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 1 Nov 2012 15:15:11 +0100 Subject: use couchdb x509 hiera values --- puppet/modules/site_couchdb/manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index f1cca46f..e3f5e59f 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,8 +1,8 @@ class site_couchdb { - $couchdb_config = hiera('couchdb') - $key = $couchdb_config['key'] - $cert = $couchdb_config['crt'] + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] # install couchdb package first, then configure it Class['site_couchdb::package'] -> Class['site_couchdb::configure'] -- cgit v1.2.3 From 7a9b7bed9cd8e2f2c02c4ce3627c874350d954f7 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 2 Nov 2012 16:19:04 +0100 Subject: accept all outgoing traffic on eip gw --- puppet/modules/site_shorewall/manifests/eip.pp | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 34268125..e94c7db4 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -7,9 +7,9 @@ class site_shorewall::eip { $interface = hiera('interface') $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] + $ssh_port = $ssh_config['port'] - # define macro + # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 53,80,443,1194,$ssh_port PARAM - - udp 53,80,443,1194 @@ -51,6 +51,11 @@ PARAM - - udp 53,80,443,1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; + 'fw-to-all': + sourcezone => '$FW', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', 
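Review bot: The new `'fw-to-all'` policy with `policy => 'ACCEPT'` lets the gateway itself initiate any outbound connection, which makes the explicit `fw2all-http` and `Git(ACCEPT)` rules further down the file redundant and removes the egress restriction a compromised gateway would otherwise face. If unrestricted egress is intended (the subject line suggests so), say it in a comment on the policy, e.g. `# gateway may reach anything outbound; the fw2all rules below are now redundant`, and consider dropping those rules so the file has one source of truth; otherwise keep the policy restrictive and add the needed services to the rules block. The `# define macro for incoming services` wording is a good improvement.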
@@ -59,12 +64,14 @@ PARAM - - udp 53,80,443,1194 } shorewall::rule { + # ping party 'all2all-ping': source => 'all', destination => 'all', action => 'Ping(ACCEPT)', order => 200; + # outside to server 'net2fw-ssh': source => 'net', destination => '$FW', @@ -76,7 +83,7 @@ PARAM - - udp 53,80,443,1194 action => 'leap_eip(ACCEPT)', order => 200; - # eip gw itself to outside + # server to outside 'fw2all-http': source => '$FW', destination => 'all', @@ -93,10 +100,11 @@ PARAM - - udp 53,80,443,1194 action => 'Git(ACCEPT)', order => 200; - 'eip2fw-https': - source => 'eip', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; + # Webfrontend is running on another server + #'eip2fw-https': + # source => 'eip', + # destination => '$FW', + # action => 'HTTPS(ACCEPT)', + # order => 200; } } -- cgit v1.2.3 From 82c21f345c78c4f06e4aa78ab6020f1393816812 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 10:18:38 +0100 Subject: added local.d/admin.ini to set admin pw --- puppet/modules/site_couchdb/manifests/configure.pp | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 3ab87e1e..0d0eb24f 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,7 +1,18 @@ class site_couchdb::configure { - Class[site_couchdb::package] -> Class[couchdb] + Class[site_couchdb::package] -> Class[couchdb] + class { 'couchdb': - require => Class['site_couchdb::package'] - #bind => '0.0.0.0' + require => Class['site_couchdb::package'], + } + + $adminpw = hiera('couchdb_adminpw') + file { '/etc/couchdb/local.d/admin.ini': + content => "[admins] +admin = $adminpw +", + mode => '0600', + owner => 'couchdb', + group => 'couchdb', + notify => Service[couchdb] } } -- cgit v1.2.3 From 5abce06ff562fb508504af4370c0cc8eda266b56 Mon Sep 17 00:00:00 2001 
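Review bot: `content => "[admins]\nadmin = $adminpw\n"` writes the admin password in clear, and per the local.ini comment earlier in this series CouchDB replaces that line with a hash when it starts, so on the next agent run the file no longer matches the catalog, Puppet rewrites it with the plaintext, and `notify => Service[couchdb]` restarts the service on every run. Setting `replace => false` on the file breaks that loop (at the cost of not propagating password changes, which then need a documented procedure), and `show_diff => false`, where the puppet version supports it, keeps the password out of agent logs and reports; mode 0600 with owner couchdb is right. Pulling the secret with `hiera('couchdb_adminpw')` inside a sub-class also deserves a comment naming where that key is expected to be set.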
From: varac Date: Sat, 3 Nov 2012 10:19:24 +0100 Subject: [admins] section moved to local.d/admin.ini --- puppet/modules/site_couchdb/files/local.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 0da2fb44..79dd112e 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -80,5 +80,5 @@ ssl_certificate_max_depth = 1 ; around in plain-text files). You can add more admin accounts with more ; 'username = password' lines. Don't forget to restart CouchDB after ; changing this. -[admins] +;[admins] ;admin = mysecretpassword -- cgit v1.2.3 From 16f007c540d56c2e64c1f73bd1ff49674bd0afeb Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 10:21:49 +0100 Subject: added submodule apache from git://labs.riseup.net/shared-apache --- puppet/modules/apache | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/apache (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache new file mode 160000 index 00000000..9f12e863 --- /dev/null +++ b/puppet/modules/apache @@ -0,0 +1 @@ +Subproject commit 9f12e8635b4253955e19ed6b18d90142ed27d2f8 -- cgit v1.2.3 From 5493d362f7b3abd6c8aa9350341a551c53622604 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 11:33:38 +0100 Subject: configure apache ssl proxy for couchdb --- puppet/modules/site-apache | 1 + .../site_apache/files/vhosts.d/couchdb_proxy.conf | 10 ++++++++++ puppet/modules/site_couchdb/files/local.ini | 10 +++++----- puppet/modules/site_couchdb/manifests/init.pp | 18 +++++++++++++----- 4 files changed, 29 insertions(+), 10 deletions(-) create mode 120000 puppet/modules/site-apache create mode 100644 puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf (limited to 'puppet') diff --git a/puppet/modules/site-apache b/puppet/modules/site-apache new file mode 120000 index 00000000..f0517fa5 
--- /dev/null +++ b/puppet/modules/site-apache @@ -0,0 +1 @@ +site_apache \ No newline at end of file diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf new file mode 100644 index 00000000..79ad931d --- /dev/null +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -0,0 +1,10 @@ +Listen 0.0.0.0:6984 + + + SSLEngine On + SSLProxyEngine On + SSLCertificateKeyFile /etc/couchdb/server_key.pem + SSLCertificateFile /etc/couchdb/server_cert.pem + ProxyPass / http://127.0.0.1:5984/ + ProxyPassReverse / http://127.0.0.1:5984/ + diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 79dd112e..485c9a29 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -46,14 +46,14 @@ [daemons] ; enable SSL support by uncommenting the following line and supply the PEM's below. ; the default ssl port CouchDB listens on is 6984 -httpsd = {couch_httpd, start_link, [https]} +;httpsd = {couch_httpd, start_link, [https]} [ssl] -cert_file = /etc/couchdb/server_cert.pem -key_file = /etc/couchdb/server_key.pem +;cert_file = /etc/couchdb/server_cert.pem +;key_file = /etc/couchdb/server_key.pem ;password = somepassword ; set to true to validate peer certificates -verify_ssl_certificates = false +;verify_ssl_certificates = false ; Path to file containing PEM encoded CA certificates (trusted ; certificates used for verifying a peer certificate). May be omitted if ; you do not want to verify the peer. 
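Review bot: The vhost as rendered here has no `<VirtualHost>` open and close lines between `Listen 0.0.0.0:6984` and `SSLEngine On`; that looks like the page's rendering stripped them rather than the file lacking them, but it is worth confirming in the repository. `SSLProxyEngine On` is not needed when the backend is plain `http://127.0.0.1:5984/`; only `SSLEngine On` applies to this listener. `Listen 0.0.0.0:6984` binds every interface and the block sets no `SSLProtocol`/`SSLCipherSuite`, so it inherits whatever the apache module's ssl defaults are; a comment stating which address clients are expected to use and that the firewall gates 6984 would document the exposure.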
@@ -61,7 +61,7 @@ verify_ssl_certificates = false ; The verification fun (optionnal) if not specidied, the default ; verification fun will be used. ;verify_fun = {Module, VerifyFun} -ssl_certificate_max_depth = 1 +;ssl_certificate_max_depth = 1 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to ; the Virual Host will be redirected to the path. In the example below all requests ; to http://example.com/ are redirected to /database. diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e3f5e59f..b296279c 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -9,11 +9,19 @@ class site_couchdb { include site_couchdb::package include site_couchdb::configure + include couchdb::deploy_config - couchdb::ssl::deploy_cert { 'cert': - key => $key, - cert => $cert, - } - include couchdb::deploy_config + #couchdb::ssl::deploy_cert { 'cert': + # key => $key, + # cert => $cert, + #} + + include apache::ssl + apache::module { + 'rewrite': ensure => present; + 'proxy': ensure => present; + 'proxy_http': ensure => present; + } + apache::vhost::file { 'couchdb_proxy': } } -- cgit v1.2.3 From 5981a73edce0a64f26bb8abb799c180b856abbbd Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 11:43:58 +0100 Subject: overwrite /etc/apache2/ports.conf so 0-default.conf and 0-default_ssl.conf don't start on port 80/443 --- puppet/modules/site_couchdb/manifests/init.pp | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index b296279c..4c923b35 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -16,12 +16,20 @@ class site_couchdb { # key => $key, # cert => $cert, #} - + include apache::ssl - apache::module { - 'rewrite': ensure => present; - 'proxy': ensure => present; - 'proxy_http': ensure => present; - } + apache::module { + 'rewrite': ensure => present; + 'proxy': ensure => present; + 'proxy_http': ensure => present; + } apache::vhost::file { 'couchdb_proxy': } + # prevent 0-default.conf and 0-default_ssl.conf from apache module + # from starting on port 80 / 443 + file { '/etc/apache2/ports.conf': + content => '', + mode => '0644', + owner => 'root', + group => 'root', + } } -- cgit v1.2.3 From b7d3bd9c119ce70f1823ffd06567a127c390c4f0 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 12:16:22 +0100 Subject: deploy server_cert.pem + server_key.pem, notify apache --- puppet/modules/site_couchdb/manifests/init.pp | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 4c923b35..04b46bf6 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -11,12 +11,6 @@ class site_couchdb { include site_couchdb::configure include couchdb::deploy_config - - #couchdb::ssl::deploy_cert { 'cert': - # key => $key, - # cert => $cert, - #} - include apache::ssl apache::module { 'rewrite': ensure => present; @@ -32,4 +26,21 @@ class site_couchdb { owner => 'root', group => 'root', } + + file { '/etc/couchdb/server_cert.pem': + mode => '0644', + owner => 'couchdb', + group => 'couchdb', + content => $cert, + notify => Service[apache], + } + + file { '/etc/couchdb/server_key.pem': + mode => '0600', + owner => 'couchdb', + group => 'couchdb', + content => $key, + notify => Service[apache], + } + } -- cgit v1.2.3 From 995bde9b3c1c54b70b5884e2d06534a5cf38d654 Mon Sep 17 00:00:00 2001 
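Review bot: The new `file { '/etc/apache2/ports.conf': content => '' }` carries no `notify => Service[apache]`, so on the run that empties the file Apache keeps listening on 80/443 until something else restarts it, which defeats the purpose stated in the comment above it. The PEM file resources added to this same class in the next commit do notify the service; this one should match: `notify => Service[apache],`. Class `site_couchdb` begins outside the hunk.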
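Review bot: `/etc/couchdb/server_key.pem` is deployed with `owner => 'couchdb', mode => '0600'`, yet the only consumer visible on this page is Apache (`SSLCertificateKeyFile /etc/couchdb/server_key.pem` in couchdb_proxy.conf, while CouchDB's own httpsd is commented out in local.ini), so the permissions presumably only work because Apache reads the key while still running as root at start-up. Give the key an owner that matches who actually reads it and record that in a comment, e.g. `# read by apache at start-up; couchdb's native https is disabled in local.ini`. The `notify => Service[apache]` on both files is correct since the key is only loaded at start.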
From: varac Date: Sat, 3 Nov 2012 21:34:54 +0100 Subject: query hiera adminpw in site_couchdb --- puppet/modules/site_couchdb/manifests/configure.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 0d0eb24f..3adce785 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -5,7 +5,7 @@ class site_couchdb::configure { require => Class['site_couchdb::package'], } - $adminpw = hiera('couchdb_adminpw') + $adminpw = $site_couchdb::adminpw file { '/etc/couchdb/local.d/admin.ini': content => "[admins] admin = $adminpw -- cgit v1.2.3 From 8f0ea9039310a348ade5e1e5637aa62fce01579f Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:44:12 +0100 Subject: install apache_ssl_proxy, add users, create DBs + security roles --- puppet/modules/site_couchdb/manifests/init.pp | 58 ++++++++++++++------------- 1 file changed, 30 insertions(+), 28 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 04b46bf6..26e5cdfd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
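Review bot: `$adminpw = $site_couchdb::adminpw` reads a class variable that `site_couchdb` does not define at this commit; `$adminpw = hiera('couchdb_adminpw')` is only added to init.pp in the following commit (`@@ -1,8 +1,16 @@` below), so a catalog compiled from this commit alone likely interpolates an empty value and writes `admin = ` into admin.ini, i.e. an admin account with an empty password. Either squash the two commits or keep the `hiera('couchdb_adminpw')` lookup here until the class variable exists. The enclosing `file { '/etc/couchdb/local.d/admin.ini': ... }` runs past the hunk.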
@@ -1,8 +1,16 @@ class site_couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $adminpw = hiera('couchdb_adminpw') + $couchdb_leap_web_user = hiera('couchdb_leap_web_user') + $couchdb_leap_web_username = $couchdb_leap_web_user['user'] + $couchdb_leap_web_pw = $couchdb_leap_web_user['pw'] + $couchdb_leap_ca_user = hiera('couchdb_leap_ca_user') + $couchdb_leap_ca_username = $couchdb_leap_ca_user['user'] + $couchdb_leap_ca_pw = $couchdb_leap_ca_user['pw'] + $couchdb_host = "admin:$adminpw@127.0.0.1:5984" # install couchdb package first, then configure it Class['site_couchdb::package'] -> Class['site_couchdb::configure'] 
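Review bot: `$couchdb_host = "admin:$adminpw@127.0.0.1:5984"` bakes the admin password into a value that the next hunk passes as the `host` parameter of every `couchdb::add_user` and `couchdb::create_db`, so the secret ends up in the compiled catalog and in Puppet reports and, if those defines shell out with the host string, in the node's process list as well. Keep credentials out of resource parameters: hand the couchdb module the user/password pair separately (the `couchdb::query::setup` / netrc approach adopted later on this page does exactly that) and leave the host as `127.0.0.1:5984`. The literal `admin` also hardcodes the account name while only the password comes from hiera.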
@@ -11,36 +19,30 @@ class site_couchdb { include site_couchdb::configure include couchdb::deploy_config - include apache::ssl - apache::module { - 'rewrite': ensure => present; - 'proxy': ensure => present; - 'proxy_http': ensure => present; + site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': + key => $key, + cert => $cert } - apache::vhost::file { 'couchdb_proxy': } - # prevent 0-default.conf and 0-default_ssl.conf from apache module - # from starting on port 80 / 443 - file { '/etc/apache2/ports.conf': - content => '', - mode => '0644', - owner => 'root', - group => 'root', + + couchdb::add_user { $couchdb_leap_web_username: + host => $couchdb_host, + roles => '["certs"]', + pw => $couchdb_leap_web_pw } - file { '/etc/couchdb/server_cert.pem': - mode => '0644', - owner => 'couchdb', - group => 'couchdb', - content => $cert, - notify => Service[apache], + couchdb::add_user { $couchdb_leap_ca_username: + host => $couchdb_host, + roles => '["certs"]', + pw => $couchdb_leap_ca_pw } - file { '/etc/couchdb/server_key.pem': - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - content => $key, - notify => Service[apache], + couchdb::create_db { 'leap_web': + host => $couchdb_host, + readers => "{ \"names\": [\"leap_web\"], \"roles\": [] }" } + couchdb::create_db { 'leap_ca': + host => $couchdb_host, + readers => "{ \"names\": [], \"roles\": [\"certs\"] }" + } } -- cgit v1.2.3 From a555f779fb90e5b817319eca478d517696898789 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:47:42 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index fd8c6d94..3ae28de3 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit fd8c6d9481910d7ee587cbd1098346da868f5068 +Subproject commit 3ae28de3ba018d5064122dbceb31af336a090167 -- cgit v1.2.3 
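Review bot: `couchdb::create_db { 'leap_web': readers => "{ \"names\": [\"leap_web\"], \"roles\": [] }" }` grants read access to a literal user `leap_web`, while the user actually created above is titled `$couchdb_leap_web_username` from hiera; unless hiera returns exactly `leap_web`, the web application's own user cannot read its database. Interpolate the variable instead: `readers => "{ \"names\": [\"$couchdb_leap_web_username\"], \"roles\": [] }"`. Note also that both users get `roles => '["certs"]'`, so the web user can read `leap_ca` through the role even though only the CA user appears to need it; if that is not intended, give the web user `roles => '[]'`.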
From b1a4e8c8b31e7b648b4eb5e7ef0e165a23a3110b Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:48:35 +0100 Subject: added apache_ssl_proxy.pp --- .../site_couchdb/manifests/apache_ssl_proxy.pp | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp (limited to 'puppet')
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp new file mode 100644
index 00000000..87b21e62
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -0,0 +1,35 @@
+define site_couchdb::apache_ssl_proxy ($key, $cert) {
+
+ include apache::ssl
+ apache::module {
+ 'rewrite': ensure => present;
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present;
+ }
+ apache::vhost::file { 'couchdb_proxy': }
+ # prevent 0-default.conf and 0-default_ssl.conf from apache module
+ # from starting on port 80 / 443
+ file { '/etc/apache2/ports.conf':
+ content => '',
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ }
+
+ file { '/etc/couchdb/server_cert.pem':
+ mode => '0644',
+ owner => 'couchdb',
+ group => 'couchdb',
+ content => $cert,
+ notify => Service[apache],
+ }
+
+ file { '/etc/couchdb/server_key.pem':
+ mode => '0600',
+ owner => 'couchdb',
+ group => 'couchdb',
+ content => $key,
+ notify => Service[apache],
+ }
+
+} -- cgit v1.2.3 From 65dd85c494580170799d3ca0746d5ef6996919f5 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 21:51:29 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet')
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 3ae28de3..110fed8a 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
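Review bot: `define site_couchdb::apache_ssl_proxy ($key, $cert)` wraps resources that can exist only once per node — `include apache::ssl`, the `apache::module` entries, `file { '/etc/apache2/ports.conf' }` and the two PEM files — so declaring the define a second time under any other title fails with a duplicate-resource error; a parameterised class, `class site_couchdb::apache_ssl_proxy ($key, $cert) {`, expresses that singleton nature and lets Puppet enforce it. A header comment would help the next reader, e.g. `# Terminates TLS for CouchDB in Apache on 6984 (files/vhosts.d/couchdb_proxy.conf) and deploys the x509 pair Apache loads at start-up.`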
@@ -1 +1 @@ -Subproject commit 3ae28de3ba018d5064122dbceb31af336a090167 +Subproject commit 110fed8abd8c2d7ef4f73bd1a6d0e0f3665190cf -- cgit v1.2.3 From a58524af8a97d6c2eee8d26ccdf192fecb855fe9 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 18:53:24 +0100 Subject: provide coustom couchdb initscript to ensure stop/restart is working --- puppet/modules/site_couchdb/files/couchdb | 160 ++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100755 puppet/modules/site_couchdb/files/couchdb (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb new file mode 100755 index 00000000..ccdfe716 --- /dev/null +++ b/puppet/modules/site_couchdb/files/couchdb 
@@ -0,0 +1,160 @@
+#!/bin/sh -e
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+### BEGIN INIT INFO
+# Provides: couchdb
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Apache CouchDB init script
+# Description: Apache CouchDB init script for the database server.
+### END INIT INFO
+
+SCRIPT_OK=0
+SCRIPT_ERROR=1
+
+DESCRIPTION="database server"
+NAME=couchdb
+SCRIPT_NAME=`basename $0`
+COUCHDB=/usr/bin/couchdb
+CONFIGURATION_FILE=/etc/default/couchdb
+RUN_DIR=/var/run/couchdb
+LSB_LIBRARY=/lib/lsb/init-functions
+
+if test ! -x $COUCHDB; then
+ exit $SCRIPT_ERROR
+fi
+
+if test -r $CONFIGURATION_FILE; then
+ . $CONFIGURATION_FILE
+fi
+
+log_daemon_msg () {
+ # Dummy function to be replaced by LSB library.
+
+ echo $@
+}
+
+log_end_msg () {
+ # Dummy function to be replaced by LSB library.
+
+ if test "$1" != "0"; then
+ echo "Error with $DESCRIPTION: $NAME"
+ fi
+ return $1
+}
+
+if test -r $LSB_LIBRARY; then
+ . $LSB_LIBRARY
+fi
+
+run_command () {
+ command="$1"
+ if test -n "$COUCHDB_OPTIONS"; then
+ command="$command $COUCHDB_OPTIONS"
+ fi
+ if test -n "$COUCHDB_USER"; then
+ if su $COUCHDB_USER -c "$command"; then
+ return $SCRIPT_OK
+ else
+ return $SCRIPT_ERROR
+ fi
+ else
+ if $command; then
+ return $SCRIPT_OK
+ else
+ return $SCRIPT_ERROR
+ fi
+ fi
+}
+
+start_couchdb () {
+ # Start Apache CouchDB as a background process. 
+
+ mkdir -p "$RUN_DIR"
+ chown -R "$COUCHDB_USER" "$RUN_DIR"
+ command="$COUCHDB -b"
+ if test -n "$COUCHDB_STDOUT_FILE"; then
+ command="$command -o $COUCHDB_STDOUT_FILE"
+ fi
+ if test -n "$COUCHDB_STDERR_FILE"; then
+ command="$command -e $COUCHDB_STDERR_FILE"
+ fi
+ if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then
+ command="$command -r $COUCHDB_RESPAWN_TIMEOUT"
+ fi
+ run_command "$command" > /dev/null
+}
+
+stop_couchdb () {
+ # Stop the running Apache CouchDB process.
+
+ run_command "$COUCHDB -d" > /dev/null
+ pkill -u couchdb
+ # always return true even if no remaining couchdb procs got killed
+ /bin/true
+}
+
+display_status () {
+ # Display the status of the running Apache CouchDB process.
+
+ run_command "$COUCHDB -s"
+}
+
+parse_script_option_list () {
+ # Parse arguments passed to the script and take appropriate action.
+
+ case "$1" in
+ start)
+ log_daemon_msg "Starting $DESCRIPTION" $NAME
+ if start_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESCRIPTION" $NAME
+ if stop_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESCRIPTION" $NAME
+ if stop_couchdb; then
+ if start_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ status)
+ display_status
+ ;;
+ *)
+ cat << EOF >&2
+Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status}
+EOF
+ exit $SCRIPT_ERROR
+ ;;
+ esac
+}
+
+parse_script_option_list $@ -- cgit v1.2.3 From 0a3fdfff7bd8c11d6099f23aef505fbd5333ba99 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 20:45:53 +0100 Subject: deploy couchdb initscript, restart couchdb after config file change --- puppet/modules/site_couchdb/manifests/configure.pp | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'puppet') 
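Review bot: `stop_couchdb` runs `pkill -u couchdb`, which terminates every process owned by that account rather than only the CouchDB server processes, and hardcodes the account name although the rest of the script honours `$COUCHDB_USER`; the trailing `/bin/true` then discards the result of `$COUCHDB -d`, so `stop` and `restart` report success even when nothing was stopped. Narrow the kill to the daemon's processes, use `"$COUCHDB_USER"`, and keep the exit status of the graceful stop so `log_end_msg` reflects it. The final dispatch should also be `parse_script_option_list "$@"` so arguments are passed intact. A comment above the pkill, `# fallback: couchdb -d sometimes leaves children behind, see commit message`, would record why the extra kill exists.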
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 3adce785..4343cc2b 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -2,10 +2,17 @@ class site_couchdb::configure { Class[site_couchdb::package] -> Class[couchdb] class { 'couchdb': - require => Class['site_couchdb::package'], + require => Class['site_couchdb::package'], } + + + file { '/etc/init.d/couchdb': + source => 'puppet:///modules/site_couchdb/couchdb', + mode => '0755', + owner => 'root', + group => 'root', } - $adminpw = $site_couchdb::adminpw + $adminpw = $site_couchdb::adminpw file { '/etc/couchdb/local.d/admin.ini': content => "[admins] admin = $adminpw @@ -15,4 +22,12 @@ admin = $adminpw group => 'couchdb', notify => Service[couchdb] } + + + exec { '/etc/init.d/couchdb restart; sleep 3': + path => ['/bin', '/usr/bin',], + subscribe => File['/etc/couchdb/local.d/admin.ini', + '/etc/couchdb/local.ini'], + refreshonly => true + } } -- cgit v1.2.3 From 41a10e2475d056a621964f17757b28581661b053 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 20:47:25 +0100 Subject: working resource relationships for deployment --- puppet/modules/site_couchdb/manifests/init.pp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 26e5cdfd..e4d97e34 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
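Review bot: The new `exec { '/etc/init.d/couchdb restart; sleep 3': subscribe => File['/etc/couchdb/local.d/admin.ini', ...], refreshonly => true }` and the existing `notify => Service[couchdb]` on the admin.ini file (context line just above the second hunk) both react to the same change, so one edit of admin.ini restarts CouchDB twice in a single run. If the custom init script deployed in the first hunk is what makes `restart` reliable, point `Service['couchdb']` at it (it is installed at the path the service provider already uses) and drop the exec, or drop the `notify`. The fixed `sleep 3` (raised to 6 in a later commit on this page) is a timing guess; a loop that polls `/etc/init.d/couchdb status` or the HTTP port until it answers would not depend on host speed. Class `site_couchdb::configure` begins outside the hunk.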
@@ -12,8 +12,16 @@ class site_couchdb { $couchdb_leap_ca_pw = $couchdb_leap_ca_user['pw'] $couchdb_host = "admin:$adminpw@127.0.0.1:5984" - # install couchdb package first, then configure it - Class['site_couchdb::package'] -> Class['site_couchdb::configure'] + Class['site_couchdb::package'] + -> Package ['couchdb'] + -> File['/etc/init.d/couchdb'] + -> File['/etc/couchdb/local.ini'] + -> File['/etc/couchdb/local.d/admin.ini'] + -> Couchdb::Create_db[leap_web] + -> Couchdb::Create_db[leap_ca] + -> Couchdb::Add_user[leap_web] + -> Couchdb::Add_user[leap_ca] + -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] include site_couchdb::package include site_couchdb::configure -- cgit v1.2.3 From a2bd420ac47ac7292204d3b9af191b29ca878e74 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 20:53:43 +0100 Subject: changed submodule remote for apache to use leap one --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index 9f12e863..a2874ab6 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 9f12e8635b4253955e19ed6b18d90142ed27d2f8 +Subproject commit a2874ab6b1bab2c0a75ad9c62a77490d37846e0f -- cgit v1.2.3 From 5bfc45558090fe41085f9db29e32b4515626cc6e Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 4 Nov 2012 21:16:31 +0100 Subject: automatic update of submodule puppet_apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index a2874ab6..9eea95a3 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit a2874ab6b1bab2c0a75ad9c62a77490d37846e0f +Subproject commit 9eea95a38b9c03d9d769de2f9cc2e2820e3d4cb3 -- cgit v1.2.3 From 0fdf251c78891cee9a95f93954a43876d0399be6 Mon Sep 17 00:00:00 2001 
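Review bot: The new chain references `Couchdb::Add_user[leap_web]` and `Couchdb::Add_user[leap_ca]`, but the resources declared further down in this class are titled `$couchdb_leap_web_username` and `$couchdb_leap_ca_username` from hiera (hunk `@@ -11,36 +19,30 @@` above), so the catalog fails to compile with a missing-resource error unless hiera supplies exactly those names; reference the variables, `-> Couchdb::Add_user[$couchdb_leap_web_username]` and `-> Couchdb::Add_user[$couchdb_leap_ca_username]` (a later commit on this page does this). The chain also drops the only comment explaining the ordering; a replacement such as `# package -> init script -> config files -> DBs/users -> apache proxy` keeps it readable.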
From: varac Date: Sun, 4 Nov 2012 21:30:37 +0100 Subject: automatic update of submodule puppet_apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index 9eea95a3..104b2e09 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 9eea95a38b9c03d9d769de2f9cc2e2820e3d4cb3 +Subproject commit 104b2e09399e02a8aa9687df0de795644e4b83e0 -- cgit v1.2.3 From 561ea1c6dace320455990b880d8a7da421fcb8bc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:36:18 +0100 Subject: sleep some more after couchdb restart, adopt new hiera creditials --- puppet/modules/site_couchdb/manifests/configure.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 4343cc2b..25ea7a0b 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -12,10 +12,9 @@ class site_couchdb::configure { group => 'root', } - $adminpw = $site_couchdb::adminpw file { '/etc/couchdb/local.d/admin.ini': content => "[admins] -admin = $adminpw +admin = $site_couchdb::couchdb_admin_pw ", mode => '0600', owner => 'couchdb', @@ -24,7 +23,7 @@ admin = $adminpw } - exec { '/etc/init.d/couchdb restart; sleep 3': + exec { '/etc/init.d/couchdb restart; sleep 6': path => ['/bin', '/usr/bin',], subscribe => File['/etc/couchdb/local.d/admin.ini', '/etc/couchdb/local.ini'], -- cgit v1.2.3 From a5b8f30cdb68997e523c0f9fac65d894acddf40f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:36:45 +0100 Subject: adopt new hiera creditials --- puppet/modules/site_couchdb/manifests/init.pp | 51 +++++++++++++++------------ 1 file changed, 29 insertions(+), 22 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e4d97e34..30ce7f54 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,28 +1,33 @@ class site_couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $adminpw = hiera('couchdb_adminpw') - $couchdb_leap_web_user = hiera('couchdb_leap_web_user') - $couchdb_leap_web_username = $couchdb_leap_web_user['user'] - $couchdb_leap_web_pw = $couchdb_leap_web_user['pw'] - $couchdb_leap_ca_user = hiera('couchdb_leap_ca_user') - $couchdb_leap_ca_username = $couchdb_leap_ca_user['user'] - $couchdb_leap_ca_pw = $couchdb_leap_ca_user['pw'] - $couchdb_host = "admin:$adminpw@127.0.0.1:5984" + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $couchdb_config = hiera('couch') + $couchdb_users = $couchdb_config['users'] + $couchdb_admin = $couchdb_users['admin'] + $couchdb_admin_user = $couchdb_admin['username'] + $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_ca_daemon = $couchdb_users['ca_daemon'] + $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] + $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] Class['site_couchdb::package'] -> Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] + -> File['/etc/couchdb/couchdb.netrc'] -> Couchdb::Create_db[leap_web] -> Couchdb::Create_db[leap_ca] - -> Couchdb::Add_user[leap_web] - -> Couchdb::Add_user[leap_ca] + -> Couchdb::Add_user[$couchdb_webapp_user] + -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] + # Setup couchdb include site_couchdb::package include site_couchdb::configure include couchdb::deploy_config 
@@ -32,25 +37,27 @@ class site_couchdb { cert => $cert } - couchdb::add_user { $couchdb_leap_web_username: - host => $couchdb_host, + couchdb::query::setup { 'localhost': + user => $couchdb_admin_user, + pw => $couchdb_admin_pw + } + + # Populate couchdb + couchdb::add_user { $couchdb_webapp_user: roles => '["certs"]', - pw => $couchdb_leap_web_pw + pw => $couchdb_webapp_pw } - couchdb::add_user { $couchdb_leap_ca_username: - host => $couchdb_host, + couchdb::add_user { $couchdb_ca_daemon_user: roles => '["certs"]', - pw => $couchdb_leap_ca_pw + pw => $couchdb_ca_daemon_pw } couchdb::create_db { 'leap_web': - host => $couchdb_host, - readers => "{ \"names\": [\"leap_web\"], \"roles\": [] }" + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } couchdb::create_db { 'leap_ca': - host => $couchdb_host, readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } } -- cgit v1.2.3 From 7ca4f22e4cd76d986fece61674f487809d1369c6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:39:27 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 110fed8a..b598e7d2 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 110fed8abd8c2d7ef4f73bd1a6d0e0f3665190cf +Subproject commit b598e7d2a4be7ee863ae70450a73bfcda381634e -- cgit v1.2.3 From e6d9dca1e6c695e52f5052cb6877787e13bb0fb2 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 10:54:19 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8daa8625..b598e7d2 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
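Review bot: `couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw }` takes the admin account name from hiera, but admin.ini in configure.pp (commit 561ea1c above) still hardcodes it as `admin = $site_couchdb::couchdb_admin_pw`; if `couch.users.admin.username` is anything other than `admin`, the credentials written for the queries never match an account CouchDB knows and every add_user/create_db fails. Use the variable there as well: `$site_couchdb::couchdb_admin_user = $site_couchdb::couchdb_admin_pw`. The `# Populate couchdb` comment is welcome; a matching one on the setup block, `# credentials for the admin API calls below (stored in couchdb.netrc per the chain above)`, would tie it to the `File['/etc/couchdb/couchdb.netrc']` ordering added in the previous hunk. Class `site_couchdb` begins outside this hunk.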
@@ -1 +1 @@ -Subproject commit 8daa862541facd5207a75760f3656e857faf73fd +Subproject commit b598e7d2a4be7ee863ae70450a73bfcda381634e -- cgit v1.2.3 From b08f959aa17f05821a6a4a58266b9250cdc59cbb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 11:14:28 +0100 Subject: fixed unseen merge conflicts --- puppet/modules/site_shorewall/manifests/eip.pp | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7dee6b7a..20e22cb3 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -75,9 +75,6 @@ PARAM - - udp 1194 action => 'Ping(ACCEPT)', order => 200; -<<<<<<< HEAD - 'net2fw-openvpn_ssh': -======= # outside to server 'net2fw-ssh': source => 'net', @@ -85,7 +82,6 @@ PARAM - - udp 1194 action => 'SSH(ACCEPT)', order => 200; 'net2fw-openvpn': ->>>>>>> feature/couchdb source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', @@ -108,14 +104,9 @@ PARAM - - udp 1194 action => 'Git(ACCEPT)', order => 200; -<<<<<<< HEAD - #'eip2fw-https': - # source => 'eip', -======= # Webfrontend is running on another server #'eip2fw-https': - # source => 'eip', ->>>>>>> feature/couchdb + # source => 'eip', # destination => '$FW', # action => 'HTTPS(ACCEPT)', # order => 200; -- cgit v1.2.3 From 6022635279a4c6481b1f53fcad43c3b179405405 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Nov 2012 11:23:10 +0100 Subject: duplicate definition after merge --- puppet/modules/site_shorewall/manifests/eip.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 20e22cb3..086bf75a 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -11,7 +11,6 @@ class site_shorewall::eip { $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address - $interface = hiera('interface') # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': -- cgit v1.2.3 From 18141b30287738e9891d6be7ca589ffb219d4bca Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 8 Nov 2012 22:26:02 +0100 Subject: automatic update of submodule puppet_apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index 104b2e09..077d4d15 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 104b2e09399e02a8aa9687df0de795644e4b83e0 +Subproject commit 077d4d1508b9ff3355f73ff8597991043b3ba5d9 -- cgit v1.2.3 From f1f6803eb12065ec7bc248241d781669f8c94579 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 8 Nov 2012 23:49:48 +0100 Subject: = true --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 87b21e62..92170780 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,5 +1,6 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { + $apache_no_default_site = true include apache::ssl apache::module { 'rewrite': ensure => present; -- cgit v1.2.3 From b6eeb5d59f7b298002dbad06c29c0f4ddb609375 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 9 Nov 2012 00:15:53 +0100 Subject: removed submodule "puppet/modules/sysctl" (url: git://github.com/luxflux/puppet-sysctl.git) --- puppet/modules/sysctl | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/sysctl (limited to 'puppet') 
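Review bot: `$apache_no_default_site = true` is set as a local variable of the define, which can only influence the apache module if that module reads it through dynamic scoping; dynamic scope lookups are deprecated in Puppet 2.7 and gone in 3.x, so the setting would presumably stop applying silently after a master upgrade. Pass it through the module's interface instead (a class parameter or a node-level/hiera variable the module looks up explicitly) and record the intent: `# keep apache's 0-default(_ssl) vhosts off; the proxy vhost on 6984 is the only site`. The define's body continues past the hunk.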
diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl deleted file mode 160000 index 6ad210b3..00000000 --- a/puppet/modules/sysctl +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 6ad210b3f90f24878cfccd61c758275e2ab022bd -- cgit v1.2.3 From bc5906cacdd6cfd236a66a717dcba7263ff39605 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 9 Nov 2012 00:16:03 +0100 Subject: removed submodule "puppet/modules/interfaces" (url: git://github.com/x-way/puppet-interfaces.git) --- puppet/modules/interfaces | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/interfaces (limited to 'puppet') diff --git a/puppet/modules/interfaces b/puppet/modules/interfaces deleted file mode 160000 index 1d7dc717..00000000 --- a/puppet/modules/interfaces +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 1d7dc7178881c56102c043e96763176f66445c1e -- cgit v1.2.3 From ddd6fd82cc9e81d7ff912e390d956d6b2d958d8d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Nov 2012 21:20:52 -0500 Subject: add bundler, ruby, rubygems and vcsrepo submodules --- puppet/modules/bundler | 1 + puppet/modules/ruby | 1 + puppet/modules/rubygems | 1 + puppet/modules/vcsrepo | 1 + 4 files changed, 4 insertions(+) create mode 160000 puppet/modules/bundler create mode 160000 puppet/modules/ruby create mode 160000 puppet/modules/rubygems create mode 160000 puppet/modules/vcsrepo (limited to 'puppet') diff --git a/puppet/modules/bundler b/puppet/modules/bundler new file mode 160000 index 00000000..b91d6abf --- /dev/null +++ b/puppet/modules/bundler @@ -0,0 +1 @@ +Subproject commit b91d6abfa931b8ef63594092d841701d3ee23280 diff --git a/puppet/modules/ruby b/puppet/modules/ruby new file mode 160000 index 00000000..e4de25d7 --- /dev/null +++ b/puppet/modules/ruby @@ -0,0 +1 @@ +Subproject commit e4de25d78eefc7df70a35dee22a3e0dc1b7e1d0b diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems new file mode 160000 index 00000000..1e5ed3db --- /dev/null +++ b/puppet/modules/rubygems 
@@ -0,0 +1 @@ +Subproject commit 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a8 diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo new file mode 160000 index 00000000..04851c28 --- /dev/null +++ b/puppet/modules/vcsrepo @@ -0,0 +1 @@ +Subproject commit 04851c28b12973c679fc9f234fd0f5a193df9d7a -- cgit v1.2.3 From 515ca5ce0d19ac29fff6397c7b146ddabc123f05 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Nov 2012 16:24:38 -0500 Subject: add initial site_webapp module --- puppet/modules/site_webapp/manifests/init.pp | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp new file mode 100644 index 00000000..107aa617 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -0,0 +1,50 @@
+class site_webapp {
+
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+
+ class { 'ruby': ruby_version => '1.9.3' }
+
+ include rubygems
+
+ class { 'bundler::install': install_method => '' }
+
+ group { 'leap-webapp':
+ ensure => present,
+ allowdupe => false;
+ }
+
+ user { 'leap-webapp':
+ ensure => present,
+ allowdupe => false,
+ gid => 'leap-webapp',
+ home => '/srv/leap-webapp',
+ require => [ Group['leap-webapp'] ];
+ }
+
+ file { '/srv/leap-webapp':
+ ensure => present,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
+ require => User['leap-webapp'];
+ }
+
+ vcsrepo { '/srv/leap-webapp':
+ ensure => present,
+ revision => 'master',
+ provider => git,
+ source => 'git://code.leap.se/leap_web',
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
+ require => [ User['leap-webapp'], Group['leap-webapp'] ],
+ notify => Exec['bundler_update']
+ }
+
+ exec { 'bundler_update':
+ cwd => '/srv/leap-webapp',
+ command => '/bin/bash -c \"/usr/bin/bundle check || /usr/bin/bundle install\"',
+ unless => '/usr/bin/bundle check',
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ];
+ }
+}
+
+ -- cgit v1.2.3 From b1c8c57b1fb028ea4ce8c8954bfdad9b9e7f2766 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Nov 2012 16:20:37 -0500 Subject: setup webapp in site.pp --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet')
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 6abf9b48..70c97030 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -18,4 +18,8 @@ node 'default' { if 'couchdb' in $services { include site_couchdb }
+
+ if 'webapp' in $services {
+ include site_webapp
+ }
 } -- cgit v1.2.3 From a6daa12966867acae7885f48bc2cdee4553f9099 Mon Sep 17 00:00:00 2001 
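Review bot: `file { '/srv/leap-webapp': ensure => present, ... }` creates a regular file when the path is missing (`present` does not mean directory), leaving the following `vcsrepo { '/srv/leap-webapp' }` nothing to clone into; it should be `ensure => directory`. The `exec { 'bundler_update': command => '/bin/bash -c \"…\"' }` string is single-quoted, and Puppet does not treat `\"` as an escape there, so the backslashes reach the shell; write it as `command => "/bin/bash -c '/usr/bin/bundle check || /usr/bin/bundle install'"`. That exec also sets no `user`, so `bundle install` runs as root against a tree fetched over unauthenticated `git://` at the moving `revision => 'master'`; run it as `user => 'leap-webapp'` and pin a tag or commit (or fetch over https/ssh) so the code that gets installed is the code that was reviewed.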
From: varac Date: Wed, 21 Nov 2012 17:29:54 +0100 Subject: hiera variable for openvpn dh parameters changed --- puppet/modules/site_openvpn/manifests/keys.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index d029fbac..47d0fa26 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -12,7 +12,7 @@ class site_openvpn::keys { } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh_key'], + content => $openvpn_keys['dh'], mode => '0644', } -- cgit v1.2.3 From c2d57624c15dfaff038f9991f04ade46b5ad1d40 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 21 Nov 2012 17:45:44 +0100 Subject: move site_config::eip to site_openvpn (Feature #943) --- puppet/manifests/site.pp | 2 +- puppet/modules/site_config/manifests/eip.pp | 57 ---------------------- puppet/modules/site_openvpn/manifests/init.pp | 55 +++++++++++++++++++++ .../modules/site_shorewall/manifests/dnat_rule.pp | 4 +- puppet/modules/site_shorewall/manifests/eip.pp | 6 +-- 5 files changed, 61 insertions(+), 63 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/eip.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 6abf9b48..0ae86f8e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -12,7 +12,7 @@ node 'default' { # configure eip if 'openvpn' in $services { - include site_config::eip + include site_openvpn } if 'couchdb' in $services { diff --git a/puppet/modules/site_config/manifests/eip.pp b/puppet/modules/site_config/manifests/eip.pp deleted file mode 100644 index 4280fb67..00000000 --- a/puppet/modules/site_config/manifests/eip.pp +++ /dev/null 
@@ -1,57 +0,0 @@ -class site_config::eip { - - # parse hiera config - $ip_address = hiera('ip_address') - $interface = hiera('interface') - #$gateway_address = hiera('gateway_address') - $openvpn_config = hiera('openvpn') - $openvpn_gateway_address = $openvpn_config['gateway_address'] - $openvpn_tcp_network_prefix = '10.1.0' - $openvpn_tcp_netmask = '255.255.248.0' - $openvpn_tcp_cidr = '21' - $openvpn_udp_network_prefix = '10.2.0' - $openvpn_udp_netmask = '255.255.248.0' - $openvpn_udp_cidr = '21' - - include site_openvpn - - # deploy ca + server keys - include site_openvpn::keys - - # create 2 openvpn config files, one for tcp, one for udp - site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $openvpn_gateway_address, - server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", - push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", - management => '127.0.0.1 1000' - } - site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", - push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", - local => $openvpn_gateway_address, - management => '127.0.0.1 1001' - } - - # add second IP on given interface - file { '/usr/local/bin/leap_add_second_ip.sh': - content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", - mode => '0755', - } - - exec { '/usr/local/bin/leap_add_second_ip.sh': - subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], - } - - cron { 'leap_add_second_ip.sh': - command => "/usr/local/bin/leap_add_second_ip.sh", - user => 'root', - special => 'reboot', - } - - include site_shorewall::eip -} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e95e67d5..7268fe76 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp 
+++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,4 +1,59 @@ class site_openvpn { + # parse hiera config + $ip_address = hiera('ip_address') + $interface = hiera('interface') + #$gateway_address = hiera('gateway_address') + $openvpn_config = hiera('openvpn') + $openvpn_gateway_address = $openvpn_config['gateway_address'] + $openvpn_tcp_network_prefix = '10.1.0' + $openvpn_tcp_netmask = '255.255.248.0' + $openvpn_tcp_cidr = '21' + $openvpn_udp_network_prefix = '10.2.0' + $openvpn_udp_netmask = '255.255.248.0' + $openvpn_udp_cidr = '21' + + include site_openvpn + + # deploy ca + server keys + include site_openvpn::keys + + # create 2 openvpn config files, one for tcp, one for udp + site_openvpn::server_config { 'tcp_config': + port => '1194', + proto => 'tcp', + local => $openvpn_gateway_address, + server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", + push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + management => '127.0.0.1 1000' + } + site_openvpn::server_config { 'udp_config': + port => '1194', + proto => 'udp', + server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", + push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + local => $openvpn_gateway_address, + management => '127.0.0.1 1001' + } + + # add second IP on given interface + file { '/usr/local/bin/leap_add_second_ip.sh': + content => "#!/bin/sh +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", + mode => '0755', + } + + exec { '/usr/local/bin/leap_add_second_ip.sh': + subscribe => File['/usr/local/bin/leap_add_second_ip.sh'], + } + + cron { 'leap_add_second_ip.sh': + command => "/usr/local/bin/leap_add_second_ip.sh", + user => 'root', + special => 'reboot', + } + + include site_shorewall::eip + package { 'openvpn': ensure => installed; 
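Review bot: Both server configs expose the management interface with `management => '127.0.0.1 1000'` and `'127.0.0.1 1001'`, and nothing in this hunk adds a management password file or `management-client-auth`, so unless site_openvpn::server_config supplies one, any local process on the gateway can attach to those ports and issue `kill` or `signal` commands to the daemon. A unix socket with a restrictive mode, or `management-client-auth` with a password file, would close that; the define is outside this hunk so I cannot tell which it supports. Separately, `include site_openvpn` inside `class site_openvpn` is a self-include and can be dropped. Most of this is a move from site_config::eip; the class continues past the end of the hunk.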
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 4fc62f85..68f480d8 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -6,7 +6,7 @@ define site_shorewall::dnat_rule { "dnat_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -16,7 +16,7 @@ define site_shorewall::dnat_rule { "dnat_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_config::eip::openvpn_gateway_address}:1194", + destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 086bf75a..57dc17e9 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -10,7 +10,7 @@ class site_shorewall::eip { $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address + $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': 
@@ -42,11 +42,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_config::eip::openvpn_tcp_network_prefix.0/$site_config::eip::openvpn_tcp_cidr"; } + source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_config::eip::openvpn_udp_network_prefix.0/$site_config::eip::openvpn_udp_cidr"; } + source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 0d1ac3dc005721858623ca2e9f0a1d4bf50fff42 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 22 Nov 2012 11:06:26 -0500 Subject: remove escaping double-quotes, it turns out these are passed directly to the command causing it to fail --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 107aa617..b44ef01a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -41,7 +41,7 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap-webapp', - command => '/bin/bash -c \"/usr/bin/bundle check || /usr/bin/bundle install\"', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } -- cgit v1.2.3 From 96d60568648555e28effd1398a791241a7ad3f7a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 22 Nov 2012 17:07:08 +0100 Subject: deploy openvpn server.crt and server.key --- puppet/modules/site_openvpn/manifests/init.pp | 1 + puppet/modules/site_openvpn/manifests/keys.pp | 11 +++++------ 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') 
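Review bot: `bundler_update` still runs with no `user`, so `/usr/bin/bundle check || /usr/bin/bundle install` executes as root inside a checkout owned by leap-webapp — every gem's native-extension build and post-install hook runs with root privileges, and anything bundler writes into `/srv/leap-webapp` becomes root-owned. Running it as the application account, `user => 'leap-webapp',` (with `environment => ['HOME=/srv/leap-webapp']` if bundler needs a writable home), confines that to the app user; the `unless` probe inherits the same `user`, which is what you want. The enclosing class starts and ends outside this hunk.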
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7268fe76..ae24b276 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -11,6 +11,7 @@ class site_openvpn { $openvpn_udp_network_prefix = '10.2.0' $openvpn_udp_netmask = '255.255.248.0' $openvpn_udp_cidr = '21' + $x509_config = hiera('x509') include site_openvpn diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 47d0fa26..e198cbf8 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,28 +1,27 @@ class site_openvpn::keys { - $openvpn_keys = hiera_hash('openvpn') file { '/etc/openvpn/keys/ca.key': - content => $openvpn_keys['ca_key'], + content => $site_openvpn::openvpn_config['ca_key'], mode => '0600', } file { '/etc/openvpn/keys/ca.crt': - content => $openvpn_keys['ca_crt'], + content => $site_openvpn::openvpn_config['ca_crt'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $openvpn_keys['dh'], + content => $site_openvpn::openvpn_config['dh'], mode => '0644', } file { '/etc/openvpn/keys/server.key': - content => $openvpn_keys['server_key'], + content => $site_openvpn::x509_config['key'], mode => '0600', } file { '/etc/openvpn/keys/server.crt': - content => $openvpn_keys['server_crt'], + content => $site_openvpn::x509_config['cert'], mode => '0644', } } -- cgit v1.2.3 From 2944b31e5cd4203938317076c895f0500f7bcf62 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 22 Nov 2012 11:26:50 -0500 Subject: switch to the develop branch for the webapp git repository for deployment/testing. when released, this should track a stable release --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') 
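Review bot: `/etc/openvpn/keys/ca.key` places the CA private key on the VPN gateway, but the server only needs `ca.crt` to verify client certificates; a compromise of any gateway would then let the attacker mint client and server certificates for the whole provider. The `ca.key` resource should be removed from this class and the key kept only where certificates are issued. None of these file resources notify the openvpn service either, so a rotated server key or DH parameter lands on disk but is not picked up until something else restarts the daemon — a `notify` on the service resource (declared outside this hunk, so I cannot name it) would fix that.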
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b44ef01a..de8c070a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -30,7 +30,7 @@ class site_webapp { vcsrepo { '/srv/leap-webapp': ensure => present, - revision => 'master', + revision => 'develop', provider => git, source => 'git://code.leap.se/leap_web', owner => 'leap-webapp', -- cgit v1.2.3 From 7b803d54a625e13f52a33e1c7a9264b344474df8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 22 Nov 2012 17:48:29 +0100 Subject: call refresh_apt before installing couchdb, solves https://leap.se/code/issues/994 --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 30ce7f54..10408094 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -16,6 +16,7 @@ class site_couchdb { $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] Class['site_couchdb::package'] + -> Exec['refresh_apt'] -> Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -- cgit v1.2.3 From 74600045dacbdcfc3479f566e997320db5443908 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 22 Nov 2012 20:07:31 +0100 Subject: use origin/develop instead of develop as revision --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index de8c070a..99f6df6c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -30,7 +30,7 @@ class site_webapp { vcsrepo { '/srv/leap-webapp': ensure => present, - revision => 'develop', + revision => 'origin/develop', provider => git, source => 'git://code.leap.se/leap_web', owner => 'leap-webapp', -- cgit v1.2.3 From f3704fc0ac81ca6ccb7e7d19ae931d9c391f3975 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 22 Nov 2012 11:43:23 -0800 Subject: clean up openvpn and x509 paths --- puppet/modules/site_openvpn/manifests/keys.pp | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index e198cbf8..12c1bd8f 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -1,17 +1,12 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.key': - content => $site_openvpn::openvpn_config['ca_key'], - mode => '0600', - } - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::openvpn_config['ca_crt'], + content => $site_openvpn::x509_config['ca_cert'], mode => '0644', } file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::openvpn_config['dh'], + content => $site_openvpn::x509_config['dh'], mode => '0644', } -- cgit v1.2.3 From e172773fa29275853649bec14d906d2899bf1de7 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 23 Nov 2012 01:55:05 -0800 Subject: openvpn -- enforce certain cipher choices on the server --- .../site_openvpn/manifests/server_config.pp | 67 +++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 482c6ab7..6fc3a3c2 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -1,3 +1,57 @@ +# +# Cipher discussion +# ================================ +# +# We want to specify explicit values for the crypto options to prevent a MiTM from forcing +# a weaker cipher. These should be set in both the server and the client ('auth' and 'cipher' +# MUST be the same on both ends or no data will get transmitted). +# +# tls-cipher DHE-RSA-AES128-SHA +# +# dkg: For the TLS control channel, we want to make sure we choose a +# key exchange mechanism that has PFS (meaning probably some form of ephemeral +# Diffie-Hellman key exchange), and that uses a standard, well-tested cipher +# (I recommend AES, and 128 bits is probably fine, since there are some known +# weaknesses in the 192- and 256-bit key schedules). That leaves us with the +# choice of public key algorithms: /usr/sbin/openvpn --show-tls | grep DHE | +# grep AES128 | grep GCM. +# +# elijah: +# I could not get any of these working: +# * openvpn --show-tls | grep GCM +# * openvpn --show-tls | grep DHE | grep AES128 | grep SHA256 +# so, i went with this: +# * openvpn --show-tls | grep DHE | grep AES128 | grep -v SHA256 | grep -v GCM +# Also, i couldn't get any of the elliptical curve algorithms to work. Not sure how +# our cert generation interacts with the tls-cipher algorithms. +# +# note: in my tests, DHE-RSA-AES256-SHA is the one it negotiates if no value is set. +# +# auth SHA1 +# +# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists +# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# should be avoided. +# +# elijah: i am not so sure that the digest algo matters for 'auth' option, because +# i think an attacker would have to forge the digest in real time, which is still far from +# a possibility for SHA1. So, i am leaving the default for now (SHA1). +# +# cipher AES-128-CBC +# +# dkg: For the choice of cipher, we need to select an algorithm and a +# cipher mode. 
OpenVPN defaults to Blowfish, which is a fine algorithm — but +# our control channel is already relying on AES not being broken; if the +# control channel is cracked, then the key material for the tunnel is exposed, +# and the choice of algorithm is moot. So it makes more sense to me to rely on +# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to +# me, but CBC is more well-tested, and the OpenVPN man page (at least as of +# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered +# advanced modes.” +# +# note: the default is BF-CBC (blowfish) +# + define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { $openvpn_configname = $name @@ -29,7 +83,18 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - + "tls-cipher $openvpn_configname": + key => 'tls-cipher', + value => 'DHE-RSA-AES128-SHA', + server => $openvpn_configname; + "auth $openvpn_configname": + key => 'auth', + value => 'SHA1', + server => $openvpn_configname; + "cipher $openvpn_configname": + key => 'cipher', + value => 'AES-128-CBC', + server => $openvpn_configname; "dev $openvpn_configname": key => 'dev', value => 'tun', -- cgit v1.2.3 From d70b723f17a6ff7d22a044fe57f1e8438eef5ae7 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 23 Nov 2012 19:37:22 +0100 Subject: enable ip_forwarding #1029 --- puppet/modules/site_openvpn/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index ae24b276..548d1df2 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
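Review bot: `auth` is pinned to `'SHA1'` although the discussion above quotes the recommendation of SHA256; HMAC-SHA1 is not weakened by the SHA-1 collision results, so this is defence in depth rather than a hole, but the upgrade costs nothing and must be mirrored in the client profile anyway, so `value => 'SHA256'` looks like the better default. The header comment's claim that fixing `tls-cipher` stops "a MiTM from forcing a weaker cipher" overstates it: TLS authenticates the negotiated suite in the Finished exchange, so the real gain is excluding suites that are weak outright (export, RC4, anonymous DH) — worth rewording so nobody relies on it as downgrade protection. Finally, `tls-cipher`, `auth` and `cipher` are set only on the server side here; as the comment itself notes they must match on the client, which this series does not show.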
@@ -39,7 +39,9 @@ class site_openvpn { # add second IP on given interface file { '/usr/local/bin/leap_add_second_ip.sh': content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface", +ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward +", mode => '0755', } -- cgit v1.2.3 From d5596882123891ea1b3e3c9ddc1a1f683f213771 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 12:17:00 -0500 Subject: add passenger and x509 submodules --- puppet/modules/passenger | 1 + puppet/modules/x509 | 1 + 2 files changed, 2 insertions(+) create mode 160000 puppet/modules/passenger create mode 160000 puppet/modules/x509 (limited to 'puppet') diff --git a/puppet/modules/passenger b/puppet/modules/passenger new file mode 160000 index 00000000..d1b46de8 --- /dev/null +++ b/puppet/modules/passenger @@ -0,0 +1 @@ +Subproject commit d1b46de84acf4d9e3582b64e019935fb1125f9bb diff --git a/puppet/modules/x509 b/puppet/modules/x509 new file mode 160000 index 00000000..d7a252b7 --- /dev/null +++ b/puppet/modules/x509 @@ -0,0 +1 @@ +Subproject commit d7a252b77db843e800ed9fc92a56d5214f432026 -- cgit v1.2.3 From da0d9f3c407ffdae0d7583ef148d7e37cbbc20ad Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 11:12:17 -0500 Subject: add hiera keys for provider include site_webapp::apache --- puppet/modules/site_webapp/manifests/init.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 99f6df6c..08b7f92c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
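Review bot: `/bin/echo 1 > /proc/sys/net/ipv4/ip_forward` turns the gateway into a router for every interface from an ad-hoc script, and nothing orders this exec after `site_shorewall::eip` (an `include` alone does not), so on a fresh host forwarding can be switched on before the firewall policies meant to constrain it are loaded. Managing it as a persisted kernel setting ordered behind the firewall closes that window and survives a later sysctl reload; for example a `sysctl` resource or a file in `/etc/sysctl.d/` containing `net.ipv4.ip_forward = 1` with `require => Class['site_shorewall::eip']`. The @reboot cron covers reboots but not a network or sysctl reload, and the class continues outside this hunk.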
@@ -1,13 +1,17 @@ class site_webapp { + $definition_files = hiera('definition_files') + $provider = $definition_files['provider'] + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] class { 'ruby': ruby_version => '1.9.3' } - include rubygems - class { 'bundler::install': install_method => '' } + include rubygems + include site_webapp::apache + group { 'leap-webapp': ensure => present, allowdupe => false; @@ -46,5 +50,3 @@ class site_webapp { require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } } - - -- cgit v1.2.3 From a2e2f558bcfc4b35c7d81f282d73e06f78590113 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 11:12:43 -0500 Subject: place the provider.json and ca.crt in the webroot --- puppet/modules/site_webapp/manifests/init.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 08b7f92c..22f69e7a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -49,4 +49,15 @@ class site_webapp { unless => '/usr/bin/bundle check', require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } + + file { + '/srv/leap-webapp/public/provider.json': + content => $provider, + owner => leap-webapp, group => leap-webapp, mode => '0644'; + + '/srv/leap-webapp/public/ca.crt': + content => $cert_root, + owner => leap-webapp, group => leap-webapp, mode => '0644'; + } + } -- cgit v1.2.3 From 0876cc7c712f273991cbb1177d7416afd0a1462d Mon Sep 17 00:00:00 2001 
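Review bot: `content => $cert_root` for `/srv/leap-webapp/public/ca.crt` references a variable that is not assigned anywhere visible in site_webapp — the class defines only `$definition_files` and `$provider` — so unless it arrives from top scope, Puppet writes an empty `ca.crt` into the webroot and clients that fetch the provider CA from that URL have nothing to verify against. Either take it from the hiera `x509` hash this series already uses (`$cert_root = hiera('x509')['ca_cert']`) or point the file at the CA the x509 module installs. Publishing `provider.json` world-readable under `public/` is intended; the hunk ends inside the class, whose remaining body is not visible here.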
From: Micah Anderson Date: Tue, 27 Nov 2012 11:49:08 -0500 Subject: add site_webapp class to install the certs/keys/CAs and virtual host configurations --- .../site_apache/templates/vhosts.d/api.conf.erb | 36 +++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 39 ++++++++++++++ puppet/modules/site_webapp/manifests/apache.pp | 61 ++++++++++++++++++++++ 3 files changed, 136 insertions(+) create mode 100644 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb create mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb create mode 100644 puppet/modules/site_webapp/manifests/apache.pp (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb new file mode 100644 index 00000000..fc26190c --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -0,0 +1,36 @@ + + ServerName <%= api_domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= api_domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/leap_api.crt + SSLCertificateKeyFile /etc/x509/keys/leap_api.key + SSLCertificateFile /etc/x509/certs/leap_api.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot /srv/leap_webapp/public + + # Check for maintenance file and redirect all requests + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb new file mode 100644 index 00000000..bb035cd2 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
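Review bot: `DocumentRoot /srv/leap_webapp/public` (underscore) does not match the checkout this series creates at `/srv/leap-webapp` (hyphen) in site_webapp, so the API vhost serves a non-existent directory and Passenger will not find the Rails app. It should read `DocumentRoot /srv/leap-webapp/public`, or one spelling should be made canonical across manifests and templates. The TLS settings are raised on the webapp vhost, which duplicates this block; the `<VirtualHost>` tags themselves appear to have been lost in rendering, so I cannot check the bind addresses.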
@@ -0,0 +1,39 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt + SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key + SSLCertificateFile /etc/x509/certs/leap_webapp.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot /srv/leap_webapp/public + + # Check for maintenance file and redirect all requests + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp new file mode 100644 index 00000000..d6470186 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/apache.pp 
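Review bot: `SSLProtocol -all +SSLv3 +TLSv1` deliberately re-enables SSLv3, and `SSLCipherSuite HIGH:MEDIUM:...` admits the MEDIUM set (RC4-128 among them); neither is needed by the clients this app targets and both widen the TLS attack surface. Tightening to `SSLProtocol -all +TLSv1` and a suite string without `MEDIUM`, e.g. `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:@STRENGTH`, keeps the well-tested suites. Since the port-80 vhost is already a permanent redirect and mod_headers is enabled by site_webapp::apache, adding `Header always set Strict-Transport-Security "max-age=31536000"` to the TLS vhost stops the unauthenticated first hop from being stripped. The same block is duplicated in api.conf.erb, where `DocumentRoot` also uses a path that differs from the deployed checkout.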
@@ -0,0 +1,61 @@ +class site_webapp::apache { + + $api_domain = hiera('api_domain') + $x509 = hiera('x509') + $commercial_key = $x509['commercial_key'] + $commercial_cert = $x509['commercial_cert'] + $commercial_root = $x509['commercial_ca_cert'] + $api_key = $x509['key'] + $api_cert = $x509['cert'] + $api_root = $x509['ca_cert'] + + $apache_no_default_site = true + include apache::ssl + + apache::module { + 'rewrite': ensure => present; + 'headers': ensure => present; + } + + class { 'passenger': use_munin => false } + + apache::vhost::file { + 'leap_webapp': + content => template('site_apache/vhosts.d/leap_webapp.conf.erb') + } + + apache::vhost::file { + 'api': + content => template('site_apache/vhosts.d/api.conf.erb') + } + + x509::key { + 'leap_webapp': + content => $commercial_key, + notify => Service[apache]; + + 'leap_api': + content => $api_key, + notify => Service[apache]; + } + + x509::cert { + 'leap_webapp': + content => $commercial_cert, + notify => Service[apache]; + + 'leap_api': + content => $api_cert, + notify => Service[apache]; + } + + x509::ca { + 'leap_webapp': + content => $commercial_root, + notify => Service[apache]; + + 'leap_api': + content => $api_root, + notify => Service[apache]; + } +} -- cgit v1.2.3 From e49f4038b9a5c6b8b0d3f0eed8735abf5ef54c0e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 14:40:10 -0500 Subject: map /1 -> document root --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 + puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index fc26190c..49bd5c79 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
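Review bot: The leap_webapp template interpolates `<%= domain %>`, but this class defines only `$api_domain`, so unless `$domain` is set at top scope the main vhost's ServerName renders empty; a `$domain = hiera('domain')` beside `$api_domain` would make the dependency explicit. `$apache_no_default_site = true` relies on the apache module reading the variable through dynamic scope, which Puppet 3 removed — a class parameter is the durable form if the module offers one. Note also that `$api_key = $x509['key']` and `$api_cert = $x509['cert']` are the same hiera values site_openvpn::keys writes to `/etc/openvpn/keys/server.key` and `server.crt`, so a node running both services shares one key pair between the API TLS endpoint and the VPN; if that is intended it deserves a comment, otherwise separate hiera keys.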
@@ -20,6 +20,7 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap_webapp/public + Alias /1 /srv/leap_webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index bb035cd2..f2b43928 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,9 +22,10 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap_webapp/public + Alias /1 /srv/leap_webapp/public - # Check for maintenance file and redirect all requests RewriteEngine On + # Check for maintenance file and redirect all requests RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f RewriteCond %{SCRIPT_FILENAME} !maintenance.html RewriteCond %{REQUEST_URI} !/images/maintenance.jpg diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d6470186..8532cc38 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -13,6 +13,7 @@ class site_webapp::apache { include apache::ssl apache::module { + 'alias': ensure => present; 'rewrite': ensure => present; 'headers': ensure => present; } -- cgit v1.2.3 From 140975a265b971b14805370dc704e5a10806cd5f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 15:26:58 -0500 Subject: make sure the webapp/public/config directory exists and the eip-service.json is provided there --- puppet/modules/site_webapp/manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 22f69e7a..5eaf9dc1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -2,6 +2,7 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] + $eap_service = $definition_files['eap_service'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -58,6 +59,14 @@ class site_webapp { '/srv/leap-webapp/public/ca.crt': content => $cert_root, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + '/srv/leap-webapp/public/config': + ensure => directory, + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + '/srv/leap-webapp/public/config/eip-service.json': + content => $eap_service, + owner => leap-webapp, group => leap-webapp, mode => '0644'; } } -- cgit v1.2.3 From 6272b9f72808afc4f5b93616df313d079580fbf7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 15:27:43 -0500 Subject: setup the couchdb class to provide the couchdb connection parameters --- puppet/modules/site_webapp/manifests/couchdb.pp | 16 ++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/couchdb.pp (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp new file mode 100644 index 00000000..caa4f19b --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -0,0 +1,16 @@ +class site_webapp::couchdb { + + $webapp = hiera_array('webapp') + $couchdb_host = $webapp['couchdb_hosts'] + $couchdb_user = $webapp['couchdb_user']['username'] + $couchdb_password = $webapp['couchdb_user']['password'] + + file { + '/srv/leap-webapp/config/couchdb.yml': + content => template('couchdb.yml.erb'), + owner => leap-webapp, + group => leap-webapp, + mode => '0600'; + } + +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 5eaf9dc1..3c374d93 100644 --- a/puppet/modules/site_webapp/manifests/init.pp 
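Review bot: `$definition_files['eap_service']` looks like a typo for `eip_service` (the file it feeds is `eip-service.json`); a missing hash key yields undef in Puppet, so the manifest silently deploys an empty `config/eip-service.json` instead of failing. Suggest `$eip_service = $definition_files['eip_service']` and a guard such as `if $eip_service == undef { fail('definition_files.eip_service is missing') }` so a broken provider definition is caught at apply time. The class body continues outside the hunk.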
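Review bot: `hiera_array('webapp')` returns an array, so the hash lookups on the following lines — `$webapp['couchdb_hosts']` and `$webapp['couchdb_user']['username']` — cannot work; a hash needs plain `hiera('webapp')`. `template('couchdb.yml.erb')` is also missing the module prefix and should be `template('site_webapp/couchdb.yml.erb')`. The credentials file itself is correctly `mode => '0600'` and owned by leap-webapp; `couchdb_hosts` is plural while the template consumes a single `host`, so confirm what the hiera value actually holds.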
+++ b/puppet/modules/site_webapp/manifests/init.pp @@ -12,6 +12,7 @@ class site_webapp { include rubygems include site_webapp::apache + include site_webapp::couchdb group { 'leap-webapp': ensure => present, -- cgit v1.2.3 From e47e7fc15183a5ba4f879c2046ab29515f528903 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 15:34:22 -0500 Subject: add the couchdb configuration template --- puppet/modules/site_webapp/templates/couchdb.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/couchdb.yml b/puppet/modules/site_webapp/templates/couchdb.yml new file mode 100644 index 00000000..f5132599 --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml @@ -0,0 +1,7 @@ +production: + protocol: 'https' + host: <%= couchdb_host %> + port: 443 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + -- cgit v1.2.3 From c1bc263947c3265d4e9e5b2780765351036f756a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:01:40 -0500 Subject: fix name of couchdb.yml template --- puppet/modules/site_webapp/templates/couchdb.yml | 7 ------- puppet/modules/site_webapp/templates/couchdb.yml.erb | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 puppet/modules/site_webapp/templates/couchdb.yml create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.erb (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/couchdb.yml b/puppet/modules/site_webapp/templates/couchdb.yml deleted file mode 100644 index f5132599..00000000 --- a/puppet/modules/site_webapp/templates/couchdb.yml +++ /dev/null @@ -1,7 +0,0 @@ -production: - protocol: 'https' - host: <%= couchdb_host %> - port: 443 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - 
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb new file mode 100644 index 00000000..f5132599 --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -0,0 +1,7 @@ +production: + protocol: 'https' + host: <%= couchdb_host %> + port: 443 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + -- cgit v1.2.3 From 77368affb8773cf91755f47e25c378c7472fb50b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:02:05 -0500 Subject: fix name of eip_service --- puppet/modules/site_webapp/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 3c374d93..c5f33b5a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -2,7 +2,7 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] - $eap_service = $definition_files['eap_service'] + $eip_service = $definition_files['eip_service'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -66,7 +66,7 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0755'; '/srv/leap-webapp/public/config/eip-service.json': - content => $eap_service, + content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; } -- cgit v1.2.3 From a706fff9f79d6f57eff4ec238c3f316c33ae278a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:02:44 -0500 Subject: fix location of couchdb.yml template --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index caa4f19b..38057bf6 100644 
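Review bot: The values are interpolated unquoted into YAML, so a password containing `:`, `#`, a leading `*` or `&`, or surrounding whitespace changes the parsed document or breaks it — and since couchdb_password is a generated secret nobody chose for YAML-friendliness, this will surface eventually. Quoting with Ruby's string escaping is the safe form, `password: <%= couchdb_password.inspect %>`, and the same for `username` and `host`. `host:` receives `couchdb_hosts`, whose plural name suggests a list; if it is one, an Array's string form lands here verbatim.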
--- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -7,7 +7,7 @@ class site_webapp::couchdb { file { '/srv/leap-webapp/config/couchdb.yml': - content => template('couchdb.yml.erb'), + content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600'; -- cgit v1.2.3 From 6f7f760f7f17da7cb0ff362eac3f78ab042f132d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:02:56 -0500 Subject: switch from hiera_array to just hiera --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 38057bf6..6cac666f 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,6 +1,6 @@ class site_webapp::couchdb { - $webapp = hiera_array('webapp') + $webapp = hiera('webapp') $couchdb_host = $webapp['couchdb_hosts'] $couchdb_user = $webapp['couchdb_user']['username'] $couchdb_password = $webapp['couchdb_user']['password'] -- cgit v1.2.3 From ea60af41f4a5a7bdd67fd7da129716c8f698cf1a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:03:16 -0500 Subject: fix location of SSLCertificateChainFile location --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 +- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 49bd5c79..37c4a727 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -13,7 +13,7 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.crt + SSLCertificateChainFile /etc/ssl/certs/leap_api.pem SSLCertificateKeyFile /etc/x509/keys/leap_api.key SSLCertificateFile /etc/x509/certs/leap_api.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index f2b43928..85e7289b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -15,7 +15,7 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt + SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key SSLCertificateFile /etc/x509/certs/leap_webapp.crt -- cgit v1.2.3 From 737d286fdfb8036e8b1078efbec4f9902bc1108e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:54:46 -0500 Subject: updated bundler module to accept 'package' to install_method to be a little more obvious how it is operating --- puppet/modules/bundler | 2 +- puppet/modules/site_webapp/manifests/init.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/bundler b/puppet/modules/bundler index b91d6abf..b4a4a843 160000 --- a/puppet/modules/bundler +++ b/puppet/modules/bundler @@ -1 +1 @@ -Subproject commit b91d6abfa931b8ef63594092d841701d3ee23280 +Subproject commit b4a4a8434616247156e59b860b47cc6256ead8d1 diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c5f33b5a..644cca98 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
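Review bot: `SSLCACertificatePath /etc/ssl/certs`, the line above the changed chain-file path, makes the entire system trust store the set of acceptable client CAs; if this vhost verifies client certificates anywhere (its `SSLVerifyClient` directive is outside the hunk) a certificate from any distro-trusted CA would pass. Point Apache at the dedicated CA only, e.g. `SSLCACertificateFile /usr/local/share/ca-certificates/leap_api.crt`, and drop the path directive. Also note that `/etc/ssl/certs/leap_api.pem` exists only after `update-ca-certificates` has processed the deployed CA, so an Apache restart ordered before that step will fail — hedged, since the x509::ca implementation is not visible here.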
@@ -8,7 +8,7 @@ class site_webapp { class { 'ruby': ruby_version => '1.9.3' } - class { 'bundler::install': install_method => '' } + class { 'bundler::install': install_method => 'package' } include rubygems include site_webapp::apache -- cgit v1.2.3 From ec7c030c73ab0215bca60494ff310d8b4a5a744d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:55:29 -0500 Subject: change ensure parameter to explicit 'directory' for /srv/leap-webapp --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 644cca98..4da6242c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -28,7 +28,7 @@ class site_webapp { } file { '/srv/leap-webapp': - ensure => present, + ensure => directory, owner => 'leap-webapp', group => 'leap-webapp', require => User['leap-webapp']; -- cgit v1.2.3 From 2727291d734ab5f45be3905982d42192119dce86 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:56:14 -0500 Subject: change api CA cert deployment to just symlink to the already deployed file --- puppet/modules/site_webapp/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4da6242c..6a60ab15 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -58,8 +58,8 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0644'; '/srv/leap-webapp/public/ca.crt': - content => $cert_root, - owner => leap-webapp, group => leap-webapp, mode => '0644'; + ensure => link, + target => '/usr/local/share/ca-certificates/leap_api.crt'; '/srv/leap-webapp/public/config': ensure => directory, -- cgit v1.2.3 
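Review bot: The new `/srv/leap-webapp/public/ca.crt` symlink has no ordering relation to whatever deploys `/usr/local/share/ca-certificates/leap_api.crt`, so on a first run it can be created dangling and the webapp serves nothing for the CA until the next run. Add `require => X509::Ca['leap_api']` to the file resource (the CA resource is declared outside this hunk, so the exact title is hedged). Publishing the CA certificate under `public/` is fine; the same pattern must never be used for anything under `/etc/x509/keys`.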
From 2ac79162239266b6dd0038b54903852675e7c54f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 15:57:18 -0500 Subject: disable apt pdiffs, they are slow on fast links --- puppet/modules/site_config/manifests/apt.pp | 6 ++++++ puppet/modules/site_config/manifests/init.pp | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_config/manifests/apt.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp new file mode 100644 index 00000000..c7490337 --- /dev/null +++ b/puppet/modules/site_config/manifests/apt.pp @@ -0,0 +1,6 @@ +class site_config::apt { + + apt::apt_conf { '90disable-pdiffs': + content => 'Acquire::PDiffs "false";'; + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 8aa1b54d..7f67ad4e 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -1,9 +1,12 @@ class site_config { - # default class, use by all hosts + # default class, used by all hosts - include apt, lsb, git + include lsb, git - # configure ssh and inculde ssh-keys + # configure apt + include site_config::apt + + # configure ssh and include ssh-keys include site_config::sshd # configure /etc/resolv.conf -- cgit v1.2.3 From 138dcd8cea024d79923e9ae89df975396ed6cac7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Nov 2012 17:13:36 -0500 Subject: include apt in the site_config/apt class --- puppet/modules/site_config/manifests/apt.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp index c7490337..4f611ac8 100644 --- a/puppet/modules/site_config/manifests/apt.pp +++ b/puppet/modules/site_config/manifests/apt.pp 
@@ -1,5 +1,7 @@ class site_config::apt { + include ::apt + apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } -- cgit v1.2.3 From 6f6d29c43da75b1bd8d2068f8c7cf3ffd0064580 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Dec 2012 14:18:24 +0100 Subject: use site_ca --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9da2174c..304e989d 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -22,4 +22,8 @@ node 'default' { if 'webapp' in $services { include site_webapp } + + if 'ca' in $services { + include site_ca + } } -- cgit v1.2.3 From a8fce0ab83d64b963f5a0f9848c9a0a255038f96 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 15:31:19 -0500 Subject: changed shorewall submodule location, this requires you do a git submodule sync --- puppet/modules/augeas | 1 + puppet/modules/shorewall | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 160000 puppet/modules/augeas (limited to 'puppet') diff --git a/puppet/modules/augeas b/puppet/modules/augeas new file mode 160000 index 00000000..c1e385f5 --- /dev/null +++ b/puppet/modules/augeas @@ -0,0 +1 @@ +Subproject commit c1e385f55f11c81772e243ebb9a7277769d40f92 diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index 911cc18e..cf0f8bb5 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit 911cc18e594bb5a3ab642ebb24615a0447050c32 +Subproject commit cf0f8bb58178df4b7ce54abab3684a2240c43855 -- cgit v1.2.3 From 22e658810e6e47a7d10d06a28610a634a38877b8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 15:49:12 -0500 Subject: update shorewall module to latest revision, fixing a bug on the shorewall.conf sources --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') 
diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index cf0f8bb5..29e80fe6 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit cf0f8bb58178df4b7ce54abab3684a2240c43855 +Subproject commit 29e80fe61983821dc50ea54a05013c351206d5bd -- cgit v1.2.3 From 3bc680557ca4a70887c99ab9d53cd446730ec00d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 15:50:08 -0500 Subject: set ip_forwarding using augeas --- puppet/modules/site_shorewall/manifests/defaults.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 88981e5f..0ee20744 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -10,4 +10,13 @@ class site_shorewall::defaults { shorewall::rule_section { 'NEW': order => 10; } + include augeas + + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } + } -- cgit v1.2.3 From 8d50b9ded53420fc4824b77933ce9357b11a5a45 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 22:35:30 -0500 Subject: Stop the [warn] NameVirtualHost *:443 has no VirtualHosts errors When we include apache::ssl it ships the ssl.conf file which sets up the NameVirtualHost *:443, so we just do what that class does fixes: https://leap.se/code/issues/944 --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 92170780..21db3f56 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp 
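Review bot: `set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes` lives in `site_shorewall::defaults`, so every host that includes the shorewall defaults starts forwarding packets, not only the OpenVPN gateways that route client traffic; a webapp or couchdb node then becomes a potential pivot between any networks it is attached to. Move the augeas resource into the openvpn-specific class, or guard it in place with `if 'openvpn' in $services { ... }`, and let other hosts keep shorewall's default `No`. A one-line comment stating which service needs forwarding would also stop the next reader from treating it as a generic default.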
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,9 +1,10 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { $apache_no_default_site = true - include apache::ssl + include apache apache::module { 'rewrite': ensure => present; + 'ssl': ensure => present; 'proxy': ensure => present; 'proxy_http': ensure => present; } -- cgit v1.2.3 From 8b7ca862253b1212ae392c58099df9b6feaa0ca2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 22:36:14 -0500 Subject: alphabetize the apache modules --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 21db3f56..a2ca9618 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -3,10 +3,10 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { $apache_no_default_site = true include apache apache::module { - 'rewrite': ensure => present; - 'ssl': ensure => present; 'proxy': ensure => present; 'proxy_http': ensure => present; + 'rewrite': ensure => present; + 'ssl': ensure => present; } apache::vhost::file { 'couchdb_proxy': } # prevent 0-default.conf and 0-default_ssl.conf from apache module -- cgit v1.2.3 From 2a9dbd931e095c933831edd19337607f5f356ae5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Dec 2012 22:36:34 -0500 Subject: remove no longer needed removal of the ports.conf file --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 8 -------- 1 file changed, 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index a2ca9618..fb3477db 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp 
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -9,14 +9,6 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { 'ssl': ensure => present; } apache::vhost::file { 'couchdb_proxy': } - # prevent 0-default.conf and 0-default_ssl.conf from apache module - # from starting on port 80 / 443 - file { '/etc/apache2/ports.conf': - content => '', - mode => '0644', - owner => 'root', - group => 'root', - } file { '/etc/couchdb/server_cert.pem': mode => '0644', -- cgit v1.2.3 From 51f37d8132a44e25350db66b7156892980d3e4fa Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 14:48:55 +0100 Subject: ca -> ca_daemon in site.pp and services/ca.json --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 304e989d..c8502bc7 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -24,6 +24,6 @@ node 'default' { } if 'ca' in $services { - include site_ca + include site_ca_daemon } } -- cgit v1.2.3 From 528aaee2f24b2b1b57435df6db42b89af6ba76de Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 14:49:22 +0100 Subject: added module site_ca_daemon --- puppet/modules/site_ca_daemon/manifests/apache.pp | 62 ++++++++++++++++++++++ puppet/modules/site_ca_daemon/manifests/couchdb.pp | 16 ++++++ puppet/modules/site_ca_daemon/manifests/init.pp | 55 +++++++++++++++++++ .../site_ca_daemon/templates/couchdb.yml.erb | 7 +++ 4 files changed, 140 insertions(+) create mode 100644 puppet/modules/site_ca_daemon/manifests/apache.pp create mode 100644 puppet/modules/site_ca_daemon/manifests/couchdb.pp create mode 100644 puppet/modules/site_ca_daemon/manifests/init.pp create mode 100644 puppet/modules/site_ca_daemon/templates/couchdb.yml.erb (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp new file mode 100644 index 00000000..ab6b08fd --- /dev/null 
+++ b/puppet/modules/site_ca_daemon/manifests/apache.pp @@ -0,0 +1,62 @@ +class site_ca_daemon::apache { + + $api_domain = hiera('api_domain') + $x509 = hiera('x509') + $commercial_key = $x509['commercial_key'] + $commercial_cert = $x509['commercial_cert'] + $commercial_root = $x509['commercial_ca_cert'] + $api_key = $x509['key'] + $api_cert = $x509['cert'] + $api_root = $x509['ca_cert'] + + $apache_no_default_site = true + include apache::ssl + + apache::module { + 'alias': ensure => present; + 'rewrite': ensure => present; + 'headers': ensure => present; + } + + class { 'passenger': use_munin => false } + + apache::vhost::file { + 'leap_ca_daemon': + content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb') + } + + apache::vhost::file { + 'api': + content => template('site_apache/vhosts.d/api.conf.erb') + } + + x509::key { + 'leap_ca_daemon': + content => $commercial_key, + notify => Service[apache]; + + 'leap_api': + content => $api_key, + notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $commercial_cert, + notify => Service[apache]; + + 'leap_api': + content => $api_cert, + notify => Service[apache]; + } + + x509::ca { + 'leap_ca_daemon': + content => $commercial_root, + notify => Service[apache]; + + 'leap_api': + content => $api_root, + notify => Service[apache]; + } +} diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp new file mode 100644 index 00000000..b5a1d2d4 --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp @@ -0,0 +1,16 @@ +class site_ca_daemon::couchdb { + + $ca = hiera('ca_daemon') + $couchdb_host = $ca['couchdb_hosts'] + $couchdb_user = $ca['couchdb_user']['username'] + $couchdb_password = $ca['couchdb_user']['password'] + + file { + '/srv/leap_ca_daemon/config/couchdb.yml': + content => template('site_ca_daemon/couchdb.yml.erb'), + owner => leap_ca_daemon, + group => leap_ca_daemon, + mode => '0600'; + } + +} 
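Review bot: This class declares `x509::key`, `x509::cert` and `x509::ca` resources titled `leap_api`, the same name the webapp side uses for `/usr/local/share/ca-certificates/leap_api.crt` (site_webapp, outside this hunk); a host running both the `webapp` and `ca` services would fail with duplicate declarations — hedged, because site_webapp's own x509 resources are not visible here. The class is also not included yet (`#include site_ca_daemon::apache` in init.pp), so none of this is exercised. Consider titling these `leap_ca_daemon_api`, or moving the shared API key/cert deployment into one class that both services include.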
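Review bot: `/srv/leap_ca_daemon/config/couchdb.yml` carries the CouchDB password and is written inside the directory that init.pp manages as a `vcsrepo` checkout of the application; an untracked secret inside the working tree is exposed to any clean-up or a future `ensure => latest`, and nothing here orders the file after the directory exists. Add `require => Vcsrepo['/srv/leap_ca_daemon']` so the first run does not fail on a missing parent, or better, keep the config outside the checkout under `/etc/leap/` as a later commit in this series does. The 0600/leap_ca_daemon ownership is correct and should be kept wherever the file ends up.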
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp new file mode 100644 index 00000000..c749da12 --- /dev/null +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -0,0 +1,55 @@ +class site_ca_daemon { + + #$definition_files = hiera('definition_files') + #$provider = $definition_files['provider'] + #$eip_service = $definition_files['eip_service'] + + Class[Ruby] -> Class[rubygems] -> Class[bundler::install] + + class { 'ruby': ruby_version => '1.9.3' } + + class { 'bundler::install': install_method => 'package' } + + include rubygems + #include site_ca_daemon::apache + include site_ca_daemon::couchdb + + group { 'leap_ca_daemon': + ensure => present, + allowdupe => false; + } + + user { 'leap_ca_daemon': + ensure => present, + allowdupe => false, + gid => 'leap_ca_daemon', + home => '/srv/leap_ca_daemon', + require => [ Group['leap_ca_daemon'] ]; + } + + file { '/srv/leap_ca_daemon': + ensure => directory, + owner => 'leap_ca_daemon', + group => 'leap_ca_daemon', + require => User['leap_ca_daemon']; + } + + vcsrepo { '/srv/leap_ca_daemon': + ensure => present, + revision => 'origin/deploy', + provider => git, + source => 'git://code.leap.se/leap_ca', + owner => 'leap_ca_daemon', + group => 'leap_ca_daemon', + require => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ], + notify => Exec['bundler_update'] + } + + exec { 'bundler_update': + cwd => '/srv/leap_ca_daemon', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', + unless => '/usr/bin/bundle check', + require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; + } + +} diff --git a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb new file mode 100644 index 00000000..f5132599 --- /dev/null +++ b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb 
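Review bot: The CA daemon's code is fetched with `source => 'git://code.leap.se/leap_ca'` on a moving branch (`revision => 'origin/deploy'`): the git:// transport is unauthenticated and unencrypted, so whatever arrives on the wire is deployed as the component that issues client certificates, and nothing pins a commit. Use an authenticated transport and a pinned revision, e.g. `source => 'https://code.leap.se/leap_ca.git'` (or ssh with a known host key) and `revision => '<commit sha>'`, bumping the sha deliberately. The `bundler_update` exec also runs `bundle install` as root (no `user` attribute) inside a tree owned by `leap_ca_daemon`, which lets any gem's install hooks run with root privileges; add `user => 'leap_ca_daemon'` and `environment => ['HOME=/srv/leap_ca_daemon']` so gem code never executes as root.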
@@ -0,0 +1,7 @@ +production: + protocol: 'https' + host: <%= couchdb_host %> + port: 443 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + -- cgit v1.2.3 From febd4532872d8b3b6b6e846a6399a63152fac9a0 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 16:39:18 +0100 Subject: removed pinning couchdb to unstable because 1.2.0-3 is in wheezy, finally --- puppet/modules/site_couchdb/manifests/configure.pp | 5 ----- puppet/modules/site_couchdb/manifests/init.pp | 8 +++----- puppet/modules/site_couchdb/manifests/package.pp | 13 ------------- 3 files changed, 3 insertions(+), 23 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/package.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp index 25ea7a0b..333511b5 100644 --- a/puppet/modules/site_couchdb/manifests/configure.pp +++ b/puppet/modules/site_couchdb/manifests/configure.pp @@ -1,9 +1,4 @@ class site_couchdb::configure { - Class[site_couchdb::package] -> Class[couchdb] - - class { 'couchdb': - require => Class['site_couchdb::package'], } - file { '/etc/init.d/couchdb': source => 'puppet:///modules/site_couchdb/couchdb', diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 10408094..3f577d8b 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,7 @@ class site_couchdb { + include couchdb + $x509 = hiera('x509') $key = $x509['key'] $cert = $x509['cert'] @@ -15,9 +17,7 @@ class site_couchdb { $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password'] - Class['site_couchdb::package'] - -> Exec['refresh_apt'] - -> Package ['couchdb'] + Package ['couchdb'] -> File['/etc/init.d/couchdb'] -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] 
@@ -28,8 +28,6 @@ class site_couchdb { -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] - # Setup couchdb - include site_couchdb::package include site_couchdb::configure include couchdb::deploy_config diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp deleted file mode 100644 index c091316a..00000000 --- a/puppet/modules/site_couchdb/manifests/package.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_couchdb::package { - - # for now, we need to install couchdb from unstable, - # because of this bug while installing: - # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549 - # can be removed when couchdb/1.2.0-2 is integrated into testing - apt::sources_list { 'unstable.list': - source => [ 'puppet:///modules/site_apt/unstable.list'], - } - apt::preferences_snippet{ - 'couchdb': release => 'unstable', priority => 999; - } -} -- cgit v1.2.3 From b525a1799808959f702441b330ff3ab5de8fdf75 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Dec 2012 17:12:10 +0100 Subject: new names for couchdb DBs --- puppet/modules/site_couchdb/manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 3f577d8b..04f2ca1a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -22,8 +22,8 @@ class site_couchdb { -> File['/etc/couchdb/local.ini'] -> File['/etc/couchdb/local.d/admin.ini'] -> File['/etc/couchdb/couchdb.netrc'] - -> Couchdb::Create_db[leap_web] - -> Couchdb::Create_db[leap_ca] + -> Couchdb::Create_db['users'] + -> Couchdb::Create_db['client_certificates'] -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_ca_daemon_user] -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] 
@@ -52,11 +52,11 @@ class site_couchdb { pw => $couchdb_ca_daemon_pw } - couchdb::create_db { 'leap_web': + couchdb::create_db { 'users': readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" } - couchdb::create_db { 'leap_ca': + couchdb::create_db { 'client_certificates': readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } } -- cgit v1.2.3 From d54dabff2726e728da6a9d31588bc2a52783a9a6 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 15:54:32 +0100 Subject: include site_apt::dist_upgrade (fixes #1107) --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 10 ++++++++++ puppet/modules/site_config/manifests/apt.pp | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/dist_upgrade.pp (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp new file mode 100644 index 00000000..5ae9297f --- /dev/null +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -0,0 +1,10 @@ +class site_apt::dist_upgrade inherits apt::dist_upgrade { + + # really upgrade on every puppetrun + Exec["apt_dist-upgrade"]{ + refreshonly => false, + } + + # Ensure apt-get upgrade has been run before installing any packages + Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> +} diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp index 4f611ac8..f7ba9ac9 100644 --- a/puppet/modules/site_config/manifests/apt.pp +++ b/puppet/modules/site_config/manifests/apt.pp @@ -1,8 +1,10 @@ class site_config::apt { include ::apt + include site_apt::dist_upgrade apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } + } -- cgit v1.2.3 From 62381f11d920a738db6fa673ea29cf4cddd8ebe0 Mon Sep 17 00:00:00 2001 
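Review bot: `client_certificates` grants read access only through the `certs` role (`\"names\": []`), so the `$couchdb_ca_daemon_user` added just above this hunk can reach the database only if its `couchdb::add_user` call carries `roles => ['certs']` — that call is outside the hunk, so confirm it. If the daemon user is meant to be listed by name instead, mirror the `users` database: `readers => "{ \"names\": [\"$couchdb_ca_daemon_user\"], \"roles\": [] }"`. Either way a short comment naming which account is expected to hold the `certs` role would make the intent reviewable.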
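Review bot: Setting `refreshonly => false` on `Exec["apt_dist-upgrade"]` makes every Puppet run perform an unattended `dist-upgrade`, and `Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |>` is a collector, which as a side effect also realizes every virtual Package resource in the catalog. Kernel and libc updates, with their service restarts, then land whenever the agent happens to run, with no pinning and no maintenance window. Consider keeping the refresh-only default and triggering the upgrade from the deploy tool, and if the ordering is kept, express it with a run stage (`class { 'site_apt::dist_upgrade': stage => 'pre' }` plus `Stage['pre'] -> Stage['main']`) rather than a realizing collector, with a comment saying why.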
From: varac Date: Mon, 10 Dec 2012 22:32:16 +0100 Subject: use leap_ca master branch --- puppet/modules/site_ca_daemon/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index c749da12..0bbc9030 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -36,7 +36,7 @@ class site_ca_daemon { vcsrepo { '/srv/leap_ca_daemon': ensure => present, - revision => 'origin/deploy', + revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_ca', owner => 'leap_ca_daemon', -- cgit v1.2.3 From c8dda5249aa146239dd681db98da2c273dd07d77 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 22:54:47 +0100 Subject: updated leap_ca_daemon config file, deploying x509 cert+key --- puppet/modules/site_ca_daemon/manifests/couchdb.pp | 4 +-- puppet/modules/site_ca_daemon/manifests/init.pp | 16 +++++++++++ .../site_ca_daemon/templates/couchdb.yml.erb | 7 ----- .../site_ca_daemon/templates/leap_ca.yaml.erb | 31 ++++++++++++++++++++++ 4 files changed, 49 insertions(+), 9 deletions(-) delete mode 100644 puppet/modules/site_ca_daemon/templates/couchdb.yml.erb create mode 100644 puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp index b5a1d2d4..f446a05b 100644 --- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp +++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp 
@@ -6,8 +6,8 @@ class site_ca_daemon::couchdb { $couchdb_password = $ca['couchdb_user']['password'] file { - '/srv/leap_ca_daemon/config/couchdb.yml': - content => template('site_ca_daemon/couchdb.yml.erb'), + '/etc/leap/leap_ca.yaml': + content => template('site_ca_daemon/leap_ca.yaml.erb'), owner => leap_ca_daemon, group => leap_ca_daemon, mode => '0600'; diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 0bbc9030..aa9219c1 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -3,6 +3,7 @@ class site_ca_daemon { #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] + $x509 = hiera('x509') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -27,6 +28,19 @@ class site_ca_daemon { require => [ Group['leap_ca_daemon'] ]; } + + x509::key { + 'leap_ca_daemon': + content => $x509['cert'], + #notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $x509['key'], + #notify => Service[apache]; + } + file { '/srv/leap_ca_daemon': ensure => directory, owner => 'leap_ca_daemon', @@ -52,4 +66,6 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } + + } diff --git a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb deleted file mode 100644 index f5132599..00000000 --- a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb +++ /dev/null @@ -1,7 +0,0 @@ -production: - protocol: 'https' - host: <%= couchdb_host %> - port: 443 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb new file mode 100644 index 00000000..e0b95278 --- /dev/null 
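Review bot: `/etc/leap/leap_ca.yaml` is declared without a parent directory resource; Puppet's file type does not create missing parents, so the run fails unless `/etc/leap` is created by another class that is not visible here. Add `file { '/etc/leap': ensure => directory, owner => root, group => root, mode => '0755' }` and `require => File['/etc/leap']` on the yaml resource. Moving the password-bearing config out of the git checkout is the right call; keep the 0600/leap_ca_daemon ownership.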
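Review bot: The two new resources have their contents crossed: `x509::key { 'leap_ca_daemon': content => $x509['cert'] }` writes the certificate to the key path, and `x509::cert { 'leap_ca_daemon': content => $x509['key'] }` writes the CA private key to the certificate path, which, if x509::cert installs with the usual 0644 certificate mode, leaves it world-readable under `/etc/x509/certs/`. Swap them: `content => $x509['key']` under `x509::key` and `content => $x509['cert']` under `x509::cert`. A later commit in this series does exactly that, but any host deployed from this revision had its CA key in the certs directory and that key should be treated as exposed and rotated.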
+++ b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb @@ -0,0 +1,31 @@ +# +# Default configuration options for LEAP Certificate Authority Daemon +# + +# +# Certificate Authority +# +ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" +ca_key_password: nil +ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" + +# +# Certificate pool +# +max_pool_size: 100 +client_cert_lifespan: 2 +client_cert_bit_size: 2024 +client_cert_hash: "SHA256" + +# +# Database +# +db_name: "client_certificates" +couch_connection: + protocol: "https" + host: <%= couchdb_host %> + port: 6984 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + prefix: "" + suffix: "" -- cgit v1.2.3 From 3c52477a6c0cb4d4cc3caee2aea350acc51a5c8a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:16:27 +0100 Subject: also deploy ca_cert --- puppet/modules/site_ca_daemon/manifests/init.pp | 33 ++++++++++++++----------- 1 file changed, 19 insertions(+), 14 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index aa9219c1..db76e0fb 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -3,7 +3,7 @@ class site_ca_daemon { #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] - $x509 = hiera('x509') + $x509 = hiera('x509') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] 
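Review bot: `client_cert_bit_size: 2024` is a non-standard RSA modulus size and reads like a typo for the conventional value; use `client_cert_bit_size: 2048`. `ca_key_password: nil` is parsed by YAML as the string `"nil"`, not as a null — write `ca_key_password: ~` (or omit the key) unless leap_ca's loader is known to special-case that string, which is not visible here. `client_cert_lifespan: 2` carries no unit in the file; a trailing comment such as `# days` (or whatever the daemon expects — confirm) would keep the pool from being misconfigured.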
@@ -29,17 +29,24 @@ class site_ca_daemon { } - x509::key { - 'leap_ca_daemon': - content => $x509['cert'], - #notify => Service[apache]; - } - - x509::cert { - 'leap_ca_daemon': - content => $x509['key'], - #notify => Service[apache]; - } + x509::key { + 'leap_ca_daemon': + content => $x509['key'], + #notify => Service[apache]; + } + + x509::cert { + 'leap_ca_daemon': + content => $x509['cert'], + #notify => Service[apache]; + } + + x509::ca { + 'leap_ca_daemon': + content => $x509['ca_cert'], + #notify => Service[apache]; + } + file { '/srv/leap_ca_daemon': ensure => directory, @@ -66,6 +73,4 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } - - } -- cgit v1.2.3 From 3f0bbccb1b0020530ae4e4a0682fbf9f5f401e3b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:36:48 +0100 Subject: couchdb: use x509 module to deploy certs (fixes #1063) --- .../site_apache/files/vhosts.d/couchdb_proxy.conf | 4 ++-- .../site_couchdb/manifests/apache_ssl_proxy.pp | 20 ++++++++------------ 2 files changed, 10 insertions(+), 14 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf index 79ad931d..0dff2cd6 100644 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -3,8 +3,8 @@ Listen 0.0.0.0:6984 SSLEngine On SSLProxyEngine On - SSLCertificateKeyFile /etc/couchdb/server_key.pem - SSLCertificateFile /etc/couchdb/server_cert.pem + SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key + SSLCertificateFile /etc/x509/certs/leap_couchdb.crt ProxyPass / http://127.0.0.1:5984/ ProxyPassReverse / http://127.0.0.1:5984/ diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index fb3477db..02aae0c3 100644 
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -10,20 +10,16 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { } apache::vhost::file { 'couchdb_proxy': } - file { '/etc/couchdb/server_cert.pem': - mode => '0644', - owner => 'couchdb', - group => 'couchdb', - content => $cert, - notify => Service[apache], + x509::key { + 'leap_couchdb': + content => $x509['key'], + notify => Service[apache]; } - file { '/etc/couchdb/server_key.pem': - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - content => $key, - notify => Service[apache], + x509::cert { + 'leap_couchdb': + content => $x509['cert'], + notify => Service[apache]; } } -- cgit v1.2.3 From e8f28cf269fe706ed556f84d6e03d6a574dfa26d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:45:05 +0100 Subject: openvpn: use x509 module to deploy certs (fixes #1064) --- puppet/modules/site_openvpn/manifests/keys.pp | 26 +++++++++++++--------- .../site_openvpn/manifests/server_config.pp | 6 ++--- 2 files changed, 18 insertions(+), 14 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 12c1bd8f..4c43ec05 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp 
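Review bot: The define's `$key` and `$cert` parameters are no longer used; the new `x509::key` and `x509::cert` resources read `$x509['key']` and `$x509['cert']`, but `$x509` is not declared inside `site_couchdb::apache_ssl_proxy` — it resolves only through deprecated dynamic scoping to the caller's variable (Puppet 2.7) and is undef under Puppet 3, which would deploy empty key and cert files. Use the parameters that are passed in, `content => $key,` and `content => $cert,`, or reference `$site_couchdb::x509` fully qualified. The define's signature is in the hunk header, so its start lies outside the hunk.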
@@ -1,22 +1,26 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::x509_config['ca_cert'], - mode => '0644', + x509::key { + 'leap_openvpn': + content => $site_openvpn::x509_config['key'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', + x509::cert { + 'leap_openvpn': + content => $site_openvpn::x509_config['cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.key': - content => $site_openvpn::x509_config['key'], - mode => '0600', + x509::ca { + 'leap_openvpn': + content => $site_openvpn::x509_config['ca_cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.crt': - content => $site_openvpn::x509_config['cert'], + file { '/etc/openvpn/keys/dh.pem': + content => $site_openvpn::x509_config['dh'], mode => '0644', } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6fc3a3c2..c4f64225 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/keys/ca.crt', + value => '/usr/local/share/ca-certificates/leap_openvpn.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => '/etc/openvpn/keys/server.crt', + value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; "key $openvpn_configname": key => 'key', - value => '/etc/openvpn/keys/server.key', + value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', -- cgit v1.2.3 From 090dca27921efe22fdc39c8598356bfb74e5fe99 Mon Sep 17 00:00:00 2001 
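Review bot: The re-added `file { '/etc/openvpn/keys/dh.pem': ... }` is the only one of the four resources without `notify => Service[openvpn]`, so a changed DH parameter file will not restart the service the way a changed key, cert or CA does. Adding `notify => Service[openvpn],` after the `mode => '0644',` line makes the resources consistent. The removed `mode => '0600'` on the server key is now left to x509::key; whether that module writes the key with equally restrictive permissions is not visible here and deserves a comment on the resource.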
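Review bot: In server_config.pp the `ca` option now points at `/usr/local/share/ca-certificates/leap_openvpn.crt`, which on Debian is the directory update-ca-certificates scans to extend the system-wide trust store; if x509::ca installs the file there and runs that tool, the OpenVPN CA becomes trusted by every TLS client on the node, not only by OpenVPN. That is a wider grant than the previous `/etc/openvpn/keys/ca.crt` gave and should be stated, e.g. `# CA cert is deployed by x509::ca into the system trust store`, or the option pointed at a copy outside the trust directory if system-wide trust is not intended. The define site_openvpn::server_config starts before and ends after this hunk.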
From: Micah Anderson Date: Tue, 11 Dec 2012 13:10:30 -0500 Subject: setup /etc/hosts based on a template and the hiera value 'hosts' This will replace the existing /etc/hosts, so we will want to make this more smart later --- puppet/modules/site_config/manifests/hosts.pp | 7 +++++++ puppet/modules/site_config/manifests/init.pp | 3 +++ puppet/modules/site_config/templates/hosts | 11 +++++++++++ 3 files changed, 21 insertions(+) create mode 100644 puppet/modules/site_config/manifests/hosts.pp create mode 100644 puppet/modules/site_config/templates/hosts (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp new file mode 100644 index 00000000..08890a5d --- /dev/null +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -0,0 +1,7 @@ +class site_config::hosts { + + file { '/etc/hosts': + content => template('site_config/hosts'), + mode => '0644', owner => root, group => root; + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 7f67ad4e..268ff2fc 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -11,4 +11,7 @@ class site_config { # configure /etc/resolv.conf include site_config::resolvconf + + # configure /etc/hosts + include site_config::hosts } diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts new file mode 100644 index 00000000..1a12addc --- /dev/null +++ b/puppet/modules/site_config/templates/hosts @@ -0,0 +1,11 @@ +# This file is managed by puppet, any changes will be overwritten! + +127.0.0.1 localhost +<%= scope.function_hiera('hosts') %> + +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters -- cgit v1.2.3 From 7391fac4a03a9db9655ca992dfed91a51f080f25 Mon Sep 17 00:00:00 2001 
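Review bot: `<%= scope.function_hiera('hosts') %>` in the new hosts template is an unconditional lookup with no default, so a node whose hiera data has no `hosts` key fails catalog compilation instead of getting a plain /etc/hosts, and whatever string the key does hold is written verbatim into name resolution with no check that it consists of address/hostname lines. Looking the value up in site_config::hosts with a default, `$hosts = hiera('hosts', '')`, and emitting it from the template only when non-empty makes the missing-key case safe; validating the format before it reaches /etc/hosts is worth a follow-up, since this file decides where every local client connects.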
From: Micah Anderson Date: Tue, 11 Dec 2012 13:17:06 -0500 Subject: update augeas submodule to try and resolve unreferenced commit --- puppet/modules/augeas | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/augeas b/puppet/modules/augeas index c1e385f5..44e84a98 160000 --- a/puppet/modules/augeas +++ b/puppet/modules/augeas @@ -1 +1 @@ -Subproject commit c1e385f55f11c81772e243ebb9a7277769d40f92 +Subproject commit 44e84a988b859622e7b3583ac27331cf816017ed -- cgit v1.2.3 From cbb834da5de7e2abe7399e34766492bfab48fa9c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 15:37:15 -0500 Subject: test to see if the hosts value is empty before trying to reference it in a template also set the hostname to what the hiera 'name' is set to --- puppet/modules/site_config/manifests/hosts.pp | 10 ++++++++++ puppet/modules/site_config/templates/hosts | 6 ++++-- 2 files changed, 14 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 08890a5d..5269bf35 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,5 +1,15 @@ class site_config::hosts { + $hosts = hiera('hosts','') + $hostname = hiera('name') + + exec { "/bin/hostname $hostname ": } + + file { "/etc/hostname": + ensure => present, + content => $hostname + } + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', owner => root, group => root; diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 1a12addc..c516eaf8 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts 
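Review bot: `exec { "/bin/hostname $hostname ": }` interpolates the hiera `name` value straight into the command string and has no `refreshonly`, `unless` or `creates`, so it runs on every agent run and any unexpected characters in the value reach the command line. Validating `$hostname` against a hostname pattern (letters, digits, dots and hyphens) before it is used in both the exec and `file { "/etc/hostname": content => $hostname }` keeps a malformed hiera value from being executed or written, and a `subscribe` on the two files with `refreshonly => true` limits the exec to actual changes. The `/etc/hostname` content is also written without a trailing newline. The class continues past this hunk.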
@@ -1,7 +1,9 @@ # This file is managed by puppet, any changes will be overwritten! -127.0.0.1 localhost -<%= scope.function_hiera('hosts') %> +127.0.0.1 localhost +<%- if hosts.to_s != '' then -%> +<%= hosts %> +<% end -%> # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback -- cgit v1.2.3 From 73de38e401dd5e1253d07d3419b74be2605016b1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 15:54:55 -0500 Subject: remove extra space in hostname exec --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 5269bf35..dd8d7e47 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,7 +3,7 @@ class site_config::hosts { $hosts = hiera('hosts','') $hostname = hiera('name') - exec { "/bin/hostname $hostname ": } + exec { "/bin/hostname $hostname": } file { "/etc/hostname": ensure => present, -- cgit v1.2.3 From efb434fff348ee38ce688851791a91a1814240e7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:04:18 -0500 Subject: replace Documentroot path from - to _ --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 37c4a727..05d5f69d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
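Review bot: The template reads the class variable as the bare identifier `hosts` in `<%- if hosts.to_s != '' then -%>` and `<%= hosts %>`; Puppet's ERB accepts this form but has deprecated it in favour of `@hosts`, and a bare name that is not set in scope raises a NameError at compile time rather than rendering empty. Using `<%- if @hosts.to_s != '' -%>` and `<%= @hosts %>` is forward-compatible, and the `.to_s` guard then also covers an undefined value. Keep in mind that the value is still inserted verbatim; the guard only checks for emptiness, not for a valid hosts-file line.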
@@ -19,8 +19,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 85e7289b..8c820788 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,8 +21,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests -- cgit v1.2.3 From a3f11bff64069e61df895d8bb9d5d80fdde0e7eb Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:25:11 -0500 Subject: set up an 'initial' run stage to happen before the 'main' run stage and put the site_config::hosts to be in the initial run stage to make sure the hostname is set before anything else. --- puppet/modules/site_config/manifests/hosts.pp | 2 +- puppet/modules/site_config/manifests/init.pp | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index dd8d7e47..1312f870 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,4 +1,4 @@ -class site_config::hosts { +class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 268ff2fc..bab186d0 100644 --- a/puppet/modules/site_config/manifests/init.pp 
+++ b/puppet/modules/site_config/manifests/init.pp @@ -13,5 +13,11 @@ class site_config { include site_config::resolvconf # configure /etc/hosts - include site_config::hosts + stage { 'initial': + before => Stage['main'], + } + + class { 'site_config::hosts': + stage => initial, + } } -- cgit v1.2.3 From 8d4e198fc0aa750128230659f6eb68d5a74f0f2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:32:56 -0500 Subject: change hostname exec to only apply when either the /etc/hostname or /etc/hosts files are changed (otherwise it runs on every run) --- puppet/modules/site_config/manifests/hosts.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 1312f870..e3408b27 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,13 +3,15 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') - exec { "/bin/hostname $hostname": } - file { "/etc/hostname": ensure => present, content => $hostname } + exec { "/bin/hostname $hostname": + subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ] + } + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', owner => root, group => root; -- cgit v1.2.3 From be2c1c97db09d8db7ebfdc4b6d8e0341f15bce8e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:41:01 -0500 Subject: neglected to add the 'refreshonly' parameter to the exec in previous commit --- puppet/modules/site_config/manifests/hosts.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index e3408b27..06cd5c01 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp 
@@ -9,9 +9,10 @@ class site_config::hosts() { } exec { "/bin/hostname $hostname": - subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ] + subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], + refreshonly => true; } - + file { '/etc/hosts': content => template('site_config/hosts'), mode => '0644', owner => root, group => root; -- cgit v1.2.3 From 51bbe9d6d5ce7e780c25fe31d5250047c97b05e2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 16:45:56 -0500 Subject: fix couchdb port --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index f5132599..be33770b 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,7 +1,7 @@ production: protocol: 'https' host: <%= couchdb_host %> - port: 443 + port: 6984 username: <%= couchdb_user %> password: <%= couchdb_password %> -- cgit v1.2.3 From 70e4ca82f79e64a59e85c849092ad217d07fc1d5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 18:51:57 -0500 Subject: update shorewall submodule to fix the shorewall.conf problem --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index 29e80fe6..e511291a 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit 29e80fe61983821dc50ea54a05013c351206d5bd +Subproject commit e511291a111db7a7d88a8820c5423aa5b92304e0 -- cgit v1.2.3 From 063f3329cb6ff5769ea4667516d2f8c63cd236b6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 11 Dec 2012 18:55:41 -0500 Subject: add prefix to couchdb.yaml --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') 
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index be33770b..e5678680 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,4 +1,5 @@ production: + prefix: "" protocol: 'https' host: <%= couchdb_host %> port: 6984 -- cgit v1.2.3 From 221976d2814009710b1a392a451fc4684004c971 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Dec 2012 13:14:49 +0100 Subject: no need for sections in shorewall rules from the shorewall-rules manpage: "If no Section Headers appear in the file then all rules are assumed to be in the NEW section." --- puppet/modules/site_shorewall/manifests/defaults.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 0ee20744..d348bf00 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -8,8 +8,6 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - shorewall::rule_section { 'NEW': order => 10; } - include augeas augeas { 'enable_ip_forwarding': -- cgit v1.2.3 From 4639b19a10d0fc2e1562a2135fe1b33b70571155 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Dec 2012 16:20:29 +0100 Subject: moved site_config::apt to site_apt --- puppet/modules/site_apt/manifests/init.pp | 8 ++++++++ puppet/modules/site_config/manifests/apt.pp | 8 -------- puppet/modules/site_config/manifests/init.pp | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) create mode 100644 puppet/modules/site_apt/manifests/init.pp delete mode 100644 puppet/modules/site_config/manifests/apt.pp (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp new file mode 100644 index 00000000..7f8b09a1 --- /dev/null 
+++ b/puppet/modules/site_apt/manifests/init.pp @@ -0,0 +1,8 @@ +class site_apt { + + include ::apt + + apt::apt_conf { '90disable-pdiffs': + content => 'Acquire::PDiffs "false";'; + } +} diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_config/manifests/apt.pp deleted file mode 100644 index 4f611ac8..00000000 --- a/puppet/modules/site_config/manifests/apt.pp +++ /dev/null @@ -1,8 +0,0 @@ -class site_config::apt { - - include ::apt - - apt::apt_conf { '90disable-pdiffs': - content => 'Acquire::PDiffs "false";'; - } -} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index bab186d0..ef4ffbd3 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -4,7 +4,7 @@ class site_config { include lsb, git # configure apt - include site_config::apt + include site_apt # configure ssh and include ssh-keys include site_config::sshd -- cgit v1.2.3 From e074a620b3b661a46469f3bba43e699ec77c1a27 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Dec 2012 16:58:51 +0100 Subject: leftover apt sources file, see commit febd45328 --- puppet/modules/site_apt/files/unstable.list | 1 - 1 file changed, 1 deletion(-) delete mode 100644 puppet/modules/site_apt/files/unstable.list (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list deleted file mode 100644 index 0e289136..00000000 --- a/puppet/modules/site_apt/files/unstable.list +++ /dev/null @@ -1 +0,0 @@ -deb http://http.debian.net/debian unstable main -- cgit v1.2.3 From d0e49a478584b6ac6e18846e2f0b9b4c0d1c5b21 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 14 Dec 2012 16:59:21 +0100 Subject: deploy custom unettended upgrade file --- puppet/modules/site_apt/files/50unattended-upgrades | 13 +++++++++++++ puppet/modules/site_apt/manifests/init.pp | 2 ++ 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_apt/files/50unattended-upgrades (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/50unattended-upgrades b/puppet/modules/site_apt/files/50unattended-upgrades new file mode 100644 index 00000000..1639e68a --- /dev/null +++ b/puppet/modules/site_apt/files/50unattended-upgrades @@ -0,0 +1,13 @@ +Unattended-Upgrade::Origins-Pattern { + "o=${distro_id},n=${distro_codename}"; + "o=${distro_id},n=${distro_codename}-updates"; + "o=${distro_id},n=${distro_codename}-proposed-updates"; + "o=${dis tro_id},n=${distro_codename},l=Debian-security"; +}; + + +Unattended-Upgrade::Mail "root"; + +Unattended-Upgrade::MailOnlyOnError "true"; + + diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 7f8b09a1..7d1d039c 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -5,4 +5,6 @@ class site_apt { apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; } + + include ::apt::unattended_upgrades } -- cgit v1.2.3 From af7885a5a4b59985f55d8b28200fc750eb72ddbc Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 11:17:10 +0100 Subject: no need for custom 50unattended-upgrades with new unattended_upgrades class --- puppet/modules/site_apt/files/50unattended-upgrades | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 puppet/modules/site_apt/files/50unattended-upgrades (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/50unattended-upgrades b/puppet/modules/site_apt/files/50unattended-upgrades deleted file mode 100644 index 1639e68a..00000000 --- a/puppet/modules/site_apt/files/50unattended-upgrades +++ /dev/null 
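Review bot: The fourth origin pattern, `"o=${dis tro_id},n=${distro_codename},l=Debian-security";`, has a space inside the variable name, so it will not match the Debian security origin and security updates — the one origin unattended upgrades is most needed for — would not be applied automatically. It should read `"o=${distro_id},n=${distro_codename},l=Debian-security";`. Including `-proposed-updates` in the automatic set is also unusual for production hosts, since those packages have not finished stabilisation; a comment explaining why it is wanted, or dropping that line, would help.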
@@ -1,13 +0,0 @@ -Unattended-Upgrade::Origins-Pattern { - "o=${distro_id},n=${distro_codename}"; - "o=${distro_id},n=${distro_codename}-updates"; - "o=${distro_id},n=${distro_codename}-proposed-updates"; - "o=${dis tro_id},n=${distro_codename},l=Debian-security"; -}; - - -Unattended-Upgrade::Mail "root"; - -Unattended-Upgrade::MailOnlyOnError "true"; - - -- cgit v1.2.3 From cf5d685d01edd77f73fa4f21488dcaf1fe782996 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 11:17:36 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 02bd3269..0d5311b1 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 02bd3269948f1a3c5a586e581a7fec22da69a2cc +Subproject commit 0d5311b1a9fa82e4e423a9e7ce7f5eb919bab40d -- cgit v1.2.3 From c32c92e18d98ed936e55d2aff29afebe49d58d7d Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 14:11:18 +0100 Subject: /usr/local/bin/leap_ca_daemon symlink --- puppet/modules/site_ca_daemon/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index db76e0fb..34b2c522 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -73,4 +73,8 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } + file { '/usr/local/bin/leap_ca_daemon': + ensure => link, + target => '/srv/leap_ca_daemon/bin/leap_ca', + } } -- cgit v1.2.3 From 98063e47889ad7a1b2fbb63513b428c2d53bd1f3 Mon Sep 17 00:00:00 2001 
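Review bot: The new symlink `/usr/local/bin/leap_ca_daemon` in site_ca_daemon/init.pp has no relationship to `Vcsrepo['/srv/leap_ca_daemon']`, so on a first run it can be created before its target `/srv/leap_ca_daemon/bin/leap_ca` exists; Puppet creates the dangling link, and anything in the same run that invokes the command through PATH fails until the checkout happens. Adding `require => Vcsrepo['/srv/leap_ca_daemon'],` keeps link and target in order. A short comment noting that the link name (`leap_ca_daemon`) intentionally differs from the target name (`leap_ca`) would save a reader checking whether that is a typo. The class starts before this hunk.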
From: varac Date: Sun, 16 Dec 2012 14:45:28 +0100 Subject: bind: use local, ipv4 only name-caching resolver (fixes #1171) --- puppet/modules/site_config/files/bind9 | 8 ++++++++ puppet/modules/site_config/files/named.options | 6 ++++++ puppet/modules/site_config/manifests/resolvconf.pp | 21 +++++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 puppet/modules/site_config/files/bind9 create mode 100644 puppet/modules/site_config/files/named.options (limited to 'puppet') diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9 new file mode 100644 index 00000000..50d8ed14 --- /dev/null +++ b/puppet/modules/site_config/files/bind9 @@ -0,0 +1,8 @@ +# managed by puppet + +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-u bind -4" + diff --git a/puppet/modules/site_config/files/named.options b/puppet/modules/site_config/files/named.options new file mode 100644 index 00000000..47df6c5d --- /dev/null +++ b/puppet/modules/site_config/files/named.options @@ -0,0 +1,6 @@ +options { + allow-query { 127.0.0.1; }; + allow-transfer { none; }; + listen-on { 127.0.0.1; }; +}; + diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index bd0539b9..b70dfa1c 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp 
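Review bot: The new options file is deployed as `/etc/bind/named.options` by the resolvconf.pp hunk of this commit, but on Debian the package's named.conf includes `/etc/bind/named.conf.options`, not that name, so the `allow-query`, `allow-transfer` and `listen-on` restrictions are never read and the server runs with package defaults. Naming the file `named.conf.options` and pointing the file resource at it fixes that. Adding `listen-on-v6 { none; };` would also make the IPv4-only intent explicit in the named configuration rather than relying solely on `OPTIONS="-u bind -4"` in /etc/default/bind9.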
@@ -1,8 +1,29 @@ class site_config::resolvconf { + + # bind9 package { 'bind9': ensure => installed, } + service { 'bind9': + ensure => running, + require => Package['bind9'], + } + + file { '/etc/default/bind9': + source => 'puppet:///modules/site_config/bind9', + require => Package['bind9'], + notify => Service['bind9'], + } + + file { '/etc/bind/named.options': + source => 'puppet:///modules/site_config/named.options', + require => Package['bind9'], + notify => Service['bind9'], + } + + + $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] -- cgit v1.2.3 From 28745a2d4a0cdcf088af5240c67c77f0cde16bb4 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 16 Dec 2012 15:07:38 +0100 Subject: named.options -> named.conf.options --- puppet/modules/site_config/files/named.conf.options | 6 ++++++ puppet/modules/site_config/files/named.options | 6 ------ puppet/modules/site_config/manifests/resolvconf.pp | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_config/files/named.conf.options delete mode 100644 puppet/modules/site_config/files/named.options (limited to 'puppet') diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options new file mode 100644 index 00000000..47df6c5d --- /dev/null +++ b/puppet/modules/site_config/files/named.conf.options @@ -0,0 +1,6 @@ +options { + allow-query { 127.0.0.1; }; + allow-transfer { none; }; + listen-on { 127.0.0.1; }; +}; + diff --git a/puppet/modules/site_config/files/named.options b/puppet/modules/site_config/files/named.options deleted file mode 100644 index 47df6c5d..00000000 --- a/puppet/modules/site_config/files/named.options +++ /dev/null @@ -1,6 +0,0 @@ -options { - allow-query { 127.0.0.1; }; - allow-transfer { none; }; - listen-on { 127.0.0.1; }; -}; - diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b70dfa1c..78f83a62 100644 
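Review bot: The named.conf.options block restricts who may query and where named listens but leaves recursion and validation at package defaults; for a host-local caching resolver, stating `allow-recursion { 127.0.0.1; };`, `listen-on-v6 { none; };` and, if the installed BIND supports it, `dnssec-validation auto;` explicitly would document the intended posture and make validation of upstream answers part of the configuration rather than an assumption. The resolvconf.pp hunk in the same commit declares `service { 'bind9' }` and the two config files, but nothing in the visible lines points `/etc/resolv.conf` at 127.0.0.1; the class continues after the hunk, so that may happen further down and is worth a cross-reference comment.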
--- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -16,8 +16,8 @@ class site_config::resolvconf { notify => Service['bind9'], } - file { '/etc/bind/named.options': - source => 'puppet:///modules/site_config/named.options', + file { '/etc/bind/named.conf.options': + source => 'puppet:///modules/site_config/named.conf.options', require => Package['bind9'], notify => Service['bind9'], } -- cgit v1.2.3 From cded90f839871cf6258d7dc28d3ce81cf7f9cf6c Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 18 Dec 2012 10:26:57 -0800 Subject: ca daemon -- ca daemon needs the x509 cert/key for the CA, not for the server. --- puppet/modules/site_ca_daemon/manifests/init.pp | 30 +++++++++++++++++-------- 1 file changed, 21 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 34b2c522..29a70df8 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -31,21 +31,33 @@ class site_ca_daemon { x509::key { 'leap_ca_daemon': - content => $x509['key'], - #notify => Service[apache]; + content => $x509['ca_key']; + #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon } x509::cert { 'leap_ca_daemon': - content => $x509['cert'], - #notify => Service[apache]; + content => $x509['ca_cert']; + #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon } - x509::ca { - 'leap_ca_daemon': - content => $x509['ca_cert'], - #notify => Service[apache]; - } + # + # Does CA need a server key/cert? I think not now. + # + # x509::key { + # 'server': + # content => $x509['key']; + # } + # + # x509::cert { + # 'server': + # content => $x509['cert']; + # } + + # x509::ca { + # 'leap_ca_daemon': + # content => $x509['ca_cert']; + # } file { '/srv/leap_ca_daemon': -- cgit v1.2.3 
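Review bot: With `content => $x509['ca_key']` the CA's private signing key is now written to the node by x509::key — presumably to `/etc/x509/keys/leap_ca_daemon.key`, following the `/etc/x509/keys/leap_couchdb.key` path used for couchdb earlier in this series — and nothing in the hunk records which user must be able to read it or that the module's default mode, chosen for server keys, is acceptable for a CA key. A comment such as `# CA signing key: must stay readable only by the user running leap_ca_daemon` next to the resource, plus explicit owner/mode if x509::key accepts them, makes that contract visible. The two large commented-out blocks (`# x509::key { 'server': ...` and `# x509::ca { ...`) are dead code; the open question they carry is better kept as a one-line TODO. The class continues outside this hunk.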
From 9115e761133cd06e369a22cc357ba718f1fa6020 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 10:07:07 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 0d5311b1..ffb44c91 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 0d5311b1a9fa82e4e423a9e7ce7f5eb919bab40d +Subproject commit ffb44c91db24d30bb9584eb27d52f76958d6b732 -- cgit v1.2.3 From e97a022b52291a2593ee0efbab4c1b8f9d60be01 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 10:56:06 +0100 Subject: move apt-get upgrade to inital stage --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 3 ++- puppet/modules/site_apt/manifests/init.pp | 2 +- puppet/modules/site_config/manifests/init.pp | 5 +++++ 3 files changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 5ae9297f..4baabc77 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -6,5 +6,6 @@ class site_apt::dist_upgrade inherits apt::dist_upgrade { } # Ensure apt-get upgrade has been run before installing any packages - Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> + # Disables because apt-get update is moved to stage initial + # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> } diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 631f5742..99bcce4f 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,7 +1,7 @@ class site_apt { include ::apt - include site_apt::dist_upgrade + #include site_apt::dist_upgrade apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; 
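Review bot: The disabling comment in dist_upgrade.pp, `# Disables because apt-get update is moved to stage initial`, names the wrong operation (the collector it disables orders `Exec["apt_dist-upgrade"]`, not apt-get update) and leaves the ordering line behind as commented-out code, while site_apt/init.pp does the same with `#include site_apt::dist_upgrade`. Removing both dead lines and replacing the comment with `# Ordering is now enforced by declaring this class in Stage['initial'] (see site_config)` states the actual reason; the stage declaration lives in site_config/manifests/init.pp in this same commit, so a reader of dist_upgrade.pp alone cannot otherwise see that the guarantee still exists. The class site_apt::dist_upgrade ends within its hunk; site_apt continues past its hunk.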
diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index ef4ffbd3..69ff2523 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -6,6 +6,7 @@ class site_config { # configure apt include site_apt + # configure ssh and include ssh-keys include site_config::sshd @@ -20,4 +21,8 @@ class site_config { class { 'site_config::hosts': stage => initial, } + + class { 'site_apt::dist_upgrade': + stage => initial, + } } -- cgit v1.2.3 From 2f4fe239515e5aee60f8a04358efd1fc0214ceb9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 16:22:36 +0100 Subject: added ca_daemon initscript for later --- puppet/modules/site_couchdb/files/leap_ca_daemon | 157 +++++++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100755 puppet/modules/site_couchdb/files/leap_ca_daemon (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/leap_ca_daemon b/puppet/modules/site_couchdb/files/leap_ca_daemon new file mode 100755 index 00000000..9a1a0bc7 --- /dev/null +++ b/puppet/modules/site_couchdb/files/leap_ca_daemon 
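Review bot: `class { 'site_apt::dist_upgrade': stage => initial, }` moves the upgrade into Stage['initial'] while `include site_apt` (and through it `include ::apt`) stays in the main stage; if apt::dist_upgrade's exec requires resources from class apt, such as an apt-get update exec, Puppet reports a dependency cycle across the stages, and if it does not, the upgrade may run against package lists that the main-stage apt class has not yet refreshed. Which of the two applies is not visible here, so a comment stating that dist_upgrade deliberately runs before apt sources are managed, or moving `site_apt` into the initial stage as well, would make the intent checkable. The class site_config ends within this hunk.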
@@ -0,0 +1,157 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: leap_ca_daemon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: leap_ca_daemon initscript +# Description: Controls leap_ca_daemon (see https://github.com/leapcode/leap_ca +# for more information. +### END INIT INFO + +# Author: varac +# + +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="leap_ca_daemon initscript" +NAME=leap_ca_daemon +DAEMON=/usr/local/bin/$NAME +DAEMON_ARGS="run " +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. 
+} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? 
+ #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: -- cgit v1.2.3 From 109334ec46ffdde3a96119fd6108080bd1d45c8a Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Dec 2012 17:39:13 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index ffb44c91..507d5448 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit ffb44c91db24d30bb9584eb27d52f76958d6b732 +Subproject commit 507d5448c85904d6471e829d3afe00cff89e7520 -- cgit v1.2.3 From c3c23bbc27dee3fdcdf9aec6addcc816ad7b52ba Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 19 Dec 2012 12:12:16 -0800 Subject: webapp api now uses a customizable port (so that we don't try to rely on SNI for hosting two TLS domains on one IP). --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 ++++-- puppet/modules/site_webapp/manifests/apache.pp | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 05d5f69d..cdfcbd68 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
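Review bot: `do_start` launches the daemon with `start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS` and no `--chuid`, so leap_ca_daemon, which is given the CA signing key earlier in this series, runs as root; passing `--chuid <daemon-user>` (and creating that user in the manifest) confines the key's exposure to an unprivileged account. The script also relies on the daemon writing `$PIDFILE` itself (there is no `--make-pidfile --background`), so if it does not, the `--test` probe never sees a running instance and `stop` falls back to `--exec $DAEMON`, which will not match a process whose executable is an interpreter rather than the symlink; this is worth confirming against the daemon. `DAEMON_ARGS="run "` carries a trailing space, and the file sits under site_couchdb/files although it concerns the CA daemon, which the commit message flags as provisional.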
@@ -1,10 +1,12 @@ ServerName <%= api_domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] - +Listen 0.0.0.0:<%= api_port %> + +> ServerName <%= api_domain %> SSLEngine on diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 8532cc38..554b9147 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -1,6 +1,9 @@ class site_webapp::apache { - $api_domain = hiera('api_domain') + $web_api = hiera('api') + $api_domain = $web_api['domain'] + $api_port = $web_api['port'] + $x509 = hiera('x509') $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] -- cgit v1.2.3 From a1fae6722d541fe52d45deb690785562d0751265 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 3 Jan 2013 11:02:10 +0100 Subject: using master branch for webapp now. develop branch is no longer used in webapp dev and will be removed. --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 6a60ab15..ebe58c95 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -36,7 +36,7 @@ class site_webapp { vcsrepo { '/srv/leap-webapp': ensure => present, - revision => 'origin/develop', + revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_web', owner => 'leap-webapp', -- cgit v1.2.3 From 886063ca1db3a4ce8fbd72e4ead9b5f2371979a5 Mon Sep 17 00:00:00 2001 
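Review bot: `Listen 0.0.0.0:<%= api_port %>` binds the API port on IPv4 only, so a client that reaches `<%= api_domain %>` over IPv6 receives the permanent redirect to `https://…:<%= api_port %>` and then finds nothing listening there; `Listen <%= api_port %>` (or an additional `Listen [::]:<%= api_port %>`) covers both families. The port comes straight from hiera (`$api_port = $web_api['port']` in the apache.pp hunk of this same commit) with no check that it is numeric, so an empty or malformed entry breaks the whole Apache configuration at the next restart instead of failing at catalog compile; a guard such as `if $api_port !~ /^\d+$/ { fail("api.port must be numeric, got '${api_port}'") }` next to the assignment surfaces it earlier. If the host firewall restricts inbound ports (site_shorewall is included elsewhere on this page), the new port also needs an accept rule, which this commit does not add. The opening `<VirtualHost>` tag appears to have been lost in this rendering (`+>`), so the enclosing block itself cannot be checked here.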
From: elijah Date: Fri, 11 Jan 2013 17:12:49 -0800 Subject: configure webapp with correct domain --- puppet/modules/site_webapp/manifests/init.pp | 10 ++++++++++ puppet/modules/site_webapp/templates/config.yml.erb | 3 +++ puppet/modules/site_webapp/templates/couchdb.yml.erb | 6 +++--- 3 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_webapp/templates/config.yml.erb (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ebe58c95..22695966 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -3,6 +3,8 @@ class site_webapp { $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] + $node_domain = hiera('domain') + $provider_domain = $node_domain['full_suffix'] Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -70,4 +72,12 @@ class site_webapp { owner => leap-webapp, group => leap-webapp, mode => '0644'; } + file { + '/srv/leap-webapp/config/config.yml': + content => template('site_webapp/config.yml.erb'), + owner => leap-webapp, + group => leap-webapp, + mode => '0600'; + } + } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb new file mode 100644 index 00000000..5e223a58 --- /dev/null +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -0,0 +1,3 @@ +production: + admins: [admin] + domain: <%= @provider_domain %> diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index e5678680..ee521713 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb 
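Review bot: `admins: [admin]` in config.yml.erb hard-codes the administrative account name into every deployment; if the webapp grants admin rights to whoever owns a listed username and registration is open (neither is visible here, so please confirm), the first person to register `admin` becomes an administrator, and the list belongs in hiera next to `domain` rather than as a literal in the template. Rendering the file with `mode => '0600'` is right for a config that may later carry secrets, but `owner => leap-webapp` lets the application rewrite its own admin list; `owner => root, group => leap-webapp, mode => '0640'` keeps it readable by the app without being writable by it. A one-line comment above the `file` resource saying that this file holds provider-specific, security-relevant settings would help the next person who edits the template.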
@@ -1,8 +1,8 @@ production: prefix: "" protocol: 'https' - host: <%= couchdb_host %> + host: <%= @couchdb_host %> port: 6984 - username: <%= couchdb_user %> - password: <%= couchdb_password %> + username: <%= @couchdb_user %> + password: <%= @couchdb_password %> -- cgit v1.2.3 From ec6c48ab589d4174dc192a01c4b99833227c5942 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 13 Jan 2013 20:30:24 -0800 Subject: added ability to customize the webapp appearance --- puppet/modules/site_webapp/manifests/init.pp | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 22695966..f7c6565e 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -5,6 +5,7 @@ class site_webapp { $eip_service = $definition_files['eip_service'] $node_domain = hiera('domain') $provider_domain = $node_domain['full_suffix'] + $webapp = hiera('webapp') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] @@ -70,6 +71,22 @@ class site_webapp { '/srv/leap-webapp/public/config/eip-service.json': content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + + '/srv/leap-webapp/public/favicon.ico': + ensure => 'link', + target => $webapp['favicon']; + + '/srv/leap-webapp/app/assets/stylesheets/tail.scss': + ensure => 'link', + target => $webapp['tail_scss']; + + '/srv/leap-webapp/app/assets/stylesheets/head.scss': + ensure => 'link', + target => $webapp['head_scss']; + + '/srv/leap-webapp/public/img': + ensure => 'link', + target => $webapp['img_dir']; } file { -- cgit v1.2.3 From 2ea357f5214762005d0bdc0b97d95af3d18a94b3 Mon Sep 17 00:00:00 2001 
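Review bot: The four `ensure => 'link'` resources point paths under the webapp's `public/` and `app/assets` trees at whatever `$webapp['favicon']`, `['tail_scss']`, `['head_scss']` and `['img_dir']` contain, with no check that those targets exist or are of the expected kind, so a wrong hiera value produces a dangling symlink that only shows up at request time rather than at deploy time. `public/img` in particular becomes a symlink to an arbitrary directory that is served statically, so these values have to be treated as trusted configuration; a comment such as `# link targets come from the provider's hiera 'webapp' hash and are served verbatim by the webapp` above the block makes that explicit. If those target paths are managed by other puppet resources, ordering them before the links (`require => File[...]`) would make the failure mode a catalog error instead of a broken site — not visible from this hunk.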
From: Micah Anderson Date: Tue, 15 Jan 2013 16:59:28 -0500 Subject: add stdlib and unbound submodules --- puppet/modules/stdlib | 1 + puppet/modules/unbound | 1 + 2 files changed, 2 insertions(+) create mode 160000 puppet/modules/stdlib create mode 160000 puppet/modules/unbound (limited to 'puppet') diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib new file mode 160000 index 00000000..2df66c04 --- /dev/null +++ b/puppet/modules/stdlib @@ -0,0 +1 @@ +Subproject commit 2df66c041109ecca1099bf3977657572cc32ad24 diff --git a/puppet/modules/unbound b/puppet/modules/unbound new file mode 160000 index 00000000..d8bf530e --- /dev/null +++ b/puppet/modules/unbound @@ -0,0 +1 @@ +Subproject commit d8bf530ec42fdc4d2281169234964d28d8a689ac -- cgit v1.2.3 From e9ddc9e157ca6491594ac3434d1838a51daa0218 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 10:53:37 -0500 Subject: remove unnecessary include that was left over from c2d57624c15dfaff038f9991f04ade46b5ad1d40: --- puppet/modules/site_openvpn/manifests/init.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 548d1df2..5505b8fc 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,8 +13,6 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') - include site_openvpn - # deploy ca + server keys include site_openvpn::keys -- cgit v1.2.3 From 5385602a435acb92e1588f74296b6a5339385199 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 16 Jan 2013 10:54:32 -0500 Subject: setup site_unbound with a basic caching-only configuration and include that on the openvpn gateway (see #1172) --- puppet/modules/site_openvpn/manifests/init.pp | 2 ++ puppet/modules/site_unbound/manifests/init.pp | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 puppet/modules/site_unbound/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 5505b8fc..d3c3e387 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,6 +13,8 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') + include site_unbound + # deploy ca + server keys include site_openvpn::keys diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp new file mode 100644 index 00000000..6a210ab2 --- /dev/null +++ b/puppet/modules/site_unbound/manifests/init.pp @@ -0,0 +1,20 @@ +class site_unbound { + + class { 'unbound': + root_hints => false, + anchor => false, + ssl => false + settings => { + server => { + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ] + } + } + } + +} -- cgit v1.2.3 From 06757bf230dc616832cf2eb560ee9c1570cc1a07 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 10:59:42 -0500 Subject: fix syntax error --- puppet/modules/site_unbound/manifests/init.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp index 6a210ab2..a968ac62 100644 --- a/puppet/modules/site_unbound/manifests/init.pp +++ b/puppet/modules/site_unbound/manifests/init.pp 
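Review bot: `anchor => false` and `root_hints => false` are passed to the `unbound` class without a comment saying what they turn off; if `anchor` is the DNSSEC trust anchor, as the name suggests (the module is a submodule and not visible here), this caching resolver performs no DNSSEC validation, which matters for a gateway that later commits on this page make answer queries from VPN clients. The listen and ACL settings themselves are appropriately tight (`interface` on loopback only, `access-control` limited to 127.0.0.0/8 and ::1). Either enable the anchor or record the decision in the manifest, e.g. `# anchor => false: no DNSSEC validation on this resolver; revisit before serving VPN clients`. The same settings are carried verbatim into site_config::caching_resolver further down this page, so the comment belongs there too.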
@@ -3,7 +3,7 @@ class site_unbound { class { 'unbound': root_hints => false, anchor => false, - ssl => false + ssl => false, settings => { server => { verbosity => '1', @@ -16,5 +16,4 @@ class site_unbound { } } } - } -- cgit v1.2.3 From 4e0021dede8aae43760b3e9a4b2317c3ed4c1e0d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Jan 2013 13:08:24 -0500 Subject: Swtich from bind9 as the local caching resolver to unbound. This will enable us to do tor lookups over DNS on servers, if tor services are defined. To do this, we remove the bind9 configurations from site_config::resolvconf.pp and replace it with site_config::caching_resolver with a basic unbound configuration that can be used everywhere. The unbound configuration enables a /etc/unbound/conf.d directory for additional config snippits that can be dropped in from other places. This will be used for setting up different interfaces in the vpn gateway, for example. There will be a set of transition package/file absent blocks to clean up providers. --- puppet/modules/site_config/files/bind9 | 8 ----- .../modules/site_config/files/named.conf.options | 6 ---- .../site_config/manifests/caching_resolver.pp | 35 ++++++++++++++++++++++ puppet/modules/site_config/manifests/init.pp | 3 ++ puppet/modules/site_config/manifests/resolvconf.pp | 14 +++------ puppet/modules/site_unbound/manifests/init.pp | 19 ------------ 6 files changed, 42 insertions(+), 43 deletions(-) delete mode 100644 puppet/modules/site_config/files/bind9 delete mode 100644 puppet/modules/site_config/files/named.conf.options create mode 100644 puppet/modules/site_config/manifests/caching_resolver.pp delete mode 100644 puppet/modules/site_unbound/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9 deleted file mode 100644 index 50d8ed14..00000000 --- a/puppet/modules/site_config/files/bind9 +++ /dev/null 
@@ -1,8 +0,0 @@ -# managed by puppet - -# run resolvconf? -RESOLVCONF=no - -# startup options for the server -OPTIONS="-u bind -4" - diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options deleted file mode 100644 index 47df6c5d..00000000 --- a/puppet/modules/site_config/files/named.conf.options +++ /dev/null @@ -1,6 +0,0 @@ -options { - allow-query { 127.0.0.1; }; - allow-transfer { none; }; - listen-on { 127.0.0.1; }; -}; - diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp new file mode 100644 index 00000000..e4374d8f --- /dev/null +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -0,0 +1,35 @@ +class site_config::caching_resolver { + + # Setup a conf.d directory to place additional unbound configuration files + # there must be at least one file in the directory, or unbound will not + # start, so create an empty placeholder to ensure this + file { + '/etc/unbound/conf.d': + ensure => directory, + owner => root, group => root, mode => '0755'; + + '/etc/unbound/conf.d/placeholder': + ensure => present, + content => '', + owner => root, group => root, mode => '0644'; + } + + class { 'unbound': + root_hints => false, + anchor => false, + ssl => false, + require => File['/etc/unbound/conf.d/placeholder'], + settings => { + server => { + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ], + include => '/etc/unbound/conf.d/*' + } + } + } +} diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 69ff2523..f05bca1c 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp 
@@ -13,6 +13,9 @@ class site_config { # configure /etc/resolv.conf include site_config::resolvconf + # configure caching, local resolver + include site_config::caching_resolver + # configure /etc/hosts stage { 'initial': before => Stage['main'], diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 78f83a62..3579aaf2 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -2,28 +2,22 @@ class site_config::resolvconf { # bind9 package { 'bind9': - ensure => installed, + ensure => absent, } service { 'bind9': - ensure => running, + ensure => stopped, require => Package['bind9'], } file { '/etc/default/bind9': - source => 'puppet:///modules/site_config/bind9', - require => Package['bind9'], - notify => Service['bind9'], + ensure => absent; } file { '/etc/bind/named.conf.options': - source => 'puppet:///modules/site_config/named.conf.options', - require => Package['bind9'], - notify => Service['bind9'], + ensure => absent; } - - $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp deleted file mode 100644 index a968ac62..00000000 --- a/puppet/modules/site_unbound/manifests/init.pp +++ /dev/null @@ -1,19 +0,0 @@ -class site_unbound { - - class { 'unbound': - root_hints => false, - anchor => false, - ssl => false, - settings => { - server => { - verbosity => '1', - interface => [ '127.0.0.1', '::1' ], - port => '53', - hide-identity => 'yes', - hide-version => 'yes', - harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ] - } - } - } -} -- cgit v1.2.3 From 6375cda36fc21687c59095e4750189b65a2c3b52 Mon Sep 17 00:00:00 2001 
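Review bot: In the resolvconf.pp hunk, `package { 'bind9': ensure => absent }` together with `service { 'bind9': ensure => stopped, require => Package['bind9'] }` removes the package before puppet tries to stop the service, which is the reverse of a clean teardown, and on a host where bind9 was never installed the service resource then has no init script to act on and can error on every run. For the transition, drop `require => Package['bind9']` from the service and order it the other way, `Service['bind9'] -> Package['bind9']`. Since only `/etc/default/bind9` and `/etc/bind/named.conf.options` are set `ensure => absent` and the package is removed rather than purged, the rest of `/etc/bind` (including any rndc key bind generated) stays on disk; `ensure => purged` on the package clears it if that is the intent.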
From: Micah Anderson Date: Wed, 16 Jan 2013 14:53:09 -0500 Subject: update unbound submodule to fix infinite service restart problem --- puppet/modules/site_openvpn/manifests/init.pp | 5 +++-- puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++++ puppet/modules/unbound | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/resolver.pp (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index d3c3e387..4606179c 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -13,8 +13,6 @@ class site_openvpn { $openvpn_udp_cidr = '21' $x509_config = hiera('x509') - include site_unbound - # deploy ca + server keys include site_openvpn::keys @@ -55,6 +53,9 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a special => 'reboot', } + # setup the resolver to listen on the vpn IP + include site_openvpn::resolver + include site_shorewall::eip package { diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp new file mode 100644 index 00000000..0f0510c1 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -0,0 +1,8 @@ +class site_openvpn::resolver { + + file { '/etc/unbound/conf.d/vpn_resolver': + content => "interface: $openvpn_gateway_address\n", + owner => root, group => root, mode => '0644', + require => Exec['/usr/local/bin/leap_add_second_ip.sh']; + } +} diff --git a/puppet/modules/unbound b/puppet/modules/unbound index d8bf530e..ca7eb732 160000 --- a/puppet/modules/unbound +++ b/puppet/modules/unbound @@ -1 +1 @@ -Subproject commit d8bf530ec42fdc4d2281169234964d28d8a689ac +Subproject commit ca7eb732064ce29fc83d4c32a4df7d9512d45802 -- cgit v1.2.3 From 4c649b08e215b229c280d0f15730418033b13fb9 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 16 Jan 2013 14:54:49 -0500 Subject: setup openvpn gateway resolver to listen on the udp/tcp virtual network ips so that queries can be made from clients on the vpn --- puppet/modules/site_openvpn/manifests/resolver.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 0f0510c1..eaa765fe 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -1,8 +1,14 @@ class site_openvpn::resolver { - file { '/etc/unbound/conf.d/vpn_resolver': - content => "interface: $openvpn_gateway_address\n", - owner => root, group => root, mode => '0644', - require => Exec['/usr/local/bin/leap_add_second_ip.sh']; + file { + '/etc/unbound/conf.d/vpn_udp_resolver': + content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n", + owner => root, group => root, mode => '0644', + require => Service['openvpn']; + + '/etc/unbound/conf.d/vpn_tcp_resolver': + content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n", + owner => root, group => root, mode => '0644', + require => Service['openvpn']; } } -- cgit v1.2.3 From 03d2b1aec2a9ccd61f4804277c80541698f1dab8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 13:56:47 -0500 Subject: fix unbound access control --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index eaa765fe..57a2d147 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
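Review bot: `interface: ${openvpn_udp_network_prefix}.1` makes unbound bind a tun address that only exists once openvpn is up; `require => Service['openvpn']` orders the file resource inside a puppet run but says nothing about boot order, so if the unbound init script starts before openvpn the bind fails and the resolver does not come up (the previous commit's subject mentions an unbound restart loop, which may be this). Either make the init-level dependency explicit or set `ip-transparent: yes` in the unbound server settings so it can bind addresses that are not yet configured — confirm the wheezy unbound supports that option before relying on it. The `access-control` lines also need an explicit action and these files need `notify => Service['unbound']` to take effect; both are addressed by later commits on this page, so no change is needed here for those.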
@@ -2,12 +2,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n", + content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n", + content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From ad3da4a59aebb6b7facc2e6616d8b81039b29892 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:17:18 -0500 Subject: unfortunately the version of unbound that is in wheezy does not support wildcard include directives, so this commit works around this by doing something less elegant than before. When we have the newer unbound available, we should switch to that method instead. --- .../site_config/manifests/caching_resolver.pp | 15 ++++++++++----- puppet/modules/site_openvpn/manifests/resolver.pp | 20 ++++++++++++++++++++ 2 files changed, 30 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index e4374d8f..ab2f52d1 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp 
@@ -1,8 +1,14 @@ class site_config::caching_resolver { - # Setup a conf.d directory to place additional unbound configuration files - # there must be at least one file in the directory, or unbound will not - # start, so create an empty placeholder to ensure this + # Setup a conf.d directory to place additional unbound configuration files. + # There must be at least one file in the directory, or unbound will not start, + # so create an empty placeholder to ensure this. + + # Note: the version of unbound we are working with does not accept a wildcard + # for an include directive, so we are not able to use this. When we can use + # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the + # configuration file + file { '/etc/unbound/conf.d': ensure => directory, @@ -27,8 +33,7 @@ class site_config::caching_resolver { hide-identity => 'yes', hide-version => 'yes', harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ], - include => '/etc/unbound/conf.d/*' + access-control => [ '127.0.0.0/8 allow', '::1 allow' ] } } } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 57a2d147..c8ef729c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
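Review bot: The new comment says the future directive will be `include: /etc/unbound.d/*`, but the directory this class creates and that the resolver snippets later on this page live in is `/etc/unbound/conf.d`; change the comment to `# the newer unbound, then we will add 'include: /etc/unbound/conf.d/*' to the` so the wrong path is not copied when the upgrade happens. With the wildcard `include` removed in the second hunk, the `placeholder` file and the `require => File['/etc/unbound/conf.d/placeholder']` on the unbound class no longer serve the purpose the comment gives ("unbound will not start" applied to the include), so either drop them or update the comment to say why they stay.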
@@ -1,5 +1,25 @@ class site_openvpn::resolver { + # this is an unfortunate way to get around the fact that the version of + # unbound we are working with does not accept a wildcard include directive + # (/etc/unbound/conf.d/*), when it does, these line definitions should + # go away and instead the caching_resolver should be configured to + # include: /etc/unbound/conf.d/* + + line { + 'add_tcp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound']; + + 'add_udp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound']; + } + file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", -- cgit v1.2.3 From 7444310ba919a871cbe646501c784af3f81f3d47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:21:15 -0500 Subject: fully qualify the variables that are used in the vpn gateway resolver --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c8ef729c..c695b49a 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
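Review bot: The two `line` resources append `server: include: /etc/unbound/conf.d/vpn_*_resolver` to `/etc/unbound/unbound.conf`, a file the `unbound` class in site_config::caching_resolver also writes from its `settings` hash; if that module templates the whole file, each puppet run rewrites it without these lines and then re-appends them, restarting unbound twice per run because of the `notify => Service['unbound']`. Check that the module preserves lines it does not own, or pass the two include paths through the class's `settings` (as the earlier wildcard `include` entry did) so a single resource owns the file. Appending a second `server:` clause after the module's own is something unbound accepts, but a short comment saying it is deliberate would save the next reader a question.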
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From ff1c732fbe76abe8fcb39e82233ad76e6acf3ab8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:31:24 -0500 Subject: set a default exec path for all nodes --- puppet/manifests/site.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index c8502bc7..a1917d6e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,3 +1,6 @@ +# set a default exec path +Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } + node 'default' { # prerequisites import 'common' -- cgit v1.2.3 From 9d66c6712028c95212dba7a8d5a870efc70ce204 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:33:22 -0500 Subject: change to using the CIDR notation for unbound access list --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c695b49a..d77fd8b0 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From 1c348dee62a30e33f7e00b9584629c89dcac016a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:35:14 -0500 Subject: fix typo in cidr variable name --- puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d77fd8b0..590af8ac 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -22,12 +22,12 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': - content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n", + content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; '/etc/unbound/conf.d/vpn_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n", + content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', require => Service['openvpn']; } -- cgit v1.2.3 From fdcc33d4491470d88e1ab7e9869a3236d1e2c5fe Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 14:38:11 -0500 Subject: notify unbound when these configuration files change --- puppet/modules/site_openvpn/manifests/resolver.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 590af8ac..d3963c95 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
@@ -23,12 +23,14 @@ class site_openvpn::resolver { file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", - owner => root, group => root, mode => '0644', - require => Service['openvpn']; + owner => root, group => root, mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; '/etc/unbound/conf.d/vpn_tcp_resolver': content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", - owner => root, group => root, mode => '0644', - require => Service['openvpn']; + owner => root, group => root, mode => '0644', + require => Service['openvpn'], + notify => Service['unbound']; } } -- cgit v1.2.3 From f9eb0d17ac2fabd8688201d9816a9a575d3b8d6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Jan 2013 17:18:24 -0500 Subject: require the augeas class before doing any augeas operations (#1215) --- puppet/modules/site_shorewall/manifests/defaults.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d348bf00..d5f60ec6 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -14,7 +14,8 @@ class site_shorewall::defaults { changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + notify => Service[shorewall], + require => Class[augeas]; } } -- cgit v1.2.3 From b81891c036f4573a8bc314e11d3be61fbbbd9aff Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 18 Jan 2013 16:37:39 +0100 Subject: create cronjob for leap_ca --- puppet/modules/site_ca_daemon/manifests/init.pp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 29a70df8..4ec5b00b 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -87,6 +87,16 @@ class site_ca_daemon { file { '/usr/local/bin/leap_ca_daemon': ensure => link, - target => '/srv/leap_ca_daemon/bin/leap_ca', + target => '/srv/leap_ca_daemon/bin/leap_ca_daemon', } + + file { '/etc/cron.hourly/leap_ca': + ensure => present, + content => "#/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null", + owner => 'root', + group => 0, + mode => '0755', + } + + } -- cgit v1.2.3 From 27651e6188325880244fe17d3bf82c3068095e8a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 18 Jan 2013 22:32:47 +0100 Subject: linted --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 4baabc77..adf165bd 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,11 +1,11 @@ class site_apt::dist_upgrade inherits apt::dist_upgrade { # really upgrade on every puppetrun - Exec["apt_dist-upgrade"]{ - refreshonly => false, + Exec['apt_dist-upgrade']{ + refreshonly => false, } # Ensure apt-get upgrade has been run before installing any packages # Disables because apt-get update is moved to stage initial - # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> + # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> } -- cgit v1.2.3 
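Review bot: The cron script's interpreter line in `File['/etc/cron.hourly/leap_ca']` is malformed — `#/bin/sh` (missing `!`) is only a comment, so the kernel cannot exec the file directly and whether it runs at all depends on how run-parts falls back on ENOEXEC; the content also lacks a trailing newline. Change it to `content => "#!/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null\n",`. Because /etc/cron.hourly entries are executed by root, it is worth confirming whether the CA daemon needs root at all or could run under a dedicated account via a crontab entry, and recording that decision in a comment above the resource; the rest of class site_ca_daemon is outside the hunk.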
From fc59f6c6a22a4659cefa29e18a658c852c6e89f7 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Jan 2013 14:09:50 +0100 Subject: configure fqdn for host --- puppet/modules/site_config/templates/hosts | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c516eaf8..05fb56b9 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,6 +1,8 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost +127.0.1.1 <%= hostname %>.<%= domain %> <%= hostname %> + <%- if hosts.to_s != '' then -%> <%= hosts %> <% end -%> -- cgit v1.2.3 From 1d9f25303a58f15feec071d81ddf13291fdd6002 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Jan 2013 15:07:33 +0100 Subject: remove bind9 service stop (#1421) --- puppet/modules/site_config/manifests/resolvconf.pp | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 3579aaf2..a525d8c6 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -1,19 +1,12 @@ class site_config::resolvconf { - # bind9 + # bind9 purging can be taken out after some time package { 'bind9': ensure => absent, } - - service { 'bind9': - ensure => stopped, - require => Package['bind9'], - } - file { '/etc/default/bind9': ensure => absent; } - file { '/etc/bind/named.conf.options': ensure => absent; } -- cgit v1.2.3 From d7f7bad9b6d4a45aa06c74a1f630b38a534092e0 Mon Sep 17 00:00:00 2001 
From: varac Date: Sun, 20 Jan 2013 15:26:26 +0100 Subject: configure fqdn for host --- puppet/modules/site_config/manifests/hosts.pp | 2 ++ puppet/modules/site_config/manifests/init.pp | 2 ++ puppet/modules/site_config/manifests/resolvconf.pp | 3 +-- puppet/modules/site_config/templates/hosts | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 06cd5c01..80619e33 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,6 +3,8 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') + $domain_public = $domain_hash['full_suffix'] + file { "/etc/hostname": ensure => present, content => $hostname diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index f05bca1c..c27074ed 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -1,4 +1,6 @@ class site_config { + $domain_hash = hiera('domain') + # default class, used by all hosts include lsb, git diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index a525d8c6..adecb838 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -11,8 +11,7 @@ class site_config::resolvconf { ensure => absent; } - $domain_hash = hiera('domain') - $domain_public = $domain_hash['public'] + $domain_public = $domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 05fb56b9..00cc6a79 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts 
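Review bot: `$domain_hash` is assigned in class `site_config` (init.pp hunk) but read unqualified in `site_config::hosts` and `site_config::resolvconf`; that lookup only works through dynamic scoping, which Puppet 2.7 deprecates and Puppet 3 removes, so on newer agents `$domain_public` resolves to undef and the hosts template renders `hostname.` with an empty suffix. Qualify the reads in both hosts.pp and resolvconf.pp, `$domain_public = $site_config::domain_hash['full_suffix']`, or pass the value as a class parameter. `hiera('domain')` also has no default, so any node without a `domain` key now fails catalog compilation — probably intended, but a one-line comment on the assignment saying so would help the next reader.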
@@ -1,7 +1,7 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= hostname %>.<%= domain %> <%= hostname %> +127.0.1.1 <%= hostname %>.<%= @domain_public %> <%= hostname %> <%- if hosts.to_s != '' then -%> <%= hosts %> -- cgit v1.2.3 From 5fdcfd3b80a038a18aba9a975270acc686efd185 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Jan 2013 17:47:03 +0100 Subject: don't run if another apt-get process is running --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index adf165bd..87a2fc00 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,11 +1,11 @@ class site_apt::dist_upgrade inherits apt::dist_upgrade { - # really upgrade on every puppetrun + if $::apt_running == 'true' { + fail ('apt-get is running in background - Please wait until it finishes. Exiting.') + } + # ensue dist-upgrade on every puppetrun Exec['apt_dist-upgrade']{ refreshonly => false, } - # Ensure apt-get upgrade has been run before installing any packages - # Disables because apt-get update is moved to stage initial - # Exec["apt_dist-upgrade"] -> Package <| name != 'lsb-release' |> } -- cgit v1.2.3 From 9ae011f2cbedfae166281f2f6a097acec35c943b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 21 Jan 2013 12:14:43 -0500 Subject: update augeas submodule to get new upstream lints and package fixes for wheezy --- puppet/modules/augeas | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/augeas b/puppet/modules/augeas index 44e84a98..4d8c8ba3 160000 --- a/puppet/modules/augeas +++ b/puppet/modules/augeas 
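Review bot: The template now mixes `@domain_public` with bareword `hostname` and `hosts`; bareword variable access in Puppet ERB templates is the deprecated form and newer releases warn on it, so the three remaining uses should become `<%= @hostname %>`, `<%- if @hosts.to_s != '' then -%>` and `<%= @hosts %>` to match the new reference. `@domain_public` also only resolves when the class that assigns it (`site_config::hosts`) is the one rendering this template, which is worth stating in the header comment of the template.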
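Review bot: `$::apt_running` is evaluated at catalog compile time from a fact collected when the run starts, so the new `fail` only guards against an apt-get that was already running then; an apt-get started later in the run still races with `Exec['apt_dist-upgrade']`. A check on the Exec itself (its `unless`/`onlyif`) would be closer to the moment of execution — that resource is declared in `apt::dist_upgrade`, outside this hunk. Also fix the comment typo, `# ensure dist-upgrade on every puppetrun`, and note in the message or a comment that `fail` aborts the whole catalog for the host, not just the apt part.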
@@ -1 +1 @@
-Subproject commit 44e84a988b859622e7b3583ac27331cf816017ed
+Subproject commit 4d8c8ba362cc57c12451e581f27feea97797e8c0 -- cgit v1.2.3 From 306a0e6c21d0e27035ba48530392eede59537516 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 21 Jan 2013 22:41:51 -0800 Subject: client ca -- configure the webapp with the client ca --- puppet/modules/site_webapp/manifests/client_ca.pp | 24 ++++++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + .../modules/site_webapp/templates/config.yml.erb | 2 ++ 3 files changed, 27 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/client_ca.pp (limited to 'puppet')
diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp
new file mode 100644
index 00000000..53c49d69
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/client_ca.pp
@@ -0,0 +1,24 @@
+##
+## This is for the special CA that is used exclusively for generating
+## client certificates by the webapp.
+##
+
+class site_webapp::client_ca {
+ include x509::variables
+
+ $x509 = hiera('x509')
+ $cert_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $key_path = "${x509::variables::keys}/leap_client_ca.key"
+
+ x509::key {
+ 'leap_client_ca':
+ source => $x509['client_ca_key'],
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_client_ca':
+ source => $x509['client_ca_cert'],
+ notify => Service[apache];
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index f7c6565e..717a9477 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -16,6 +16,7 @@ class site_webapp { include rubygems include site_webapp::apache include site_webapp::couchdb + include site_webapp::client_ca group { 'leap-webapp': ensure => present, 
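Review bot: `x509::key { 'leap_client_ca': ... }` places the private key of the CA that issues client certificates on the webapp host, but nothing in this hunk says who may read it; `x509::key` is outside the view, so please confirm it installs the file with a restrictive mode (owner-only, or group-readable by the webapp's account only) and record that above the resource, since anyone who can read this key can mint client certificates. `$cert_path` and `$key_path` are not consumed by this class; they exist to be read from `config.yml.erb` via `scope.lookupvar`, and they assume `x509::key`/`x509::cert` write to exactly `${x509::variables::keys}/leap_client_ca.key` and the matching `.crt` — a comment such as `# paths exported for config.yml.erb; must match where x509::key/x509::cert place the files` would make that coupling explicit. The `include site_webapp::client_ca` added in init.pp must be evaluated before the file resource that renders the template for the lookup to succeed; it is placed with the other includes near the top, which looks right, but the rendering resource is outside the hunk.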
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 5e223a58..9cf85f0c 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,3 +1,5 @@ production: admins: [admin] domain: <%= @provider_domain %> + client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> + client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> -- cgit v1.2.3 From cde779720059965b4caf968c132c315821dd9b66 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 23 Jan 2013 10:39:34 -0500 Subject: require that the unbound package is installed before attempting to make sub-directories under /etc/unbound (#1412) --- puppet/modules/site_config/manifests/caching_resolver.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index ab2f52d1..922c394f 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -12,7 +12,8 @@ class site_config::caching_resolver { file { '/etc/unbound/conf.d': ensure => directory, - owner => root, group => root, mode => '0755'; + owner => root, group => root, mode => '0755', + require => Package['unbound']; '/etc/unbound/conf.d/placeholder': ensure => present, -- cgit v1.2.3 From 00252d3e425bb385135faf6bda4c462bcce75e59 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Jan 2013 16:12:24 -0500 Subject: update shorewall module to latest release for fixes --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index e511291a..614ee152 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall 
@@ -1 +1 @@ -Subproject commit e511291a111db7a7d88a8820c5423aa5b92304e0 +Subproject commit 614ee152c39bbc66c82a52022e2c05aa7856cd4b -- cgit v1.2.3 From 65d28a5e43ce3005b0560763809a09f64bfcfea7 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 26 Jan 2013 18:41:56 +0100 Subject: apply site_nagios::server --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index a1917d6e..94835f61 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -29,4 +29,8 @@ node 'default' { if 'ca' in $services { include site_ca_daemon } + + if 'monitoring' in $services { + include site_nagios::server + } } -- cgit v1.2.3 From 3d6b0c7e852f83a0bc38f1b13cc8914b4768a59d Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 26 Jan 2013 18:42:17 +0100 Subject: added submodule nagios --- puppet/modules/nagios | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/nagios (limited to 'puppet') diff --git a/puppet/modules/nagios b/puppet/modules/nagios new file mode 160000 index 00000000..256cf866 --- /dev/null +++ b/puppet/modules/nagios @@ -0,0 +1 @@ +Subproject commit 256cf866cb3cc9e88e8cd89dd59ac24ab24e1366 -- cgit v1.2.3 From 440ca230359e28195ba44c452b462c5e69efff65 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 26 Jan 2013 18:52:31 +0100 Subject: beginning of puppet/modules/site_nagios --- puppet/modules/site_nagios/manifests/server.pp | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server.pp (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp new file mode 100644 index 00000000..e11ffd48 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -0,0 +1,7 @@ +class site_nagios::server { + class {'nagios': + allow_external_cmd => true + } + #include nagios::defaults + +} -- cgit v1.2.3 
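Review bot: `allow_external_cmd => true` in `class {'nagios': ...}` enables the Nagios external command file, which lets whoever can write to it (normally the web server's account, via the CGIs) submit commands to the daemon, and the hunk shows no accompanying access restriction. Those controls live in the `nagios` module outside this hunk, so add a comment stating why external commands are needed and that the CGI authorization is relied on, e.g. `# external commands are submitted through the web UI; access is gated by nagios::apache auth`; the same setting reappears in `class {'nagios::apache': ...}` in the later server.pp rewrite. The commented-out `#include nagios::defaults` should either be removed or carry a note explaining why it is disabled.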
From 078bc9674c247cc2c3ad715eec57903138e481e1 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 27 Jan 2013 11:15:36 +0100 Subject: added 'development' hiera hash to exclude certain class for better testing --- puppet/manifests/site.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 94835f61..1a76e3bd 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -6,8 +6,13 @@ node 'default' { import 'common' include concat::setup - # include some basic classes - include site_config + $development = hiera('development') + if $development['site_config'] == true { + # include some basic classes + include site_config + } else { + notice ('NOT applying site_config') + } # parse services for host $services=hiera_array('services') @@ -30,7 +35,7 @@ node 'default' { include site_ca_daemon } - if 'monitoring' in $services { + if 'monitor' in $services { include site_nagios::server } } -- cgit v1.2.3 From 51369107eefffca0c50784b2ad2b51bf56c53512 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 27 Jan 2013 14:42:04 +0100 Subject: site_nagios: add hosts + services --- .../parser/functions/create_resources_hash_from.rb | 116 +++++++++++++++++++++ puppet/modules/site_nagios/manifests/add_host.pp | 30 ++++++ .../modules/site_nagios/manifests/add_service.pp | 22 ++++ puppet/modules/site_nagios/manifests/server.pp | 17 ++- 4 files changed, 182 insertions(+), 3 deletions(-) create mode 100644 puppet/lib/puppet/parser/functions/create_resources_hash_from.rb create mode 100644 puppet/modules/site_nagios/manifests/add_host.pp create mode 100644 puppet/modules/site_nagios/manifests/add_service.pp (limited to 'puppet') diff --git a/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb b/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb new file mode 100644 index 00000000..47d0df9c --- /dev/null 
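Review bot: `hiera('development')` has no default, so every node without a `development` key now fails catalog compilation, and a node whose `development` hash exists but omits `site_config` silently skips the base configuration (undef == true is false) — the opposite of a safe default. Give the lookup a production-safe fallback, `$development = hiera('development', { 'site_config' => true })`, or invert the test so `site_config` is skipped only on an explicit `false`. The `notice` would also be better as `warning ('NOT applying site_config')`, since a node running without its base configuration is easy to overlook in the agent log.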
+++ b/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb 
@@ -0,0 +1,116 @@ +# +# create_resources_hash_from.rb +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +module Puppet::Parser::Functions + newfunction(:create_resources_hash_from, :type => :rvalue, :doc => <<-EOS +Given: + A formatted string (to use as the resource name) + An array to loop through (because puppet cannot loop) + A hash defining the parameters for a resource + And optionally an hash of parameter names to add to the resource and an + associated formatted string that should be configured with the current + element of the loop array + +This function will return a hash of hashes that can be used with the +create_resources function. 
+ +*Examples:* + $allowed_hosts = ['10.0.0.0/8', '192.168.0.0/24'] + $resource_name = "100 allow %s to apache on ports 80" + $my_resource_hash = { + 'proto' => 'tcp', + 'action' => 'accept', + 'dport' => 80 + } + $dynamic_parameters = { + 'source' => '%s' + } + + $created_resource_hash = create_resources_hash_from($resource_name, $allowed_hosts, $my_resource_hash, $dynamic_parameters) + +$created_resource_hash would equal: + { + '100 allow 10.0.0.0/8 to apache on ports 80' => { + 'proto' => 'tcp', + 'action' => 'accept', + 'dport' => 80, + 'source' => '10.0.0.0/8' + }, + '100 allow 192.168.0.0/24 to apache on ports 80' => { + 'proto' => 'tcp', + 'action' => 'accept', + 'dport' => 80, + 'source' => '192.168.0.0/24' + } + } + +$created_resource_hash could then be used with create_resources + + create_resources(firewall, $created_resource_hash) + +To create a bunch of resources in a way that would only otherwise be possible +with a loop of some description. + EOS + ) do |arguments| + + raise Puppet::ParseError, "create_resources_hash_from(): Wrong number of arguments " + + "given (#{arguments.size} for 3 or 4)" if arguments.size < 3 or arguments.size > 4 + + formatted_string = arguments[0] + + unless formatted_string.is_a?(String) + raise(Puppet::ParseError, 'create_resources_hash_from(): first argument must be a string') + end + + loop_array = arguments[1] + + unless loop_array.is_a?(Array) + raise(Puppet::ParseError, 'create_resources_hash_from(): second argument must be an array') + end + + resource_hash = arguments[2] + unless resource_hash.is_a?(Hash) + raise(Puppet::ParseError, 'create_resources_hash_from(): third argument must be a hash') + end + + if arguments.size == 4 + dynamic_parameters = arguments[3] + unless dynamic_parameters.is_a?(Hash) + raise(Puppet::ParseError, 'create_resources_hash_from(): fourth argument must be a hash') + end + end + + result = {} + + loop_array.each do |i| + my_resource_hash = resource_hash.clone + if dynamic_parameters + 
dynamic_parameters.each do |param, value| + if my_resource_hash.member?(param) + raise(Puppet::ParseError, "create_resources_hash_from(): dynamic_parameter '#{param}' already exists in resource hash") + end + my_resource_hash[param] = sprintf(value,[i]) + end + end + result[sprintf(formatted_string,[i])] = my_resource_hash + end + + result + end +end + +# vim: set ts=2 sw=2 et : +# encoding: utf-8 diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp new file mode 100644 index 00000000..5148048d --- /dev/null +++ b/puppet/modules/site_nagios/manifests/add_host.pp @@ -0,0 +1,30 @@ +define site_nagios::add_host ($ip, $services='' ) { + + $nagios_hostname = $name + + #notice ("$nagios_hostname $ip $services") + + nagios_host { $nagios_hostname: + address => $ip, + use => 'generic-host', + } + + # turn serice array into hash + # https://github.com/ashak/puppet-resource-looping + $nagios_service_hashpart = { + 'host' => $nagios_hostname, + 'ip' => $ip, + } + $dynamic_parameters = { + 'service' => '%s' + } + + #$nagios_services = ['one', 'two'] + $nagios_servicename = "${nagios_hostname}_%s" + + $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) + #notice ($created_resource_hash) + + + create_resources ( site_nagios::add_service, $nagios_service_hash ) +} diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp new file mode 100644 index 00000000..5a5b344f --- /dev/null +++ b/puppet/modules/site_nagios/manifests/add_service.pp 
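Review bot: `sprintf(value,[i])` and `sprintf(formatted_string,[i])` wrap the loop element in an Array, which only works where `Array#to_s` joins its elements (Ruby 1.8); on Ruby 1.9 and later `%s` receives the array itself and produces `["10.0.0.0/8"]`, so every generated resource title and dynamic parameter comes out bracketed. Use `sprintf(value, i)` and `sprintf(formatted_string, i)` (or `value % i`) for the scalar elements the doc string describes. `resource_hash.clone` is also a shallow copy, so nested values are shared between all generated resources — fine for the flat hashes in the example, but worth a comment on that line.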
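Review bot: `$services=''` defaults to a string, but the value is passed straight to `create_resources_hash_from`, whose second argument must be an Array, so a host declared without `services` aborts compilation with a ParseError instead of simply getting no service checks; the default should be `$services = []`. The `#notice (...)` and `#$nagios_services = ['one', 'two']` debugging remnants should go, and `$nagios_hostname = $name` deserves a one-line comment saying the resource title doubles as the nagios_host name.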
@@ -0,0 +1,22 @@
+define site_nagios::add_service ($host, $ip, $service) {
+
+ notice ('$name $host $ip $service')
+
+ case $service {
+ 'openvpn': {
+ $check_command = 'check_openvpn!...'
+ $service_description = 'Openvpn'
+ }
+ 'webapp': {
+ $check_command = 'check_http!...'
+ $service_description = 'Website'
+ }
+ default: { fail ('unknown service') }
+ }
+
+ nagios_service { $name:
+ use => 'generic-service',
+ check_command => $check_command,
+ service_description => $service_description,
+ host_name => $host }
+}
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index e11ffd48..df3e00cd 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -1,7 +1,18 @@ class site_nagios::server { - class {'nagios': - allow_external_cmd => true + + $nagios_hiera=hiera('nagios') + $nagiosadmin_pw = $nagios_hiera['nagiosadmin_pw'] + $hosts = $nagios_hiera['hosts'] + + include nagios::defaults + include nagios::base + #Class ['nagios'] -> Class ['nagios::defaults'] + class {'nagios::apache': + allow_external_cmd => true, + stored_config => false, + #before => Class ['nagios::defaults'] } - #include nagios::defaults + + create_resources ( site_nagios::add_host, $hosts) } -- cgit v1.2.3 From ef3ed5e3f898a4636b57ea4cf6fe2cc9da02dfaa Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 13:01:27 +0100 Subject: automatic update of submodule puppet_nagios --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet')
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
index 256cf866..23e65341 160000
--- a/puppet/modules/nagios
+++ b/puppet/modules/nagios
@@ -1 +1 @@
-Subproject commit 256cf866cb3cc9e88e8cd89dd59ac24ab24e1366
+Subproject commit 23e653414cbabed2ca8fd443eedd412ab5756d8c -- cgit v1.2.3 From ab0792667b57bb034fe23ae24064fad56f3c8163 Mon Sep 17 00:00:00 2001 
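Review bot: `$nagiosadmin_pw = $nagios_hiera['nagiosadmin_pw']` reads a password out of hiera that nothing in this hunk consumes; if it is meant for the web UI's htpasswd, wire it up, otherwise drop the line until a consumer exists, and in either case keep it out of any `notice` output. `$hosts` is handed to `create_resources ( site_nagios::add_host, $hosts)`, which needs a hash of title => parameters, but the hiera layout is not visible here, so a comment documenting the expected `nagios` hash (`nagiosadmin_pw`, `hosts` and what each host entry carries) would help. The two commented-out ordering lines (`#Class ['nagios'] -> ...`, `#before => ...`) should either be removed or say why they are parked.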
From: varac Date: Mon, 28 Jan 2013 15:03:10 +0100 Subject: adapted new hiera config, see #1546 --- puppet/modules/site_nagios/manifests/add_host.pp | 29 +++++++++++----------- .../modules/site_nagios/manifests/add_service.pp | 22 ++++++++-------- puppet/modules/site_nagios/manifests/server.pp | 3 +-- 3 files changed, 26 insertions(+), 28 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp index 5148048d..d5aac67c 100644 --- a/puppet/modules/site_nagios/manifests/add_host.pp +++ b/puppet/modules/site_nagios/manifests/add_host.pp @@ -1,30 +1,29 @@ -define site_nagios::add_host ($ip, $services='' ) { - - $nagios_hostname = $name - - #notice ("$nagios_hostname $ip $services") +define site_nagios::add_host { + $nagios_host = $name + $nagios_hostname = $name['domain_full'] + $nagios_ip = $name['ip_address'] + $nagios_services = $name['services'] + # Add Nagios host nagios_host { $nagios_hostname: - address => $ip, + address => $nagios_ip, use => 'generic-host', } - # turn serice array into hash - # https://github.com/ashak/puppet-resource-looping + # Add Nagios service + + # First, we need to turn the serice array into hash, using a "hash template" + # see https://github.com/ashak/puppet-resource-looping $nagios_service_hashpart = { - 'host' => $nagios_hostname, - 'ip' => $ip, + 'hostname' => $nagios_hostname, + 'ip_address' => $nagios_ip, } $dynamic_parameters = { 'service' => '%s' } - - #$nagios_services = ['one', 'two'] $nagios_servicename = "${nagios_hostname}_%s" - $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) - #notice ($created_resource_hash) - + $nagios_service_hash = create_resources_hash_from($nagios_servicename, $nagios_services, $nagios_service_hashpart, $dynamic_parameters) create_resources ( site_nagios::add_service, $nagios_service_hash ) } 
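Review bot: `$name['domain_full']`, `$name['ip_address']` and `$name['services']` index the resource title as a hash, which only works because the caller (`site_nagios::add_host {$hosts:}` in the server.pp hunk) passes hashes through as titles; Puppet treats titles as strings in many places (uniqueness, reports, resource references), so this is fragile across versions and needs a comment at the top of the define stating the expected title shape — or, more robustly, declare `$domain_full`, `$ip_address` and `$services` as define parameters and keep the earlier `create_resources` call. `$nagios_host = $name` is unused and can go. Also fix the comment typo: `# First, we need to turn the service array into a hash, using a "hash template"`.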
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 5a5b344f..1a69e068 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -1,22 +1,22 @@ -define site_nagios::add_service ($host, $ip, $service) { - - notice ('$name $host $ip $service') +define site_nagios::add_service ($hostname, $ip_address, $service) { case $service { 'openvpn': { - $check_command = 'check_openvpn!...' + $check_command = 'check_openvpn' $service_description = 'Openvpn' } 'webapp': { - $check_command = 'check_http!...' + $check_command = 'check_http' $service_description = 'Website' } - default: { fail ('unknown service') } + default: { notice ("No Nagios service check for service \"$service\"") } } - nagios_service { $name: - use => 'generic-service', - check_command => $check_command, - service_description => $service_description, - host_name => $host } + if ( $check_command != '' ) { + nagios_service { $name: + use => 'generic-service', + check_command => $check_command, + service_description => $service_description, + host_name => $hostname } + } } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index df3e00cd..a8ebeaf4 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -13,6 +13,5 @@ class site_nagios::server { #before => Class ['nagios::defaults'] } - create_resources ( site_nagios::add_host, $hosts) - + site_nagios::add_host {$hosts:} } -- cgit v1.2.3 From 3e68650ddea6d9d01c518727894939204a21369c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 15:27:20 +0100 Subject: automatic update of submodule puppet_nagios --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index 23e65341..57a1140b 160000 
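Review bot: In the `default:` branch `$check_command` is never assigned, so the new guard `if ( $check_command != '' )` relies on undef comparing equal to the empty string — true on Puppet 2.7/3 as far as I recall, but not on Puppet 4 and later, where `nagios_service` would then be declared with an undef `check_command`. Assign it explicitly by adding `$check_command = ''` as the first statement of the `default:` branch, or test `if $check_command` instead, so the intent does not depend on undef semantics. `$ip_address` is accepted by the define but never used; either note why it is part of the interface or drop it together with the `'ip_address'` entry in add_host.pp.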
--- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit 23e653414cbabed2ca8fd443eedd412ab5756d8c +Subproject commit 57a1140b437a8cfb9cfd5d94a5759b1e3ed86d45 -- cgit v1.2.3 From 4a2091518a9b68e53de556bebd98d992e42b8910 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 15:41:06 +0100 Subject: main nagios config: allow external cmds, debug mode --- .../site_nagios/files/configs/Debian/nagios.cfg | 1273 ++++++++++++++++++++ 1 file changed, 1273 insertions(+) create mode 100644 puppet/modules/site_nagios/files/configs/Debian/nagios.cfg (limited to 'puppet') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg new file mode 100644 index 00000000..d8062a2f --- /dev/null +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg 
@@ -0,0 +1,1273 @@ +############################################################################## +# +# NAGIOS.CFG - Sample Main Config File for Nagios +# +# +############################################################################## + + +# LOG FILE +# This is the main log file where service and host events are logged +# for historical purposes. This should be the first option specified +# in the config file!!! + +log_file=/var/log/nagios3/nagios.log + + + +# OBJECT CONFIGURATION FILE(S) +# These are the object configuration files in which you define hosts, +# host groups, contacts, contact groups, services, etc. +# You can split your object definitions across several config files +# if you wish (as shown below), or keep them all in a single config file. +#cfg_file=/etc/nagios3/commands.cfg + +# Puppet-managed configuration files +cfg_dir=/etc/nagios3/conf.d + +# Debian also defaults to using the check commands defined by the debian +# nagios-plugins package +cfg_dir=/etc/nagios-plugins/config + + + +# OBJECT CACHE FILE +# This option determines where object definitions are cached when +# Nagios starts/restarts. The CGIs read object definitions from +# this cache file (rather than looking at the object config files +# directly) in order to prevent inconsistencies that can occur +# when the config files are modified after Nagios starts. + +object_cache_file=/var/cache/nagios3/objects.cache + + + +# PRE-CACHED OBJECT FILE +# This options determines the location of the precached object file. +# If you run Nagios with the -p command line option, it will preprocess +# your object configuration file(s) and write the cached config to this +# file. You can then start Nagios with the -u option to have it read +# object definitions from this precached file, rather than the standard +# object configuration files (see the cfg_file and cfg_dir options above). 
+# Using a precached object file can speed up the time needed to (re)start +# the Nagios process if you've got a large and/or complex configuration. +# Read the documentation section on optimizing Nagios to find our more +# about how this feature works. + +precached_object_file=/var/lib/nagios3/objects.precache + + + +# RESOURCE FILE +# This is an optional resource file that contains $USERx$ macro +# definitions. Multiple resource files can be specified by using +# multiple resource_file definitions. The CGIs will not attempt to +# read the contents of resource files, so information that is +# considered to be sensitive (usernames, passwords, etc) can be +# defined as macros in this file and restrictive permissions (600) +# can be placed on this file. + +resource_file=/etc/nagios3/private/resource.cfg + + + +# STATUS FILE +# This is where the current status of all monitored services and +# hosts is stored. Its contents are read and processed by the CGIs. +# The contents of the status file are deleted every time Nagios +# restarts. + +status_file=/var/cache/nagios3/status.dat + + + +# STATUS FILE UPDATE INTERVAL +# This option determines the frequency (in seconds) that +# Nagios will periodically dump program, host, and +# service status data. + +status_update_interval=10 + + + +# NAGIOS USER +# This determines the effective user that Nagios should run as. +# You can either supply a username or a UID. + +nagios_user=nagios + + + +# NAGIOS GROUP +# This determines the effective group that Nagios should run as. +# You can either supply a group name or a GID. + +nagios_group=nagios + + + +# EXTERNAL COMMAND OPTION +# This option allows you to specify whether or not Nagios should check +# for external commands (in the command file defined below). By default +# Nagios will *not* check for external commands, just to be on the +# cautious side. If you want to be able to use the CGI command interface +# you will have to enable this. 
+# Values: 0 = disable commands, 1 = enable commands + +check_external_commands=1 + + + +# EXTERNAL COMMAND CHECK INTERVAL +# This is the interval at which Nagios should check for external commands. +# This value works of the interval_length you specify later. If you leave +# that at its default value of 60 (seconds), a value of 1 here will cause +# Nagios to check for external commands every minute. If you specify a +# number followed by an "s" (i.e. 15s), this will be interpreted to mean +# actual seconds rather than a multiple of the interval_length variable. +# Note: In addition to reading the external command file at regularly +# scheduled intervals, Nagios will also check for external commands after +# event handlers are executed. +# NOTE: Setting this value to -1 causes Nagios to check the external +# command file as often as possible. + +#command_check_interval=15s +command_check_interval=-1 + + + +# EXTERNAL COMMAND FILE +# This is the file that Nagios checks for external command requests. +# It is also where the command CGI will write commands that are submitted +# by users, so it must be writeable by the user that the web server +# is running as (usually 'nobody'). Permissions should be set at the +# directory level instead of on the file, as the file is deleted every +# time its contents are processed. +# Debian Users: In case you didn't read README.Debian yet, _NOW_ is the +# time to do it. + +command_file=/var/lib/nagios3/rw/nagios.cmd + + + +# EXTERNAL COMMAND BUFFER SLOTS +# This settings is used to tweak the number of items or "slots" that +# the Nagios daemon should allocate to the buffer that holds incoming +# external commands before they are processed. As external commands +# are processed by the daemon, they are removed from the buffer. + +external_command_buffer_slots=4096 + + + +# LOCK FILE +# This is the lockfile that Nagios will use to store its PID number +# in when it is running in daemon mode. 
+ +lock_file=/var/run/nagios3/nagios3.pid + + + +# TEMP FILE +# This is a temporary file that is used as scratch space when Nagios +# updates the status log, cleans the comment file, etc. This file +# is created, used, and deleted throughout the time that Nagios is +# running. + +temp_file=/var/cache/nagios3/nagios.tmp + + + +# TEMP PATH +# This is path where Nagios can create temp files for service and +# host check results, etc. + +temp_path=/tmp + + + +# EVENT BROKER OPTIONS +# Controls what (if any) data gets sent to the event broker. +# Values: 0 = Broker nothing +# -1 = Broker everything +# = See documentation + +event_broker_options=-1 + + + +# EVENT BROKER MODULE(S) +# This directive is used to specify an event broker module that should +# by loaded by Nagios at startup. Use multiple directives if you want +# to load more than one module. Arguments that should be passed to +# the module at startup are seperated from the module path by a space. +# +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING +#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# Do NOT overwrite modules while they are being used by Nagios or Nagios +# will crash in a fiery display of SEGFAULT glory. This is a bug/limitation +# either in dlopen(), the kernel, and/or the filesystem. And maybe Nagios... +# +# The correct/safe way of updating a module is by using one of these methods: +# 1. Shutdown Nagios, replace the module file, restart Nagios +# 2. Delete the original module file, move the new module file into place, restart Nagios +# +# Example: +# +# broker_module= [moduleargs] + +#broker_module=/somewhere/module1.o +#broker_module=/somewhere/module2.o arg1 arg2=3 debug=0 + + + +# LOG ROTATION METHOD +# This is the log rotation method that Nagios should use to rotate +# the main log file. Values are as follows.. 
+# n = None - don't rotate the log +# h = Hourly rotation (top of the hour) +# d = Daily rotation (midnight every day) +# w = Weekly rotation (midnight on Saturday evening) +# m = Monthly rotation (midnight last day of month) + +log_rotation_method=d + + + +# LOG ARCHIVE PATH +# This is the directory where archived (rotated) log files should be +# placed (assuming you've chosen to do log rotation). + +log_archive_path=/var/log/nagios3/archives + + + +# LOGGING OPTIONS +# If you want messages logged to the syslog facility, as well as the +# Nagios log file set this option to 1. If not, set it to 0. + +use_syslog=1 + + + +# NOTIFICATION LOGGING OPTION +# If you don't want notifications to be logged, set this value to 0. +# If notifications should be logged, set the value to 1. + +log_notifications=1 + + + +# SERVICE RETRY LOGGING OPTION +# If you don't want service check retries to be logged, set this value +# to 0. If retries should be logged, set the value to 1. + +log_service_retries=1 + + + +# HOST RETRY LOGGING OPTION +# If you don't want host check retries to be logged, set this value to +# 0. If retries should be logged, set the value to 1. + +log_host_retries=1 + + + +# EVENT HANDLER LOGGING OPTION +# If you don't want host and service event handlers to be logged, set +# this value to 0. If event handlers should be logged, set the value +# to 1. + +log_event_handlers=1 + + + +# INITIAL STATES LOGGING OPTION +# If you want Nagios to log all initial host and service states to +# the main log file (the first time the service or host is checked) +# you can enable this option by setting this value to 1. If you +# are not using an external application that does long term state +# statistics reporting, you do not need to enable this option. In +# this case, set the value to 0. + +log_initial_states=0 + + + +# EXTERNAL COMMANDS LOGGING OPTION +# If you don't want Nagios to log external commands, set this value +# to 0. 
If external commands should be logged, set this value to 1. +# Note: This option does not include logging of passive service +# checks - see the option below for controlling whether or not +# passive checks are logged. + +log_external_commands=1 + + + +# PASSIVE CHECKS LOGGING OPTION +# If you don't want Nagios to log passive host and service checks, set +# this value to 0. If passive checks should be logged, set +# this value to 1. + +log_passive_checks=1 + + + +# GLOBAL HOST AND SERVICE EVENT HANDLERS +# These options allow you to specify a host and service event handler +# command that is to be run for every host or service state change. +# The global event handler is executed immediately prior to the event +# handler that you have optionally specified in each host or +# service definition. The command argument is the short name of a +# command definition that you define in your host configuration file. +# Read the HTML docs for more information. + +#global_host_event_handler=somecommand +#global_service_event_handler=somecommand + + + +# SERVICE INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" service checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all service checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! This is not a +# good thing for production, but is useful when testing the +# parallelization functionality. +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +service_inter_check_delay_method=s + + + +# MAXIMUM SERVICE CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all services should +# be completed. 
Default is 30 minutes. + +max_service_check_spread=30 + + + +# SERVICE CHECK INTERLEAVE FACTOR +# This variable determines how service checks are interleaved. +# Interleaving the service checks allows for a more even +# distribution of service checks and reduced load on remote +# hosts. Setting this value to 1 is equivalent to how versions +# of Nagios previous to 0.0.5 did service checks. Set this +# value to s (smart) for automatic calculation of the interleave +# factor unless you have a specific reason to change it. +# s = Use "smart" interleave factor calculation +# x = Use an interleave factor of x, where x is a +# number greater than or equal to 1. + +service_interleave_factor=s + + + +# HOST INTER-CHECK DELAY METHOD +# This is the method that Nagios should use when initially +# "spreading out" host checks when it starts monitoring. The +# default is to use smart delay calculation, which will try to +# space all host checks out evenly to minimize CPU load. +# Using the dumb setting will cause all checks to be scheduled +# at the same time (with no delay between them)! +# n = None - don't use any delay between checks +# d = Use a "dumb" delay of 1 second between checks +# s = Use "smart" inter-check delay calculation +# x.xx = Use an inter-check delay of x.xx seconds + +host_inter_check_delay_method=s + + + +# MAXIMUM HOST CHECK SPREAD +# This variable determines the timeframe (in minutes) from the +# program start time that an initial check of all hosts should +# be completed. Default is 30 minutes. + +max_host_check_spread=30 + + + +# MAXIMUM CONCURRENT SERVICE CHECKS +# This option allows you to specify the maximum number of +# service checks that can be run in parallel at any given time. +# Specifying a value of 1 for this variable essentially prevents +# any service checks from being parallelized. A value of 0 +# will not restrict the number of concurrent checks that are +# being executed. 
+ +max_concurrent_checks=0 + + + +# HOST AND SERVICE CHECK REAPER FREQUENCY +# This is the frequency (in seconds!) that Nagios will process +# the results of host and service checks. + +check_result_reaper_frequency=10 + + + + +# MAX CHECK RESULT REAPER TIME +# This is the max amount of time (in seconds) that a single +# check result reaper event will be allowed to run before +# returning control back to Nagios so it can perform other +# duties. + +max_check_result_reaper_time=30 + + + + +# CHECK RESULT PATH +# This is directory where Nagios stores the results of host and +# service checks that have not yet been processed. +# +# Note: Make sure that only one instance of Nagios has access +# to this directory! + +check_result_path=/var/lib/nagios3/spool/checkresults + + + + +# MAX CHECK RESULT FILE AGE +# This option determines the maximum age (in seconds) which check +# result files are considered to be valid. Files older than this +# threshold will be mercilessly deleted without further processing. + +max_check_result_file_age=3600 + + + + +# CACHED HOST CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous host check is considered current. +# Cached host states (from host checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to the host check logic. +# Too high of a value for this option may result in inaccurate host +# states being used by Nagios, while a lower value may result in a +# performance hit for host checks. Use a value of 0 to disable host +# check caching. + +cached_host_check_horizon=15 + + + +# CACHED SERVICE CHECK HORIZON +# This option determines the maximum amount of time (in seconds) +# that the state of a previous service check is considered current. 
+# Cached service states (from service checks that were performed more +# recently that the timeframe specified by this value) can immensely +# improve performance in regards to predictive dependency checks. +# Use a value of 0 to disable service check caching. + +cached_service_check_horizon=15 + + + +# ENABLE PREDICTIVE HOST DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of hosts when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# host dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_host_dependency_checks=1 + + + +# ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS +# This option determines whether or not Nagios will attempt to execute +# checks of service when it predicts that future dependency logic test +# may be needed. These predictive checks can help ensure that your +# service dependency logic works well. +# Values: +# 0 = Disable predictive checks +# 1 = Enable predictive checks (default) + +enable_predictive_service_dependency_checks=1 + + + +# SOFT STATE DEPENDENCIES +# This option determines whether or not Nagios will use soft state +# information when checking host and service dependencies. Normally +# Nagios will only use the latest hard host or service state when +# checking dependencies. If you want it to use the latest state (regardless +# of whether its a soft or hard state type), enable this option. +# Values: +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies + +soft_state_dependencies=0 + + + +# TIME CHANGE ADJUSTMENT THRESHOLDS +# These options determine when Nagios will react to detected changes +# in system time (either forward or backwards). 
+ +#time_change_threshold=900 + + + +# AUTO-RESCHEDULING OPTION +# This option determines whether or not Nagios will attempt to +# automatically reschedule active host and service checks to +# "smooth" them out over time. This can help balance the load on +# the monitoring server. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_reschedule_checks=0 + + + +# AUTO-RESCHEDULING INTERVAL +# This option determines how often (in seconds) Nagios will +# attempt to automatically reschedule checks. This option only +# has an effect if the auto_reschedule_checks option is enabled. +# Default is 30 seconds. +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_interval=30 + + + +# AUTO-RESCHEDULING WINDOW +# This option determines the "window" of time (in seconds) that +# Nagios will look at when automatically rescheduling checks. +# Only host and service checks that occur in the next X seconds +# (determined by this variable) will be rescheduled. This option +# only has an effect if the auto_reschedule_checks option is +# enabled. Default is 180 seconds (3 minutes). +# WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE +# PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY + +auto_rescheduling_window=180 + + + +# SLEEP TIME +# This is the number of seconds to sleep between checking for system +# events and service checks that need to be run. + +sleep_time=0.25 + + + +# TIMEOUT VALUES +# These options control how much time Nagios will allow various +# types of commands to execute before killing them off. Options +# are available for controlling maximum time allotted for +# service checks, host checks, event handlers, notifications, the +# ocsp command, and performance data commands. All values are in +# seconds. 
+ +service_check_timeout=60 +host_check_timeout=30 +event_handler_timeout=30 +notification_timeout=30 +ocsp_timeout=5 +perfdata_timeout=5 + + + +# RETAIN STATE INFORMATION +# This setting determines whether or not Nagios will save state +# information for services and hosts before it shuts down. Upon +# startup Nagios will reload all saved service and host state +# information before starting to monitor. This is useful for +# maintaining long-term data on state statistics, etc, but will +# slow Nagios down a bit when it (re)starts. Since its only +# a one-time penalty, I think its well worth the additional +# startup delay. + +retain_state_information=1 + + + +# STATE RETENTION FILE +# This is the file that Nagios should use to store host and +# service state information before it shuts down. The state +# information in this file is also read immediately prior to +# starting to monitor the network when Nagios is restarted. +# This file is used only if the preserve_state_information +# variable is set to 1. + +state_retention_file=/var/lib/nagios3/retention.dat + + + +# RETENTION DATA UPDATE INTERVAL +# This setting determines how often (in minutes) that Nagios +# will automatically save retention data during normal operation. +# If you set this value to 0, Nagios will not save retention +# data at regular interval, but it will still save retention +# data before shutting down or restarting. If you have disabled +# state retention, this option has no effect. + +retention_update_interval=60 + + + +# USE RETAINED PROGRAM STATE +# This setting determines whether or not Nagios will set +# program status variables based on the values saved in the +# retention file. If you want to use retained program status +# information, set this value to 1. If not, set this value +# to 0. 
+ +use_retained_program_state=1 + + + +# USE RETAINED SCHEDULING INFO +# This setting determines whether or not Nagios will retain +# the scheduling info (next check time) for hosts and services +# based on the values saved in the retention file. If you +# If you want to use retained scheduling info, set this +# value to 1. If not, set this value to 0. + +use_retained_scheduling_info=1 + + + +# RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE) +# The following variables are used to specify specific host and +# service attributes that should *not* be retained by Nagios during +# program restarts. +# +# The values of the masks are bitwise ANDs of values specified +# by the "MODATTR_" definitions found in include/common.h. +# For example, if you do not want the current enabled/disabled state +# of flap detection and event handlers for hosts to be retained, you +# would use a value of 24 for the host attribute mask... +# MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24 + +# This mask determines what host attributes are not retained +retained_host_attribute_mask=0 + +# This mask determines what service attributes are not retained +retained_service_attribute_mask=0 + +# These two masks determine what process attributes are not retained. +# There are two masks, because some process attributes have host and service +# options. For example, you can disable active host checks, but leave active +# service checks enabled. +retained_process_host_attribute_mask=0 +retained_process_service_attribute_mask=0 + +# These two masks determine what contact attributes are not retained. +# There are two masks, because some contact attributes have host and +# service options. For example, you can disable host notifications for +# a contact, but leave service notifications enabled for them. 
+retained_contact_host_attribute_mask=0 +retained_contact_service_attribute_mask=0 + + + +# INTERVAL LENGTH +# This is the seconds per unit interval as used in the +# host/contact/service configuration files. Setting this to 60 means +# that each interval is one minute long (60 seconds). Other settings +# have not been tested much, so your mileage is likely to vary... + +interval_length=60 + + + +# AGGRESSIVE HOST CHECKING OPTION +# If you don't want to turn on aggressive host checking features, set +# this value to 0 (the default). Otherwise set this value to 1 to +# enable the aggressive check option. Read the docs for more info +# on what aggressive host check is or check out the source code in +# base/checks.c + +use_aggressive_host_checking=0 + + + +# SERVICE CHECK EXECUTION OPTION +# This determines whether or not Nagios will actively execute +# service checks when it initially starts. If this option is +# disabled, checks are not actively made, but Nagios can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of service checks, leave this enabled! +# Values: 1 = enable checks, 0 = disable checks + +execute_service_checks=1 + + + +# PASSIVE SERVICE CHECK ACCEPTANCE OPTION +# This determines whether or not Nagios will accept passive +# service checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_service_checks=1 + + + +# HOST CHECK EXECUTION OPTION +# This determines whether or not Nagios will actively execute +# host checks when it initially starts. If this option is +# disabled, checks are not actively made, but Nagios can still +# receive and process passive check results that come in. Unless +# you're implementing redundant hosts or have a special need for +# disabling the execution of host checks, leave this enabled! 
+# Values: 1 = enable checks, 0 = disable checks + +execute_host_checks=1 + + + +# PASSIVE HOST CHECK ACCEPTANCE OPTION +# This determines whether or not Nagios will accept passive +# host checks results when it initially (re)starts. +# Values: 1 = accept passive checks, 0 = reject passive checks + +accept_passive_host_checks=1 + + + +# NOTIFICATIONS OPTION +# This determines whether or not Nagios will sent out any host or +# service notifications when it is initially (re)started. +# Values: 1 = enable notifications, 0 = disable notifications + +enable_notifications=1 + + + +# EVENT HANDLER USE OPTION +# This determines whether or not Nagios will run any host or +# service event handlers when it is initially (re)started. Unless +# you're implementing redundant hosts, leave this option enabled. +# Values: 1 = enable event handlers, 0 = disable event handlers + +enable_event_handlers=1 + + + +# PROCESS PERFORMANCE DATA OPTION +# This determines whether or not Nagios will process performance +# data returned from service and host checks. If this option is +# enabled, host performance data will be processed using the +# host_perfdata_command (defined below) and service performance +# data will be processed using the service_perfdata_command (also +# defined below). Read the HTML docs for more information on +# performance data. +# Values: 1 = process performance data, 0 = do not process performance data + +process_performance_data=0 + + + +# HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS +# These commands are run after every host and service check is +# performed. These commands are executed only if the +# enable_performance_data option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on performance data. 
+ +#host_perfdata_command=process-host-perfdata +#service_perfdata_command=process-service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILES +# These files are used to store host and service performance data. +# Performance data is only written to these files if the +# enable_performance_data option (above) is set to 1. + +#host_perfdata_file=/tmp/host-perfdata +#service_perfdata_file=/tmp/service-perfdata + + + +# HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES +# These options determine what data is written (and how) to the +# performance data files. The templates may contain macros, special +# characters (\t for tab, \r for carriage return, \n for newline) +# and plain text. A newline is automatically added after each write +# to the performance data file. Some examples of what you can do are +# shown below. + +#host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$ +#service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$ + + + +# HOST AND SERVICE PERFORMANCE DATA FILE MODES +# This option determines whether or not the host and service +# performance data files are opened in write ("w") or append ("a") +# mode. If you want to use named pipes, you should use the special +# pipe ("p") mode which avoid blocking at startup, otherwise you will +# likely want the defult append ("a") mode. + +#host_perfdata_file_mode=a +#service_perfdata_file_mode=a + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL +# These options determine how often (in seconds) the host and service +# performance data files are processed using the commands defined +# below. A value of 0 indicates the files should not be periodically +# processed. 
+ +#host_perfdata_file_processing_interval=0 +#service_perfdata_file_processing_interval=0 + + + +# HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS +# These commands are used to periodically process the host and +# service performance data files. The interval at which the +# processing occurs is determined by the options above. + +#host_perfdata_file_processing_command=process-host-perfdata-file +#service_perfdata_file_processing_command=process-service-perfdata-file + + + +# OBSESS OVER SERVICE CHECKS OPTION +# This determines whether or not Nagios will obsess over service +# checks and run the ocsp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over services, 0 = do not obsess (default) + +obsess_over_services=0 + + + +# OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND +# This is the command that is run for every service check that is +# processed by Nagios. This command is executed only if the +# obsess_over_services option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ocsp_command=somecommand + + + +# OBSESS OVER HOST CHECKS OPTION +# This determines whether or not Nagios will obsess over host +# checks and run the ochp_command defined below. Unless you're +# planning on implementing distributed monitoring, do not enable +# this option. Read the HTML docs for more information on +# implementing distributed monitoring. +# Values: 1 = obsess over hosts, 0 = do not obsess (default) + +obsess_over_hosts=0 + + + +# OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND +# This is the command that is run for every host check that is +# processed by Nagios. 
This command is executed only if the +# obsess_over_hosts option (above) is set to 1. The command +# argument is the short name of a command definition that you +# define in your host configuration file. Read the HTML docs for +# more information on implementing distributed monitoring. + +#ochp_command=somecommand + + + +# TRANSLATE PASSIVE HOST CHECKS OPTION +# This determines whether or not Nagios will translate +# DOWN/UNREACHABLE passive host check results into their proper +# state for this instance of Nagios. This option is useful +# if you have distributed or failover monitoring setup. In +# these cases your other Nagios servers probably have a different +# "view" of the network, with regards to the parent/child relationship +# of hosts. If a distributed monitoring server thinks a host +# is DOWN, it may actually be UNREACHABLE from the point of +# this Nagios instance. Enabling this option will tell Nagios +# to translate any DOWN or UNREACHABLE host states it receives +# passively into the correct state from the view of this server. +# Values: 1 = perform translation, 0 = do not translate (default) + +translate_passive_host_checks=0 + + + +# PASSIVE HOST CHECKS ARE SOFT OPTION +# This determines whether or not Nagios will treat passive host +# checks as being HARD or SOFT. By default, a passive host check +# result will put a host into a HARD state type. This can be changed +# by enabling this option. +# Values: 0 = passive checks are HARD, 1 = passive checks are SOFT + +passive_host_checks_are_soft=0 + + + +# ORPHANED HOST/SERVICE CHECK OPTIONS +# These options determine whether or not Nagios will periodically +# check for orphaned host service checks. Since service checks are +# not rescheduled until the results of their previous execution +# instance are processed, there exists a possibility that some +# checks may never get rescheduled. 
A similar situation exists for +# host checks, although the exact scheduling details differ a bit +# from service checks. Orphaned checks seem to be a rare +# problem and should not happen under normal circumstances. +# If you have problems with service checks never getting +# rescheduled, make sure you have orphaned service checks enabled. +# Values: 1 = enable checks, 0 = disable checks + +check_for_orphaned_services=1 +check_for_orphaned_hosts=1 + + + +# SERVICE FRESHNESS CHECK OPTION +# This option determines whether or not Nagios will periodically +# check the "freshness" of service results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_service_freshness=1 + + + +# SERVICE FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Nagios will +# check the "freshness" of service check results. If you have +# disabled service freshness checking, this option has no effect. + +service_freshness_check_interval=60 + + + +# HOST FRESHNESS CHECK OPTION +# This option determines whether or not Nagios will periodically +# check the "freshness" of host results. Enabling this option +# is useful for ensuring passive checks are received in a timely +# manner. +# Values: 1 = enabled freshness checking, 0 = disable freshness checking + +check_host_freshness=0 + + + +# HOST FRESHNESS CHECK INTERVAL +# This setting determines how often (in seconds) Nagios will +# check the "freshness" of host check results. If you have +# disabled host freshness checking, this option has no effect. + +host_freshness_check_interval=60 + + + + +# ADDITIONAL FRESHNESS THRESHOLD LATENCY +# This setting determines the number of seconds that Nagios +# will add to any host and service freshness thresholds that +# it calculates (those not explicitly specified by the user). 
+ +additional_freshness_latency=15 + + + + +# FLAP DETECTION OPTION +# This option determines whether or not Nagios will try +# and detect hosts and services that are "flapping". +# Flapping occurs when a host or service changes between +# states too frequently. When Nagios detects that a +# host or service is flapping, it will temporarily suppress +# notifications for that host/service until it stops +# flapping. Flap detection is very experimental, so read +# the HTML documentation before enabling this feature! +# Values: 1 = enable flap detection +# 0 = disable flap detection (default) + +enable_flap_detection=1 + + + +# FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES +# Read the HTML documentation on flap detection for +# an explanation of what this option does. This option +# has no effect if flap detection is disabled. + +low_service_flap_threshold=5.0 +high_service_flap_threshold=20.0 +low_host_flap_threshold=5.0 +high_host_flap_threshold=20.0 + + + +# DATE FORMAT OPTION +# This option determines how short dates are displayed. Valid options +# include: +# us (MM-DD-YYYY HH:MM:SS) +# euro (DD-MM-YYYY HH:MM:SS) +# iso8601 (YYYY-MM-DD HH:MM:SS) +# strict-iso8601 (YYYY-MM-DDTHH:MM:SS) +# + +date_format=iso8601 + + + + +# TIMEZONE OFFSET +# This option is used to override the default timezone that this +# instance of Nagios runs in. If not specified, Nagios will use +# the system configured timezone. +# +# NOTE: In order to display the correct timezone in the CGIs, you +# will also need to alter the Apache directives for the CGI path +# to include your timezone. Example: +# +# +# SetEnv TZ "Australia/Brisbane" +# ... +# + +#use_timezone=US/Mountain +#use_timezone=Australia/Brisbane + + + + +# P1.PL FILE LOCATION +# This value determines where the p1.pl perl script (used by the +# embedded Perl interpreter) is located. If you didn't compile +# Nagios with embedded Perl support, this option has no effect. 
+ +p1_file=/usr/lib/nagios3/p1.pl + + + +# EMBEDDED PERL INTERPRETER OPTION +# This option determines whether or not the embedded Perl interpreter +# will be enabled during runtime. This option has no effect if Nagios +# has not been compiled with support for embedded Perl. +# Values: 0 = disable interpreter, 1 = enable interpreter + +enable_embedded_perl=1 + + + +# EMBEDDED PERL USAGE OPTION +# This option determines whether or not Nagios will process Perl plugins +# and scripts with the embedded Perl interpreter if the plugins/scripts +# do not explicitly indicate whether or not it is okay to do so. Read +# the HTML documentation on the embedded Perl interpreter for more +# information on how this option works. + +use_embedded_perl_implicitly=1 + + + +# ILLEGAL OBJECT NAME CHARACTERS +# This option allows you to specify illegal characters that cannot +# be used in host names, service descriptions, or names of other +# object types. + +illegal_object_name_chars=`~!$%^&*|'"<>?,()= + + + +# ILLEGAL MACRO OUTPUT CHARACTERS +# This option allows you to specify illegal characters that are +# stripped from macros before being used in notifications, event +# handlers, etc. This DOES NOT affect macros used in service or +# host check commands. +# The following macros are stripped of the characters you specify: +# $HOSTOUTPUT$ +# $HOSTPERFDATA$ +# $HOSTACKAUTHOR$ +# $HOSTACKCOMMENT$ +# $SERVICEOUTPUT$ +# $SERVICEPERFDATA$ +# $SERVICEACKAUTHOR$ +# $SERVICEACKCOMMENT$ + +illegal_macro_output_chars=`~$&|'"<> + + + +# REGULAR EXPRESSION MATCHING +# This option controls whether or not regular expression matching +# takes place in the object config files. Regular expression +# matching is used to match host, hostgroup, service, and service +# group names/descriptions in some fields of various object types. 
+# Values: 1 = enable regexp matching, 0 = disable regexp matching + +use_regexp_matching=0 + + + +# "TRUE" REGULAR EXPRESSION MATCHING +# This option controls whether or not "true" regular expression +# matching takes place in the object config files. This option +# only has an effect if regular expression matching is enabled +# (see above). If this option is DISABLED, regular expression +# matching only occurs if a string contains wildcard characters +# (* and ?). If the option is ENABLED, regexp matching occurs +# all the time (which can be annoying). +# Values: 1 = enable true matching, 0 = disable true matching + +use_true_regexp_matching=0 + + + +# ADMINISTRATOR EMAIL/PAGER ADDRESSES +# The email and pager address of a global administrator (likely you). +# Nagios never uses these values itself, but you can access them by +# using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification +# commands. + +admin_email=root@localhost +admin_pager=pageroot@localhost + + + +# DAEMON CORE DUMP OPTION +# This option determines whether or not Nagios is allowed to create +# a core dump when it runs as a daemon. Note that it is generally +# considered bad form to allow this, but it may be useful for +# debugging purposes. Enabling this option doesn't guarantee that +# a core file will be produced, but that's just life... +# Values: 1 - Allow core dumps +# 0 - Do not allow core dumps (default) + +daemon_dumps_core=0 + + + +# LARGE INSTALLATION TWEAKS OPTION +# This option determines whether or not Nagios will take some shortcuts +# which can save on memory and CPU usage in large Nagios installations. +# Read the documentation for more information on the benefits/tradeoffs +# of enabling this option. 
+# Values: 1 - Enabled tweaks +# 0 - Disable tweaks (default) + +use_large_installation_tweaks=0 + + + +# ENABLE ENVIRONMENT MACROS +# This option determines whether or not Nagios will make all standard +# macros available as environment variables when host/service checks +# and system commands (event handlers, notifications, etc.) are +# executed. Enabling this option can cause performance issues in +# large installations, as it will consume a bit more memory and (more +# importantly) consume more CPU. +# Values: 1 - Enable environment variable macros (default) +# 0 - Disable environment variable macros + +enable_environment_macros=1 + + + +# CHILD PROCESS MEMORY OPTION +# This option determines whether or not Nagios will free memory in +# child processes (processed used to execute system commands and host/ +# service checks). If you specify a value here, it will override +# program defaults. +# Value: 1 - Free memory in child processes +# 0 - Do not free memory in child processes + +#free_child_process_memory=1 + + + +# CHILD PROCESS FORKING BEHAVIOR +# This option determines how Nagios will fork child processes +# (used to execute system commands and host/service checks). Normally +# child processes are fork()ed twice, which provides a very high level +# of isolation from problems. Fork()ing once is probably enough and will +# save a great deal on CPU usage (in large installs), so you might +# want to consider using this. If you specify a value here, it will +# program defaults. +# Value: 1 - Child processes fork() twice +# 0 - Child processes fork() just once + +#child_processes_fork_twice=1 + + + +# DEBUG LEVEL +# This option determines how much (if any) debugging information will +# be written to the debug file. OR values together to log multiple +# types of information. 
+# Values: +# -1 = Everything +# 0 = Nothing +# 1 = Functions +# 2 = Configuration +# 4 = Process information +# 8 = Scheduled events +# 16 = Host/service checks +# 32 = Notifications +# 64 = Event broker +# 128 = External commands +# 256 = Commands +# 512 = Scheduled downtime +# 1024 = Comments +# 2048 = Macros + +debug_level=-1 + + + +# DEBUG VERBOSITY +# This option determines how verbose the debug log out will be. +# Values: 0 = Brief output +# 1 = More detailed +# 2 = Very detailed + +debug_verbosity=1 + + + +# DEBUG FILE +# This option determines where Nagios should write debugging information. + +debug_file=/var/lib/nagios3/nagios.debug + + + +# MAX DEBUG FILE SIZE +# This option determines the maximum size (in bytes) of the debug file. If +# the file grows larger than this size, it will be renamed with a .old +# extension. If a file already exists with a .old extension it will +# automatically be deleted. This helps ensure your disk space usage doesn't +# get out of control when debugging Nagios. + +max_debug_file_size=1000000 + + -- cgit v1.2.3 From f8e3cf9aa8362c5ec36d3b0d33477898a2fd5c0c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 16:14:26 +0100 Subject: deploy openvpn check --- puppet/modules/site_nagios/manifests/add_service.pp | 2 +- puppet/modules/site_nagios/manifests/server.pp | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 1a69e068..a1f99cc9 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -2,7 +2,7 @@ define site_nagios::add_service ($hostname, $ip_address, $service) { case $service { 'openvpn': { - $check_command = 'check_openvpn' + $check_command = "check_openvpn_server_ip_port!$ip_address!1194" $service_description = 'Openvpn' } 'webapp': { 
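Review bot: The new `$check_command` on the `+` line hard-codes the port as `!1194` while the OpenVPN listener port is hard-coded separately as `port => '1194'` in `site_openvpn` later on this page, so the two can drift apart without any warning; passing the port in from the same place (e.g. a `$openvpn_port` define parameter interpolated as `!${openvpn_port}`) keeps one source of truth. The `check_openvpn_server_ip_port` command definition is not part of this change, so it presumably lives in the nagios module; if it does not, `nagios3 -v` will reject the generated service. The define body continues outside the hunk.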
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index a8ebeaf4..fe3ab542 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -13,5 +13,13 @@ class site_nagios::server { #before => Class ['nagios::defaults'] } + # deploy serverside plugins + file { '/usr/lib/nagios/plugins/check_openvpn_server.pl': + source => 'puppet:///modules/nagios/plugins/check_openvpn_server.pl', + mode => '0755', + owner => 'nagios', + group => 'nagios', + } + site_nagios::add_host {$hosts:} } -- cgit v1.2.3 From 8164205e06ecd9e1c68b788425cb4f71129b1061 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 16:15:33 +0100 Subject: don't deploy openvpn check until we fix #1546 --- puppet/modules/site_nagios/manifests/add_service.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index a1f99cc9..d8293b42 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -1,10 +1,10 @@ define site_nagios::add_service ($hostname, $ip_address, $service) { case $service { - 'openvpn': { - $check_command = "check_openvpn_server_ip_port!$ip_address!1194" - $service_description = 'Openvpn' - } + #'openvpn': { + # $check_command = "check_openvpn_server_ip_port!$ip_address!1194" + # $service_description = 'Openvpn' + #} 'webapp': { $check_command = 'check_http' $service_description = 'Website' -- cgit v1.2.3 From f34cecba90941f3e4acbe88cab6ce0b5a76b8ce2 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 16:21:11 +0100 Subject: use check_https for website --- puppet/modules/site_nagios/manifests/add_service.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') 
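Review bot: The plugin deployed by the new `file` resource is owned by, and therefore writable by, the same `nagios` account that presumably executes it (`owner => 'nagios'`, `mode => '0755'`), so a compromise of any check running as that user can replace the plugin that every subsequent run executes. Root ownership with execute-only rights for the daemon is the usual arrangement: `owner => 'root', group => 'root', mode => '0755'`, together with `ensure => file` to state the intent. Whether the nagios module deploys its other plugins the same way is not visible here.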
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index d8293b42..5b282ac4 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -6,7 +6,7 @@ define site_nagios::add_service ($hostname, $ip_address, $service) { # $service_description = 'Openvpn' #} 'webapp': { - $check_command = 'check_http' + $check_command = 'check_https' $service_description = 'Website' } default: { notice ("No Nagios service check for service \"$service\"") } -- cgit v1.2.3 From 76375b224bd621ab2238fa49207ca928892cd6f5 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 16:59:18 +0100 Subject: disabled notice about nagios services not deployed --- puppet/modules/site_nagios/manifests/add_service.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 5b282ac4..25babd18 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -1,6 +1,7 @@ define site_nagios::add_service ($hostname, $ip_address, $service) { case $service { + # don't deploy until we fix 1546 #'openvpn': { # $check_command = "check_openvpn_server_ip_port!$ip_address!1194" # $service_description = 'Openvpn' @@ -9,7 +10,9 @@ define site_nagios::add_service ($hostname, $ip_address, $service) { $check_command = 'check_https' $service_description = 'Website' } - default: { notice ("No Nagios service check for service \"$service\"") } + default: { + #notice ("No Nagios service check for service \"$service\"") + } } if ( $check_command != '' ) { -- cgit v1.2.3 From 5380b3add3c1cd9c016905d0c339744fc9f2be98 Mon Sep 17 00:00:00 2001 
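Review bot: Switching the webapp check to `check_https` only proves that a TLS handshake completes; the `check_https` command definition is not part of this change, and stock definitions of it typically run `check_http --ssl` against `$HOSTADDRESS$` without certificate validation or an expiry threshold, so an expired or mismatched certificate still reports OK. If the check is meant to catch that, define a site-specific command along the lines of `check_http --ssl -H '$HOSTNAME$' -I '$HOSTADDRESS$' -C 14` and point `$check_command` at it; passing the hostname also makes the probe use SNI. Worth confirming against the actual `check_https` definition on the server.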
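Review bot: Commenting out the `notice` in the `default:` branch means a service name with no matching check (a typo in hiera, or a service type added later) now yields no monitoring and no trace in the Puppet log, a silent gap that is easy to miss; if the message was noisy only for known unmonitored services, keep it and filter those, e.g. `default: { warning("No Nagios service check for service \"${service}\"") }`. Note also that `$check_command` is never assigned on this branch, so the `if ( $check_command != '' )` guard that follows relies on how this Puppet version compares an unassigned variable with `''`. The define body continues outside the hunk.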
From: varac Date: Mon, 28 Jan 2013 22:03:23 +0100 Subject: re-add nagios service check openvpn --- puppet/modules/site_nagios/manifests/add_host.pp | 14 ++++++++------ puppet/modules/site_nagios/manifests/add_service.pp | 11 ++++++----- 2 files changed, 14 insertions(+), 11 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp index d5aac67c..498552b5 100644 --- a/puppet/modules/site_nagios/manifests/add_host.pp +++ b/puppet/modules/site_nagios/manifests/add_host.pp @@ -1,8 +1,9 @@ define site_nagios::add_host { - $nagios_host = $name - $nagios_hostname = $name['domain_full'] - $nagios_ip = $name['ip_address'] - $nagios_services = $name['services'] + $nagios_host = $name + $nagios_hostname = $name['domain_internal'] + $nagios_ip = $name['ip_address'] + $nagios_services = $name['services'] + $nagios_openvpn_gw = $name['openvpn_gateway_address'] # Add Nagios host nagios_host { $nagios_hostname: @@ -15,8 +16,9 @@ define site_nagios::add_host { # First, we need to turn the serice array into hash, using a "hash template" # see https://github.com/ashak/puppet-resource-looping $nagios_service_hashpart = { - 'hostname' => $nagios_hostname, - 'ip_address' => $nagios_ip, + 'hostname' => $nagios_hostname, + 'ip_address' => $nagios_ip, + 'openvpn_gw' => $nagios_openvpn_gw, } $dynamic_parameters = { 'service' => '%s' diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 25babd18..280cb010 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp 
@@ -1,11 +1,12 @@ -define site_nagios::add_service ($hostname, $ip_address, $service) { +define site_nagios::add_service ( + $hostname, $ip_address, $openvpn_gw = '', $service) { case $service { # don't deploy until we fix 1546 - #'openvpn': { - # $check_command = "check_openvpn_server_ip_port!$ip_address!1194" - # $service_description = 'Openvpn' - #} + 'openvpn': { + $check_command = "check_openvpn_server_ip_port!$openvpn_gw!1194" + $service_description = 'Openvpn' + } 'webapp': { $check_command = 'check_https' $service_description = 'Website' -- cgit v1.2.3 From 39cd7faddb030dbf4f789ff5964e5c96201c64dc Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 28 Jan 2013 22:33:25 +0100 Subject: set nagiosadmin htpasswd --- puppet/modules/site_nagios/manifests/server.pp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index fe3ab542..7c17fe82 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -1,7 +1,7 @@ -class site_nagios::server { +class site_nagios::server inherits nagios::base { $nagios_hiera=hiera('nagios') - $nagiosadmin_pw = $nagios_hiera['nagiosadmin_pw'] + $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) $hosts = $nagios_hiera['hosts'] include nagios::defaults @@ -13,6 +13,13 @@ class site_nagios::server { #before => Class ['nagios::defaults'] } + File ['nagios_htpasswd'] { + source => undef, + content => "nagiosadmin:$nagiosadmin_pw", + mode => '0640', + } + + # deploy serverside plugins file { '/usr/lib/nagios/plugins/check_openvpn_server.pl': source => 'puppet:///modules/nagios/plugins/check_openvpn_server.pl', -- cgit v1.2.3 From dd39a69c717cb01b604e8df84217288cc8133fa1 Mon Sep 17 00:00:00 2001 
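Review bot: The re-enabled `openvpn` branch builds `check_openvpn_server_ip_port!$openvpn_gw!1194` from a parameter whose default is `''`, so a host whose hiera entry lacks `openvpn_gateway_address` silently produces `check_openvpn_server_ip_port!!1194`, a check against an empty address, instead of an error; guard it with `if $openvpn_gw == '' { fail("openvpn service on ${hostname} has no openvpn_gateway_address") }`. The `# don't deploy until we fix 1546` comment is left above the now-active block and is now misleading. Putting the defaulted `$openvpn_gw = ''` before the required `$service` is also flagged by puppet-lint; since callers pass parameters by name, `$service` can move ahead of it without breaking them. The define body continues outside the hunk.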
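Review bot: `htpasswd_sha1()` produces Apache's `{SHA}` format, an unsalted SHA-1 of the password, so a leaked `htpasswd` file is cheap to brute-force offline; prefer a salted scheme the installed Apache supports (APR1-MD5 as `htpasswd -m` produces, or bcrypt on Apache 2.4+) and replace the `htpasswd_sha1(...)` call accordingly. The overridden `File['nagios_htpasswd']` sets `mode => '0640'` without `owner`/`group`, and `0640` only protects the hash if the group is the web server's account alone; that is not visible here and worth confirming. The `content` value also lacks a trailing newline, which `htpasswd`-style tools expect when appending; `"nagiosadmin:${nagiosadmin_pw}\n"` avoids that.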
From: varac Date: Tue, 29 Jan 2013 11:29:14 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 507d5448..92d2d7be 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 507d5448c85904d6471e829d3afe00cff89e7520 +Subproject commit 92d2d7be5f99920c67245d02c1ce76288967db62 -- cgit v1.2.3 From be81edd7aa5e35c9bd79cd77946e6e7d17288bee Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 16:36:29 +0100 Subject: apt-get update + dist-upgrade in initial stage --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 87a2fc00..f129dd73 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,11 +1,15 @@ -class site_apt::dist_upgrade inherits apt::dist_upgrade { +class site_apt::dist_upgrade { if $::apt_running == 'true' { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') + } else { + exec{'initial_apt_update': + command => '/usr/bin/apt-get update && /usr/bin/apt-get autoclean', + refreshonly => false, + } + exec{'initial_apt_dist_upgrade': + command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", + refreshonly => false, + } } - # ensue dist-upgrade on every puppetrun - Exec['apt_dist-upgrade']{ - refreshonly => false, - } - } -- cgit v1.2.3 From d0bec7ba086aadefba3655509db6c5b25b116bfb Mon Sep 17 00:00:00 2001 
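Review bot: The two new `exec` resources carry no relationship, so `initial_apt_dist_upgrade` can run before `initial_apt_update` on any given run (without one, Puppet of this era does not order resources by manifest position), upgrading against a stale package index; add `require => Exec['initial_apt_update']` to the dist-upgrade exec. Both are also unconditional (`refreshonly => false` and no `onlyif`/`unless`), so every Puppet run performs a full unattended `dist-upgrade` with `-y` and `--force-confold` on production hosts; gating it with something like `unless => '/usr/bin/apt-get -s dist-upgrade | /bin/grep -q "^0 upgraded"'` and adding `environment => ['DEBIAN_FRONTEND=noninteractive']` keeps the run from hanging on a debconf prompt and makes each upgrade show up as a change. The `&&` in `initial_apt_update` needs a shell, which the default provider does not guarantee; `provider => shell` states that explicitly.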
From: varac Date: Tue, 29 Jan 2013 16:39:23 +0100 Subject: run stage declaration moved to site.pp --- puppet/manifests/site.pp | 6 +++++- puppet/modules/site_config/manifests/init.pp | 6 +----- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1a76e3bd..33566f0c 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,6 +1,10 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +stage { 'initial': + before => Stage['main'], +} + node 'default' { # prerequisites import 'common' @@ -11,7 +15,7 @@ node 'default' { # include some basic classes include site_config } else { - notice ('NOT applying site_config') + notice ('NOT applying site_config') } # parse services for host diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index c27074ed..f0ce9856 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -17,12 +17,8 @@ class site_config { # configure caching, local resolver include site_config::caching_resolver - - # configure /etc/hosts - stage { 'initial': - before => Stage['main'], - } + # configure /etc/hosts class { 'site_config::hosts': stage => initial, } -- cgit v1.2.3 From 3f8c8b8f4b02dd1948d931945ab673e15f0e5089 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 17:01:47 +0100 Subject: start shorewall on deploy (fixes #1122) --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 57dc17e9..7de1510c 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - $shorewall_startup='0' + if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } include site_shorewall::defaults -- cgit v1.2.3 From 4cc4237b1184b89b7c491267f8ddbc13067730b4 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 17:02:13 +0100 Subject: fix deprecation warnings in site_config --- puppet/modules/site_config/manifests/hosts.pp | 2 +- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 80619e33..a5f1b105 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,7 +3,7 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') - $domain_public = $domain_hash['full_suffix'] + $domain_public = $site_config::domain_hash['full_suffix'] file { "/etc/hostname": ensure => present, diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index adecb838..b803f17e 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -11,7 +11,7 @@ class site_config::resolvconf { ensure => absent; } - $domain_public = $domain_hash['full_suffix'] + $domain_public = $site_config::domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de -- cgit v1.2.3 From 64a3ec6ac5a064800a32170c2e8d058ab8b7dd62 Mon Sep 17 00:00:00 2001 
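Review bot: The firewall is now disabled (`$shorewall_startup='0'`) solely on the `$::virtual == 'virtualbox'` fact, so any VirtualBox guest, including a staging node someone treats as real, runs without Shorewall, and the `# be safe for development` comment no longer explains what the condition actually keys on. An explicit node-data switch such as `$shorewall_startup = hiera('shorewall_startup', '1')` keeps that decision visible in hiera rather than inferred from the hypervisor. For every other host `$shorewall_startup` is no longer assigned in this hunk, so the startup value now comes from `site_shorewall::defaults` or the shorewall module, which is not visible here. The class body continues outside the hunk.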
From: varac Date: Tue, 29 Jan 2013 18:57:56 +0100 Subject: Purge nagios config files on every run (Feature #1544) --- puppet/modules/site_nagios/manifests/server.pp | 5 +++++ puppet/modules/site_nagios/manifests/server/purge.pp | 7 +++++++ 2 files changed, 12 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server/purge.pp (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 7c17fe82..5e2f832b 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -1,5 +1,10 @@ class site_nagios::server inherits nagios::base { + # First, purge old nagios config (see #1467) + class { 'site_nagios::server::purge': + stage => initial + } + $nagios_hiera=hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) $hosts = $nagios_hiera['hosts'] diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp new file mode 100644 index 00000000..66c27dd5 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -0,0 +1,7 @@ +class site_nagios::server::purge { + exec {'purge_conf.d': + command => '/bin/rm -rf /etc/nagios3/conf.d', + onlyif => 'test -e /etc/nagios3/conf.d' + } + +} -- cgit v1.2.3 From 6ebc2b495d9ea920770823cd08ae4eb881b684f7 Mon Sep 17 00:00:00 2001 
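Review bot: `exec { 'purge_conf.d': command => '/bin/rm -rf /etc/nagios3/conf.d' }` deletes the entire directory on every run and relies on stage ordering for later resources to repopulate it, so a failure anywhere after the `initial` stage leaves the host with no Nagios service definitions, and anything placed there by hand disappears without a report. Puppet's own purge only removes files it does not manage and logs each removal, which is both safer and auditable; the `exec` can be replaced by a managed directory as below. Separately, the `# First, purge old nagios config (see #1467)` comment in `server.pp` cites a different ticket than the commit subject's #1544, so one of them is stale.

```puppet
file { '/etc/nagios3/conf.d':
  ensure  => directory,
  recurse => true,
  purge   => true,
  force   => true,
}
```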
From: Micah Anderson Date: Sun, 27 Jan 2013 20:23:52 -0500 Subject: add a new fact that provides a fact for each configured ip address, telling you which interface has it (essentially the inverse of the ipaddress_${interface} fact). Switch the hiera lookups of the $interface, which was pulling from the .json to pull instead from the above fact, see #1547 and #1548 --- puppet/modules/site_config/lib/facter/ip_interface.rb | 13 +++++++++++++ puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_shorewall/manifests/eip.pp | 3 ++- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_config/lib/facter/ip_interface.rb (limited to 'puppet') diff --git a/puppet/modules/site_config/lib/facter/ip_interface.rb b/puppet/modules/site_config/lib/facter/ip_interface.rb new file mode 100644 index 00000000..2a4a6b50 --- /dev/null +++ b/puppet/modules/site_config/lib/facter/ip_interface.rb @@ -0,0 +1,13 @@ +require 'facter/util/ip' + +Facter::Util::IP.get_interfaces.each do |interface| + ip = Facter.value("ipaddress_#{interface}") + if ip != nil + Facter.add(ip + "_interface" ) do + setcode do + interface + end + end + end +end + diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4606179c..a9fa8b2b 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,7 +1,7 @@ class site_openvpn { # parse hiera config $ip_address = hiera('ip_address') - $interface = hiera('interface') + $interface = getvar("$::{ip_address}_interface") #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7de1510c..35912dfe 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -5,7 +5,8 @@ class site_shorewall::eip { include site_shorewall::defaults - $interface = hiera('interface') + $ip_address = hiera('ip_address') + $interface = getvar("$::{ip_address}_interface") $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') -- cgit v1.2.3 From bdf7beb1594b480bd438625b33f27403d2ab5959 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:24:29 -0500 Subject: enclose the variables in curly braces, as recommended by puppet-lint --- puppet/modules/site_openvpn/manifests/init.pp | 8 ++++---- puppet/modules/site_shorewall/manifests/eip.pp | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index a9fa8b2b..4e13bb5d 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -21,15 +21,15 @@ class site_openvpn { port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => "$openvpn_tcp_network_prefix.0 $openvpn_tcp_netmask", - push => "\"dhcp-option DNS $openvpn_tcp_network_prefix.1\"", + server => "${openvpn_tcp_network_prefix.0} ${openvpn_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - server => "$openvpn_udp_network_prefix.0 $openvpn_udp_netmask", - push => "\"dhcp-option DNS $openvpn_udp_network_prefix.1\"", + server => "${openvpn_udp_network_prefix.0} ${openvpn_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", local => $openvpn_gateway_address, management => '127.0.0.1 1001' } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 35912dfe..a3f6ee54 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp 
+++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -43,11 +43,11 @@ PARAM - - udp 1194 shorewall::masq { "${interface}_tcp": interface => $interface, - source => "$site_openvpn::openvpn_tcp_network_prefix.0/$site_openvpn::openvpn_tcp_cidr"; } + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; } shorewall::masq { "${interface}_udp": interface => $interface, - source => "$site_openvpn::openvpn_udp_network_prefix.0/$site_openvpn::openvpn_udp_cidr"; } + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From 7480df63974459e733a6733994adc19ac464be6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 27 Jan 2013 20:47:01 -0500 Subject: create a special case for vagrant machines that need to have both interfaces in the net zone so we dont lock ourselves out during deploy, but also are able to access the internet --- puppet/modules/site_shorewall/manifests/eip.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a3f6ee54..067b2f83 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -6,7 +6,11 @@ class site_shorewall::eip { include site_shorewall::defaults $ip_address = hiera('ip_address') - $interface = getvar("$::{ip_address}_interface") + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => ['eth0', 'eth1'], + default => getvar("$::{ip_address}_interface") + } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') -- cgit v1.2.3 From 4afce540c645bb0e472312db726141c3ab18f065 Mon Sep 17 00:00:00 2001 
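Review bot: The selector makes `$interface` an array (`['eth0', 'eth1']`) on VirtualBox and a string elsewhere, but the `shorewall::masq` resources further down this class (visible in the hunk just before this one) use it both inside a title, `"${interface}_tcp"`, and as the `interface` parameter; interpolating an array into a title yields something like `eth0eth1_tcp`, and whether `shorewall::masq` accepts an array for `interface` is not visible here. Either iterate with a small `define` that takes the interface as `$name`, or keep `$interface` a string and add the second interface to the net zone separately. The class body continues outside the hunk.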
From: Micah Anderson Date: Tue, 29 Jan 2013 11:36:08 -0500 Subject: it seems facts cannot start with numbers --- puppet/modules/site_config/lib/facter/ip_interface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet')
diff --git a/puppet/modules/site_config/lib/facter/ip_interface.rb b/puppet/modules/site_config/lib/facter/ip_interface.rb
index 2a4a6b50..45764bfc 100644
--- a/puppet/modules/site_config/lib/facter/ip_interface.rb
+++ b/puppet/modules/site_config/lib/facter/ip_interface.rb
@@ -3,7 +3,7 @@ require 'facter/util/ip'
 Facter::Util::IP.get_interfaces.each do |interface|
 ip = Facter.value("ipaddress_#{interface}")
 if ip != nil
- Facter.add(ip + "_interface" ) do
+ Facter.add("interface_" + ip ) do
 setcode do
 interface
 end
-- cgit v1.2.3 From d6b334a20dcf495ea0b9cb7247c0e20d478dbbba Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 11:37:42 -0500 Subject: fix syntax error from enclosing variables in curly --- puppet/modules/site_openvpn/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 4e13bb5d..b4c573e7 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
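Review bot: Renaming the fact to `interface_<ip>` avoids the leading digit, but the two consumers on this page, `site_openvpn/init.pp` and `site_shorewall/eip.pp`, still call `getvar("$::{ip_address}_interface")`, so after this commit they look up a fact that no longer exists and `$interface` is undefined; change them to `getvar("interface_${ip_address}")`. The IP's dots also end up in the variable name, and Puppet variable names cannot contain `.`, so it is worth verifying that `getvar` resolves such a fact at all, or mapping dots to underscores on both sides (`ip.gsub('.', '_')` here, `regsubst($ip_address, '\.', '_', 'G')` in the manifests). The `each` block that contains the changed line closes outside the hunk.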
@@ -21,14 +21,14 @@ class site_openvpn { port => '1194', proto => 'tcp', local => $openvpn_gateway_address, - server => "${openvpn_tcp_network_prefix.0} ${openvpn_tcp_netmask}", + server => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", push => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", management => '127.0.0.1 1000' } site_openvpn::server_config { 'udp_config': port => '1194', proto => 'udp', - server => "${openvpn_udp_network_prefix.0} ${openvpn_udp_netmask}", + server => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_udp_network_prefix}.1\"", local => $openvpn_gateway_address, management => '127.0.0.1 1001' -- cgit v1.2.3 From 0e1f5ab91e7a613da7ec15495f05386a98626b08 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 11:54:53 -0500 Subject: fix variable scoping --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b4c573e7..d777aa81 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,7 +1,7 @@ class site_openvpn { # parse hiera config $ip_address = hiera('ip_address') - $interface = getvar("$::{ip_address}_interface") + $interface = getvar("${ip_address}_interface") #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 067b2f83..d5d7ff19 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
@@ -9,7 +9,7 @@ class site_shorewall::eip { # a special case for vagrant interfaces $interface = $::virtual ? { virtualbox => ['eth0', 'eth1'], - default => getvar("$::{ip_address}_interface") + default => getvar("${ip_address}_interface") } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] -- cgit v1.2.3 From e83842af0eff8e7754f79100c786f0dc235eba75 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 13:15:38 -0500 Subject: setup special casing for vagrant/virtualbox --- puppet/modules/site_shorewall/manifests/eip.pp | 50 ++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index d5d7ff19..b2d165db 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -8,7 +8,7 @@ class site_shorewall::eip { $ip_address = hiera('ip_address') # a special case for vagrant interfaces $interface = $::virtual ? { - virtualbox => ['eth0', 'eth1'], + virtualbox => [ 'eth0', 'eth1' ], default => getvar("${ip_address}_interface") } $ssh_config = hiera('ssh') 
@@ -30,28 +30,42 @@ PARAM - - udp 1194 options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::interface {'tun0': - zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::interface {'tun1': - zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::interface { + 'tun0': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun1': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs' + } shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: - interface => $interface; } - - - shorewall::masq { "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; } - - shorewall::masq { "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + shorewall::routestopped { $interface: } + + case $::virtual { + 'virtualbox': { + shorewall::masq { + 'eth0_tcp': + interface => 'eth0', + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + 'eth0_udp': + interface => 'eth0', + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + } + default: { + shorewall::masq { + "${interface}_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + + "${interface}_udp": + interface => $interface, + source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } + } + } shorewall::policy { 'eip-to-all': -- cgit v1.2.3 From a3edca1924353a797fffd8fb8506d8be86d930d3 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 29 Jan 2013 13:20:05 -0500 Subject: fix variable name for re-ordered fact --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index d777aa81..0ddb01ae 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,7 +1,7 @@ class site_openvpn { # parse hiera config $ip_address = hiera('ip_address') - $interface = getvar("${ip_address}_interface") + $interface = getvar("interface_${ip_address}") #$gateway_address = hiera('gateway_address') $openvpn_config = hiera('openvpn') $openvpn_gateway_address = $openvpn_config['gateway_address'] diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index b2d165db..09dfece6 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -9,7 +9,7 @@ class site_shorewall::eip { # a special case for vagrant interfaces $interface = $::virtual ? { virtualbox => [ 'eth0', 'eth1' ], - default => getvar("${ip_address}_interface") + default => getvar("interface_${ip_address}") } $ssh_config = hiera('ssh') $ssh_port = $ssh_config['port'] -- cgit v1.2.3 From fd72a5e2a5f044003544602ebfa59dbaac685324 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 29 Jan 2013 19:47:55 +0100 Subject: automatic update of submodule puppet_couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b598e7d2..dcb8a082 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
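Review bot: `getvar("interface_${ip_address}")` yields undef when no `interface_<ip>` fact exists, for instance when the hiera `ip_address` is not bound to any interface on the node, and neither hunk checks for that, so `$interface` silently becomes undef and is later used as a shorewall resource title and `interface` parameter. A guard right after the lookup turns the misconfiguration into a clear compile failure, following the `!= undef` idiom already used in site_webapp: `if $interface == undef { fail("no interface carries ${ip_address}") }`. The same applies to the eip.pp hunk of this commit. Both class bodies continue outside their hunks.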
@@ -1 +1 @@ -Subproject commit b598e7d2a4be7ee863ae70450a73bfcda381634e +Subproject commit dcb8a082ac842b0660819ea61f9448c4e373746e -- cgit v1.2.3 From 93054f283f7f6e4e04fa9ddf901158654a62e9df Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 15:17:28 -0500 Subject: eliminate dynamic lookup deprecation warnings for site_couchdb::apache_ssl_proxy --- puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 02aae0c3..7739473e 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -12,13 +12,13 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { x509::key { 'leap_couchdb': - content => $x509['key'], + content => $key, notify => Service[apache]; } x509::cert { 'leap_couchdb': - content => $x509['cert'], + content => $cert, notify => Service[apache]; } -- cgit v1.2.3 From a48160a4861dcfffb661bcbf8783ecdb84cbf3e6 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 29 Jan 2013 13:00:40 -0800 Subject: added support for client ca cert in site openvpn. --- puppet/modules/site_openvpn/manifests/keys.pp | 6 ++++++ puppet/modules/site_openvpn/manifests/server_config.pp | 4 ++++ 2 files changed, 10 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 4c43ec05..78902676 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -12,6 +12,12 @@ class site_openvpn::keys { notify => Service[openvpn]; } + x509::ca { + 'leap_client_ca': + content => $site_openvpn::x509_config['client_ca_cert'], + notify => Service[openvpn]; + } + x509::ca { 'leap_openvpn': content => $site_openvpn::x509_config['ca_cert'], 
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index c4f64225..da40529c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -67,6 +67,10 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana } openvpn::option { + "ca $openvpn_configname": + key => 'ca', + value => '/usr/local/share/ca-certificates/leap_client_ca.crt', + server => $openvpn_configname; "ca $openvpn_configname": key => 'ca', value => '/usr/local/share/ca-certificates/leap_openvpn.crt', -- cgit v1.2.3 From b3f1d297973694f9aef9a7ab3d87799fc644f464 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 29 Jan 2013 16:38:39 -0500 Subject: test the $webapp['img_dir'] variable to see if it is undef or not, the default in the json is ~ (nil), which ends up being undef in puppet (closes #1575) --- puppet/modules/site_webapp/manifests/init.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 717a9477..c7d918ae 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -84,10 +84,14 @@ class site_webapp { '/srv/leap-webapp/app/assets/stylesheets/head.scss': ensure => 'link', target => $webapp['head_scss']; + } - '/srv/leap-webapp/public/img': - ensure => 'link', - target => $webapp['img_dir']; + if $webapp['img_dir'] != undef { + file { + '/srv/leap-webapp/public/img': + ensure => 'link', + target => $webapp['img_dir']; + } } file { -- cgit v1.2.3 From d61c7bc52dd86132a96d80d498dd63f1582417be Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 15:16:19 +0100 Subject: linted --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') 
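Review bot: The new `openvpn::option` entry reuses the title `"ca $openvpn_configname"` that the existing entry directly below it already carries, so the catalog fails with a duplicate declaration instead of emitting two `ca` directives; and OpenVPN's `ca` directive names a single file, so a second directive would not add a trusted CA even if it compiled. If both CAs are to be trusted, they have to be concatenated into one PEM bundle that the single `ca` option points at. The define body continues outside the hunk.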
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index da40529c..68387a90 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -143,7 +143,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana server => $openvpn_configname; "server $openvpn_configname": key => 'server', - value => "$server", + value => $server, server => $openvpn_configname; "status $openvpn_configname": key => 'status', -- cgit v1.2.3 From 6b3dafcb8c18ac31a1d11be661c255ec458d6078 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 15:40:58 +0100 Subject: start shorewall on vagrant nodes too (#1467) --- puppet/modules/site_shorewall/manifests/eip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 09dfece6..de81aa1d 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -1,7 +1,7 @@ class site_shorewall::eip { # be safe for development - if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } include site_shorewall::defaults -- cgit v1.2.3 From 50bb4b8b4d3f71b2916acbbefca92df9fdc53e68 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Jan 2013 10:32:15 -0500 Subject: provide a fall-back apt.sources.d entry that is disabled by default (#1348) This file will have the .disabled removed by the apt wrapper when the apt-get update fails --- puppet/modules/site_apt/manifests/init.pp | 5 +++++ puppet/modules/site_apt/templates/fallback.list | 3 +++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_apt/templates/fallback.list (limited to 'puppet') 
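Review bot: Commenting out the `$shorewall_startup` line leaves dead code in site_shorewall::eip and makes the `# be safe for development` comment above it describe nothing. Since the commit message records the reason (#1467), delete both lines, or replace them with a comment that states the current behaviour, `# shorewall is started on vagrant nodes as well (#1467)`. The class body continues outside the hunk.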
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 99bcce4f..beef6fa5 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -8,4 +8,9 @@ class site_apt { } include ::apt::unattended_upgrades + + apt::sources_list { 'fallback.list.disabled': + content => template('site_apt/fallback.list'); + } + } diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/fallback.list new file mode 100644 index 00000000..fa6d041f --- /dev/null +++ b/puppet/modules/site_apt/templates/fallback.list @@ -0,0 +1,3 @@ +# basic +deb http://ftp.debian.org/debian/ <%= codename %> <%= repos %> + -- cgit v1.2.3 From 0c0abf8496260f9e0f4c6e655af850396f203afe Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Jan 2013 16:53:58 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 92d2d7be..6c135ea7 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 92d2d7be5f99920c67245d02c1ce76288967db62 +Subproject commit 6c135ea7bc2ae9951154cf5471801469e3e3d581 -- cgit v1.2.3 From 09649211f3c4b9ffd08af15deabe5916cf78df72 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Jan 2013 11:19:20 -0500 Subject: codename is unavailable in the site_apt module, but $::lsbdistcodename is fine here --- puppet/modules/site_apt/templates/fallback.list | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/fallback.list index fa6d041f..41334b0b 100644 --- a/puppet/modules/site_apt/templates/fallback.list +++ b/puppet/modules/site_apt/templates/fallback.list 
@@ -1,3 +1,3 @@ # basic -deb http://ftp.debian.org/debian/ <%= codename %> <%= repos %> +deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free -- cgit v1.2.3 From ab9a292f41139c5c5e36de87e03236e29dd27e23 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:09:20 +0100 Subject: puppet tags: site_config::default and site_config::slow --- puppet/manifests/site.pp | 66 ++++++++++------------ puppet/modules/site_config/manifests/default.pp | 28 +++++++++ puppet/modules/site_config/manifests/hosts.pp | 2 +- puppet/modules/site_config/manifests/init.pp | 29 ---------- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- puppet/modules/site_config/manifests/slow.pp | 6 ++ 6 files changed, 65 insertions(+), 68 deletions(-) create mode 100644 puppet/modules/site_config/manifests/default.pp delete mode 100644 puppet/modules/site_config/manifests/init.pp create mode 100644 puppet/modules/site_config/manifests/slow.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 33566f0c..146b373e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp 
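Review bot: `<%= lsbdistcodename %>` relies on Puppet's bare-variable lookup inside templates, which is deprecated in favour of instance-variable access; the conventional form is `<%= @lsbdistcodename %>`, with `scope.lookupvar('::lsbdistcodename')` as the fully qualified alternative. Hard-coding `main contrib non-free` also drops the `repos` value the previous revision took from the caller, so the fallback source may enable components the primary sources list does not; if that is intended, a one-line comment in the template saying so would save the next reader a question.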
@@ -5,41 +5,33 @@ stage { 'initial': before => Stage['main'], } -node 'default' { - # prerequisites - import 'common' - include concat::setup - - $development = hiera('development') - if $development['site_config'] == true { - # include some basic classes - include site_config - } else { - notice ('NOT applying site_config') - } - - # parse services for host - $services=hiera_array('services') - notice("Services for $fqdn: $services") - - # configure eip - if 'openvpn' in $services { - include site_openvpn - } - - if 'couchdb' in $services { - include site_couchdb - } - - if 'webapp' in $services { - include site_webapp - } - - if 'ca' in $services { - include site_ca_daemon - } - - if 'monitor' in $services { - include site_nagios::server - } +# prerequisites +import 'common' +include concat::setup +include site_config::default +include site_config::slow + +# parse services for host +$services=hiera_array('services') +notice("Services for ${fqdn}: ${services}") + +# configure eip +if 'openvpn' in $services { + include site_openvpn +} + +if 'couchdb' in $services { + include site_couchdb +} + +if 'webapp' in $services { + include site_webapp +} + +if 'ca' in $services { + include site_ca_daemon +} + +if 'monitor' in $services { + include site_nagios::server } diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp new file mode 100644 index 00000000..0605604b --- /dev/null +++ b/puppet/modules/site_config/manifests/default.pp 
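Review bot: `notice("Services for ${fqdn}: ${services}")` now runs at top scope outside any node block and refers to the fact by its bare name; other manifests in this series write facts as `$::virtual`, so for consistency and to stay clear of dynamic-lookup deprecation use `$::fqdn`. Removing the `if $development['site_config'] == true` gate also means `site_config::default` is applied unconditionally, which changes what a node with that hiera flag set to false receives; a note in the commit message that this is intended would help whoever reads the history.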
@@ -0,0 +1,28 @@ +class site_config::default { + tag 'default' + + $domain_hash = hiera('domain') + + # default class, used by all hosts + + include lsb, git + + # configure apt + include site_apt + + + # configure ssh and include ssh-keys + include site_config::sshd + + # configure /etc/resolv.conf + include site_config::resolvconf + + # configure caching, local resolver + include site_config::caching_resolver + + # configure /etc/hosts + class { 'site_config::hosts': + stage => initial, + } + +} diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index a5f1b105..6c00f3b6 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,7 +3,7 @@ class site_config::hosts() { $hosts = hiera('hosts','') $hostname = hiera('name') - $domain_public = $site_config::domain_hash['full_suffix'] + $domain_public = $site_config::default::domain_hash['full_suffix'] file { "/etc/hostname": ensure => present, diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp deleted file mode 100644 index f0ce9856..00000000 --- a/puppet/modules/site_config/manifests/init.pp +++ /dev/null @@ -1,29 +0,0 @@ -class site_config { - $domain_hash = hiera('domain') - - # default class, used by all hosts - - include lsb, git - - # configure apt - include site_apt - - - # configure ssh and include ssh-keys - include site_config::sshd - - # configure /etc/resolv.conf - include site_config::resolvconf - - # configure caching, local resolver - include site_config::caching_resolver - - # configure /etc/hosts - class { 'site_config::hosts': - stage => initial, - } - - class { 'site_apt::dist_upgrade': - stage => initial, - } -} diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b803f17e..d73f0b78 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp 
+++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -11,7 +11,7 @@ class site_config::resolvconf { ensure => absent; } - $domain_public = $site_config::domain_hash['full_suffix'] + $domain_public = $site_config::default::domain_hash['full_suffix'] # 127.0.0.1: caching-only local bind # 87.118.100.175: http://server.privacyfoundation.de diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp new file mode 100644 index 00000000..a4a9f19f --- /dev/null +++ b/puppet/modules/site_config/manifests/slow.pp @@ -0,0 +1,6 @@ +class site_config::slow { + + class { 'site_apt::dist_upgrade': + stage => initial, + } +} -- cgit v1.2.3 From ced1717ae310c5b24fffd041c8af38b016d90ed4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:40:41 +0100 Subject: include site_nagios so every subclass inherits tag 'service' --- puppet/manifests/site.pp | 2 +- puppet/modules/site_nagios/manifests/init.pp | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_nagios/manifests/init.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 146b373e..d422bef7 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -33,5 +33,5 @@ if 'ca' in $services { } if 'monitor' in $services { - include site_nagios::server + include site_nagios } diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp new file mode 100644 index 00000000..57da3011 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -0,0 +1,4 @@ +class site_nagios { + tag 'service' + include site_nagios::server +} -- cgit v1.2.3 From 5addc36a364186d53d13304182d6f41b30f6a890 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 31 Jan 2013 11:41:13 +0100 Subject: just purge the nagios3/conf.d content, not the dir itself --- puppet/modules/site_nagios/manifests/server/purge.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 66c27dd5..39735cd3 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -1,6 +1,6 @@ class site_nagios::server::purge { exec {'purge_conf.d': - command => '/bin/rm -rf /etc/nagios3/conf.d', + command => '/bin/rm -rf /etc/nagios3/conf.d/*', onlyif => 'test -e /etc/nagios3/conf.d' } -- cgit v1.2.3 From 42aef6df0091f8879d83860efd3c08a6d8e26bdf Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:42:58 +0100 Subject: changed tag default to 'base' --- puppet/modules/site_config/manifests/default.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 0605604b..577970ca 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,5 +1,5 @@ class site_config::default { - tag 'default' + tag 'base' $domain_hash = hiera('domain') -- cgit v1.2.3 From dda36946d405301d9123bb455753650920d0756a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 11:52:32 +0100 Subject: tag 'service' for all service classes --- puppet/modules/site_ca_daemon/manifests/init.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 2 +- puppet/modules/site_openvpn/manifests/init.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) (limited to 'puppet') 
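Review bot: `rm -rf /etc/nagios3/conf.d/*` is re-executed on every Puppet run, because `onlyif` only tests that the directory exists, so the generated nagios configuration is wiped and rebuilt each run rather than once; and the `*` glob only works if the exec is handed to a shell, which the default posix provider does not promise. Setting `provider => shell` makes the glob explicit, and an `onlyif` that tests for one of the distribution-shipped files in conf.d (rather than the directory) limits the purge to the first run. If the conf.d contents are Puppet `file` resources, a managed directory with `recurse => true, purge => true` would be the idempotent alternative, but that depends on how the configs are generated, which is not visible here. The class close is not visible in the hunk.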
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 4ec5b00b..c00a22c8 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -1,5 +1,5 @@ class site_ca_daemon { - + tag 'service' #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 04f2ca1a..632df799 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,5 @@ class site_couchdb { - + tag 'service' include couchdb $x509 = hiera('x509') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 0ddb01ae..df4277cd 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -1,4 +1,5 @@ class site_openvpn { + tag 'service' # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c7d918ae..d1951dcd 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -1,5 +1,5 @@ class site_webapp { - + tag 'service' $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] -- cgit v1.2.3 From 3c3ed940466eabf9cb56a47614133b5bc90d4ad7 Mon Sep 17 00:00:00 2001 
From: elijah Date: Thu, 31 Jan 2013 04:31:54 -0800 Subject: added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used. --- puppet/modules/site_openvpn/manifests/keys.pp | 33 +++++++++++++++++----- .../site_openvpn/manifests/server_config.pp | 6 +--- 2 files changed, 27 insertions(+), 12 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 78902676..f3c5b423 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -13,13 +13,7 @@ class site_openvpn::keys { } x509::ca { - 'leap_client_ca': - content => $site_openvpn::x509_config['client_ca_cert'], - notify => Service[openvpn]; - } - - x509::ca { - 'leap_openvpn': + 'leap_ca': content => $site_openvpn::x509_config['ca_cert'], notify => Service[openvpn]; } @@ -29,4 +23,29 @@ class site_openvpn::keys { mode => '0644', } + # + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + # + + concat { + '/etc/openvpn/ca_bundle.pem': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; + } + + concat::fragment { + 'client_ca_cert': + content => $site_openvpn::x509_config['client_ca_cert'], + target => '/etc/openvpn/ca_bundle.pem'; + 'ca_cert': + content => $site_openvpn::x509_config['ca_cert'], + target => '/etc/openvpn/ca_bundle.pem'; + } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 68387a90..de273b46 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
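Review bot: `mode => 644` in the new `concat` resource is an unquoted number while the `file` resource a few lines above in the same class writes `mode => '0644'`; puppet-lint flags unquoted modes and the two forms read differently, so quote it as `'0644'` for consistency. The bundle holds public CA certificates, so world-readable is appropriate, and the comment block explaining why a bundle is used is welcome. The class start is outside the hunk.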
@@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/usr/local/share/ca-certificates/leap_client_ca.crt', - server => $openvpn_configname; - "ca $openvpn_configname": - key => 'ca', - value => '/usr/local/share/ca-certificates/leap_openvpn.crt', + value => '/etc/openvpn/ca_bundle.pem', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', -- cgit v1.2.3 From 24829044b9726f5eb9a8a0ac09f94152b943f9e4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 14:54:05 +0100 Subject: install etckeeper on all nodes --- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 577970ca..699eb4dd 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -25,4 +25,7 @@ class site_config::default { stage => initial, } + package { [ 'etckeeper' ]: + ensure => installed, + } } -- cgit v1.2.3 From e6fe80f9460b8bc013068e1dda8be6230b8d60a4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Jan 2013 19:09:19 +0100 Subject: tag 'base' is a bad idea because it invokes apache::base as well --- puppet/modules/site_ca_daemon/manifests/init.pp | 2 +- puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_config/manifests/slow.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 2 +- puppet/modules/site_nagios/manifests/init.pp | 2 +- puppet/modules/site_openvpn/manifests/init.pp | 2 +- puppet/modules/site_webapp/manifests/init.pp | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index c00a22c8..86e186bb 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp 
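Review bot: With `ca` now pointing at `/etc/openvpn/ca_bundle.pem`, any certificate chaining to either bundled CA authenticates as a VPN client, including server-type certificates issued by `ca_cert` if that CA also signs server certificates; unless the server config already carries a peer certificate type check, which is not visible in this hunk, a leaked server certificate and key would be accepted as a client. Adding `remote-cert-tls client` as a further `openvpn::option` in this define restricts acceptance to certificates carrying the client extended key usage, which is what the bundle transition needs. The define body continues outside the hunk.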
+++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -1,5 +1,5 @@ class site_ca_daemon { - tag 'service' + tag 'leap_service' #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 699eb4dd..14b389e8 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,5 +1,5 @@ class site_config::default { - tag 'base' + tag 'leap_base' $domain_hash = hiera('domain') diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index a4a9f19f..18b22a9c 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -1,5 +1,5 @@ class site_config::slow { - + tag 'leap_slow' class { 'site_apt::dist_upgrade': stage => initial, } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 632df799..1789dd55 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,5 +1,5 @@ class site_couchdb { - tag 'service' + tag 'leap_service' include couchdb $x509 = hiera('x509') diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index 57da3011..cab32905 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,4 +1,4 @@ class site_nagios { - tag 'service' + tag 'leap_service' include site_nagios::server } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index df4277cd..e3d2a9af 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -1,5 +1,5 @@ class site_openvpn { - tag 'service' + tag 'leap_service' # parse hiera config $ip_address = hiera('ip_address') $interface = getvar("interface_${ip_address}") diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d1951dcd..592241c1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -1,5 +1,5 @@ class site_webapp { - tag 'service' + tag 'leap_service' $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] -- cgit v1.2.3 From c4805af340ae63e9129696e0c96f9896417eb9c4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 31 Jan 2013 15:58:16 -0500 Subject: install an apache Directory override block to disable passenger for nagios, if the node is a monitor node --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 8c820788..4928cdd6 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -36,5 +36,12 @@ PassengerAllowEncodedSlashes on PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + + <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> + + PassengerEnabled off + AllowOverride all + + <% end -%> -- cgit v1.2.3 From 5a825f7f6045cea00d94bcebf339c8e2dff5b067 Mon Sep 17 00:00:00 2001 
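Review bot: The new guard in `leap_webapp.conf.erb` mixes `@services` and a bare `services` in one expression: `(defined? @services) and (services.is_a? Array) and (@services.include? 'monitor')`. In a Puppet ERB template the bare `services` is not the instance variable; depending on the Puppet version it either raises `NameError` or falls back to deprecated variable lookup, so the condition should read `<% if (defined? @services) and (@services.is_a? Array) and (@services.include? 'monitor') -%>`. The page extraction appears to have dropped the `<Directory ...>` open and close lines around `PassengerEnabled off` / `AllowOverride all`, so I cannot see which path the block covers; note that `AllowOverride all` enables `.htaccess` processing for that directory, which is broader than disabling Passenger requires — if the Nagios package relies on an `.htaccess` for its auth, `AllowOverride AuthConfig` is the narrower setting.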
From: Micah Anderson Date: Thu, 31 Jan 2013 18:31:02 -0500 Subject: update the x509 submodule to get non-root application access to key file enhancement put the leap-webapp user in the 'ssl-cert' group pass group => 'leap-webapp' to the leap_client_ca.key so the application can access it --- puppet/modules/site_webapp/manifests/client_ca.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 1 + puppet/modules/x509 | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp index 53c49d69..0d9b15d6 100644 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ b/puppet/modules/site_webapp/manifests/client_ca.pp @@ -13,6 +13,7 @@ class site_webapp::client_ca { x509::key { 'leap_client_ca': source => $x509['client_ca_key'], + group => 'leap-webapp', notify => Service[apache]; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 592241c1..d59cebba 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -27,6 +27,7 @@ class site_webapp { ensure => present, allowdupe => false, gid => 'leap-webapp', + groups => 'ssl-cert', home => '/srv/leap-webapp', require => [ Group['leap-webapp'] ]; } diff --git a/puppet/modules/x509 b/puppet/modules/x509 index d7a252b7..456212d1 160000 --- a/puppet/modules/x509 +++ b/puppet/modules/x509 @@ -1 +1 @@ -Subproject commit d7a252b77db843e800ed9fc92a56d5214f432026 +Subproject commit 456212d16e55e1299c2d9bfcc7965b40e0318cb4 -- cgit v1.2.3 From e8edd253d1a27d7ed95c690282bc8cf579baa158 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 1 Feb 2013 11:14:35 +0100 Subject: disable nagios debug mode (Feature #1551) --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') 
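Review bot: Adding `groups => 'ssl-cert',` to the `leap-webapp` user in `site_webapp/manifests/init.pp` grants the application user read access to every key the `ssl-cert` group can read, not only `leap_client_ca.key`; on Debian `/etc/ssl/private` is `root:ssl-cert`, so the web server's own TLS key and anything else stored there becomes readable by the Rails process. The `client_ca.pp` hunk already sets `group => 'leap-webapp',` on the one key the application needs, so the `ssl-cert` membership looks redundant for that purpose and could be dropped, keeping the grant specific to that file. If the membership is needed for another key, a comment naming it on the `groups` line would keep the intent auditable. The enclosing `site_webapp` class starts and ends outside the hunk.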
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index d8062a2f..753d1610 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -1240,7 +1240,7 @@ enable_environment_macros=1 # 1024 = Comments # 2048 = Macros -debug_level=-1 +debug_level=0 -- cgit v1.2.3 From ddb46b60b591b35249f5820b9cf751a80d93d386 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 1 Feb 2013 16:05:11 +0100 Subject: automatic update of submodule puppet_apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 6c135ea7..f16a0727 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6c135ea7bc2ae9951154cf5471801469e3e3d581 +Subproject commit f16a0727dce187d07389388da8b816f7b520205d -- cgit v1.2.3 From a059418a7690b38c1ccc1e32e57c297e70396dac Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 Feb 2013 11:23:22 -0500 Subject: update x509 submodule to get key owner enhancement --- puppet/modules/x509 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/x509 b/puppet/modules/x509 index 456212d1..19254a38 160000 --- a/puppet/modules/x509 +++ b/puppet/modules/x509 @@ -1 +1 @@ -Subproject commit 456212d16e55e1299c2d9bfcc7965b40e0318cb4 +Subproject commit 19254a38c1c372ae7912ea9f15500b9b1cbffe81 -- cgit v1.2.3 From 0ab18bc91fa84df2c457ca1ea43ebebc65e5bb2b Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 1 Feb 2013 21:46:06 +0100 Subject: moved concat::setup to site_config::default Because in site.pp it didn't get the tag "leap_base" and would not be declared with leap cli's default puppet tags. Fixes: parent directory /var/lib/puppet/concat does not exist (Feature#1625) --- puppet/manifests/site.pp | 2 -- puppet/modules/site_config/manifests/default.pp | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index d422bef7..53b452d1 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,9 +5,7 @@ stage { 'initial': before => Stage['main'], } -# prerequisites import 'common' -include concat::setup include site_config::default include site_config::slow diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 14b389e8..c65c0799 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -3,6 +3,8 @@ class site_config::default { $domain_hash = hiera('domain') + include concat::setup + # default class, used by all hosts include lsb, git -- cgit v1.2.3 From 3b32d321b131723bbd830945ef4176d7d37b6e3c Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 3 Feb 2013 17:47:02 +0100 Subject: Increase Exec[bundler_update] timeout Exec[bundler_update] can take a really long time, increasing timeout from 300s (default) to 600s fixes Increase command timeout for Exec[bundler_update] (Feature #1643) --- puppet/modules/site_ca_daemon/manifests/init.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 1 + 2 files changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index 86e186bb..8ba9c506 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp 
@@ -82,6 +82,7 @@ class site_ca_daemon { cwd => '/srv/leap_ca_daemon', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', + timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d59cebba..24c258dc 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -54,6 +54,7 @@ class site_webapp { cwd => '/srv/leap-webapp', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', + timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; } -- cgit v1.2.3 From 07cc737f655c9fc0afe50e9850963120114ee18e Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 4 Feb 2013 17:26:56 +0100 Subject: compile assets for webapp, fixes #1628 --- puppet/modules/site_webapp/manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 24c258dc..ff5a3611 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -55,7 +55,15 @@ class site_webapp { command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', unless => '/usr/bin/bundle check', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ]; + require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ], + notify => Service['apache']; + } + + exec { 'compile_assets': + cwd => '/srv/leap-webapp', + command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', + require => Exec['bundler_update'], + notify => Service['apache']; } file { -- cgit v1.2.3 From 97c5451b0f8b63b4884a9560c0a796f931d059e3 Mon Sep 17 00:00:00 2001 
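Review bot: Both `bundler_update` execs (in `site_ca_daemon/manifests/init.pp` and in `site_webapp/manifests/init.pp`) still run `/usr/bin/bundle install` as root with network access and no requirement that the resolved gem versions match a committed lockfile; raising `timeout => 600` only lengthens that window. `bundle install --deployment` refuses to run without a `Gemfile.lock` and installs exactly the locked versions, which is the property you want for reproducible and reviewable deployments, and it makes the `unless => '/usr/bin/bundle check'` guard more meaningful. Both enclosing classes start and end outside the hunks.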
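Review bot: `exec { 'compile_assets': ... }` in `site_webapp/manifests/init.pp` has no `refreshonly`, `creates` or `unless`, so `rake assets:precompile` runs on every agent run and its `notify => Service['apache']` restarts Apache on every run as well. Making it event-driven — `refreshonly => true,` together with `subscribe => [ Exec['bundler_update'], Vcsrepo['/srv/leap-webapp'] ],` in place of the `require` — limits both the work and the restarts to runs where the checkout or the bundle actually changed. If the application expects production assets, the exec will also need `environment => ['RAILS_ENV=production'],`; I cannot tell from the hunk. The class body continues past this hunk.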
From: varac Date: Wed, 6 Feb 2013 10:56:38 +0100 Subject: added submodule tor --- puppet/modules/tor | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/tor (limited to 'puppet') diff --git a/puppet/modules/tor b/puppet/modules/tor new file mode 160000 index 00000000..a780e840 --- /dev/null +++ b/puppet/modules/tor @@ -0,0 +1 @@ +Subproject commit a780e84001177f10a86a7bf824589c0553f513a0 -- cgit v1.2.3 From ab25692d3b8aaf3e71ec3546d1ea9d85f26f7b63 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 18:11:21 +0100 Subject: Restructuring site_shorewall site_shorewall::defaults can be used on every host, it configures a basic firewall, which blocks everything from outside except ping + ssh, and allows outgoing traffic for http, git, dns. --- .../modules/site_shorewall/manifests/defaults.pp | 59 +++++++++++++++--- puppet/modules/site_shorewall/manifests/eip.pp | 71 +++------------------- .../modules/site_shorewall/manifests/ip_forward.pp | 10 +++ puppet/modules/site_shorewall/manifests/sshd.pp | 23 +++++++ 4 files changed, 92 insertions(+), 71 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/ip_forward.pp create mode 100644 puppet/modules/site_shorewall/manifests/sshd.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5f60ec6..7992406b 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,6 +1,17 @@ class site_shorewall::defaults { include shorewall + # be safe for development + #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + + $ip_address = hiera('ip_address') + # a special case for vagrant interfaces + $interface = $::virtual ? { + virtualbox => [ 'eth0', 'eth1' ], + default => getvar("interface_${ip_address}") + } + + # If you want logging: shorewall::params { 'LOG': value => 'debug'; 
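Review bot: The `default` arm of the `$interface` selector in `site_shorewall/manifests/defaults.pp` returns whatever `getvar("interface_${ip_address}")` yields, and when no such fact exists that is `undef`; the following hunk then declares `shorewall::interface { $interface: ... }` with an empty title and the catalogue fails with an error that never mentions the missing fact. A guard right after the selector, `if ! $interface { fail("no interface fact found for ${ip_address}") }`, turns that into an actionable message. The commented-out `#if ( $::virtual == 'virtualbox') { $shorewall_startup='0' }` line was carried over from `eip.pp` and is dead code; either delete it or state in the comment what it is kept for.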
@@ -8,14 +19,48 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - include augeas - augeas { 'enable_ip_forwarding': - changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Class[augeas]; + # define interfaces + shorewall::interface { $interface: + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::routestopped { $interface: } + + shorewall::policy { + 'all-to-all': + sourcezone => 'all', + destinationzone => 'all', + policy => 'DROP', + order => 200; + } + + shorewall::rule { + # ping party + 'all2all-ping': + source => 'all', + destination => 'all', + action => 'Ping(ACCEPT)', + order => 200; + + # server to outside + 'fw2all-http': + source => '$FW', + destination => 'all', + action => 'HTTP(ACCEPT)', + order => 200; + 'fw2all-DNS': + source => '$FW', + destination => 'all', + action => 'DNS(ACCEPT)', + order => 200; + 'fw2all-git': + source => '$FW', + destination => 'all', + action => 'Git(ACCEPT)', + order => 200; } + include site_shorewall::sshd } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index de81aa1d..a6209327 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
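Review bot: `shorewall::routestopped { $interface: }` with no options permits all traffic on the interface whenever Shorewall is stopped, which is the opposite of the DROP default the `'all-to-all'` policy establishes for the running state; every restart triggered by the `notify => Service['shorewall']` resources elsewhere in this series may briefly expose all listening services. If the goal is only to keep administrative access while stopped, restrict the entry to the management source addresses (not visible in hiera here), or document the trade-off above the line, e.g. `# NOTE: unrestricted routestopped — the host is fully open while shorewall is stopped`. The vagrant case places both `eth0` and `eth1` in the `net` zone, which is reasonable for development but worth stating in the comment next to the selector.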
@@ -1,35 +1,21 @@ class site_shorewall::eip { - # be safe for development - #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } - include site_shorewall::defaults + include site_shorewall::ip_forward - $ip_address = hiera('ip_address') - # a special case for vagrant interfaces - $interface = $::virtual ? { - virtualbox => [ 'eth0', 'eth1' ], - default => getvar("interface_${ip_address}") - } - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] $openvpn_config = hiera('openvpn') $openvpn_ports = $openvpn_config['ports'] $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': - content => "PARAM - - tcp 1194,$ssh_port + content => "PARAM - - tcp 1194 PARAM - - udp 1194 -", } - - - # define interfaces - shorewall::interface { $interface: - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; +", + notify => Service['shorewall'] } + shorewall::interface { 'tun0': zone => 'eip', @@ -40,11 +26,9 @@ PARAM - - udp 1194 } - shorewall::zone {'eip': + shorewall::zone {'eip': type => 'ipv4'; } - shorewall::routestopped { $interface: } - case $::virtual { 'virtualbox': { shorewall::masq { @@ -56,6 +40,7 @@ PARAM - - udp 1194 source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } } default: { + $interface = $site_shorewall::defaults::interface shorewall::masq { "${interface}_tcp": interface => $interface, 
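Review bot: The `macro.leap_eip` content hard-codes `tcp 1194` / `udp 1194` while the same hunk reads `$openvpn_ports` from hiera for the DNAT rules created further down (`# create dnat rule for each port`); if the configured ports ever differ from 1194, the macro and the DNAT rules drift apart silently. Building the macro from the same variable, or a comment stating that 1194 is the fixed internal port the DNAT rules target, keeps the two in step. The `$interface = $site_shorewall::defaults::interface` assignment inside the `default:` arm depends on `site_shorewall::defaults` having been evaluated first, which the `include` at the top of the class provides; a one-line comment saying so would save the next reader a lookup. The class body continues past this hunk.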
@@ -78,56 +63,14 @@ PARAM - - udp 1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; - 'all-to-all': - sourcezone => 'all', - destinationzone => 'all', - policy => 'DROP', - order => 200; } shorewall::rule { - # ping party - 'all2all-ping': - source => 'all', - destination => 'all', - action => 'Ping(ACCEPT)', - order => 200; - - # outside to server - 'net2fw-ssh': - source => 'net', - destination => '$FW', - action => 'SSH(ACCEPT)', - order => 200; 'net2fw-openvpn': source => 'net', destination => '$FW', action => 'leap_eip(ACCEPT)', order => 200; - - # server to outside - 'fw2all-http': - source => '$FW', - destination => 'all', - action => 'HTTP(ACCEPT)', - order => 200; - 'fw2all-DNS': - source => '$FW', - destination => 'all', - action => 'DNS(ACCEPT)', - order => 200; - 'fw2all-git': - source => '$FW', - destination => 'all', - action => 'Git(ACCEPT)', - order => 200; - - # Webfrontend is running on another server - #'eip2fw-https': - # source => 'eip', - # destination => '$FW', - # action => 'HTTPS(ACCEPT)', - # order => 200; } # create dnat rule for each port diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp new file mode 100644 index 00000000..d09d4fd1 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp @@ -0,0 +1,10 @@ +class site_shorewall::ip_forward { + include augeas + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Class[augeas]; + } +} diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp new file mode 100644 index 00000000..2cf4fd56 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/sshd.pp 
@@ -0,0 +1,23 @@ +class site_shorewall::sshd { + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + include shorewall + + # define macro for incoming sshd + file { '/etc/shorewall/macro.leap_sshd': + content => "PARAM - - tcp $ssh_port", + notify => Service['shorewall'] + } + + + shorewall::rule { + # outside to server + 'net2fw-ssh': + source => 'net', + destination => '$FW', + action => 'leap_sshd(ACCEPT)', + order => 200; + } +} -- cgit v1.2.3 From 07afa7bd4c7dcb941e3984d4fccc1169baf03448 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:33:51 +0100 Subject: allow all outgoing traffic --- .../modules/site_shorewall/manifests/defaults.pp | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 7992406b..d5639a90 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -29,6 +29,11 @@ class site_shorewall::defaults { shorewall::routestopped { $interface: } shorewall::policy { + 'fw-to-all': + sourcezone => 'fw', + destinationzone => 'all', + policy => 'ACCEPT', + order => 100; 'all-to-all': sourcezone => 'all', destinationzone => 'all', @@ -43,23 +48,6 @@ class site_shorewall::defaults { destination => 'all', action => 'Ping(ACCEPT)', order => 200; - - # server to outside - 'fw2all-http': - source => '$FW', - destination => 'all', - action => 'HTTP(ACCEPT)', - order => 200; - 'fw2all-DNS': - source => '$FW', - destination => 'all', - action => 'DNS(ACCEPT)', - order => 200; - 'fw2all-git': - source => '$FW', - destination => 'all', - action => 'Git(ACCEPT)', - order => 200; } include site_shorewall::sshd -- cgit v1.2.3 From 18a2f385ff1f56f493db5302f5ae51173a65cd86 Mon Sep 17 00:00:00 2001 
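Review bot: `content => "PARAM - - tcp $ssh_port",` in `site_shorewall/manifests/sshd.pp` interpolates the hiera `ssh.port` value straight into a Shorewall macro without checking that it is a port number; a typo or a value like `22,2222` surfaces only as a compile error at `shorewall restart`, and with the unrestricted `routestopped` entry in `defaults.pp` a failed restart is not fail-closed. A check before the `file` resource, `if $ssh_port !~ /^\d+$/ { fail("ssh port must be numeric: ${ssh_port}") }` (or `validate_re` if puppetlabs-stdlib is available), reports it at catalogue time instead. The macro is written without a trailing newline while the `eip.pp` macro in this series ends with one; whether Shorewall accepts both is worth confirming, and one convention should be picked either way.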
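Review bot: The new `'fw-to-all'` policy uses `sourcezone => 'fw',` while every rule in this file and in `eip.pp` refers to the firewall zone as `'$FW'`; both resolve to the same zone under the default `FW=fw` in `shorewall.conf`, but mixing the two forms makes the policy look like a different zone on a skim, so `sourcezone => '$FW',` would be consistent. Removing the three explicit egress rules and accepting all outbound traffic also removes the one place where unexpected outbound connections from a compromised service would have been blocked; if that is the accepted trade-off, a comment on the policy such as `# all egress permitted; no outbound allowlist is enforced` makes the decision visible to whoever audits the ruleset later.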
From: varac Date: Wed, 6 Feb 2013 23:34:29 +0100 Subject: configure shorewall for couchdb, tor, webapp --- puppet/modules/site_shorewall/manifests/couchdb.pp | 22 +++++++++++++++++++++ puppet/modules/site_shorewall/manifests/tor.pp | 23 ++++++++++++++++++++++ puppet/modules/site_shorewall/manifests/webapp.pp | 13 ++++++++++++ 3 files changed, 58 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/couchdb.pp create mode 100644 puppet/modules/site_shorewall/manifests/tor.pp create mode 100644 puppet/modules/site_shorewall/manifests/webapp.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp new file mode 100644 index 00000000..1b7f791d --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -0,0 +1,22 @@ +class site_shorewall::couchdb { + + include site_shorewall::defaults + + $couchdb_port = '6984' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_couchdb': + content => "PARAM - - tcp $couchdb_port", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-couchdb': + source => 'net', + destination => '$FW', + action => 'leap_couchdb(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp new file mode 100644 index 00000000..d04adeac --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -0,0 +1,23 @@ +class site_shorewall::tor { + + include site_shorewall::defaults + include site_shorewall::ip_forward + + $tor_port = '9001' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_tor': + content => "PARAM - - tcp $tor_port ", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-tor': + source => 'net', + destination => '$FW', + action => 'leap_tor(ACCEPT)', + order => 200; + } + +} 
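Review bot: `site_shorewall::couchdb` opens `$couchdb_port` (`6984`) to the whole `net` zone, so the database relies entirely on CouchDB's own authentication and TLS for every source address on the internet. If the clients are the webapp and other couch nodes whose addresses hiera knows, a `source => 'net:<client-addresses>'` on the rule keeps the exposure to the hosts that need it; if that is not possible yet, a comment stating that the port is intentionally world-reachable is worth adding. Hard-coding `'6984'` here while the port is presumably configured in `site_couchdb` invites drift; reading both from one hiera key avoids it.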
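Review bot: `site_shorewall::tor` includes `site_shorewall::ip_forward`, which turns on `IP_FORWARDING` in `shorewall.conf`; a Tor relay does not route packets for other hosts, so unless something else on the tor node needs forwarding (nothing in this hunk shows that), this enables a kernel capability the node does not need and the `include site_shorewall::ip_forward` line should go. `content => "PARAM - - tcp $tor_port ",` carries a trailing space before the closing quote, and `$tor_port = '9001'` duplicates the `port => 9001` literal in `site_tor`; deriving both from one hiera value keeps the firewall and the daemon from disagreeing.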
diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp new file mode 100644 index 00000000..ff9b7646 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -0,0 +1,13 @@ +class site_shorewall::webapp { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 726a652b31ef6c1c2b4b93ec38398d70ba496f8c Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:35:25 +0100 Subject: site_config::default : include site_shorewall::defaults --- puppet/modules/site_config/manifests/default.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c65c0799..2191e9a1 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -30,4 +30,7 @@ class site_config::default { package { [ 'etckeeper' ]: ensure => installed, } + + # include basic shorewall config + include site_shorewall::defaults } -- cgit v1.2.3 From 68b6e843aa852cdb71fdec4f741150e4daddaac9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:36:24 +0100 Subject: include shorewall config for webapp and couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 2 ++ puppet/modules/site_webapp/manifests/init.pp | 2 ++ 2 files changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1789dd55..9ecde5e6 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -59,4 +59,6 @@ class site_couchdb { couchdb::create_db { 'client_certificates': readers => "{ \"names\": [], \"roles\": [\"certs\"] }" } + + include site_shorewall::couchdb } 
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ff5a3611..f0d6c90a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -112,4 +112,6 @@ class site_webapp { mode => '0600'; } + include site_shorewall::webapp + } -- cgit v1.2.3 From 0f47539146baa793a17739ede0137312d333bb9e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:37:32 +0100 Subject: nagios: don't check openvpn, check cmd doesn't work --- puppet/modules/site_nagios/manifests/add_service.pp | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 280cb010..6ef3cbf5 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -2,14 +2,9 @@ define site_nagios::add_service ( $hostname, $ip_address, $openvpn_gw = '', $service) { case $service { - # don't deploy until we fix 1546 - 'openvpn': { - $check_command = "check_openvpn_server_ip_port!$openvpn_gw!1194" - $service_description = 'Openvpn' - } 'webapp': { - $check_command = 'check_https' - $service_description = 'Website' + $check_command = 'check_https_cert' + $service_description = 'Website Certificate' } default: { #notice ("No Nagios service check for service \"$service\"") -- cgit v1.2.3 From 4642e8a0780f1eb6ba14fdf1f2966101dab993f7 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:58:17 +0100 Subject: add basic tor service --- puppet/manifests/site.pp | 4 ++++ puppet/modules/site_tor/manifests/init.pp | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 puppet/modules/site_tor/manifests/init.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 53b452d1..1ec806d9 100644 --- a/puppet/manifests/site.pp 
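Review bot: Switching the `'webapp'` case from `check_https` to `check_https_cert` replaces the availability check with a certificate-expiry check, so an outage of the site no longer alerts while its certificate is valid; it looks like the intent was to add the certificate check rather than swap it. Since the define emits a single `$check_command` / `$service_description` pair, keeping both needs either a second case value or a second service declared by the caller. With the `'openvpn'` arm removed, the `$openvpn_gw = ''` parameter in the signature is unused; drop it or keep it with a comment pointing at the disabled check. The define body continues after this hunk.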
+++ b/puppet/manifests/site.pp @@ -33,3 +33,7 @@ if 'ca' in $services { if 'monitor' in $services { include site_nagios } + +if 'tor' in $services { + include site_tor +} diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp new file mode 100644 index 00000000..a854a163 --- /dev/null +++ b/puppet/modules/site_tor/manifests/init.pp @@ -0,0 +1,20 @@ +class site_tor { + tag 'leap_service' + + $tor = hiera('tor') + $bandwidth_rate = $tor['bandwidth_rate'] + + $contact_email = hiera('contact_email') + + class { 'tor::daemon': } + tor::daemon::relay { $::hostname: + port => 9001, + #listen_addresses => '', + contact_info => $contact_email, + bandwidth_rate => $bandwidth_rate, + } + tor::daemon::directory { $::hostname: port => 80 } + + include site_shorewall::tor + +} -- cgit v1.2.3 From 27094aa7aa3abf7f8dc0148a8a76ed3fdbf34add Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:58:43 +0100 Subject: allow port 80 to tor server --- puppet/modules/site_shorewall/manifests/tor.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index d04adeac..a72d9dfc 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -18,6 +18,11 @@ class site_shorewall::tor { destination => '$FW', action => 'leap_tor(ACCEPT)', order => 200; + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; } } -- cgit v1.2.3 From dbdbb33ce52cf04798763d488e63acc5a26980f9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Feb 2013 23:59:17 +0100 Subject: allow outgoing traffic moved to site_shorewall::defaults --- puppet/modules/site_shorewall/manifests/eip.pp | 5 ----- 1 file changed, 5 deletions(-) (limited to 'puppet') 
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index a6209327..4e5a5d48 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -58,11 +58,6 @@ PARAM - - udp 1194 destinationzone => 'all', policy => 'ACCEPT', order => 100; - 'fw-to-all': - sourcezone => '$FW', - destinationzone => 'all', - policy => 'ACCEPT', - order => 100; } shorewall::rule { -- cgit v1.2.3 From c82b7c8a74ea0154ece5686eac43cab90af77b96 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Feb 2013 00:33:07 +0100 Subject: configure exit policies --- puppet/modules/site_tor/manifests/exit_policy.pp | 8 ++++++++ puppet/modules/site_tor/manifests/init.pp | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_tor/manifests/exit_policy.pp (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/exit_policy.pp b/puppet/modules/site_tor/manifests/exit_policy.pp new file mode 100644 index 00000000..f2d2d38f --- /dev/null +++ b/puppet/modules/site_tor/manifests/exit_policy.pp @@ -0,0 +1,8 @@ +class site_tor::exit_policy { + # exaple policy to allow ssh + tor::daemon::exit_policy { 'ssh_exit_policy': + accept => '*:22', + reject => '*:*'; + } +} + diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index a854a163..7c25b0e9 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -3,6 +3,7 @@ class site_tor { $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] + $tor_type = $tor['type'] $contact_email = hiera('contact_email') 
@@ -13,8 +14,14 @@ class site_tor { contact_info => $contact_email, bandwidth_rate => $bandwidth_rate, } - tor::daemon::directory { $::hostname: port => 80 } + + # we configure the directory later + #tor::daemon::directory { $::hostname: port => 80 } include site_shorewall::tor + if ( $tor_type == 'exit' ) { + include site_tor::exit_policy + } + } -- cgit v1.2.3 From 08720568f7c00373560379e44695b881fff18af1 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Feb 2013 11:48:29 +0100 Subject: working tor relay --- puppet/modules/site_tor/manifests/disable_exit.pp | 7 +++++++ puppet/modules/site_tor/manifests/exit_policy.pp | 8 -------- puppet/modules/site_tor/manifests/init.pp | 10 +++++----- 3 files changed, 12 insertions(+), 13 deletions(-) create mode 100644 puppet/modules/site_tor/manifests/disable_exit.pp delete mode 100644 puppet/modules/site_tor/manifests/exit_policy.pp (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp new file mode 100644 index 00000000..73016646 --- /dev/null +++ b/puppet/modules/site_tor/manifests/disable_exit.pp @@ -0,0 +1,7 @@ +class site_tor::disable_exit { + tor::daemon::exit_policy { + 'no_exit_at_all': + reject => '*:*'; + } +} + diff --git a/puppet/modules/site_tor/manifests/exit_policy.pp b/puppet/modules/site_tor/manifests/exit_policy.pp deleted file mode 100644 index f2d2d38f..00000000 --- a/puppet/modules/site_tor/manifests/exit_policy.pp +++ /dev/null @@ -1,8 +0,0 @@ -class site_tor::exit_policy { - # exaple policy to allow ssh - tor::daemon::exit_policy { 'ssh_exit_policy': - accept => '*:22', - reject => '*:*'; - } -} - diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 7c25b0e9..654337c7 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp 
@@ -6,22 +6,22 @@ class site_tor { $tor_type = $tor['type'] $contact_email = hiera('contact_email') + $address = hiera('ip_address') class { 'tor::daemon': } tor::daemon::relay { $::hostname: port => 9001, - #listen_addresses => '', + address => $address, contact_info => $contact_email, bandwidth_rate => $bandwidth_rate, } - # we configure the directory later - #tor::daemon::directory { $::hostname: port => 80 } + tor::daemon::directory { $::hostname: port => 80 } include site_shorewall::tor - if ( $tor_type == 'exit' ) { - include site_tor::exit_policy + if ( $tor_type != 'exit' ) { + include site_tor::disable_exit } } -- cgit v1.2.3 From 173b2dc3ecbdab2cacede4e50f6fa3f5daa3c683 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Feb 2013 12:32:02 +0100 Subject: configure tor relay nickname --- puppet/modules/site_tor/manifests/init.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 654337c7..dc16f91a 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,15 +1,16 @@ class site_tor { tag 'leap_service' - $tor = hiera('tor') + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] - $tor_type = $tor['type'] + $tor_type = $tor['type'] + $nickname = $tor['nickname'] - $contact_email = hiera('contact_email') - $address = hiera('ip_address') + $contact_email = hiera('contact_email') + $address = hiera('ip_address') class { 'tor::daemon': } - tor::daemon::relay { $::hostname: + tor::daemon::relay { $nickname: port => 9001, address => $address, contact_info => $contact_email, -- cgit v1.2.3 From 84b02911502331b4bf1b298fab2577424d7ef534 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 8 Feb 2013 17:20:42 +0100 Subject: couchdb: disable futon (Feature #1121) --- puppet/modules/site_couchdb/files/local.ini | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') 
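Review bot: `tor::daemon::relay { $nickname:` in the second hunk now uses the hiera `tor.nickname` value as the relay Nickname; Tor accepts only 1–19 alphanumeric characters and refuses to start on anything else, and an absent key makes the resource title `undef` and fails the catalogue with an unrelated error. A check before the resource, `if $nickname !~ /^[A-Za-z0-9]{1,19}$/ { fail("invalid tor nickname '${nickname}'") }`, reports the problem at compile time. The same applies to `$address` taken from `ip_address` in the first hunk, which is passed to the daemon unvalidated.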
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 485c9a29..4003bfcd 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -27,6 +27,7 @@ [httpd_global_handlers] ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} +_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} [couch_httpd_auth] ; If you set this to true, you should also uncomment the WWW-Authenticate line -- cgit v1.2.3 From 6e3d87d88578447aa4358aabdf270df2082b422d Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 8 Feb 2013 23:11:15 -0800 Subject: changed contact_email to tor.contacts --- puppet/modules/site_tor/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index dc16f91a..ceb6fb13 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -5,8 +5,8 @@ class site_tor { $bandwidth_rate = $tor['bandwidth_rate'] $tor_type = $tor['type'] $nickname = $tor['nickname'] + $contact_email = $tor['contacts'] - $contact_email = hiera('contact_email') $address = hiera('ip_address') class { 'tor::daemon': } -- cgit v1.2.3 From bda22dea464eddeb9a8be4e8513a8e4d1d3cbe8d Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 9 Feb 2013 14:10:35 +0100 Subject: re-enabling futon (see #1121) --- puppet/modules/site_couchdb/files/local.ini | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 4003bfcd..b3376cbb 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini 
@@ -27,7 +27,11 @@ [httpd_global_handlers] ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} -_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} + +# enable futon +_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} +# disable futon +#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} [couch_httpd_auth] ; If you set this to true, you should also uncomment the WWW-Authenticate line -- cgit v1.2.3 From 5c0d817778b57b253c7443145fa928547f48e9f5 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 9 Feb 2013 15:05:16 +0100 Subject: site_shorewall::monitor: allow port 80 + 443 --- puppet/modules/site_nagios/manifests/server.pp | 1 + puppet/modules/site_shorewall/manifests/monitor.pp | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/monitor.pp (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 5e2f832b..c98a8a1f 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -34,4 +34,5 @@ class site_nagios::server inherits nagios::base { } site_nagios::add_host {$hosts:} + include site_shorewall::monitor } diff --git a/puppet/modules/site_shorewall/manifests/monitor.pp b/puppet/modules/site_shorewall/manifests/monitor.pp new file mode 100644 index 00000000..af9f8bfe --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/monitor.pp @@ -0,0 +1,18 @@ +class site_shorewall::monitor { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 
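Review bot: The two new comment lines use `#`, but the only comment syntax this file itself uses is `;` (see the `;_google` line in the same hunk), and CouchDB's 1.x ini parser, as far as I recall it, treats only `;` as a comment and appends any other line lacking `=` to the value of the preceding key — which would leave `_utils` set to the handler tuple followed by `# disable futon` and break the handler. Change both lines to `; enable futon` and `; disable futon`, with the commented-out alternative written as `;_utils = {couch_httpd_misc_handlers, handle_welcome_req, ...}`, or verify the parser's behaviour before merging. Since this reverses #1121, one sentence on why Futon is acceptable again would belong in the same comment.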
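Review bot: `net2fw-http` opens plaintext TCP 80 from the whole `net` zone to the monitoring host, and a Nagios web UI behind HTTP basic auth would send its credentials in the clear; unless port 80 exists only to redirect to HTTPS (not visible here), consider dropping that rule or narrowing `source` to an admin network. Because site_nagios::server now includes this class unconditionally, every monitoring node gets both rules. A header comment naming the consumer would help the next reader: `# firewall rules for the nagios web interface (included by site_nagios::server)`.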
From 1a2789d084c3c2beccb97726b8799cb194a634fd Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 9 Feb 2013 20:17:48 +0100 Subject: run bundler and rake assets:precompile as normal user otherwise the generated files will be owned by root and the bundle will be inside roots /home/max --- puppet/modules/site_webapp/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f0d6c90a..46cc0ed6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -52,8 +52,9 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap-webapp', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', unless => '/usr/bin/bundle check', + user => 'leap-webapp', timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ], notify => Service['apache']; @@ -62,6 +63,7 @@ class site_webapp { exec { 'compile_assets': cwd => '/srv/leap-webapp', command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', + user => 'leap-webapp', require => Exec['bundler_update'], notify => Service['apache']; } -- cgit v1.2.3 From 7680ed13b47561ab0bf96bdb63c3aff3f022ee0d Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 10 Feb 2013 23:39:04 -0800 Subject: added 'try' module --- puppet/modules/try/README.md | 13 +++++++++ puppet/modules/try/manifests/file.pp | 51 ++++++++++++++++++++++++++++++++++++ puppet/modules/try/manifests/init.pp | 3 +++ 3 files changed, 67 insertions(+) create mode 100644 puppet/modules/try/README.md create mode 100644 puppet/modules/try/manifests/file.pp create mode 100644 puppet/modules/try/manifests/init.pp (limited to 'puppet') 
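Review bot: Adding `user => 'leap-webapp'` stops the files being root-owned, but as far as I know Puppet's exec does not reset `$HOME` when it switches user, so Bundler still resolves `~/.bundle` and its cache relative to the invoking root environment — the very location the commit message wants to get away from — and may now fail if that directory is not writable by leap-webapp; add `environment => ['HOME=/srv/leap-webapp']` (or the account's real home) to both execs. The `unless => '/usr/bin/bundle check'` runs under the new user as well, which is what you want, but it inherits the same environment. The class site_webapp continues outside the hunk.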
diff --git a/puppet/modules/try/README.md b/puppet/modules/try/README.md new file mode 100644 index 00000000..3888661e --- /dev/null +++ b/puppet/modules/try/README.md @@ -0,0 +1,13 @@ +This module provides a "try" wrapper around common resource types. + +For example: + + try::file { + '/path/to/file': + ensure => 'link', + target => $target; + } + +This will work just like `file`, but will silently fail if `$target` is undefined or the file does not exist. + +So far, only `file` type with symlinks works. diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp new file mode 100644 index 00000000..406c0b7a --- /dev/null +++ b/puppet/modules/try/manifests/file.pp @@ -0,0 +1,51 @@ +# +# like built-in type "file", but gets gracefully ignored if the target does not exist or is undefined. +# +# /bin/true and /usr/bin/test are hardcoded to their paths in debian. +# + +define try::file ( + $ensure = undef, + $target = undef, + $restore = true) { + + if $target != undef { + exec { "check_${name}": + command => "/bin/true", + onlyif => "/usr/bin/test -e '${target}'", + loglevel => info; + } + file { "$name": + ensure => $ensure, + target => $target, + require => Exec["check_${name}"], + loglevel => info; + } + } + + # + # if the target does not exist (or is undef), and the file happens to be in a git repo, + # then restore the file to its original state. + # + if $target == undef or $restore { + $file_basename = basename($name) + $file_dirname = dirname($name) + $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" + debug($command) + + if $target == undef { + exec { "restore_${name}": + command => $command, + cwd => $file_dirname, + loglevel => info; + } + } else { + exec { "restore_${name}": + unless => "/usr/bin/test -e '${target}'", + command => $command, + cwd => $file_dirname, + loglevel => info; + } + } + } +} 
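Review bot: The restore exec's `command` begins with a bare `git`, and Puppet's exec rejects a command that is neither fully qualified nor accompanied by `path`, so `restore_${name}` fails catalog validation as written; add `path => ['/usr/bin', '/bin']` to both exec branches (or spell out `/usr/bin/git`, `/bin/unlink`, `/bin/chown`). Separately, `${name}` and `${target}` are interpolated into shell commands inside single quotes and a value containing `'` escapes the quoting — these come from hiera, so operator-controlled rather than untrusted, but a guard that rejects quote characters is cheap. The trailing `; true` makes the exec succeed whether or not `git checkout` and `chown` worked, which is the 'try' semantics the README promises, but because `unlink` has already run as root a failed checkout silently leaves the file missing; consider `returns => [0, 1]` without the `true` so the failure at least shows in the report. `file { "$name": ... }` should also be `file { $name: ... }` like the other titles.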
diff --git a/puppet/modules/try/manifests/init.pp b/puppet/modules/try/manifests/init.pp new file mode 100644 index 00000000..1d2108c9 --- /dev/null +++ b/puppet/modules/try/manifests/init.pp @@ -0,0 +1,3 @@ +class try { + +} -- cgit v1.2.3 From 708a7e39af9a337ae38f491e7ca1892dd70002c1 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 10 Feb 2013 23:39:27 -0800 Subject: set webapp module to use try::file where appropriate --- puppet/modules/site_webapp/manifests/init.pp | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f0d6c90a..cdec1b6a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -82,7 +82,9 @@ class site_webapp { '/srv/leap-webapp/public/config/eip-service.json': content => $eip_service, owner => leap-webapp, group => leap-webapp, mode => '0644'; + } + try::file { '/srv/leap-webapp/public/favicon.ico': ensure => 'link', target => $webapp['favicon']; @@ -94,14 +96,10 @@ class site_webapp { '/srv/leap-webapp/app/assets/stylesheets/head.scss': ensure => 'link', target => $webapp['head_scss']; - } - if $webapp['img_dir'] != undef { - file { - '/srv/leap-webapp/public/img': - ensure => 'link', - target => $webapp['img_dir']; - } + '/srv/leap-webapp/public/img': + ensure => 'link', + target => $webapp['img_dir']; } file { -- cgit v1.2.3 From b754c9f3412441c58e90fa57dc236fab74cee167 Mon Sep 17 00:00:00 2001 
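Review bot: Moving these symlinks to try::file means that whenever a target is unset the restore exec runs `unlink` and `git checkout` as root inside `/srv/leap-webapp`, and a root-run checkout rewrites `.git/index` as root; if this is merged alongside the sibling commit that runs `bundler_update`/`compile_assets` as `leap-webapp`, any later git operation by that user can fail on the unwritable index — either give the restore exec `user => 'leap-webapp'` or have try::file restore ownership of the index too (that exec lives outside this hunk). The dropped `if $webapp['img_dir'] != undef` guard was the only visible hint that these targets may be absent; a comment on the `try::file` block such as `# targets come from the provider config and may be unset; try::file restores the git copy in that case` keeps that visible. The enclosing class site_webapp begins and ends outside this hunk.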
From: varac Date: Mon, 11 Feb 2013 15:20:05 +0100 Subject: duplicate shortwall service definitions now inclduded from services/* --- puppet/modules/site_shorewall/manifests/monitor.pp | 14 ++------------ puppet/modules/site_shorewall/manifests/service/http.pp | 13 +++++++++++++ puppet/modules/site_shorewall/manifests/service/https.pp | 12 ++++++++++++ puppet/modules/site_shorewall/manifests/tor.pp | 6 +----- puppet/modules/site_shorewall/manifests/webapp.pp | 10 +--------- 5 files changed, 29 insertions(+), 26 deletions(-) create mode 100644 puppet/modules/site_shorewall/manifests/service/http.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/https.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/monitor.pp b/puppet/modules/site_shorewall/manifests/monitor.pp index af9f8bfe..f4ed4f7c 100644 --- a/puppet/modules/site_shorewall/manifests/monitor.pp +++ b/puppet/modules/site_shorewall/manifests/monitor.pp @@ -1,18 +1,8 @@ class site_shorewall::monitor { include site_shorewall::defaults + include site_shorewall::service::http + include site_shorewall::service::https - shorewall::rule { - 'net2fw-https': - source => 'net', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; - 'net2fw-http': - source => 'net', - destination => '$FW', - action => 'HTTP(ACCEPT)', - order => 200; - } } diff --git a/puppet/modules/site_shorewall/manifests/service/http.pp b/puppet/modules/site_shorewall/manifests/service/http.pp new file mode 100644 index 00000000..74b874d5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/http.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::http { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-http': + source => 'net', + destination => '$FW', + action => 'HTTP(ACCEPT)', + order => 200; + } + +} 
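Review bot: `site_shorewall::service::http` opens TCP 80 from `net` to `$FW` for whichever role includes it, but nothing says what is expected to listen there; a header comment naming the consumers, e.g. `# plaintext HTTP from the internet; needed by the tor DirPort (site_shorewall::tor) and the monitoring UI (site_shorewall::monitor)`, keeps the next role author from including it by analogy with https. Since `net2fw-http` is now defined in exactly one class, a node that includes both monitor and tor no longer collides on a duplicate resource title, which is the real fix here and is worth one sentence in the commit message.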
diff --git a/puppet/modules/site_shorewall/manifests/service/https.pp b/puppet/modules/site_shorewall/manifests/service/https.pp new file mode 100644 index 00000000..4a8b119c --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/https.pp @@ -0,0 +1,12 @@ +class site_shorewall::service::https { + + include site_shorewall::defaults + + shorewall::rule { + 'net2fw-https': + source => 'net', + destination => '$FW', + action => 'HTTPS(ACCEPT)', + order => 200; + } +} diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index a72d9dfc..8fe21ee6 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -18,11 +18,7 @@ class site_shorewall::tor { destination => '$FW', action => 'leap_tor(ACCEPT)', order => 200; - 'net2fw-http': - source => 'net', - destination => '$FW', - action => 'HTTP(ACCEPT)', - order => 200; } + include site_shorewall::service::http } diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index ff9b7646..31a65b1b 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -1,13 +1,5 @@ class site_shorewall::webapp { include site_shorewall::defaults - - shorewall::rule { - 'net2fw-https': - source => 'net', - destination => '$FW', - action => 'HTTPS(ACCEPT)', - order => 200; - } - + include site_shorewall::service::https } -- cgit v1.2.3 From 102af94df02decef888bac09748dbac6773dedd6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 12 Feb 2013 13:26:42 +0100 Subject: fixed shorewall is blocking api port (Bug #1735) --- .../site_shorewall/manifests/service/webapp_api.pp | 21 +++++++++++++++++++++ puppet/modules/site_shorewall/manifests/webapp.pp | 1 + 2 files changed, 22 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/service/webapp_api.pp (limited to 'puppet') 
diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp new file mode 100644 index 00000000..9d4296e5 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp @@ -0,0 +1,21 @@ +class site_shorewall::service::webapp_api { + + $api = hiera('api') + $api_port = $api['port'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_webapp_api': + content => "PARAM - - tcp $api_port ", + notify => Service['shorewall'] + } + + + shorewall::rule { + 'net2fw-webapp_api': + source => 'net', + destination => '$FW', + action => 'leap_webapp_api(ACCEPT)', + order => 200; + } + +} diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index 31a65b1b..d12bbc8f 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp +++ b/puppet/modules/site_shorewall/manifests/webapp.pp @@ -2,4 +2,5 @@ class site_shorewall::webapp { include site_shorewall::defaults include site_shorewall::service::https + include site_shorewall::service::webapp_api } -- cgit v1.2.3 From 2a1dbb22ed96b1cc39014e6166f5795e81b829df Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:10:54 -0500 Subject: update shorewall submodule to get fix for augeas package dependency problem --- puppet/modules/shorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall index 614ee152..e4a54e30 160000 --- a/puppet/modules/shorewall +++ b/puppet/modules/shorewall @@ -1 +1 @@ -Subproject commit 614ee152c39bbc66c82a52022e2c05aa7856cd4b +Subproject commit e4a54e30bf2ad7fa45c73cc544e1da4524a287a4 -- cgit v1.2.3 From 1b01713860db2cb0df080874b31c0ba898323c35 Mon Sep 17 00:00:00 2001 
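Review bot: `$api_port` is interpolated unchecked into `content => "PARAM - - tcp $api_port "`; if `hiera('api')` has no `port` key the value is undef, Puppet renders it as an empty string, and as I read Shorewall's macro format an empty DEST PORT column matches every TCP port — so a missing config value would turn `leap_webapp_api(ACCEPT)` into an accept of all TCP from `net`. Guard it before the file resource: `if $api_port == undef { fail('api.port must be set for site_shorewall::service::webapp_api') }`, or `validate_re($api_port, '^[0-9]+$')` if stdlib is present. The same pattern in the sibling `macro.leap_*` files deserves the same check.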
From: Micah Anderson Date: Tue, 12 Feb 2013 13:11:34 -0500 Subject: remove unused commented-out line --- puppet/modules/site_apt/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index beef6fa5..80c6fbde 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,7 +1,6 @@ class site_apt { include ::apt - #include site_apt::dist_upgrade apt::apt_conf { '90disable-pdiffs': content => 'Acquire::PDiffs "false";'; -- cgit v1.2.3 From aab5906b79a43fbcedab819a05b25bef7a2757c8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:12:27 -0500 Subject: file resources that make changes to shorewall need to make sure that shorewall is installed first (#1741) --- puppet/modules/site_shorewall/manifests/couchdb.pp | 3 ++- puppet/modules/site_shorewall/manifests/ip_forward.pp | 2 +- puppet/modules/site_shorewall/manifests/sshd.pp | 3 ++- puppet/modules/site_shorewall/manifests/tor.pp | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 1b7f791d..9fa59569 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -7,7 +7,8 @@ class site_shorewall::couchdb { # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': content => "PARAM - - tcp $couchdb_port", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/ip_forward.pp b/puppet/modules/site_shorewall/manifests/ip_forward.pp index d09d4fd1..d53ee8a5 100644 --- a/puppet/modules/site_shorewall/manifests/ip_forward.pp +++ b/puppet/modules/site_shorewall/manifests/ip_forward.pp 
@@ -5,6 +5,6 @@ class site_shorewall::ip_forward { lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', notify => Service[shorewall], - require => Class[augeas]; + require => [ Class[augeas], Package[shorewall] ]; } } diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index 2cf4fd56..a8e09e42 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp @@ -8,7 +8,8 @@ class site_shorewall::sshd { # define macro for incoming sshd file { '/etc/shorewall/macro.leap_sshd': content => "PARAM - - tcp $ssh_port", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index 8fe21ee6..f35af985 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -8,7 +8,8 @@ class site_shorewall::tor { # define macro for incoming services file { '/etc/shorewall/macro.leap_tor': content => "PARAM - - tcp $tor_port ", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } -- cgit v1.2.3 From 2e5eec3856b58aaff0a2049599a6455e6ff91122 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 12 Feb 2013 13:31:55 -0500 Subject: missed one require => Package['shorewall'] on of the file resources in site_shorewall --- puppet/modules/site_shorewall/manifests/service/webapp_api.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp index 9d4296e5..0c6c824d 100644 --- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp +++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp 
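Review bot: `require => [ Class[augeas], Package[shorewall] ]` uses bareword resource references while the three sibling hunks in this commit write `Package['shorewall']`; use the quoted form here as well, `require => [ Class['augeas'], Package['shorewall'] ];`, so the style is uniform and the titles are plain strings. The augeas resource this line belongs to starts before the hunk.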
@@ -6,7 +6,8 @@ class site_shorewall::service::webapp_api { # define macro for incoming services file { '/etc/shorewall/macro.leap_webapp_api': content => "PARAM - - tcp $api_port ", - notify => Service['shorewall'] + notify => Service['shorewall'], + require => Package['shorewall'] } -- cgit v1.2.3