From: Peter Palfrader
Date: Wed, 24 Feb 2010 15:40:24 +0000 (+0100)
Subject: Merge branch 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=fe3c81154c72b3fd5d5911fb3893021ffe6032e0;hp=7811a25710eabad9dbc08da2af115b080467b6e1;p=dsa-puppet.git
Merge branch 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet
* 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet: (24 commits) stop doubling up an entry add puppetmaster role be a little more liberal about throwing away MS traffic this should be empty for those hosters use the right list of hosts move inclusion of samhain to the end of the block, so it knows about all other classes included clean up samhain template by role instead of by hostname and even more carefully this time skip hosts without ip addresses in ldap bartok gets ferm add debian hosts to the list and recursors should allow localnets ... name new class correctly add bartok as recursor for manda add bartok as a recursor add local DNS recursor class /etc/ferm is now also (kind of, almost) under puppet control ferm.conf is now (kind of, almost) under puppet control and name them usefully use v4 for iptables and v6 for ip6tables ...
---
diff --git a/manifests/site.pp b/manifests/site.pp
index f57efd2d..56f7d3b2 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -31,7 +31,6 @@ node default {
 include ntp
 include motd
- include samhain
 case $smartarraycontroller {
 "true": { include debian-proliant }
@@ -74,10 +73,11 @@ node default {
 case $hostname {
 klecker,ravel,senfl,orff: { include named::secondary }
 geo1,geo2,geo3: { include named::geodns }
+ bartok: { include named::recursor }
 }
 case $hostname {
- logtest01,geo1,geo2,geo3: { include ferm }
+ logtest01,geo1,geo2,geo3,bartok: { include ferm }
 }
 case $brokenhosts {
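Review bot: The ferm host list `logtest01,geo1,geo2,geo3,bartok` is now kept by hand in two places: this `case $hostname` and the `when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok'` lists in modules/ferm/templates/me.conf.erb that decide which sources may reach ssh. A host added here but not there gets a firewall whose ssh allow-list falls through to the `sshallowed.length == 0` branch of me.conf.erb, whose content is not in this diff, so the two lists can drift without any error. A comment on the line, `# hosts listed here also need an sshallowed entry in modules/ferm/templates/me.conf.erb`, or one variable consulted by both, makes the coupling visible. The `node default` block begins and ends outside the hunk.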
@@ -89,4 +89,5 @@ node default {
 case $portforwarder_user_exists {
 "true": { include portforwarder }
 }
+ include samhain
 }
diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
index 53350051..1de0136d 100644
--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -112,9 +112,12 @@ services:
 - draghi.debian.org
 - spohr.debian.org
 muninmaster: spohr.debian.org
- nagiosmaster: tchaikovsky.debian.org
+ nagiosmaster:
+ - draghi.debian.org
+ - tchaikovsky.debian.org
 packagesmaster: powell.debian.org
 packagesqamaster: master.debian.org
+ puppetmaster: handel.debian.org
 qamaster: merkel.debian.org
 rtmaster: spohr.debian.org
 host_settings:
diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
index f761b01e..b5448b07 100644
--- a/modules/ferm/files/ferm.conf
+++ b/modules/ferm/files/ferm.conf
@@ -54,6 +54,7 @@ domain (ip ip6) {
 domain (ip ip6) {
 chain INPUT {
+ proto (tcp udp) mod multiport destination-ports (135 137 138 139 445 1026 1027 1433) DROP;
 jump log_or_drop;
 }
 }
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 25cb39ca..31f1bb46 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -105,6 +105,34 @@
 @def $HOST_DB = ($HOST_DB_V4 $HOST_DB_V6);
+@def $HOST_DEBIAN_V4 = (<%=
+ dbs = []
+ keyinfo.keys.sort.each do |node|
+ next unless keyinfo[node][0].has_key?('ipHostNumber')
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ next if ip =~ /:/
+ dbs << ip
+ end
+ end
+
+ dbs.join(' ')
+%>);
+
+@def $HOST_DEBIAN_V6 = (<%=
+ dbs = []
+ keyinfo.keys.sort.each do |node|
+ next unless keyinfo[node][0].has_key?('ipHostNumber')
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ next if ip =~ /\./
+ dbs << ip
+ end
+ end
+
+ dbs.join(' ')
+%>);
+
+@def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
+
 @def $sgran = (91.103.132.24/29);
 @def $weasel = ();
 @def $weasel = ($weasel 86.59.118.144/28); # debian@sil
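Review bot: The position of the added `include samhain` is load-bearing but undocumented: the samhainrc.erb hunks in this commit test `classes.include?("named::geodns")`, `classes.include?("named")` and `classes.include?('named::secondary')`, and the merge summary moves samhain last precisely so that it sees every other class. Anyone who later appends another include below it, or re-sorts the block, silently loses those watch entries on the affected hosts. Add above it: `# keep last: samhainrc.erb inspects $classes and only sees classes declared before this point`. The `node default` block starts outside the hunk.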
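Review bot: `nagiosmaster` changes from a scalar hostname to a two-element list, so every consumer that interpolated it as a string must now iterate; none of those consumers are in this diff (the `$HOST_NAGIOS_V4`/`$HOST_NAGIOS_V6` definitions used by modules/nagios/manifests/client.pp and the `nodeinfo['nagiosmaster']` flag in samhainrc.erb presumably derive from it), so confirm each one handles a list. Since the neighbouring keys stay scalars, a comment on this key, `# list: every entry is treated as a nagios master`, would stop the next editor from folding it back to a scalar for symmetry.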
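Review bot: The new DROP line discards traffic to the listed ports before the `jump log_or_drop;` that records everything else, and nothing in the file says the silence is deliberate; a reader who takes it for an ordering mistake will move it below the jump and the log noise the merge summary wants gone ("throwing away MS traffic") comes back. Add a comment above it: `# common Windows/SMB/MSSQL ports: dropped quietly so they do not flood log_or_drop`. The rule sits inside `domain (ip ip6)`, so it applies to both address families, which is presumably intended but worth a word in the same comment.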
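Review bot: The two new `<%= … %>` blocks are copies that differ only in the regex, and every `ipHostNumber` value from LDAP is interpolated into the ferm definition unchecked; since this merge also feeds `$HOST_DEBIAN_V4` into bartok's ssh allow-list (me.conf.erb), an LDAP value that is not a bare address either breaks ferm on every host that uses `$HOST_DEBIAN` or widens that allow-list in a way nobody reviewed. The regexes `/:/` and `/\./` also classify by a single character, so a value such as an IPv4-mapped IPv6 address lands in neither list. One helper called twice with an anchored per-family pattern keeps the selection in one place and rejects anything that is not an address. The template continues outside the hunk.

```erb
<%
  # One address family of every LDAP host that carries an ipHostNumber.
  # Anchored patterns accept bare addresses only, so a malformed LDAP value
  # cannot change the meaning of the generated ferm definition.
  debian_hosts = lambda do |pattern|
    keyinfo.keys.sort.map { |node|
      (keyinfo[node][0]['ipHostNumber'] || []).select { |ip| ip =~ pattern }
    }.flatten.join(' ')
  end
-%>
@def $HOST_DEBIAN_V4 = (<%= debian_hosts.call(/\A\d{1,3}(\.\d{1,3}){3}\z/) %>);
@def $HOST_DEBIAN_V6 = (<%= debian_hosts.call(/\A[0-9A-Fa-f:]+\z/) %>);
@def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
```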
@@ -124,8 +152,8 @@
 @def $weasel6 = ($weasel6 2001:826:408:200::/56); # came
 @def $weasel6 = ($weasel6 2001:858:10f::/48); # anguilla
 @def $zobel6 = ();
-@def $zobel6 = ($zobel6 2001:6f8:1215::/48); baldur
-@def $zobel6 = ($zobel6 2001:6f8:928::/48); WS2
-@def $zobel6 = ($zobel6 2a01:198:549::/48); WGS20
+@def $zobel6 = ($zobel6 2001:6f8:1215::/48); # baldur
+@def $zobel6 = ($zobel6 2001:6f8:928::/48); # WS2
+@def $zobel6 = ($zobel6 2a01:198:549::/48); # WGS20
 @def $luca6 = ();
 @def $DSA_V6_IPS = ($sgran6 $weasel6 $zobel6 $luca6);
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index f8a57558..20edce92 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -9,7 +9,11 @@
 sshallowed = []
 case hostname
- when 'logtest01', 'geo1', 'geo2', 'geo3' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
+ when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
+end
+
+case hostname
+ when 'bartok' then sshallowed << '$HOST_DEBIAN_V4'
 end
 if sshallowed.length == 0
@@ -24,7 +28,11 @@ sshallowed.join(' ')
 sshallowed = []
 case hostname
- when 'logtest01', 'geo1', 'geo2', 'geo3' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
+ when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
+end
+
+case hostname
+ when 'bartok' then sshallowed << '$HOST_DEBIAN_V6'
 end
 if sshallowed.length == 0
diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp
index 9cea3378..85c471fc 100644
--- a/modules/nagios/manifests/client.pp
+++ b/modules/nagios/manifests/client.pp
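Review bot: Appending `$HOST_DEBIAN_V4` (and `$HOST_DEBIAN_V6` in the @@ -24 hunk) to `sshallowed` for bartok lets every address that has an ipHostNumber in LDAP reach ssh on that host, a far larger population than the `$DSA_IPS`/nagios/db set the other ferm hosts get; the merge summary describes bartok as a DNS recursor, so if the aim was to let Debian hosts query DNS this is the wrong list, and if ssh from all Debian hosts is intended the line needs a comment saying why. Either way the two consecutive `case hostname` blocks can be one: `when 'bartok' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4', '$HOST_DEBIAN_V4' ]` placed before the shared `when`, and likewise for the v6 block. The `<%= … %>` block holding these statements begins and ends outside the hunk.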
@@ -45,8 +45,13 @@ class nagios::client inherits nagios {
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
 refreshonly => true,
 }
- @ferm::rule { "dsa-nagios":
+ @ferm::rule { "dsa-nagios-v4":
 description => "Allow nrpe from nagios master",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }"
+ }
+ @ferm::rule { "dsa-nagios-v6":
+ description => "Allow nrpe from nagios master",
+ domain => "ip6",
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }"
 }
 }
diff --git a/modules/named/manifests/recursor.pp b/modules/named/manifests/recursor.pp
new file mode 100644
index 00000000..61ca459c
--- /dev/null
+++ b/modules/named/manifests/recursor.pp
@@ -0,0 +1,8 @@
+class named::recursor inherits named {
+ file { "/etc/bind/named.conf.options":
+ content => template("named/named.conf.options.erb"),
+ notify => Exec["bind9 reload"],
+ }
+}
+
+
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
index 457dcda2..a2f309e2 100644
--- a/modules/named/templates/named.conf.options.erb
+++ b/modules/named/templates/named.conf.options.erb
@@ -30,7 +30,7 @@ options {
 <%=
 allowed='Nagios; '
- if classes.include?('named::secondary')
+ if classes.include?('named::secondary') or classes.include?('named::recursor')
 allowed += 'localnets; '
 end
diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb
index 5c120ba8..785a419c 100644
--- a/modules/resolv/templates/resolv.conf.erb
+++ b/modules/resolv/templates/resolv.conf.erb
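Review bot: `dsa-nagios-v4` sets no `domain` while its `dsa-nagios-v6` twin sets `domain => "ip6"`, so the v4 rule relies on the default inside the `ferm::rule` define, which is not in this diff; should that default be `(ip ip6)` rather than `ip`, ferm would be handed a v4 source list inside the ip6 domain. Writing `domain => "ip",` on the v4 resource costs one line and documents the pairing. The two `description` strings are identical; `"Allow nrpe from nagios master (IPv4)"` and `(IPv6)` keep the generated rule comments distinguishable. The `nagios::client` class continues outside the hunk.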
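Review bot: The `file` resource for `/etc/bind/named.conf.options` declares no `owner`, `group` or `mode`, so the permissions of the file that carries the recursion ACL are whatever the package or a previous run left behind; if the sibling `named::secondary`/`named::geodns` classes (not in this diff) declare them, mirror that, otherwise add `owner => root, group => root, mode => 644,`. A header comment naming the role would also help, e.g. `# Recursive resolver role; which clients may recurse is decided in named.conf.options.erb`. The two trailing blank lines at the end of the new file can go.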
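Review bot: A recursor receives exactly the `localnets;` allowance a secondary gets, which on a multi-homed host can be broader than the intended client set, and the line where `allowed` is finally used is outside the hunk, so it is not visible whether it feeds `allow-recursion` or only `allow-query`. If it only feeds `allow-query`, an explicit `allow-recursion { … };` built from the intended client ACL is what keeps the host from becoming an open resolver; if it does feed `allow-recursion`, a comment here, `# also gates allow-recursion below; keep this list tight`, stops a later reader from loosening it with only secondaries in mind. The `<%= … %>` block starts before the hunk and continues past it.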
@@ -14,7 +14,7 @@ case hoster
 when "draghi", "liszt" then nameservers << "127.0.0.1"
 end
- nameservers += ["82.195.75.81", "82.195.66.249", "217.198.242.225"]
+ nameservers += ["82.195.75.91", "82.195.75.81", "82.195.66.249", "217.198.242.225"]
 searchpaths << "debprivate-darmstadt.debian.org"
 when "ftcollins" then
 case hostname
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 0ed6a865..1c1b3060 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -78,8 +78,8 @@ IgnoreMissing=/etc/lvm/archive/vg.*.vg
 file=/etc/mtab
 file=/etc/ssh_random_seed
 file=/etc/asound.conf
-<% case hoster when "ubcece", "darmstadt", "ftcollins" then ""
-else -%>
+<% case hoster when "ubcece", "darmstadt", "ftcollins", "grnet" then -%>
+<% else -%>
 file=/etc/resolv.conf
 <% end -%>
 file=/etc/localtime
@@ -95,15 +95,16 @@ file=/etc/network/run/ifstate
 file=/var/state/samhain/samhain_file
 file=/etc/bind/zones/db.debian.net
 file=/etc/exim4/bsmtp
-<% if hostname == "geo1" || hostname == "geo2" || hostname == "geo3" -%>
+<% if classes.include?("named::geodns") -%>
 file=/etc/bind
 file=/etc/bind/named.conf.acl
-file=/etc/bind/named.conf.options
 file=/etc/bind/named.conf.local
 file=/etc/bind/geodns/named.conf.geo
 file=/etc/bind/geodns/recvconf.files
 <% end -%>
-
+<% if classes.include?("named") -%>
+file=/etc/bind/named.conf.options
+<% end -%>
 #
 # There are files in /etc that might change, thus changing the directory
@@ -133,13 +134,9 @@ file=/etc/nagios
 file=/etc/nagios/nrpe.d
 file=/etc/nagios/obsolete-packages-ignore.d
 file=/etc/bind/geodns
-<%= extradir=""
-if nodeinfo['nagiosmaster']
- extradir="file=/etc/nagios3/puppetconf.d
-file=/etc/puppet"
-end
-extradir
-%>
+<% if nodeinfo['nagiosmaster'] -%>
+file=/etc/nagios3/puppetconf.d
+<% end -%>
 file=/etc/puppet
 file=/etc/cron.d
 file=/usr/lib/nagios/plugins
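Review bot: The hoster list `"ubcece", "darmstadt", "ftcollins", "grnet"` that excludes /etc/resolv.conf here is duplicated in the @@ -211 hunk (on the next line) that includes it elsewhere, and the two must stay exact complements or resolv.conf is watched twice or not at all. Compute it once near the top of the template, `<% resolvconf_is_dynamic = %w{ubcece darmstadt ftcollins grnet}.include?(hoster) -%>`, then test `<% unless resolvconf_is_dynamic -%>` here and `<% if resolvconf_is_dynamic -%>` at line 211. The `case … then` with an empty body also reads like an accident; if it is kept, a comment that the empty branch is deliberate would help.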
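Review bot: `classes.include?("named")` now decides whether `file=/etc/bind/named.conf.options` is watched, but whether the parent class name appears in `$classes` when a host only declares `named::recursor inherits named` depends on how Puppet records inherited classes, which this diff cannot show; if it does not, the entry silently vanishes on exactly the hosts this commit adds. Testing the concrete classes, as the line above already does for geodns, avoids the question: `<% if classes.include?("named::secondary") or classes.include?("named::geodns") or classes.include?("named::recursor") -%>`. Whichever form is kept, a comment that these checks only work because site.pp includes samhain last would save the next reader a hunt. The section header this belongs to is above the hunk.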
@@ -149,6 +146,9 @@ file=/etc/monit/monit.d
 file=/etc/pam.d
 file=/etc/sysctl.d
 file=/etc/syslog-ng
+file=/etc/ferm/
+file=/etc/ferm/conf.d
+file=/etc/ferm/dsa.d
 [LogFiles]
@@ -211,10 +211,9 @@ file=/var/log/syslog
 ##
 ## This file might be created or removed by the system sometimes.
 ##
-<% case hoster when "ubcece", "darmstadt", "ftcollins" then "" -%>
+<% case hoster when "ubcece", "darmstadt", "ftcollins", "grnet" then -%>
 file=/etc/resolv.conf
-<% else
-end -%>
+<% end -%>
 file=/etc/resolv.conf.pcmcia.save
 file=/etc/nologin
 file=/etc/postfix/debian.db
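Review bot: The three ferm entries are added unconditionally, but manifests/site.pp in this commit includes ferm only for `logtest01,geo1,geo2,geo3,bartok`, so every other host has samhain looking for a directory that is not there; unless the section this sits in (its header is above the hunk) tolerates missing paths the way `IgnoreMissing` does elsewhere in this file, that is a recurring report on most hosts. Wrap them, and the four ferm entries in the @@ -360 hunk on the next line, in `<% if classes.include?("ferm") -%>` … `<% end -%>`, the way the nagios and named entries are already gated. `file=/etc/ferm/` is also the only entry in this diff with a trailing slash; `file=/etc/ferm` keeps path matching uniform.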
@@ -360,27 +359,38 @@ file=/etc/monit/monit.d/01puppet
 file=/etc/monit/monit.d/00debian.org
 file=/etc/cron.d/dsa-puppet-stuff
 file=/etc/cron.d/dsa-buildd
-<%= extrafiles=""
-case fqdn
-when "tchaikovsky.debian.org": extrafiles="file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
+<% if nodeinfo['nagiosmaster'] -%>
+file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
 file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
 file=/etc/nagios3/puppetconf.d/auto-services.cfg
 file=/etc/nagios3/puppetconf.d/auto-dependencies.cfg
 file=/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg
 file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
-file=/etc/munin/munin.conf"
-when "handel.debian.org": extrafiles="dir=8/etc/puppet"
-when "dijkstra.debian.org": extrafiles="dir=4/etc/dsa-kvm"
-when /geo[123].debian.org/: extrafiles="dir=1/etc/bind/geodns"
-when /(senfl|ravel|orff|klecker).debian.org/: extrafiles="dir=1/etc/bind
-file=/etc/bind/named.conf.debian-zones"
-end
-extrafiles
-%>
+<% end -%>
+<% if nodeinfo['muninmaster'] -%>
+file=/etc/munin/munin.conf
+<% end -%>
+<% if nodeinfo['puppetmaster'] -%>
+dir=8/etc/puppet
+<% end -%>
+<% if classes.include?('named::geodns') -%>
+dir=1/etc/bind/geodns
+<% end -%>
+<% if classes.include?('named::secondary') -%>
+dir=1/etc/bind
+file=/etc/bind/named.conf.debian-zones
+<% end -%>
+<% if fqdn == "dijkstra.debian.org" -%>
+dir=4/etc/dsa-kvm
+<% end -%>
 <% if nodeinfo['buildd'] -%>
 dir=3/etc/lvm
 <% end -%>
+dir=1/etc/ferm/dsa.d
+file=/etc/ferm/conf.d/me.conf
+file=/etc/ferm/conf.d/defs.conf
+file=/etc/ferm/ferm.conf
 [IgnoreNone]
 ##
@@ -825,19 +835,12 @@ SetMailNum = 10
 SetMailAddress=samhain-reports@debian.org
 ## Mail relay (IP address)
-<%=
-out=""
-if not nodeinfo['smarthost'].empty?
- out = '
-SetMailRelay = localhost
-'
-else
-out = '
+<% if nodeinfo['smarthost'].empty? -%>
 SetMailRelay = master.debian.org
-'
-end
-out
-%>
+<% else -%>
+SetMailRelay = localhost
+<% end -%>
+
 ## Custom subject format
 # MailSubject = [Samhain at %H] %T: %S
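Review bot: `fqdn == "dijkstra.debian.org"` is the one host-name test left in this block after everything else moved to role flags such as `nodeinfo['puppetmaster']` and `classes.include?('named::secondary')`; a role key in local.yaml for that host, consumed the same way as the `puppetmaster` key added in this commit, would finish the conversion the merge summary describes ("by role instead of by hostname") and keep this file free of hostnames. If it must stay, a short comment on why it is host-specific would help. The section continues outside the hunk.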
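Review bot: `nodeinfo['smarthost'].empty?` raises on a nil value, so a node whose `smarthost` key is absent aborts the whole template instead of falling back to master.debian.org; the removed code made the same call, so this is not a regression, but the rewrite is the moment to guard it: `<% if nodeinfo['smarthost'].nil? or nodeinfo['smarthost'].empty? -%>`. A comment on why a host without a smarthost relays straight to master.debian.org, `# no local smarthost: deliver reports via master.debian.org directly`, would also help. Whether `smarthost` can be absent is not visible from this diff.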