From 3eb533e5499e66423bafdedaf6c7d08ead1772de Mon Sep 17 00:00:00 2001
From: Stephen Gran <steve@lobefin.net>
Date: Wed, 4 Apr 2012 19:15:14 +0100
Subject: [PATCH] massive style guide fixups

Signed-off-by: Stephen Gran <steve@lobefin.net>
---
 manifests/site.pp                             | 290 ++++++-----
 modules/acpi/manifests/init.pp                |  20 +-
 .../sites-available => }/common-ssl.inc       |   0
 .../etc/apache2/conf.d => }/local-serverinfo  |   0
 .../{common/etc/apache2/conf.d => }/security  |   0
 .../etc/apache2/conf.d => }/server-status     |   0
 .../{common/etc/php5/conf.d => }/suhosin.ini  |   0
 modules/apache2/manifests/backports_mirror.pp |  25 -
 modules/apache2/manifests/config.pp           |  30 ++
 modules/apache2/manifests/dynamic.pp          |  71 +++
 .../apache2/manifests/ftp-upcoming_mirror.pp  |  18 -
 modules/apache2/manifests/init.pp             | 342 ++++---------
 modules/apache2/manifests/module.pp           |  17 +
 modules/apache2/manifests/security_mirror.pp  |  19 -
 modules/apache2/manifests/site.pp             |  48 ++
 modules/apache2/manifests/www_mirror.pp       |  20 -
 modules/apache2/templates/conf-builddlist.erb |  26 -
 modules/apt-keys/manifests/init.pp            |  29 --
 modules/buildd/manifests/init.pp              |  82 ++-
 .../templates/etc/schroot/mount-defaults.erb  |   2 +-
 modules/clamav/manifests/init.pp              |  42 +-
 modules/dacs/manifests/init.pp                | 236 ++++-----
 .../files/backports.org.asc                   |   0
 .../files/db.debian.org.asc                   |   0
 modules/debian-org/lib/facter/ipaddresses.rb  |   6 +-
 modules/debian-org/manifests/init.pp          | 368 ++++++--------
 modules/debian-org/manifests/proliant.pp      |  30 ++
 modules/debian-org/manifests/radvd.pp         |  10 +
 modules/entropykey/manifests/init.pp          |  96 +---
 .../entropykey/manifests/local_consumer.pp    |  14 +
 modules/entropykey/manifests/provider.pp      |  27 +
 .../entropykey/manifests/remote_consumer.pp   |   8 +
 modules/exim/manifests/init.pp                | 322 ++++++------
 modules/exim/manifests/mx.pp                  |  57 +--
 modules/exim/templates/eximconf.erb           |  90 ++--
 modules/exim/templates/manualroute.erb        |  12 +-
 modules/exim/templates/submission-domains.erb |   8 +
 modules/ferm/manifests/ftp.pp                 |  10 +-
 modules/ferm/manifests/init.pp                | 172 +++----
 modules/ferm/manifests/nfs-server.pp          |  27 -
 modules/ferm/manifests/per-host.pp            | 476 +++++++++---------
 modules/ferm/manifests/rsync.pp               |  10 +-
 modules/ferm/manifests/rule.pp                |  19 +
 modules/ferm/manifests/zivit.pp               |  24 +-
 modules/ferm/templates/defs.conf.erb          |  60 +--
 modules/ferm/templates/interfaces.conf.erb    |   2 +-
 modules/ferm/templates/me.conf.erb            |   6 +-
 modules/hardware/manifests/init.pp            |  14 +
 modules/hosts/manifests/init.pp               |  11 +-
 modules/kfreebsd/manifests/init.pp            |  21 +-
 modules/megactl/manifests/init.pp             |  18 +-
 modules/monit/manifests/init.pp               | 123 ++---
 modules/motd/manifests/init.pp                |  25 +-
 modules/motd/templates/motd.erb               |  36 +-
 modules/munin-node/manifests/init.pp          | 114 -----
 modules/munin-node/manifests/master.pp        |  14 -
 modules/{munin-node => munin}/files/df-wrap   |   0
 modules/munin/manifests/check.pp              |  22 +
 modules/munin/manifests/init.pp               |  43 ++
 modules/munin/manifests/master.pp             |  11 +
 .../templates/munin-node.conf.erb             |   6 +-
 .../templates/munin-node.plugin.conf.erb      |   0
 .../templates/munin.conf.erb                  |   4 +-
 modules/nagios/manifests/client.pp            | 131 +++--
 modules/nagios/manifests/init.pp              |   7 +-
 modules/nagios/manifests/server.pp            | 151 +++---
 modules/nagios/templates/inc-debian.org.erb   |   6 +-
 modules/named/manifests/authoritative.pp      |  31 +-
 modules/named/manifests/geodns.pp             | 116 ++---
 modules/named/manifests/init.pp               |  54 +-
 modules/named/manifests/recursor.pp           |  15 +-
 .../named/templates/named.conf.options.erb    |   6 +-
 modules/nfs-server/manifests/init.pp          |  79 ++-
 modules/ntp/manifests/client.pp               |  24 +
 modules/ntp/manifests/init.pp                 | 140 ++----
 modules/ntp/manifests/timeserver.pp           |   7 +
 modules/ntp/templates/ntp.conf                |   4 +-
 modules/ntpdate/manifests/init.pp             |  32 +-
 modules/portforwarder/manifests/init.pp       |  46 +-
 .../templates/authorized_keys.erb             |   2 +-
 modules/postgres/manifests/init.pp            |  32 +-
 modules/postgrey/manifests/init.pp            |  28 +-
 .../lib/puppet/parser/functions/nodeinfo.rb   |   2 +-
 modules/puppetmaster/manifests/init.pp        |   3 -
 modules/raidmpt/manifests/init.pp             |  31 +-
 modules/resolv/manifests/init.pp              |   8 +-
 modules/resolv/templates/resolv.conf.erb      |   6 +-
 .../backports_mirror}/backports.debian.org    |   0
 .../files/backports_mirror}/www.backports.org |   0
 .../ftp-upcoming.debian.org                   |   0
 .../security_mirror}/security.debian.org      |   0
 .../files/www_mirror}/www.debian.org          |   0
 modules/roles/manifests/backports_mirror.pp   |  13 +
 modules/roles/manifests/dakmaster.pp          |  13 +
 .../roles/manifests/ftp-upcoming_mirror.pp    |   7 +
 modules/roles/manifests/security_mirror.pp    |  11 +
 modules/roles/manifests/www_mirror.pp         |  11 +
 modules/roles/templates/conf-builddlist.erb   |  26 +
 modules/rsyncd-log/manifests/init.pp          |  23 +-
 modules/samhain/manifests/init.pp             |  25 +-
 modules/samhain/templates/samhainrc.erb       |  22 +-
 modules/site/manifests/alternative.pp         |  17 +
 modules/site/manifests/aptrepo.pp             |  39 ++
 modules/site/manifests/init.pp                |  13 +
 modules/site/manifests/linux_module.pp        |  19 +
 modules/site/manifests/sysctl.pp              |  18 +
 modules/ssh/manifests/init.pp                 |  72 ++-
 modules/ssh/templates/authorized_keys.erb     |   8 +-
 modules/ssl/manifests/init.pp                 |  95 ++--
 modules/stunnel4/manifests/client.pp          |  19 +
 modules/stunnel4/manifests/generic.pp         |  30 ++
 modules/stunnel4/manifests/init.pp            | 150 +-----
 modules/stunnel4/manifests/server.pp          |  32 ++
 modules/sudo/files/{common => }/pam           |   0
 modules/sudo/files/{common => }/sudoers       |   0
 .../files/{lenny/sudoers => sudoers.lenny}    |   0
 modules/sudo/manifests/init.pp                |  49 +-
 modules/syslog-ng/manifests/init.pp           |  48 +-
 modules/unbound/manifests/init.pp             | 118 ++---
 modules/unbound/templates/unbound.conf.erb    |   6 +-
 120 files changed, 2530 insertions(+), 2948 deletions(-)
 rename modules/apache2/files/{common/etc/apache2/sites-available => }/common-ssl.inc (100%)
 rename modules/apache2/files/{common/etc/apache2/conf.d => }/local-serverinfo (100%)
 rename modules/apache2/files/{common/etc/apache2/conf.d => }/security (100%)
 rename modules/apache2/files/{common/etc/apache2/conf.d => }/server-status (100%)
 rename modules/apache2/files/{common/etc/php5/conf.d => }/suhosin.ini (100%)
 delete mode 100644 modules/apache2/manifests/backports_mirror.pp
 create mode 100644 modules/apache2/manifests/config.pp
 create mode 100644 modules/apache2/manifests/dynamic.pp
 delete mode 100644 modules/apache2/manifests/ftp-upcoming_mirror.pp
 create mode 100644 modules/apache2/manifests/module.pp
 delete mode 100644 modules/apache2/manifests/security_mirror.pp
 create mode 100644 modules/apache2/manifests/site.pp
 delete mode 100644 modules/apache2/manifests/www_mirror.pp
 delete mode 100644 modules/apache2/templates/conf-builddlist.erb
 delete mode 100644 modules/apt-keys/manifests/init.pp
 rename modules/{apt-keys => debian-org}/files/backports.org.asc (100%)
 rename modules/{apt-keys => debian-org}/files/db.debian.org.asc (100%)
 create mode 100644 modules/debian-org/manifests/proliant.pp
 create mode 100644 modules/debian-org/manifests/radvd.pp
 create mode 100644 modules/entropykey/manifests/local_consumer.pp
 create mode 100644 modules/entropykey/manifests/provider.pp
 create mode 100644 modules/entropykey/manifests/remote_consumer.pp
 create mode 100644 modules/exim/templates/submission-domains.erb
 delete mode 100644 modules/ferm/manifests/nfs-server.pp
 create mode 100644 modules/ferm/manifests/rule.pp
 create mode 100644 modules/hardware/manifests/init.pp
 delete mode 100644 modules/munin-node/manifests/init.pp
 delete mode 100644 modules/munin-node/manifests/master.pp
 rename modules/{munin-node => munin}/files/df-wrap (100%)
 create mode 100644 modules/munin/manifests/check.pp
 create mode 100644 modules/munin/manifests/init.pp
 create mode 100644 modules/munin/manifests/master.pp
 rename modules/{munin-node => munin}/templates/munin-node.conf.erb (83%)
 rename modules/{munin-node => munin}/templates/munin-node.plugin.conf.erb (100%)
 rename modules/{munin-node => munin}/templates/munin.conf.erb (75%)
 create mode 100644 modules/ntp/manifests/client.pp
 create mode 100644 modules/ntp/manifests/timeserver.pp
 rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/backports_mirror}/backports.debian.org (100%)
 rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/backports_mirror}/www.backports.org (100%)
 rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/ftp-upcoming_mirror}/ftp-upcoming.debian.org (100%)
 rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/security_mirror}/security.debian.org (100%)
 rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/www_mirror}/www.debian.org (100%)
 create mode 100644 modules/roles/manifests/backports_mirror.pp
 create mode 100644 modules/roles/manifests/dakmaster.pp
 create mode 100644 modules/roles/manifests/ftp-upcoming_mirror.pp
 create mode 100644 modules/roles/manifests/security_mirror.pp
 create mode 100644 modules/roles/manifests/www_mirror.pp
 create mode 100644 modules/roles/templates/conf-builddlist.erb
 create mode 100644 modules/site/manifests/alternative.pp
 create mode 100644 modules/site/manifests/aptrepo.pp
 create mode 100644 modules/site/manifests/init.pp
 create mode 100644 modules/site/manifests/linux_module.pp
 create mode 100644 modules/site/manifests/sysctl.pp
 create mode 100644 modules/stunnel4/manifests/client.pp
 create mode 100644 modules/stunnel4/manifests/generic.pp
 create mode 100644 modules/stunnel4/manifests/server.pp
 rename modules/sudo/files/{common => }/pam (100%)
 rename modules/sudo/files/{common => }/sudoers (100%)
 rename modules/sudo/files/{lenny/sudoers => sudoers.lenny} (100%)

diff --git a/manifests/site.pp b/manifests/site.pp
index d7a965dd..a55107b4 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,157 +1,155 @@
 Package {
-    require => File["/etc/apt/apt.conf.d/local-recommends"]
+	require => File['/etc/apt/apt.conf.d/local-recommends']
 }
 
 File {
-    owner   => root,
-    group   => root,
-    mode    => 444,
-    ensure  => file,
+	owner   => root,
+	group   => root,
+	mode    => '0444',
+	ensure  => file,
 }
 
 Exec {
-    path => "/usr/bin:/usr/sbin:/bin:/sbin"
+	path => '/usr/bin:/usr/sbin:/bin:/sbin'
 }
 
-node default {
-    $localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml")
-    $nodeinfo  = nodeinfo($::fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml")
-    $allnodeinfo = allnodeinfo("sshRSAHostKey ipHostNumber", "purpose mXRecord physicalHost purpose")
-    notice( sprintf("hoster for %s is %s", $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
-
-    include munin-node
-    include syslog-ng
-    include sudo
-    include ssh
-    include debian-org
-    include monit
-    include apt-keys
-    include ntp
-    include ntpdate
-    include ssl
-    include motd
-
-    case $::hostname {
-        finzi,fano,fasch,field:    { include kfreebsd }
-    }
-
-    if $::smartarraycontroller {
-        include debian-proliant
-    }
-
-    if $::productname == 'PowerEdge 2850' {
-        include megactl
-    }
-
-    if $::mptraid {
-        include raidmpt
-    }
-
-    if $::kvmdomain {
-        include acpi
-    }
-
-    if $::mta == 'exim4' {
-        case getfromhash($nodeinfo, 'heavy_exim') {
-             true:  { include exim::mx }
-             default: { include exim }
-        }
-    }
-
-    if getfromhash($nodeinfo, 'puppetmaster') {
-        include puppetmaster
-    }
-
-    if getfromhash($nodeinfo, 'muninmaster') {
-        include munin-node::master
-    }
-
-    case getfromhash($nodeinfo, 'nagiosmaster') {
-        true:    { include nagios::server }
-        default: { include nagios::client }
-    }
-
-    if $::apache2 {
-         if getfromhash($nodeinfo, 'apache2_security_mirror') {
-                include apache2::security_mirror
-         }
-         if getfromhash($nodeinfo, 'apache2_www_mirror') {
-                include apache2::www_mirror
-         }
-         if getfromhash($nodeinfo, 'apache2_backports_mirror') {
-                include apache2::backports_mirror
-         }
-         if getfromhash($nodeinfo, 'apache2_ftp-upcoming_mirror') {
-                include apache2::ftp-upcoming_mirror
-         }
-         include apache2
-    }
-
-    if $::rsyncd {
-        include rsyncd-log
-    }
-
-
-    if getfromhash($nodeinfo, 'buildd') {
-        include buildd
-    }
-
-    case $::hostname {
-        ravel,senfl,orff,draghi,diamond: { include named::authoritative }
-        geo1,geo2,geo3:                  { include named::geodns }
-        liszt:                           { include named::recursor }
-    }
-
-    case $::hostname {
-        franck,master,lobos,samosa,spohr,widor:   { include unbound }
-    }
-
-    if $::lsbdistcodename != 'lenny' {
-        include unbound
-    }
-
-    include resolv
-
-    if $::kernel == 'Linux' {
-        include ferm
-        include ferm::per-host
-    }
-
-    case $::hostname {
-        diabelli,nono,spohr: { include dacs }
-    }
-
-    case $::hostname {
-        beethoven,duarte,spohr,stabile: {
-            include nfs-server
-        }
-    }
-
-    if $::brokenhosts {
-        include hosts
-    }
-
-    if $::portforwarder_user_exists {
-        include portforwarder
-    }
-
-    include samhain
-
-    case $::hostname {
-        chopin,geo3,soler,wieck: {
-            include debian-radvd
-        }
-    }
-
-    if $::kernel == 'Linux' {
-        include entropykey
-    }
-
-    if ($::postgres84 or $::postgres90) {
-        include postgres
-    }
+Service {
+	hasrestart => true,
+	hasstatus  => true,
 }
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+node default {
+	include site
+	include munin
+	include syslog-ng
+	include sudo
+	include ssh
+	include debian-org
+	include monit
+	include apt-keys
+	include ntp
+	include ntpdate
+	include ssl
+	include motd
+	include hardware
+	include nagios::client
+	include resolv
+
+	if $::hostname in [finzi,fano,fasch,field] {
+		include kfreebsd
+	}
+
+	if $::kvmdomain {
+		include acpi
+	}
+
+	if $::mta == 'exim4' {
+		if getfromhash($site::nodeinfo, 'heavy_exim') {
+			include exim::mx
+		} else {
+			include exim
+		}
+	}
+
+	if $::lsbdistcodename != 'lenny' {
+		include unbound
+	}
+
+	if getfromhash($site::nodeinfo, 'puppetmaster') {
+		include puppetmaster
+	}
+
+	if getfromhash($site::nodeinfo, 'muninmaster') {
+		include munin::master
+	}
+
+	if getfromhash($site::nodeinfo, 'nagiosmaster') {
+		include nagios::server
+	}
+
+	if getfromhash($site::nodeinfo, 'buildd') {
+		include buildd
+	}
+
+	if $::hostname in [chopin,franck,morricone,bizet] {
+		include roles::dakmaster
+	}
+
+	if getfromhash($site::nodeinfo, 'apache2_security_mirror') {
+		include roles::security_mirror
+	}
+
+	if getfromhash($site::nodeinfo, 'apache2_www_mirror') {
+		include roles::www_mirror
+	}
+
+	if getfromhash($site::nodeinfo, 'apache2_backports_mirror') {
+		include roles::backports_mirror
+	}
+
+	if getfromhash($site::nodeinfo, 'apache2_ftp-upcoming_mirror') {
+		include roles::ftp-upcoming_mirror
+	}
+
+	if $::apache2 {
+		include apache2
+	}
+
+	if $::rsyncd {
+		include rsyncd-log
+	}
+
+	if $::hostname in [ravel,senfl,orff,draghi,diamond] {
+		include named::authoritative
+	} elsif $::hostname in [geo1,geo2,geo3] {
+		include named::geodns
+	} elsif $::hostname == 'liszt' {
+		include named::recursor
+	}
+
+	if $::kernel == 'Linux' {
+		include ferm
+		include ferm::per-host
+		include entropykey
+	}
+
+	if $::hostname in [diabelli,nono,spohr] {
+		include dacs
+	}
+
+	if $::hostname in [beethoven,duarte,spohr,stabile] {
+		include nfs-server
+	}
+
+	if $::brokenhosts {
+		include hosts
+	}
+
+	if $::portforwarder_user_exists {
+		include portforwarder
+	}
+
+	include samhain
+
+	if $::hostname in [chopin,geo3,soler,wieck] {
+		include debian-org::radvd
+	}
+
+	if ($::postgres84 or $::postgres90) {
+		include postgres
+	}
+
+	if $::spamd {
+		munin::check { 'spamassassin': }
+	}
+
+	if $::vsftpd {
+		package { 'logtail':
+			ensure => installed
+		}
+		munin::check { 'vsftpd': }
+		munin::check { 'ps_vsftpd':
+			script => 'ps_'
+		}
+	}
+}
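Review bot: `include apt-keys` is still in the new `node default` body, but this same commit deletes `modules/apt-keys/manifests/init.pp` and moves its key files under `modules/debian-org/files/`. Unless the class is defined somewhere not shown here, catalog compilation will fail on every node, so the line should be dropped. Separately, the removed `case $::hostname { franck,master,lobos,samosa,spohr,widor: { include unbound } }` has no counterpart on the new side, so any of those hosts still on lenny would lose the `unbound` class. That is a behaviour change rather than a style fix and is worth confirming and mentioning in the commit message.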
diff --git a/modules/acpi/manifests/init.pp b/modules/acpi/manifests/init.pp
index ffc779b8..c427cb99 100644
--- a/modules/acpi/manifests/init.pp
+++ b/modules/acpi/manifests/init.pp
@@ -1,13 +1,13 @@
 class acpi {
-    if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
-        package {
-            acpid: ensure => installed
-        }
+	if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+		package { 'acpid':
+			ensure => installed
+		}
 
-        if $lsbdistcodename != 'lenny' {
-            package {
-                acpi-support-base: ensure => installed
-            }
-        }
-    }
+		if $::lsbdistcodename != 'lenny' {
+			package { 'acpi-support-base':
+				ensure => installed
+			}
+		}
+	}
 }
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc b/modules/apache2/files/common-ssl.inc
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc
rename to modules/apache2/files/common-ssl.inc
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo b/modules/apache2/files/local-serverinfo
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo
rename to modules/apache2/files/local-serverinfo
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/security b/modules/apache2/files/security
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/conf.d/security
rename to modules/apache2/files/security
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status b/modules/apache2/files/server-status
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/conf.d/server-status
rename to modules/apache2/files/server-status
diff --git a/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini b/modules/apache2/files/suhosin.ini
similarity index 100%
rename from modules/apache2/files/common/etc/php5/conf.d/suhosin.ini
rename to modules/apache2/files/suhosin.ini
diff --git a/modules/apache2/manifests/backports_mirror.pp b/modules/apache2/manifests/backports_mirror.pp
deleted file mode 100644
index 47b2a2dc..00000000
--- a/modules/apache2/manifests/backports_mirror.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-class apache2::backports_mirror {
-    include apache2
-    file {
-        "/etc/apache2/sites-available/backports.debian.org":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/backports.debian.org",
-                         "puppet:///modules/apache2/common/etc/apache2/sites-available/backports.debian.org" ];
-        "/etc/apache2/sites-available/www.backports.org":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.backports.org",
-                         "puppet:///modules/apache2/common/etc/apache2/sites-available/www.backports.org" ];
-
-    }
-
-    activate_apache_site {
-        "010-backports.debian.org": site => "backports.debian.org";
-        "010-www.backports.org": site => "www.backports.org";
-    }
-
-    enable_module {
-        "rewrite":;
-    }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/config.pp b/modules/apache2/manifests/config.pp
new file mode 100644
index 00000000..5d517004
--- /dev/null
+++ b/modules/apache2/manifests/config.pp
@@ -0,0 +1,30 @@
+define apache2::config($config = undef, $template = undef, $ensure = present) {
+
+	include apache2
+
+	if ! ($config or $template) {
+		err ( "No configuration found for ${name}" )
+	}
+
+	case $ensure {
+		present: {}
+		absent:  {}
+		default: { err ( "Unknown ensure value: '$ensure'" ) }
+	}
+
+	if $template {
+		file { "/etc/apache2/conf.d/${name}":
+			ensure  => $ensure,
+			content => template($template),
+			require => Package['apache2'],
+			notify  => Service['apache2'],
+		}
+	} else {
+		file { "/etc/apache2/conf.d/${name}":
+			ensure  => $ensure,
+			source  => $config,
+			require => Package['apache2'],
+			notify  => Service['apache2'],
+		}
+	}
+}
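Review bot: Both validation branches call `err()`, which only logs a message and lets compilation continue. A declaration with neither `$config` nor `$template` therefore falls through to the `else` branch and manages `/etc/apache2/conf.d/${name}` with no source, and an unrecognised `$ensure` is handed straight to the `file` resource. Use `fail("No configuration found for ${name}")` and `default: { fail("Unknown ensure value: '${ensure}'") }` so a bad declaration stops the catalog instead of notifying Apache with a half-configured conf.d entry. Because `${name}` is interpolated into the path, a one-line comment that the resource title must be a plain file name (no `/`) would also help.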
diff --git a/modules/apache2/manifests/dynamic.pp b/modules/apache2/manifests/dynamic.pp
new file mode 100644
index 00000000..0b4b144d
--- /dev/null
+++ b/modules/apache2/manifests/dynamic.pp
@@ -0,0 +1,71 @@
+class apache2::dynamic {
+	@ferm::rule { 'dsa-http-limit':
+		prio        => '20',
+		description => 'limit HTTP DOS',
+		chain       => 'http_limit',
+		rule        => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+		                jump DROP'
+	}
+
+	@ferm::rule { 'dsa-http-soso':
+		prio        => '21',
+		description => 'slow soso spider',
+		chain       => 'limit_sosospider',
+		rule        => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+		                jump http_limit'
+	}
+
+	@ferm::rule { 'dsa-http-yahoo':
+		prio        => '21',
+		description => 'slow yahoo spider',
+		chain       => 'limit_yahoo',
+		rule        => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+		                jump http_limit'
+	}
+
+	@ferm::rule { 'dsa-http-google':
+		prio        => '21',
+		description => 'slow google spider',
+		chain       => 'limit_google',
+		rule        => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+		                jump http_limit'
+	}
+
+	@ferm::rule { 'dsa-http-bing':
+		prio        => '21',
+		description => 'slow bing spider',
+		chain       => 'limit_bing',
+		rule        => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+	                  jump http_limit'
+	}
+
+	@ferm::rule { 'dsa-http-baidu':
+		prio        => '21',
+		description => 'slow baidu spider',
+		chain       => 'limit_baidu',
+		rule        => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+		                jump http_limit'
+	}
+
+	@ferm::rule { 'dsa-http-rules':
+		prio        => '22',
+		description => 'http subchain',
+		chain       => 'http',
+		rule        => '
+		                saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
+		                saddr 124.115.0.0/21 jump limit_sosospider;
+		                saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+		                saddr (66.249.64.0/19) jump limit_google;
+		                saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
+
+		                mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+		                mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+		                mod recent name HTTPDOS set jump log_or_drop'
+	}
+
+	@ferm::rule { 'dsa-http':
+		prio        => '23',
+		description => 'Allow web access',
+		rule        => 'proto tcp dport (http https) jump http'
+	}
+}
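Review bot: The crawler source ranges in `dsa-http-rules` (the `saddr` lists for yahoo, soso, bing, google and baidu) are hard-coded with no comment giving their origin or when they were last checked, and the three HTTPDOS lines carry no explanation. Stale ranges either stop throttling the crawler or start throttling whoever holds those addresses now, so add a comment above the resource such as `# crawler ranges: source <where obtained>, last reviewed <date>`. A second comment above the `mod recent` lines should say that a source exceeding the hashlimit rate of 30/minute (burst 600) is put on the HTTPDOS list and sent to `log_or_drop` until it has been quiet for 1800 seconds. `log_or_drop` is not defined in this file and presumably comes from the ferm module's base configuration; a note saying so would save the next reader a search. The continuation line in `dsa-http-bing` is also indented with a different tab/space mix from its siblings.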
diff --git a/modules/apache2/manifests/ftp-upcoming_mirror.pp b/modules/apache2/manifests/ftp-upcoming_mirror.pp
deleted file mode 100644
index aa3610c4..00000000
--- a/modules/apache2/manifests/ftp-upcoming_mirror.pp
+++ /dev/null
@@ -1,18 +0,0 @@
-class apache2::ftp-upcoming_mirror {
-    include apache2
-    file {
-        "/etc/apache2/sites-available/ftp-upcoming.debian.org":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/ftp-upcoming.debian.org",
-                         "puppet:///modules/apache2/common/etc/apache2/sites-available/ftp-upcoming.debian.org" ];
-
-    }
-
-    activate_apache_site {
-        "010-ftp-upcoming.debian.org": site => "ftp-upcoming.debian.org";
-    }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index ade26fb1..3c0874e3 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -1,250 +1,96 @@
 class apache2 {
-    activate_munin_check {
-        "apache_accesses":;
-        "apache_processes":;
-        "apache_volume":;
-        "apache_servers":;
-        "ps_apache2": script => "ps_";
-    }
-
-    package {
-        "apache2": ensure => installed;
-    }
-
-    case $php5 {
-        "true": {
-            package {
-                "php5-suhosin": ensure => installed;
-            }
-
-            file { "/etc/php5/conf.d/suhosin.ini":
-                source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
-                             "puppet:///modules/apache2/common/etc/php5/conf.d/suhosin.ini" ],
-                require => Package["apache2", "php5-suhosin"],
-                notify  => Exec["force-reload-apache2"];
-            }
-        }
-    }
-
-    define activate_apache_site($ensure=present, $site=$name) {
-        case $site {
-            "": { $base = $name }
-            default: { $base = $site }
-        }
-
-        case $ensure {
-            present: {
-                    file { "/etc/apache2/sites-enabled/$name":
-                             ensure => "/etc/apache2/sites-available/$base",
-                             require => Package["apache2"],
-                             notify => Exec["reload-apache2"];
-                    }
-            }
-            absent: {
-                    file { "/etc/apache2/sites-enabled/$name":
-                             ensure => $ensure,
-                             notify => Exec["reload-apache2"];
-                    }
-            }
-            default: { err ( "Unknown ensure value: '$ensure'" ) }
-        }
-    }
-
-    define enable_module($ensure=present) {
-        case $ensure {
-            present: {
-                exec { 
-                      "/usr/sbin/a2enmod $name":
-                        unless => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
-                        notify => Exec["force-reload-apache2"],
-                }
-            }
-            absent: {
-                exec {
-                      "/usr/sbin/a2dismod $name":
-                        onlyif => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
-                        notify => Exec["force-reload-apache2"],
-                }
-            }
-            default: { err ( "Unknown ensure value: '$ensure'" ) }
-        }
-    }
-
-    enable_module {
-        "info":;
-        "status":;
-    }
-
-    activate_apache_site {
-        "00-default": site => "default-debian.org";
-        "000-default": ensure => absent;
-    }
-
-    file {
-        "/etc/apache2/conf.d/ressource-limits":
-            content => template("apache2/ressource-limits.erb"),
-            require => Package["apache2"],
-                        notify  => Exec["reload-apache2"];
-        "/etc/apache2/conf.d/security":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/security",
-                         "puppet:///modules/apache2/common/etc/apache2/conf.d/security" ],
-            require => Package["apache2"],
-            notify  => Exec["reload-apache2"];
-        "/etc/apache2/conf.d/local-serverinfo":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
-                         "puppet:///modules/apache2/common/etc/apache2/conf.d/local-serverinfo" ],
-            require => Package["apache2"],
-            notify  => Exec["reload-apache2"];
-        "/etc/apache2/conf.d/server-status":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
-                         "puppet:///modules/apache2/common/etc/apache2/conf.d/server-status" ],
-            require => Package["apache2"],
-            notify  => Exec["reload-apache2"];
-
-        "/etc/apache2/sites-available/default-debian.org":
-            content => template("apache2/default-debian.org.erb"),
-            require => Package["apache2"],
-            notify  => Exec["reload-apache2"];
-
-        "/etc/apache2/sites-available/common-ssl.inc":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn//etc/apache2/sites-available/common-ssl.inc",
-                         "puppet:///modules/apache2/common/etc/apache2/sites-available/common-ssl.inc" ],
-            require => Package["apache2"],
-            notify  => Exec["reload-apache2"];
-
-        "/etc/logrotate.d/apache2":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/logrotate.d/apache2",
-                         "puppet:///modules/apache2/common/etc/logrotate.d/apache2" ];
-
-        "/srv/www":
-            mode    => 755,
-            ensure  => directory;
-        "/srv/www/default.debian.org":
-            mode    => 755,
-            ensure  => directory;
-        "/srv/www/default.debian.org/htdocs":
-            mode    => 755,
-            ensure  => directory;
-        "/srv/www/default.debian.org/htdocs/index.html":
-            content => template("apache2/default-index.html");
-
-        # sometimes this is a symlink
-        #"/var/log/apache2":
-        #    mode    => 755,
-        #    ensure  => directory;
-    }
-
-    exec {
-        "reload-apache2":
-            command => "/etc/init.d/apache2 reload",
-            refreshonly => true;
-        "force-reload-apache2":
-            command => "/etc/init.d/apache2 force-reload",
-            refreshonly => true;
-    }
-    case $hostname {
-        chopin,franck,morricone,bizet: {
-            package {
-                "libapache2-mod-macro": ensure => installed;
-            }
-            enable_module {
-                "macro":;
-            }
-            file {
-                "/etc/apache2/conf.d/puppet-builddlist":
-                    content => template("apache2/conf-builddlist.erb"),
-                    require => Package["apache2"],
-                    notify  => Exec["reload-apache2"];
-            }
-        }
-    }
-
-    case $hostname {
-        busoni,duarte,holter,lindberg,master,powell,rore: {
-            @ferm::rule { "dsa-http-limit":
-                prio            => "20",
-                description     => "limit HTTP DOS",
-                chain           => 'http_limit',
-                rule            => '
-                                    mod limit limit-burst 60 limit 15/minute jump ACCEPT;
-                                    jump DROP'
-            }
-            @ferm::rule { "dsa-http-soso":
-                prio            => "21",
-                description     => "slow soso spider",
-                chain           => 'limit_sosospider',
-                rule            => '
-                                    mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
-                                    jump http_limit'
-            }
-            @ferm::rule { "dsa-http-yahoo":
-                prio            => "21",
-                description     => "slow yahoo spider",
-                chain           => 'limit_yahoo',
-                rule            => '
-                                    mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
-                                    jump http_limit'
-            }
-            @ferm::rule { "dsa-http-google":
-                prio            => "21",
-                description     => "slow google spider",
-                chain           => 'limit_google',
-                rule            => '
-                                    mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
-                                    jump http_limit'
-            }
-            @ferm::rule { "dsa-http-bing":
-                prio            => "21",
-                description     => "slow bing spider",
-                chain           => 'limit_bing',
-                rule            => '
-                                    mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
-                                    jump http_limit'
-            }
-            @ferm::rule { "dsa-http-baidu":
-                prio            => "21",
-                description     => "slow baidu spider",
-                chain           => 'limit_baidu',
-                rule            => '
-                                    mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
-                                    jump http_limit'
-            }
-            @ferm::rule { "dsa-http-rules":
-                prio            => "22",
-                description     => "http subchain",
-                chain           => 'http',
-                rule            => '
-                                    saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
-                                    saddr 124.115.0.0/21 jump limit_sosospider;
-                                    saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
-                                    saddr (66.249.64.0/19) jump limit_google;
-                                    saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
-
-                                    mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
-                                    mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
-                                    mod recent name HTTPDOS set jump log_or_drop'
-            }
-            @ferm::rule { "dsa-http":
-                prio            => "23",
-                description     => "Allow web access",
-                rule            => "proto tcp dport (http https) jump http"
-            }
-        }
-        default: {
-            @ferm::rule { "dsa-http":
-                prio            => "23",
-                description     => "Allow web access",
-                rule            => "&SERVICE(tcp, (http https))"
-            }
-        }
-    }
-    @ferm::rule { "dsa-http-v6":
-        domain          => "(ip6)",
-        prio            => "23",
-        description     => "Allow web access",
-        rule            => "&SERVICE(tcp, (http https))"
-    }
+
+	package { 'apache2':
+		ensure => installed,
+	}
+
+	service { 'apache2':
+		ensure  => running,
+		require => Package['apache2'],
+	}
+
+	apache2::module { 'info': }
+	apache2::module { 'status': }
+
+	apache2::site { '00-default':
+		site     => 'default-debian.org',
+		template => 'apache2/default-debian.org.erb',
+	}
+
+	apache2::site { '000-default':
+		ensure => absent,
+	}
+
+	apache2::config { 'ressource-limits':
+		template => 'apache2/ressource-limits.erb',
+	}
+
+	apache2::config { 'security':
+		config => 'puppet:///modules/apache2/security',
+	}
+
+	apache2::config { 'local-serverinfo':
+		config => 'puppet:///modules/apache2/local-serverinfo',
+	}
+
+	apache2::config { 'server-status':
+		config => 'puppet:///modules/apache2/server-status',
+	}
+
+	file { '/etc/apache2/sites-available/common-ssl.inc':
+		source => 'puppet:///modules/apache2/common-ssl.inc',
+		require => Package['apache2'],
+		notify  => Service['apache2'],
+	}
+
+	file { '/etc/logrotate.d/apache2':
+		source => 'puppet:///modules/apache2/apache2.logrotate',
+	}
+
+	file { [ '/srv/www', '/srv/www/default.debian.org', '/srv/www/default.debian.org/htdocs' ]:
+		ensure  => directory,
+		mode    => '0755',
+	}
+
+	file { '/srv/www/default.debian.org/htdocs/index.html':
+		content => template('apache2/default-index.html'),
+	}
+
+	munin::check { 'apache_accesses': }
+	munin::check { 'apache_processes': }
+	munin::check { 'apache_volume': }
+	munin::check { 'apache_servers': }
+	munin::check { 'ps_apache2':
+		script => 'ps_',
+	}
+
+	if $php5 {
+		package { 'php5-suhosin':
+			ensure  => installed,
+			require => Package['apache2'],
+		}
+
+		file { '/etc/php5/conf.d/suhosin.ini':
+			source  => 'puppet:///modules/apache2/suhosin.ini',
+			require => Package['php5-suhosin'],
+			notify  => Service['apache2'],
+		}
+	}
+
+	if $::hostname in [busoni,duarte,holter,lindberg,master,powell,rore] {
+		include apache2::dynamic
+	} else {
+		@ferm::rule { 'dsa-http':
+			prio        => '23',
+			description => 'Allow web access',
+			rule        => '&SERVICE(tcp, (http https))'
+		}
+	}
+
+	@ferm::rule { 'dsa-http-v6':
+		domain          => '(ip6)',
+		prio            => '23',
+		description     => 'Allow web access',
+		rule            => '&SERVICE(tcp, (http https))'
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/module.pp b/modules/apache2/manifests/module.pp
new file mode 100644
index 00000000..3a6922bd
--- /dev/null
+++ b/modules/apache2/manifests/module.pp
@@ -0,0 +1,17 @@
+define apache2::module ($ensure = present) {
+	case $ensure {
+		present: {
+			exec { "/usr/sbin/a2enmod ${name}":
+				creates => "/etc/apache2/mods-enabled/${name}.load",
+				notify  => Service['apache2']
+			}
+		}
+		absent: {
+			exec { "/usr/sbin/a2dismod ${name}":
+				onlyif => "test -L /etc/apache2/mods-enabled/${name}.load",
+				notify => Service['apache2']
+			}
+		}
+		default: { err ( "Unknown ensure value: '$ensure'" ) }
+	}
+}
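Review bot: The `onlyif` in the `absent` branch runs `test -L ...` without a qualified path, and the exec sets no `path`. Unless a global `Exec { path => ... }` default exists elsewhere (not visible in this diff), Puppet rejects unqualified commands, so disabling a module would fail at apply time. Use `onlyif => "/usr/bin/test -L /etc/apache2/mods-enabled/${name}.load"` or add a `path` attribute. Separately, the `default` branch calls `err()`, which only logs and lets the catalog compile, so a mistyped `ensure` is silently ignored; `fail("Unknown ensure value: '${ensure}'")` would stop the run instead.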
diff --git a/modules/apache2/manifests/security_mirror.pp b/modules/apache2/manifests/security_mirror.pp
deleted file mode 100644
index 853b9f89..00000000
--- a/modules/apache2/manifests/security_mirror.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-class apache2::security_mirror {
-    include apache2
-    file {
-        "/etc/apache2/sites-available/security.debian.org":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/security.debian.org",
-                         "puppet:///modules/apache2/common/etc/apache2/sites-available/security.debian.org" ];
-
-    }
-
-    activate_apache_site {
-        "010-security.debian.org": site => "security.debian.org";
-        "security.debian.org": ensure => absent;
-    }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/site.pp b/modules/apache2/manifests/site.pp
new file mode 100644
index 00000000..708e6fa0
--- /dev/null
+++ b/modules/apache2/manifests/site.pp
@@ -0,0 +1,48 @@
+define apache2::site (
+	$config = undef,
+	$template = undef,
+	$ensure = present,
+	$site = undef
+) {
+
+	include apache2
+
+	if ! ($config or $template) {
+		err ( "No configuration found for ${name}" )
+	}
+
+	if $site {
+		$base = $site
+	} else {
+		$base = $name
+	}
+
+	$target = "/etc/apache2/sites-available/${base}"
+
+	$link_target = $ensure ? {
+		present => $target,
+		absent  => absent,
+		default => err ( "Unknown ensure value: '$ensure'" ),
+	}
+
+	if $template {
+		file { $target:
+			ensure  => $ensure,
+			content => template($template),
+			require => Package['apache2'],
+			notify  => Service['apache2'],
+		}
+	} else {
+		file { $target:
+			ensure  => $ensure,
+			source  => $config,
+			require => Package['apache2'],
+			notify  => Service['apache2'],
+		}
+	}
+
+	file { "/etc/apache2/sites-enabled/${name}":
+		ensure => $link_target,
+		notify => Service['apache2'],
+	}
+}
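Review bot: The missing-configuration check only calls `err()`, so compilation continues and the `else` branch still declares `file { $target: }` with an undefined `source`. It also fires for `ensure => absent` callers that legitimately pass neither `config` nor `template`, as the `000-default` declaration in init.pp does. I would write it as `if $ensure == present and ! ($config or $template) { fail("No configuration found for ${name}") }`. The selector's `default => err(...)` uses a logging function as a value, which Puppet will most likely reject when that branch is reached; validating `$ensure` with `fail()` before the selector is clearer. The `sites-enabled` resource also has no `require` on `File[$target]`, so the link may be created before the file it points to.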
diff --git a/modules/apache2/manifests/www_mirror.pp b/modules/apache2/manifests/www_mirror.pp
deleted file mode 100644
index 136e571e..00000000
--- a/modules/apache2/manifests/www_mirror.pp
+++ /dev/null
@@ -1,20 +0,0 @@
-class apache2::www_mirror {
-    include apache2
-    file {
-        "/etc/apache2/sites-available/www.debian.org":
-            source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.debian.org",
-                         "puppet:///modules/apache2/common/etc/apache2/sites-available/www.debian.org" ],
-            notify => Exec["reload-apache2"],
-            ;
-    }
-
-    activate_apache_site {
-        "010-www.debian.org": site => "www.debian.org";
-        "www.debian.org": ensure => absent;
-    }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/templates/conf-builddlist.erb b/modules/apache2/templates/conf-builddlist.erb
deleted file mode 100644
index 1aa47587..00000000
--- a/modules/apache2/templates/conf-builddlist.erb
+++ /dev/null
@@ -1,26 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<Macro DebianBuilddHostList>
-
-<%=
-  lines = []
-
-  allnodeinfo.keys.sort.each do |node|
-    next unless allnodeinfo[node]['purpose']
-    if allnodeinfo[node]['purpose'].include?('buildd')
-      lines << "  # #{allnodeinfo[node]['hostname'].to_s}"
-      allnodeinfo[node]['ipHostNumber'].each do |addr|
-        lines << "  allow from #{addr}"
-      end
-    end
-  end
-
-  lines.join("\n")
-# vim:set et:
-# vim:set sts=2 ts=2:
-# vim:set shiftwidth=2:
-%>
-</Macro>
diff --git a/modules/apt-keys/manifests/init.pp b/modules/apt-keys/manifests/init.pp
deleted file mode 100644
index bb3574eb..00000000
--- a/modules/apt-keys/manifests/init.pp
+++ /dev/null
@@ -1,29 +0,0 @@
-class apt-keys {
-    file {
-        "/etc/apt/trusted-keys.d/":
-            ensure  => directory,
-            purge   => true,
-            notify  => Exec["apt-keys-update"],
-            ;
-
-        "/etc/apt/trusted-keys.d/backports.org.asc":
-            source  => "puppet:///modules/apt-keys/backports.org.asc",
-            mode    => 664,
-            notify  => Exec["apt-keys-update"],
-            ;
-        "/etc/apt/trusted-keys.d/db.debian.org.asc":
-            source  => "puppet:///modules/apt-keys/db.debian.org.asc",
-            mode    => 664,
-            notify  => Exec["apt-keys-update"],
-            ;
-    }
-
-    exec { "apt-keys-update":
-         command => '/bin/true && for keyfile in /etc/apt/trusted-keys.d/*; do apt-key add $keyfile; done',
-         refreshonly => true
-    }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp
index f001291b..01dca34d 100644
--- a/modules/buildd/manifests/init.pp
+++ b/modules/buildd/manifests/init.pp
@@ -1,51 +1,43 @@
 class buildd {
-    package {
-        "schroot": ensure => installed;
-        "sbuild": ensure => installed;
-        "apt-transport-https": ensure => installed;
-        "debootstrap": ensure => installed;
-        "dupload": ensure => installed;
-    }
+	package { [
+			'schroot',
+			'sbuild',
+			'apt-transport-https',
+			'debootstrap',
+			'dupload'
+		]:
+			ensure => installed
+	}
 
-    file {
-        "/etc/apt/preferences.d/buildd":
-            ensure  => absent
-            ;
+	site::linux_module { 'dm_snapshot': }
 
-        "/etc/apt/sources.list.d/buildd.list":
-             content => template("buildd/etc/apt/sources.list.d/buildd.list.erb"),
-             require => Package["apt-transport-https"],
-             notify  => Exec["apt-get update"],
-             ;
+	site::aptrepo { 'buildd':
+		content => template('buildd/etc/apt/sources.list.d/buildd.list.erb'),
+		key     => 'puppet:///modules/buildd/buildd.debian.org.asc',
+	}
 
-        "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
-             source  => "puppet:///modules/buildd/buildd.debian.org.asc",
-             mode    => 664,
-             notify  => Exec["apt-keys-update"],
-             ;
-        "/etc/schroot/mount-defaults":
-             content => template("buildd/etc/schroot/mount-defaults.erb"),
-             require => Package["sbuild"]
-             ;
-        "/etc/cron.d/dsa-buildd":
-             source => "puppet:///modules/buildd/cron.d-dsa-buildd",
-             require => Package["debian.org"]
-             ;
-        "/etc/dupload.conf":
-             source => "puppet:///modules/buildd/dupload.conf",
-             require => Package["dupload"]
-             ;
-        "/etc/default/schroot":
-             source => "puppet:///modules/buildd/default-schroot",
-             require => Package["schroot"]
-             ;
-    }
-
-    case $kernel {
-        Linux: { linux_module { "dm_snapshot": ensure => present; } }
-    }
+	file { '/etc/apt/preferences.d/buildd':
+		ensure  => absent
+	}
+	file { '/etc/schroot/mount-defaults':
+		content => template('buildd/etc/schroot/mount-defaults.erb'),
+		require => Package['sbuild'],
+	}
+	file { '/etc/schroot/mount-defaults':
+		content => template('buildd/etc/schroot/mount-defaults.erb'),
+		require => Package['sbuild'],
+	}
+	file { '/etc/cron.d/dsa-buildd':
+		source  => 'puppet:///modules/buildd/cron.d-dsa-buildd',
+		require => Package['debian.org']
+	}
+	file { '/etc/dupload.conf':
+		source  => 'puppet:///modules/buildd/dupload.conf',
+		require => Package['dupload'],
+	}
+	file { '/etc/default/schroot':
+		source  => 'puppet:///modules/buildd/default-schroot',
+		require => Package['schroot']
+	}
 
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
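Review bot: `file { '/etc/schroot/mount-defaults': ... }` is declared twice in a row in the new class body, which Puppet treats as a duplicate resource declaration and which will fail catalog compilation on every buildd node; drop the second copy. The old manifest also wrapped the module load in `case $kernel { Linux: ... }`, while the new `site::linux_module { 'dm_snapshot': }` is unconditional. If `site::linux_module` does not check the kernel itself (its definition is not visible here), the kFreeBSD buildds that the mount-defaults template caters for would now have `/etc/modules` managed too. Worth a comment such as `# dm_snapshot is needed for LVM snapshot chroots (Linux only)` next to that line once the guard is confirmed.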
diff --git a/modules/buildd/templates/etc/schroot/mount-defaults.erb b/modules/buildd/templates/etc/schroot/mount-defaults.erb
index ec016d9c..9dc2d518 100644
--- a/modules/buildd/templates/etc/schroot/mount-defaults.erb
+++ b/modules/buildd/templates/etc/schroot/mount-defaults.erb
@@ -7,7 +7,7 @@
 # (CHROOT_PATH)
 #
 # <file system> <mount point>   <type>  <options>       <dump>  <pass>
-<% if nodeinfo['ldap'].has_key?('architecture') and nodeinfo['ldap']['architecture'][0].start_with?('kfreebsd') -%>
+<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
 # kFreeBSD version
 proc		/proc		linprocfs	defaults	0	0
 dev		/dev		devfs	rw,bind		0	0
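Review bot: The condition now calls `scope.lookupvar('site::nodeinfo')` twice on one line and indexes the result without checking it. If the `site` class has not been evaluated for a node, the lookup presumably does not return a hash and the template raises instead of falling through to the non-kFreeBSD branch. Binding it once, e.g. `<% ldap = scope.lookupvar('site::nodeinfo')['ldap'] -%>` and then `<% if ldap.has_key?('architecture') and ldap['architecture'][0].start_with?('kfreebsd') -%>`, keeps the line readable and gives one place to add a guard. The rest of this conditional lies outside the hunk.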
diff --git a/modules/clamav/manifests/init.pp b/modules/clamav/manifests/init.pp
index 885258bf..47c4109d 100644
--- a/modules/clamav/manifests/init.pp
+++ b/modules/clamav/manifests/init.pp
@@ -1,24 +1,22 @@
 class clamav {
-    package {
-        "clamav-daemon": ensure => installed;
-        "clamav-freshclam": ensure => installed;
-        "clamav-unofficial-sigs": ensure => installed;
-    }
-    file {
-        "/etc/clamav-unofficial-sigs.dsa.conf":
-            require => Package["clamav-unofficial-sigs"],
-            source  => [ "puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf" ]
-            ;
-        "/etc/clamav-unofficial-sigs.conf":
-            require => Package["clamav-unofficial-sigs"],
-            source  => [ "puppet:///modules/clamav/clamav-unofficial-sigs.conf" ]
-            ;
-        "/var/lib/clamav/mbl.ndb":
-            ensure  => absent,
-            ;
-    }
-}
+	package { [
+			'clamav-daemon',
+			'clamav-freshclam',
+			'clamav-unofficial-sigs'
+		]:
+			ensure => installed
+	}
+
+	file { '/var/lib/clamav/mbl.ndb':
+		ensure  => absent
+	}
+	file { '/etc/clamav-unofficial-sigs.dsa.conf':
+		require => Package['clamav-unofficial-sigs'],
+		source  => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf' ]
+	}
+	file { '/etc/clamav-unofficial-sigs.conf':
+		require => Package['clamav-unofficial-sigs'],
+		source  => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.conf' ]
+	}
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+}
diff --git a/modules/dacs/manifests/init.pp b/modules/dacs/manifests/init.pp
index 79cf4841..377dfa9d 100644
--- a/modules/dacs/manifests/init.pp
+++ b/modules/dacs/manifests/init.pp
@@ -1,153 +1,89 @@
 class dacs {
-    package {
-        "dacs": ensure => installed;
-        "libapache2-mod-dacs": ensure => installed;
-    }
-
-    file {
-        "/var/log/dacs":
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 770,
-             purge   => true
-             ;
-        "/etc/dacs/federations":
-             require => Package["libapache2-mod-dacs"],
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 750,
-             purge   => true
-             ;
-
-        "/etc/dacs/federations/debian.org/":
-             require => Package["libapache2-mod-dacs"],
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 750,
-             purge   => true
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN":
-             require => Package["libapache2-mod-dacs"],
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 750,
-             purge   => true
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/acls":
-             require => Package["libapache2-mod-dacs"],
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 750,
-             purge   => true
-             ;
-        
-        "/etc/dacs/federations/debian.org/DEBIAN/groups":
-             require => Package["libapache2-mod-dacs"],
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 750,
-             purge   => true
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS":
-             require => Package["libapache2-mod-dacs"],
-             ensure  => directory,
-             owner   => root,
-             group   => www-data,
-             mode    => 750,
-             purge   => true
-             ;
-
-        "/etc/dacs/federations/site.conf":
-             require => Package["libapache2-mod-dacs"],
-             source  => [ "puppet:///modules/dacs/per-host/$fqdn/site.conf",
-                          "puppet:///modules/dacs/common/site.conf" ],
-             mode    => 640,
-             owner   => root,
-             group   => www-data
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/dacs.conf":
-             require => Package["libapache2-mod-dacs"],
-             source  => [ "puppet:///modules/dacs/per-host/$fqdn/dacs.conf",
-                          "puppet:///modules/dacs/common/dacs.conf" ],
-             mode    => 640,
-             owner   => root,
-             group   => www-data
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/acls/revocations":
-             require => Package["libapache2-mod-dacs"],
-             source  => [ "puppet:///modules/dacs/per-host/$fqdn/revocations",
-                          "puppet:///modules/dacs/common/revocations" ],
-             mode    => 640,
-             owner   => root,
-             group   => www-data
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp":
-             require => Package["libapache2-mod-dacs"],
-             source  => [ "puppet:///modules/dacs/per-host/$fqdn/jurisdictions.grp",
-                          "puppet:///modules/dacs/common/jurisdictions.grp" ],
-             mode    => 640,
-             owner   => root,
-             group   => www-data
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0":
-             require => Package["libapache2-mod-dacs"],
-             source  => [ "puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0",
-                          "puppet:///modules/dacs/common/acl-noauth.0" ],
-             mode    => 640,
-             owner   => root,
-             group   => www-data,
-             notify  => Exec["dacsacl"]
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0":
-             require => Package["libapache2-mod-dacs"],
-             source  => [ "puppet:///modules/dacs/per-host/$fqdn/acl-private.0",
-                          "puppet:///modules/dacs/common/acl-private.0" ],
-             mode    => 640,
-             owner   => root,
-             group   => www-data,
-             notify  => Exec["dacsacl"]
-             ;
-
-        "/etc/dacs/federations/debian.org/federation_keyfile":
-             require => Package["libapache2-mod-dacs"],
-             source  => "puppet:///modules/dacs/private/debian.org_federation_keyfile",
-             mode    => 640,
-             owner   => root,
-             group   => www-data
-             ;
-
-        "/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile":
-             require => Package["libapache2-mod-dacs"],
-             source  => "puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile",
-             mode    => 640,
-             owner   => root,
-             group   => www-data
-             ;
-
-    }
-
-    exec {
-        "dacsacl":
-            command     => "dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX",
-            refreshonly => true,
-    }
-
+	package { 'dacs':
+		ensure => installed,
+	}
+	package { 'libapache2-mod-dacs':
+		ensure => installed,
+	}
+
+	file { '/var/log/dacs':
+		ensure  => directory,
+		owner   => root,
+		group   => www-data,
+		mode    => '0770',
+		purge   => true,
+	}
+	file { [
+			'/etc/dacs/federations',
+			'/etc/dacs/federations/debian.org/',
+			'/etc/dacs/federations/debian.org/DEBIAN',
+			'/etc/dacs/federations/debian.org/DEBIAN/acls',
+			'/etc/dacs/federations/debian.org/DEBIAN/groups',
+			'/etc/dacs/federations/debian.org/DEBIAN/groups/DACS'
+		]:
+		ensure  => directory,
+		owner   => root,
+		group   => www-data,
+		mode    => '0750',
+		require => Package['libapache2-mod-dacs'],
+		purge   => true
+	}
+	file { '/etc/dacs/federations/site.conf':
+		source  => 'puppet:///modules/dacs/common/site.conf',
+		mode    => '0640',
+		owner   => root,
+		group   => www-data
+	}
+	file { '/etc/dacs/federations/debian.org/DEBIAN/dacs.conf':
+		source => 'puppet:///modules/dacs/common/dacs.conf',
+		mode    => '0640',
+		owner   => root,
+		group   => www-data
+	}
+	file { '/etc/dacs/federations/debian.org/DEBIAN/acls/revocations':
+		source  => 'puppet:///modules/dacs/common/revocations',
+		mode    => '0640',
+		owner   => root,
+		group   => www-data
+	}
+	file { '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp':
+		source  => 'puppet:///modules/dacs/common/jurisdictions.grp',
+		mode    => '0640',
+		owner   => root,
+		group   => www-data
+	}
+	file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0':
+		source  => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0',
+			'puppet:///modules/dacs/common/acl-noauth.0' ],
+		mode    => '0640',
+		owner   => root,
+		group   => www-data,
+		notify  => Exec['dacsacl']
+	}
+	file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0':
+		source  => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-private.0',
+			'puppet:///modules/dacs/common/acl-private.0' ],
+		mode    => '0640',
+		owner   => root,
+		group   => www-data,
+		notify  => Exec['dacsacl']
+	}
+	file { '/etc/dacs/federations/debian.org/federation_keyfile':
+		source  => 'puppet:///modules/dacs/private/debian.org_federation_keyfile',
+		mode    => '0640',
+		owner   => root,
+		group   => www-data
+	}
+	file { '/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile':
+		source  => 'puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile',
+		mode    => '0640',
+		owner   => root,
+		group   => www-data
+	}
+
+	exec { 'dacsacl':
+		command     => 'dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX',
+		refreshonly => true,
+	}
 
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
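Review bot: The per-host `source` entries for `acl-noauth.0` and `acl-private.0` were switched to single quotes, so `$fqdn` is no longer interpolated and the first path is the literal `per-host/$fqdn/...`. That path will never match, so every host silently receives the common ACL files even where a per-host access-control override exists. Keep double quotes on those two entries, e.g. `"puppet:///modules/dacs/per-host/${::fqdn}/acl-private.0"`. The rewrite also drops `require => Package['libapache2-mod-dacs']` from all the plain-file resources and the per-host sources for `site.conf`, `dacs.conf`, `revocations` and `jurisdictions.grp`. If that is deliberate it deserves a line in the commit message, since it changes behaviour rather than style.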
diff --git a/modules/apt-keys/files/backports.org.asc b/modules/debian-org/files/backports.org.asc
similarity index 100%
rename from modules/apt-keys/files/backports.org.asc
rename to modules/debian-org/files/backports.org.asc
diff --git a/modules/apt-keys/files/db.debian.org.asc b/modules/debian-org/files/db.debian.org.asc
similarity index 100%
rename from modules/apt-keys/files/db.debian.org.asc
rename to modules/debian-org/files/db.debian.org.asc
diff --git a/modules/debian-org/lib/facter/ipaddresses.rb b/modules/debian-org/lib/facter/ipaddresses.rb
index 80b59bd3..0832063d 100644
--- a/modules/debian-org/lib/facter/ipaddresses.rb
+++ b/modules/debian-org/lib/facter/ipaddresses.rb
@@ -12,7 +12,7 @@ Facter.add("v4ips") do
 	end
 	ret = addrs.join(",")
 	if ret.empty?
-		ret = 'no'
+		ret = ''
 	end
 	setcode do
 		ret
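Review bot: With the sentinel changed from `'no'` to `''`, the `if ret.empty?` block assigns an empty string to a string that is already empty, so it is dead code here and in the other two hunks of this file; `ret = addrs.join(",")` alone is equivalent. The value change is also behavioural rather than stylistic. Any manifest or template that still compares `v4ips` or `v6ips` against `'no'` will now take the other branch, and Facter versions that discard empty-string results would leave the fact undefined instead of empty. It would help to confirm that the consumers (ferm and address templates, not visible in this part of the diff) were updated in the same commit, and to add a comment such as `# empty string means no address of this family`. The enclosing `Facter.add` blocks start and end outside these hunks.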
@@ -37,7 +37,7 @@ Facter.add("v4ips") do
 
 		ret = addrs.join(",")
 		if ret.empty?
-			ret = 'no'
+			ret = ''
 		end
 		ret
 	end
@@ -57,7 +57,7 @@ Facter.add("v6ips") do
 	end
 	ret = addrs.join(",")
 	if ret.empty?
-		ret = 'no'
+		ret = ''
 	end
 	setcode do
 		ret
diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index 7d4bf5c3..30998c35 100644
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -1,220 +1,168 @@
-define sysctl($key, $value, $ensure=present) {
-    file {
-        "/etc/sysctl.d/$name.conf":
-            ensure  => $ensure,
-            owner   => root,
-            group   => root,
-            mode    => 0644,
-            content => "$key = $value\n",
-            notify  => Exec["procps restart"],
-    }
-}
+class debian-org {
 
-define set_alternatives($linkto) {
-    exec {
-        "/usr/sbin/update-alternatives --set $name $linkto":
-            unless => "/bin/sh -c '! [ -e $linkto ] || ! [ -e /etc/alternatives/$name ] || ([ -L /etc/alternatives/$name ] && [ /etc/alternatives/$name -ef $linkto ])'"
-        }
-}
+	$debianadmin = [
+		'debian-archive-debian-samhain-reports@master.debian.org',
+		'debian-admin@ftbfs.de',
+		'weasel@debian.org',
+		'steve@lobefin.net',
+		'paravoid@debian.org'
+	]
 
-define linux_module ($ensure) {
-    case $ensure {
-        present: {
-            exec { "append_module_${name}":
-                command => "echo '${name}' >> /etc/modules",
-                unless => "grep -q -F -x '${name}' /etc/modules",
-            }
-        }
-        absent: {
-            exec { "remove_module_${name}":
-                command => "sed -i -e'/^${name}\$/d' /etc/modules",
-                onlyif => "grep -q -F -x '${name}' /etc/modules",
-            }
-        }
-        default: {
-             err("invalid ensure value ${ensure}")
-         }
-    }
-}
+	package { [
+			'apt-utils',
+			'bash-completion',
+			'debian.org',
+			'dnsutils',
+			'dsa-munin-plugins',
+			'klogd',
+			'less',
+			'lsb-release',
+			'libfilesystem-ruby1.8',
+			'molly-guard',
+			'mtr-tiny',
+			'nload',
+			'pciutils',
+			'rsyslog',
+			'sysklogd',
+		]:
+			ensure => installed,
+	}
 
+	munin::check { [
+			'cpu',
+			'entropy',
+			'forks',
+			'interrupts',
+			'iostat',
+			'irqstats',
+			'load',
+			'memory',
+			'ntp_offset',
+			'ntp_states',
+			'open_files',
+			'open_inodes',
+			'processes',
+			'swap',
+			'uptime',
+			'vmstat',
+		]:
+	}
 
-class debian-org {
-    $debianadmin = [ "debian-archive-debian-samhain-reports@master.debian.org", "debian-admin@ftbfs.de", "weasel@debian.org", "steve@lobefin.net", "paravoid@debian.org" ]
-    package {
-        "apt-utils": ensure => installed;
-        "bash-completion": ensure => installed;
-        "debian.org": ensure => installed;
-        "dnsutils": ensure => installed;
-        "dsa-munin-plugins": ensure => installed;
-        "klogd": ensure => purged;
-        "less": ensure => installed;
-        "lsb-release": ensure => installed;
-        "libfilesystem-ruby1.8": ensure => installed;
-        "molly-guard": ensure => installed;
-        "mtr-tiny": ensure => installed;
-        "nload": ensure => installed;
-        "pciutils": ensure => installed;
-        "rsyslog": ensure => purged;
-        "sysklogd": ensure => purged;
-    }
-    case getfromhash($nodeinfo, 'broken-rtc') {
-        true: {
-            package {
-                fake-hwclock: ensure => installed;
-            }
-        }
-    }
-    case $debarchitecture {
-        "armhf": {}
-        default: {
-            file {
-                "/etc/apt/sources.list.d/security.list":
-                    content => template("debian-org/etc/apt/sources.list.d/security.list.erb"),
-                    notify  => Exec["apt-get update"];
-                "/etc/apt/sources.list.d/backports.org.list":
-                    content => template("debian-org/etc/apt/sources.list.d/backports.org.list.erb"),
-                    notify  => Exec["apt-get update"];
-                "/etc/apt/sources.list.d/volatile.list":
-                    content => template("debian-org/etc/apt/sources.list.d/volatile.list.erb"),
-                    notify  => Exec["apt-get update"];
-            }
-        }
-    }
-    file {
-        "/etc/apt/preferences":
-            source => "puppet:///modules/debian-org/apt.preferences";
-        "/etc/apt/sources.list.d/debian.org.list":
-            content => template("debian-org/etc/apt/sources.list.d/debian.org.list.erb"),
-            notify  => Exec["apt-get update"];
-        "/etc/apt/apt.conf.d/local-compression":
-            source => "puppet:///modules/debian-org/apt.conf.d/local-compression";
-        "/etc/apt/apt.conf.d/local-recommends":
-            source => "puppet:///modules/debian-org/apt.conf.d/local-recommends";
-        "/etc/apt/apt.conf.d/local-pdiffs":
-            source => "puppet:///modules/debian-org/apt.conf.d/local-pdiffs";
-        "/etc/timezone":
-            source => "puppet:///modules/debian-org/timezone",
-            notify => Exec["dpkg-reconfigure tzdata -pcritical -fnoninteractive"];
-        "/etc/puppet/puppet.conf":
-            # require => Package["puppet"],
-            source => "puppet:///modules/debian-org/puppet.conf"
-            ;
-        "/etc/default/puppet":
-            # require => Package["puppet"],
-            source => "puppet:///modules/debian-org/puppet.default"
-            ;
+	if getfromhash($site::nodeinfo, 'broken-rtc') {
+		package { 'fake-hwclock':
+			ensure => installed
+		}
+	}
 
-        "/etc/cron.d/dsa-puppet-stuff":
-            source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron",
-            require => Package["debian.org"]
-            ;
-        "/etc/ldap/ldap.conf":
-            require => Package["debian.org"],
-            source => "puppet:///modules/debian-org/ldap.conf",
-            ;
-        "/etc/pam.d/common-session":
-            require => Package["debian.org"],
-            content => template("debian-org/pam.common-session.erb"),
-            ;
-        "/etc/rc.local":
-            mode   => 0755,
-            source => "puppet:///modules/debian-org/rc.local",
-            notify => Exec["rc.local start"],
-            ;
-        "/etc/molly-guard/run.d/15-acquire-reboot-lock":
-            mode   => 0755,
-            source => "puppet:///modules/debian-org/molly-guard-acquire-reboot-lock",
-            require => Package["molly-guard"],
-            ;
+	# This really means 'not wheezy'
 
-        "/etc/dsa":
-            mode   => 0755,
-            ensure  => directory,
-            ;
-        "/etc/dsa/cron.ignore.dsa-puppet-stuff":
-            source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore",
-            require => Package["debian.org"]
-            ;
-    }
-   
-    # set mmap_min_addr to 4096 to mitigate
-    # Linux NULL-pointer dereference exploits
-    sysctl {
-        "mmap_min_addr" :
-            key         => "vm.mmap_min_addr",
-            value       => 4096,
-    }
-   
-    set_alternatives {
-        "editor":
-            linkto => "/usr/bin/vim.basic",
-    }
-   
-    mailalias {
-        "samhain-reports":
-            recipient => $debianadmin,
-            ensure => present;
-    }
+	if $::debarchitecture != 'armhf' {
+		site::aptrepo { 'security':
+			template => 'debian-org/etc/apt/sources.list.d/security.list.erb',
+		}
+		site::aptrepo { 'backports.org':
+			template => 'debian-org/etc/apt/sources.list.d/backports.org.list.erb',
+			key      => 'puppet:///modules/debian-org/backports.org.asc',
+		}
+		site::aptrepo { 'volatile':
+			template => 'debian-org/etc/apt/sources.list.d/volatile.list.erb',
+		}
+	}
 
-    exec {
-        "dpkg-reconfigure tzdata -pcritical -fnoninteractive":
-            path        => "/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-        "apt-get update":
-            command => 'apt-get update',
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-        "puppetmaster restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-        "rc.local start":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-        "procps restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-        "init q":
-            refreshonly => true;
-    }
-}
+	site::aptrepo { 'debian.org':
+		template => 'debian-org/etc/apt/sources.list.d/debian.org.list.erb',
+		key      => 'puppet:///modules/debian-org/db.debian.org.asc',
+	}
 
-class debian-proliant inherits debian-org {
-    package {
-        "hpacucli": ensure => installed;
-        "hp-health": ensure => installed;
-        "arrayprobe": ensure => installed;
-    }
-    case $lsbdistcodename {
-        'lenny':    {
-            package {
-                "cpqarrayd": ensure => installed;
-            }
-        }
-    }
-    case $debarchitecture {
-        "amd64": {
-            package { "lib32gcc1": ensure => installed; }
-        }
-    }
-    file {
-        "/etc/apt/sources.list.d/debian.restricted.list":
-            content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"),
-            notify  => Exec["apt-get update"];
-    }
-}
+	file { '/etc/apt/preferences':
+		source => 'puppet:///modules/debian-org/apt.preferences',
+	}
+	file { '/etc/apt/trusted-keys.d/':
+		ensure => directory,
+		purge  => true,
+	}
+	file { '/etc/apt/apt.conf.d/local-compression':
+		source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
+	}
+	file { '/etc/apt/apt.conf.d/local-recommends':
+		source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
+	}
+	file { '/etc/apt/apt.conf.d/local-pdiffs':
+		source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
+	}
+	file { '/etc/timezone':
+		source => 'puppet:///modules/debian-org/timezone',
+		notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
+	}
+	file { '/etc/puppet/puppet.conf':
+		source => 'puppet:///modules/debian-org/puppet.conf',
+	}
+	file { '/etc/default/puppet':
+		source => 'puppet:///modules/debian-org/puppet.default',
+	}
+	file { '/etc/cron.d/dsa-puppet-stuff':
+		source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron',
+		require => Package['debian.org'],
+	}
+	file { '/etc/ldap/ldap.conf':
+		require => Package['debian.org'],
+		source => 'puppet:///modules/debian-org/ldap.conf',
+	}
+	file { '/etc/pam.d/common-session':
+		require => Package['debian.org'],
+		content => template('debian-org/pam.common-session.erb'),
+	}
+	file { '/etc/rc.local':
+		mode   => '0755',
+		source => 'puppet:///modules/debian-org/rc.local',
+		notify => Exec['rc.local start'],
+	}
+	file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
+		mode    => '0755',
+		source  => 'puppet:///modules/debian-org/molly-guard-acquire-reboot-lock',
+		require => Package['molly-guard'],
+	}
+	file { '/etc/dsa':
+		ensure => directory,
+		mode   => '0755',
+	}
+	file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
+		source  => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
+		require => Package['debian.org']
+	}
+
+  # set mmap_min_addr to 4096 to mitigate
+  # Linux NULL-pointer dereference exploits
+	site::sysctl { 'mmap_min_addr':
+		key   => 'vm.mmap_min_addr',
+		value => '4096',
+	}
+	site::alternative { 'editor':
+		linkto => '/usr/bin/vim.basic',
+	}
+	mailalias { 'samhain-reports':
+		ensure => present,
+		recipient => $debianadmin,
+	}
+
+	exec { 'apt-get update':
+		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
+		refreshonly => true,
+	}-> Package <| |>
 
-class debian-radvd inherits debian-org {
-    sysctl {
-        "dsa-accept-ra-default" :
-            key         => "net.ipv6.conf.default.accept_ra",
-            value       => 0,
-    }
-    sysctl {
-        "dsa-accept-ra-all" :
-            key         => "net.ipv6.conf.all.accept_ra",
-            value       => 0,
-    }
+	exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
+		path        => '/usr/bin:/usr/sbin:/bin:/sbin',
+		refreshonly => true
+	}
+	exec { 'puppetmaster restart':
+		path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+		refreshonly => true
+	}
+	exec { 'rc.local start':
+		path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+		refreshonly => true
+	}
+	exec { 'init q':
+		refreshonly => true
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
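Review bot: The new package list at the top of class debian-org gives 'klogd', 'rsyslog' and 'sysklogd' `ensure => installed`, where the removed code had all three as `ensure => purged`. In a style-only commit this looks like an accidental behaviour change, and it asks for syslog daemons that normally conflict with each other. Keep them in their own resource: `package { ['klogd', 'rsyslog', 'sysklogd']: ensure => purged }`. Further down, `file { '/etc/apt/trusted-keys.d/': ... purge => true }` has no `recurse => true`, and Puppet only purges unmanaged files when recursing, so stale key files in that directory would not be removed as written.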
diff --git a/modules/debian-org/manifests/proliant.pp b/modules/debian-org/manifests/proliant.pp
new file mode 100644
index 00000000..04b9cdd3
--- /dev/null
+++ b/modules/debian-org/manifests/proliant.pp
@@ -0,0 +1,30 @@
+class debian-org::proliant {
+
+	site::aptrepo { 'debian.restricted':
+		template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb',
+	}
+
+	package { 'hpacucli':
+		ensure => installed,
+	}
+	package { 'hp-health':
+		ensure => installed,
+	}
+	package { 'arrayprobe':
+		ensure => installed,
+	}
+
+	if $::lsbdistcodename == 'lenny' {
+		package { 'cpqarrayd':
+			ensure => installed,
+		}
+	}
+
+	if $::debarchitecture == 'amd64' {
+		package { 'lib32gcc1':
+			ensure => installed,
+		}
+	}
+}
+
+
diff --git a/modules/debian-org/manifests/radvd.pp b/modules/debian-org/manifests/radvd.pp
new file mode 100644
index 00000000..b9eeb808
--- /dev/null
+++ b/modules/debian-org/manifests/radvd.pp
@@ -0,0 +1,10 @@
+class debian-org::radvd {
+	site::sysctl { 'dsa-accept-ra-default':
+		key   => 'net.ipv6.conf.default.accept_ra',
+		value => 0,
+	}
+	site::sysctl { 'dsa-accept-ra-all':
+		key   => 'net.ipv6.conf.all.accept_ra',
+		value => 0,
+	}
+}
diff --git a/modules/entropykey/manifests/init.pp b/modules/entropykey/manifests/init.pp
index 8f91cf55..6d327fc6 100644
--- a/modules/entropykey/manifests/init.pp
+++ b/modules/entropykey/manifests/init.pp
@@ -1,86 +1,18 @@
-class entropykey::provider {
-    package {
-        "ekeyd": ensure => installed;
-    }
-
-    file {
-        "/etc/entropykey/ekeyd.conf":
-            source => "puppet:///modules/entropykey/ekeyd.conf",
-            notify  => Exec['restart_ekeyd'],
-            require => [ Package['ekeyd'] ],
-            ;
-        # our CRL expires after a while (2 or 4 weeks?), so we have
-        # to restart stunnel so it loads the new CRL.
-        "/etc/cron.weekly/stunnel-ekey-restart":
-            content =>  "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n",
-            mode => "555",
-            ;
-    }
-
-    exec {
-        "restart_ekeyd":
-                command => "true && cd / && env -i /etc/init.d/ekeyd restart",
-                require => [ File['/etc/entropykey/ekeyd.conf'] ],
-                refreshonly => true,
-                ;
-    }
-
-    include "stunnel4"
-    stunnel4::stunnel_server {
-        "ekeyd":
-            accept => 18888,
-            connect => "127.0.0.1:8888",
-            ;
-    }
-}
-
-class entropykey::local_consumer {
-    package {
-        "ekeyd-egd-linux": ensure => installed;
-    }
-
-    file {
-        "/etc/default/ekeyd-egd-linux":
-            source => "puppet:///modules/entropykey/ekeyd-egd-linux",
-            notify  => Exec['restart_ekeyd-egd-linux'],
-            require => [ Package['ekeyd-egd-linux'] ],
-        ;
-    }
-
-    exec {
-        "restart_ekeyd-egd-linux":
-                command => "true && cd / && env -i /etc/init.d/ekeyd-egd-linux restart",
-                require => [ File['/etc/default/ekeyd-egd-linux'] ],
-                refreshonly => true,
-                ;
-    }
-}
-
-class entropykey::remote_consumer inherits entropykey::local_consumer {
-    include "stunnel4"
-    stunnel4::stunnel_client {
-        "ekeyd":
-            accept => "127.0.0.1:8888",
-            connecthost => "${entropy_provider}",
-            connectport => 18888,
-            ;
-    }
-}
-
 class entropykey {
-    case getfromhash($nodeinfo, 'entropy_key') {
-        true:  { include entropykey::provider }
-    }
 
-    $entropy_provider  = entropy_provider($fqdn, $nodeinfo)
-    case $entropy_provider {
-        false: {}
-        local: { include entropykey::local_consumer }
-        default: { include entropykey::remote_consumer }
-    }
+	if getfromhash($site::nodeinfo, 'entropy_key') {
+		include entropykey::provider
+	}
+
+	$entropy_provider  = entropy_provider($::fqdn, $site::nodeinfo)
+	case $entropy_provider {
+		false:   {}
+		local:   { include entropykey::local_consumer }
+		default: {
+			class { 'entropykey::remote_consumer':
+				entropy_provider => $entropy_provider,
+			}
+		}
+	}
 
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
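Review bot: `if getfromhash($site::nodeinfo, 'entropy_key')` is not equivalent to the removed `case ... { true: ... }`: the case matched only the value true, while `if` accepts any truthy value, which in Puppet includes every non-empty string. getfromhash is defined outside this diff, so whether it can return a string such as 'false' is not visible here; if it can, entropykey::provider would now be included on hosts where it was not before. An explicit comparison keeps the old meaning: `if getfromhash($site::nodeinfo, 'entropy_key') == true {`. The same pattern appears for 'broken-rtc' in modules/debian-org/manifests/init.pp.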
diff --git a/modules/entropykey/manifests/local_consumer.pp b/modules/entropykey/manifests/local_consumer.pp
new file mode 100644
index 00000000..ecfe24c2
--- /dev/null
+++ b/modules/entropykey/manifests/local_consumer.pp
@@ -0,0 +1,14 @@
+class entropykey::local_consumer {
+
+	package { 'ekeyd-egd-linux': ensure => installed }
+
+	file { '/etc/default/ekeyd-egd-linux':
+		source  => 'puppet:///modules/entropykey/ekeyd-egd-linux',
+		notify  => Service['ekeyd-egd-linux'],
+		require => Package['ekeyd-egd-linux'],
+	}
+
+	service { 'ekeyd-egd-linux':
+		require => File['/etc/default/ekeyd-egd-linux'],
+	}
+}
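Review bot: `service { 'ekeyd-egd-linux': ... }` declares no `ensure`, unlike `service { 'ekeyd': ensure => running, ... }` in provider.pp, so Puppet will refresh the daemon on a config change but will not start it if it is found stopped. Adding `ensure => running,` would make the two classes consistent. The exec this replaces (removed from init.pp) restarted the init script via `cd / && env -i`, i.e. with a scrubbed environment; a plain service resource does not do that, which deserves a comment if the clean environment mattered.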
diff --git a/modules/entropykey/manifests/provider.pp b/modules/entropykey/manifests/provider.pp
new file mode 100644
index 00000000..99148102
--- /dev/null
+++ b/modules/entropykey/manifests/provider.pp
@@ -0,0 +1,27 @@
+class entropykey::provider {
+
+	package { 'ekeyd': ensure => installed }
+
+	file { '/etc/entropykey/ekeyd.conf':
+		source  => 'puppet:///modules/entropykey/ekeyd.conf',
+		notify  => Service['ekeyd'],
+		require => Package['ekeyd'],
+	}
+
+	# our CRL expires after a while (2 or 4 weeks?), so we have
+	# to restart stunnel so it loads the new CRL.
+	file { '/etc/cron.weekly/stunnel-ekey-restart':
+		content => '#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n',
+		mode    => '0555',
+	}
+
+	service { 'ekeyd':
+		ensure  => running,
+		require => File['/etc/entropykey/ekeyd.conf'],
+	}
+
+	stunnel4::stunnel_server { 'ekeyd':
+		accept  => 18888,
+		connect => '127.0.0.1:8888',
+	}
+}
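Review bot: The `content` of '/etc/cron.weekly/stunnel-ekey-restart' is now a single-quoted string, and Puppet does not expand `\n` inside single quotes, so the file would be written as one line containing literal backslash-n sequences rather than a three-line shell script. The weekly stunnel restart that the comment above describes as necessary for loading the new CRL would then not run as intended. Keep this one string double-quoted: `content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n",`.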
diff --git a/modules/entropykey/manifests/remote_consumer.pp b/modules/entropykey/manifests/remote_consumer.pp
new file mode 100644
index 00000000..20d14774
--- /dev/null
+++ b/modules/entropykey/manifests/remote_consumer.pp
@@ -0,0 +1,8 @@
+class entropykey::remote_consumer ($entropy_provider) inherits entropykey::local_consumer {
+
+	stunnel4::stunnel_client { 'ekeyd':
+		accept 			=> '127.0.0.1:8888',
+		connecthost => $entropy_provider,
+		connectport => 18888,
+	}
+}
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index a448d2ae..e18f0aab 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
@@ -1,190 +1,148 @@
 class exim {
-    activate_munin_check {
-            "ps_exim4": script => "ps_";
-            "exim_mailqueue":;
-            "exim_mailstats":;
-            "postfix_mailqueue":  ensure => absent;
-            "postfix_mailstats":  ensure => absent;
-            "postfix_mailvolume": ensure => absent;
-    }
 
+	munin::check { 'ps_exim4': script => 'ps_' }
+	munin::check { 'exim_mailqueue': }
+	munin::check { 'exim_mailstats': }
 
-    package { exim4-daemon-heavy: ensure => installed }
+	munin::check { 'postfix_mailqueue':  ensure => absent }
+	munin::check { 'postfix_mailstats':  ensure => absent }
+	munin::check { 'postfix_mailvolume': ensure => absent }
 
-    file {
-        "/etc/exim4/":
-          ensure  => directory,
-          owner   => root,
-          group   => root,
-          mode    => 755,
-          purge   => true
-        ;
-        "/etc/exim4/Git":
-          ensure  => directory,
-          purge   => true,
-          force   => true,
-          recurse => true,
-          source  => "puppet:///files/empty/"
-        ;
-        "/etc/exim4/conf.d":
-          ensure  => directory,
-          purge   => true,
-          force   => true,
-          recurse => true,
-          source  => "puppet:///files/empty/"
-        ;
-        "/etc/exim4/ssl":
-          ensure  => directory,
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 750,
-          require => Package["exim4-daemon-heavy"],
-          purge   => true
-        ;
-        "/etc/mailname":
-          content => template("exim/mailname.erb"),
-        ;
-        "/etc/exim4/exim4.conf":
-          content => template("exim/eximconf.erb"),
-          require => Package["exim4-daemon-heavy"],
-          notify  => Exec["exim4 reload"]
-        ;
-        "/etc/exim4/manualroute":
-          require => Package["exim4-daemon-heavy"],
-          content => template("exim/manualroute.erb")
-          ;
-        "/etc/exim4/host_blacklist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/host_blacklist",
-                       "puppet:///modules/exim/common/host_blacklist" ]
-          ;
-        "/etc/exim4/blacklist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/blacklist",
-                       "puppet:///modules/exim/common/blacklist" ]
-          ;
-        "/etc/exim4/callout_users":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/callout_users",
-                       "puppet:///modules/exim/common/callout_users" ]
-          ;
-        "/etc/exim4/grey_users":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/grey_users",
-                       "puppet:///modules/exim/common/grey_users" ]
-          ;
-        "/etc/exim4/helo-check":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/helo-check",
-                       "puppet:///modules/exim/common/helo-check" ]
-          ;
-        "/etc/exim4/locals":
-          require => Package["exim4-daemon-heavy"],
-          content => template("exim/locals.erb")
-          ;
-        "/etc/exim4/localusers":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/localusers",
-                       "puppet:///modules/exim/common/localusers" ]
-          ;
-        "/etc/exim4/rbllist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/rbllist",
-                       "puppet:///modules/exim/common/rbllist" ]
-          ;
-        "/etc/exim4/rhsbllist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/rhsbllist",
-                       "puppet:///modules/exim/common/rhsbllist" ]
-          ;
-        "/etc/exim4/virtualdomains":
-          require => Package["exim4-daemon-heavy"],
-          content => template("exim/virtualdomains.erb")
-          ;
-        "/etc/exim4/whitelist":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/whitelist",
-                       "puppet:///modules/exim/common/whitelist" ]
-          ;
-        "/etc/exim4/submission-domains":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/submission-domains",
-                       "puppet:///modules/exim/common/submission-domains" ]
-          ;
-        "/etc/logrotate.d/exim4-base":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-base",
-                       "puppet:///modules/exim/common/logrotate-exim4-base" ]
-          ;
-        "/etc/logrotate.d/exim4-paniclog":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-paniclog",
-                       "puppet:///modules/exim/common/logrotate-exim4-paniclog" ]
-          ;
-        "/etc/exim4/ssl/thishost.crt":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///modules/exim/certs/$fqdn.crt",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/etc/exim4/ssl/thishost.key":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///modules/exim/certs/$fqdn.key",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/etc/exim4/ssl/ca.crt":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///modules/exim/certs/ca.crt",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/etc/exim4/ssl/ca.crl":
-          require => Package["exim4-daemon-heavy"],
-          source  => "puppet:///modules/exim/certs/ca.crl",
-          owner   => root,
-          group   => Debian-exim,
-          mode    => 640
-          ;
-        "/var/log/exim4":
-          mode    => 2750,
-          ensure  => directory,
-          owner   => Debian-exim,
-          group   => maillog
-          ;
-    }
+	package { 'exim4-daemon-heavy': ensure => installed }
 
-    exec { "exim4 reload":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
+	service { 'exim4':
+		ensure  => running,
+		require => File['/etc/exim4/exim4.conf'],
+	}
 
-    case getfromhash($nodeinfo, 'mail_port') {
-      /^(\d+)$/: { $mail_port = $1 }
-      default: { $mail_port = 'smtp' }
-    }
+	file { '/etc/exim4/':
+		ensure  => directory,
+		mode    => '0755',
+		require => Package['exim4-daemon-heavy'],
+		purge   => true,
+	}
+	file { '/etc/exim4/Git':
+		ensure  => directory,
+		purge   => true,
+		force   => true,
+		recurse => true,
+		source  => 'puppet:///files/empty/',
+	}
+	file { '/etc/exim4/conf.d':
+		ensure  => directory,
+		purge   => true,
+		force   => true,
+		recurse => true,
+		source  => 'puppet:///files/empty/',
+	}
+	file { '/etc/exim4/ssl':
+		ensure  => directory,
+		group   => Debian-exim,
+		mode    => '0750',
+		purge   => true,
+	}
+	file { '/etc/exim4/exim4.conf':
+		content => template('exim/eximconf.erb'),
+		notify  => Service['exim4'],
+	}
+	file { '/etc/mailname':
+		content => template('exim/mailname.erb'),
+	}
+	file { '/etc/exim4/manualroute':
+		content => template('exim/manualroute.erb')
+	}
+	file { '/etc/exim4/locals':
+		content => template('exim/locals.erb')
+	}
+	file { '/etc/exim4/virtualdomains':
+		content => template('exim/virtualdomains.erb'),
+	}
+	file { '/etc/exim4/submission-domains':
+		content => template('exim/common/submission-domains.erb'),
+	}
+	file { '/etc/exim4/host_blacklist':
+		source => 'puppet:///modules/exim/common/host_blacklist',
+	}
+	file { '/etc/exim4/blacklist':
+		source => 'puppet:///modules/exim/common/blacklist',
+	}
+	file { '/etc/exim4/callout_users':
+		source => 'puppet:///modules/exim/common/callout_users',
+	}
+	file { '/etc/exim4/grey_users':
+		source => 'puppet:///modules/exim/common/grey_users',
+	}
+	file { '/etc/exim4/helo-check':
+		source => 'puppet:///modules/exim/common/helo-check',
+	}
+	file { '/etc/exim4/localusers':
+		source => 'puppet:///modules/exim/common/localusers',
+	}
+	file { '/etc/exim4/rbllist':
+		source => 'puppet:///modules/exim/common/rbllist',
+	}
+	file { '/etc/exim4/rhsbllist':
+		source => 'puppet:///modules/exim/common/rhsbllist',
+	}
+	file { '/etc/exim4/whitelist':
+		source => 'puppet:///modules/exim/common/whitelist',
+	}
+	file { '/etc/logrotate.d/exim4-base':
+		source => 'puppet:///modules/exim/common/logrotate-exim4-base',
+	}
+	file { '/etc/logrotate.d/exim4-paniclog':
+		source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
+	}
+	file { '/etc/exim4/ssl/thishost.crt':
+		source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
+		group   => Debian-exim,
+		mode    => '0640',
+	}
+	file { '/etc/exim4/ssl/thishost.key':
+		source  => "puppet:///modules/exim/certs/${::fqdn}.key",
+		group   => Debian-exim,
+		mode    => '0640',
+	}
+	file { '/etc/exim4/ssl/ca.crt':
+		source  => 'puppet:///modules/exim/certs/ca.crt',
+		group   => Debian-exim,
+		mode    => '0640',
+	}
+	file { '/etc/exim4/ssl/ca.crl':
+		source  => 'puppet:///modules/exim/certs/ca.crl',
+		group   => Debian-exim,
+		mode    => '0640',
+	}
+	file { '/var/log/exim4':
+		ensure  => directory,
+		mode    => '2750',
+		owner   => Debian-exim,
+		group   => maillog,
+	}
+
+	case getfromhash($site::nodeinfo, 'mail_port') {
+		/^(\d+)$/: { $mail_port = $1 }
+		default: { $mail_port = 'smtp' }
+	}
+
+	@ferm::rule { 'dsa-exim':
+		description => 'Allow SMTP',
+		rule        => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)'
+	}
+
+	@ferm::rule { 'dsa-exim-v6':
+		description => 'Allow SMTP',
+		domain      => 'ip6',
+		rule        => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)'
+	}
+
+	# Do we actually want this?  I'm only doing it because it's harmless
+  # and makes the logs quiet.  There are better ways of making logs quiet,
+  # though.
+	@ferm::rule { 'dsa-ident':
+		domain      => '(ip ip6)',
+		description => 'Allow ident access',
+		rule        => '&SERVICE(tcp, 113)'
+	}
 
-    @ferm::rule { "dsa-exim":
-            description     => "Allow SMTP",
-            rule            => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
-    }
-    @ferm::rule { "dsa-exim-v6":
-            description     => "Allow SMTP",
-            domain          => "ip6",
-            rule            => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
-    }
-    # Do we actually want this?  I'm only doing it because it's harmless
-    # and makes the logs quiet.  There are better ways of making logs quiet,
-    # though.
-    @ferm::rule { "dsa-ident":
-            domain          => "(ip ip6)",
-            description     => "Allow ident access",
-            rule            => "&SERVICE(tcp, 113)"
-    }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
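Review bot: The 'dsa-exim' and 'dsa-exim-v6' `@ferm::rule` resources at the end of class exim now use single-quoted `rule` strings, so `$mail_port` is no longer interpolated and `\$SMTP_SOURCES` keeps its backslash; ferm would receive the literal text `$mail_port` instead of the port chosen by the `case` just above. These strings need double quotes as before, e.g. `rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"`. The submission rules in modules/exim/manifests/mx.pp carry the same `\$` inside single quotes. Separately, '/etc/exim4/ssl/thishost.key' no longer sets `owner => root`; that is only safe if a File default elsewhere supplies it, which this hunk does not show.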
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index 8a81592e..c1b4fdbc 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -1,37 +1,26 @@
 class exim::mx inherits exim {
-    include clamav
-    include postgrey
+	include clamav
+	include postgrey
 
-    file {
-        "/etc/exim4/ccTLD.txt":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/common/ccTLD.txt" ]
-          ;
-        "/etc/exim4/surbl_whitelist.txt":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/common/surbl_whitelist.txt" ]
-          ;
-        "/etc/exim4/exim_surbl.pl":
-          require => Package["exim4-daemon-heavy"],
-          source  => [ "puppet:///modules/exim/common/exim_surbl.pl" ],
-          notify  => Exec["exim4 restart"]
-          ;
-    }
-    exec { "exim4 restart":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
-    @ferm::rule { "dsa-exim-submission":
-            description     => "Allow SMTP",
-            rule            => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"
-    }
-    @ferm::rule { "dsa-exim-v6-submission":
-            description     => "Allow SMTP",
-            domain          => "ip6",
-            rule            => "&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)"
-    }
-}
+	file { '/etc/exim4/ccTLD.txt':
+		source => 'puppet:///modules/exim/common/ccTLD.txt',
+	}
+	file { '/etc/exim4/surbl_whitelist.txt':
+		source => 'puppet:///modules/exim/common/surbl_whitelist.txt',
+	}
+	file { '/etc/exim4/exim_surbl.pl':
+		source  => 'puppet:///modules/exim/common/exim_surbl.pl',
+		notify  => Service['exim4'],
+	}
+
+	@ferm::rule { 'dsa-exim-submission':
+		description => 'Allow SMTP',
+		rule        => '&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)'
+	}
+	@ferm::rule { 'dsa-exim-v6-submission':
+		description => 'Allow SMTP',
+		domain      => 'ip6',
+		rule        => '&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)',
+	}
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+}
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 575ad0c5..9877917b 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -32,7 +32,7 @@
 #           flushing' operations, but should be populated with a list
 #           of trusted machines. Wildcards are not permitted
 #  bsmtp_domains - Domains that we deliver locally via bsmtp
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
 #  mailhubdomains - Domains for which we are the MX, but the mail is relayed
 #           elsewhere.  This is designed for use with small volume or
 #           restricted machines that need to use a smarthost for mail
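Review bot: The `scope.lookupvar('site::nodeinfo')` call introduced on the `mailrelay` test here is repeated in every conditional this commit touches in eximconf.erb (the `heavy_exim`, `rtmaster`, `bugsmx`, `packagesmaster`, `packagesqamaster` and `smarthost` hunks below), and none of them checks what the lookup returned. If `site::nodeinfo` ever fails to resolve to a hash, a plain `['mailrelay']` test may simply evaluate false, and the guarded ACL and router stanzas would then be left out of the rendered config without an error. The exact return value depends on the Puppet version, so this is worth confirming. I would look it up once at the top of the template, which is outside this hunk, and fail the compile if it is not a hash: `<%- nodeinfo = scope.lookupvar('site::nodeinfo'); raise Puppet::ParseError, 'site::nodeinfo is not a hash' unless nodeinfo.is_a?(Hash) -%>`, then keep the short `nodeinfo[...]` form in the conditionals.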
@@ -76,7 +76,7 @@
 #                    MAIN CONFIGURATION SETTINGS                     #
 ######################################################################
 
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
 perl_startup = do '/etc/exim4/exim_surbl.pl'
 <%- end -%>
 
@@ -87,7 +87,7 @@ perl_startup = do '/etc/exim4/exim_surbl.pl'
 acl_smtp_helo = check_helo
 acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}}
 acl_smtp_data = check_message
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
 acl_smtp_mime = acl_check_mime
 <%- end -%>
 acl_smtp_predata = acl_check_predata
@@ -121,9 +121,9 @@ localpartlist postmasterish = postmaster : abuse : hostmaster
 
 hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts ; 89.16.166.49 ; 82.195.75.76 ; 2001:41b8:202:deb:bab5:0:52c3:4b4c
 
-hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %>
+hostlist reservedaddrs = <%= scope.lookupvar('site::nodeinfo')['reservedaddrs'] %>
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
 # Domains we relay for; that is domains that aren't considered local but we 
 # accept mail for them.
 domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
@@ -169,7 +169,7 @@ timeout_frozen_after=14d
 message_size_limit = 100M
 message_logs = false
 smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
 smtp_accept_max = 300
 smtp_accept_queue = 200
 smtp_accept_queue_per_connection = 50
@@ -188,7 +188,7 @@ check_spool_space  = 20M
 
 delay_warning =
 
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
 message_body_visible = 5000
 queue_run_max = 50
 deliver_queue_load_max = 50
@@ -210,16 +210,16 @@ ports = []
 out = "daemon_smtp_ports = "
 ports << 25
 
-if nodeinfo['bugsmaster'] or nodeinfo['bugsmx']
+if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx']
   ports << 587
 end
 
-if not nodeinfo['mail_port'].to_s.empty?
-  ports << nodeinfo['mail_port']
+if not scope.lookupvar('site::nodeinfo')['mail_port'].to_s.empty?
+  ports << scope.lookupvar('site::nodeinfo')['mail_port']
 end
 
-if nodeinfo['mailrelay']
-  ports << nodeinfo['smarthost_port']
+if scope.lookupvar('site::nodeinfo')['mailrelay']
+  ports << scope.lookupvar('site::nodeinfo')['smarthost_port']
 end
 
 out += ports.uniq.sort.join(" : ")
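Review bot: `smarthost_port` is appended to `ports` whenever `mailrelay` is set, without the emptiness test that the `mail_port` branch just above applies. If that key is unset the array holds a nil and `ports.uniq.sort` on the last line of the hunk raises, so the template fails for the relay hosts; a string among integer entries fails the sort the same way. I would guard it like `mail_port`: `ports << scope.lookupvar('site::nodeinfo')['smarthost_port'] unless scope.lookupvar('site::nodeinfo')['smarthost_port'].to_s.empty?`. The enclosing `<%= ... %>` block starts and ends outside the hunk.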
@@ -289,7 +289,7 @@ acl_getprofile:
           hosts          = !+debianhosts
           set acl_m_rprf = localonly
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
   warn    local_parts    = +local_only_users
           domains        = +mailhubdomains
           hosts          = !+debianhosts
@@ -298,28 +298,28 @@ acl_getprofile:
 <%- end -%>
   accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
 
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
   warn    domains        = rt.debian.org
           set acl_m_rprf = RTMail
 
   accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
 
 <%- end -%>
-<%- if nodeinfo['bugsmx'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['bugsmx'] -%>
   warn    domains        = bugs.debian.org
           set acl_m_rprf = BugsMail
 
   accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
 
 <%- end -%>
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
   warn    domains        = packages.debian.org
           set acl_m_rprf = PackagesMail
 
   accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
 
 <%- end -%>
-<%- if nodeinfo['packagesqamaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%>
   warn    recipients     = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
           set acl_m_rprf = PTSOwner
 
@@ -391,11 +391,11 @@ check_helo:
 
   warn    set acl_c_scr    = 0
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
   accept  verify   = certificate
 
 <%- end -%>
-<%- if nodeinfo['smarthost'].empty? -%>
+<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
   # These are in HELO acl so that they are only run once.  They increment a counter,
   # so we don't want it to increment per rcpt to.
 
@@ -487,7 +487,7 @@ check_submission:
   # We do this by testing for an empty sending host field.
   accept  hosts = +debianhosts
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
   accept  verify   = certificate
 
 <%- end -%>
@@ -508,7 +508,7 @@ check_submission:
           endpass
 	  verify   = recipient
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
   accept  domains  = +mailhubdomains
           endpass
 	  verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
@@ -523,7 +523,7 @@ check_submission:
 #!!# ACL that is used after the RCPT command
 check_recipient:
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
   accept  verify   = certificate
 
 <%- end -%>
@@ -636,7 +636,7 @@ check_recipient:
   warn    condition     = ${if eq{$acl_m_prf}{localonly}}
           set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
 
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
   warn    condition      = ${if eq {$acl_m_prf}{PackagesMail}}
           condition      = ${if eq {$sender_address}{$local_part@$domain}}
           message        = X-Packages-FromTo-Same: yes
@@ -714,7 +714,7 @@ check_recipient:
          condition      = ${if eq{$acl_m_act}{450}{yes}{no}}
 
 <%- end -%>
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
   warn    condition     = ${if eq{$acl_m_prf}{RTMail}}
           set acl_m12   = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}{match{$local_part}{3520}}{match{$local_part}{3645}}} {RTMailRecipientHasSubaddress}}}}
   # temporary hack because weasel screwed up and gave people an rt-3520@ address, which doesn't really work normally.  and rt-3645
@@ -805,7 +805,7 @@ check_recipient:
          senders       = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
          message       = We have blacklisted <$sender_address>.  Please stop mailing us
 
-<%- if nodeinfo['smarthost'].empty? -%>
+<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
   deny    message  = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
           dnslists = ${if match_domain{$domain}{+virtual_domains}\
 		     {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
@@ -825,7 +825,7 @@ check_recipient:
 	  domains       = +handled_domains
 	  !hosts        = +debianhosts : WHITELIST
 
-<%- if nodeinfo['smarthost'].empty? -%>
+<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
   deny    domains  = +handled_domains
           local_parts = ${if match_domain{$domain}{+virtual_domains}\
                         {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
@@ -836,7 +836,7 @@ check_recipient:
 	  !verify  = sender/callout=90s,maxwait=300s
 
 <%- end -%>
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
   accept  domains  = +mailhubdomains
           endpass
 	  verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
@@ -852,7 +852,7 @@ check_recipient:
 
   deny    message = relay not permitted
 
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
 acl_check_mime:
 
  accept  verify        = certificate
@@ -895,7 +895,7 @@ check_message:
   # header.  Take their crack pipe away.
   drop   condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}}
 
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
   deny    condition = ${if eq {$acl_m_prf}{RTMail}}
           condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
                                {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \
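Review bot: The second `!match` in this `deny` reads `${lc:$rh_Subject:]}` where the line above has `${lc:$rh_Subject:}`; the `]` after the header's terminating colon looks like a typo and is appended to the string being matched. Because the pattern `\N\[rt.debian.org \N` is unanchored the result is probably unchanged, but the two tests should be spelled the same: `{!match {${lc:$rh_Subject:}} {\N\[rt.debian.org \N}} \`. The condition continues past the end of the hunk.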
@@ -903,7 +903,7 @@ check_message:
           message  = messages to the Request Tracker system require a subject tag or a subaddress
 
 <%- end -%>
-<%- if nodeinfo['packagesqamaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%>
   deny    !hosts  = +debianhosts : 217.196.43.134
           condition = ${if eq {$acl_m_prf}{PTSMail}}
           condition = ${if def:h_X-PTS-Approved:{false}{true}}
@@ -961,7 +961,7 @@ check_message:
           message         = X-malware detected: $malware_name
 
 <%- end -%>
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
  discard condition     = ${if <{$message_size}{256000}}
          condition     = ${if eq {$acl_m_prf}{blackhole}}
          set acl_m_srb = ${perl{surblspamcheck}}
@@ -988,7 +988,7 @@ check_message:
           !verify      = header_sender
           message      = No valid sender found in the From:, Sender: and Reply-to: headers
 
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
   deny  message        = Congratulations, you scored $spam_score points.
         log_message    = spam: $spam_score points.
         condition      = ${if eq {$acl_m_prf}{PackagesMail}}
@@ -1036,7 +1036,7 @@ begin routers
 #     An address is passed to each in turn until it is accepted.     #
 ######################################################################
 
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
 relay_manualroute:
   driver = manualroute
   domains = +mailhubdomains
@@ -1067,15 +1067,15 @@ ipliteral:
 
 <%=
 out = ""
-if not nodeinfo['smarthost'].empty?
+if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
 out = '
 smarthost:
   debug_print = "R: smarthost for $local_part@$domain"
   driver = manualroute
   domains = !+handled_domains
   transport = remote_smtp_smarthost
-  route_list = * ' + nodeinfo['smarthost']
-  if nodeinfo['smarthost'] == 'mailout.debian.org'
+  route_list = * ' + scope.lookupvar('site::nodeinfo')['smarthost']
+  if scope.lookupvar('site::nodeinfo')['smarthost'] == 'mailout.debian.org'
     out += '/MX'
   end
   out += '
@@ -1310,7 +1310,7 @@ localuser:
 # Everything before here should apply only to the local domains with a 
 # domains= rule
 
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
 # This router delivers for packages.d.o
 packages:
   debug_print = "R: packages for $local_part@$domain"
@@ -1328,7 +1328,7 @@ packages:
   no_more
 
 <%- end -%>
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
 # This router delivers for rt.d.o
 rt_force_new_verbose:
   debug_print = "R: rt for $local_part+new@$domain"
@@ -1452,9 +1452,9 @@ virt_users:
 
 <%=
 out = ""
-if nodeinfo['bugsmaster'] or nodeinfo['bugsmx']
+if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx']
   domain = 'bugs.debian.org'
-  if nodeinfo['bugsmaster']
+  if scope.lookupvar('site::nodeinfo')['bugsmaster']
     domain = 'bugs-master.debian.org'
   end
   out = '
@@ -1573,17 +1573,17 @@ remote_smtp:
 
 <%=
 out = ""
-if not nodeinfo['smarthost'].empty?
+if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
 out = '
 remote_smtp_smarthost:
   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
   driver = smtp
   delay_after_cutoff = false
   port = '
-  out += nodeinfo['smarthost_port'].to_s + "\n"
+  out += scope.lookupvar('site::nodeinfo')['smarthost_port'].to_s + "\n"
   if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
     out += '  tls_tempfail_tryclear = false
-  hosts_require_tls = ' + nodeinfo['smarthost'] + '
+  hosts_require_tls = ' + scope.lookupvar('site::nodeinfo')['smarthost'] + '
   tls_certificate = /etc/exim4/ssl/thishost.crt
   tls_privatekey = /etc/exim4/ssl/thishost.key
 '
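Review bot: The TLS requirement for the smarthost transport still hangs on the bare `exim_ssl_certs` name (`has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"`), the one variable test in this hunk the commit did not move to `scope.lookupvar`. If that name does not resolve in the template, the branch is skipped and `hosts_require_tls` and `tls_tempfail_tryclear = false` are not written, so mandatory TLS to the smarthost would not be configured by this block; what the other branch emits is outside the hunk. For consistency with the rest of the change I would test `scope.lookupvar('::exim_ssl_certs') == 'true'`, and add a template comment saying that a missing fact disables the TLS requirement.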
@@ -1610,7 +1610,7 @@ bsmtp:
 		     {$value}fail}\
 		   }}
 
-<%- if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] -%>
 bugs_pipe:
   driver = pipe
   command = /org/bugs.debian.org/mail/run-procmail
@@ -1623,7 +1623,7 @@ bugs_pipe:
   user = debbugs
 
 <%- end -%>
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
 rt_pipe:
   debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain"
   driver = pipe
diff --git a/modules/exim/templates/manualroute.erb b/modules/exim/templates/manualroute.erb
index 40062d8d..0e57849a 100644
--- a/modules/exim/templates/manualroute.erb
+++ b/modules/exim/templates/manualroute.erb
@@ -12,20 +12,20 @@ mxmatches = [ fqdn ]
 routes = []
 extraroutes = []
 
-if nodeinfo['mailrelay']
+if scope.lookupvar('site::nodeinfo')['mailrelay']
   mxmatches << 'mailout.debian.org'
   extraroutes = [ "keyring.debian.org:\t\tkaufmann.debian.org" ]
 end
 
 mxregex = Regexp.new('^\d+\s+(.*)\.$')
-allnodeinfo.keys.sort.each do |host|
-  next unless allnodeinfo[host]['mXRecord']
-  allnodeinfo[host]['mXRecord'].each do |mx|
+scope.lookupvar('site::allnodeinfo').keys.sort.each do |host|
+  next unless scope.lookupvar('site::allnodeinfo')[host]['mXRecord']
+  scope.lookupvar('site::allnodeinfo')[host]['mXRecord'].each do |mx|
     mxmatch = mxregex.match(mx)
     if mxmatches.include?(mxmatch[1])
       route = host + ":\t\t" + host
-      if localinfo.has_key?(host) and localinfo[host].has_key?('mail_port') and localinfo[host]['mail_port'].to_s != ''
-        route += "::" + localinfo[host]['mail_port'].to_s
+      if scope.lookupvar('site::localinfo').has_key?(host) and scope.lookupvar('site::localinfo')[host].has_key?('mail_port') and scope.lookupvar('site::localinfo')[host]['mail_port'].to_s != ''
+        route += "::" + scope.lookupvar('site::localinfo')[host]['mail_port'].to_s
       end
       routes << route
     end
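Review bot: `mxregex.match(mx)` returns nil for an MX value that does not have the `<priority> <host>.` shape, and the next line dereferences it as `mxmatch[1]`, so one malformed `mXRecord` entry aborts rendering of the whole route map. A guard right after the match, `next if mxmatch.nil?`, keeps the remaining routes. The rewritten lines also call `scope.lookupvar('site::allnodeinfo')` three times per host and `scope.lookupvar('site::localinfo')` four times per route; assigning each to a local before the loop would make the condition readable again. The `each` blocks close outside the hunk.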
diff --git a/modules/exim/templates/submission-domains.erb b/modules/exim/templates/submission-domains.erb
new file mode 100644
index 00000000..4759822d
--- /dev/null
+++ b/modules/exim/templates/submission-domains.erb
@@ -0,0 +1,8 @@
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+###
+
+<%= if scope.lookupvar('::hostname') == 'busoni' %>
+bugs.debian.org
+<%= end %>
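Review bot: The new template opens and closes its conditional with the output tag, `<%= if ... %>` and `<%= end %>`, which ERB compiles as an expression to print, so the template is expected to fail with a syntax error rather than render. Control flow belongs in non-output tags: `<%- if scope.lookupvar('::hostname') == 'busoni' -%>` and `<%- end -%>`, matching the style used in eximconf.erb. Judging by its name the file feeds the submission ACL, so a header comment naming what reads it would help the next editor.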
diff --git a/modules/ferm/manifests/ftp.pp b/modules/ferm/manifests/ftp.pp
index 7c666a1f..51d79fb8 100644
--- a/modules/ferm/manifests/ftp.pp
+++ b/modules/ferm/manifests/ftp.pp
@@ -1,7 +1,7 @@
 class ferm::ftp {
-    @ferm::rule { "dsa-ftp":
-        domain          => "(ip ip6)",
-        description     => "Allow ftp access",
-        rule            => "&SERVICE(tcp, 21)"
-    }
+	@ferm::rule { 'dsa-ftp':
+		domain      => '(ip ip6)',
+		description => 'Allow ftp access',
+		rule        => '&SERVICE(tcp, 21)',
+	}
 }
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 2850c4a9..4332dad7 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -1,117 +1,77 @@
 class ferm {
-    define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00", $notarule=false) {
-        file {
-            "/etc/ferm/dsa.d/${prio}_${name}":
-                ensure  => present,
-                owner   => root,
-                group   => root,
-                mode    => 0400,
-                content => template("ferm/ferm-rule.erb"),
-                notify  => Exec["ferm restart"],
-        }
-    }
+	# realize (i.e. enable) all @ferm::rule virtual resources
+	Ferm::Rule <| |>
 
-    # realize (i.e. enable) all @ferm::rule virtual resources
-    Ferm::Rule <| |>
+	File { mode => '0400' }
 
-    package {
-            ferm: ensure => installed;
-            ulogd: ensure => installed;
-    }
+	package { 'ferm':
+		ensure => installed
+	}
+	package { 'ulogd':
+		ensure => installed
+	}
 
-    file {
-        "/etc/ferm/dsa.d":
-            ensure => directory,
-            purge   => true,
-            force   => true,
-            recurse => true,
-            source  => "puppet:///files/empty/",
-            notify  => Exec["ferm restart"],
-            require => Package["ferm"];
-        "/etc/ferm":
-            ensure  => directory,
-            mode    => 0755;
-        "/etc/ferm/conf.d":
-            ensure => directory,
-            require => Package["ferm"];
-        "/etc/default/ferm":
-            source  => "puppet:///modules/ferm/ferm.default",
-            require => Package["ferm"],
-            notify  => Exec["ferm restart"];
-        "/etc/ferm/ferm.conf":
-            source  => "puppet:///modules/ferm/ferm.conf",
-            require => Package["ferm"],
-            mode    => 0400,
-            notify  => Exec["ferm restart"];
-        "/etc/ferm/conf.d/me.conf":
-            content => template("ferm/me.conf.erb"),
-            require => Package["ferm"],
-            mode    => 0400,
-            notify  => Exec["ferm restart"];
-        "/etc/ferm/conf.d/defs.conf":
-            content => template("ferm/defs.conf.erb"),
-            require => Package["ferm"],
-            mode    => 0400,
-            notify  => Exec["ferm restart"];
-        "/etc/ferm/conf.d/interfaces.conf":
-            content => template("ferm/interfaces.conf.erb"),
-            require => Package["ferm"],
-            mode    => 0400,
-            notify  => Exec["ferm restart"];
-        "/etc/logrotate.d/ulogd":
-            source => "puppet:///modules/ferm/logrotate-ulogd",
-            require => Package["debian.org"],
-            ;
-    }
+	service { 'ferm':
+		hasstatus   => false,
+		status      => '/bin/true',
+		refreshonly => true,
+	}
 
-    $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
+	$munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
 
-    activate_munin_check {
-        $munin_ips: script => "ip_";
-    }
+	munin::check { $munin_ips: script => 'ip_', }
 
-    define munin_ipv6_plugin() {
-        file {
-            "/etc/munin/plugins/$name":
-                content =>  "#!/bin/bash\n# This file is under puppet control\n. /usr/share/munin/plugins/ip_\n",
-                mode => 555,
-                notify => Exec["munin-node restart"],
-                ;
-        }
-    }
-    case $v6ips {
-        'no': {}
-        default: {
-           $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
-            munin_ipv6_plugin {
-                $munin6_ips: ;
-            }
-           # get rid of old stuff
-           $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
-           activate_munin_check {
-               $munin6_ip6s: ensure => absent;
-           }
-        }
-    }
+	if $v6ips {
+		$munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
+		munin::check { $munin6_ips: script => 'ip_', }
+	}
 
+	# get rid of old stuff
+	$munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
+	munin::check { $munin6_ip6s: ensure => absent }
 
-    case getfromhash($nodeinfo, 'buildd') {
-        true: {
-            file {
-                "/etc/ferm/conf.d/load_ftp_conntrack.conf":
-                    source => "puppet:///modules/ferm/conntrack_ftp.conf",
-                    require => Package["ferm"],
-                    notify  => Exec["ferm restart"];
-            }
-        }
-    }
+	file { '/etc/ferm':
+		ensure  => directory,
+		notify  => Service['ferm'],
+		require => Package['ferm'],
+		mode    => '0755'
+	}
+	file { '/etc/ferm/dsa.d':
+		ensure => directory,
+		purge   => true,
+		force   => true,
+		recurse => true,
+		source  => 'puppet:///files/empty/',
+	}
+	file { '/etc/ferm/conf.d':
+		ensure => directory,
+	}
+	file { '/etc/default/ferm':
+		source  => 'puppet:///modules/ferm/ferm.default',
+		require => Package['ferm'],
+		notify  => Service['ferm'],
+	}
+	file { '/etc/ferm/ferm.conf':
+		source  => 'puppet:///modules/ferm/ferm.conf',
+	}
+	file { '/etc/ferm/conf.d/me.conf':
+		content => template('ferm/me.conf.erb'),
+	}
+	file { '/etc/ferm/conf.d/defs.conf':
+		content => template('ferm/defs.conf.erb'),
+	}
+	file { '/etc/ferm/conf.d/interfaces.conf':
+		content => template('ferm/interfaces.conf.erb'),
+	}
+	file { '/etc/logrotate.d/ulogd':
+		source => 'puppet:///modules/ferm/logrotate-ulogd',
+		require => Package['debian.org'],
+	}
+
+	if getfromhash($site::nodeinfo, 'buildd') {
+		file { '/etc/ferm/conf.d/load_ftp_conntrack.conf':
+			source => 'puppet:///modules/ferm/conntrack_ftp.conf',
+		}
+	}
 
-    exec {
-        "ferm restart":
-            command     => "/etc/init.d/ferm restart",
-            refreshonly => true,
-    }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
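Review bot: The rewritten `file` resources for `/etc/ferm/ferm.conf`, `conf.d/me.conf`, `conf.d/defs.conf`, `conf.d/interfaces.conf`, `/etc/ferm/dsa.d` and `load_ftp_conntrack.conf` no longer notify anything, where the old ones all carried `notify => Exec["ferm restart"]`; only `/etc/ferm` and `/etc/default/ferm` notify `Service['ferm']`. Unless a default set elsewhere restores it, a changed firewall configuration would be written to disk but not loaded until ferm is next restarted. Each of those resources should get `notify => Service['ferm'],` back, and `require => Package['ferm'],` where the old resource had it. Separately, `refreshonly` is an `exec` parameter and, as far as I know, not one the `service` type accepts, so `service { 'ferm': ... refreshonly => true }` is likely to be rejected at compile time.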
diff --git a/modules/ferm/manifests/nfs-server.pp b/modules/ferm/manifests/nfs-server.pp
deleted file mode 100644
index 8fc4f1a3..00000000
--- a/modules/ferm/manifests/nfs-server.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-class ferm::nfs-server {
-    @ferm::rule { "dsa-portmap":
-            domain          => "(ip ip6)",
-            description     => "Allow portmap access",
-            rule            => "&TCP_UDP_SERVICE(111)"
-    }
-    @ferm::rule { "dsa-nfs":
-            domain          => "(ip ip6)",
-            description     => "Allow nfsd access",
-            rule            => "&TCP_UDP_SERVICE(2049)"
-    }
-    @ferm::rule { "dsa-status":
-            domain          => "(ip ip6)",
-            description     => "Allow statd access",
-            rule            => "&TCP_UDP_SERVICE(10000)"
-    }
-    @ferm::rule { "dsa-mountd":
-            domain          => "(ip ip6)",
-            description     => "Allow mountd access",
-            rule            => "&TCP_UDP_SERVICE(10002)"
-    }
-    @ferm::rule { "dsa-lockd":
-            domain          => "(ip ip6)",
-            description     => "Allow lockd access",
-            rule            => "&TCP_UDP_SERVICE(10003)"
-    }
-}
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 374da372..83e28947 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -1,254 +1,244 @@
 class ferm::per-host {
-    case $::hostname {
-        ancina,zandonai,zelenka: {
-            include ferm::zivit
-        }
-    }
-
-    case $::hostname {
-        chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet: {
-            include ferm::ftp
-        }
-    }
+	if $::hostname in [ancina,zandonai,zelenka] {
+		include ferm::zivit
+	}
 
-    case $::hostname {
-        piatti,samosa: {
-            @ferm::rule { "dsa-udd-stunnel":
-                description  => "port 8080 for udd stunnel",
-                rule         => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
-            }
-        }
-        danzi: {
-                @ferm::rule {
-                    "dsa-postgres-danzi":
-                        description     => "Allow postgress access",
-                        rule            => "&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))"
-                        ;
-                    "dsa-postgres2-danzi":
-                        description     => "Allow postgress access2",
-                        rule            => "&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))"
-                        ;
-                    "dsa-postgres3-danzi":
-                        description     => "Allow postgress access2",
-                        rule            => "&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))"
-                        ;
-                }
+	if $::hostname in [chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet] {
+		include ferm::ftp
+	}
 
-        }
-        abel,alwyn,rietz: {
-            @ferm::rule { "dsa-tftp":
-                description     => "Allow tftp access",
-                rule            => "&SERVICE(udp, 69)"
-            }
-        }
-        paganini: {
-            @ferm::rule { "dsa-dhcp":
-                description     => "Allow dhcp access",
-                rule            => "&SERVICE(udp, 67)"
-            }
-            @ferm::rule { "dsa-tftp":
-                description     => "Allow tftp access",
-                rule            => "&SERVICE(udp, 69)"
-            }
-        }
-        handel: {
-            @ferm::rule { "dsa-puppet":
-                description     => "Allow puppet access",
-                rule            => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)"
-            }
-            @ferm::rule { "dsa-puppet-v6":
-                domain          => 'ip6',
-                description     => "Allow puppet access",
-                rule            => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
-            }
-        }
-        powell: {
-            @ferm::rule { "dsa-powell-v6-tunnel":
-                description     => "Allow powell to use V6 tunnel broker",
-                rule            => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
-            }
-            @ferm::rule { "dsa-powell-btseed":
-                domain          => "(ip ip6)",
-                description     => "Allow powell to seed BT",
-                rule            => "proto tcp dport 8000:8100 jump ACCEPT"
-            }
-        }
-        heininen,lotti: {
-            @ferm::rule { "dsa-syslog":
-                description     => "Allow syslog access",
-                rule            => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)"
-            }
-            @ferm::rule { "dsa-syslog-v6":
-                domain          => 'ip6',
-                description     => "Allow syslog access",
-                rule            => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)"
-            }
-        }
-        kaufmann: {
-            @ferm::rule { "dsa-hkp":
-                domain          => "(ip ip6)",
-                description     => "Allow hkp access",
-                rule            => "&SERVICE(tcp, 11371)"
-            }
-        }
-        gombert: {
-            @ferm::rule { "dsa-infinoted":
-                domain          => "(ip ip6)",
-                description     => "Allow infinoted access",
-                rule            => "&SERVICE(tcp, 6523)"
-            }
-        }
-        bendel,liszt: {
-            @ferm::rule { "smtp":
-                domain          => "(ip ip6)",
-                description     => "Allow smtp access",
-                rule            => "&SERVICE(tcp, 25)"
-            }
-        }
-        draghi: {
-            #@ferm::rule { "dsa-bind":
-            #    domain          => "(ip ip6)",
-            #    description     => "Allow nameserver access",
-            #    rule            => "&TCP_UDP_SERVICE(53)"
-            #}
-            @ferm::rule { "dsa-finger":
-                domain          => "(ip ip6)",
-                description     => "Allow finger access",
-                rule            => "&SERVICE(tcp, 79)"
-            }
-            @ferm::rule { "dsa-ldap":
-                domain          => "(ip ip6)",
-                description     => "Allow ldap access",
-                rule            => "&SERVICE(tcp, 389)"
-            }
-            @ferm::rule { "dsa-ldaps":
-                domain          => "(ip ip6)",
-                description     => "Allow ldaps access",
-                rule            => "&SERVICE(tcp, 636)"
-            }
-        }
-        cilea: {
-            file {
-                "/etc/ferm/conf.d/load_sip_conntrack.conf":
-                    source => "puppet:///modules/ferm/conntrack_sip.conf",
-                    require => Package["ferm"],
-                    notify  => Exec["ferm restart"];
-            }
-            @ferm::rule { "dsa-sip":
-                domain          => "(ip ip6)",
-                description     => "Allow sip access",
-                rule            => "&TCP_UDP_SERVICE(5060)"
-            }
-            @ferm::rule { "dsa-sipx":
-                domain          => "(ip ip6)",
-                description     => "Allow sipx access",
-                rule            => "&TCP_UDP_SERVICE(5080)"
-            }
-        }
-	scelsi: {
-            @ferm::rule { "dc11-icecast":
-                domain          => "(ip ip6)",
-                description     => "Allow icecast access",
-                rule            => "&SERVICE(tcp, 8000)"
-            }
+	case $::hostname {
+		piatti,samosa: {
+			@ferm::rule { 'dsa-udd-stunnel':
+				description  => 'port 8080 for udd stunnel',
+				rule         => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
+			}
+		}
+		danzi: {
+			@ferm::rule { 'dsa-postgres-danzi':
+				description     => 'Allow postgress access',
+				rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
+			}
+			@ferm::rule { 'dsa-postgres2-danzi':
+				description     => 'Allow postgress access2',
+				rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
+			}
+			@ferm::rule { 'dsa-postgres3-danzi':
+				description     => 'Allow postgress access2',
+				rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
+			}
+		}
+		abel,alwyn,rietz: {
+			@ferm::rule { 'dsa-tftp':
+				description     => 'Allow tftp access',
+				rule            => '&SERVICE(udp, 69)'
+			}
+		}
+		paganini: {
+			@ferm::rule { 'dsa-dhcp':
+				description     => 'Allow dhcp access',
+				rule            => '&SERVICE(udp, 67)'
+			}
+			@ferm::rule { 'dsa-tftp':
+				description     => 'Allow tftp access',
+				rule            => '&SERVICE(udp, 69)'
+			}
+		}
+		handel: {
+			@ferm::rule { 'dsa-puppet':
+				description     => 'Allow puppet access',
+				rule            => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)'
+			}
+			@ferm::rule { 'dsa-puppet-v6':
+				domain          => 'ip6',
+				description     => 'Allow puppet access',
+				rule            => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)'
+			}
+		}
+		powell: {
+			@ferm::rule { 'dsa-powell-v6-tunnel':
+				description     => 'Allow powell to use V6 tunnel broker',
+				rule            => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT'
+			}
+			@ferm::rule { 'dsa-powell-btseed':
+				domain          => '(ip ip6)',
+				description     => 'Allow powell to seed BT',
+				rule            => 'proto tcp dport 8000:8100 jump ACCEPT'
+			}
+		}
+		heininen,lotti: {
+			@ferm::rule { 'dsa-syslog':
+				description     => 'Allow syslog access',
+				rule            => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)'
+			}
+			@ferm::rule { 'dsa-syslog-v6':
+				domain          => 'ip6',
+				description     => 'Allow syslog access',
+				rule            => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)'
+			}
+		}
+		kaufmann: {
+			@ferm::rule { 'dsa-hkp':
+				domain          => '(ip ip6)',
+				description     => 'Allow hkp access',
+				rule            => '&SERVICE(tcp, 11371)'
+			}
+		}
+		gombert: {
+			@ferm::rule { 'dsa-infinoted':
+				domain          => '(ip ip6)',
+				description     => 'Allow infinoted access',
+				rule            => '&SERVICE(tcp, 6523)'
+			}
+		}
+		bendel,liszt: {
+			@ferm::rule { 'smtp':
+				domain          => '(ip ip6)',
+				description     => 'Allow smtp access',
+				rule            => '&SERVICE(tcp, 25)'
+			}
+		}
+		draghi: {
+			#@ferm::rule { 'dsa-bind':
+			#    domain          => '(ip ip6)',
+			#    description     => 'Allow nameserver access',
+			#    rule            => '&TCP_UDP_SERVICE(53)'
+			#}
+			@ferm::rule { 'dsa-finger':
+				domain          => '(ip ip6)',
+				description     => 'Allow finger access',
+				rule            => '&SERVICE(tcp, 79)'
+			}
+			@ferm::rule { 'dsa-ldap':
+				domain          => '(ip ip6)',
+				description     => 'Allow ldap access',
+				rule            => '&SERVICE(tcp, 389)'
+			}
+			@ferm::rule { 'dsa-ldaps':
+				domain          => '(ip ip6)',
+				description     => 'Allow ldaps access',
+				rule            => '&SERVICE(tcp, 636)'
+			}
+		}
+		cilea: {
+			file {
+				'/etc/ferm/conf.d/load_sip_conntrack.conf':
+					source => 'puppet:///modules/ferm/conntrack_sip.conf',
+					require => Package['ferm'],
+					notify  => Exec['ferm restart'];
+			}
+			@ferm::rule { 'dsa-sip':
+				domain          => '(ip ip6)',
+				description     => 'Allow sip access',
+				rule            => '&TCP_UDP_SERVICE(5060)'
+			}
+			@ferm::rule { 'dsa-sipx':
+				domain          => '(ip ip6)',
+				description     => 'Allow sipx access',
+				rule            => '&TCP_UDP_SERVICE(5080)'
+			}
+		}
+		scelsi: {
+			@ferm::rule { 'dc11-icecast':
+				domain          => '(ip ip6)',
+				description     => 'Allow icecast access',
+				rule            => '&SERVICE(tcp, 8000)'
+			}
+		}
+		default: {}
 	}
-    }
 
-    case $hostname { rautavaara,luchesi: {
-        @ferm::rule { "dsa-to-kfreebsd":
-            description     => "Traffic routed to kfreebsd hosts",
-            chain           => 'to-kfreebsd',
-            rule            => 'proto icmp ACCEPT;
-                                source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
-                                source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
-                                source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
-                                source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
-                                source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
-                               '
-        }
-        @ferm::rule { "dsa-from-kfreebsd":
-            description     => "Traffic routed from kfreebsd vlan/bridge",
-            chain           => 'from-kfreebsd',
-            rule            => 'proto icmp ACCEPT;
-                                proto tcp dport (21 22 80 53 443) ACCEPT;
-                                proto udp dport (53 123) ACCEPT;
-                                proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
-                                proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
-                                proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
-                                proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
-                               '
-        }
-    }}
-    case $hostname {
-        rautavaara: {
-            @ferm::rule { "dsa-routing":
-                description     => "forward chain",
-                chain           => "FORWARD",
-                rule            => '
-                                    def $ADDRESS_FASCH=194.177.211.201;
-                                    def $ADDRESS_FIELD=194.177.211.210;
-                                    def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
+	if $::hostname in [rautavaara,luchesi] {
+		@ferm::rule { 'dsa-to-kfreebsd':
+			description     => 'Traffic routed to kfreebsd hosts',
+			chain           => 'to-kfreebsd',
+			rule            => 'proto icmp ACCEPT;
+source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
+source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
+source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
+source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
+source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
+'
+		}
+		@ferm::rule { 'dsa-from-kfreebsd':
+			description     => 'Traffic routed from kfreebsd vlan/bridge',
+			chain           => 'from-kfreebsd',
+			rule            => 'proto icmp ACCEPT;
+proto tcp dport (21 22 80 53 443) ACCEPT;
+proto udp dport (53 123) ACCEPT;
+proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
+proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
+proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
+proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
+'
+		}
+	}
+	case $::hostname {
+		rautavaara: {
+			@ferm::rule { 'dsa-routing':
+				description     => 'forward chain',
+				chain           => 'FORWARD',
+				rule            => 'def $ADDRESS_FASCH=194.177.211.201;
+def $ADDRESS_FIELD=194.177.211.210;
+def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
 
-                                    policy ACCEPT;
-                                    mod state state (ESTABLISHED RELATED) ACCEPT;
-                                    interface vlan11 outerface eth0 jump from-kfreebsd;
-                                    interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
-                                    ULOG ulog-prefix "REJECT FORWARD: ";
-                                    REJECT reject-with icmp-admin-prohibited
-                                    '
-            }
-        }
-        luchesi: {
-            @ferm::rule { "dsa-routing":
-                description     => "forward chain",
-                chain           => "FORWARD",
-                rule            => '
-                                    def $ADDRESS_FANO=206.12.19.110;
-                                    def $ADDRESS_FINZI=206.12.19.111;
-                                    def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
+policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface vlan11 outerface eth0 jump from-kfreebsd;
+interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
+ULOG ulog-prefix "REJECT FORWARD: ";
+REJECT reject-with icmp-admin-prohibited
+'
+			}
+		}
+		luchesi: {
+			@ferm::rule { 'dsa-routing':
+				description     => 'forward chain',
+				chain           => 'FORWARD',
+				rule            => 'def $ADDRESS_FANO=206.12.19.110;
+def $ADDRESS_FINZI=206.12.19.111;
+def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
 
-                                    policy ACCEPT;
-                                    mod state state (ESTABLISHED RELATED) ACCEPT;
-                                    interface br0 outerface br0 ACCEPT;
+policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface br0 outerface br0 ACCEPT;
 
-                                    interface br2 outerface br0 jump from-kfreebsd;
-                                    interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
-                                    ULOG ulog-prefix "REJECT FORWARD: ";
-                                    REJECT reject-with icmp-admin-prohibited
-                                    '
-            }
-        }
-    }
+interface br2 outerface br0 jump from-kfreebsd;
+interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
+ULOG ulog-prefix "REJECT FORWARD: ";
+REJECT reject-with icmp-admin-prohibited
+'
+			}
+		}
+		default: {}
+	}
 
-    # redirect snapshot into varnish
-    case $::hostname {
-        sibelius: {
-            @ferm::rule { "dsa-snapshot-varnish":
-                rule            => '&SERVICE(tcp, 6081)',
-            }
-            @ferm::rule { "dsa-nat-snapshot-varnish":
-                table           => 'nat',
-                chain           => 'PREROUTING',
-                rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
-            }
-        }
-        stabile: {
-            @ferm::rule { "dsa-snapshot-varnish":
-                rule            => '&SERVICE(tcp, 6081)',
-            }
-            @ferm::rule { "dsa-nat-snapshot-varnish":
-                table           => 'nat',
-                chain           => 'PREROUTING',
-                rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
-            }
-        }
-    }
+	# redirect snapshot into varnish
+	case $::hostname {
+		sibelius: {
+			@ferm::rule { 'dsa-snapshot-varnish':
+				rule            => '&SERVICE(tcp, 6081)',
+			}
+			@ferm::rule { 'dsa-nat-snapshot-varnish':
+				table           => 'nat',
+				chain           => 'PREROUTING',
+				rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
+			}
+		}
+		stabile: {
+			@ferm::rule { 'dsa-snapshot-varnish':
+				rule            => '&SERVICE(tcp, 6081)',
+			}
+			@ferm::rule { 'dsa-nat-snapshot-varnish':
+				table           => 'nat',
+				chain           => 'PREROUTING',
+				rule            => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
+			}
+		}
+		default: {}
+	}
 
-    if $::rsyncd == 'true' {
-        include ferm::rsync
-    }
+	if $::rsyncd == true {
+		include ferm::rsync
+	}
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/ferm/manifests/rsync.pp b/modules/ferm/manifests/rsync.pp
index 390bce2b..44feab65 100644
--- a/modules/ferm/manifests/rsync.pp
+++ b/modules/ferm/manifests/rsync.pp
@@ -1,8 +1,8 @@
 class ferm::rsync {
-    @ferm::rule { "dsa-rsync":
-        domain          => "(ip ip6)",
-        description     => "Allow rsync access",
-        rule            => "&SERVICE(tcp, 873)"
-    }
+	@ferm::rule { 'dsa-rsync':
+		domain      => '(ip ip6)',
+		description => 'Allow rsync access',
+		rule        => '&SERVICE(tcp, 873)'
+	}
 }
 
diff --git a/modules/ferm/manifests/rule.pp b/modules/ferm/manifests/rule.pp
new file mode 100644
index 00000000..7eef2a21
--- /dev/null
+++ b/modules/ferm/manifests/rule.pp
@@ -0,0 +1,19 @@
+define ferm::rule(
+	$rule,
+	$domain='ip',
+	$table='filter',
+	$chain='INPUT',
+	$description='',
+	$prio='00',
+	$notarule=false
+) {
+	file {
+		"/etc/ferm/dsa.d/${prio}_${name}":
+			ensure  => present,
+			mode    => '0400',
+			content => template('ferm/ferm-rule.erb'),
+			notify  => Service['ferm'],
+	}
+}
+
+
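Review bot: The `file` resource that writes each firewall fragment sets `mode => '0400'` but no `owner` or `group`, so ownership of `/etc/ferm/dsa.d/${prio}_${name}` depends on resource defaults set elsewhere. Adding `owner => root, group => root,` would make the intended permissions explicit in the define itself. The define also has no header comment, and `$domain`, `$table`, `$chain`, `$description` and `$notarule` are never referenced in the body, so presumably only `ferm/ferm-rule.erb` reads them. A comment above `define ferm::rule(` such as `# All parameters except $prio are consumed by templates/ferm-rule.erb` would keep a later cleanup from dropping them.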
diff --git a/modules/ferm/manifests/zivit.pp b/modules/ferm/manifests/zivit.pp
index e392b3fe..b513a3b1 100644
--- a/modules/ferm/manifests/zivit.pp
+++ b/modules/ferm/manifests/zivit.pp
@@ -1,15 +1,15 @@
 class ferm::zivit {
-    @ferm::rule { "dsa-zivit-rrdcollect":
-        description  => "port 6666 for rrdcollect for zivit",
-        rule         => "&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))"
-    }
-    @ferm::rule { "dsa-zivit-zabbix":
-        description  => "port 10050 for zabbix for zivit",
-        rule         => "&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))"
-    }
-    @ferm::rule { "dsa-time":
-        description     => "Allow time access",
-        rule            => "&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)"
-    }
+	@ferm::rule { 'dsa-zivit-rrdcollect':
+		description => 'port 6666 for rrdcollect for zivit',
+		rule        => '&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))'
+	}
+	@ferm::rule { 'dsa-zivit-zabbix':
+		description => 'port 10050 for zabbix for zivit',
+		rule        => '&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))'
+	}
+	@ferm::rule { 'dsa-time':
+		description => 'Allow time access',
+		rule        => '&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)'
+	}
 }
 
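Review bot: The `dsa-time` rule is now single-quoted but still writes `\$HOST_NAGIOS_V4`. In a single-quoted Puppet string the backslash before `$` is not an escape and is kept, so the rendered ferm fragment would likely contain a literal `\$HOST_NAGIOS_V4` instead of the ferm variable, and the source restriction may not load as intended. With single quotes the line should read `rule        => '&SERVICE_RANGE(tcp, time, $HOST_NAGIOS_V4)'`. The same quoting appears in the `\$HOST_DEBIAN_V4` and `\$HOST_DEBIAN_V6` rules for puppet and syslog earlier in this patch, so checking the generated files under `/etc/ferm/dsa.d/` on one affected host would confirm it.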
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index d46bee1e..3af87c48 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -21,9 +21,9 @@
 
 @def $HOST_MAILRELAY_V4 = (<%=
   mailrelay = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['mailrelay']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['mailrelay']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /:/
              mailrelay << ip
           end
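Review bot: Each converted block repeats `scope.lookupvar('site::localinfo')` and `scope.lookupvar('site::allnodeinfo')` on every loop iteration and never checks the result, so a lookup that comes back empty would raise on `.keys` or `[node]` while the firewall address lists are being rendered. Binding them once at the top of the block, `localinfo = scope.lookupvar('site::localinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, leaves the original loop body untouched and gives a single place to add a guard. This applies equally to the other nine hunks in this file, `$HOST_MAILRELAY_V6` through `$HOST_DEBIAN_V6`. The `<%=` block opened here closes outside the hunk.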
@@ -35,9 +35,9 @@
 
 @def $HOST_MAILRELAY_V6 = (<%=
   mailrelay = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['mailrelay']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['mailrelay']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /\./
              mailrelay << ip
           end
@@ -51,9 +51,9 @@
 
 @def $HOST_NAGIOS_V4 = (<%=
   nagii = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /:/
              nagii << ip
           end
@@ -65,9 +65,9 @@
 
 @def $HOST_NAGIOS_V6 = (<%=
   nagii = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /\./
              nagii << ip
           end
@@ -81,9 +81,9 @@
 
 @def $HOST_MUNIN_V4 = (<%=
   munins = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['muninmaster']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['muninmaster']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /:/
              munins << ip
           end
@@ -95,9 +95,9 @@
 
 @def $HOST_MUNIN_V6 = (<%=
   munins = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['muninmaster']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['muninmaster']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /\./
              munins << ip
           end
@@ -111,9 +111,9 @@
 
 @def $HOST_DB_V6  = (<%=
   dbs = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['dbmaster']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['dbmaster']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /\./
              dbs << ip
           end
@@ -125,9 +125,9 @@
 
 @def $HOST_DB_V4 = (<%=
   dbs = []
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['dbmaster']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['dbmaster']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
              next if ip =~ /:/
              dbs << ip
           end
@@ -141,9 +141,9 @@
 
 @def $HOST_DEBIAN_V4 = (<%=
   dbs = []
-  allnodeinfo.keys.sort.each do |node|
-      next unless allnodeinfo[node].has_key?('ipHostNumber')
-      allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+      next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber')
+      scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
          next if ip =~ /:/
          dbs << ip
       end
@@ -154,9 +154,9 @@
 
 @def $HOST_DEBIAN_V6  = (<%=
   dbs = []
-  allnodeinfo.keys.sort.each do |node|
-      next unless allnodeinfo[node].has_key?('ipHostNumber')
-      allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+      next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber')
+      scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
          next if ip =~ /\./
          dbs << ip
       end
diff --git a/modules/ferm/templates/interfaces.conf.erb b/modules/ferm/templates/interfaces.conf.erb
index af6585a5..fbe96026 100644
--- a/modules/ferm/templates/interfaces.conf.erb
+++ b/modules/ferm/templates/interfaces.conf.erb
@@ -7,7 +7,7 @@ end
 %>);
 def $MUNIN6_IPS = (<%=
 begin
-	v6ips == 'no' ? '' : v6ips.split(',').join(' ')
+	v6ips == '' ? '' : v6ips.split(',').join(' ')
 rescue
 	''
 end
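Review bot: The guard now compares `v6ips` with `''`, but `''.split(',').join(' ')` already yields an empty string, so the ternary no longer protects anything. A host whose fact still reports the old `'no'` sentinel would now render `no` into `$MUNIN6_IPS`. If the fact change in `ipaddresses.rb` (not visible here) can roll out later than this template, accept both values during the transition: `(v6ips == '' or v6ips == 'no') ? '' : v6ips.split(',').join(' ')`. The bare `rescue` also turns any error into an empty list silently, and a comment saying that this is intended for hosts without the fact would help. The `begin` block starts outside the hunk.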
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 7069f592..2e5e18e8 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -9,8 +9,8 @@ out = []
 restricted_purposes = {'kvm host', 'central syslog server', 'puppet master', 'jumphost'}
 restrict_ssh = %w{lebrun logtest01 geo1 geo2 geo3 beethoven tchaikovsky schroeder rossini draghi}
 
-if (nodeinfo['ldap'].has_key?('purpose')) then
-	nodeinfo['ldap']['purpose'].each do |purp|
+if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) then
+	scope.lookupvar('site::nodeinfo')['ldap']['purpose'].each do |purp|
 		if restricted_purposes.include?(purp) then
 			restrict_ssh << hostname
 		end
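Review bot: The context line `restricted_purposes = {'kvm host', 'central syslog server', 'puppet master', 'jumphost'}` uses a brace literal. On Ruby 1.8 that parses as a Hash with two key/value pairs, and newer Ruby rejects it as a syntax error. Since `restricted_purposes.include?(purp)` on a Hash tests keys only, 'central syslog server' and 'jumphost' would presumably never match, and hosts with only those purposes would not be added to `restrict_ssh`. An array states the intent: `restricted_purposes = ['kvm host', 'central syslog server', 'puppet master', 'jumphost']`. The converted `scope.lookupvar('site::nodeinfo')['ldap']` calls in this hunk and the next could also be bound once to a local, as they are repeated without a nil check.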
@@ -49,7 +49,7 @@ out << "@def $SSH_V6_SOURCES = (#{ssh6allowed.join(' ')});"
 smtp4allowed = []
 smtp6allowed = []
 
-if not nodeinfo['smarthost'].empty?
+if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
   smtp4allowed << %w{$HOST_MAILRELAY_V4 $HOST_NAGIOS_V4}
   smtp6allowed << %w{$HOST_MAILRELAY_V6 $HOST_NAGIOS_V6}
 end
diff --git a/modules/hardware/manifests/init.pp b/modules/hardware/manifests/init.pp
new file mode 100644
index 00000000..bc5897e5
--- /dev/null
+++ b/modules/hardware/manifests/init.pp
@@ -0,0 +1,14 @@
+class hardware {
+	if $::smartarraycontroller {
+		include debian::proliant
+	}
+
+	if $::productname == 'PowerEdge 2850' {
+		include megactl
+	}
+
+	if $::mptraid {
+		include raidmpt
+	}
+
+}
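Review bot: The bare tests `if $::smartarraycontroller` and `if $::mptraid` treat any non-empty string as true, so if these custom facts are delivered as the strings 'true' and 'false' (their definitions are not visible here), the string 'false' would still include the class. An explicit comparison, written the same way as the `$::rsyncd` test elsewhere in this patch, avoids depending on how the fact is serialised. Separately, `include debian::proliant` names a module `debian`, while the patch adds `proliant.pp` under `modules/debian-org/manifests/`. Confirm that the class name declared in that file matches what the autoloader will look for.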
diff --git a/modules/hosts/manifests/init.pp b/modules/hosts/manifests/init.pp
index cdd19017..47616af6 100644
--- a/modules/hosts/manifests/init.pp
+++ b/modules/hosts/manifests/init.pp
@@ -1,10 +1,5 @@
 class hosts {
-
-    file {
-        "/etc/hosts": content => template("hosts/etc-hosts.erb");
-    }
+	file { '/etc/hosts':
+		content => template('hosts/etc-hosts.erb')
+	}
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/kfreebsd/manifests/init.pp b/modules/kfreebsd/manifests/init.pp
index 00a7449c..8ccfe318 100644
--- a/modules/kfreebsd/manifests/init.pp
+++ b/modules/kfreebsd/manifests/init.pp
@@ -1,15 +1,10 @@
 class kfreebsd {
-    file {
-        "/etc/cron.d/dsa-killruby":
-            source  => [ "puppet:///modules/kfreebsd/dsa-killruby" ],
-            ;
-    }
-    sysctl {
-        "maxfiles" :
-            key          => "kern.maxfiles",
-            value        => 65536,
-    }
+	file { '/etc/cron.d/dsa-killruby':
+		source => 'puppet:///modules/kfreebsd/dsa-killruby',
+	}
+
+	site::sysctl { 'maxfiles':
+		key   => 'kern.maxfiles',
+		value => 65536,
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/megactl/manifests/init.pp b/modules/megactl/manifests/init.pp
index d15cb17e..3c376639 100644
--- a/modules/megactl/manifests/init.pp
+++ b/modules/megactl/manifests/init.pp
@@ -1,13 +1,9 @@
 class megactl {
-    package {
-        megactl: ensure => installed;
-    }
-    file {
-        "/etc/apt/sources.list.d/debian.restricted.list":
-            content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"),
-            notify  => Exec["apt-get update"];
-    }
+	package { 'megactl':
+		ensure => installed
+	}
+
+	site::aptrepo { 'debian.restricted':
+		template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb',
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
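Review bot: Nothing orders `package { 'megactl': }` after `site::aptrepo { 'debian.restricted': }`, so on a fresh host the install can be attempted before the restricted source exists. If the package is only published in that repository (not visible here), add `require => Site::Aptrepo['debian.restricted'],` to the package resource. The removed `file` resource notified `Exec['apt-get update']` explicitly. Whether `site::aptrepo` still refreshes the package index is decided in its own definition, outside this hunk, and is worth confirming.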
diff --git a/modules/monit/manifests/init.pp b/modules/monit/manifests/init.pp
index 7792b086..4c9b736b 100644
--- a/modules/monit/manifests/init.pp
+++ b/modules/monit/manifests/init.pp
@@ -1,76 +1,53 @@
 class monit {
-    package { "monit": ensure => installed }
 
-    $cmd = $::lsbdistcodename ? {
-         'sid'      => '/usr/bin/monit',
-         'wheezy'   => '/usr/bin/monit',
-         default  => '/usr/sbin/monit',
-    }
-
-    augeas { "inittab":
-        context => "/files/etc/inittab",
-        changes => [ "set mo/runlevels 2345",
-                     "set mo/action respawn",
-                     "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"",
-                   ],
-        notify => Exec["init q"],
-    }
-
-    file {
-        #"/etc/rc2.d/K99monit":
-        #  ensure  => "../init.d/monit";
-        #"/etc/rc2.d/S99monit":
-        #  ensure  => absent;
-
-        "/etc/monit/":
-          ensure  => directory,
-          owner   => root,
-          group   => root,
-          mode    => 755,
-          purge   => true
-          ;
-
-        "/etc/monit/monitrc":
-          content => template("monit/monitrc.erb"),
-          require => Package["monit"],
-          notify  => Exec["monit stop"],
-          mode    => 400
-          ;
-
-        "/etc/monit/monit.d":
-          ensure  => directory,
-          owner   => root,
-          group   => root,
-          mode    => 750,
-          purge   => true
-          ;
-
-        "/etc/monit/monit.d/01puppet":
-          source  => "puppet:///modules/monit/puppet",
-          require => Package["monit"],
-          notify  => Exec["monit stop"],
-          mode    => 440
-          ;
-
-        "/etc/monit/monit.d/00debian.org":
-          source  => "puppet:///modules/monit/debianorg",
-          require => Package["monit"],
-          notify  => Exec["monit stop"],
-          mode    => 440
-          ;
-
-        "/etc/default/monit":
-          content => template("monit/default.erb"),
-          require => Package["monit"],
-          notify  => Exec["monit stop"]
-          ;
-    }
-    exec { "monit stop":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
+	package { 'monit':
+		ensure => installed
+	}
+
+	$cmd = $::lsbdistcodename ? {
+		'sid'    => '/usr/bin/monit',
+		'wheezy' => '/usr/bin/monit',
+		default  => '/usr/sbin/monit',
+	}
+
+	augeas { 'inittab':
+		context => '/files/etc/inittab',
+		changes => [ 'set mo/runlevels 2345',
+				'set mo/action respawn',
+				"set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"",
+		],
+		notify => Exec['init q'],
+	}
+
+	file { [ '/etc/monit/', '/etc/monit/monit.d']:
+		ensure  => directory,
+		owner   => root,
+		group   => root,
+		mode    => '0755',
+		purge   => true,
+		notify  => Exec['monit stop'],
+		require => Package['monit'],
+	}
+	file { '/etc/monit/monitrc':
+		content => template('monit/monitrc.erb'),
+		mode    => '0400'
+	}
+	file { '/etc/monit/monit.d/01puppet':
+		source  => 'puppet:///modules/monit/puppet',
+		mode    => '0440'
+	}
+	file { '/etc/monit/monit.d/00debian.org':
+		source  => 'puppet:///modules/monit/debianorg',
+		mode    => '0440'
+	}
+	file { '/etc/default/monit':
+		content => template('monit/default.erb'),
+		require => Package['monit'],
+		notify  => Exec['monit stop']
+	}
+
+	exec { 'monit stop':
+		path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+		refreshonly => true,
+	}
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
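Review bot: Merging the two directory resources changes `/etc/monit/monit.d` from mode 750 to `'0755'`, which makes the directory listing world-readable where it was not before. The same refactor drops `notify => Exec['monit stop']` from `monitrc`, `01puppet` and `00debian.org`, so a content change to those files no longer restarts monit; the `notify` now on the directories only fires when the directory resource itself changes. Ordering after `Package['monit']` is probably still implied through the parent-directory autorequire, but the refresh is not. `purge => true` also has no effect without `recurse => true`, as was already the case before this change. The fence keeps the directories separate and restores the notify.

```puppet
	file { '/etc/monit/':
		ensure  => directory,
		owner   => root,
		group   => root,
		mode    => '0755',
		purge   => true,
		require => Package['monit'],
	}
	file { '/etc/monit/monit.d':
		ensure  => directory,
		owner   => root,
		group   => root,
		mode    => '0750',
		purge   => true,
		require => Package['monit'],
	}
	file { '/etc/monit/monitrc':
		content => template('monit/monitrc.erb'),
		mode    => '0400',
		notify  => Exec['monit stop'],
	}
	# … 01puppet and 00debian.org: unchanged apart from the same added notify line …
	# … unchanged: /etc/default/monit, exec 'monit stop' …
```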
diff --git a/modules/motd/manifests/init.pp b/modules/motd/manifests/init.pp
index 0de49360..ffa85733 100644
--- a/modules/motd/manifests/init.pp
+++ b/modules/motd/manifests/init.pp
@@ -1,15 +1,16 @@
 class motd {
-	file { "/etc/motd.tail":
-                notify  => Exec["updatemotd"],
-                content => template("motd/motd.erb") ;
-               "/etc/motd":
-                 ensure => "/var/run/motd";
+
+	file { '/etc/motd.tail':
+		notify  => Exec['updatemotd'],
+		content => template('motd/motd.erb')
+	}
+	file { '/etc/motd':
+		ensure => link,
+		target => '/var/run/motd'
+	}
+
+	exec { 'updatemotd':
+		command     => 'uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd',
+		refreshonly => true,
 	}
-        exec { "updatemotd":
-                command => "uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd",
-                refreshonly => true
-        }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
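Review bot: `exec { 'updatemotd': }` runs unqualified `uname` and `cat` but sets no `path`, unlike `exec { 'monit stop': }` elsewhere in this patch, so it only works if a global `Exec` default supplies one. Adding `path => '/usr/bin:/bin',` makes the resource self-contained and pins which binaries a root-run command resolves to. The `>`, `>>` and `&&` in the command also rely on it being run through a shell, which is worth confirming for the Puppet version and exec provider in use.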
diff --git a/modules/motd/templates/motd.erb b/modules/motd/templates/motd.erb
index 2087cbc2..47eb9521 100644
--- a/modules/motd/templates/motd.erb
+++ b/modules/motd/templates/motd.erb
@@ -18,32 +18,32 @@ def markup(l)
 end
 
 purp = ''
-if nodeinfo.has_key?('nameinfo')
-  purp += wrap(nodeinfo['nameinfo']) + "\n\n"
+if scope.lookupvar('site::nodeinfo').has_key?('nameinfo')
+  purp += wrap(scope.lookupvar('site::nodeinfo')['nameinfo']) + "\n\n"
 end
 
 purp += 'Welcome to ' + fqdn
-if (nodeinfo['ldap'].has_key?('purpose'))
-  p = nodeinfo['ldap']['purpose'].clone()
+if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose'))
+  p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone()
   extra = ''
 
   if p.delete('buildd')
     purp += ", the Debian "
-    if nodeinfo['ldap'].has_key?('architecture')
-      purp += nodeinfo['ldap']['architecture'][0]
+    if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture')
+      purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0]
     end
     purp += " build daemon"
   end
 
   if p.delete('porterbox')
     purp += ", the Debian "
-    if nodeinfo['ldap'].has_key?('architecture')
-      purp += nodeinfo['ldap']['architecture'][0]
+    if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture')
+      purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0]
     end
     purp += " porterbox"
     extra += "\n"
     extra += "See 'dchroot -l' or 'schroot -l' for a list of available chroots.\n"
-    if nodeinfo['ldap'].has_key?('admin')
+    if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('admin')
       extra += "Please contact #{nodeinfo['ldap']['admin'][0]} for install requests,\n"
       extra += "following the recommendations in <URL:http://dsa.debian.org/doc/install-req/>.\n"
     end
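Review bot: The string interpolations still use the bare `nodeinfo` name even though the surrounding guards were converted: `#{nodeinfo['ldap']['admin'][0]}` in this hunk, and `#{nodeinfo['ldap']['physicalHost'][0]}` and `#{nodeinfo['hoster']['longname']}` in the third hunk of this file. If the bare name no longer resolves in template scope, which is presumably why the commit switches to `scope.lookupvar`, those branches will raise at render time, but only on hosts that reach them. Adding `nodeinfo = scope.lookupvar('site::nodeinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')` once before `purp = ''` would fix the leftovers and let the rest of the template keep its original, shorter form. The template body starts and ends outside this hunk.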
@@ -51,7 +51,7 @@ if (nodeinfo['ldap'].has_key?('purpose'))
 
   if p.size() > 0
     purp += ", used for the following services:\n"
-    nodeinfo['ldap']['purpose'].sort.each do |l|
+    scope.lookupvar('site::nodeinfo')['ldap']['purpose'].sort.each do |l|
       l = markup(l)
       purp += "\t" + l + "\n"
     end
@@ -66,18 +66,18 @@ end
 
 purp += "\n"
 
-if (nodeinfo['ldap'].has_key?('physicalHost'))
+if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('physicalHost'))
   purp += wrap("This virtual server runs on the physical host #{nodeinfo['ldap']['physicalHost'][0]}, " +
                "which is hosted at #{nodeinfo['hoster']['longname']}."
                )
-elsif nodeinfo['hoster']['name']
+elsif scope.lookupvar('site::nodeinfo')['hoster']['name']
   purp += wrap("This server is hosted at #{nodeinfo['hoster']['longname']}.")
 end
 
 
 vms = []
-allnodeinfo.keys.sort.each do |node|
-  if allnodeinfo[node]['physicalHost'] and allnodeinfo[node]['physicalHost'].include?(fqdn)
+scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+  if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn)
     vms << node
   end
 end
@@ -85,9 +85,9 @@ unless vms.empty?
   purp += "\nThe following virtual machines run on this system:\n"
   vms.each do |node|
     purp += "\t- #{node}"
-    if allnodeinfo[node]['purpose']
+    if scope.lookupvar('site::allnodeinfo')[node]['purpose']
       purp += ":\n"
-      allnodeinfo[node]['purpose'].sort.each do |l|
+      scope.lookupvar('site::allnodeinfo')[node]['purpose'].sort.each do |l|
         l = markup(l)
         purp += "\t    " + l + "\n"
       end
@@ -98,8 +98,8 @@ unless vms.empty?
 end
 
 
-if nodeinfo.has_key?('footer')
-  purp += "\n" + wrap(nodeinfo['footer']) + "\n"
+if scope.lookupvar('site::nodeinfo').has_key?('footer')
+  purp += "\n" + wrap(scope.lookupvar('site::nodeinfo')['footer']) + "\n"
 end
 purp
 -%>
diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp
deleted file mode 100644
index 72dbce1c..00000000
--- a/modules/munin-node/manifests/init.pp
+++ /dev/null
@@ -1,114 +0,0 @@
-define activate_munin_check($ensure=present, $script = none) {
-    case $script {
-        none: { $link = $name }
-        default: { $link = $script }
-    }
-
-    case $ensure {
-        present: {
-            file { "/etc/munin/plugins/$name":
-                     ensure => "/usr/share/munin/plugins/$link",
-                     notify => Exec["munin-node restart"];
-            }
-        }
-        default: {
-            file { "/etc/munin/plugins/$name":
-                     ensure => $ensure,
-                     notify => Exec["munin-node restart"];
-            }
-        }
-    }
-}
-
-class munin-node {
-
-    package { munin-node: ensure => installed }
-
-    activate_munin_check {
-        "cpu":;
-        "entropy":;
-        "forks":;
-        "interrupts":;
-        "iostat":;
-        "irqstats":;
-        "load":;
-        "memory":;
-        "ntp_offset":;
-        "ntp_states":;
-        "open_files":;
-        "open_inodes":;
-        "processes":;
-        "swap":;
-        "uptime":;
-        "vmstat":;
-    }
-
-    case $spamd {
-        "true": {
-              activate_munin_check { "spamassassin":; }
-        }
-    }
-
-    case $vsftpd {
-        "true": {
-              package { 
-                      "logtail": ensure => installed;
-              }
-              activate_munin_check {
-                      "vsftpd":;
-                      "ps_vsftpd": script => "ps_";
-              }
-        }
-    }
-
-    file {
-        "/etc/munin/munin-node.conf":
-            content => template("munin-node/munin-node.conf.erb"),
-            require => Package["munin-node"],
-            notify  => Exec["munin-node restart"];
-
-        "/etc/munin/plugin-conf.d/munin-node":
-            content => template("munin-node/munin-node.plugin.conf.erb"),
-            require => Package["munin-node"],
-            notify  => Exec["munin-node restart"];
-
-        "/etc/munin/plugins/df":
-            source  => "puppet:///modules/munin-node/df-wrap",
-            mode    => 555,
-            require => Package["munin-node"],
-            notify  => Exec["munin-node restart"]
-            ;
-        "/etc/munin/plugins/df_abs":
-            source  => "puppet:///modules/munin-node/df-wrap",
-            mode    => 555,
-            require => Package["munin-node"],
-            notify  => Exec["munin-node restart"]
-            ;
-        "/etc/munin/plugins/df_inode":
-            source  => "puppet:///modules/munin-node/df-wrap",
-            mode    => 555,
-            require => Package["munin-node"],
-            notify  => Exec["munin-node restart"]
-            ;
-    }
-
-    exec { "munin-node restart":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
-    @ferm::rule { "dsa-munin-v4":
-            description     => "Allow munin from munin master",
-            rule            => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",
-            notarule        => true,
-    }
-    @ferm::rule { "dsa-munin-v6":
-            description     => "Allow munin from munin master",
-            domain          => "ip6",
-            rule            => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }",
-            notarule        => true,
-    }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/munin-node/manifests/master.pp b/modules/munin-node/manifests/master.pp
deleted file mode 100644
index 23418891..00000000
--- a/modules/munin-node/manifests/master.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class munin-node::master inherits munin-node {
-
-    package { munin: ensure => installed }
-
-    file {
-        "/etc/munin/munin.conf":
-            content => template("munin-node/munin.conf.erb"),
-            require => Package["munin"];
-    }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/munin-node/files/df-wrap b/modules/munin/files/df-wrap
similarity index 100%
rename from modules/munin-node/files/df-wrap
rename to modules/munin/files/df-wrap
diff --git a/modules/munin/manifests/check.pp b/modules/munin/manifests/check.pp
new file mode 100644
index 00000000..7e4a5c65
--- /dev/null
+++ b/modules/munin/manifests/check.pp
@@ -0,0 +1,22 @@
+define munin::check($ensure = present, $script = undef) {
+
+	if $script {
+		$link = $script
+	} else {
+		$link = $name
+	}
+
+	$link_target = $ensure ? {
+		present => "/usr/share/munin/plugins/${link}"
+		absent  => absent,
+		default => err ( "Unknown ensure value: '$ensure'" ),
+	}
+
+	file { "/etc/munin/plugins/${name}":
+		ensure  => $link_target,
+		require => Package['munin-node'],
+		notify  => Service['munin-node'],
+	}
+}
+
+
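Review bot: The `present` arm of the `$link_target` selector has no trailing comma, so the manifest will not parse; it should read `present => "/usr/share/munin/plugins/${link}",`. The `default` arm also calls `err(...)`, which is a logging statement and yields no value for the selector to return. I would validate `$ensure` in a `case` or `if` before the selector and abort there with `fail("Unknown ensure value: '${ensure}'")`. A short header comment would help too, e.g. `# Symlinks /etc/munin/plugins/$name to the packaged plugin named by $script (default: $name).`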
diff --git a/modules/munin/manifests/init.pp b/modules/munin/manifests/init.pp
new file mode 100644
index 00000000..1ba4477a
--- /dev/null
+++ b/modules/munin/manifests/init.pp
@@ -0,0 +1,43 @@
+class munin {
+
+	package { 'munin-node':
+		ensure => installed
+	}
+
+	service { 'munin-node':
+		ensure  => running,
+		require => Package['munin-node'],
+	}
+
+	file { '/etc/munin/munin-node.conf':
+		content => template('munin/munin-node.conf.erb')
+		require => Package['munin-node'],
+		notify  => Service['munin-node'],
+	}
+
+	file { '/etc/munin/plugin-conf.d/munin-node':
+		content => template('munin/munin-node.plugin.conf.erb'),
+		require => Package['munin-node'],
+		notify  => Service['munin-node'],
+	}
+
+	file { [ '/etc/munin/plugins/df', '/etc/munin/plugins/df_abs', '/etc/munin/plugins/df_inode' ]:
+		source => 'puppet:///modules/munin/df-wrap',
+		mode    => '0555',
+		require => Package['munin-node'],
+		notify  => Service['munin-node'],
+	}
+
+	@ferm::rule { 'dsa-munin-v4':
+		description     => 'Allow munin from munin master',
+		rule            => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }',
+		notarule        => true,
+	}
+
+	@ferm::rule { 'dsa-munin-v6':
+		description     => 'Allow munin from munin master',
+		domain          => 'ip6',
+		rule            => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }',
+		notarule        => true,
+	}
+}
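Review bot: The `rule` strings for `dsa-munin-v4` and `dsa-munin-v6` were switched to single quotes but still contain `'munin'`, so the string ends at `@subchain ` and the manifest no longer parses. Inside single quotes `\$` is also not an escape, so the backslash would reach ferm literally. These rules carry the `saddr` restriction for munin, so keep the double-quoted form here: `rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",`. The same quoting problem is in `dsa-nagios-v4` and `dsa-nagios-v6` in modules/nagios/manifests/client.pp. Separately, the `content` line of `/etc/munin/munin-node.conf` is missing its trailing comma: `content => template('munin/munin-node.conf.erb'),`.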
diff --git a/modules/munin/manifests/master.pp b/modules/munin/manifests/master.pp
new file mode 100644
index 00000000..4706dfbf
--- /dev/null
+++ b/modules/munin/manifests/master.pp
@@ -0,0 +1,11 @@
+class munin::master {
+
+	package { 'munin':
+		ensure => installed
+	}
+
+	file { '/etc/munin/munin.conf':
+		content => template('munin/munin.conf.erb'),
+		require => Package['munin'];
+	}
+}
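Review bot: `munin::master` no longer inherits the node class (the removed version was `class munin-node::master inherits munin-node`) and nothing here declares it. A master then only gets `munin-node`, its config and the ferm rules if the node definition includes `munin` separately, which is not visible in this hunk. If that is not guaranteed, add `include munin` at the top of the class. The `;` after `require => Package['munin']` is a leftover from the old multi-resource form and should become a `,` to match the other manifests in this commit.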
diff --git a/modules/munin-node/templates/munin-node.conf.erb b/modules/munin/templates/munin-node.conf.erb
similarity index 83%
rename from modules/munin-node/templates/munin-node.conf.erb
rename to modules/munin/templates/munin-node.conf.erb
index 45cf119a..e5ef6ff7 100644
--- a/modules/munin-node/templates/munin-node.conf.erb
+++ b/modules/munin/templates/munin-node.conf.erb
@@ -40,9 +40,9 @@ ignore_file \.rpm(save|new)$
 
 <%=
 str = ''
-localinfo.keys.sort.each do |node|
-   if localinfo[node]['muninmaster']
-      allnodeinfo[node]['ipHostNumber'].each do |ip|
+scope.lookupvar('site::localinfo').keys.sort.each do |node|
+   if scope.lookupvar('site::localinfo')[node]['muninmaster']
+      scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
          str += "allow ^" + ip.split('.').join('\.') + "$\n"
       end
    end
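Review bot: `scope.lookupvar('site::localinfo')` is now evaluated twice per node and `scope.lookupvar('site::allnodeinfo')` once more inside the loop, which makes the block that generates the `allow` lines hard to read. I would bind both once at the top of the ERB block, `localinfo = scope.lookupvar('site::localinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, and leave the loop body as it was. The same pattern repeats in munin.conf.erb, nagios/templates/inc-debian.org.erb and named/templates/named.conf.options.erb. The ERB block starts and ends outside this hunk.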
diff --git a/modules/munin-node/templates/munin-node.plugin.conf.erb b/modules/munin/templates/munin-node.plugin.conf.erb
similarity index 100%
rename from modules/munin-node/templates/munin-node.plugin.conf.erb
rename to modules/munin/templates/munin-node.plugin.conf.erb
diff --git a/modules/munin-node/templates/munin.conf.erb b/modules/munin/templates/munin.conf.erb
similarity index 75%
rename from modules/munin-node/templates/munin.conf.erb
rename to modules/munin/templates/munin.conf.erb
index 50468cb5..b223bd65 100644
--- a/modules/munin-node/templates/munin.conf.erb
+++ b/modules/munin/templates/munin.conf.erb
@@ -11,8 +11,8 @@ tmpldir /etc/munin/templates
 graph_strategy cgi
 
 <%= out = ''
-    localinfo.keys.sort.each do |node|
-       if not localinfo[node]['no_munin']
+    scope.lookupvar('site::localinfo').keys.sort.each do |node|
+       if not scope.lookupvar('site::localinfo')[node]['no_munin']
           out += '[' + node + ']
     address ' + node + '
 
diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp
index 33808c45..b72f002b 100644
--- a/modules/nagios/manifests/client.pp
+++ b/modules/nagios/manifests/client.pp
@@ -1,81 +1,64 @@
 class nagios::client inherits nagios {
-    package {
-        dsa-nagios-nrpe-config: ensure => purged;
-        dsa-nagios-checks: ensure => installed;
-    }
 
-    file {
-        "/etc/default/nagios-nrpe-server":
-            source  => [ "puppet:///modules/nagios/per-host/$fqdn/default",
-                         "puppet:///modules/nagios/common/default" ],
-            require => Package["nagios-nrpe-server"],
-            notify  => Exec["nagios-nrpe-server restart"],
-            ;
-        "/etc/default/nagios-nrpe":
-            ensure  => absent,
-            notify  => Exec["nagios-nrpe-server restart"],
-            ;
-        "/etc/nagios/nrpe.cfg":
-            content => template("nagios/nrpe.cfg.erb"),
-            require => Package["nagios-nrpe-server"],
-            notify  => Exec["service nagios-nrpe-server reload"],
-            ;
-        "/etc/nagios/nrpe.d":
-            mode    => 755,
-            require => Package["nagios-nrpe-server"],
-            ensure  => directory,
-            ;
-        "/etc/nagios/nrpe.d/debianorg.cfg":
-            content => template("nagios/inc-debian.org.erb"),
-            require => Package["nagios-nrpe-server"],
-            notify  => Exec["service nagios-nrpe-server reload"],
-            ;
-        "/etc/nagios/nrpe.d/nrpe_dsa.cfg":
-            source  => [ "puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg" ],
-            require => Package["dsa-nagios-checks"],
-            notify  => Exec["service nagios-nrpe-server reload"],
-            ;
+	package { 'dsa-nagios-nrpe-config':
+		ensure => purged
+	}
+	package { 'dsa-nagios-checks':
+		ensure => installed
+	}
 
-        "/etc/nagios/obsolete-packages-ignore":
-            source  => [ "puppet:///modules/nagios/per-host/$fqdn/obsolete-packages-ignore",
-                         "puppet:///modules/nagios/common/obsolete-packages-ignore" ],
-            require => Package["dsa-nagios-checks"],
-            ;
+	service { 'nagios-nrpe-server':
+		ensure    => running,
+		hasstatus => false,
+		pattern   => 'nrpe',
+	}
 
-        "/etc/nagios/obsolete-packages-ignore.d/hostspecific":
-                        content => template("nagios/obsolete-packages-ignore.d-hostspecific.erb"),
-            require => Package["dsa-nagios-checks"],
-            ;
-    }
+	@ferm::rule { 'dsa-nagios-v4':
+		description => 'Allow nrpe from nagios master',
+		rule        => 'proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }',
+		notarule    => true,
+	}
+	@ferm::rule { 'dsa-nagios-v6':
+		description => 'Allow nrpe from nagios master',
+		domain      => 'ip6',
+		rule        => 'proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }',
+		notarule    => true,
+	}
 
-    exec {
-        "nagios-nrpe-server restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-            ;
-        "service nagios-nrpe-server reload":
-# remove after lenny EOL (lenny has no service binary)
-# -cut-
-            command    => "/etc/init.d/nagios-nrpe-server reload",
-# -cut-
-            refreshonly => true,
-            ;
-    }
+	file { '/etc/default/nagios-nrpe-server':
+		source  => 'puppet:///modules/nagios/common/default',
+		require => Package['nagios-nrpe-server'],
+		notify  => Service['nagios-nrpe-server'],
+	}
+	file { '/etc/default/nagios-nrpe':
+		ensure  => absent,
+		notify  => Service['nagios-nrpe-server'],
+	}
+	file { '/etc/nagios/':
+		ensure  => directory,
+		require => Package['nagios-nrpe-server'],
+		notify  => Service['nagios-nrpe-server'],
+	}
+	file { '/etc/nagios/nrpe.cfg':
+		content => template('nagios/nrpe.cfg.erb'),
+	}
+	file { '/etc/nagios/nrpe.d':
+		ensure  => directory,
+		mode    => '0755',
+	}
+	file { '/etc/nagios/nrpe.d/debianorg.cfg':
+		content => template('nagios/inc-debian.org.erb'),
+	}
+	file { '/etc/nagios/nrpe.d/nrpe_dsa.cfg':
+		source  => 'puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg',
+	}
+	file { '/etc/nagios/obsolete-packages-ignore':
+		source  => 'puppet:///modules/nagios/common/obsolete-packages-ignore',
+		require => Package['dsa-nagios-checks'],
+	}
+	file { '/etc/nagios/obsolete-packages-ignore.d/hostspecific':
+		content => template('nagios/obsolete-packages-ignore.d-hostspecific.erb'),
+		require => Package['dsa-nagios-checks'],
+	}
 
-    @ferm::rule {
-        "dsa-nagios-v4":
-            description     => "Allow nrpe from nagios master",
-            rule            => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }",
-            notarule        => true,
-            ;
-        "dsa-nagios-v6":
-            description     => "Allow nrpe from nagios master",
-            domain          => "ip6",
-            rule            => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }",
-            notarule        => true,
-            ;
-    }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
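Review bot: The file resources for `/etc/nagios/nrpe.cfg`, `/etc/nagios/nrpe.d/debianorg.cfg` and `/etc/nagios/nrpe.d/nrpe_dsa.cfg` lost their `notify`, so a content change no longer restarts or reloads NRPE. The parent `/etc/nagios/` resource does notify the service, but only when the directory resource itself changes; the implicit dependency on a parent directory gives ordering, not refresh propagation. `debianorg.cfg` is rendered from the template that collects the nagios master addresses, so an update to that list would sit on disk unused until the next manual restart. Add `notify => Service['nagios-nrpe-server'],` to each of the three. The same loss of `notify` affects every config file in modules/nagios/manifests/server.pp and the `named.conf.*` files in modules/named/manifests/geodns.pp.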
diff --git a/modules/nagios/manifests/init.pp b/modules/nagios/manifests/init.pp
index 4975a413..3149da3e 100644
--- a/modules/nagios/manifests/init.pp
+++ b/modules/nagios/manifests/init.pp
@@ -1,8 +1,5 @@
 class nagios {
-	package {
-		nagios-nrpe-server: ensure => installed;
+	package { 'nagios-nrpe-server':
+		ensure => installed
 	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp
index f73d8ad2..2ab72a84 100644
--- a/modules/nagios/manifests/server.pp
+++ b/modules/nagios/manifests/server.pp
@@ -1,88 +1,75 @@
-class nagios::server inherits nagios::client {
-	package {
-		nagios3: ensure => installed;
-		nagios-nrpe-plugin: ensure => installed;
-		nagios-plugins: ensure => installed;
-		nagios-images: ensure => installed;
-	}
-
-	file {
-		"/etc/nagios-plugins/config/local-dsa-checkcommands.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-
-		"/etc/nagios3/cgi.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/cgi.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/nagios.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/nagios.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
+class nagios::server {
 
-		"/etc/nagios3/puppetconf.d":
-			mode    => 755,
-			require => Package["nagios3"],
-			ensure  => directory;
-
-		"/etc/nagios3/puppetconf.d/contacts.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/generic-host.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/generic-service.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/timeperiods.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-
-		"/etc/nagios3/puppetconf.d/auto-dependencies.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/auto-hostgroups.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/auto-hosts.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/auto-servicegroups.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
-		"/etc/nagios3/puppetconf.d/auto-services.cfg":
-			source  => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg" ],
-			require => Package["nagios3"],
-			notify  => Exec["nagios3 reload"];
+	package { [
+			'nagios3',
+			'nagios-nrpe-plugin',
+			'nagios-plugins',
+			'nagios-images'
+		]
+		ensure => installed
+	}
 
+	service { 'nagios3':
+		ensure => running,
 	}
 
-	exec { "nagios3 reload":
-		path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-		refreshonly => true,
+	file { '/etc/nagios-plugins/config':
+		ensure  => directory,
+		require => Package['nagios3'],
+		notify  => Service['nagios3'],
+	}
+	file { '/etc/nagios3':
+		ensure  => directory,
+		require => Package['nagios3'],
+		notify  => Service['nagios3'],
+	}
+	file { '/etc/nagios3/puppetconf.d':
+		ensure => directory,
+		mode   => '0755',
+	}
+	file { '/etc/nagios-plugins/config/local-dsa-checkcommands.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg',
+	}
+	file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg',
+	}
+	file { '/etc/nagios3/cgi.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/cgi.cfg',
+	}
+	file { '/etc/nagios3/nagios.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/nagios.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/contacts.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/generic-host.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/generic-service.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/timeperiods.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-dependencies.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-hostgroups.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-hosts.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-servicegroups.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg',
+	}
+	file { '/etc/nagios3/puppetconf.d/auto-services.cfg':
+		source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg',
 	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
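Review bot: The array title of the new `package` resource is not followed by a colon, so `ensure => installed` comes straight after `]` and the manifest will not parse. The line should be `]:`, as in the equivalent block in modules/nfs-server/manifests/init.pp. The class also drops `inherits nagios::client`. If the nagios server is meant to keep its own NRPE client configuration, that now has to come from the node definition, which this hunk does not show.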
diff --git a/modules/nagios/templates/inc-debian.org.erb b/modules/nagios/templates/inc-debian.org.erb
index 5732e2a3..b06c3284 100644
--- a/modules/nagios/templates/inc-debian.org.erb
+++ b/modules/nagios/templates/inc-debian.org.erb
@@ -5,9 +5,9 @@
 
 <%=
 nagii = []
-localinfo.keys.sort.each do |node|
-  if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
-    nagii << allnodeinfo[node]['ipHostNumber']
+scope.lookupvar('site::localinfo').keys.sort.each do |node|
+  if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient']
+    nagii << scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber']
   end
 end
 
diff --git a/modules/named/manifests/authoritative.pp b/modules/named/manifests/authoritative.pp
index 4ffba00d..a1024d88 100644
--- a/modules/named/manifests/authoritative.pp
+++ b/modules/named/manifests/authoritative.pp
@@ -1,20 +1,15 @@
 class named::authoritative inherits named {
-    file {
-        "/etc/bind/named.conf.debian-zones":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/named.conf.debian-zones",
-                         "puppet:///modules/named/common/named.conf.debian-zones" ],
-            notify  => Exec["bind9 reload"];
-        "/etc/bind/named.conf.options":
-            content => template("named/named.conf.options.erb"),
-            notify  => Exec["bind9 reload"];
-    }
-    file { "/etc/bind/named.conf.shared-keys":
-        mode    => 640,
-        owner   => root,
-        group   => bind,
-    }
+	file { '/etc/bind/named.conf.debian-zones':
+		source  => 'puppet:///modules/named/common/named.conf.debian-zones',
+		notify  => Service['bind9'],
+	}
+	file { '/etc/bind/named.conf.options':
+		content => template('named/named.conf.options.erb'),
+		notify  => Service['bind9'],
+	}
+	file { '/etc/bind/named.conf.shared-keys':
+		mode    => '0640',
+		owner   => root,
+		group   => bind,
+	}
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
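Review bot: The `source` for `/etc/bind/named.conf.debian-zones` drops the `per-host/$fqdn` entry, so a host that relied on an override will be switched to the common file without notice. That is a behaviour change inside a style commit. If any per-host file still exists in the module, keep the fallback list: `source => [ "puppet:///modules/named/per-host/${::fqdn}/named.conf.debian-zones", 'puppet:///modules/named/common/named.conf.debian-zones' ],`. The same removal happens in modules/nagios/manifests/client.pp (`default`, `obsolete-packages-ignore`) and in modules/named/manifests/geodns.pp, where it includes the `authorized_keys` source for `geodnssync`.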
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 76cfe3c6..1dd57113 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -1,75 +1,47 @@
 class named::geodns inherits named {
-    activate_munin_check {
-        "bind_views": script => bind;
-    }
+	munin::check { 'bind_views':
+		script => bind
+	}
 
-    file {
-        "/etc/bind/named.conf.options":
-            content => template("named/named.conf.options.erb"),
-            notify  => Exec["bind9 reload"];
-        "/etc/apt/sources.list.d/geoip.list":
-            content => template("debian-org/etc/apt/sources.list.d/geoip.list.erb"),
-            notify  => Exec["apt-get update"],
-            ;
-        "/etc/bind/named.conf.local":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/named.conf.local",
-                         "puppet:///modules/named/common/named.conf.local" ],
-            require => Package["bind9"],
-            notify  => Exec["bind9 restart"],
-            owner   => root,
-            group   => root,
-            ;
-        "/etc/bind/named.conf.acl":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/named.conf.acl",
-                         "puppet:///modules/named/common/named.conf.acl" ],
-            require => Package["bind9"],
-            notify  => Exec["bind9 restart"],
-            owner   => root,
-            group   => root,
-            ;
-        "/etc/bind/geodns":
-            ensure  => directory,
-            owner   => root,
-            group   => root,
-            mode    => 755,
-            ;
-        "/etc/bind/geodns/zonefiles":
-            ensure  => directory,
-            owner   => geodnssync,
-            group   => geodnssync,
-            mode    => 755,
-            ;
-        "/etc/bind/geodns/named.conf.geo":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/named.conf.geo",
-                         "puppet:///modules/named/common/named.conf.geo" ],
-            require => Package["bind9"],
-            notify  => Exec["bind9 restart"],
-            owner   => root,
-            group   => root,
-            ;
-        "/etc/bind/geodns/trigger":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/trigger",
-                         "puppet:///modules/named/common/trigger" ],
-            owner   => root,
-            group   => root,
-            mode    => 555,
-            ;
-        "/etc/ssh/userkeys/geodnssync":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/authorized_keys",
-                         "puppet:///modules/named/common/authorized_keys" ],
-            owner   => root,
-            group   => geodnssync,
-            mode    => 440,
-            ;
-        "/etc/cron.d/dsa-boot-geodnssync":
-            source  => [ "puppet:///modules/named/per-host/$fqdn/cron-geo",
-                         "puppet:///modules/named/common/cron-geo" ],
-            owner   => root,
-            group   => root,
-            ;
-    }
-}
+	site::aptrepo { 'geoip':
+		template => 'debian-org/etc/apt/sources.list.d/geoip.list.erb',
+	}
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+	file { '/etc/bind/':
+		ensure  => directory,
+		require => Package['bind9'],
+		notify  => Service['bind9'],
+	}
+	file { '/etc/bind/geodns':
+		ensure => directory,
+	}
+	file { '/etc/bind/named.conf.options':
+		content => template('named/named.conf.options.erb'),
+	}
+	file { '/etc/bind/named.conf.local':
+		source => 'puppet:///modules/named/common/named.conf.local',
+	}
+	file { '/etc/bind/named.conf.acl':
+		source => 'puppet:///modules/named/common/named.conf.acl',
+	}
+	file { '/etc/bind/geodns/zonefiles':
+		ensure => directory,
+		owner  => geodnssync,
+		group  => geodnssync,
+		mode   => '0755',
+	}
+	file { '/etc/bind/geodns/named.conf.geo':
+		source => 'puppet:///modules/named/common/named.conf.geo',
+	}
+	file { '/etc/bind/geodns/trigger':
+		source => 'puppet:///modules/named/common/trigger',
+	}
+	file { '/etc/ssh/userkeys/geodnssync':
+		source => 'puppet:///modules/named/common/authorized_keys',
+		group  => geodnssync,
+		mode   => '0440',
+	}
+	file { '/etc/cron.d/dsa-boot-geodnssync':
+		source => 'puppet:///modules/named/common/cron-geo'
+	}
+}
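Review bot: Several resources lose their explicit ownership and mode here. `/etc/bind/geodns/trigger` no longer has `mode => 555`, `/etc/ssh/userkeys/geodnssync` no longer has `owner => root`, and `/etc/bind/geodns` plus the `named.conf.*` files no longer pin `owner`/`group` to root. Unless a `File` default elsewhere (not visible in this hunk) supplies them, Puppet stops correcting drift on these paths and the trigger script may lose its execute bit. For the authorized-keys file and the script I would keep the values explicit: `owner => root,` on `/etc/ssh/userkeys/geodnssync`, and `owner => root, group => root, mode => '0555',` on `/etc/bind/geodns/trigger`.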
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 8cfa4080..28a666b5 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -1,37 +1,25 @@
 class named {
-    activate_munin_check {
-        "bind":;
-    }
 
-    package {
-        bind9: ensure => installed;
-    }
+	munin::check { 'bind': }
 
-    exec {
-        "bind9 restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-            ;
-        "bind9 reload":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-            ;
-    }
-    file {
-        "/var/log/bind9":
-            ensure  => directory,
-            owner   => bind,
-            group   => bind,
-            mode    => 775,
-            ;
-    }
-    @ferm::rule { "dsa-bind":
-        domain          => "(ip ip6)",
-        description     => "Allow nameserver access",
-        rule            => "&TCP_UDP_SERVICE(53)"
-    }
-}
+	package { 'bind9':
+		ensure => installed
+	}
+
+	service { 'bind9':
+		ensure => running,
+	}
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+	@ferm::rule { 'dsa-bind':
+		domain      => '(ip ip6)',
+		description => 'Allow nameserver access',
+		rule        => '&TCP_UDP_SERVICE(53)'
+	}
+
+	file { '/var/log/bind9':
+		ensure => directory,
+		owner  => bind,
+		group  => bind,
+		mode   => '0775',
+	}
+}
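Review bot: `service { 'bind9': }` has no `require => Package['bind9'],`, unlike the `munin-node` service added in this commit, so on a fresh host the service can be evaluated before the package is installed. Replacing the `bind9 reload` exec with `notify => Service['bind9']` also changes what a config update does: a service refresh is a full restart unless a `restart` command is set. If the reload behaviour of the removed exec is still wanted, set `restart => '/etc/init.d/bind9 reload',` on the service; treat that as a suggestion to confirm against how the hosts are run.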
diff --git a/modules/named/manifests/recursor.pp b/modules/named/manifests/recursor.pp
index 66227c4b..3bd06d9b 100644
--- a/modules/named/manifests/recursor.pp
+++ b/modules/named/manifests/recursor.pp
@@ -1,12 +1,7 @@
 class named::recursor inherits named {
-    file {
-        "/etc/bind/named.conf.options":
-            content => template("named/named.conf.options.erb"),
-            notify  => Exec["bind9 reload"];
-    }
-}
-
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+	file { '/etc/bind/named.conf.options':
+		content => template('named/named.conf.options.erb'),
+		notify  => Service['bind9'],
+	}
+}
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
index e093aa4e..4224254d 100644
--- a/modules/named/templates/named.conf.options.erb
+++ b/modules/named/templates/named.conf.options.erb
@@ -6,9 +6,9 @@
 acl Nagios {
 <%=
   str = ''
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['nagiosmaster']
-          allnodeinfo[node]['ipHostNumber'].each do |ip|
+  scope.lookupvar('site::localinfo').keys.sort.each do |node|
+      if scope.lookupvar('site::localinfo')[node]['nagiosmaster']
+          scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
               str += "\t" + ip + "/32;\n"
           end
       end
diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp
index d14a6ca3..b9ff8885 100644
--- a/modules/nfs-server/manifests/init.pp
+++ b/modules/nfs-server/manifests/init.pp
@@ -1,31 +1,60 @@
 class nfs-server {
 
-    include ferm::nfs-server
+	package { [
+			'nfs-common',
+			'nfs-kernel-server'
+		]:
+			ensure => installed
+	}
 
-    package {
-        nfs-common: ensure => installed;
-        nfs-kernel-server: ensure => installed;
-    }
+	service { 'nfs-common':
+		hasstatus   => false,
+		status      => '/bin/true',
+		refreshonly => true,
+	}
+	service { 'nfs-kernel-server':
+		hasstatus   => false,
+		status      => '/bin/true',
+		refreshonly => true,
+	}
 
-    file {
-        "/etc/default/nfs-common":
-            source  => "puppet:///modules/nfs-server/nfs-common.default",
-            require => Package["nfs-common"],
-            notify  => Exec["nfs-common restart"];
-        "/etc/default/nfs-kernel-server":
-            source  => "puppet:///modules/nfs-server/nfs-kernel-server.default",
-            require => Package["nfs-kernel-server"],
-            notify  => Exec["nfs-kernel-server restart"];
-        "/etc/modprobe.d/lockd.local":
-            source  => "puppet:///modules/nfs-server/lockd.local.modprobe";
-    }
+	@ferm::rule { 'dsa-portmap':
+		domain      => '(ip ip6)',
+		description => 'Allow portmap access',
+		rule        => '&TCP_UDP_SERVICE(111)'
+	}
+	@ferm::rule { 'dsa-nfs':
+		domain      => '(ip ip6)',
+		description => 'Allow nfsd access',
+		rule        => '&TCP_UDP_SERVICE(2049)'
+	}
+	@ferm::rule { 'dsa-status':
+		domain      => '(ip ip6)',
+		description => 'Allow statd access',
+		rule        => '&TCP_UDP_SERVICE(10000)'
+	}
+	@ferm::rule { 'dsa-mountd':
+		domain      => '(ip ip6)',
+		description => 'Allow mountd access',
+		rule        => '&TCP_UDP_SERVICE(10002)'
+	}
+	@ferm::rule { 'dsa-lockd':
+		domain      => '(ip ip6)',
+		description => 'Allow lockd access',
+		rule        => '&TCP_UDP_SERVICE(10003)'
+	}
 
-    exec {
-        "nfs-common restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-        "nfs-kernel-server restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-    }
+	file { '/etc/default/nfs-common':
+		source  => 'puppet:///modules/nfs-server/nfs-common.default',
+		require => Package['nfs-common'],
+		notify  => Service['nfs-common'],
+	}
+	file { '/etc/default/nfs-kernel-server':
+		source  => 'puppet:///modules/nfs-server/nfs-kernel-server.default',
+		require => Package['nfs-kernel-server'],
+		notify  => Service['nfs-kernel-server'],
+	}
+	file { '/etc/modprobe.d/lockd.local':
+		source => 'puppet:///modules/nfs-server/lockd.local.modprobe'
+	}
 }
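Review bot: `refreshonly => true` is an `exec` parameter, not a `service` one, so both `service` resources will be rejected at catalog compile time. Drop that line from `nfs-common` and `nfs-kernel-server`; with no `ensure` set, the services are already only touched on a refresh. Separately, the five `@ferm::rule` resources added in place of `include ferm::nfs-server` open portmap, nfsd, statd, mountd and lockd for `(ip ip6)` with no `saddr` restriction visible in the rule text. If the removed class limited the source addresses (not visible here), that limit should be carried over.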
diff --git a/modules/ntp/manifests/client.pp b/modules/ntp/manifests/client.pp
new file mode 100644
index 00000000..aa877a1a
--- /dev/null
+++ b/modules/ntp/manifests/client.pp
@@ -0,0 +1,24 @@
+class ntp::client {
+	file { '/etc/default/ntp':
+		source => 'puppet:///modules/ntp/etc-default-ntp',
+		require => Package['ntp'],
+		notify  => Service['ntp']
+	}
+	file { '/etc/ntp.keys.d/':
+		ensure  => directory,
+		require => Package['ntp'],
+		notify  => Service['ntp']
+	}
+	file { '/etc/ntp.keys.d/ntpkey_iff_merikanto':
+		source => 'puppet:///modules/ntp/ntpkey_iff_merikanto.pub',
+	}
+	file { '/etc/ntp.keys.d/ntpkey_iff_orff':
+		source => 'puppet:///modules/ntp/ntpkey_iff_orff.pub',
+	}
+	file { '/etc/ntp.keys.d/ntpkey_iff_ravel':
+		source => 'puppet:///modules/ntp/ntpkey_iff_ravel.pub',
+	}
+	file { '/etc/ntp.keys.d/ntpkey_iff_busoni':
+		source => 'puppet:///modules/ntp/ntpkey_iff_busoni.pub',
+	}
+}
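Review bot: `/etc/ntp.keys.d/` and the four key files are declared without `owner`, `group` or `mode`. The code removed from modules/ntp/manifests/init.pp pinned the directory to `root`/`ntp` with mode `750`, and at least the first key file to `root`/`root` with mode `444`. The new side of init.pp is cut off here, so I cannot tell whether the directory is still managed there; if it is not, restore `owner => root, group => ntp, mode => '0750',` on the directory. The key files also carry no `notify => Service['ntp'],`, so a replaced key is not picked up until ntp is restarted by other means.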
diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp
index 74a5a322..26aa2d4f 100644
--- a/modules/ntp/manifests/init.pp
+++ b/modules/ntp/manifests/init.pp
@@ -1,107 +1,43 @@
 class ntp {
-    package { ntp: ensure => installed }
-    file {
-        "/var/lib/ntp/":
-            ensure  => directory,
-            owner   => ntp,
-            group   => ntp,
-            mode    => 755,
-            require => Package["ntp"]
-            ;
-        "/var/lib/ntp":
-            ensure  => directory,
-            owner   => ntp,
-            group   => ntp,
-            mode    => 755,
-            require => Package["ntp"]
-            ;
-        "/etc/ntp.conf":
-            owner   => root,
-            group   => root,
-            mode    => 444,
-            content => template("ntp/ntp.conf"),
-            notify  => Exec["ntp restart"],
-            require => Package["ntp"]
-            ;
-        "/etc/ntp.keys.d":
-            owner   => root,
-            group   => ntp,
-            mode    => 750,
-            ensure  => directory,
-            require => Package["ntp"]
-            ;
-    }
-    case getfromhash($nodeinfo, 'timeserver') {
-        true: {
-            file {
-                "/var/lib/ntp/leap-seconds.list":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    source  => [ "puppet:///modules/ntp/leap-seconds.list" ],
-                    require => Package["ntp"],
-                    notify  => Exec["ntp restart"],
-                    ;
-            }
-        }
-        default: {
-            file {
-                "/etc/default/ntp":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    source  => [ "puppet:///modules/ntp/etc-default-ntp" ],
-                    require => Package["ntp"],
-                    notify  => Exec["ntp restart"],
-                    ;
 
-                "/etc/ntp.keys.d/ntpkey_iff_merikanto":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    source  => [ "puppet:///modules/ntp/ntpkey_iff_merikanto.pub" ],
-                    require => Package["ntp"],
-                    notify  => Exec["ntp restart"],
-                    ;
-                "/etc/ntp.keys.d/ntpkey_iff_orff":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    source  => [ "puppet:///modules/ntp/ntpkey_iff_orff.pub" ],
-                    require => Package["ntp"],
-                    notify  => Exec["ntp restart"],
-                    ;
-                "/etc/ntp.keys.d/ntpkey_iff_ravel":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    source  => [ "puppet:///modules/ntp/ntpkey_iff_ravel.pub" ],
-                    require => Package["ntp"],
-                    notify  => Exec["ntp restart"],
-                    ;
-                "/etc/ntp.keys.d/ntpkey_iff_busoni":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    source  => [ "puppet:///modules/ntp/ntpkey_iff_busoni.pub" ],
-                    require => Package["ntp"],
-                    notify  => Exec["ntp restart"],
-                    ;
-            }
-        }
-    }
+	package { 'ntp':
+		ensure => installed
+	}
 
+	service { 'ntp':
+		ensure  => running,
+		require => Package['ntp']
+	}
 
-    exec { "ntp restart":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
-    @ferm::rule { "dsa-ntp":
-        domain          => "(ip ip6)",
-        description     => "Allow ntp access",
-        rule            => "&SERVICE(udp, 123)"
-    }
+	@ferm::rule { 'dsa-ntp':
+		domain      => '(ip ip6)',
+		description => 'Allow ntp access',
+		rule        => '&SERVICE(udp, 123)'
+	}
+
+	file { '/var/lib/ntp':
+		ensure  => directory,
+		owner   => ntp,
+		group   => ntp,
+		mode    => '0755',
+		require => Package['ntp']
+	}
+	file { '/etc/ntp.conf':
+		content => template('ntp/ntp.conf'),
+		notify  => Service['ntp'],
+		require => Package['ntp']
+	}
+	file { '/etc/ntp.keys.d':
+		ensure  => directory,
+		group   => ntp,
+		mode    => '0750',
+		notify  => Service['ntp'],
+		require => Package['ntp']
+	}
+
+	if getfromhash($site::nodeinfo, 'timeserver') {
+		include ntp::timeserver
+	} else {
+		include ntp::client
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
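Review bot: `if getfromhash($site::nodeinfo, 'timeserver')` is broader than the `case … { true: … }` it replaces, because `if` accepts any non-empty value rather than only `true`. `getfromhash` is not visible here, so whether it can return a string such as `'false'` or `'no'` needs confirming; if it can, such a host would now become a timeserver. Comparing explicitly, `if getfromhash($site::nodeinfo, 'timeserver') == true {`, keeps the old selection. The same conversion is made for `'broken-rtc'` in modules/ntpdate/manifests/init.pp.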
diff --git a/modules/ntp/manifests/timeserver.pp b/modules/ntp/manifests/timeserver.pp
new file mode 100644
index 00000000..f86ddf47
--- /dev/null
+++ b/modules/ntp/manifests/timeserver.pp
@@ -0,0 +1,7 @@
+class ntp::timeserver {
+	file { '/var/lib/ntp/leap-seconds.list':
+		source  => 'puppet:///modules/ntp/leap-seconds.list',
+		require => Package['ntp'],
+		notify  => Service['ntp'],
+	}
+}
diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf
index 94787968..11c5c3c4 100644
--- a/modules/ntp/templates/ntp.conf
+++ b/modules/ntp/templates/ntp.conf
@@ -14,7 +14,7 @@ filegen clockstats file clockstats type day enable
 crypto randfile /dev/urandom
 keysdir /etc/ntp.keys.d
 
-<% if nodeinfo['timeserver'] -%>
+<% if scope.lookupvar('site::nodeinfo')['timeserver'] -%>
 server 0.debian.pool.ntp.org iburst dynamic
 server 1.debian.pool.ntp.org iburst dynamic
 server 2.debian.pool.ntp.org iburst dynamic
@@ -26,7 +26,7 @@ server ntp.grnet.gr iburst
 <%   end -%>
 <% elsif fqdn == "ancina.debian.org" -%>
 server ntp.ugent.be iburst dynamic
-<% elsif nodeinfo['misc']['natted'] -%>
+<% elsif scope.lookupvar('site::nodeinfo')['misc']['natted'] -%>
 # autokey doesn't work behind nat
 
 # merikanto's and orff's ipv4 IP, hard coded for the benefit of hosts
diff --git a/modules/ntpdate/manifests/init.pp b/modules/ntpdate/manifests/init.pp
index 37de5af5..ca21a4db 100644
--- a/modules/ntpdate/manifests/init.pp
+++ b/modules/ntpdate/manifests/init.pp
@@ -1,21 +1,15 @@
 class ntpdate {
-    case getfromhash($nodeinfo, 'broken-rtc') {
-        true: {
-            package {
-                ntpdate: ensure => installed;
-                lockfile-progs: ensure => installed;
-            }
-            file {
-                "/etc/default/ntpdate":
-                    owner   => root,
-                    group   => root,
-                    mode    => 444,
-                    content => template("ntpdate/etc-default-ntpdate.erb"),
-                    ;
-            }
-        }
-    }
+
+	if getfromhash($site::nodeinfo, 'broken-rtc') {
+		package { [
+			'ntpdate',
+			'lockfile-progs'
+		]:
+			ensure => installed
+		}
+
+		file { '/etc/default/ntpdate':
+			content => template('ntpdate/etc-default-ntpdate.erb'),
+		}
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/portforwarder/manifests/init.pp b/modules/portforwarder/manifests/init.pp
index 83d11cf6..8fd01c34 100644
--- a/modules/portforwarder/manifests/init.pp
+++ b/modules/portforwarder/manifests/init.pp
@@ -1,30 +1,22 @@
 class portforwarder {
-    # do not depend on xinetd, yet.  it might uninstall other inetds
-    # for now this will have to be done manually
-    file {
-        "/etc/ssh/userkeys/portforwarder":
-            content => template("portforwarder/authorized_keys.erb"),
-            mode    => 444,
-            ;
-        "/etc/xinetd.d":
-            ensure  => directory,
-            owner   => root,
-            group   => root,
-            mode    => 755,
-            ;
-        "/etc/xinetd.d/dsa-portforwader":
-            content => template("portforwarder/xinetd.erb"),
-            notify  => Exec["xinetd reload"]
-            ;
-    }
+	# do not depend on xinetd, yet.  it might uninstall other inetds
+	# for now this will have to be done manually
+	file { '/etc/ssh/userkeys/portforwarder':
+		content => template('portforwarder/authorized_keys.erb'),
+	}
+	file { '/etc/xinetd.d':
+		ensure  => directory,
+		owner   => root,
+		group   => root,
+		mode    => '0755',
+	}
+	file { '/etc/xinetd.d/dsa-portforwader':
+		content => template('portforwarder/xinetd.erb'),
+		notify  => Exec['xinetd reload']
+	}
 
-    exec {
-        "xinetd reload":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-            ;
-    }
+	exec { 'xinetd reload':
+		path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+		refreshonly => true,
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
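Review bot: `/etc/ssh/userkeys/portforwarder` is an authorized_keys file and no longer carries the explicit `mode => 444` it had before. Unless a `File { … }` resource default supplies owner, group and mode (none is visible in this part of the patch), Puppet leaves whatever permissions the file already has. For key material it is safer to state them on the resource: `owner => root, group => root, mode => '0444',`. `/etc/ssh/userkeys/root` in modules/ssh/manifests/init.pp loses its mode in the same way.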
diff --git a/modules/portforwarder/templates/authorized_keys.erb b/modules/portforwarder/templates/authorized_keys.erb
index 5cb76624..1ffd9e84 100644
--- a/modules/portforwarder/templates/authorized_keys.erb
+++ b/modules/portforwarder/templates/authorized_keys.erb
@@ -29,7 +29,7 @@ config.each_pair do |sourcehost, services|
 
 	if allowed_ports.length > 0
 		sshkey = getportforwarderkey(sourcehost)
-		remote_ip = allnodeinfo[sourcehost]['ipHostNumber'].join(',')
+		remote_ip = scope.lookupvar('site::allnodeinfo')[sourcehost]['ipHostNumber'].join(',')
 		local_bind = '127.101.%d.%d'%[ (sourcehost.hash / 256 % 256), sourcehost.hash % 256 ]
 
 		lines << "# from #{sourcehost}"
diff --git a/modules/postgres/manifests/init.pp b/modules/postgres/manifests/init.pp
index bb2b7689..4edc5c8a 100644
--- a/modules/postgres/manifests/init.pp
+++ b/modules/postgres/manifests/init.pp
@@ -1,19 +1,17 @@
 class postgres {
-    activate_munin_check {
-        "postgres_bgwriter":;
-        "postgres_connections_db":;
-        "postgres_cache_ALL": script => "postgres_cache_";
-        "postgres_querylength_ALL": script => "postgres_querylength_";
-        "postgres_size_ALL": script => "postgres_size_";
-    }
-    file {
-        "/etc/munin/plugin-conf.d/local-postgres":
-            source  => "puppet:///modules/postgres/plugin.conf",
-            ;
-    }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+	munin::check { 'postgres_bgwriter': }
+	munin::check { 'postgres_connections_db': }
+	munin::check { 'postgres_cache_ALL':
+		script => 'postgres_cache_'
+	}
+	munin::check { 'postgres_querylength_ALL':
+		script => 'postgres_querylength_'
+	}
+	munin::check { 'postgres_size_ALL':
+		script => 'postgres_size_'
+	}
 
+	file { '/etc/munin/plugin-conf.d/local-postgres':
+		source  => 'puppet:///modules/postgres/plugin.conf',
+	}
+}
diff --git a/modules/postgrey/manifests/init.pp b/modules/postgrey/manifests/init.pp
index 678665ee..44139743 100644
--- a/modules/postgrey/manifests/init.pp
+++ b/modules/postgrey/manifests/init.pp
@@ -1,19 +1,17 @@
 class postgrey {
-    package { "postgrey": ensure => installed; }
 
-    file {
-        "/etc/default/postgrey":
-          source  => "puppet:///modules/postgrey/default",
-          require => Package["postgrey"],
-          notify  => Exec["postgrey restart"]
-          ;
-    }
+	package { 'postgrey':
+		ensure => installed
+	}
 
-    exec { "postgrey restart":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
+	service { 'postgrey':
+		ensure  => running,
+		require => Package['postgrey']
+	}
+
+	file { '/etc/default/postgrey':
+		source  => 'puppet:///modules/postgrey/default',
+		require => Package['postgrey'],
+		notify  => Service['postgrey']
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
index 41a071af..deb07d95 100644
--- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
+++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
@@ -27,7 +27,7 @@ module Puppet::Parser::Functions
         end
 
         v6ips = lookupvar('v6ips')
-        if v6ips and v6ips != "no"
+        if v6ips and v6ips != ""
           nodeinfo['misc']['v6addrs'] = v6ips.split(',')
         end
       end
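Review bot: The guard now rejects only an empty string, so a `v6ips` fact that still reports the old `"no"` sentinel would be split into `['no']` and stored as `nodeinfo['misc']['v6addrs']`. The matching change to the fact is in lib/facter/ipaddresses.rb, which is not visible here, and clients that have not yet synced the new plugin may keep sending the old value. Accepting both during the transition is cheap: `if v6ips and v6ips != "" and v6ips != "no"`. The enclosing function starts and ends outside this hunk.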
diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp
index b702a158..c48ef599 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -1,5 +1,2 @@
 class puppetmaster {
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/raidmpt/manifests/init.pp b/modules/raidmpt/manifests/init.pp
index 814fd5b4..c6884aa8 100644
--- a/modules/raidmpt/manifests/init.pp
+++ b/modules/raidmpt/manifests/init.pp
@@ -1,21 +1,16 @@
 class raidmpt {
-    package {
-        mpt-status: ensure => installed;
-    }
 
-    file {
-        "/etc/default/mpt-statusd":
-            content =>  "# This file is under puppet control\nRUN_DAEMON=no\n",
-            notify  => Exec["mpt-statusd-stop"],
-            ;
-    }
-    exec {
-        "mpt-statusd-stop":
-            command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile";  pkill -INT  -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"',
-            refreshonly => true,
-            ;
-    }
+	package { 'mpt-status':
+		ensure => installed
+	}
+
+	file { '/etc/default/mpt-statusd':
+		content => "# This file is under puppet control\nRUN_DAEMON=no\n",
+		notify  => Exec['mpt-statusd-stop'],
+	}
+
+	exec { 'mpt-statusd-stop':
+		command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile";  pkill -INT  -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"',
+		refreshonly => true,
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/resolv/manifests/init.pp b/modules/resolv/manifests/init.pp
index 1934cfa1..59f3147f 100644
--- a/modules/resolv/manifests/init.pp
+++ b/modules/resolv/manifests/init.pp
@@ -1,8 +1,6 @@
 class resolv {
-	file {	"/etc/resolv.conf":
-			content => template("resolv/resolv.conf.erb");
+
+	file { '/etc/resolv.conf':
+			content => template('resolv/resolv.conf.erb');
 	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb
index 531b5165..dfea7786 100644
--- a/modules/resolv/templates/resolv.conf.erb
+++ b/modules/resolv/templates/resolv.conf.erb
@@ -12,9 +12,9 @@ if %w{draghi liszt}.include?(hostname)
   nameservers << "127.0.0.1"
 end
 
-nameservers += nodeinfo['hoster']['nameservers'] if nodeinfo['hoster']['nameservers']
-searchpaths += nodeinfo['hoster']['searchpaths'] if nodeinfo['hoster']['searchpaths']
-options += nodeinfo['hoster']['resolvoptions'] if nodeinfo['hoster']['resolvoptions']
+nameservers += scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] if scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
+searchpaths += scope.lookupvar('site::nodeinfo')['hoster']['searchpaths'] if scope.lookupvar('site::nodeinfo')['hoster']['searchpaths']
+options += scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions'] if scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions']
 
 searchpaths << "debian.org"
 
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org b/modules/roles/files/backports_mirror/backports.debian.org
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org
rename to modules/roles/files/backports_mirror/backports.debian.org
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/www.backports.org b/modules/roles/files/backports_mirror/www.backports.org
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/sites-available/www.backports.org
rename to modules/roles/files/backports_mirror/www.backports.org
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org b/modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org
rename to modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/security.debian.org b/modules/roles/files/security_mirror/security.debian.org
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/sites-available/security.debian.org
rename to modules/roles/files/security_mirror/security.debian.org
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/www.debian.org b/modules/roles/files/www_mirror/www.debian.org
similarity index 100%
rename from modules/apache2/files/common/etc/apache2/sites-available/www.debian.org
rename to modules/roles/files/www_mirror/www.debian.org
diff --git a/modules/roles/manifests/backports_mirror.pp b/modules/roles/manifests/backports_mirror.pp
new file mode 100644
index 00000000..d8f49307
--- /dev/null
+++ b/modules/roles/manifests/backports_mirror.pp
@@ -0,0 +1,13 @@
+class roles::backports_mirror {
+	apache2::site { '010-backports.debian.org':
+		site   => 'backports.debian.org',
+		config => 'puppet:///modules/roles/backports_mirror/backports.debian.org',
+	}
+
+	apache2::site { '010-www.backports.org':
+		site   => 'www.backports.org',
+		config => 'puppet:///modules/roles/backports_mirror/www.backports.org',
+	}
+
+	apache2::module { 'rewrite': }
+}
diff --git a/modules/roles/manifests/dakmaster.pp b/modules/roles/manifests/dakmaster.pp
new file mode 100644
index 00000000..08a14819
--- /dev/null
+++ b/modules/roles/manifests/dakmaster.pp
@@ -0,0 +1,13 @@
+class roles::dakmaster {
+
+	package { 'libapache2-mod-macro':
+		ensure => installed,
+	}
+
+	apache2::module { 'macro': }
+
+	apache2::config { 'puppet-builddlist':
+		template => 'roles/conf-builddlist.erb',
+	}
+
+}
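Review bot: `apache2::module { 'macro': }` has no ordering relationship with `Package['libapache2-mod-macro']`, so the module may be enabled before the package that provides it is installed. The `apache2::module` define is outside this view, so this assumes it does not already order itself after the package. Declaring the dependency removes the doubt: `apache2::module { 'macro': require => Package['libapache2-mod-macro'] }`.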
diff --git a/modules/roles/manifests/ftp-upcoming_mirror.pp b/modules/roles/manifests/ftp-upcoming_mirror.pp
new file mode 100644
index 00000000..8c12dd3d
--- /dev/null
+++ b/modules/roles/manifests/ftp-upcoming_mirror.pp
@@ -0,0 +1,7 @@
+class roles::ftp-upcoming_mirror {
+
+	apache2::site { '010-ftp-upcoming.debian.org':
+		site   => 'ftp-upcoming.debian.org',
+		config => 'puppet:///modules/roles/ftp-upcoming_mirror/ftp-upcoming.debian.org',
+	}
+}
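Review bot: The class name `roles::ftp-upcoming_mirror` contains a hyphen, which as far as I know is outside the characters the Puppet style guide allows for class names (lowercase letters, digits and underscores) and makes the class's variables awkward to reference. Since this commit is a style-guide pass and the class is moving to a new namespace anyway, `class roles::ftp_upcoming_mirror {` with a matching file name would be the moment to fix it. `class rsyncd-log` in modules/rsyncd-log/manifests/init.pp has the same issue.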
diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
new file mode 100644
index 00000000..13cba753
--- /dev/null
+++ b/modules/roles/manifests/security_mirror.pp
@@ -0,0 +1,11 @@
+class roles::security_mirror {
+
+	apache2::site { '010-security.debian.org':
+		site   => 'security.debian.org',
+		config => 'puppet:///modules/roles/security_mirror/security.debian.org'
+	}
+
+	apache2::site { 'security.debian.org':
+		ensure => absent,
+	}
+}
diff --git a/modules/roles/manifests/www_mirror.pp b/modules/roles/manifests/www_mirror.pp
new file mode 100644
index 00000000..5baa0060
--- /dev/null
+++ b/modules/roles/manifests/www_mirror.pp
@@ -0,0 +1,11 @@
+class roles::www_mirror {
+
+	apache2::site { '010-www.debian.org':
+		site   => 'www.debian.org',
+		config => 'puppet:///modules/roles/www_mirror/www.debian.org',
+	}
+
+	apache2::site { 'www.debian.org':
+		ensure => absent,
+	}
+}
diff --git a/modules/roles/templates/conf-builddlist.erb b/modules/roles/templates/conf-builddlist.erb
new file mode 100644
index 00000000..d216cdc9
--- /dev/null
+++ b/modules/roles/templates/conf-builddlist.erb
@@ -0,0 +1,26 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<Macro DebianBuilddHostList>
+
+<%=
+  lines = []
+
+  scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+    next unless scope.lookupvar('site::allnodeinfo')[node]['purpose']
+    if scope.lookupvar('site::allnodeinfo')[node]['purpose'].include?('buildd')
+      lines << "  # #{scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s}"
+      scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
+        lines << "  allow from #{addr}"
+      end
+    end
+  end
+
+  lines.join("\n")
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
+%>
+</Macro>
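Review bot: `scope.lookupvar('site::allnodeinfo')` is repeated five times inside the loop, which makes the `allow from` generation hard to read. Binding it once at the top of the block, `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, and using `allnodeinfo[node]` below keeps the template as readable as it was before the scoping change. `ipHostNumber` is iterated without the nil guard that `purpose` gets, so `(allnodeinfo[node]['ipHostNumber'] || []).each do |addr|` would be more defensive if that attribute can be absent. The same repeated lookup appears in modules/resolv/templates/resolv.conf.erb and modules/ssh/templates/authorized_keys.erb.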
diff --git a/modules/rsyncd-log/manifests/init.pp b/modules/rsyncd-log/manifests/init.pp
index 28e3c784..0ae5951d 100644
--- a/modules/rsyncd-log/manifests/init.pp
+++ b/modules/rsyncd-log/manifests/init.pp
@@ -1,17 +1,10 @@
 class rsyncd-log {
-    file {
-        "/etc/logrotate.d/dsa-rsyncd":
-            source  => "puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd",
-            require => Package["debian.org"],
-            ;
-        "/var/log/rsyncd":
-            ensure  => directory,
-            owner   => root,
-            group   => root,
-            mode    => 755,
-            ;
-    }
+	file { '/etc/logrotate.d/dsa-rsyncd':
+		source  => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd',
+		require => Package['debian.org'],
+	}
+	file { '/var/log/rsyncd':
+		ensure  => directory,
+		mode    => '0755',
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/samhain/manifests/init.pp b/modules/samhain/manifests/init.pp
index f32a96bf..cfee73e1 100644
--- a/modules/samhain/manifests/init.pp
+++ b/modules/samhain/manifests/init.pp
@@ -1,19 +1,16 @@
 class samhain {
 
-    package { samhain: ensure => installed }
+	package { 'samhain':
+		ensure => installed
+	}
 
-    file { "/etc/samhain/samhainrc":
-        content => template("samhain/samhainrc.erb"),
-        require => Package["samhain"],
-        notify  => Exec["samhain reload"],
-    }
+	service { 'samhain':
+		ensure => running
+	}
 
-    exec { "samhain reload":
-        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-        refreshonly => true,
-    }
+	file { '/etc/samhain/samhainrc':
+		content => template('samhain/samhainrc.erb'),
+		require => Package['samhain'],
+		notify  => Service['samhain']
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-
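Review bot: `service { 'samhain': ensure => running }` has no `require => Package['samhain']`, unlike the `ntp` and `postgrey` services converted in this same patch, so Puppet may try to start the service before the package is installed. The config file also used to trigger `samhain reload` and now notifies the service, which by default means a full restart of the integrity checker. If a reload is still what is wanted, `restart => '/etc/init.d/samhain reload'` on the service keeps the previous behaviour.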
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index fb151249..92ccea10 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -67,7 +67,7 @@
 # RedefIgnoreNone=(no default)
 # RedefUser0=(no default)
 # RedefUser1=(no default)
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
 IgnoreMissing=/etc/lvm/archive/.*.vg
 <% end -%>
 
@@ -133,7 +133,7 @@ file=/etc/nagios
 file=/etc/nagios/nrpe.d
 file=/etc/nagios/obsolete-packages-ignore.d
 file=/etc/bind/geodns
-<% if nodeinfo['nagiosmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
 file=/etc/nagios3/puppetconf.d
 <% end -%>
 file=/etc/puppet
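Review bot: Every conditional in this template now reads `scope.lookupvar('site::nodeinfo')`, but class `samhain` in init.pp does not `include site` the way `site::sysctl` does. Unless `site` is guaranteed to be evaluated earlier (for example from manifests/site.pp, which is not in view), the lookup returns no hash. Depending on the Puppet and Ruby versions, that either fails the compile or leaves the conditional `file=` and `dir=` entries out of the monitored set. Adding `include site` at the top of class `samhain` makes the dependency explicit; the other hunks of this file rely on the same lookup. The template continues outside this hunk.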
@@ -150,7 +150,7 @@ file=/etc/ferm/
 file=/etc/ferm/conf.d
 file=/etc/ferm/dsa.d
 file=/etc/rc.local
-<% unless lsbdistcodename == 'lenny' %>
+<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %>
 file=/etc/unbound
 <% end -%>
 file=/etc/dsa
@@ -217,7 +217,7 @@ file=/var/log/syslog
 ## This file might be created or removed by the system sometimes.
 ##
 file=/etc/resolv.conf
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
 file=/etc/dupload.conf
 <% end -%>
 file=/etc/resolv.conf.pcmcia.save
@@ -266,7 +266,7 @@ file=/etc/ssh/sshd_config
 file=/etc/dsa/cron.ignore.dsa-puppet-stuff
 <%=
 out=""
-if nodeinfo['heavy_exim']
+if scope.lookupvar('site::nodeinfo')['heavy_exim']
   out = '
 file=/etc/exim4/surbl_whitelist.txt
 file=/etc/exim4/exim_surbl.pl
@@ -373,7 +373,7 @@ file=/etc/monit/monit.d/01puppet
 file=/etc/monit/monit.d/00debian.org
 file=/etc/cron.d/dsa-puppet-stuff
 file=/etc/cron.d/dsa-buildd
-<% if nodeinfo['nagiosmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
 file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
 file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
 file=/etc/nagios3/puppetconf.d/auto-services.cfg
@@ -383,10 +383,10 @@ file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
 file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg
 file=/etc/nagios3/puppetconf.d/contacts.cfg
 <% end -%>
-<% if nodeinfo['muninmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['muninmaster'] -%>
 file=/etc/munin/munin.conf
 <% end -%>
-<% if nodeinfo['puppetmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['puppetmaster'] -%>
 dir=8/etc/puppet
 <% end -%>  
 <% if classes.include?('named::geodns') -%>
@@ -396,10 +396,10 @@ dir=1/etc/bind/geodns
 dir=1/etc/bind
 file=/etc/bind/named.conf.debian-zones
 <% end -%>
-<% if fqdn == "dijkstra.debian.org" -%>
+<% if scope.lookupvar('::fqdn') == "dijkstra.debian.org" -%>
 dir=4/etc/dsa-kvm
 <% end -%>
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
 dir=3/etc/lvm
 <% end -%>
 dir=1/etc/ferm/dsa.d
@@ -407,7 +407,7 @@ file=/etc/ferm/conf.d/me.conf
 file=/etc/ferm/conf.d/defs.conf
 file=/etc/ferm/ferm.conf
 dir=2/etc/ssl/debian
-<% unless lsbdistcodename == 'lenny' %>
+<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %>
 file=/etc/unbound/unbound.conf
 <% end -%>
 
diff --git a/modules/site/manifests/alternative.pp b/modules/site/manifests/alternative.pp
new file mode 100644
index 00000000..94d08881
--- /dev/null
+++ b/modules/site/manifests/alternative.pp
@@ -0,0 +1,17 @@
+define site::alternative ($linkto, $ensure = present) {
+	case $ensure {
+		present: {
+			exec {
+				"/usr/sbin/update-alternatives --set ${name} ${linkto}":
+					unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') = ${linkto} ]",
+			}
+		}
+		absent: {
+			exec {
+				"/usr/sbin/update-alternatives --remove ${name} ${linkto}":
+					unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') != ${linkto} ]",
+			}
+		}
+		default: { err ( "Unknown ensure value: '$ensure'" ) }
+	}
+}
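Review bot: Both `unless` guards put `${name}` and `${linkto}` into an unquoted shell test and call `update-alternatives`, `grep` and `awk` by bare name, while the execs set no `path`. They therefore depend on an Exec default that is not visible here, and the test becomes a syntax error when the query prints nothing or a value contains whitespace. Quoting both operands of the `[ … ]` test and adding `path => '/usr/sbin:/usr/bin:/sbin:/bin',` to the two execs would make the guards self-contained. The `default:` branch calls `err()`, which only logs and lets the compile continue; `fail("Unknown ensure value: '${ensure}'")` rejects the bad value outright, and the same applies to `site::aptrepo`, `site::linux_module` and `site::sysctl` in this patch.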
diff --git a/modules/site/manifests/aptrepo.pp b/modules/site/manifests/aptrepo.pp
new file mode 100644
index 00000000..eb03d465
--- /dev/null
+++ b/modules/site/manifests/aptrepo.pp
@@ -0,0 +1,39 @@
+class site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {
+
+	if $key {
+		exec { "apt-key-update-${name}":
+			command     => "apt-key add /etc/apt/trusted-keys.d/${name}",
+			refreshonly => true,
+		}
+
+		file { "/etc/apt/trusted-keys.d/${name}":
+			source => $key,
+			mode   => '0664',
+			notify => Exec["apt-key-update-${name}"]
+		}
+	}
+
+	case $ensure {
+		present: {}
+		absent:  {}
+		default: { err ( "Unknown ensure value: '$ensure'" ) }
+	}
+
+	if ! ($template or $config) {
+		err ( "Can't find configuration for ${name}" )
+	}
+
+	if $template {
+		file { "/etc/apt/sources.list.d/${name}.list":
+			ensure  => $ensure,
+			content => template($template),
+			notify => Exec['apt-get update'],
+		}
+	} else {
+		file { "/etc/apt/sources.list.d/${name}.list":
+			ensure => $ensure,
+			source => $config,
+			notify => Exec['apt-get update'],
+		}
+	}
+}
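Review bot: `site::aptrepo` is declared with `class` but written like a defined type: it takes per-repository parameters and builds every path from `${name}`. In a class, `$name` is the class name itself, so the files would be `/etc/apt/trusted-keys.d/site::aptrepo` and `/etc/apt/sources.list.d/site::aptrepo.list`, and only one repository could ever be declared. `define site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {` looks like what was intended. The trusted key file is also created group-writable (`mode => '0664'`); for material that is fed to `apt-key add`, `mode => '0444'` is the safer choice.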
diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp
new file mode 100644
index 00000000..01caca74
--- /dev/null
+++ b/modules/site/manifests/init.pp
@@ -0,0 +1,13 @@
+class site {
+
+	$localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml')
+	$nodeinfo  = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml')
+	$allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
+	notice( sprintf('hoster for %s is %s', $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
+
+	service { 'procps':
+		hasstatus   => false,
+		status      => '/bin/true',
+		refreshonly => true,
+	}
+}
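Review bot: `refreshonly => true` on `service { 'procps': }` is, as far as I know, an `exec` parameter and not a parameter of the `service` type, so this resource is likely to be rejected as having an invalid parameter. Because no `ensure` is set, the service is already touched only when something notifies it, so dropping the `refreshonly` line gives the behaviour `site::sysctl` relies on. Separately, `'purpose'` is listed twice in the second argument to `allnodeinfo()`.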
diff --git a/modules/site/manifests/linux_module.pp b/modules/site/manifests/linux_module.pp
new file mode 100644
index 00000000..62b2197a
--- /dev/null
+++ b/modules/site/manifests/linux_module.pp
@@ -0,0 +1,19 @@
+define site::linux_module ($ensure = present) {
+	case $ensure {
+		present: {
+			exec { "append_module_${name}":
+				command => "echo '${name}' >> /etc/modules",
+				unless => "grep -q -F -x '${name}' /etc/modules",
+			}
+		}
+		absent: {
+			exec { "remove_module_${name}":
+				command => "sed -i -e'/^${name}\$/d' /etc/modules",
+				onlyif => "grep -q -F -x '${name}' /etc/modules",
+			}
+		}
+		default: {
+			err("invalid ensure value ${ensure}")
+		}
+	}
+}
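Review bot: The `absent` branch hands `${name}` to sed as a regular expression, while its `onlyif` guard matches the same value as a fixed string (`grep -q -F -x`). A name containing regex metacharacters would pass the guard yet delete a different set of lines. Both branches also paste the name inside single quotes in a shell command. Validating the title once at the top of the define covers both cases: `if $name !~ /^[A-Za-z0-9_-]+$/ { fail("invalid module name ${name}") }`. The execs set no `path`, so `echo`, `grep` and `sed` depend on an Exec default that is not visible here.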
diff --git a/modules/site/manifests/sysctl.pp b/modules/site/manifests/sysctl.pp
new file mode 100644
index 00000000..9786c8e5
--- /dev/null
+++ b/modules/site/manifests/sysctl.pp
@@ -0,0 +1,18 @@
+define site::sysctl ($key, $value, $ensure = present) {
+	include site
+	case $ensure {
+		present: {}
+		absent:  {}
+		default: { err ( "Unknown ensure value: '$ensure'" ) }
+	}
+
+	file {
+		"/etc/sysctl.d/${name}.conf":
+			ensure  => $ensure,
+			owner   => root,
+			group   => root,
+			mode    => '0644',
+			content => "${key} = ${value}\n",
+			notify  => Service['procps']
+	}
+}
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index a9161888..b7df1810 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -1,46 +1,38 @@
 class ssh {
-	package {
-                openssh-client: ensure => installed;
-                openssh-server: ensure => installed;
-        }
 
-	file { "/etc/ssh/ssh_config":
-		content => template("ssh/ssh_config.erb"),
-		require => Package["openssh-client"]
-                ;
-	       "/etc/ssh/sshd_config":
-		content => template("ssh/sshd_config.erb"),
-		require => Package["openssh-server"],
-                notify  => Exec["ssh restart"]
-                ;
-              "/etc/ssh/userkeys":
-		ensure  => directory,
-		owner   => root,
-		group   => root,
-		mode    => 755,
-                ;
-              "/etc/ssh/userkeys/root":
-                content => template("ssh/authorized_keys.erb"),
-                mode    => 444,
-                require => Package["openssh-server"]
-                ;
+	package { [ 'openssh-client', 'openssh-server']:
+		ensure => installed
+	}
+
+	service { 'ssh':
+		ensure => running
 	}
 
-        exec { "ssh restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-        }
+	@ferm::rule { 'dsa-ssh':
+		description => 'Allow SSH from DSA',
+		rule        => '&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)'
+	}
+	@ferm::rule { 'dsa-ssh-v6':
+		description => 'Allow SSH from DSA',
+		domain      => 'ip6',
+		rule        => '&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)'
+	}
 
-        @ferm::rule { "dsa-ssh":
-                description     => "Allow SSH from DSA",
-                rule            => "&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)"
-        }
-        @ferm::rule { "dsa-ssh-v6":
-                description     => "Allow SSH from DSA",
-                domain          => "ip6",
-                rule            => "&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)"
-        }
+	file { '/etc/ssh/ssh_config':
+		content => template('ssh/ssh_config.erb'),
+		require => Package['openssh-client']
+	}
+	file { '/etc/ssh/sshd_config':
+		content => template('ssh/sshd_config.erb'),
+		require => Package['openssh-server'],
+		notify  => Service['ssh']
+	}
+	file { '/etc/ssh/userkeys':
+		ensure  => directory,
+		mode    => '0755',
+		require => Package['openssh-server']
+	}
+	file { '/etc/ssh/userkeys/root':
+		content => template('ssh/authorized_keys.erb'),
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
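Review bot: The two ferm rules were moved from double to single quotes but kept the backslash, and as far as I know Puppet does not treat `\$` as an escape in a single-quoted string. If so, the rendered rule now contains a literal `\$SSH_SOURCES` where it used to contain `$SSH_SOURCES`. Since these rules decide which sources may reach sshd, the rendered ferm file should be compared before and after. Dropping the backslash keeps the old output: `rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'`, and likewise `$SSH_V6_SOURCES` in `dsa-ssh-v6`.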
diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb
index 71a96455..0a19d72e 100644
--- a/modules/ssh/templates/authorized_keys.erb
+++ b/modules/ssh/templates/authorized_keys.erb
@@ -1,5 +1,5 @@
 # local admin
-<%= hosterkeys = case nodeinfo['hoster']['name']
+<%= hosterkeys = case scope.lookupvar('site::nodeinfo')['hoster']['name']
          when "ubcece" then
          "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvEEyxznxleAhk98K7SkAeAKWibijL5uFjIl1+tr8rz+XmFsjabTK2+hQXkgzmU+jqQ2+MPp6btfAq9Oe27GQYWUFfsAZMRb907dReFQYPKbPhQZoo5LUfkrCiR3tD0Nm2JfepTV0079K1+Q50EMImttwbI94FfSoSgTxgF4rCoLpUgmF0IHDR1+kTGow7YnuS1Y/I1zKAbofg8KBGXOLArkcZbxArt25Y2wlnE+ZHIb3Rn3pYc3/KmPPvEQy9IkR/uzzkWSaCBVMFJEO0ejjWrV4HR64GlKUPQ0CekSYn1EErY55CF5sWkasXhflluwSf7b+/jedDM1A1Vrp9Z/F8Q== chrisd"
     end
@@ -36,9 +36,9 @@ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAuGJnElqbhgLtmJp/de8s42cAwKrkAhFq5u8EAkauEv6B
 <%= machine_keys = case fqdn
    when "beethoven.debian.org" then
      out = ''
-     allnodeinfo.keys.sort.each do |node|
-       out += '# ' + allnodeinfo[node]['hostname'].to_s + '
-command="/usr/lib/da-backup/da-backup-ssh-wrap ' + allnodeinfo[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + allnodeinfo[node]['ipHostNumber'].join(',') + '" ' + allnodeinfo[node]['sshRSAHostKey'].to_s + '
+     scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+       out += '# ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + '
+command="/usr/lib/da-backup/da-backup-ssh-wrap ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].join(',') + '" ' + scope.lookupvar('site::allnodeinfo')[node]['sshRSAHostKey'].to_s + '
 
 '
      end
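Review bot: The `command="…"` and `from="…"` options are assembled by plain concatenation from `hostname`, `ipHostNumber` and `sshRSAHostKey`, with no check on what those fields contain. A value holding a double quote or a newline would end the option string early or begin a new line in the generated authorized_keys file, so the forced-command and source restrictions depend on the directory data being well formed; where that data comes from is not visible here. Validating each field before emitting the line and skipping nodes that fail, e.g. `next unless info['hostname'].to_s =~ /\A[a-z0-9.-]+\z/i` with `info` bound to the node's entry, would keep the restrictions intact. A node with no `ipHostNumber` would also raise on `.join`. The loop sits inside a `case fqdn` block that continues outside this hunk.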
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 391da0a4..86094b1a 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -1,57 +1,46 @@
 class ssl {
-    package { openssl: ensure => installed }
 
-    file {
-        "/etc/ssl/debian":
-          ensure  => directory,
-          mode    => 755,
-          purge   => true,
-          recurse => true,
-          force   => true,
-          source  => "puppet:///files/empty/"
-        ;
-        "/etc/ssl/debian/certs":
-          ensure  => directory,
-          mode    => 755,
-          source  => "puppet:///files/empty/"
-        ;
-        "/etc/ssl/debian/crls":
-          ensure  => directory,
-          mode    => 755,
-          purge   => true,
-          force   => true,
-          recurse => true,
-          source  => "puppet:///files/empty/"
-        ;
-        "/etc/ssl/debian/keys":
-          ensure  => directory,
-          mode    => 750,
-          purge   => true,
-          force   => true,
-          recurse => true,
-          source  => "puppet:///files/empty/"
-        ;
-        "/etc/ssl/debian/certs/thishost.crt":
-          source  => "puppet:///modules/ssl/clientcerts/$fqdn.client.crt",
-          notify  => Exec["c_rehash /etc/ssl/debian/certs"],
-          ;
-        "/etc/ssl/debian/keys/thishost.key":
-          source  => "puppet:///modules/ssl/clientcerts/$fqdn.key",
-          mode    => 640
-          ;
-        "/etc/ssl/debian/certs/ca.crt":
-          source  => "puppet:///modules/ssl/clientcerts/ca.crt",
-          notify  => Exec["c_rehash /etc/ssl/debian/certs"],
-          ;
-        "/etc/ssl/debian/crls/ca.crl":
-          source  => "puppet:///modules/ssl/clientcerts/ca.crl",
-          ;
-    }
+	package { 'openssl':
+		ensure => installed
+	}
 
-    exec { "c_rehash /etc/ssl/debian/certs":
-        refreshonly => true,
-    }
+	file { '/etc/ssl/debian':
+		ensure  => directory,
+		mode    => '0755',
+		purge   => true,
+		recurse => true,
+		force   => true,
+		source  => 'puppet:///files/empty/'
+	}
+	file { '/etc/ssl/debian/certs':
+		ensure => directory,
+		mode   => '0755',
+	}
+	file { '/etc/ssl/debian/crls':
+		ensure => directory,
+		mode   => '0755',
+	}
+	file { '/etc/ssl/debian/keys':
+		ensure => directory,
+		mode   => '0750',
+	}
+	file { '/etc/ssl/debian/certs/thishost.crt':
+		source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
+		notify => Exec['c_rehash /etc/ssl/debian/certs'],
+	}
+	file { '/etc/ssl/debian/keys/thishost.key':
+		source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
+		mode   => '0640'
+	}
+	file { '/etc/ssl/debian/certs/ca.crt':
+		source => 'puppet:///modules/ssl/clientcerts/ca.crt',
+		notify => Exec['c_rehash /etc/ssl/debian/certs'],
+	}
+	file { '/etc/ssl/debian/crls/ca.crl':
+		source  => 'puppet:///modules/ssl/clientcerts/ca.crl',
+	}
+
+	exec { 'c_rehash /etc/ssl/debian/certs':
+		refreshonly => true,
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
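Review bot: `/etc/ssl/debian/keys/thishost.key` is given `mode => '0640'` but no `owner` or `group`, so who can read the private key depends on File defaults that are not part of this hunk. Because the group bit grants read access, it is worth pinning both on the resource: `owner => root,` plus the group that is meant to read the key. Separately, the key is fetched from `puppet:///modules/ssl/clientcerts/${::fqdn}.key`. Unless the file server restricts that path per client, which cannot be seen here, one agent could request another host's key, so a comment naming the access rule that protects it would help.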
diff --git a/modules/stunnel4/manifests/client.pp b/modules/stunnel4/manifests/client.pp
new file mode 100644
index 00000000..26945e2e
--- /dev/null
+++ b/modules/stunnel4/manifests/client.pp
@@ -0,0 +1,19 @@
+define stunnel4::client($accept, $connecthost, $connectport) {
+
+	include stunnel4
+
+	file { "/etc/stunnel/puppet-${name}-peer.pem":
+		content => generate('/bin/cat', "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
+			'/etc/puppet/modules/exim/files/certs/ca.crt'),
+		notify  => Exec["restart_stunnel_${name}"],
+	}
+
+	stunnel_generic { $name:
+		client  => true,
+		verify  => 3,
+		cafile  => "/etc/stunnel/puppet-${name}-peer.pem",
+		accept  => $accept,
+		connect => "${connecthost}:${connectport}",
+	}
+}
+
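Review bot: `stunnel_generic { $name:` no longer names a define that this patch provides: the nested `stunnel_generic` is removed from `class stunnel4`, and its replacement in generic.pp is declared as `stunnel4::generic`. Unless a define with the old name exists outside this patch, catalogs that use `stunnel4::client` would fail to compile; the declaration should read `stunnel4::generic { $name:`. The same applies to the `stunnel_generic` declaration in modules/stunnel4/manifests/server.pp.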
diff --git a/modules/stunnel4/manifests/generic.pp b/modules/stunnel4/manifests/generic.pp
new file mode 100644
index 00000000..9c357096
--- /dev/null
+++ b/modules/stunnel4/manifests/generic.pp
@@ -0,0 +1,30 @@
+define stunnel4::generic ($client, $verify, $cafile, $accept, $connect, $crlfile=false, $local=false) {
+
+	include stunnel4
+
+	file { "/etc/stunnel/puppet-${name}.conf":
+		content => template('stunnel4/stunnel.conf.erb'),
+		notify  => Exec["restart_stunnel_${name}"],
+	}
+
+	if $client {
+		$certfile = '/etc/ssl/debian/certs/thishost.crt'
+		$keyfile = '/etc/ssl/debian/keys/thishost.key'
+	} else {
+		$certfile = '/etc/exim4/ssl/thishost.crt'
+		$keyfile = '/etc/exim4/ssl/thishost.key'
+	}
+
+	exec { "restart_stunnel_${name}":
+		command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
+		require => [
+			File['/etc/stunnel/stunnel.conf'],
+			File['/etc/init.d/stunnel4'],
+			Exec['enable_stunnel4'],
+			Exec['kill_file_override'],
+			Package['stunnel4']
+		],
+		subscribe => [ File[$certfile], File[$keyfile] ],
+		refreshonly => true,
+	}
+}
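Review bot: `$certfile` and `$keyfile` are assigned after the `file` resource whose `content` calls `template('stunnel4/stunnel.conf.erb')`. Puppet evaluates that function when it reaches the resource, so if the template reads either variable (the template is not shown here) it would see them unset and render a config without the certificate and key paths. Moving the `if $client { … } else { … }` block above the `file` resource removes the order dependence. The ordering is carried over from the old nested define, so this may already be the case in production.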
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
index d7668467..300eb521 100644
--- a/modules/stunnel4/manifests/init.pp
+++ b/modules/stunnel4/manifests/init.pp
@@ -1,126 +1,30 @@
 class stunnel4 {
-    define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
-        file {
-            "/etc/stunnel":
-                ensure  => directory,
-                owner   => root,
-                group   => root,
-                mode    => 755,
-                ;
-            "/etc/stunnel/puppet-${name}.conf":
-                content => template("stunnel4/stunnel.conf.erb"),
-                notify  => Exec["restart_stunnel_${name}"],
-                ;
-            "/etc/init.d/stunnel4":
-                source => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
-                mode    => 555,
-            ;
-        }
 
-        case $client {
-                true: {
-                    $certfile = "/etc/ssl/debian/certs/thishost.crt"
-                    $keyfile = "/etc/ssl/debian/keys/thishost.key"
-                    }
-                default: {
-                    $certfile = "/etc/exim4/ssl/thishost.crt"
-                    $keyfile = "/etc/exim4/ssl/thishost.key"
-                    }
-        }
-
-        exec {
-            "restart_stunnel_${name}":
-                    command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
-                    require => [ File['/etc/stunnel/stunnel.conf'],
-                                 File['/etc/init.d/stunnel4'],
-                                 Exec['enable_stunnel4'],
-                                 Exec['kill_file_override'],
-                                 Package['stunnel4']
-                               ],
-                    subscribe => [ File[$certfile],
-                                   File[$keyfile]
-                                 ],
-                    refreshonly => true,
-                    ;
-        }
-    }
-
-    # define an stunnel listener, listening for SSL connections on $accept,
-    # connecting to plaintext service $connect using local source address $local
-    #
-    # unfortunately stunnel is really bad about verifying its peer,
-    # all we can be certain of is that they are signed by our CA,
-    # not who they are.  So do not use in places where the identity of
-    # the caller is important.  Use dsa-portforwarder for that.
-    define stunnel_server($accept, $connect, $local = "127.0.0.1") {
-        stunnel_generic {
-            "${name}":
-                client => false,
-                verify => 2,
-                cafile => "/etc/exim4/ssl/ca.crt",
-                crlfile => "/etc/exim4/ssl/crl.crt",
-                accept => "${accept}",
-                connect => "${connect}",
-                ;
-        }
-        @ferm::rule {
-            "stunnel-${name}":
-                description => "stunnel ${name}",
-                rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
-                ;
-            "stunnel-${name}-v6":
-                domain          => 'ip6',
-                description => "stunnel ${name}",
-                rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
-                ;
-        }
-    }
-    define stunnel_client($accept, $connecthost, $connectport) {
-        file {
-            "/etc/stunnel/puppet-${name}-peer.pem":
-                # source  => "puppet:///modules/exim/certs/${connecthost}.crt",
-                content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
-                                                "/etc/puppet/modules/exim/files/certs/ca.crt"),
-                notify  => Exec["restart_stunnel_${name}"],
-                ;
-        }
-        stunnel_generic {
-            "${name}":
-                client => true,
-                verify => 3,
-                cafile => "/etc/stunnel/puppet-${name}-peer.pem",
-                accept => "${accept}",
-                connect => "${connecthost}:${connectport}",
-                ;
-        }
-    }
-
-
-    package {
-        "stunnel4": ensure => installed;
-    }
-
-    file {
-        "/etc/stunnel/stunnel.conf":
-            ensure => absent,
-            require => [ Package['stunnel4'] ],
-            ;
-    }
-
-    exec {
-        "enable_stunnel4":
-                command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
-                unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
-                require => [ Package['stunnel4'] ],
-                ;
-        "kill_file_override":
-                command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4",
-                onlyif => "grep -q '^FILES=' /etc/default/stunnel4",
-                require => [ Package['stunnel4'] ],
-                ;
-    }
+	package { 'stunnel4':
+		ensure => installed
+	}
+
+	file { '/etc/stunnel':
+		ensure  => directory,
+		mode    => '0755',
+	}
+	file { '/etc/init.d/stunnel4':
+		source => 'puppet:///modules/stunnel4/etc-init.d-stunnel4',
+		mode   => '0555',
+	}
+	file { '/etc/stunnel/stunnel.conf':
+		ensure  => absent,
+		require => Package['stunnel4'],
+	}
+
+	exec { 'enable_stunnel4':
+		command => 'sed -i -e \'s/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet\' /etc/default/stunnel4',
+		unless  => 'grep -q \'^ENABLED=1\' /etc/default/stunnel4',
+		require => Package['stunnel4'],
+	}
+	exec { 'kill_file_override':
+		command => 'sed -i -e \'s/^FILES=/#&/\' /etc/default/stunnel4',
+		onlyif  => 'grep -q \'^FILES=\' /etc/default/stunnel4',
+		require => Package['stunnel4'],
+	}
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
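Review bot: Switching the `enable_stunnel4` command to a single-quoted string changes what sed receives: inside Puppet single quotes `\$` is not an escape, so the backslash is kept and the script contains `\$a ENABLED=1` instead of `$a ENABLED=1`. sed then no longer reads `$` as the last-line address, so the append would likely fail and stunnel could stay disabled on a fresh host. Keep this one command double-quoted, `command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",`, or drop the backslash inside the single quotes. The single-quoted ferm rules containing `\$SSH_SOURCES` and `\$SSH_V6_SOURCES` in modules/ssh/manifests/init.pp deserve the same check.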
diff --git a/modules/stunnel4/manifests/server.pp b/modules/stunnel4/manifests/server.pp
new file mode 100644
index 00000000..54672af9
--- /dev/null
+++ b/modules/stunnel4/manifests/server.pp
@@ -0,0 +1,32 @@
+define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
+# define an stunnel listener, listening for SSL connections on $accept,
+# connecting to plaintext service $connect using local source address $local
+#
+# unfortunately stunnel is really bad about verifying its peer,
+# all we can be certain of is that they are signed by our CA,
+# not who they are.  So do not use in places where the identity of
+# the caller is important.  Use dsa-portforwarder for that.
+
+	include stunnel4
+
+	stunnel_generic { $name:
+		client  => false,
+		verify  => 2,
+		cafile  => '/etc/exim4/ssl/ca.crt',
+		crlfile => '/etc/exim4/ssl/crl.crt',
+		accept  => $accept,
+		connect => $connect
+	}
+
+	@ferm::rule {
+		"stunnel-${name}":
+			description => "stunnel ${name}",
+			rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
+	}
+	@ferm::rule { "stunnel-${name}-v6":
+			domain      => 'ip6',
+			description => "stunnel ${name}",
+			rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
+	}
+
+}
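Review bot: The `$local` parameter (default `'127.0.0.1'`) and the header comment promise a local source address, but the `stunnel_generic` declaration never passes it on, so the generic define falls back to its own `$local=false`. If the template uses that value, the listener connects without the intended source address; adding `local => $local,` to the declaration makes the parameter effective. The header comment, which carries the warning about weak peer verification, would also be easier to find above the `define` line than between the signature and the body.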
diff --git a/modules/sudo/files/common/pam b/modules/sudo/files/pam
similarity index 100%
rename from modules/sudo/files/common/pam
rename to modules/sudo/files/pam
diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/sudoers
similarity index 100%
rename from modules/sudo/files/common/sudoers
rename to modules/sudo/files/sudoers
diff --git a/modules/sudo/files/lenny/sudoers b/modules/sudo/files/sudoers.lenny
similarity index 100%
rename from modules/sudo/files/lenny/sudoers
rename to modules/sudo/files/sudoers.lenny
diff --git a/modules/sudo/manifests/init.pp b/modules/sudo/manifests/init.pp
index 1f7dc91c..0bb9d0f6 100644
--- a/modules/sudo/manifests/init.pp
+++ b/modules/sudo/manifests/init.pp
@@ -1,39 +1,18 @@
 class sudo {
-    package { sudo: ensure => installed }
 
-    file {
-        "/etc/pam.d/sudo":
-            source  => [ "puppet:///modules/sudo/per-host/$fqdn/pam",
-                         "puppet:///modules/sudo/common/pam" ],
-            require => Package["sudo"],
-            ;
-    }
+	package { 'sudo':
+		ensure => installed
+	}
 
-    case $lsbdistcodename {
-        'lenny':  {
-            file {
-                "/etc/sudoers":
-                    owner   => root,
-                    group   => root,
-                    mode    => 440,
-                    source  => [ "puppet:///modules/sudo/lenny/sudoers" ],
-                    require => Package["sudo"],
-                    ;
-            }
-        }
-        default: {
-            file {
-                "/etc/sudoers":
-                    owner   => root,
-                    group   => root,
-                    mode    => 440,
-                    source  => [ "puppet:///modules/sudo/common/sudoers" ],
-                    require => Package["sudo"],
-                    ;
-            }
-        }
-    }
+	file { '/etc/pam.d/sudo':
+		source  => 'puppet:///modules/sudo/common/pam',
+		require => Package['sudo'],
+	}
+
+	file { '/etc/sudoers':
+		mode    => '0440',
+		source  => [ "puppet:///modules/sudo/sudoers.${::lsbdistcodename}",
+			'puppet:///modules/sudo/sudoers' ],
+		require => Package['sudo'],
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
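Review bot: `/etc/sudoers` now carries only `mode => '0440'`; the explicit `owner => root` and `group => root` of the old resource are gone, and sudo rejects a sudoers file that is not owned by root. If File defaults elsewhere (not in this hunk) supply them, behaviour is unchanged, but stating `owner => root,` and `group => root,` on this resource keeps the guarantee next to the file it protects. `/etc/pam.d/sudo` likewise sets neither mode nor ownership.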
diff --git a/modules/syslog-ng/manifests/init.pp b/modules/syslog-ng/manifests/init.pp
index b1490d93..36704e20 100644
--- a/modules/syslog-ng/manifests/init.pp
+++ b/modules/syslog-ng/manifests/init.pp
@@ -1,30 +1,24 @@
 class syslog-ng {
-    package {
-        "syslog-ng": ensure => installed;
-    }
+	package { 'syslog-ng':
+		ensure => installed
+	}
 
-    file {
-        "/etc/syslog-ng/syslog-ng.conf":
-            content => template("syslog-ng/syslog-ng.conf.erb"),
-            require => Package["syslog-ng"],
-            notify  => Exec["syslog-ng reload"],
-            ;
-        "/etc/default/syslog-ng":
-            require => Package["syslog-ng"],
-            source => "puppet:///modules/syslog-ng/syslog-ng.default",
-            notify  => Exec["syslog-ng reload"],
-            ;
-        "/etc/logrotate.d/syslog-ng":
-            require => Package["syslog-ng"],
-            source => "puppet:///modules/syslog-ng/syslog-ng.logrotate",
-            ;
-    }
-    exec {
-        "syslog-ng reload":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true;
-    }
+	service { 'syslog-ng':
+		ensure => running
+	}
+
+	file { '/etc/syslog-ng/syslog-ng.conf':
+		content => template('syslog-ng/syslog-ng.conf.erb'),
+		require => Package['syslog-ng'],
+		notify  => Service['syslog-ng']
+	}
+	file { '/etc/default/syslog-ng':
+		source  => 'puppet:///modules/syslog-ng/syslog-ng.default',
+		require => Package['syslog-ng'],
+		notify  => Service['syslog-ng']
+	}
+	file { '/etc/logrotate.d/syslog-ng':
+		source  => 'puppet:///modules/syslog-ng/syslog-ng.logrotate',
+		require => Package['syslog-ng']
+	}
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
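Review bot: Config changes now `notify => Service['syslog-ng']`, so Puppet restarts the daemon where the old `Exec['syslog-ng reload']` only asked it to reload. A full restart leaves a short window in which log messages can be dropped, which matters on hosts whose logs are used for auditing. If reload semantics are still wanted, the service can carry `restart => '/etc/init.d/syslog-ng reload',`; otherwise a comment saying that the switch to restart is intentional would help.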
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index f01b7fd7..9a110df2 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -1,68 +1,58 @@
 class unbound {
-    package {
-        unbound: ensure => installed;
-    }
 
-    exec {
-        "unbound restart":
-            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-            refreshonly => true,
-            ;
-    }
-    file {
-        "/var/lib/unbound":
-            ensure  => directory,
-            owner   => unbound,
-            group   => unbound,
-            require => Package["unbound"],
-            mode    => 775,
-            ;
-        "/var/lib/unbound/root.key":
-            ensure  => present,
-            replace => false,
-            owner   => unbound,
-            group   => unbound,
-            mode    => 644,
-            source  => [ "puppet:///modules/unbound/root.key" ],
-            ;
-        "/var/lib/unbound/debian.org.key":
-            ensure  => present,
-            replace => false,
-            owner   => unbound,
-            group   => unbound,
-            mode    => 644,
-            source  => [ "puppet:///modules/unbound/debian.org.key" ],
-            ;
-        "/etc/unbound/unbound.conf":
-            content => template("unbound/unbound.conf.erb"),
-            require => [ Package["unbound"], File['/var/lib/unbound/root.key'],  File['/var/lib/unbound/debian.org.key'] ],
-            notify  => Exec["unbound restart"],
-            owner   => root,
-            group   => root,
-            ;
-    }
+	package { 'unbound':
+		ensure => installed
+	}
 
-    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
-        true: {
-            case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
-                false: {}
-                default: {
-                    @ferm::rule { "dsa-dns":
-                        domain          => "ip",
-                        description     => "Allow nameserver access",
-                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
-                    }
-                    @ferm::rule { "dsa-dns6":
-                        domain          => "ip6",
-                        description     => "Allow nameserver access",
-                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
-                    }
-                }
-            }
-        }
-    }
-}
+	service { 'unbound':
+		ensure => running,
+	}
+
+	file { '/var/lib/unbound':
+		ensure  => directory,
+		owner   => unbound,
+		group   => unbound,
+		require => Package['unbound'],
+		mode    => '0775',
+	}
+	file { '/var/lib/unbound/root.key':
+		ensure  => present,
+		replace => false,
+		owner   => unbound,
+		group   => unbound,
+		mode    => '0644',
+		source  => 'puppet:///modules/unbound/root.key'
+	}
+	file { '/var/lib/unbound/debian.org.key':
+		ensure  => present,
+		replace => false,
+		owner   => unbound,
+		group   => unbound,
+		mode    => '0644',
+		source  => 'puppet:///modules/unbound/debian.org.key'
+	}
+	file { '/etc/unbound/unbound.conf':
+		content => template('unbound/unbound.conf.erb'),
+		require => [
+			Package['unbound'],
+			File['/var/lib/unbound/root.key'],
+			File['/var/lib/unbound/debian.org.key']
+		],
+		notify  => Service['unbound']
+	}
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+	if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') {
+		if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') {
+			@ferm::rule { 'dsa-dns':
+				domain      => 'ip',
+				description => 'Allow nameserver access',
+				rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+			}
+			@ferm::rule { 'dsa-dns6':
+				domain      => 'ip6',
+				description => 'Allow nameserver access',
+				rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+			}
+		}
+	}
+}
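Review bot: `getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')` is evaluated three times in the final block, once as the condition and once inside each rule; assigning it once, `$allow_dns_query = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')`, keeps the condition and both rules on the same value. The two rules are also emitted without checking that `filter_ipv4` or `filter_ipv6` left any address, so a list with only one address family renders `&TCP_UDP_SERVICE_RANGE(53, ())` for the other. How the ferm macro treats an empty list is not visible here and is worth confirming, since these rules open a recursive resolver to the listed sources.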
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index 9a2c8373..c11df43f 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -8,7 +8,7 @@ server:
 
 <%=
 	out = []
-	if nodeinfo['misc']['resolver-recursive'] and nodeinfo['hoster']['allow_dns_query']
+	if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query']
 		out << "	interface: 0.0.0.0"
 		out << "	interface: ::0"
 		out << ""
@@ -50,8 +50,8 @@ server:
 
 <%=
 	out = []
-	if not nodeinfo['misc']['resolver-recursive'] and not nodeinfo['hoster']['nameservers_break_dnssec']
-		forwarders = nodeinfo['hoster']['nameservers']
+	if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec']
+		forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
 		forwarders ||= []
 
 		out << 'forward-zone:'
-- 
2.39.5