* 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet: (24 commits)
stop doubling up an entry
add puppetmaster role
be a little more liberal about throwing away MS traffic
this should be empty for those hosters
use the right list of hosts
move inclusion of samhain to the end of the block, so it knows about all other classes included
clean up samhain template by role instead of by hostname
and even more carefully this time
skip hosts without ip addresses in ldap
bartok gets ferm
add debian hosts to the list
and recursors should allow localnets ...
name new class correctly
add bartok as recursor for manda
add bartok as a recursor
add local DNS recursor class
/etc/ferm is now also (kind of, almost) under puppet control
ferm.conf is now (kind of, almost) under puppet control
and name them usefully
use v4 for iptables and v6 for ip6tables
...
include ntp
include motd
- include samhain
case $smartarraycontroller {
"true": { include debian-proliant }
case $hostname {
klecker,ravel,senfl,orff: { include named::secondary }
geo1,geo2,geo3: { include named::geodns }
+ bartok: { include named::recursor }
}
case $hostname {
- logtest01,geo1,geo2,geo3: { include ferm }
+ logtest01,geo1,geo2,geo3,bartok: { include ferm }
}
case $brokenhosts {
case $portforwarder_user_exists {
"true": { include portforwarder }
}
+ include samhain
}
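Review bot: The `include samhain` moved to L41 carries no comment recording why it has to be the last include, and the only place that reason exists is the commit message on L7 ("so it knows about all other classes included"); the next person who tidies this node block will silently break the samhain template's `classes.include?` checks. Add above it `# keep last: samhainrc.erb consults $classes, which only contains classes included before this point`. Listing `bartok` separately in the named (L31) and ferm (L35) case statements follows the existing pattern for the geo hosts, so it is fine, though a single per-host block would be easier to audit. The enclosing node definition starts before this hunk.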
- draghi.debian.org
- spohr.debian.org
muninmaster: spohr.debian.org
- nagiosmaster: tchaikovsky.debian.org
+ nagiosmaster:
+ - draghi.debian.org
+ - tchaikovsky.debian.org
packagesmaster: powell.debian.org
packagesqamaster: master.debian.org
+ puppetmaster: handel.debian.org
qamaster: merkel.debian.org
rtmaster: spohr.debian.org
host_settings:
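Review bot: `nagiosmaster` changes shape on L47–L49 from a scalar hostname to a list of two hosts, and nothing here says whether every consumer accepts both forms; any code comparing the value with `==` against an fqdn would now never match, while list-aware code keeps working. The templates later in this diff only test `nodeinfo['nagiosmaster']` for truthiness, so they are unaffected, but the code that derives that per-node flag from this map is not visible — confirm it iterates the list. A one-line comment such as `# may be a list: every host named here gets the nagiosmaster role` above the key would make the contract explicit for the other `*master` entries too.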
domain (ip ip6) {
chain INPUT {
+ proto (tcp udp) mod multiport destination-ports (135 137 138 139 445 1026 1027 1433) DROP;
jump log_or_drop;
}
}
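Review bot: The DROP added on L58 sits before `jump log_or_drop`, so this traffic is discarded without any logging, and the port set is a bare list of numbers with nothing saying what they are; a reader has to recognise MS-RPC, NetBIOS, SMB, the 1026/1027 Messenger-spam ports and MSSQL by heart to judge whether the rule is still appropriate. Add `# Windows background noise (RPC/NetBIOS/SMB/Messenger/MSSQL): drop silently so it does not flood the log_or_drop chain` above the rule. The rule applies in both the ip and ip6 domains, which is fine since it matches on ports only.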
@def $HOST_DB = ($HOST_DB_V4 $HOST_DB_V6);
+@def $HOST_DEBIAN_V4 = (<%=
+ dbs = []
+ keyinfo.keys.sort.each do |node|
+ next unless keyinfo[node][0].has_key?('ipHostNumber')
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ next if ip =~ /:/
+ dbs << ip
+ end
+ end
+
+ dbs.join(' ')
+%>);
+
+@def $HOST_DEBIAN_V6 = (<%=
+ dbs = []
+ keyinfo.keys.sort.each do |node|
+ next unless keyinfo[node][0].has_key?('ipHostNumber')
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ next if ip =~ /\./
+ dbs << ip
+ end
+ end
+
+ dbs.join(' ')
+%>);
+
+@def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
+
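Review bot: The `ipHostNumber` values read on L67 and L80 go straight from LDAP into ferm `@def` lists with no validation, so a malformed or crafted attribute (whitespace, parentheses, a `;`) would alter or break the generated firewall on every host that includes this definitions file; the only filtering is the `:` / `.` split. That split also drops anything containing both characters, e.g. an IPv4-mapped `::ffff:a.b.c.d`, from both lists without a trace. Replace the two `next if` lines with positive checks, `next unless ip =~ /\A[0-9.]+\z/` for the v4 list and `next unless ip =~ /\A[0-9a-fA-F:]+\z/` for the v6 list, so only address-shaped strings reach ferm. The two loops then differ only in that pattern and could be one small helper taking it as an argument.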
@def $sgran = (91.103.132.24/29);
@def $weasel = ();
@def $weasel = ($weasel 86.59.118.144/28); # debian@sil
@def $weasel6 = ($weasel6 2001:826:408:200::/56); # came
@def $weasel6 = ($weasel6 2001:858:10f::/48); # anguilla
@def $zobel6 = ();
-@def $zobel6 = ($zobel6 2001:6f8:1215::/48); baldur
-@def $zobel6 = ($zobel6 2001:6f8:928::/48); WS2
-@def $zobel6 = ($zobel6 2a01:198:549::/48); WGS20
+@def $zobel6 = ($zobel6 2001:6f8:1215::/48); # baldur
+@def $zobel6 = ($zobel6 2001:6f8:928::/48); # WS2
+@def $zobel6 = ($zobel6 2a01:198:549::/48); # WGS20
@def $luca6 = ();
@def $DSA_V6_IPS = ($sgran6 $weasel6 $zobel6 $luca6);
sshallowed = []
case hostname
- when 'logtest01', 'geo1', 'geo2', 'geo3' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
+ when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_IPS', '$HOST_NAGIOS_V4', '$HOST_DB_V4' ]
+end
+
+case hostname
+ when 'bartok' then sshallowed << '$HOST_DEBIAN_V4'
end
if sshallowed.length == 0
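Review bot: Appending `$HOST_DEBIAN_V4` on L112 admits every host with an ipHostNumber in LDAP to bartok's SSH allow list, a much wider set than the DSA, nagios and db hosts used for the other entries, and nothing records why bartok alone needs that; the commit list says bartok becomes a DNS recursor, but recursion needs port 53, not 22, so the motivation is presumably something else. Add `# bartok: all debian.org hosts may ssh in — <reason>` so the widening is deliberate rather than accidental. The nested array on L108 mixed with the bare string on L112 relies on a flatten in the consumer of `sshallowed`, which is outside this hunk.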
sshallowed = []
case hostname
- when 'logtest01', 'geo1', 'geo2', 'geo3' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
+ when 'logtest01', 'geo1', 'geo2', 'geo3', 'bartok' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6' ]
+end
+
+case hostname
+ when 'bartok' then sshallowed << '$HOST_DEBIAN_V6'
end
if sshallowed.length == 0
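Review bot: The second `case hostname` on L121 exists only to append one more element for `bartok`, which the first statement already matches on L118; give bartok its own clause in the first statement instead, `when 'bartok' then sshallowed << [ '$DSA_V6_IPS', '$HOST_NAGIOS_V6', '$HOST_DB_V6', '$HOST_DEBIAN_V6' ]`, and drop `'bartok'` from the L118 list. That keeps each host's complete SSH allow list readable in one place, which matters for a rule that gates remote access. The `if sshallowed.length == 0` fallback on L124 and the consumer of the list lie outside this hunk.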
path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
refreshonly => true,
}
- @ferm::rule { "dsa-nagios":
+ @ferm::rule { "dsa-nagios-v4":
description => "Allow nrpe from nagios master",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }"
+ }
+ @ferm::rule { "dsa-nagios-v6":
+ description => "Allow nrpe from nagios master",
+ domain => "ip6",
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }"
}
}
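Review bot: The v4 rule on L129 sets no `domain` while its v6 twin on L136 sets `domain => "ip6"`, so whether `$HOST_NAGIOS_V4` is emitted only into the ip domain depends on the default of the `ferm::rule` define, which is not visible here; if that default is `(ip ip6)`, the v4 address list would also land in the ip6 domain and ferm would reject the configuration. Make it explicit with `domain => "ip",` on the v4 resource so the pair reads symmetrically and does not depend on the define's default. The enclosing class begins before this hunk.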
--- /dev/null
+class named::recursor inherits named {
+ file { "/etc/bind/named.conf.options":
+ content => template("named/named.conf.options.erb"),
+ notify => Exec["bind9 reload"],
+ }
+}
+
+
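Review bot: The new `named::recursor` class has no comment saying what it enables beyond the base `named` it inherits; the only visible effect is regenerating named.conf.options from the shared template, and the template change elsewhere in this diff adds `localnets;` to an allow list when this class is present. Add a header such as `# Local DNS recursor: rewrites named.conf.options via the shared template (which widens its ACL to localnets for this class) and reloads bind9` so the security-relevant widening is discoverable from the class itself. The file resource sets no owner, group or mode, so those come from defaults established elsewhere — confirm they match the other named.conf.* files.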
<%=
allowed='Nagios; '
- if classes.include?('named::secondary')
+ if classes.include?('named::secondary') or classes.include?('named::recursor')
allowed += 'localnets; '
end
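Review bot: Adding `localnets;` for `named::recursor` on L152 grants whatever ACL this string feeds (its use is outside the hunk; the variable name suggests an allow-query or allow-recursion list) to every address on the recursor's directly attached subnets, and at a hosting provider that subnet is typically shared with other customers, so bartok would become a semi-open recursor for its neighbours. Recursion should be limited to an explicit list of the hosts it serves — for example the `$HOST_DEBIAN` sets defined in this same diff — rather than reusing `localnets`, which was presumably chosen for the secondaries under a different threat model. At minimum document the intent next to the condition: `# recursor: localnets is broad on a shared hoster LAN — prefer an explicit host list`.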
when "draghi", "liszt" then
nameservers << "127.0.0.1"
end
- nameservers += ["82.195.75.81", "82.195.66.249", "217.198.242.225"]
+ nameservers += ["82.195.75.91", "82.195.75.81", "82.195.66.249", "217.198.242.225"]
searchpaths << "debprivate-darmstadt.debian.org"
when "ftcollins" then
case hostname
file=/etc/mtab
file=/etc/ssh_random_seed
file=/etc/asound.conf
-<% case hoster when "ubcece", "darmstadt", "ftcollins" then ""
-else -%>
+<% case hoster when "ubcece", "darmstadt", "ftcollins", "grnet" then -%>
+<% else -%>
file=/etc/resolv.conf
<% end -%>
file=/etc/localtime
file=/var/state/samhain/samhain_file
file=/etc/bind/zones/db.debian.net
file=/etc/exim4/bsmtp
-<% if hostname == "geo1" || hostname == "geo2" || hostname == "geo3" -%>
+<% if classes.include?("named::geodns") -%>
file=/etc/bind
file=/etc/bind/named.conf.acl
-file=/etc/bind/named.conf.options
file=/etc/bind/named.conf.local
file=/etc/bind/geodns/named.conf.geo
file=/etc/bind/geodns/recvconf.files
<% end -%>
-
+<% if classes.include?("named") -%>
+file=/etc/bind/named.conf.options
+<% end -%>
#
# There are files in /etc that might change, thus changing the directory
file=/etc/nagios/nrpe.d
file=/etc/nagios/obsolete-packages-ignore.d
file=/etc/bind/geodns
-<%= extradir=""
-if nodeinfo['nagiosmaster']
- extradir="file=/etc/nagios3/puppetconf.d
-file=/etc/puppet"
-end
-extradir
-%>
+<% if nodeinfo['nagiosmaster'] -%>
+file=/etc/nagios3/puppetconf.d
+<% end -%>
file=/etc/puppet
file=/etc/cron.d
file=/usr/lib/nagios/plugins
file=/etc/pam.d
file=/etc/sysctl.d
file=/etc/syslog-ng
+file=/etc/ferm/
+file=/etc/ferm/conf.d
+file=/etc/ferm/dsa.d
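Review bot: `file=/etc/ferm/` on L210 carries a trailing slash while the two entries below it and every other path in this section do not; samhain presumably keys entries by the path string, so keep it consistent as `file=/etc/ferm`. Moving `named.conf.options` behind `classes.include?("named")` on L186 assumes the parent class name shows up in `$classes` on hosts that only include `named::geodns`, `named::secondary` or the new `named::recursor`; that holds when those classes inherit `named`, as `named::recursor` visibly does, but confirm it for the other two so the file does not silently drop out of monitoring on the geo hosts where it was listed explicitly before.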
[LogFiles]
##
## This file might be created or removed by the system sometimes.
##
-<% case hoster when "ubcece", "darmstadt", "ftcollins" then "" -%>
+<% case hoster when "ubcece", "darmstadt", "ftcollins", "grnet" then -%>
file=/etc/resolv.conf
-<% else
-end -%>
+<% end -%>
file=/etc/resolv.conf.pcmcia.save
file=/etc/nologin
file=/etc/postfix/debian.db
file=/etc/monit/monit.d/00debian.org
file=/etc/cron.d/dsa-puppet-stuff
file=/etc/cron.d/dsa-buildd
-<%= extrafiles=""
-case fqdn
-when "tchaikovsky.debian.org": extrafiles="file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
+<% if nodeinfo['nagiosmaster'] -%>
+file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
file=/etc/nagios3/puppetconf.d/auto-services.cfg
file=/etc/nagios3/puppetconf.d/auto-dependencies.cfg
file=/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg
file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
-file=/etc/munin/munin.conf"
-when "handel.debian.org": extrafiles="dir=8/etc/puppet"
-when "dijkstra.debian.org": extrafiles="dir=4/etc/dsa-kvm"
-when /geo[123].debian.org/: extrafiles="dir=1/etc/bind/geodns"
-when /(senfl|ravel|orff|klecker).debian.org/: extrafiles="dir=1/etc/bind
-file=/etc/bind/named.conf.debian-zones"
-end
-extrafiles
-%>
+<% end -%>
+<% if nodeinfo['muninmaster'] -%>
+file=/etc/munin/munin.conf
+<% end -%>
+<% if nodeinfo['puppetmaster'] -%>
+dir=8/etc/puppet
+<% end -%>
+<% if classes.include?('named::geodns') -%>
+dir=1/etc/bind/geodns
+<% end -%>
+<% if classes.include?('named::secondary') -%>
+dir=1/etc/bind
+file=/etc/bind/named.conf.debian-zones
+<% end -%>
+<% if fqdn == "dijkstra.debian.org" -%>
+dir=4/etc/dsa-kvm
+<% end -%>
<% if nodeinfo['buildd'] -%>
dir=3/etc/lvm
<% end -%>
+dir=1/etc/ferm/dsa.d
+file=/etc/ferm/conf.d/me.conf
+file=/etc/ferm/conf.d/defs.conf
+file=/etc/ferm/ferm.conf
[IgnoreNone]
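Review bot: The firewall files added on L268–L271 (`ferm.conf`, `conf.d/me.conf`, `conf.d/defs.conf` and `dir=1/etc/ferm/dsa.d`) fall, as far as this hunk shows, under the section opened by `[LogFiles]` on L213, and samhain's LogFiles policy ignores timestamp, size and signature changes — it exists for files that legitimately change — so a rewritten firewall rule set would only be noticed if ownership, permissions or inode changed. These files are meant to be written only by puppet (commit messages L18–L19), so they belong under a read-only policy, accepting that each puppet-driven change produces a report; if the section here is in fact not LogFiles, add a comment above the ferm entries naming the policy they fall under. The same consideration applies to `dir=8/etc/puppet` on L253, which this hunk keeps under the same policy for the puppetmaster.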
##
SetMailAddress=samhain-reports@debian.org
## Mail relay (IP address)
-<%=
-out=""
-if not nodeinfo['smarthost'].empty?
- out = '
-SetMailRelay = localhost
-'
-else
-out = '
+<% if nodeinfo['smarthost'].empty? -%>
SetMailRelay = master.debian.org
-'
-end
-out
-%>
+<% else -%>
+SetMailRelay = localhost
+<% end -%>
+
## Custom subject format
#
MailSubject = [Samhain at %H] %T: %S
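Review bot: `nodeinfo['smarthost'].empty?` on L284 raises NoMethodError when the key is absent or nil, which aborts rendering of the entire samhainrc rather than falling back to a relay; the removed code made the same call, so the rewrite preserves the fragility rather than introducing it, but this is the natural moment to harden it. Use `<% if nodeinfo['smarthost'].nil? || nodeinfo['smarthost'].empty? -%>` so a node with no smarthost entry still gets `SetMailRelay = master.debian.org`. Inverting the branch order to drop the `not` is a fine simplification.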