From: Stephen Gran Date: Wed, 4 Apr 2012 18:15:14 +0000 (+0100) Subject: massive style guide fixups X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=3eb533e5499e66423bafdedaf6c7d08ead1772de massive style guide fixups Signed-off-by: Stephen Gran --- diff --git a/manifests/site.pp b/manifests/site.pp index d7a965dd..a55107b4 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -1,157 +1,155 @@ Package { - require => File["/etc/apt/apt.conf.d/local-recommends"] + require => File['/etc/apt/apt.conf.d/local-recommends'] } File { - owner => root, - group => root, - mode => 444, - ensure => file, + owner => root, + group => root, + mode => '0444', + ensure => file, } Exec { - path => "/usr/bin:/usr/sbin:/bin:/sbin" + path => '/usr/bin:/usr/sbin:/bin:/sbin' } -node default { - $localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml") - $nodeinfo = nodeinfo($::fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml") - $allnodeinfo = allnodeinfo("sshRSAHostKey ipHostNumber", "purpose mXRecord physicalHost purpose") - notice( sprintf("hoster for %s is %s", $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) ) - - include munin-node - include syslog-ng - include sudo - include ssh - include debian-org - include monit - include apt-keys - include ntp - include ntpdate - include ssl - include motd - - case $::hostname { - finzi,fano,fasch,field: { include kfreebsd } - } - - if $::smartarraycontroller { - include debian-proliant - } - - if $::productname == 'PowerEdge 2850' { - include megactl - } - - if $::mptraid { - include raidmpt - } - - if $::kvmdomain { - include acpi - } - - if $::mta == 'exim4' { - case getfromhash($nodeinfo, 'heavy_exim') { - true: { include exim::mx } - default: { include exim } - } - } - - if getfromhash($nodeinfo, 'puppetmaster') { - include puppetmaster - } - - if getfromhash($nodeinfo, 'muninmaster') { - include munin-node::master - } - - case getfromhash($nodeinfo, 'nagiosmaster') { - true: { include nagios::server } - default: { include nagios::client } - } - - if $::apache2 { - if getfromhash($nodeinfo, 'apache2_security_mirror') { - include apache2::security_mirror - } - if getfromhash($nodeinfo, 'apache2_www_mirror') { - include apache2::www_mirror - } - if getfromhash($nodeinfo, 'apache2_backports_mirror') { - include apache2::backports_mirror - } - if getfromhash($nodeinfo, 
'apache2_ftp-upcoming_mirror') { - include apache2::ftp-upcoming_mirror - } - include apache2 - } - - if $::rsyncd { - include rsyncd-log - } - - - if getfromhash($nodeinfo, 'buildd') { - include buildd - } - - case $::hostname { - ravel,senfl,orff,draghi,diamond: { include named::authoritative } - geo1,geo2,geo3: { include named::geodns } - liszt: { include named::recursor } - } - - case $::hostname { - franck,master,lobos,samosa,spohr,widor: { include unbound } - } - - if $::lsbdistcodename != 'lenny' { - include unbound - } - - include resolv - - if $::kernel == 'Linux' { - include ferm - include ferm::per-host - } - - case $::hostname { - diabelli,nono,spohr: { include dacs } - } - - case $::hostname { - beethoven,duarte,spohr,stabile: { - include nfs-server - } - } - - if $::brokenhosts { - include hosts - } - - if $::portforwarder_user_exists { - include portforwarder - } - - include samhain - - case $::hostname { - chopin,geo3,soler,wieck: { - include debian-radvd - } - } - - if $::kernel == 'Linux' { - include entropykey - } - - if ($::postgres84 or $::postgres90) { - include postgres - } +Service { + hasrestart => true, + hasstatus => true, } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: +node default { + include site + include munin + include syslog-ng + include sudo + include ssh + include debian-org + include monit + include apt-keys + include ntp + include ntpdate + include ssl + include motd + include hardware + include nagios::client + include resolv + + if $::hostname in [finzi,fano,fasch,field] { + include kfreebsd + } + + if $::kvmdomain { + include acpi + } + + if $::mta == 'exim4' { + if getfromhash($site::nodeinfo, 'heavy_exim') { + include exim::mx + } else { + include exim + } + } + + if $::lsbdistcodename != 'lenny' { + include unbound + } + + if getfromhash($site::nodeinfo, 'puppetmaster') { + include puppetmaster + } + + if getfromhash($site::nodeinfo, 'muninmaster') { + include munin::master + } + + if 
getfromhash($site::nodeinfo, 'nagiosmaster') { + include nagios::server + } + + if getfromhash($site::nodeinfo, 'buildd') { + include buildd + } + + if $::hostname in [chopin,franck,morricone,bizet] { + include roles::dakmaster + } + + if getfromhash($site::nodeinfo, 'apache2_security_mirror') { + include roles::security_mirror + } + + if getfromhash($site::nodeinfo, 'apache2_www_mirror') { + include roles::www_mirror + } + + if getfromhash($site::nodeinfo, 'apache2_backports_mirror') { + include roles::backports_mirror + } + + if getfromhash($site::nodeinfo, 'apache2_ftp-upcoming_mirror') { + include roles::ftp-upcoming_mirror + } + + if $::apache2 { + include apache2 + } + + if $::rsyncd { + include rsyncd-log + } + + if $::hostname in [ravel,senfl,orff,draghi,diamond] { + include named::authoritative + } elsif $::hostname in [geo1,geo2,geo3] { + include named::geodns + } elsif $::hostname == 'liszt' { + include named::recursor + } + + if $::kernel == 'Linux' { + include ferm + include ferm::per-host + include entropykey + } + + if $::hostname in [diabelli,nono,spohr] { + include dacs + } + + if $::hostname in [beethoven,duarte,spohr,stabile] { + include nfs-server + } + + if $::brokenhosts { + include hosts + } + + if $::portforwarder_user_exists { + include portforwarder + } + + include samhain + + if $::hostname in [chopin,geo3,soler,wieck] { + include debian-org::radvd + } + + if ($::postgres84 or $::postgres90) { + include postgres + } + + if $::spamd { + munin::check { 'spamassassin': } + } + + if $::vsftpd { + package { 'logtail': + ensure => installed + } + munin::check { 'vsftpd': } + munin::check { 'ps_vsftpd': + script => 'ps_' + } + } +} diff --git a/modules/acpi/manifests/init.pp b/modules/acpi/manifests/init.pp index ffc779b8..c427cb99 100644 --- a/modules/acpi/manifests/init.pp +++ b/modules/acpi/manifests/init.pp 
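Review bot: Beyond the quoting and indentation changes, this hunk alters what gets applied, which the title "massive style guide fixups" does not announce: `include nagios::client` is now unconditional, so a host with `nagiosmaster` set gets both `nagios::server` and `nagios::client` where the old `case` gave it only the server class; the `franck,master,lobos,samosa,spohr,widor` host list for `include unbound` is gone, leaving only the `$::lsbdistcodename != 'lenny'` rule; and the `roles::*_mirror` includes are no longer nested under `if $::apache2` (unless the roles classes gate on that fact themselves). The `roles::dakmaster`, `$::spamd` and `$::vsftpd` stanzas are likewise new functionality rather than fixups. Those may all be intended, but a style commit is the hardest place to spot them later, so either split them out or list them in the commit message. The `$localinfo`/`$nodeinfo`/`$allnodeinfo` lookups and the `notice(...)` call have left this file; presumably they now live in the `site` class that `$site::nodeinfo` refers to, which is not in this diff, so that class is worth checking against the removed lines.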
@@ -1,13 +1,13 @@ class acpi { - if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { - package { - acpid: ensure => installed - } + if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { + package { 'acpid': + ensure => installed + } - if $lsbdistcodename != 'lenny' { - package { - acpi-support-base: ensure => installed - } - } - } + if $::lsbdistcodename != 'lenny' { + package { 'acpi-support-base': + ensure => installed + } + } + } } diff --git a/modules/apache2/files/common-ssl.inc b/modules/apache2/files/common-ssl.inc new file mode 100644 index 00000000..2021ab4c --- /dev/null +++ b/modules/apache2/files/common-ssl.inc @@ -0,0 +1,30 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the protocol versions which clients are allowed to +# connect with. Disable SSLv2 by default (cf. RFC 6176). +SSLProtocol all -SSLv2 + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM +SSLHonorCipherOrder on + +# Add STS +Header add Strict-Transport-Security "max-age=604800" + diff --git a/modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo b/modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo deleted file mode 100644 index cd52b7a9..00000000 --- a/modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo +++ /dev/null 
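Review bot: In common-ssl.inc, `SSLProtocol all -SSLv2` still permits SSLv3, and the cipher string `ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM` lists `RC4` ahead of `HIGH` and explicitly removes the `AESGCM` suites, so with `SSLHonorCipherOrder on` any client that cannot use the first two TLS 1.2-only suites will be steered to RC4-SHA. The blob id is unchanged (2021ab4c), so this is a move from sites-available/ rather than a new policy; if the RC4 preference is a deliberate BEAST workaround, a comment saying so (`# RC4 preferred over CBC suites as BEAST mitigation; revisit once TLS 1.2 clients dominate`) would keep the next editor from "fixing" it blindly, and otherwise `SSLProtocol all -SSLv2 -SSLv3` plus dropping `RC4` and `!AESGCM` is the direction to move. The `Strict-Transport-Security "max-age=604800"` value is one week and carries no `includeSubDomains`; a longer max-age is worth considering once every host that includes this snippet serves HTTPS reliably.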
@@ -1,14 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - - SetHandler server-info - order deny,allow - deny from all - allow from localhost - - - diff --git a/modules/apache2/files/common/etc/apache2/conf.d/security b/modules/apache2/files/common/etc/apache2/conf.d/security deleted file mode 100644 index da8525a9..00000000 --- a/modules/apache2/files/common/etc/apache2/conf.d/security +++ /dev/null 
@@ -1,55 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# -# Disable access to the entire file system except for the directories that -# are explicitly allowed later. -# -# This currently breaks the configurations that come with some web application -# Debian packages. It will be made the default for the release after lenny. -# -# -# AllowOverride None -# Order Deny,Allow -# Deny from all -# - - -# Changing the following options will not really affect the security of the -# server, but might make attacks slightly more difficult in some cases. - -# -# ServerTokens -# This directive configures what you return as the Server HTTP response -# Header. The default is 'Full' which sends information about the OS-Type -# and compiled in modules. -# Set to one of: Full | OS | Minimal | Minor | Major | Prod -# where Full conveys the most information, and Prod the least. -# -#ServerTokens Minimal -ServerTokens ProductOnly - -# -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. -# Set to one of: On | Off | EMail -# -#ServerSignature Off -ServerSignature On - -# -# Allow TRACE method -# -# Set to "extended" to also reflect the request body (only for testing and -# diagnostic purposes). -# -# Set to one of: On | Off | extended -# -TraceEnable Off -#TraceEnable On - diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status b/modules/apache2/files/common/etc/apache2/conf.d/server-status deleted file mode 100644 index 3e25f8a7..00000000 --- a/modules/apache2/files/common/etc/apache2/conf.d/server-status +++ /dev/null 
@@ -1,19 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - # - # Allow server status reports generated by mod_status, - # with the URL of http://servername/server-status - # Change the ".example.com" to match your domain to enable. - # - ExtendedStatus on - - SetHandler server-status - Order deny,allow - Deny from all - Allow from 127.0.0.1 - - diff --git a/modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org b/modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org deleted file mode 100644 index 73966cfb..00000000 --- a/modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org +++ /dev/null @@ -1,23 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - ServerName backports.debian.org - ServerAdmin debian-admin@debian.org - - ErrorLog /var/log/apache2/backports.debian.org-error.log - CustomLog /var/log/apache2/backports.debian.org-access.log combined - - - UserDir disabled - - - Alias /debian-backports /srv/mirrors/backports.debian.org/ - - RewriteEngine On - RewriteRule ^/debian-backports($|/.*) - [L] - RewriteRule ^/(.*) http://backports-master.debian.org/$1 [R] - -# vim:set syn=apache: diff --git a/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc b/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc deleted file mode 100644 index 2021ab4c..00000000 --- a/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc +++ /dev/null 
@@ -1,30 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the protocol versions which clients are allowed to -# connect with. Disable SSLv2 by default (cf. RFC 6176). -SSLProtocol all -SSLv2 - -# -# Some MIME-types for downloading Certificates and CRLs -# -AddType application/x-x509-ca-cert .crt -AddType application/x-pkcs7-crl .crl - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM -SSLHonorCipherOrder on - -# Add STS -Header add Strict-Transport-Security "max-age=604800" - diff --git a/modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org b/modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org deleted file mode 100644 index 24e6fa0d..00000000 --- a/modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org +++ /dev/null @@ -1,16 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - ServerAdmin ftpmaster@debian.org - DocumentRoot /srv/mirrors/buildd-all - ServerName ftp-upcoming.debian.org - - ErrorLog /var/log/apache2/ftp-upcoming.debian.org-error.log - LogLevel warn - CustomLog /var/log/apache2/ftp-upcoming.debian.org-access.log combined - - IndexOptions FancyIndexing NameWidth=* - diff --git a/modules/apache2/files/common/etc/apache2/sites-available/security.debian.org b/modules/apache2/files/common/etc/apache2/sites-available/security.debian.org deleted file mode 100644 index 0f77652d..00000000 
--- a/modules/apache2/files/common/etc/apache2/sites-available/security.debian.org +++ /dev/null @@ -1,38 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - IndexOptions NameWidth=* +SuppressDescription - Options +FollowSymLinks - Options +Indexes - FileETag MTime Size - - - - ServerAdmin debian-admin@debian.org - DocumentRoot /org/security.debian.org/ftp - ServerPath /debian-security - ServerName security.debian.org - ServerAlias security.ipv6.debian.org - ServerAlias security.eu.debian.org - ServerAlias security.us.debian.org - ServerAlias security.na.debian.org - ServerAlias security.geo.debian.org - ServerAlias security-nagios.debian.org - - Alias /debian-security /org/security.debian.org/ftp - - RewriteEngine on - RewriteRule ^/$ http://www.debian.org/security/ - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel warn - - CustomLog /var/log/apache2/security.debian.org-access.log combined - ServerSignature On - - - diff --git a/modules/apache2/files/common/etc/apache2/sites-available/www.backports.org b/modules/apache2/files/common/etc/apache2/sites-available/www.backports.org deleted file mode 100644 index 7bcade28..00000000 --- a/modules/apache2/files/common/etc/apache2/sites-available/www.backports.org +++ /dev/null 
@@ -1,28 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# www.backports.org is the historical place for the backports -# website and archive. It is now a CNAME to backports.debian.org - -# redirect http requests. - - - ServerName www.backports.org - ServerAlias lists.backports.org - ServerAdmin debian-admin@debian.org - - ErrorLog /var/log/apache2/www.backports.org-error.log - CustomLog /var/log/apache2/www.backports.org-access.log combined - - - UserDir disabled - - - RedirectPermanent /debian/ http://backports.debian.org/debian-backports/ - RedirectPermanent /backports.org/ http://backports.debian.org/debian-backports/ - RedirectPermanent /debian-backports/ http://backports.debian.org/debian-backports/ - RedirectPermanent / http://backports-master.debian.org/ - -# vim:set syn=apache: - diff --git a/modules/apache2/files/common/etc/apache2/sites-available/www.debian.org b/modules/apache2/files/common/etc/apache2/sites-available/www.debian.org deleted file mode 100644 index c9b60489..00000000 --- a/modules/apache2/files/common/etc/apache2/sites-available/www.debian.org +++ /dev/null 
@@ -1,217 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# Need to turn on negotiation_module - - Options +MultiViews +FollowSymLinks +Indexes - AddHandler type-map var - # Make sure that the srm.conf directive is commented out. - AddDefaultCharSet Off - AllowOverride AuthConfig FileInfo - - # Serve icons as image/x-icon - AddType image/x-icon .ico - - # Serve RSS feeds as application/rss+xml - AddType application/rss+xml .rdf - - # Nice caching.. - ExpiresActive On - ExpiresDefault "access plus 1 day" - ExpiresByType image/gif "access plus 1 week" - ExpiresByType image/jpeg "access plus 1 week" - ExpiresByType image/png "access plus 1 week" - ExpiresByType image/x-icon "access plus 1 week" - - # FileEtag needs to be the same across mirrors (used for caching, ignore inode) - FileEtag MTime Size - - # language stuff, for web site translations - # for boot-floppies docs only: sk - AddLanguage en .en - AddLanguage en-us .en-us - AddLanguage en-gb .en-gb - AddLanguage ar .ar - AddLanguage bg .bg - AddLanguage ca .ca - AddLanguage cs .cs - AddLanguage da .da - AddLanguage de .de - AddLanguage el .el - AddLanguage eo .eo - AddLanguage es .es - AddLanguage fi .fi - AddLanguage fr .fr - AddLanguage hr .hr - AddLanguage hu .hu - AddLanguage hy .hy - AddLanguage id .id - AddLanguage it .it - AddLanguage ja .ja - AddLanguage ko .ko - AddLanguage lt .lt - AddLanguage nl .nl - AddLanguage no .no - AddLanguage nb .nb - AddLanguage pl .pl - AddLanguage pt .pt - AddLanguage pt-br .pt - AddLanguage ro .ro - AddLanguage ru .ru - AddLanguage sk .sk - AddLanguage sl .sl - AddLanguage sv .sv - AddLanguage tr .tr - AddLanguage uk .uk - AddLanguage vi .vi - AddLanguage zh-CN .zh-cn - AddLanguage zh-HK .zh-hk - AddLanguage zh-TW .zh-tw - LanguagePriority en fr de it es ja pl hr da pt pt-br fi zh-cn zh-hk zh-tw cs sv ko no nb ru tr eo ar nl hu ro sk el ca en-us en-gb 
id lt sl bg uk hy vi - - DirectoryIndex maintenance index index.html index.shtml index.htm - - - ForceType text/html - - - - ForceType application/pdf - - - - ForceType text/plain - - - - - ServerName www.nl.debian.org - ServerAdmin webmaster@debian.org - ServerAlias www.debian.com www.debian.de www.*.debian.org newwww.deb.at www.debian.net debian.net debian.org www.debian.at www.debian.eu debian.eu - DocumentRoot /srv/www.debian.org/www/ - ErrorLog /var/log/apache2/www-other.debian.org-error.log - CustomLog /var/log/apache2/www-other.debian.org-access.log combined - RewriteLog /var/log/apache2/www-other.debian.org-redirect.log - RewriteLogLevel 1 - - RewriteEngine on - RewriteRule ^/(.*)$ http://www.debian.org/$1 [R=301,L] - - - - ServerName www.debian.org - ServerAdmin webmaster@debian.org - ServerAlias www-*.debian.org - DocumentRoot /srv/www.debian.org/www/ - ErrorLog /var/log/apache2/www.debian.org-error.log - CustomLog /var/log/apache2/www.debian.org-access.log combined - - # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each - # document that was negotiated on the basis of content. This asks proxy - # servers not to cache the document. Uncommenting the following line disables - # this behavior, and proxies will be allowed to cache the documents. 
- CacheNegotiatedDocs On - -# Custom Error - ErrorDocument 404 /devel/website/errors/404 - RewriteCond %{DOCUMENT_ROOT}/devel/website/errors/404.$2.html -f - RewriteRule ^/(?!devel/website/errors/)(.*/)?404\.(.+)\.html$ /devel/website/errors/404.$2.html [L] - -# the joys of backwards compatibility - RedirectPermanent /cgi-bin/cvsweb http://cvs.debian.org - RedirectPermanent /Lists-Archives http://lists.debian.org - RedirectPermanent /search http://search.debian.org - RedirectPermanent /Packages http://packages.debian.org - RedirectPermanent /lintian http://lintian.debian.org - - RedirectPermanent /SPI http://www.spi-inc.org -# RedirectPermanent /OpenHardware http://www.openhardware.org - RedirectPermanent /OpenSource http://www.opensource.org - - RedirectPermanent /Bugs/db/ix/pseudopackages.html /Bugs/pseudo-packages - RewriteEngine on - RewriteRule ^/Bugs/db/pa/l([^/]+).html$ http://bugs.debian.org/$1 - RewriteRule ^/Bugs/db/[[:digit:]][[:digit:]]/([[:digit:]][[:digit:]][[:digit:]]+).html$ http://bugs.debian.org/$1 - RewriteRule ^/Bugs/db/ma/l([^/]+).html$ http://bugs.debian.org/cgi-bin/pkgreport.cgi?maintenc=$1 - - Userdir http://people.debian.org/~*/ - - RedirectPermanent /devel/todo/ /devel/wnpp/help_requested_bypop - RedirectPermanent /doc/FAQ /doc/manuals/debian-faq - RedirectPermanent /doc/manuals/debian-fr-howto /doc/manuals/fr/debian-fr-howto - RedirectPermanent /doc/manuals/reference /doc/manuals/debian-reference - RedirectPermanent /doc/packaging-manuals/developers-reference /doc/manuals/developers-reference - RedirectPermanent /doc/packaging-manuals/packaging-tutorial /doc/manuals/packaging-tutorial - RedirectPermanent /doc/prospective-packages /devel/wnpp/ - RedirectPermanent /devel/maintainer_contacts /intro/organization - RedirectPermanent /devel/debian-installer/gtk-frontend http://wiki.debian.org/DebianInstaller/GUI - RedirectPermanent /zh/ /international/Chinese/ - RedirectPermanent /chinese/ /international/Chinese/ - RedirectPermanent /devel/help 
/devel/join/ - RedirectPermanent /distrib/books /doc/books - RedirectPermanent /distrib/floppyinst /distrib/netinst - RedirectPermanent /distrib/netboot /distrib/netinst - RedirectPermanent /distrib/vendors /CD/vendors/ - RedirectPermanent /distrib/cd /CD/ - RedirectPermanent /distrib/cdinfo /CD/vendors/info - RedirectPermanent /related_links /misc/related_links - RedirectPermanent /ports/laptops /misc/laptops/ - RedirectPermanent /misc/README.mirrors /mirror/list - RedirectPermanent /misc/README.non-US /mirror/list.non-US - RedirectPermanent /intl /international - RedirectPermanent /ports/armel /ports/arm - RedirectPermanent /ports/mipsel /ports/mips - RedirectPermanent /ports/kfreebsd-amd64 /ports/kfreebsd-gnu - RedirectPermanent /ports/kfreebsd-i386 /ports/kfreebsd-gnu - RedirectPermanent /ports/sparc64 /ports/sparc - RedirectPermanent /mirror/mirrors_full.html /mirror/list-full.html - RedirectPermanent /mirrors /mirror - RedirectPermanent /News/project /News/weekly - RedirectPermanent /releases/2.0 /releases/hamm - RedirectPermanent /releases/2.1 /releases/slink - RedirectPermanent /releases/2.2 /releases/potato - RedirectPermanent /releases/3.0 /releases/woody - RedirectPermanent /releases/3.1 /releases/sarge - RedirectPermanent /releases/4.0 /releases/etch - RedirectPermanent /releases/5.0 /releases/lenny - RedirectPermanent /releases/6.0 /releases/squeeze - RedirectPermanent /releases/unstable /releases/sid - - RewriteRule ^/ports/freebsd(.*) /ports/kfreebsd-gnu/ [R=301] - RewriteRule ^/devel/debian-installer/report-template(.*) /releases/stable/i386/ch05s04.html#submit-bug [NE,R=301] - RewriteRule ^/devel/debian-installer/hooks(.*) http://d-i.alioth.debian.org/doc/internals/apb.html [R=301] - RewriteRule ^/doc/packaging-manuals/mime-policy(.*) /doc/debian-policy/ch-opersys.html#s-mime [NE,R=301] - - RewriteRule ^/volatile/index.* - [S=1] - RewriteRule ^/volatile/.+ /volatile/ [L,R=301] - RewriteRule ^/devel/debian-volatile/.* /volatile/ [R=301] - -# Offer a 
Redirect to DSA without knowing year #474730 - RewriteMap dsa txt:/srv/www.debian.org/www/security/map-dsa.txt - RewriteRule ^/security/dsa-(\d+)(\..*)? /security/${dsa:$1}$2 [R=301] - -# Compatibility after SGML -> DocBook -# Debian Reference #624239 - RewriteMap reference txt:/srv/www.debian.org/www/doc/map-reference.txt - RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/ch-support$1 !-f - RewriteRule ^/doc/manuals/debian-reference/ch-support(.*) /support$1 [L,R=301] - RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/${reference:$1}$2 -f - RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)(.+) /doc/manuals/debian-reference/${reference:$1}$2 [L,R=301] - RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)$ /doc/manuals/debian-reference/${reference:$1} [R=301] - RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/apa$1 -f - RewriteRule ^/doc/manuals/debian-reference/ap-appendix(.+) /doc/manuals/debian-reference/apa$1 [L,R=301] - RewriteRule ^/doc/manuals/debian-reference/ap-appendix$ /doc/manuals/debian-reference/apa [R=301] - RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/footnotes$1 !-f - RewriteRule ^/doc/manuals/debian-reference/footnotes(.+) /doc/manuals/debian-reference/index$1 [L,R=301] - RewriteRule ^/doc/manuals/debian-reference/footnotes$ /doc/manuals/debian-reference/ [R=301] -# New Maintainers' Guide - RewriteRule ^/doc/(manuals/)?maint-guide/ch-(.*) /doc/manuals/maint-guide/$2 [R=301] - RewriteRule ^/doc/(manuals/)?maint-guide/footnotes(.*) /doc/manuals/maint-guide/index$2 [R=301] - -# Canonical place for manuals under /doc/manuals/ - RewriteCond %{DOCUMENT_ROOT}/doc/manuals/$1 -d - RewriteRule ^/doc/([^/]+)/?(.*)? /doc/manuals/$1/$2 [L,R=301] - - diff --git a/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini b/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini deleted file mode 100644 index 46376f70..00000000 --- a/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini +++ /dev/null 
@@ -1,94 +0,0 @@ -; configuration for php suhosin module -extension=suhosin.so - -;;;;;;;;;;;;;;;;;;; -; Module Settings ; -;;;;;;;;;;;;;;;;;;; -; the following values are the internal default settings and set implicit -; feel free to modify to your needs - -[suhosin] -; Logging Configuration -;suhosin.log.syslog.facility = 9 -;suhosin.log.syslog.priority = 1 -;suhosin.log.script = 0 -;suhosin.log.phpscript = 0 -;suhosin.log.script.name = -;suhosin.log.phpscript.name = -;suhosin.log.use-x-forwarded-for = off - -; Executor Options -;suhosin.executor.max_depth = 0 -;suhosin.executor.include.max_traversal = 0 -;suhosin.executor.include.whitelist = -;suhosin.executor.include.blacklist = -;suhosin.executor.func.whitelist = -;suhosin.executor.func.blacklist = -;suhosin.executor.eval.whitelist = -;suhosin.executor.eval.blacklist = -;suhosin.executor.disable_emodifier = off -;suhosin.executor.allow_symlink = off - -; Misc Options -;suhosin.simulation = off -;suhosin.apc_bug_workaround = off -;suhosin.sql.bailout_on_error = off -;suhosin.sql.user_prefix = -;suhosin.sql.user_postfix = -;suhosin.multiheader = off -;suhosin.mail.protect = 0 -;suhosin.memory_limit = 0 - -; Transparent Encryption Options -;suhosin.session.encrypt = on -;suhosin.session.cryptkey = -;suhosin.session.cryptua = on -;suhosin.session.cryptdocroot = on -;suhosin.session.cryptraddr = 0 -;suhosin.session.checkraddr = 0 -;suhosin.cookie.encrypt = on -;suhosin.cookie.cryptkey = -;suhosin.cookie.cryptua = on -;suhosin.cookie.cryptdocroot = on -;suhosin.cookie.cryptraddr = 0 -;suhosin.cookie.checkraddr = 0 -;suhosin.cookie.cryptlist = -;suhosin.cookie.plainlist = - -; Filtering Options -;suhosin.filter.action = -;suhosin.cookie.max_array_depth = 100 -;suhosin.cookie.max_array_index_length = 64 -;suhosin.cookie.max_name_length = 64 -;suhosin.cookie.max_totalname_length = 256 -;suhosin.cookie.max_value_length = 10000 -;suhosin.cookie.max_vars = 100 -;suhosin.cookie.disallow_nul = on 
-;suhosin.get.max_array_depth = 50 -;suhosin.get.max_array_index_length = 64 -;suhosin.get.max_name_length = 64 -;suhosin.get.max_totalname_length = 256 -suhosin.get.max_value_length = 4096 -;suhosin.get.max_vars = 100 -;suhosin.get.disallow_nul = on -;suhosin.post.max_array_depth = 100 -;suhosin.post.max_array_index_length = 64 -;suhosin.post.max_name_length = 64 -;suhosin.post.max_totalname_length = 256 -;suhosin.post.max_value_length = 65000 -;suhosin.post.max_vars = 200 -;suhosin.post.disallow_nul = on -;suhosin.request.max_array_depth = 100 -;suhosin.request.max_array_index_length = 64 -;suhosin.request.max_totalname_length = 256 -;suhosin.request.max_value_length = 65000 -;suhosin.request.max_vars = 200 -;suhosin.request.max_varname_length = 64 -;suhosin.request.disallow_nul = on -;suhosin.upload.max_uploads = 25 -;suhosin.upload.disallow_elf = on -;suhosin.upload.disallow_binary = off -;suhosin.upload.remove_binary = off -;suhosin.upload.verification_script = -;suhosin.session.max_id_length = 128 - diff --git a/modules/apache2/files/local-serverinfo b/modules/apache2/files/local-serverinfo new file mode 100644 index 00000000..cd52b7a9 --- /dev/null +++ b/modules/apache2/files/local-serverinfo @@ -0,0 +1,14 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + + SetHandler server-info + order deny,allow + deny from all + allow from localhost + + + diff --git a/modules/apache2/files/security b/modules/apache2/files/security new file mode 100644 index 00000000..da8525a9 --- /dev/null +++ b/modules/apache2/files/security 
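Review bot: In local-serverinfo, `allow from localhost` is a hostname-based rule, which makes Apache perform a double reverse DNS lookup on every request to the handler and ties the access decision to resolver and /etc/hosts state, whereas the server-status file in this same commit (hunk for modules/apache2/files/server-status) uses the literal `Allow from 127.0.0.1`. Consider the literal form in both, adding the IPv6 loopback where the server listens on it: `allow from 127.0.0.1 ::1`. The blob ids are unchanged (cd52b7a9 and 3e25f8a7), so both files are moves out of conf.d/ rather than new rules, and the container directives around `SetHandler` are not visible in this rendering, so the enclosing scope of each rule cannot be confirmed here. The server-status comment `# Change the ".example.com" to match your domain to enable.` is leftover upstream boilerplate that no longer describes this configuration and can be dropped.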
@@ -0,0 +1,55 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# +# Disable access to the entire file system except for the directories that +# are explicitly allowed later. +# +# This currently breaks the configurations that come with some web application +# Debian packages. It will be made the default for the release after lenny. +# +# +# AllowOverride None +# Order Deny,Allow +# Deny from all +# + + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +# +#ServerTokens Minimal +ServerTokens ProductOnly + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +#ServerSignature Off +ServerSignature On + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +# +TraceEnable Off +#TraceEnable On + diff --git a/modules/apache2/files/server-status b/modules/apache2/files/server-status new file mode 100644 index 00000000..3e25f8a7 --- /dev/null +++ b/modules/apache2/files/server-status 
@@ -0,0 +1,19 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + # + # Allow server status reports generated by mod_status, + # with the URL of http://servername/server-status + # Change the ".example.com" to match your domain to enable. + # + ExtendedStatus on + + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + + diff --git a/modules/apache2/files/suhosin.ini b/modules/apache2/files/suhosin.ini new file mode 100644 index 00000000..46376f70 --- /dev/null +++ b/modules/apache2/files/suhosin.ini 
@@ -0,0 +1,94 @@
+; configuration for php suhosin module
+extension=suhosin.so
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+; the following values are the internal default settings and set implicit
+; feel free to modify to your needs
+
+[suhosin]
+; Logging Configuration
+;suhosin.log.syslog.facility = 9
+;suhosin.log.syslog.priority = 1
+;suhosin.log.script = 0
+;suhosin.log.phpscript = 0
+;suhosin.log.script.name =
+;suhosin.log.phpscript.name =
+;suhosin.log.use-x-forwarded-for = off
+
+; Executor Options
+;suhosin.executor.max_depth = 0
+;suhosin.executor.include.max_traversal = 0
+;suhosin.executor.include.whitelist =
+;suhosin.executor.include.blacklist =
+;suhosin.executor.func.whitelist =
+;suhosin.executor.func.blacklist =
+;suhosin.executor.eval.whitelist =
+;suhosin.executor.eval.blacklist =
+;suhosin.executor.disable_emodifier = off
+;suhosin.executor.allow_symlink = off
+
+; Misc Options
+;suhosin.simulation = off
+;suhosin.apc_bug_workaround = off
+;suhosin.sql.bailout_on_error = off
+;suhosin.sql.user_prefix =
+;suhosin.sql.user_postfix =
+;suhosin.multiheader = off
+;suhosin.mail.protect = 0
+;suhosin.memory_limit = 0
+
+; Transparent Encryption Options
+;suhosin.session.encrypt = on
+;suhosin.session.cryptkey =
+;suhosin.session.cryptua = on
+;suhosin.session.cryptdocroot = on
+;suhosin.session.cryptraddr = 0
+;suhosin.session.checkraddr = 0
+;suhosin.cookie.encrypt = on
+;suhosin.cookie.cryptkey =
+;suhosin.cookie.cryptua = on
+;suhosin.cookie.cryptdocroot = on
+;suhosin.cookie.cryptraddr = 0
+;suhosin.cookie.checkraddr = 0
+;suhosin.cookie.cryptlist =
+;suhosin.cookie.plainlist =
+
+; Filtering Options
+;suhosin.filter.action =
+;suhosin.cookie.max_array_depth = 100
+;suhosin.cookie.max_array_index_length = 64
+;suhosin.cookie.max_name_length = 64
+;suhosin.cookie.max_totalname_length = 256
+;suhosin.cookie.max_value_length = 10000
+;suhosin.cookie.max_vars = 100
+;suhosin.cookie.disallow_nul = on
+;suhosin.get.max_array_depth = 50
+;suhosin.get.max_array_index_length = 64
+;suhosin.get.max_name_length = 64
+;suhosin.get.max_totalname_length = 256
+suhosin.get.max_value_length = 4096
+;suhosin.get.max_vars = 100
+;suhosin.get.disallow_nul = on
+;suhosin.post.max_array_depth = 100
+;suhosin.post.max_array_index_length = 64
+;suhosin.post.max_name_length = 64
+;suhosin.post.max_totalname_length = 256
+;suhosin.post.max_value_length = 65000
+;suhosin.post.max_vars = 200
+;suhosin.post.disallow_nul = on
+;suhosin.request.max_array_depth = 100
+;suhosin.request.max_array_index_length = 64
+;suhosin.request.max_totalname_length = 256
+;suhosin.request.max_value_length = 65000
+;suhosin.request.max_vars = 200
+;suhosin.request.max_varname_length = 64
+;suhosin.request.disallow_nul = on
+;suhosin.upload.max_uploads = 25
+;suhosin.upload.disallow_elf = on
+;suhosin.upload.disallow_binary = off
+;suhosin.upload.remove_binary = off
+;suhosin.upload.verification_script =
+;suhosin.session.max_id_length = 128
+
diff --git a/modules/apache2/manifests/backports_mirror.pp b/modules/apache2/manifests/backports_mirror.pp
deleted file mode 100644
index 47b2a2dc..00000000
--- a/modules/apache2/manifests/backports_mirror.pp
+++ /dev/null
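Review bot: `suhosin.get.max_value_length = 4096` is the only active directive in the file and nothing records why it departs from the module's built-in default, so a later cleanup could silently restore the default; a comment such as `; raised from the module default for <site/reason placeholder>, see <TICKET-PLACEHOLDER>` on the line above would preserve that. Everything else is left at the commented defaults, including `;suhosin.executor.disable_emodifier = off`, so the preg_replace /e modifier remains available to PHP code on these hosts; if no deployed application needs it, setting that directive to on is a cheap hardening step worth a separate decision. With one uncommented line the header sentence "the following values are the internal default settings" is accurate only for the commented entries, which is worth saying in the header.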
@@ -1,25 +0,0 @@
-class apache2::backports_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/backports.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/backports.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/backports.debian.org" ];
- "/etc/apache2/sites-available/www.backports.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.backports.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/www.backports.org" ];
-
- }
-
- activate_apache_site {
- "010-backports.debian.org": site => "backports.debian.org";
- "010-www.backports.org": site => "www.backports.org";
- }
-
- enable_module {
- "rewrite":;
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/config.pp b/modules/apache2/manifests/config.pp
new file mode 100644
index 00000000..5d517004
--- /dev/null
+++ b/modules/apache2/manifests/config.pp
@@ -0,0 +1,30 @@
+define apache2::config($config = undef, $template = undef, $ensure = present) {
+
+ include apache2
+
+ if ! ($config or $template) {
+ err ( "No configuration found for ${name}" )
+ }
+
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if $template {
+ file { "/etc/apache2/conf.d/${name}":
+ ensure => $ensure,
+ content => template($template),
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ } else {
+ file { "/etc/apache2/conf.d/${name}":
+ ensure => $ensure,
+ source => $config,
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ }
+}
diff --git a/modules/apache2/manifests/dynamic.pp b/modules/apache2/manifests/dynamic.pp
new file mode 100644
index 00000000..0b4b144d
--- /dev/null
+++ b/modules/apache2/manifests/dynamic.pp
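Review bot: `err ( "No configuration found for ${name}" )` in apache2::config only logs, so when neither $config nor $template is given the define still declares the file resource with `ensure => present` and `source => undef`, which creates an empty conf.d file and reloads apache; the `default:` branch of the ensure case likewise logs and then hands the bad value to the file resource. Use `fail()` in both places so catalog compilation stops: `fail("No configuration found for ${name}")` and `default: { fail("Unknown ensure value: '${ensure}'") }`. The missing-configuration check also fires for `ensure => absent`, where no source is needed; `if $ensure == present and ! ($config or $template) {` limits it to the case that matters. The same err()-where-fail()-is-meant pattern appears in the new module.pp and site.pp hunks further down.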
@@ -0,0 +1,71 @@
+class apache2::dynamic {
+ @ferm::rule { 'dsa-http-limit':
+ prio => '20',
+ description => 'limit HTTP DOS',
+ chain => 'http_limit',
+ rule => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+ jump DROP'
+ }
+
+ @ferm::rule { 'dsa-http-soso':
+ prio => '21',
+ description => 'slow soso spider',
+ chain => 'limit_sosospider',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-yahoo':
+ prio => '21',
+ description => 'slow yahoo spider',
+ chain => 'limit_yahoo',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-google':
+ prio => '21',
+ description => 'slow google spider',
+ chain => 'limit_google',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-bing':
+ prio => '21',
+ description => 'slow bing spider',
+ chain => 'limit_bing',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-baidu':
+ prio => '21',
+ description => 'slow baidu spider',
+ chain => 'limit_baidu',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-rules':
+ prio => '22',
+ description => 'http subchain',
+ chain => 'http',
+ rule => '
+ saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
+ saddr 124.115.0.0/21 jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+ saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
+
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
+
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => 'proto tcp dport (http https) jump http'
+ }
+}
diff --git a/modules/apache2/manifests/ftp-upcoming_mirror.pp b/modules/apache2/manifests/ftp-upcoming_mirror.pp
deleted file mode 100644
index aa3610c4..00000000
--- a/modules/apache2/manifests/ftp-upcoming_mirror.pp
+++ /dev/null
@@ -1,18 +0,0 @@
-class apache2::ftp-upcoming_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/ftp-upcoming.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/ftp-upcoming.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/ftp-upcoming.debian.org" ];
-
- }
-
- activate_apache_site {
- "010-ftp-upcoming.debian.org": site => "ftp-upcoming.debian.org";
- }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index ade26fb1..3c0874e3 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
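Review bot: apache2::dynamic has no header comment, and the crawler source ranges in `dsa-http-rules` (the yahoo, soso, bing, google and baidu lists) carry no origin or date, so nobody can tell when they went stale or why each one lands in a differently masked connlimit chain. A comment above the class along the lines of `# HTTP rate limiting for the busy web frontends (host list lives in apache2::init): known crawler ranges pass through a per-network connlimit chain, everything else through the HTTPDOS recent/hashlimit pair; ranges last checked <DATE-PLACEHOLDER>` would carry that, with the date updated whenever a list changes. The rules also jump to a `log_or_drop` chain that is not defined in this file; naming where it comes from in the same comment avoids a hunt when ferm rejects the ruleset on a host that lacks it.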
@@ -1,250 +1,96 @@
 class apache2 {
- activate_munin_check {
- "apache_accesses":;
- "apache_processes":;
- "apache_volume":;
- "apache_servers":;
- "ps_apache2": script => "ps_";
- }
-
- package {
- "apache2": ensure => installed;
- }
-
- case $php5 {
- "true": {
- package {
- "php5-suhosin": ensure => installed;
- }
-
- file { "/etc/php5/conf.d/suhosin.ini":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
- "puppet:///modules/apache2/common/etc/php5/conf.d/suhosin.ini" ],
- require => Package["apache2", "php5-suhosin"],
- notify => Exec["force-reload-apache2"];
- }
- }
- }
-
- define activate_apache_site($ensure=present, $site=$name) {
- case $site {
- "": { $base = $name }
- default: { $base = $site }
- }
-
- case $ensure {
- present: {
- file { "/etc/apache2/sites-enabled/$name":
- ensure => "/etc/apache2/sites-available/$base",
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- }
- }
- absent: {
- file { "/etc/apache2/sites-enabled/$name":
- ensure => $ensure,
- notify => Exec["reload-apache2"];
- }
- }
- default: { err ( "Unknown ensure value: '$ensure'" ) }
- }
- }
-
- define enable_module($ensure=present) {
- case $ensure {
- present: {
- exec {
- "/usr/sbin/a2enmod $name":
- unless => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
- notify => Exec["force-reload-apache2"],
- }
- }
- absent: {
- exec {
- "/usr/sbin/a2dismod $name":
- onlyif => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
- notify => Exec["force-reload-apache2"],
- }
- }
- default: { err ( "Unknown ensure value: '$ensure'" ) }
- }
- }
-
- enable_module {
- "info":;
- "status":;
- }
-
- activate_apache_site {
- "00-default": site => "default-debian.org";
- "000-default": ensure => absent;
- }
-
- file {
- "/etc/apache2/conf.d/ressource-limits":
- content => template("apache2/ressource-limits.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/security":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/security",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/security" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/local-serverinfo":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/local-serverinfo" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/server-status":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/server-status" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/apache2/sites-available/default-debian.org":
- content => template("apache2/default-debian.org.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/apache2/sites-available/common-ssl.inc":
- source => [ "puppet:///modules/apache2/per-host/$fqdn//etc/apache2/sites-available/common-ssl.inc",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/common-ssl.inc" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/logrotate.d/apache2":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/logrotate.d/apache2",
- "puppet:///modules/apache2/common/etc/logrotate.d/apache2" ];
-
- "/srv/www":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org/htdocs":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org/htdocs/index.html":
- content => template("apache2/default-index.html");
-
- # sometimes this is a symlink
- #"/var/log/apache2":
- # mode => 755,
- # ensure => directory;
- }
-
- exec {
- "reload-apache2":
- command => "/etc/init.d/apache2 reload",
- refreshonly => true;
- "force-reload-apache2":
- command => "/etc/init.d/apache2 force-reload",
- refreshonly => true;
- }
- case $hostname {
- chopin,franck,morricone,bizet: {
- package {
- "libapache2-mod-macro": ensure => installed;
- }
- enable_module {
- "macro":;
- }
- file {
- "/etc/apache2/conf.d/puppet-builddlist":
- content => template("apache2/conf-builddlist.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- }
- }
- }
-
- case $hostname {
- busoni,duarte,holter,lindberg,master,powell,rore: {
- @ferm::rule { "dsa-http-limit":
- prio => "20",
- description => "limit HTTP DOS",
- chain => 'http_limit',
- rule => '
- mod limit limit-burst 60 limit 15/minute jump ACCEPT;
- jump DROP'
- }
- @ferm::rule { "dsa-http-soso":
- prio => "21",
- description => "slow soso spider",
- chain => 'limit_sosospider',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-yahoo":
- prio => "21",
- description => "slow yahoo spider",
- chain => 'limit_yahoo',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-google":
- prio => "21",
- description => "slow google spider",
- chain => 'limit_google',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-bing":
- prio => "21",
- description => "slow bing spider",
- chain => 'limit_bing',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-baidu":
- prio => "21",
- description => "slow baidu spider",
- chain => 'limit_baidu',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-rules":
- prio => "22",
- description => "http subchain",
- chain => 'http',
- rule => '
- saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
- saddr 124.115.0.0/21 jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
- saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
-
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- @ferm::rule { "dsa-http":
- prio => "23",
- description => "Allow web access",
- rule => "proto tcp dport (http https) jump http"
- }
- }
- default: {
- @ferm::rule { "dsa-http":
- prio => "23",
- description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
- }
- }
- }
- @ferm::rule { "dsa-http-v6":
- domain => "(ip6)",
- prio => "23",
- description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
- }
+
+ package { 'apache2':
+ ensure => installed,
+ }
+
+ service { 'apache2':
+ ensure => running,
+ require => Package['apache2'],
+ }
+
+ apache2::module { 'info': }
+ apache2::module { 'status': }
+
+ apache2::site { '00-default':
+ site => 'default-debian.org',
+ template => 'apache2/default-debian.org.erb',
+ }
+
+ apache2::site { '000-default':
+ ensure => absent,
+ }
+
+ apache2::config { 'ressource-limits':
+ template => 'apache2/ressource-limits.erb',
+ }
+
+ apache2::config { 'security':
+ config => 'puppet:///modules/apache2/security',
+ }
+
+ apache2::config { 'local-serverinfo':
+ config => 'puppet:///modules/apache2/local-serverinfo',
+ }
+
+ apache2::config { 'server-status':
+ config => 'puppet:///modules/apache2/server-status',
+ }
+
+ file { '/etc/apache2/sites-available/common-ssl.inc':
+ source => 'puppet:///modules/apache2/common-ssl.inc',
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+
+ file { '/etc/logrotate.d/apache2':
+ source => 'puppet:///modules/apache2/apache2.logrotate',
+ }
+
+ file { [ '/srv/www', '/srv/www/default.debian.org', '/srv/www/default.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+
+ file { '/srv/www/default.debian.org/htdocs/index.html':
+ content => template('apache2/default-index.html'),
+ }
+
+ munin::check { 'apache_accesses': }
+ munin::check { 'apache_processes': }
+ munin::check { 'apache_volume': }
+ munin::check { 'apache_servers': }
+ munin::check { 'ps_apache2':
+ script => 'ps_',
+ }
+
+ if $php5 {
+ package { 'php5-suhosin':
+ ensure => installed,
+ require => Package['apache2'],
+ }
+
+ file { '/etc/php5/conf.d/suhosin.ini':
+ source => 'puppet:///modules/apache2/suhosin.ini',
+ require => Package['php5-suhosin'],
+ notify => Service['apache2'],
+ }
+ }
+
+ if $::hostname in [busoni,duarte,holter,lindberg,master,powell,rore] {
+ include apache2::dynamic
+ } else {
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
+ }
+
+ @ferm::rule { 'dsa-http-v6':
+ domain => '(ip6)',
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/module.pp b/modules/apache2/manifests/module.pp
new file mode 100644
index 00000000..3a6922bd
--- /dev/null
+++ b/modules/apache2/manifests/module.pp
@@ -0,0 +1,17 @@
+define apache2::module ($ensure = present) {
+ case $ensure {
+ present: {
+ exec { "/usr/sbin/a2enmod ${name}":
+ creates => "/etc/apache2/mods-enabled/${name}.load",
+ notify => Service['apache2']
+ }
+ }
+ absent: {
+ exec { "/usr/sbin/a2dismod ${name}":
+ onlyif => "test -L /etc/apache2/mods-enabled/${name}.load",
+ notify => Service['apache2']
+ }
+ }
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+}
diff --git a/modules/apache2/manifests/security_mirror.pp b/modules/apache2/manifests/security_mirror.pp
deleted file mode 100644
index 853b9f89..00000000
--- a/modules/apache2/manifests/security_mirror.pp
+++ /dev/null
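Review bot: On the hosts that `include apache2::dynamic`, IPv4 web traffic is sent through the rate-limited `http` chain, but `dsa-http-v6` at the end of the class still accepts http/https unconditionally with `rule => '&SERVICE(tcp, (http https))'` in the ip6 domain, so the connlimit/hashlimit protection does not cover IPv6 clients of those hosts unless ferm's default domain already spans both families. If that is intended (for instance because the dynamic hosts have no public IPv6), a comment on the v6 rule should say so; otherwise those hosts need a v6 rule that also does `jump http`, and the apache2::dynamic rules need `domain => '(ip ip6)'` so the chains exist for both. Separately, `if $php5 {` reads an unqualified top-scope fact while the next conditional uses `$::hostname`; `if $::php5 {` keeps the two consistent.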
@@ -1,19 +0,0 @@
-class apache2::security_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/security.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/security.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/security.debian.org" ];
-
- }
-
- activate_apache_site {
- "010-security.debian.org": site => "security.debian.org";
- "security.debian.org": ensure => absent;
- }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/site.pp b/modules/apache2/manifests/site.pp
new file mode 100644
index 00000000..708e6fa0
--- /dev/null
+++ b/modules/apache2/manifests/site.pp
@@ -0,0 +1,48 @@
+define apache2::site (
+ $config = undef,
+ $template = undef,
+ $ensure = present,
+ $site = undef
+) {
+
+ include apache2
+
+ if ! ($config or $template) {
+ err ( "No configuration found for ${name}" )
+ }
+
+ if $site {
+ $base = $site
+ } else {
+ $base = $name
+ }
+
+ $target = "/etc/apache2/sites-available/${base}"
+
+ $link_target = $ensure ? {
+ present => $target,
+ absent => absent,
+ default => err ( "Unknown ensure value: '$ensure'" ),
+ }
+
+ if $template {
+ file { $target:
+ ensure => $ensure,
+ content => template($template),
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ } else {
+ file { $target:
+ ensure => $ensure,
+ source => $config,
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ }
+
+ file { "/etc/apache2/sites-enabled/${name}":
+ ensure => $link_target,
+ notify => Service['apache2'],
+ }
+}
diff --git a/modules/apache2/manifests/www_mirror.pp b/modules/apache2/manifests/www_mirror.pp
deleted file mode 100644
index 136e571e..00000000
--- a/modules/apache2/manifests/www_mirror.pp
+++ /dev/null
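Review bot: For `apache2::site { '000-default': ensure => absent }` as declared in init.pp, this define logs the "No configuration found" error on every run and then declares `file { $target: ensure => absent }` with `$target` being /etc/apache2/sites-available/000-default, so it removes the distribution's vhost file from sites-available, whereas the old activate_apache_site only removed the sites-enabled link. If only the link is meant to go, manage the sites-available file only when `$ensure == present`, and restrict the missing-configuration check to that case as well. Both `err()` calls, including the selector's `default => err ( "Unknown ensure value: '$ensure'" )`, only log and let compilation continue with err()'s return value as the link target; `fail()` is the function that stops the catalog. The rewrite below keeps the define's parameters and the sites-enabled link unchanged.
```puppet
if $ensure == present and ! ($config or $template) {
    fail("No configuration found for ${name}")
}
# … unchanged: $base / $target computation …
$link_target = $ensure ? {
    present => $target,
    absent  => absent,
    default => fail("Unknown ensure value: '${ensure}'"),
}
# Only manage the sites-available file when the site is wanted; for
# absent, leave that file alone and drop the sites-enabled link below.
if $ensure == present {
    if $template {
        file { $target:
            ensure  => present,
            content => template($template),
            require => Package['apache2'],
            notify  => Service['apache2'],
        }
    } else {
        file { $target:
            ensure  => present,
            source  => $config,
            require => Package['apache2'],
            notify  => Service['apache2'],
        }
    }
}
# … unchanged: sites-enabled link using $link_target …
```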
@@ -1,20 +0,0 @@ -class apache2::www_mirror { - include apache2 - file { - "/etc/apache2/sites-available/www.debian.org": - source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.debian.org", - "puppet:///modules/apache2/common/etc/apache2/sites-available/www.debian.org" ], - notify => Exec["reload-apache2"], - ; - } - - activate_apache_site { - "010-www.debian.org": site => "www.debian.org"; - "www.debian.org": ensure => absent; - } - -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/apache2/templates/conf-builddlist.erb b/modules/apache2/templates/conf-builddlist.erb deleted file mode 100644 index 1aa47587..00000000 --- a/modules/apache2/templates/conf-builddlist.erb +++ /dev/null @@ -1,26 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - -<%= - lines = [] - - allnodeinfo.keys.sort.each do |node| - next unless allnodeinfo[node]['purpose'] - if allnodeinfo[node]['purpose'].include?('buildd') - lines << " # #{allnodeinfo[node]['hostname'].to_s}" - allnodeinfo[node]['ipHostNumber'].each do |addr| - lines << " allow from #{addr}" - end - end - end - - lines.join("\n") -# vim:set et: -# vim:set sts=2 ts=2: -# vim:set shiftwidth=2: -%> - diff --git a/modules/apt-keys/files/backports.org.asc b/modules/apt-keys/files/backports.org.asc deleted file mode 100644 index 335513c6..00000000 --- a/modules/apt-keys/files/backports.org.asc +++ /dev/null 
@@ -1,40 +0,0 @@ -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQGiBEMIgw4RBADueqAzlq+rQT9JYSSWnNzo6C+9crI8lzW/fcl2Q3PO97MOQTOx -Qsf/lOh0Ku7O+VdBa+BwVPuUkSw6wTY5Ku1y/6r1BQzJ9oHkryDDJXsHzKhpdyFc -/lD4hNGqRkiNg5ulwAI0O1eqffPWDmeR9ZzSsqM40f1U4TNLfPAu1viWxwCgnbWz -onY6RqSYlRsDQaPsNTwieVEEAJeX2FGgNepD1SvfEremAkWCrYYlSZI76iTIf6bd -kGkWqIT0vJyE2MNenhDJ2ebbHJVFmL9x8S3m1daC4Zwnacm7aoCY/QgMJ+Js1Fex -Acev48W9KHgpVbFMd1t8KAwRbmFcQf0C/FZUbE7xScpTxS4z3SsMOuRyfnGpDOi6 -m/SnA/9wpquf3pPwbPykzKWNJEDouiJgt0zaFLauKDPeyTWeJ6htaAPDglArewdq -bJ9M8QgLFtzjhg/fBQlRRUk7YP4OYtp1OdPkg2D/1rPQNySWlDf21T3N/K8ydKhR -bYi+AsPuJLQUi3d+lVTFOebaL9felePvDC2/Eod7PSD1/rnkZ7Q0QmFja3BvcnRz -Lm9yZyBBcmNoaXZlIEtleSA8ZnRwLW1hc3RlckBiYWNrcG9ydHMub3JnPohGBBAR -AgAGBQJDgImkAAoJEHFe1qB+e4rJ2x4An2oI4xJpDvOx8uDIo9ihG1M0MpUqAJ9S -cqVUmiyYSPtu8MwcZecy9kmOIYheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD -FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AniaEBvlr4oVFMrGgPiye7iE/jv68AJ48 -OkIfwcKJt7N8ImPAboeimFvWgIheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD -FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AnjdB14rGa/rzz1ohwsi1oEnDRYuyAJ44 -Nv8MTPjOaeEZArQ0flg8OXwF34hGBBARAgAGBQJEeI+KAAoJEHvDNTBle/A9pDwA -mwVpbaoH1hebV4MgXIpRvTQiL2keAJ9ryd2LvhbPd5EZM1C3Nsar2/2CgIhGBBAR -AgAGBQJHE7HYAAoJEGvFvIY3KyPVlwEAoJyGuJ/SsJTlyIVbulWYp3U/uZQTAJ4l -40SrE/wwDeSIrhWNkmmNPbnz54hGBBARAgAGBQJHKneLAAoJEBRrPPJWJbOATcsA -n3I8y3pJN6jkmnhUQepfa7jJoDY2AKClHVXYuNZpc2jZKyruwgwck+jCabkCDQRD -CIMREAgAzXu6DGSDAz4JH+mlthtiQwNZFU8bjWanGT3DL6zubxwc3ZQmRaMOiVuv -JUuaJv8fdGRSvp09dP2/x5mzq2rACiEnDwZssNSK5sigxgy2W9zeO9bOtg6bhqZL -wlsL8Y2xZhyGL3qGeP4zL1QbXZ1QdJuO90Xu7GWYS6Wsj+Y6dUsZFYvTZwSiLkEm -gFUTxkNue3DQtZ/KNkwoKc+aqU+S7gDNStQDvTNtR6IV11KbKcY1iQ0B2bkh4zSh -WwloIr83V6huAhfH8GA7UW6saRJAof5DJWUb+PRmU2TAOOlyZoM4nMH+sFFDPOeG -8fbecwlox5BRTMqcCB5ELbQXoVZT+wADBQf/ffI9R53f9USQkhsSak+k82JjRo9h -qKAvPwBv3fDhMYqX3XRmwgNeax2y6Ub0AQkDhIC6eJILP5hTb2gjpmYYP7YE/7F1 
-h37lUg7dDYeyPQF54mUXPnIg3uQ/V9HBTY+ZW8rsVe1KRvPAuVFU77FfCvIFdLSX -Vi1HSUcGv9Y7Kk4Tkr7vzKshlcIp6zZrO0Y3t/+ekBwTTQqEoUylVYkCSt3z6bjp -VWbepkL88rbqJnPueTATw9shjbFYaND8cXZox9tQmlOIZ6gDeH1YvFf7ObRLxULm -7C6hwik6agtXWkNABVXSxM6MB4hcP9QC+FEhK6y/7wC3SyNRBuFujDG1aohJBBgR -AgAJBQJDCIMRAhsMAAoJEOqOiyEWuhNsVVMAoJ1gbL0PHVf7yDwMjO3HuJBErxLd -AJ4v9ojJnvJu2yUl4W586soBm+wsLg== -=n4L0 ------END PGP PUBLIC KEY BLOCK----- diff --git a/modules/apt-keys/files/db.debian.org.asc b/modules/apt-keys/files/db.debian.org.asc deleted file mode 100644 index 80a9f028..00000000 --- a/modules/apt-keys/files/db.debian.org.asc +++ /dev/null @@ -1,19 +0,0 @@ -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug -9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g -picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6 -SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq -CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S -H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW -VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ -k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU -gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu -Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID -AQIeAQIXgAUCS7uHvAUJB4XptQAKCRC+p88QvSsO4EsWAJsHsiccMVwWatQWuk2G -M3MdAZLDCwCfYma5XoZnyFv27h5LxGo+57xU44Y= -=2WKp ------END PGP PUBLIC KEY BLOCK----- diff --git a/modules/apt-keys/manifests/init.pp b/modules/apt-keys/manifests/init.pp deleted file mode 100644 index bb3574eb..00000000 --- a/modules/apt-keys/manifests/init.pp +++ /dev/null 
@@ -1,29 +0,0 @@ -class apt-keys { - file { - "/etc/apt/trusted-keys.d/": - ensure => directory, - purge => true, - notify => Exec["apt-keys-update"], - ; - - "/etc/apt/trusted-keys.d/backports.org.asc": - source => "puppet:///modules/apt-keys/backports.org.asc", - mode => 664, - notify => Exec["apt-keys-update"], - ; - "/etc/apt/trusted-keys.d/db.debian.org.asc": - source => "puppet:///modules/apt-keys/db.debian.org.asc", - mode => 664, - notify => Exec["apt-keys-update"], - ; - } - - exec { "apt-keys-update": - command => '/bin/true && for keyfile in /etc/apt/trusted-keys.d/*; do apt-key add $keyfile; done', - refreshonly => true - } -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp index f001291b..01dca34d 100644 --- a/modules/buildd/manifests/init.pp +++ b/modules/buildd/manifests/init.pp 
@@ -1,51 +1,43 @@
 class buildd {
- package {
- "schroot": ensure => installed;
- "sbuild": ensure => installed;
- "apt-transport-https": ensure => installed;
- "debootstrap": ensure => installed;
- "dupload": ensure => installed;
- }
+ package { [
+ 'schroot',
+ 'sbuild',
+ 'apt-transport-https',
+ 'debootstrap',
+ 'dupload'
+ ]:
+ ensure => installed
+ }
 
- file {
- "/etc/apt/preferences.d/buildd":
- ensure => absent
- ;
+ site::linux_module { 'dm_snapshot': }
 
- "/etc/apt/sources.list.d/buildd.list":
- content => template("buildd/etc/apt/sources.list.d/buildd.list.erb"),
- require => Package["apt-transport-https"],
- notify => Exec["apt-get update"],
- ;
+ site::aptrepo { 'buildd':
+ content => template('buildd/etc/apt/sources.list.d/buildd.list.erb'),
+ key => 'puppet:///modules/buildd/buildd.debian.org.asc',
+ }
 
- "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
- source => "puppet:///modules/buildd/buildd.debian.org.asc",
- mode => 664,
- notify => Exec["apt-keys-update"],
- ;
- "/etc/schroot/mount-defaults":
- content => template("buildd/etc/schroot/mount-defaults.erb"),
- require => Package["sbuild"]
- ;
- "/etc/cron.d/dsa-buildd":
- source => "puppet:///modules/buildd/cron.d-dsa-buildd",
- require => Package["debian.org"]
- ;
- "/etc/dupload.conf":
- source => "puppet:///modules/buildd/dupload.conf",
- require => Package["dupload"]
- ;
- "/etc/default/schroot":
- source => "puppet:///modules/buildd/default-schroot",
- require => Package["schroot"]
- ;
- }
-
- case $kernel {
- Linux: { linux_module { "dm_snapshot": ensure => present; } }
- }
+ file { '/etc/apt/preferences.d/buildd':
+ ensure => absent
+ }
+ file { '/etc/schroot/mount-defaults':
+ content => template('buildd/etc/schroot/mount-defaults.erb'),
+ require => Package['sbuild'],
+ }
+ file { '/etc/schroot/mount-defaults':
+ content => template('buildd/etc/schroot/mount-defaults.erb'),
+ require => Package['sbuild'],
+ }
+ file { '/etc/cron.d/dsa-buildd':
+ source => 'puppet:///modules/buildd/cron.d-dsa-buildd',
+ require => Package['debian.org']
+ }
+ file { '/etc/dupload.conf':
+ source => 'puppet:///modules/buildd/dupload.conf',
+ require => Package['dupload'],
+ }
+ file { '/etc/default/schroot':
+ source => 'puppet:///modules/buildd/default-schroot',
+ require => Package['schroot']
+ }
 }
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/buildd/templates/etc/schroot/mount-defaults.erb b/modules/buildd/templates/etc/schroot/mount-defaults.erb
index ec016d9c..9dc2d518 100644
--- a/modules/buildd/templates/etc/schroot/mount-defaults.erb
+++ b/modules/buildd/templates/etc/schroot/mount-defaults.erb
@@ -7,7 +7,7 @@
 # (CHROOT_PATH)
 #
 #
-<% if nodeinfo['ldap'].has_key?('architecture') and nodeinfo['ldap']['architecture'][0].start_with?('kfreebsd') -%>
+<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
 # kFreeBSD version
 proc /proc linprocfs defaults 0 0
 dev /dev devfs rw,bind 0 0
diff --git a/modules/clamav/manifests/init.pp b/modules/clamav/manifests/init.pp
index 885258bf..47c4109d 100644
--- a/modules/clamav/manifests/init.pp
+++ b/modules/clamav/manifests/init.pp
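Review bot: `file { '/etc/schroot/mount-defaults': ... }` is declared twice in the new body of class buildd, so the catalog fails with a duplicate declaration on every buildd host; delete the second copy. `site::linux_module { 'dm_snapshot': }` has also lost the `case $kernel { Linux: ... }` guard the old code had, so it is now evaluated on kFreeBSD buildds too, which the mount-defaults template in the next hunk shows do exist; unless site::linux_module checks the kernel itself, wrap it as `if $::kernel == 'Linux' { site::linux_module { 'dm_snapshot': } }`. The trusted-keys file and `Exec["apt-keys-update"]` notification are replaced by `key =>` on site::aptrepo, which is outside this chunk, so whether the key still reaches apt cannot be confirmed here.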
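Review bot: `scope.lookupvar('site::nodeinfo')` is evaluated twice within one condition, which makes the line hard to read and repeats the same lookup; binding it once on the preceding line, `<% nodeinfo = scope.lookupvar('site::nodeinfo') -%>`, lets the condition keep its original `nodeinfo['ldap']` form. The condition still indexes `['architecture'][0]` without checking that the array is non-empty, as it did before this change, so an LDAP entry with an empty architecture list would raise inside the template.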
@@ -1,24 +1,22 @@
 class clamav {
- package {
- "clamav-daemon": ensure => installed;
- "clamav-freshclam": ensure => installed;
- "clamav-unofficial-sigs": ensure => installed;
- }
- file {
- "/etc/clamav-unofficial-sigs.dsa.conf":
- require => Package["clamav-unofficial-sigs"],
- source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf" ]
- ;
- "/etc/clamav-unofficial-sigs.conf":
- require => Package["clamav-unofficial-sigs"],
- source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.conf" ]
- ;
- "/var/lib/clamav/mbl.ndb":
- ensure => absent,
- ;
- }
-}
+ package { [
+ 'clamav-daemon',
+ 'clamav-freshclam',
+ 'clamav-unofficial-sigs'
+ ]:
+ ensure => installed
+ }
+
+ file { '/var/lib/clamav/mbl.ndb':
+ ensure => absent
+ }
+ file { '/etc/clamav-unofficial-sigs.dsa.conf':
+ require => Package['clamav-unofficial-sigs'],
+ source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf' ]
+ }
+ file { '/etc/clamav-unofficial-sigs.conf':
+ require => Package['clamav-unofficial-sigs'],
+ source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.conf' ]
+ }
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+}
diff --git a/modules/dacs/manifests/init.pp b/modules/dacs/manifests/init.pp
index 79cf4841..377dfa9d 100644
--- a/modules/dacs/manifests/init.pp
+++ b/modules/dacs/manifests/init.pp
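Review bot: The single-element arrays `source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf' ]` and the matching one for clamav-unofficial-sigs.conf are leftovers of the per-host/common fallback lists this commit removes in the apache2 module; a plain string source behaves the same and reads as intended. The class installs clamav-daemon and clamav-freshclam but declares no service resource, so a stopped daemon is not restarted by puppet and a changed signature configuration notifies nothing; if that is deliberate, a one-line comment on the package list saying the services are managed elsewhere would spare the next reader the question.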
@@ -1,153 +1,89 @@ class dacs { - package { - "dacs": ensure => installed; - "libapache2-mod-dacs": ensure => installed; - } - - file { - "/var/log/dacs": - ensure => directory, - owner => root, - group => www-data, - mode => 770, - purge => true - ; - "/etc/dacs/federations": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN/groups": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/site.conf": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/site.conf", - "puppet:///modules/dacs/common/site.conf" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/dacs.conf": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/dacs.conf", - "puppet:///modules/dacs/common/dacs.conf" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls/revocations": - require => 
Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/revocations", - "puppet:///modules/dacs/common/revocations" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/jurisdictions.grp", - "puppet:///modules/dacs/common/jurisdictions.grp" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0", - "puppet:///modules/dacs/common/acl-noauth.0" ], - mode => 640, - owner => root, - group => www-data, - notify => Exec["dacsacl"] - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-private.0", - "puppet:///modules/dacs/common/acl-private.0" ], - mode => 640, - owner => root, - group => www-data, - notify => Exec["dacsacl"] - ; - - "/etc/dacs/federations/debian.org/federation_keyfile": - require => Package["libapache2-mod-dacs"], - source => "puppet:///modules/dacs/private/debian.org_federation_keyfile", - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile": - require => Package["libapache2-mod-dacs"], - source => "puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile", - mode => 640, - owner => root, - group => www-data - ; - - } - - exec { - "dacsacl": - command => "dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX", - refreshonly => true, - } - + package { 'dacs': + ensure => installed, + } + package { 'libapache2-mod-dacs': + ensure => installed, + } + + file { 
'/var/log/dacs': + ensure => directory, + owner => root, + group => www-data, + mode => '0770', + purge => true, + } + file { [ + '/etc/dacs/federations', + '/etc/dacs/federations/debian.org/', + '/etc/dacs/federations/debian.org/DEBIAN', + '/etc/dacs/federations/debian.org/DEBIAN/acls', + '/etc/dacs/federations/debian.org/DEBIAN/groups', + '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS' + ]: + ensure => directory, + owner => root, + group => www-data, + mode => '0750', + require => Package['libapache2-mod-dacs'], + purge => true + } + file { '/etc/dacs/federations/site.conf': + source => 'puppet:///modules/dacs/common/site.conf', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/dacs.conf': + source => 'puppet:///modules/dacs/common/dacs.conf', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/acls/revocations': + source => 'puppet:///modules/dacs/common/revocations', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp': + source => 'puppet:///modules/dacs/common/jurisdictions.grp', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0': + source => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0', + 'puppet:///modules/dacs/common/acl-noauth.0' ], + mode => '0640', + owner => root, + group => www-data, + notify => Exec['dacsacl'] + } + file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0': + source => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-private.0', + 'puppet:///modules/dacs/common/acl-private.0' ], + mode => '0640', + owner => root, + group => www-data, + notify => Exec['dacsacl'] + } + file { '/etc/dacs/federations/debian.org/federation_keyfile': + source => 'puppet:///modules/dacs/private/debian.org_federation_keyfile', + mode => '0640', + owner => root, 
+ group => www-data
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile':
+ source => 'puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+
+ exec { 'dacsacl':
+ command => 'dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX',
+ refreshonly => true,
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/debian-org/files/backports.org.asc b/modules/debian-org/files/backports.org.asc
new file mode 100644
index 00000000..335513c6
--- /dev/null
+++ b/modules/debian-org/files/backports.org.asc
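Review bot: The per-host sources for acl-noauth.0 and acl-private.0 are now single-quoted, so `$fqdn` is no longer interpolated and the first source is the literal path `per-host/$fqdn/acl-noauth.0`; the fileserver never finds it, Puppet silently falls through to the common ACL on every host, and any per-host DACS access-control override stops being applied with no error raised. Use double quotes with the fully-qualified fact, as the exim hunk in this same commit does: `source => [ "puppet:///modules/dacs/per-host/${::fqdn}/acl-noauth.0", 'puppet:///modules/dacs/common/acl-noauth.0' ],` and the same for acl-private.0. The per-host fallbacks for site.conf, dacs.conf, revocations and jurisdictions.grp were dropped entirely here; if that is intentional it deserves a comment, since revocations in particular was previously overridable per host.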
@@ -0,0 +1,40 @@ +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQGiBEMIgw4RBADueqAzlq+rQT9JYSSWnNzo6C+9crI8lzW/fcl2Q3PO97MOQTOx +Qsf/lOh0Ku7O+VdBa+BwVPuUkSw6wTY5Ku1y/6r1BQzJ9oHkryDDJXsHzKhpdyFc +/lD4hNGqRkiNg5ulwAI0O1eqffPWDmeR9ZzSsqM40f1U4TNLfPAu1viWxwCgnbWz +onY6RqSYlRsDQaPsNTwieVEEAJeX2FGgNepD1SvfEremAkWCrYYlSZI76iTIf6bd +kGkWqIT0vJyE2MNenhDJ2ebbHJVFmL9x8S3m1daC4Zwnacm7aoCY/QgMJ+Js1Fex +Acev48W9KHgpVbFMd1t8KAwRbmFcQf0C/FZUbE7xScpTxS4z3SsMOuRyfnGpDOi6 +m/SnA/9wpquf3pPwbPykzKWNJEDouiJgt0zaFLauKDPeyTWeJ6htaAPDglArewdq +bJ9M8QgLFtzjhg/fBQlRRUk7YP4OYtp1OdPkg2D/1rPQNySWlDf21T3N/K8ydKhR +bYi+AsPuJLQUi3d+lVTFOebaL9felePvDC2/Eod7PSD1/rnkZ7Q0QmFja3BvcnRz +Lm9yZyBBcmNoaXZlIEtleSA8ZnRwLW1hc3RlckBiYWNrcG9ydHMub3JnPohGBBAR +AgAGBQJDgImkAAoJEHFe1qB+e4rJ2x4An2oI4xJpDvOx8uDIo9ihG1M0MpUqAJ9S +cqVUmiyYSPtu8MwcZecy9kmOIYheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD +FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AniaEBvlr4oVFMrGgPiye7iE/jv68AJ48 +OkIfwcKJt7N8ImPAboeimFvWgIheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD +FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AnjdB14rGa/rzz1ohwsi1oEnDRYuyAJ44 +Nv8MTPjOaeEZArQ0flg8OXwF34hGBBARAgAGBQJEeI+KAAoJEHvDNTBle/A9pDwA +mwVpbaoH1hebV4MgXIpRvTQiL2keAJ9ryd2LvhbPd5EZM1C3Nsar2/2CgIhGBBAR +AgAGBQJHE7HYAAoJEGvFvIY3KyPVlwEAoJyGuJ/SsJTlyIVbulWYp3U/uZQTAJ4l +40SrE/wwDeSIrhWNkmmNPbnz54hGBBARAgAGBQJHKneLAAoJEBRrPPJWJbOATcsA +n3I8y3pJN6jkmnhUQepfa7jJoDY2AKClHVXYuNZpc2jZKyruwgwck+jCabkCDQRD +CIMREAgAzXu6DGSDAz4JH+mlthtiQwNZFU8bjWanGT3DL6zubxwc3ZQmRaMOiVuv +JUuaJv8fdGRSvp09dP2/x5mzq2rACiEnDwZssNSK5sigxgy2W9zeO9bOtg6bhqZL +wlsL8Y2xZhyGL3qGeP4zL1QbXZ1QdJuO90Xu7GWYS6Wsj+Y6dUsZFYvTZwSiLkEm +gFUTxkNue3DQtZ/KNkwoKc+aqU+S7gDNStQDvTNtR6IV11KbKcY1iQ0B2bkh4zSh +WwloIr83V6huAhfH8GA7UW6saRJAof5DJWUb+PRmU2TAOOlyZoM4nMH+sFFDPOeG +8fbecwlox5BRTMqcCB5ELbQXoVZT+wADBQf/ffI9R53f9USQkhsSak+k82JjRo9h +qKAvPwBv3fDhMYqX3XRmwgNeax2y6Ub0AQkDhIC6eJILP5hTb2gjpmYYP7YE/7F1 
+h37lUg7dDYeyPQF54mUXPnIg3uQ/V9HBTY+ZW8rsVe1KRvPAuVFU77FfCvIFdLSX +Vi1HSUcGv9Y7Kk4Tkr7vzKshlcIp6zZrO0Y3t/+ekBwTTQqEoUylVYkCSt3z6bjp +VWbepkL88rbqJnPueTATw9shjbFYaND8cXZox9tQmlOIZ6gDeH1YvFf7ObRLxULm +7C6hwik6agtXWkNABVXSxM6MB4hcP9QC+FEhK6y/7wC3SyNRBuFujDG1aohJBBgR +AgAJBQJDCIMRAhsMAAoJEOqOiyEWuhNsVVMAoJ1gbL0PHVf7yDwMjO3HuJBErxLd +AJ4v9ojJnvJu2yUl4W586soBm+wsLg== +=n4L0 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/modules/debian-org/files/db.debian.org.asc b/modules/debian-org/files/db.debian.org.asc new file mode 100644 index 00000000..80a9f028 --- /dev/null +++ b/modules/debian-org/files/db.debian.org.asc @@ -0,0 +1,19 @@ +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug +9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g +picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6 +SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq +CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S +H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW +VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ +k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU +gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu +Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID +AQIeAQIXgAUCS7uHvAUJB4XptQAKCRC+p88QvSsO4EsWAJsHsiccMVwWatQWuk2G +M3MdAZLDCwCfYma5XoZnyFv27h5LxGo+57xU44Y= +=2WKp +-----END PGP PUBLIC KEY BLOCK----- diff --git a/modules/debian-org/lib/facter/ipaddresses.rb b/modules/debian-org/lib/facter/ipaddresses.rb index 80b59bd3..0832063d 100644 --- a/modules/debian-org/lib/facter/ipaddresses.rb +++ b/modules/debian-org/lib/facter/ipaddresses.rb @@ -12,7 +12,7 @@ Facter.add("v4ips") do end ret = addrs.join(",") if ret.empty? - ret = 'no' + ret = '' end setcode do ret 
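Review bot: After this change the `if ret.empty? … end` block is dead code, since `addrs.join(",")` already yields an empty string when `addrs` is empty and the block now assigns that same value; the same applies to the hunks at -37 (v4ips) and -57 (v6ips). Dropping the three-line block in each place leaves `ret = addrs.join(",")` followed directly by the `end`/`setcode` lines. Anything that tests these facts against the old `'no'` sentinel (templates or manifests outside this diff) would now see `''` instead, so that check is worth a grep before merging.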
@@ -37,7 +37,7 @@ Facter.add("v4ips") do
 ret = addrs.join(",")
 if ret.empty?
- ret = 'no'
+ ret = ''
 end
 ret
 end
@@ -57,7 +57,7 @@ Facter.add("v6ips") do
 end
 ret = addrs.join(",")
 if ret.empty?
- ret = 'no'
+ ret = ''
 end
 setcode do
 ret
diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index 7d4bf5c3..30998c35 100644
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -1,220 +1,168 @@ -define sysctl($key, $value, $ensure=present) { - file { - "/etc/sysctl.d/$name.conf": - ensure => $ensure, - owner => root, - group => root, - mode => 0644, - content => "$key = $value\n", - notify => Exec["procps restart"], - } -} +class debian-org { -define set_alternatives($linkto) { - exec { - "/usr/sbin/update-alternatives --set $name $linkto": - unless => "/bin/sh -c '! [ -e $linkto ] || ! [ -e /etc/alternatives/$name ] || ([ -L /etc/alternatives/$name ] && [ /etc/alternatives/$name -ef $linkto ])'" - } -} + $debianadmin = [ + 'debian-archive-debian-samhain-reports@master.debian.org', + 'debian-admin@ftbfs.de', + 'weasel@debian.org', + 'steve@lobefin.net', + 'paravoid@debian.org' + ] -define linux_module ($ensure) { - case $ensure { - present: { - exec { "append_module_${name}": - command => "echo '${name}' >> /etc/modules", - unless => "grep -q -F -x '${name}' /etc/modules", - } - } - absent: { - exec { "remove_module_${name}": - command => "sed -i -e'/^${name}\$/d' /etc/modules", - onlyif => "grep -q -F -x '${name}' /etc/modules", - } - } - default: { - err("invalid ensure value ${ensure}") - } - } -} + package { [ + 'apt-utils', + 'bash-completion', + 'debian.org', + 'dnsutils', + 'dsa-munin-plugins', + 'klogd', + 'less', + 'lsb-release', + 'libfilesystem-ruby1.8', + 'molly-guard', + 'mtr-tiny', + 'nload', + 'pciutils', + 'rsyslog', + 'sysklogd', + ]: + ensure => installed, + } + munin::check { [ + 'cpu', + 'entropy', + 'forks', + 'interrupts', + 'iostat', + 'irqstats', + 'load', + 'memory', + 'ntp_offset', + 'ntp_states', + 'open_files', + 'open_inodes', + 'processes', + 'swap', + 'uptime', + 'vmstat', + ]: + } -class debian-org { - $debianadmin = [ "debian-archive-debian-samhain-reports@master.debian.org", "debian-admin@ftbfs.de", "weasel@debian.org", "steve@lobefin.net", "paravoid@debian.org" ] - package { - "apt-utils": ensure => installed; - "bash-completion": ensure => installed; - "debian.org": ensure => installed; - "dnsutils": 
ensure => installed; - "dsa-munin-plugins": ensure => installed; - "klogd": ensure => purged; - "less": ensure => installed; - "lsb-release": ensure => installed; - "libfilesystem-ruby1.8": ensure => installed; - "molly-guard": ensure => installed; - "mtr-tiny": ensure => installed; - "nload": ensure => installed; - "pciutils": ensure => installed; - "rsyslog": ensure => purged; - "sysklogd": ensure => purged; - } - case getfromhash($nodeinfo, 'broken-rtc') { - true: { - package { - fake-hwclock: ensure => installed; - } - } - } - case $debarchitecture { - "armhf": {} - default: { - file { - "/etc/apt/sources.list.d/security.list": - content => template("debian-org/etc/apt/sources.list.d/security.list.erb"), - notify => Exec["apt-get update"]; - "/etc/apt/sources.list.d/backports.org.list": - content => template("debian-org/etc/apt/sources.list.d/backports.org.list.erb"), - notify => Exec["apt-get update"]; - "/etc/apt/sources.list.d/volatile.list": - content => template("debian-org/etc/apt/sources.list.d/volatile.list.erb"), - notify => Exec["apt-get update"]; - } - } - } - file { - "/etc/apt/preferences": - source => "puppet:///modules/debian-org/apt.preferences"; - "/etc/apt/sources.list.d/debian.org.list": - content => template("debian-org/etc/apt/sources.list.d/debian.org.list.erb"), - notify => Exec["apt-get update"]; - "/etc/apt/apt.conf.d/local-compression": - source => "puppet:///modules/debian-org/apt.conf.d/local-compression"; - "/etc/apt/apt.conf.d/local-recommends": - source => "puppet:///modules/debian-org/apt.conf.d/local-recommends"; - "/etc/apt/apt.conf.d/local-pdiffs": - source => "puppet:///modules/debian-org/apt.conf.d/local-pdiffs"; - "/etc/timezone": - source => "puppet:///modules/debian-org/timezone", - notify => Exec["dpkg-reconfigure tzdata -pcritical -fnoninteractive"]; - "/etc/puppet/puppet.conf": - # require => Package["puppet"], - source => "puppet:///modules/debian-org/puppet.conf" - ; - "/etc/default/puppet": - # require => 
Package["puppet"], - source => "puppet:///modules/debian-org/puppet.default" - ; + if getfromhash($site::nodeinfo, 'broken-rtc') { + package { 'fake-hwclock': + ensure => installed + } + } - "/etc/cron.d/dsa-puppet-stuff": - source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron", - require => Package["debian.org"] - ; - "/etc/ldap/ldap.conf": - require => Package["debian.org"], - source => "puppet:///modules/debian-org/ldap.conf", - ; - "/etc/pam.d/common-session": - require => Package["debian.org"], - content => template("debian-org/pam.common-session.erb"), - ; - "/etc/rc.local": - mode => 0755, - source => "puppet:///modules/debian-org/rc.local", - notify => Exec["rc.local start"], - ; - "/etc/molly-guard/run.d/15-acquire-reboot-lock": - mode => 0755, - source => "puppet:///modules/debian-org/molly-guard-acquire-reboot-lock", - require => Package["molly-guard"], - ; + # This really means 'not wheezy' - "/etc/dsa": - mode => 0755, - ensure => directory, - ; - "/etc/dsa/cron.ignore.dsa-puppet-stuff": - source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore", - require => Package["debian.org"] - ; - } - - # set mmap_min_addr to 4096 to mitigate - # Linux NULL-pointer dereference exploits - sysctl { - "mmap_min_addr" : - key => "vm.mmap_min_addr", - value => 4096, - } - - set_alternatives { - "editor": - linkto => "/usr/bin/vim.basic", - } - - mailalias { - "samhain-reports": - recipient => $debianadmin, - ensure => present; - } + if $::debarchitecture != 'armhf' { + site::aptrepo { 'security': + template => 'debian-org/etc/apt/sources.list.d/security.list.erb', + } + site::aptrepo { 'backports.org': + template => 'debian-org/etc/apt/sources.list.d/backports.org.list.erb', + key => 'puppet:///modules/debian-org/backports.org.asc', + } + site::aptrepo { 'volatile': + template => 'debian-org/etc/apt/sources.list.d/volatile.list.erb', + } + } - exec { - "dpkg-reconfigure tzdata -pcritical -fnoninteractive": - path => 
"/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "apt-get update": - command => 'apt-get update', - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "puppetmaster restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "rc.local start": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "procps restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "init q": - refreshonly => true; - } -} + site::aptrepo { 'debian.org': + template => 'debian-org/etc/apt/sources.list.d/debian.org.list.erb', + key => 'puppet:///modules/debian-org/db.debian.org.asc', + } -class debian-proliant inherits debian-org { - package { - "hpacucli": ensure => installed; - "hp-health": ensure => installed; - "arrayprobe": ensure => installed; - } - case $lsbdistcodename { - 'lenny': { - package { - "cpqarrayd": ensure => installed; - } - } - } - case $debarchitecture { - "amd64": { - package { "lib32gcc1": ensure => installed; } - } - } - file { - "/etc/apt/sources.list.d/debian.restricted.list": - content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"), - notify => Exec["apt-get update"]; - } -} + file { '/etc/apt/preferences': + source => 'puppet:///modules/debian-org/apt.preferences', + } + file { '/etc/apt/trusted-keys.d/': + ensure => directory, + purge => true, + } + file { '/etc/apt/apt.conf.d/local-compression': + source => 'puppet:///modules/debian-org/apt.conf.d/local-compression', + } + file { '/etc/apt/apt.conf.d/local-recommends': + source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends', + } + file { '/etc/apt/apt.conf.d/local-pdiffs': + source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs', + } + file { '/etc/timezone': + source => 'puppet:///modules/debian-org/timezone', + notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'], + } + file { '/etc/puppet/puppet.conf': + source => 
'puppet:///modules/debian-org/puppet.conf', + } + file { '/etc/default/puppet': + source => 'puppet:///modules/debian-org/puppet.default', + } + file { '/etc/cron.d/dsa-puppet-stuff': + source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron', + require => Package['debian.org'], + } + file { '/etc/ldap/ldap.conf': + require => Package['debian.org'], + source => 'puppet:///modules/debian-org/ldap.conf', + } + file { '/etc/pam.d/common-session': + require => Package['debian.org'], + content => template('debian-org/pam.common-session.erb'), + } + file { '/etc/rc.local': + mode => '0755', + source => 'puppet:///modules/debian-org/rc.local', + notify => Exec['rc.local start'], + } + file { '/etc/molly-guard/run.d/15-acquire-reboot-lock': + mode => '0755', + source => 'puppet:///modules/debian-org/molly-guard-acquire-reboot-lock', + require => Package['molly-guard'], + } + file { '/etc/dsa': + ensure => directory, + mode => '0755', + } + file { '/etc/dsa/cron.ignore.dsa-puppet-stuff': + source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore', + require => Package['debian.org'] + } + + # set mmap_min_addr to 4096 to mitigate + # Linux NULL-pointer dereference exploits + site::sysctl { 'mmap_min_addr': + key => 'vm.mmap_min_addr', + value => '4096', + } + site::alternative { 'editor': + linkto => '/usr/bin/vim.basic', + } + mailalias { 'samhain-reports': + ensure => present, + recipient => $debianadmin, + } + + exec { 'apt-get update': + path => '/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true, + }-> Package <| |> -class debian-radvd inherits debian-org { - sysctl { - "dsa-accept-ra-default" : - key => "net.ipv6.conf.default.accept_ra", - value => 0, - } - sysctl { - "dsa-accept-ra-all" : - key => "net.ipv6.conf.all.accept_ra", - value => 0, - } + exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive': + path => '/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true + } + exec { 'puppetmaster restart': + path => 
'/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true + } + exec { 'rc.local start': + path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true + } + exec { 'init q': + refreshonly => true + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/debian-org/manifests/proliant.pp b/modules/debian-org/manifests/proliant.pp new file mode 100644 index 00000000..04b9cdd3 --- /dev/null +++ b/modules/debian-org/manifests/proliant.pp @@ -0,0 +1,30 @@ +class debian-org::proliant { + + site::aptrepo { 'debian.restricted': + template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb', + } + + package { 'hpacucli': + ensure => installed, + } + package { 'hp-health': + ensure => installed, + } + package { 'arrayprobe': + ensure => installed, + } + + if $::lsbdistcodename == 'lenny' { + package { 'cpqarrayd': + ensure => installed, + } + } + + if $::debarchitecture == 'amd64' { + package { 'lib32gcc1': + ensure => installed, + } + } +} + + diff --git a/modules/debian-org/manifests/radvd.pp b/modules/debian-org/manifests/radvd.pp new file mode 100644 index 00000000..b9eeb808 --- /dev/null +++ b/modules/debian-org/manifests/radvd.pp @@ -0,0 +1,10 @@ +class debian-org::radvd { + site::sysctl { 'dsa-accept-ra-default': + key => 'net.ipv6.conf.default.accept_ra', + value => 0, + } + site::sysctl { 'dsa-accept-ra-all': + key => 'net.ipv6.conf.all.accept_ra', + value => 0, + } +} diff --git a/modules/entropykey/manifests/init.pp b/modules/entropykey/manifests/init.pp index 8f91cf55..6d327fc6 100644 --- a/modules/entropykey/manifests/init.pp +++ b/modules/entropykey/manifests/init.pp 
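Review bot: The package list at the top of `class debian-org` now installs klogd, rsyslog and sysklogd, which the removed lines had as `ensure => purged`; on hosts that run syslog-ng (the old node default in site.pp included it) this either fails the apt run through conflicting syslog packages or brings a second logger back, so these three should leave the installed list and keep their own declaration, `package { [ 'klogd', 'rsyslog', 'sysklogd' ]: ensure => purged }`. The comment `# This really means 'not wheezy'` does not say what "this" is; presumably armhf only exists from wheezy on, so `# armhf first appears in wheezy, so this really means 'not wheezy'` placed directly above the `if $::debarchitecture != 'armhf' {` line would keep the intent readable. The new `/etc/apt/trusted-keys.d/` directory with `purge => true` is not a directory apt reads on its own (apt uses `/etc/apt/trusted.gpg.d/`), so how `site::aptrepo` consumes its `key` parameter decides whether these .asc files become trust anchors; if it ends in an `apt-key add`, the key is then trusted for every configured source, not only the repository it is declared with, which is worth stating next to the `key =>` lines.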
@@ -1,86 +1,18 @@ -class entropykey::provider { - package { - "ekeyd": ensure => installed; - } - - file { - "/etc/entropykey/ekeyd.conf": - source => "puppet:///modules/entropykey/ekeyd.conf", - notify => Exec['restart_ekeyd'], - require => [ Package['ekeyd'] ], - ; - # our CRL expires after a while (2 or 4 weeks?), so we have - # to restart stunnel so it loads the new CRL. - "/etc/cron.weekly/stunnel-ekey-restart": - content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n", - mode => "555", - ; - } - - exec { - "restart_ekeyd": - command => "true && cd / && env -i /etc/init.d/ekeyd restart", - require => [ File['/etc/entropykey/ekeyd.conf'] ], - refreshonly => true, - ; - } - - include "stunnel4" - stunnel4::stunnel_server { - "ekeyd": - accept => 18888, - connect => "127.0.0.1:8888", - ; - } -} - -class entropykey::local_consumer { - package { - "ekeyd-egd-linux": ensure => installed; - } - - file { - "/etc/default/ekeyd-egd-linux": - source => "puppet:///modules/entropykey/ekeyd-egd-linux", - notify => Exec['restart_ekeyd-egd-linux'], - require => [ Package['ekeyd-egd-linux'] ], - ; - } - - exec { - "restart_ekeyd-egd-linux": - command => "true && cd / && env -i /etc/init.d/ekeyd-egd-linux restart", - require => [ File['/etc/default/ekeyd-egd-linux'] ], - refreshonly => true, - ; - } -} - -class entropykey::remote_consumer inherits entropykey::local_consumer { - include "stunnel4" - stunnel4::stunnel_client { - "ekeyd": - accept => "127.0.0.1:8888", - connecthost => "${entropy_provider}", - connectport => 18888, - ; - } -} - class entropykey { - case getfromhash($nodeinfo, 'entropy_key') { - true: { include entropykey::provider } - } - $entropy_provider = entropy_provider($fqdn, $nodeinfo) - case $entropy_provider { - false: {} - local: { include entropykey::local_consumer } - default: { include entropykey::remote_consumer } - } + if getfromhash($site::nodeinfo, 'entropy_key') { + include 
entropykey::provider + } + + $entropy_provider = entropy_provider($::fqdn, $site::nodeinfo) + case $entropy_provider { + false: {} + local: { include entropykey::local_consumer } + default: { + class { 'entropykey::remote_consumer': + entropy_provider => $entropy_provider, + } + } + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/entropykey/manifests/local_consumer.pp b/modules/entropykey/manifests/local_consumer.pp new file mode 100644 index 00000000..ecfe24c2 --- /dev/null +++ b/modules/entropykey/manifests/local_consumer.pp @@ -0,0 +1,14 @@ +class entropykey::local_consumer { + + package { 'ekeyd-egd-linux': ensure => installed } + + file { '/etc/default/ekeyd-egd-linux': + source => 'puppet:///modules/entropykey/ekeyd-egd-linux', + notify => Service['ekeyd-egd-linux'], + require => Package['ekeyd-egd-linux'], + } + + service { 'ekeyd-egd-linux': + require => File['/etc/default/ekeyd-egd-linux'], + } +} diff --git a/modules/entropykey/manifests/provider.pp b/modules/entropykey/manifests/provider.pp new file mode 100644 index 00000000..99148102 --- /dev/null +++ b/modules/entropykey/manifests/provider.pp @@ -0,0 +1,27 @@ +class entropykey::provider { + + package { 'ekeyd': ensure => installed } + + file { '/etc/entropykey/ekeyd.conf': + source => 'puppet:///modules/entropykey/ekeyd.conf', + notify => Service['ekeyd'], + require => Package['ekeyd'], + } + + # our CRL expires after a while (2 or 4 weeks?), so we have + # to restart stunnel so it loads the new CRL. + file { '/etc/cron.weekly/stunnel-ekey-restart': + content => '#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n', + mode => '0555', + } + + service { 'ekeyd': + ensure => running, + require => File['/etc/entropykey/ekeyd.conf'], + } + + stunnel4::stunnel_server { 'ekeyd': + accept => 18888, + connect => '127.0.0.1:8888', + } +} 
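Review bot: `service { 'ekeyd-egd-linux': … }` in local_consumer.pp declares no `ensure`, so Puppet never starts the daemon and only restarts it when the default file notifies it; the sibling provider.pp in this commit uses `ensure => running` for ekeyd, and the same here, `service { 'ekeyd-egd-linux': ensure => running, require => File['/etc/default/ekeyd-egd-linux'], }`, keeps the consumer feeding entropy after a reboot or a manual stop. If leaving it unmanaged is deliberate, a one-line comment saying so would stop the next reader from adding it.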
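Review bot: The `content` of `/etc/cron.weekly/stunnel-ekey-restart` in provider.pp is now single-quoted, and Puppet single quotes do not process `\n`, so the whole script is written as one line beginning `#!/bin/sh\n# This file…`; the kernel then looks for an interpreter literally named `/bin/sh\n#`, run-parts cannot execute the file, and the weekly stunnel restart that picks up the fresh CRL silently stops happening, which is exactly the case the comment above it exists to prevent. Restore the double quotes the removed version had: `content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n",`.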
diff --git a/modules/entropykey/manifests/remote_consumer.pp b/modules/entropykey/manifests/remote_consumer.pp
new file mode 100644
index 00000000..20d14774
--- /dev/null
+++ b/modules/entropykey/manifests/remote_consumer.pp
@@ -0,0 +1,8 @@
+class entropykey::remote_consumer ($entropy_provider) inherits entropykey::local_consumer {
+
+ stunnel4::stunnel_client { 'ekeyd':
+ accept => '127.0.0.1:8888',
+ connecthost => $entropy_provider,
+ connectport => 18888,
+ }
+}
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index a448d2ae..e18f0aab 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
@@ -1,190 +1,148 @@ class exim { - activate_munin_check { - "ps_exim4": script => "ps_"; - "exim_mailqueue":; - "exim_mailstats":; - "postfix_mailqueue": ensure => absent; - "postfix_mailstats": ensure => absent; - "postfix_mailvolume": ensure => absent; - } + munin::check { 'ps_exim4': script => 'ps_' } + munin::check { 'exim_mailqueue': } + munin::check { 'exim_mailstats': } - package { exim4-daemon-heavy: ensure => installed } + munin::check { 'postfix_mailqueue': ensure => absent } + munin::check { 'postfix_mailstats': ensure => absent } + munin::check { 'postfix_mailvolume': ensure => absent } - file { - "/etc/exim4/": - ensure => directory, - owner => root, - group => root, - mode => 755, - purge => true - ; - "/etc/exim4/Git": - ensure => directory, - purge => true, - force => true, - recurse => true, - source => "puppet:///files/empty/" - ; - "/etc/exim4/conf.d": - ensure => directory, - purge => true, - force => true, - recurse => true, - source => "puppet:///files/empty/" - ; - "/etc/exim4/ssl": - ensure => directory, - owner => root, - group => Debian-exim, - mode => 750, - require => Package["exim4-daemon-heavy"], - purge => true - ; - "/etc/mailname": - content => template("exim/mailname.erb"), - ; - "/etc/exim4/exim4.conf": - content => template("exim/eximconf.erb"), - require => Package["exim4-daemon-heavy"], - notify => Exec["exim4 reload"] - ; - "/etc/exim4/manualroute": - require => Package["exim4-daemon-heavy"], - content => template("exim/manualroute.erb") - ; - "/etc/exim4/host_blacklist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/host_blacklist", - "puppet:///modules/exim/common/host_blacklist" ] - ; - "/etc/exim4/blacklist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/blacklist", - "puppet:///modules/exim/common/blacklist" ] - ; - "/etc/exim4/callout_users": - require => Package["exim4-daemon-heavy"], - source => [ 
"puppet:///modules/exim/per-host/$fqdn/callout_users", - "puppet:///modules/exim/common/callout_users" ] - ; - "/etc/exim4/grey_users": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/grey_users", - "puppet:///modules/exim/common/grey_users" ] - ; - "/etc/exim4/helo-check": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/helo-check", - "puppet:///modules/exim/common/helo-check" ] - ; - "/etc/exim4/locals": - require => Package["exim4-daemon-heavy"], - content => template("exim/locals.erb") - ; - "/etc/exim4/localusers": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/localusers", - "puppet:///modules/exim/common/localusers" ] - ; - "/etc/exim4/rbllist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/rbllist", - "puppet:///modules/exim/common/rbllist" ] - ; - "/etc/exim4/rhsbllist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/rhsbllist", - "puppet:///modules/exim/common/rhsbllist" ] - ; - "/etc/exim4/virtualdomains": - require => Package["exim4-daemon-heavy"], - content => template("exim/virtualdomains.erb") - ; - "/etc/exim4/whitelist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/whitelist", - "puppet:///modules/exim/common/whitelist" ] - ; - "/etc/exim4/submission-domains": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/submission-domains", - "puppet:///modules/exim/common/submission-domains" ] - ; - "/etc/logrotate.d/exim4-base": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-base", - "puppet:///modules/exim/common/logrotate-exim4-base" ] - ; - "/etc/logrotate.d/exim4-paniclog": - require => Package["exim4-daemon-heavy"], - source => [ 
"puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-paniclog", - "puppet:///modules/exim/common/logrotate-exim4-paniclog" ] - ; - "/etc/exim4/ssl/thishost.crt": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/$fqdn.crt", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/thishost.key": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/$fqdn.key", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/ca.crt": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/ca.crt", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/ca.crl": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/ca.crl", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/var/log/exim4": - mode => 2750, - ensure => directory, - owner => Debian-exim, - group => maillog - ; - } + package { 'exim4-daemon-heavy': ensure => installed } - exec { "exim4 reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + service { 'exim4': + ensure => running, + require => File['/etc/exim4/exim4.conf'], + } - case getfromhash($nodeinfo, 'mail_port') { - /^(\d+)$/: { $mail_port = $1 } - default: { $mail_port = 'smtp' } - } + file { '/etc/exim4/': + ensure => directory, + mode => '0755', + require => Package['exim4-daemon-heavy'], + purge => true, + } + file { '/etc/exim4/Git': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/exim4/conf.d': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/exim4/ssl': + ensure => directory, + group => Debian-exim, + mode => '0750', + purge => true, + } + file { '/etc/exim4/exim4.conf': + content => template('exim/eximconf.erb'), + notify => Service['exim4'], + 
} + file { '/etc/mailname': + content => template('exim/mailname.erb'), + } + file { '/etc/exim4/manualroute': + content => template('exim/manualroute.erb') + } + file { '/etc/exim4/locals': + content => template('exim/locals.erb') + } + file { '/etc/exim4/virtualdomains': + content => template('exim/virtualdomains.erb'), + } + file { '/etc/exim4/submission-domains': + content => template('exim/common/submission-domains.erb'), + } + file { '/etc/exim4/host_blacklist': + source => 'puppet:///modules/exim/common/host_blacklist', + } + file { '/etc/exim4/blacklist': + source => 'puppet:///modules/exim/common/blacklist', + } + file { '/etc/exim4/callout_users': + source => 'puppet:///modules/exim/common/callout_users', + } + file { '/etc/exim4/grey_users': + source => 'puppet:///modules/exim/common/grey_users', + } + file { '/etc/exim4/helo-check': + source => 'puppet:///modules/exim/common/helo-check', + } + file { '/etc/exim4/localusers': + source => 'puppet:///modules/exim/common/localusers', + } + file { '/etc/exim4/rbllist': + source => 'puppet:///modules/exim/common/rbllist', + } + file { '/etc/exim4/rhsbllist': + source => 'puppet:///modules/exim/common/rhsbllist', + } + file { '/etc/exim4/whitelist': + source => 'puppet:///modules/exim/common/whitelist', + } + file { '/etc/logrotate.d/exim4-base': + source => 'puppet:///modules/exim/common/logrotate-exim4-base', + } + file { '/etc/logrotate.d/exim4-paniclog': + source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog' + } + file { '/etc/exim4/ssl/thishost.crt': + source => "puppet:///modules/exim/certs/${::fqdn}.crt", + group => Debian-exim, + mode => '0640', + } + file { '/etc/exim4/ssl/thishost.key': + source => "puppet:///modules/exim/certs/${::fqdn}.key", + group => Debian-exim, + mode => '0640', + } + file { '/etc/exim4/ssl/ca.crt': + source => 'puppet:///modules/exim/certs/ca.crt', + group => Debian-exim, + mode => '0640', + } + file { '/etc/exim4/ssl/ca.crl': + source => 
'puppet:///modules/exim/certs/ca.crl', + group => Debian-exim, + mode => '0640', + } + file { '/var/log/exim4': + ensure => directory, + mode => '2750', + owner => Debian-exim, + group => maillog, + } + + case getfromhash($site::nodeinfo, 'mail_port') { + /^(\d+)$/: { $mail_port = $1 } + default: { $mail_port = 'smtp' } + } + + @ferm::rule { 'dsa-exim': + description => 'Allow SMTP', + rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)' + } + + @ferm::rule { 'dsa-exim-v6': + description => 'Allow SMTP', + domain => 'ip6', + rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)' + } + + # Do we actually want this? I'm only doing it because it's harmless + # and makes the logs quiet. There are better ways of making logs quiet, + # though. + @ferm::rule { 'dsa-ident': + domain => '(ip ip6)', + description => 'Allow ident access', + rule => '&SERVICE(tcp, 113)' + } - @ferm::rule { "dsa-exim": - description => "Allow SMTP", - rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)" - } - @ferm::rule { "dsa-exim-v6": - description => "Allow SMTP", - domain => "ip6", - rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)" - } - # Do we actually want this? I'm only doing it because it's harmless - # and makes the logs quiet. There are better ways of making logs quiet, - # though. - @ferm::rule { "dsa-ident": - domain => "(ip ip6)", - description => "Allow ident access", - rule => "&SERVICE(tcp, 113)" - } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp index 8a81592e..c1b4fdbc 100644 --- a/modules/exim/manifests/mx.pp +++ b/modules/exim/manifests/mx.pp 
@@ -1,37 +1,26 @@ class exim::mx inherits exim { - include clamav - include postgrey + include clamav + include postgrey - file { - "/etc/exim4/ccTLD.txt": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/common/ccTLD.txt" ] - ; - "/etc/exim4/surbl_whitelist.txt": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/common/surbl_whitelist.txt" ] - ; - "/etc/exim4/exim_surbl.pl": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/common/exim_surbl.pl" ], - notify => Exec["exim4 restart"] - ; - } - exec { "exim4 restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } - @ferm::rule { "dsa-exim-submission": - description => "Allow SMTP", - rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)" - } - @ferm::rule { "dsa-exim-v6-submission": - description => "Allow SMTP", - domain => "ip6", - rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)" - } -} + file { '/etc/exim4/ccTLD.txt': + source => 'puppet:///modules/exim/common/ccTLD.txt', + } + file { '/etc/exim4/surbl_whitelist.txt': + source => 'puppet:///modules/exim/common/surbl_whitelist.txt', + } + file { '/etc/exim4/exim_surbl.pl': + source => 'puppet:///modules/exim/common/exim_surbl.pl', + notify => Service['exim4'], + } + + @ferm::rule { 'dsa-exim-submission': + description => 'Allow SMTP', + rule => '&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)' + } + @ferm::rule { 'dsa-exim-v6-submission': + description => 'Allow SMTP', + domain => 'ip6', + rule => '&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)', + } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: +} diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 575ad0c5..9877917b 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb 
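Review bot: Moving the two `@ferm::rule` strings to single quotes changes what ferm receives: Puppet only honours `\\` and `\'` inside single quotes, so `'&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)'` now carries a literal backslash before `$SMTP_SOURCES` where the double-quoted original produced a bare `$`, and ferm will presumably reject the generated rule unless ferm-rule.erb (not shown here) strips it. The exim init.pp hunk above has the same problem plus a worse one, since its `'&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)'` also stops interpolating `$mail_port`; these rules need to stay double-quoted, e.g. `rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"`. Because these strings define the SMTP openings in the host firewall, a ferm parse failure leaves whatever ruleset was loaded before in place rather than the intended one, which is easy to miss without a failed-run alert. Minor: `dsa-exim-submission` lacks the trailing comma its `-v6` sibling has.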
@@ -32,7 +32,7 @@ # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted # bsmtp_domains - Domains that we deliver locally via bsmtp -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> # mailhubdomains - Domains for which we are the MX, but the mail is relayed # elsewhere. This is designed for use with small volume or # restricted machines that need to use a smarthost for mail @@ -76,7 +76,7 @@ # MAIN CONFIGURATION SETTINGS # ###################################################################### -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> perl_startup = do '/etc/exim4/exim_surbl.pl' <%- end -%> @@ -87,7 +87,7 @@ perl_startup = do '/etc/exim4/exim_surbl.pl' acl_smtp_helo = check_helo acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}} acl_smtp_data = check_message -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> acl_smtp_mime = acl_check_mime <%- end -%> acl_smtp_predata = acl_check_predata @@ -121,9 +121,9 @@ localpartlist postmasterish = postmaster : abuse : hostmaster hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts ; 89.16.166.49 ; 82.195.75.76 ; 2001:41b8:202:deb:bab5:0:52c3:4b4c -hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %> +hostlist reservedaddrs = <%= scope.lookupvar('site::nodeinfo')['reservedaddrs'] %> -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. domainlist mailhubdomains = lsearch;/etc/exim4/manualroute 
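Review bot: Every template condition in this hunk and the following ones (-76, -87, -121 here, and the rest of eximconf.erb down to -1623) now calls `scope.lookupvar('site::nodeinfo')` inline, with the `heavy_exim` tests doing it twice on one line, which makes the conditions noticeably harder to read than the `nodeinfo[...]` they replace. Binding it once near the top of the template, `<%- nodeinfo = scope.lookupvar('site::nodeinfo') -%>`, keeps the change to a single line and leaves every condition as it was; the same applies to manualroute.erb, where `site::allnodeinfo` and `site::localinfo` are looked up three times per loop iteration. A single binding is also the natural place to handle the lookup failing: in Puppet 2.x/3.x `lookupvar` returns a symbol (`:undefined`/`:undef`) for a missing variable rather than raising, so the inline form fails later with a less obvious NoMethodError on the subscript.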
@@ -169,7 +169,7 @@ timeout_frozen_after=14d message_size_limit = 100M message_logs = false smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}} -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 @@ -188,7 +188,7 @@ check_spool_space = 20M delay_warning = -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> message_body_visible = 5000 queue_run_max = 50 deliver_queue_load_max = 50 @@ -210,16 +210,16 @@ ports = [] out = "daemon_smtp_ports = " ports << 25 -if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] +if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] ports << 587 end -if not nodeinfo['mail_port'].to_s.empty? - ports << nodeinfo['mail_port'] +if not scope.lookupvar('site::nodeinfo')['mail_port'].to_s.empty? + ports << scope.lookupvar('site::nodeinfo')['mail_port'] end -if nodeinfo['mailrelay'] - ports << nodeinfo['smarthost_port'] +if scope.lookupvar('site::nodeinfo')['mailrelay'] + ports << scope.lookupvar('site::nodeinfo')['smarthost_port'] end out += ports.uniq.sort.join(" : ") @@ -289,7 +289,7 @@ acl_getprofile: hosts = !+debianhosts set acl_m_rprf = localonly -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> warn local_parts = +local_only_users domains = +mailhubdomains hosts = !+debianhosts 
@@ -298,28 +298,28 @@ acl_getprofile: <%- end -%> accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> warn domains = rt.debian.org set acl_m_rprf = RTMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if nodeinfo['bugsmx'] -%> +<%- if scope.lookupvar('site::nodeinfo')['bugsmx'] -%> warn domains = bugs.debian.org set acl_m_rprf = BugsMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> warn domains = packages.debian.org set acl_m_rprf = PackagesMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if nodeinfo['packagesqamaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%> warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org set acl_m_rprf = PTSOwner @@ -391,11 +391,11 @@ check_helo: warn set acl_c_scr = 0 -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept verify = certificate <%- end -%> -<%- if nodeinfo['smarthost'].empty? -%> +<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%> # These are in HELO acl so that they are only run once. They increment a counter, # so we don't want it to increment per rcpt to. @@ -487,7 +487,7 @@ check_submission: # We do this by testing for an empty sending host field. accept hosts = +debianhosts -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept verify = certificate <%- end -%> @@ -508,7 +508,7 @@ check_submission: endpass verify = recipient -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept domains = +mailhubdomains endpass verify = recipient/callout=30s,defer_ok,use_sender,no_cache 
@@ -523,7 +523,7 @@ check_submission: #!!# ACL that is used after the RCPT command check_recipient: -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept verify = certificate <%- end -%> @@ -636,7 +636,7 @@ check_recipient: warn condition = ${if eq{$acl_m_prf}{localonly}} set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> warn condition = ${if eq {$acl_m_prf}{PackagesMail}} condition = ${if eq {$sender_address}{$local_part@$domain}} message = X-Packages-FromTo-Same: yes @@ -714,7 +714,7 @@ check_recipient: condition = ${if eq{$acl_m_act}{450}{yes}{no}} <%- end -%> -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> warn condition = ${if eq{$acl_m_prf}{RTMail}} set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}{match{$local_part}{3520}}{match{$local_part}{3645}}} {RTMailRecipientHasSubaddress}}}} # temporary hack because weasel screwed up and gave people an rt-3520@ address, which doesn't really work normally. and rt-3645 @@ -805,7 +805,7 @@ check_recipient: senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}} message = We have blacklisted <$sender_address>. Please stop mailing us -<%- if nodeinfo['smarthost'].empty? -%> +<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%> deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ 
@@ -825,7 +825,7 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST -<%- if nodeinfo['smarthost'].empty? -%> +<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%> deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\ @@ -836,7 +836,7 @@ check_recipient: !verify = sender/callout=90s,maxwait=300s <%- end -%> -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept domains = +mailhubdomains endpass verify = recipient/callout=30s,defer_ok,use_sender,no_cache @@ -852,7 +852,7 @@ check_recipient: deny message = relay not permitted -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> acl_check_mime: accept verify = certificate @@ -895,7 +895,7 @@ check_message: # header. Take their crack pipe away. drop condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}} -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> deny condition = ${if eq {$acl_m_prf}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ @@ -903,7 +903,7 @@ check_message: message = messages to the Request Tracker system require a subject tag or a subaddress <%- end -%> -<%- if nodeinfo['packagesqamaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%> deny !hosts = +debianhosts : 217.196.43.134 condition = ${if eq {$acl_m_prf}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} 
@@ -961,7 +961,7 @@ check_message: message = X-malware detected: $malware_name <%- end -%> -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> discard condition = ${if <{$message_size}{256000}} condition = ${if eq {$acl_m_prf}{blackhole}} set acl_m_srb = ${perl{surblspamcheck}} @@ -988,7 +988,7 @@ check_message: !verify = header_sender message = No valid sender found in the From:, Sender: and Reply-to: headers -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> deny message = Congratulations, you scored $spam_score points. log_message = spam: $spam_score points. condition = ${if eq {$acl_m_prf}{PackagesMail}} @@ -1036,7 +1036,7 @@ begin routers # An address is passed to each in turn until it is accepted. # ###################################################################### -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> relay_manualroute: driver = manualroute domains = +mailhubdomains @@ -1067,15 +1067,15 @@ ipliteral: <%= out = "" -if not nodeinfo['smarthost'].empty? +if not scope.lookupvar('site::nodeinfo')['smarthost'].empty? out = ' smarthost: debug_print = "R: smarthost for $local_part@$domain" driver = manualroute domains = !+handled_domains transport = remote_smtp_smarthost - route_list = * ' + nodeinfo['smarthost'] - if nodeinfo['smarthost'] == 'mailout.debian.org' + route_list = * ' + scope.lookupvar('site::nodeinfo')['smarthost'] + if scope.lookupvar('site::nodeinfo')['smarthost'] == 'mailout.debian.org' out += '/MX' end out += ' 
@@ -1310,7 +1310,7 @@ localuser: # Everything before here should apply only to the local domains with a # domains= rule -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> # This router delivers for packages.d.o packages: debug_print = "R: packages for $local_part@$domain" @@ -1328,7 +1328,7 @@ packages: no_more <%- end -%> -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> # This router delivers for rt.d.o rt_force_new_verbose: debug_print = "R: rt for $local_part+new@$domain" @@ -1452,9 +1452,9 @@ virt_users: <%= out = "" -if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] +if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] domain = 'bugs.debian.org' - if nodeinfo['bugsmaster'] + if scope.lookupvar('site::nodeinfo')['bugsmaster'] domain = 'bugs-master.debian.org' end out = ' @@ -1573,17 +1573,17 @@ remote_smtp: <%= out = "" -if not nodeinfo['smarthost'].empty? +if not scope.lookupvar('site::nodeinfo')['smarthost'].empty? out = ' remote_smtp_smarthost: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp delay_after_cutoff = false port = ' - out += nodeinfo['smarthost_port'].to_s + "\n" + out += scope.lookupvar('site::nodeinfo')['smarthost_port'].to_s + "\n" if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" out += ' tls_tempfail_tryclear = false - hosts_require_tls = ' + nodeinfo['smarthost'] + ' + hosts_require_tls = ' + scope.lookupvar('site::nodeinfo')['smarthost'] + ' tls_certificate = /etc/exim4/ssl/thishost.crt tls_privatekey = /etc/exim4/ssl/thishost.key ' @@ -1610,7 +1610,7 @@ bsmtp: {$value}fail}\ }} -<%- if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] -%> +<%- if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] -%> bugs_pipe: driver = pipe command = /org/bugs.debian.org/mail/run-procmail 
@@ -1623,7 +1623,7 @@ bugs_pipe: user = debbugs <%- end -%> -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> rt_pipe: debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain" driver = pipe diff --git a/modules/exim/templates/manualroute.erb b/modules/exim/templates/manualroute.erb index 40062d8d..0e57849a 100644 --- a/modules/exim/templates/manualroute.erb +++ b/modules/exim/templates/manualroute.erb @@ -12,20 +12,20 @@ mxmatches = [ fqdn ] routes = [] extraroutes = [] -if nodeinfo['mailrelay'] +if scope.lookupvar('site::nodeinfo')['mailrelay'] mxmatches << 'mailout.debian.org' extraroutes = [ "keyring.debian.org:\t\tkaufmann.debian.org" ] end mxregex = Regexp.new('^\d+\s+(.*)\.$') -allnodeinfo.keys.sort.each do |host| - next unless allnodeinfo[host]['mXRecord'] - allnodeinfo[host]['mXRecord'].each do |mx| +scope.lookupvar('site::allnodeinfo').keys.sort.each do |host| + next unless scope.lookupvar('site::allnodeinfo')[host]['mXRecord'] + scope.lookupvar('site::allnodeinfo')[host]['mXRecord'].each do |mx| mxmatch = mxregex.match(mx) if mxmatches.include?(mxmatch[1]) route = host + ":\t\t" + host - if localinfo.has_key?(host) and localinfo[host].has_key?('mail_port') and localinfo[host]['mail_port'].to_s != '' - route += "::" + localinfo[host]['mail_port'].to_s + if scope.lookupvar('site::localinfo').has_key?(host) and scope.lookupvar('site::localinfo')[host].has_key?('mail_port') and scope.lookupvar('site::localinfo')[host]['mail_port'].to_s != '' + route += "::" + scope.lookupvar('site::localinfo')[host]['mail_port'].to_s end routes << route end diff --git a/modules/exim/templates/submission-domains.erb b/modules/exim/templates/submission-domains.erb new file mode 100644 index 00000000..4759822d --- /dev/null +++ b/modules/exim/templates/submission-domains.erb 
@@ -0,0 +1,8 @@
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+###
+
+<%= if scope.lookupvar('::hostname') == 'busoni' %>
+bugs.debian.org
+<%= end %>
diff --git a/modules/ferm/manifests/ftp.pp b/modules/ferm/manifests/ftp.pp
index 7c666a1f..51d79fb8 100644
--- a/modules/ferm/manifests/ftp.pp
+++ b/modules/ferm/manifests/ftp.pp
@@ -1,7 +1,7 @@
 class ferm::ftp {
- @ferm::rule { "dsa-ftp":
- domain => "(ip ip6)",
- description => "Allow ftp access",
- rule => "&SERVICE(tcp, 21)"
- }
+ @ferm::rule { 'dsa-ftp':
+ domain => '(ip ip6)',
+ description => 'Allow ftp access',
+ rule => '&SERVICE(tcp, 21)',
+ }
 }
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 2850c4a9..4332dad7 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
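Review bot: `<%= if scope.lookupvar('::hostname') == 'busoni' %>` and `<%= end %>` put Ruby statements in ERB's output tag; `<%= %>` compiles to `_erbout.concat((...).to_s)`, so the generated Ruby is a syntax error and the template cannot render, which fails the `/etc/exim4/submission-domains` file resource and with it the exim catalog on every host. They should use the statement form the other templates in this commit use: `<%- if scope.lookupvar('::hostname') == 'busoni' -%>` and `<%- end -%>`. Keying the submission-domain list on a hard-coded hostname is also at odds with eximconf.erb, which gates the bugs.debian.org handling on `scope.lookupvar('site::nodeinfo')['bugsmaster']`/`['bugsmx']`; if this list is meant to follow that role, the same flag would keep the two in step when the role moves host.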
@@ -1,117 +1,77 @@ class ferm { - define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00", $notarule=false) { - file { - "/etc/ferm/dsa.d/${prio}_${name}": - ensure => present, - owner => root, - group => root, - mode => 0400, - content => template("ferm/ferm-rule.erb"), - notify => Exec["ferm restart"], - } - } + # realize (i.e. enable) all @ferm::rule virtual resources + Ferm::Rule <| |> - # realize (i.e. enable) all @ferm::rule virtual resources - Ferm::Rule <| |> + File { mode => '0400' } - package { - ferm: ensure => installed; - ulogd: ensure => installed; - } + package { 'ferm': + ensure => installed + } + package { 'ulogd': + ensure => installed + } - file { - "/etc/ferm/dsa.d": - ensure => directory, - purge => true, - force => true, - recurse => true, - source => "puppet:///files/empty/", - notify => Exec["ferm restart"], - require => Package["ferm"]; - "/etc/ferm": - ensure => directory, - mode => 0755; - "/etc/ferm/conf.d": - ensure => directory, - require => Package["ferm"]; - "/etc/default/ferm": - source => "puppet:///modules/ferm/ferm.default", - require => Package["ferm"], - notify => Exec["ferm restart"]; - "/etc/ferm/ferm.conf": - source => "puppet:///modules/ferm/ferm.conf", - require => Package["ferm"], - mode => 0400, - notify => Exec["ferm restart"]; - "/etc/ferm/conf.d/me.conf": - content => template("ferm/me.conf.erb"), - require => Package["ferm"], - mode => 0400, - notify => Exec["ferm restart"]; - "/etc/ferm/conf.d/defs.conf": - content => template("ferm/defs.conf.erb"), - require => Package["ferm"], - mode => 0400, - notify => Exec["ferm restart"]; - "/etc/ferm/conf.d/interfaces.conf": - content => template("ferm/interfaces.conf.erb"), - require => Package["ferm"], - mode => 0400, - notify => Exec["ferm restart"]; - "/etc/logrotate.d/ulogd": - source => "puppet:///modules/ferm/logrotate-ulogd", - require => Package["debian.org"], - ; - } + service { 'ferm': + hasstatus => false, + status => 
'/bin/true', + refreshonly => true, + } - $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',') + $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',') - activate_munin_check { - $munin_ips: script => "ip_"; - } + munin::check { $munin_ips: script => 'ip_', } - define munin_ipv6_plugin() { - file { - "/etc/munin/plugins/$name": - content => "#!/bin/bash\n# This file is under puppet control\n. /usr/share/munin/plugins/ip_\n", - mode => 555, - notify => Exec["munin-node restart"], - ; - } - } - case $v6ips { - 'no': {} - default: { - $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',') - munin_ipv6_plugin { - $munin6_ips: ; - } - # get rid of old stuff - $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',') - activate_munin_check { - $munin6_ip6s: ensure => absent; - } - } - } + if $v6ips { + $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',') + munin::check { $munin6_ips: script => 'ip_', } + } + # get rid of old stuff + $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',') + munin::check { $munin6_ip6s: ensure => absent } - case getfromhash($nodeinfo, 'buildd') { - true: { - file { - "/etc/ferm/conf.d/load_ftp_conntrack.conf": - source => "puppet:///modules/ferm/conntrack_ftp.conf", - require => Package["ferm"], - notify => Exec["ferm restart"]; - } - } - } + file { '/etc/ferm': + ensure => directory, + notify => Service['ferm'], + require => Package['ferm'], + mode => '0755' + } + file { '/etc/ferm/dsa.d': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/ferm/conf.d': + ensure => directory, + } + file { '/etc/default/ferm': + source => 'puppet:///modules/ferm/ferm.default', + require => Package['ferm'], + notify => Service['ferm'], + } + file { '/etc/ferm/ferm.conf': + source => 'puppet:///modules/ferm/ferm.conf', + } + file { '/etc/ferm/conf.d/me.conf': + content => 
template('ferm/me.conf.erb'), + } + file { '/etc/ferm/conf.d/defs.conf': + content => template('ferm/defs.conf.erb'), + } + file { '/etc/ferm/conf.d/interfaces.conf': + content => template('ferm/interfaces.conf.erb'), + } + file { '/etc/logrotate.d/ulogd': + source => 'puppet:///modules/ferm/logrotate-ulogd', + require => Package['debian.org'], + } + + if getfromhash($site::nodeinfo, 'buildd') { + file { '/etc/ferm/conf.d/load_ftp_conntrack.conf': + source => 'puppet:///modules/ferm/conntrack_ftp.conf', + } + } - exec { - "ferm restart": - command => "/etc/init.d/ferm restart", - refreshonly => true, - } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/ferm/manifests/nfs-server.pp b/modules/ferm/manifests/nfs-server.pp deleted file mode 100644 index 8fc4f1a3..00000000 --- a/modules/ferm/manifests/nfs-server.pp +++ /dev/null @@ -1,27 +0,0 @@ -class ferm::nfs-server { - @ferm::rule { "dsa-portmap": - domain => "(ip ip6)", - description => "Allow portmap access", - rule => "&TCP_UDP_SERVICE(111)" - } - @ferm::rule { "dsa-nfs": - domain => "(ip ip6)", - description => "Allow nfsd access", - rule => "&TCP_UDP_SERVICE(2049)" - } - @ferm::rule { "dsa-status": - domain => "(ip ip6)", - description => "Allow statd access", - rule => "&TCP_UDP_SERVICE(10000)" - } - @ferm::rule { "dsa-mountd": - domain => "(ip ip6)", - description => "Allow mountd access", - rule => "&TCP_UDP_SERVICE(10002)" - } - @ferm::rule { "dsa-lockd": - domain => "(ip ip6)", - description => "Allow lockd access", - rule => "&TCP_UDP_SERVICE(10003)" - } -} diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 374da372..83e28947 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp 
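Review bot: `refreshonly => true` in the new `service { 'ferm': ... }` block is not a parameter of Puppet's service type (it belongs to exec), so this catalog should fail to compile on every host that includes ferm; drop that line, since leaving `ensure` unset already gives the restart-on-notify behaviour the old exec provided. Separately, the replacement resources for `/etc/ferm/ferm.conf`, `/etc/ferm/conf.d/me.conf`, `defs.conf`, `interfaces.conf`, `/etc/ferm/dsa.d` and `load_ftp_conntrack.conf` no longer carry the `notify => Exec["ferm restart"]` the removed lines had and nothing replaced it, so an edited or purged rule file is written to disk but the running ruleset is not reloaded until something else restarts ferm; add `notify => Service['ferm'],` to each of them (only `/etc/ferm` and `/etc/default/ferm` notify the service now). `if $v6ips {` also changes behaviour if the fact can still be the literal string `'no'` that the removed `case` handled, because a non-empty string is true in Puppet and the host would get an `ip_no` munin check. The class-level `File { mode => '0400' }` default is dynamically scoped, so it presumably also reaches file resources declared inside `munin::check` unless that define sets mode itself — worth confirming.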
@@ -1,254 +1,244 @@ class ferm::per-host { - case $::hostname { - ancina,zandonai,zelenka: { - include ferm::zivit - } - } - - case $::hostname { - chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet: { - include ferm::ftp - } - } + if $::hostname in [ancina,zandonai,zelenka] { + include ferm::zivit + } - case $::hostname { - piatti,samosa: { - @ferm::rule { "dsa-udd-stunnel": - description => "port 8080 for udd stunnel", - rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))" - } - } - danzi: { - @ferm::rule { - "dsa-postgres-danzi": - description => "Allow postgress access", - rule => "&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))" - ; - "dsa-postgres2-danzi": - description => "Allow postgress access2", - rule => "&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))" - ; - "dsa-postgres3-danzi": - description => "Allow postgress access2", - rule => "&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))" - ; - } + if $::hostname in [chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet] { + include ferm::ftp + } - } - abel,alwyn,rietz: { - @ferm::rule { "dsa-tftp": - description => "Allow tftp access", - rule => "&SERVICE(udp, 69)" - } - } - paganini: { - @ferm::rule { "dsa-dhcp": - description => "Allow dhcp access", - rule => "&SERVICE(udp, 67)" - } - @ferm::rule { "dsa-tftp": - description => "Allow tftp access", - rule => "&SERVICE(udp, 69)" - } - } - handel: { - @ferm::rule { "dsa-puppet": - description => "Allow puppet access", - rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)" - } - @ferm::rule { "dsa-puppet-v6": - domain => 'ip6', - description => "Allow puppet access", - rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)" - } - } - powell: { - @ferm::rule { "dsa-powell-v6-tunnel": - description => "Allow powell to use V6 tunnel broker", - rule => "proto ipv6 saddr 
212.227.117.6 jump ACCEPT" - } - @ferm::rule { "dsa-powell-btseed": - domain => "(ip ip6)", - description => "Allow powell to seed BT", - rule => "proto tcp dport 8000:8100 jump ACCEPT" - } - } - heininen,lotti: { - @ferm::rule { "dsa-syslog": - description => "Allow syslog access", - rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)" - } - @ferm::rule { "dsa-syslog-v6": - domain => 'ip6', - description => "Allow syslog access", - rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)" - } - } - kaufmann: { - @ferm::rule { "dsa-hkp": - domain => "(ip ip6)", - description => "Allow hkp access", - rule => "&SERVICE(tcp, 11371)" - } - } - gombert: { - @ferm::rule { "dsa-infinoted": - domain => "(ip ip6)", - description => "Allow infinoted access", - rule => "&SERVICE(tcp, 6523)" - } - } - bendel,liszt: { - @ferm::rule { "smtp": - domain => "(ip ip6)", - description => "Allow smtp access", - rule => "&SERVICE(tcp, 25)" - } - } - draghi: { - #@ferm::rule { "dsa-bind": - # domain => "(ip ip6)", - # description => "Allow nameserver access", - # rule => "&TCP_UDP_SERVICE(53)" - #} - @ferm::rule { "dsa-finger": - domain => "(ip ip6)", - description => "Allow finger access", - rule => "&SERVICE(tcp, 79)" - } - @ferm::rule { "dsa-ldap": - domain => "(ip ip6)", - description => "Allow ldap access", - rule => "&SERVICE(tcp, 389)" - } - @ferm::rule { "dsa-ldaps": - domain => "(ip ip6)", - description => "Allow ldaps access", - rule => "&SERVICE(tcp, 636)" - } - } - cilea: { - file { - "/etc/ferm/conf.d/load_sip_conntrack.conf": - source => "puppet:///modules/ferm/conntrack_sip.conf", - require => Package["ferm"], - notify => Exec["ferm restart"]; - } - @ferm::rule { "dsa-sip": - domain => "(ip ip6)", - description => "Allow sip access", - rule => "&TCP_UDP_SERVICE(5060)" - } - @ferm::rule { "dsa-sipx": - domain => "(ip ip6)", - description => "Allow sipx access", - rule => "&TCP_UDP_SERVICE(5080)" - } - } - scelsi: { - @ferm::rule { "dc11-icecast": - domain => "(ip ip6)", - 
description => "Allow icecast access", - rule => "&SERVICE(tcp, 8000)" - } + case $::hostname { + piatti,samosa: { + @ferm::rule { 'dsa-udd-stunnel': + description => 'port 8080 for udd stunnel', + rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))' + } + } + danzi: { + @ferm::rule { 'dsa-postgres-danzi': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres3-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' + } + } + abel,alwyn,rietz: { + @ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE(udp, 69)' + } + } + paganini: { + @ferm::rule { 'dsa-dhcp': + description => 'Allow dhcp access', + rule => '&SERVICE(udp, 67)' + } + @ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE(udp, 69)' + } + } + handel: { + @ferm::rule { 'dsa-puppet': + description => 'Allow puppet access', + rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)' + } + @ferm::rule { 'dsa-puppet-v6': + domain => 'ip6', + description => 'Allow puppet access', + rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)' + } + } + powell: { + @ferm::rule { 'dsa-powell-v6-tunnel': + description => 'Allow powell to use V6 tunnel broker', + rule => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT' + } + @ferm::rule { 'dsa-powell-btseed': + domain => '(ip ip6)', + description => 'Allow powell to seed BT', + rule => 'proto tcp dport 8000:8100 jump ACCEPT' + } + } + heininen,lotti: { + @ferm::rule { 'dsa-syslog': + description => 'Allow syslog access', + rule => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)' + } + @ferm::rule { 'dsa-syslog-v6': + domain => 'ip6', + description => 'Allow syslog access', + rule => '&SERVICE_RANGE(tcp, 5140, 
\$HOST_DEBIAN_V6)' + } + } + kaufmann: { + @ferm::rule { 'dsa-hkp': + domain => '(ip ip6)', + description => 'Allow hkp access', + rule => '&SERVICE(tcp, 11371)' + } + } + gombert: { + @ferm::rule { 'dsa-infinoted': + domain => '(ip ip6)', + description => 'Allow infinoted access', + rule => '&SERVICE(tcp, 6523)' + } + } + bendel,liszt: { + @ferm::rule { 'smtp': + domain => '(ip ip6)', + description => 'Allow smtp access', + rule => '&SERVICE(tcp, 25)' + } + } + draghi: { + #@ferm::rule { 'dsa-bind': + # domain => '(ip ip6)', + # description => 'Allow nameserver access', + # rule => '&TCP_UDP_SERVICE(53)' + #} + @ferm::rule { 'dsa-finger': + domain => '(ip ip6)', + description => 'Allow finger access', + rule => '&SERVICE(tcp, 79)' + } + @ferm::rule { 'dsa-ldap': + domain => '(ip ip6)', + description => 'Allow ldap access', + rule => '&SERVICE(tcp, 389)' + } + @ferm::rule { 'dsa-ldaps': + domain => '(ip ip6)', + description => 'Allow ldaps access', + rule => '&SERVICE(tcp, 636)' + } + } + cilea: { + file { + '/etc/ferm/conf.d/load_sip_conntrack.conf': + source => 'puppet:///modules/ferm/conntrack_sip.conf', + require => Package['ferm'], + notify => Exec['ferm restart']; + } + @ferm::rule { 'dsa-sip': + domain => '(ip ip6)', + description => 'Allow sip access', + rule => '&TCP_UDP_SERVICE(5060)' + } + @ferm::rule { 'dsa-sipx': + domain => '(ip ip6)', + description => 'Allow sipx access', + rule => '&TCP_UDP_SERVICE(5080)' + } + } + scelsi: { + @ferm::rule { 'dc11-icecast': + domain => '(ip ip6)', + description => 'Allow icecast access', + rule => '&SERVICE(tcp, 8000)' + } + } + default: {} } - } - case $hostname { rautavaara,luchesi: { - @ferm::rule { "dsa-to-kfreebsd": - description => "Traffic routed to kfreebsd hosts", - chain => 'to-kfreebsd', - rule => 'proto icmp ACCEPT; - source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; - source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; - source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) 
proto tcp dport 4949 ACCEPT; - source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; - source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT - ' - } - @ferm::rule { "dsa-from-kfreebsd": - description => "Traffic routed from kfreebsd vlan/bridge", - chain => 'from-kfreebsd', - rule => 'proto icmp ACCEPT; - proto tcp dport (21 22 80 53 443) ACCEPT; - proto udp dport (53 123) ACCEPT; - proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost - proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost - proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host - proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT - ' - } - }} - case $hostname { - rautavaara: { - @ferm::rule { "dsa-routing": - description => "forward chain", - chain => "FORWARD", - rule => ' - def $ADDRESS_FASCH=194.177.211.201; - def $ADDRESS_FIELD=194.177.211.210; - def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD); + if $::hostname in [rautavaara,luchesi] { + @ferm::rule { 'dsa-to-kfreebsd': + description => 'Traffic routed to kfreebsd hosts', + chain => 'to-kfreebsd', + rule => 'proto icmp ACCEPT; +source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; +source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; +source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; +source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; +source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT +' + } + @ferm::rule { 'dsa-from-kfreebsd': + description => 'Traffic routed from kfreebsd vlan/bridge', + chain => 'from-kfreebsd', + rule => 'proto icmp ACCEPT; +proto tcp dport (21 22 80 53 443) ACCEPT; +proto udp dport (53 123) ACCEPT; +proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost +proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost +proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host +proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT +' + } + } + case $::hostname { + 
rautavaara: { + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'def $ADDRESS_FASCH=194.177.211.201; +def $ADDRESS_FIELD=194.177.211.210; +def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD); - policy ACCEPT; - mod state state (ESTABLISHED RELATED) ACCEPT; - interface vlan11 outerface eth0 jump from-kfreebsd; - interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; - ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited - ' - } - } - luchesi: { - @ferm::rule { "dsa-routing": - description => "forward chain", - chain => "FORWARD", - rule => ' - def $ADDRESS_FANO=206.12.19.110; - def $ADDRESS_FINZI=206.12.19.111; - def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI); +policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface vlan11 outerface eth0 jump from-kfreebsd; +interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; +ULOG ulog-prefix "REJECT FORWARD: "; +REJECT reject-with icmp-admin-prohibited +' + } + } + luchesi: { + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'def $ADDRESS_FANO=206.12.19.110; +def $ADDRESS_FINZI=206.12.19.111; +def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI); - policy ACCEPT; - mod state state (ESTABLISHED RELATED) ACCEPT; - interface br0 outerface br0 ACCEPT; +policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface br0 outerface br0 ACCEPT; - interface br2 outerface br0 jump from-kfreebsd; - interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; - ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited - ' - } - } - } +interface br2 outerface br0 jump from-kfreebsd; +interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; +ULOG ulog-prefix "REJECT FORWARD: "; +REJECT reject-with icmp-admin-prohibited +' + } + } + default: {} + } - # redirect snapshot into varnish - case $::hostname { - sibelius: { - @ferm::rule { "dsa-snapshot-varnish": - 
rule => '&SERVICE(tcp, 6081)', - } - @ferm::rule { "dsa-nat-snapshot-varnish": - table => 'nat', - chain => 'PREROUTING', - rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081', - } - } - stabile: { - @ferm::rule { "dsa-snapshot-varnish": - rule => '&SERVICE(tcp, 6081)', - } - @ferm::rule { "dsa-nat-snapshot-varnish": - table => 'nat', - chain => 'PREROUTING', - rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081', - } - } - } + # redirect snapshot into varnish + case $::hostname { + sibelius: { + @ferm::rule { 'dsa-snapshot-varnish': + rule => '&SERVICE(tcp, 6081)', + } + @ferm::rule { 'dsa-nat-snapshot-varnish': + table => 'nat', + chain => 'PREROUTING', + rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081', + } + } + stabile: { + @ferm::rule { 'dsa-snapshot-varnish': + rule => '&SERVICE(tcp, 6081)', + } + @ferm::rule { 'dsa-nat-snapshot-varnish': + table => 'nat', + chain => 'PREROUTING', + rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081', + } + } + default: {} + } - if $::rsyncd == 'true' { - include ferm::rsync - } + if $::rsyncd == true { + include ferm::rsync + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/ferm/manifests/rsync.pp b/modules/ferm/manifests/rsync.pp index 390bce2b..44feab65 100644 --- a/modules/ferm/manifests/rsync.pp +++ b/modules/ferm/manifests/rsync.pp @@ -1,8 +1,8 @@ class ferm::rsync { - @ferm::rule { "dsa-rsync": - domain => "(ip ip6)", - description => "Allow rsync access", - rule => "&SERVICE(tcp, 873)" - } + @ferm::rule { 'dsa-rsync': + domain => '(ip ip6)', + description => 'Allow rsync access', + rule => '&SERVICE(tcp, 873)' + } } diff --git a/modules/ferm/manifests/rule.pp b/modules/ferm/manifests/rule.pp new file mode 100644 index 00000000..7eef2a21 --- /dev/null +++ b/modules/ferm/manifests/rule.pp 
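Review bot: The `cilea` branch still has `notify => Exec['ferm restart']` on `/etc/ferm/conf.d/load_sip_conntrack.conf`, but this same commit removes the `ferm restart` exec from ferm::init and moves every other ferm resource to `Service['ferm']`, so on that host the reference should now dangle and the catalog fail with a missing-dependency error; change it to `notify => Service['ferm'],`. The closing `if $::rsyncd == true` is also suspect: the old code compared against the string `'true'`, and unless the rsyncd fact is now delivered as a real boolean rather than a string the new comparison never matches and ferm::rsync is silently dropped — `if $::rsyncd == 'true'` keeps the old behaviour, or convert the fact explicitly before comparing.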
@@ -0,0 +1,19 @@ +define ferm::rule( + $rule, + $domain='ip', + $table='filter', + $chain='INPUT', + $description='', + $prio='00', + $notarule=false +) { + file { + "/etc/ferm/dsa.d/${prio}_${name}": + ensure => present, + mode => '0400', + content => template('ferm/ferm-rule.erb'), + notify => Service['ferm'], + } +} + + diff --git a/modules/ferm/manifests/zivit.pp b/modules/ferm/manifests/zivit.pp index e392b3fe..b513a3b1 100644 --- a/modules/ferm/manifests/zivit.pp +++ b/modules/ferm/manifests/zivit.pp @@ -1,15 +1,15 @@ class ferm::zivit { - @ferm::rule { "dsa-zivit-rrdcollect": - description => "port 6666 for rrdcollect for zivit", - rule => "&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))" - } - @ferm::rule { "dsa-zivit-zabbix": - description => "port 10050 for zabbix for zivit", - rule => "&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))" - } - @ferm::rule { "dsa-time": - description => "Allow time access", - rule => "&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)" - } + @ferm::rule { 'dsa-zivit-rrdcollect': + description => 'port 6666 for rrdcollect for zivit', + rule => '&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))' + } + @ferm::rule { 'dsa-zivit-zabbix': + description => 'port 10050 for zabbix for zivit', + rule => '&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))' + } + @ferm::rule { 'dsa-time': + description => 'Allow time access', + rule => '&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)' + } } diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb index d46bee1e..3af87c48 100644 --- a/modules/ferm/templates/defs.conf.erb +++ b/modules/ferm/templates/defs.conf.erb 
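Review bot: The define builds the fragment path straight from `${prio}_${name}` without constraining either value, so a title containing `/` or `..` would place a fragment outside `/etc/ferm/dsa.d` (which this commit also purges); a guard at the top of the body, `if $name !~ /^[A-Za-z0-9_-]+$/ { fail("ferm::rule: unexpected characters in title ${name}") }`, makes that contract explicit, and every existing caller's title already fits it. The define also has no header comment: a short block above it should say that `$rule` is presumably written into the ferm fragment by `ferm-rule.erb` and that `$description` and `$notarule` are consumed only by that template, since nothing in the manifest body uses them. `ensure => present` on a file that carries `content` could be `ensure => file`, matching the File defaults in site.pp.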
@@ -21,9 +21,9 @@ @def $HOST_MAILRELAY_V4 = (<%= mailrelay = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['mailrelay'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['mailrelay'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ mailrelay << ip end @@ -35,9 +35,9 @@ @def $HOST_MAILRELAY_V6 = (<%= mailrelay = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['mailrelay'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['mailrelay'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ mailrelay << ip end @@ -51,9 +51,9 @@ @def $HOST_NAGIOS_V4 = (<%= nagii = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ nagii << ip end @@ -65,9 +65,9 @@ @def $HOST_NAGIOS_V6 = (<%= nagii = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ nagii << ip end 
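Review bot: Every loop body and condition in this hunk, in the -35/-51/-65 hunks beside it, in the -81 through -154 hunks that follow, and likewise in the me.conf.erb and motd.erb hunks, now calls `scope.lookupvar('site::localinfo')` or `scope.lookupvar('site::allnodeinfo')` afresh on each iteration, which repeats the lookup per node and makes the conditions hard to read. Bind each once at the top of the `<%=` block, `localinfo = scope.lookupvar('site::localinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, and leave the loop bodies as they were; the output is the same and each block changes by two lines instead of three per loop. A one-line comment above the first binding noting that these are the hashes exported by class site (as the lookup names suggest) would also help the next reader.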
@@ -81,9 +81,9 @@ @def $HOST_MUNIN_V4 = (<%= munins = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['muninmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['muninmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ munins << ip end @@ -95,9 +95,9 @@ @def $HOST_MUNIN_V6 = (<%= munins = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['muninmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['muninmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ munins << ip end @@ -111,9 +111,9 @@ @def $HOST_DB_V6 = (<%= dbs = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['dbmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['dbmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ dbs << ip end @@ -125,9 +125,9 @@ @def $HOST_DB_V4 = (<%= dbs = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['dbmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['dbmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ dbs << ip end 
@@ -141,9 +141,9 @@ @def $HOST_DEBIAN_V4 = (<%= dbs = [] - allnodeinfo.keys.sort.each do |node| - next unless allnodeinfo[node].has_key?('ipHostNumber') - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber') + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ dbs << ip end @@ -154,9 +154,9 @@ @def $HOST_DEBIAN_V6 = (<%= dbs = [] - allnodeinfo.keys.sort.each do |node| - next unless allnodeinfo[node].has_key?('ipHostNumber') - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber') + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ dbs << ip end diff --git a/modules/ferm/templates/interfaces.conf.erb b/modules/ferm/templates/interfaces.conf.erb index af6585a5..fbe96026 100644 --- a/modules/ferm/templates/interfaces.conf.erb +++ b/modules/ferm/templates/interfaces.conf.erb @@ -7,7 +7,7 @@ end %>); def $MUNIN6_IPS = (<%= begin - v6ips == 'no' ? '' : v6ips.split(',').join(' ') + v6ips == '' ? '' : v6ips.split(',').join(' ') rescue '' end diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index 7069f592..2e5e18e8 100644 --- a/modules/ferm/templates/me.conf.erb +++ b/modules/ferm/templates/me.conf.erb 
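Review bot: In the interfaces.conf.erb hunk the new test `v6ips == ''` only covers the empty-string case and still leans on the `rescue ''` below it to absorb an undefined or nil `v6ips`, and that rescue also silences any other error in the expression; `v6ips.to_s.empty? ? '' : v6ips.split(',').join(' ')` states the intent directly and mirrors the `if $v6ips` check the manifest side now uses. If the rescue is kept, a comment such as `# rescue: v6ips is not set on hosts without IPv6` would record why it is there.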
@@ -9,8 +9,8 @@ out = [] restricted_purposes = {'kvm host', 'central syslog server', 'puppet master', 'jumphost'} restrict_ssh = %w{lebrun logtest01 geo1 geo2 geo3 beethoven tchaikovsky schroeder rossini draghi} -if (nodeinfo['ldap'].has_key?('purpose')) then - nodeinfo['ldap']['purpose'].each do |purp| +if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) then + scope.lookupvar('site::nodeinfo')['ldap']['purpose'].each do |purp| if restricted_purposes.include?(purp) then restrict_ssh << hostname end @@ -49,7 +49,7 @@ out << "@def $SSH_V6_SOURCES = (#{ssh6allowed.join(' ')});" smtp4allowed = [] smtp6allowed = [] -if not nodeinfo['smarthost'].empty? +if not scope.lookupvar('site::nodeinfo')['smarthost'].empty? smtp4allowed << %w{$HOST_MAILRELAY_V4 $HOST_NAGIOS_V4} smtp6allowed << %w{$HOST_MAILRELAY_V6 $HOST_NAGIOS_V6} end diff --git a/modules/hardware/manifests/init.pp b/modules/hardware/manifests/init.pp new file mode 100644 index 00000000..bc5897e5 --- /dev/null +++ b/modules/hardware/manifests/init.pp @@ -0,0 +1,14 @@ +class hardware { + if $::smartarraycontroller { + include debian::proliant + } + + if $::productname == 'PowerEdge 2850' { + include megactl + } + + if $::mptraid { + include raidmpt + } + +} diff --git a/modules/hosts/manifests/init.pp b/modules/hosts/manifests/init.pp index cdd19017..47616af6 100644 --- a/modules/hosts/manifests/init.pp +++ b/modules/hosts/manifests/init.pp @@ -1,10 +1,5 @@ class hosts { - - file { - "/etc/hosts": content => template("hosts/etc-hosts.erb"); - } + file { '/etc/hosts': + content => template('hosts/etc-hosts.erb') + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/kfreebsd/manifests/init.pp b/modules/kfreebsd/manifests/init.pp index 00a7449c..8ccfe318 100644 --- a/modules/kfreebsd/manifests/init.pp +++ b/modules/kfreebsd/manifests/init.pp 
@@ -1,15 +1,10 @@ class kfreebsd { - file { - "/etc/cron.d/dsa-killruby": - source => [ "puppet:///modules/kfreebsd/dsa-killruby" ], - ; - } - sysctl { - "maxfiles" : - key => "kern.maxfiles", - value => 65536, - } + file { '/etc/cron.d/dsa-killruby': + source => 'puppet:///modules/kfreebsd/dsa-killruby', + } + + site::sysctl { 'maxfiles': + key => 'kern.maxfiles', + value => 65536, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/megactl/manifests/init.pp b/modules/megactl/manifests/init.pp index d15cb17e..3c376639 100644 --- a/modules/megactl/manifests/init.pp +++ b/modules/megactl/manifests/init.pp @@ -1,13 +1,9 @@ class megactl { - package { - megactl: ensure => installed; - } - file { - "/etc/apt/sources.list.d/debian.restricted.list": - content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"), - notify => Exec["apt-get update"]; - } + package { 'megactl': + ensure => installed + } + + site::aptrepo { 'debian.restricted': + template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb', + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/monit/manifests/init.pp b/modules/monit/manifests/init.pp index 7792b086..4c9b736b 100644 --- a/modules/monit/manifests/init.pp +++ b/modules/monit/manifests/init.pp 
@@ -1,76 +1,53 @@ class monit { - package { "monit": ensure => installed } - $cmd = $::lsbdistcodename ? { - 'sid' => '/usr/bin/monit', - 'wheezy' => '/usr/bin/monit', - default => '/usr/sbin/monit', - } - - augeas { "inittab": - context => "/files/etc/inittab", - changes => [ "set mo/runlevels 2345", - "set mo/action respawn", - "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"", - ], - notify => Exec["init q"], - } - - file { - #"/etc/rc2.d/K99monit": - # ensure => "../init.d/monit"; - #"/etc/rc2.d/S99monit": - # ensure => absent; - - "/etc/monit/": - ensure => directory, - owner => root, - group => root, - mode => 755, - purge => true - ; - - "/etc/monit/monitrc": - content => template("monit/monitrc.erb"), - require => Package["monit"], - notify => Exec["monit stop"], - mode => 400 - ; - - "/etc/monit/monit.d": - ensure => directory, - owner => root, - group => root, - mode => 750, - purge => true - ; - - "/etc/monit/monit.d/01puppet": - source => "puppet:///modules/monit/puppet", - require => Package["monit"], - notify => Exec["monit stop"], - mode => 440 - ; - - "/etc/monit/monit.d/00debian.org": - source => "puppet:///modules/monit/debianorg", - require => Package["monit"], - notify => Exec["monit stop"], - mode => 440 - ; - - "/etc/default/monit": - content => template("monit/default.erb"), - require => Package["monit"], - notify => Exec["monit stop"] - ; - } - exec { "monit stop": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + package { 'monit': + ensure => installed + } + + $cmd = $::lsbdistcodename ? 
{ + 'sid' => '/usr/bin/monit', + 'wheezy' => '/usr/bin/monit', + default => '/usr/sbin/monit', + } + + augeas { 'inittab': + context => '/files/etc/inittab', + changes => [ 'set mo/runlevels 2345', + 'set mo/action respawn', + "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"", + ], + notify => Exec['init q'], + } + + file { [ '/etc/monit/', '/etc/monit/monit.d']: + ensure => directory, + owner => root, + group => root, + mode => '0755', + purge => true, + notify => Exec['monit stop'], + require => Package['monit'], + } + file { '/etc/monit/monitrc': + content => template('monit/monitrc.erb'), + mode => '0400' + } + file { '/etc/monit/monit.d/01puppet': + source => 'puppet:///modules/monit/puppet', + mode => '0440' + } + file { '/etc/monit/monit.d/00debian.org': + source => 'puppet:///modules/monit/debianorg', + mode => '0440' + } + file { '/etc/default/monit': + content => template('monit/default.erb'), + require => Package['monit'], + notify => Exec['monit stop'] + } + + exec { 'monit stop': + path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true, + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/motd/manifests/init.pp b/modules/motd/manifests/init.pp index 0de49360..ffa85733 100644 --- a/modules/motd/manifests/init.pp +++ b/modules/motd/manifests/init.pp 
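Review bot: `/etc/monit/monitrc`, `/etc/monit/monit.d/01puppet` and `/etc/monit/monit.d/00debian.org` lost their `notify => Exec['monit stop']` in the rewrite (only the two directories and `/etc/default/monit` keep it), so a changed monitrc or fragment no longer restarts monit; add `notify => Exec['monit stop'],` back to each of the three file resources. The dropped `require => Package['monit']` on those files should be covered by Puppet's autorequire of the parent directory, which still requires the package, so that part looks safe. Merging the two directories into one resource also changes `/etc/monit/monit.d` from mode 750 to '0755'; if the tighter mode was deliberate, keep it as a separate resource with `mode => '0750'`. `purge => true` on both directories does nothing without `recurse => true`, which is pre-existing but deserves a comment if the non-recursive form is intended.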
@@ -1,15 +1,16 @@ class motd { - file { "/etc/motd.tail": - notify => Exec["updatemotd"], - content => template("motd/motd.erb") ; - "/etc/motd": - ensure => "/var/run/motd"; + + file { '/etc/motd.tail': + notify => Exec['updatemotd'], + content => template('motd/motd.erb') + } + file { '/etc/motd': + ensure => link, + target => '/var/run/motd' + } + + exec { 'updatemotd': + command => 'uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd', + refreshonly => true, } - exec { "updatemotd": - command => "uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd", - refreshonly => true - } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/motd/templates/motd.erb b/modules/motd/templates/motd.erb index 2087cbc2..47eb9521 100644 --- a/modules/motd/templates/motd.erb +++ b/modules/motd/templates/motd.erb 
@@ -18,32 +18,32 @@ def markup(l) end purp = '' -if nodeinfo.has_key?('nameinfo') - purp += wrap(nodeinfo['nameinfo']) + "\n\n" +if scope.lookupvar('site::nodeinfo').has_key?('nameinfo') + purp += wrap(scope.lookupvar('site::nodeinfo')['nameinfo']) + "\n\n" end purp += 'Welcome to ' + fqdn -if (nodeinfo['ldap'].has_key?('purpose')) - p = nodeinfo['ldap']['purpose'].clone() +if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) + p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone() extra = '' if p.delete('buildd') purp += ", the Debian " - if nodeinfo['ldap'].has_key?('architecture') - purp += nodeinfo['ldap']['architecture'][0] + if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') + purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0] end purp += " build daemon" end if p.delete('porterbox') purp += ", the Debian " - if nodeinfo['ldap'].has_key?('architecture') - purp += nodeinfo['ldap']['architecture'][0] + if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') + purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0] end purp += " porterbox" extra += "\n" extra += "See 'dchroot -l' or 'schroot -l' for a list of available chroots.\n" - if nodeinfo['ldap'].has_key?('admin') + if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('admin') extra += "Please contact #{nodeinfo['ldap']['admin'][0]} for install requests,\n" extra += "following the recommendations in .\n" end @@ -51,7 +51,7 @@ if (nodeinfo['ldap'].has_key?('purpose')) if p.size() > 0 purp += ", used for the following services:\n" - nodeinfo['ldap']['purpose'].sort.each do |l| + scope.lookupvar('site::nodeinfo')['ldap']['purpose'].sort.each do |l| l = markup(l) purp += "\t" + l + "\n" end 
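Review bot: Context lines in this hunk and in the -66 hunk still read the bare `nodeinfo` inside string interpolation — `#{nodeinfo['ldap']['admin'][0]}` here, and `#{nodeinfo['ldap']['physicalHost'][0]}` and `#{nodeinfo['hoster']['longname']}` (twice) in the -66 hunk — while every surrounding reference was rewritten to `scope.lookupvar('site::nodeinfo')`. If bare `nodeinfo` is no longer injected into the template scope, which appears to be the reason for the rewrite, those lines raise NameError as soon as their branch is taken (a porterbox with an admin, or a virtual host), and the bare `fqdn` on the `Welcome to` line and in the vms loop may be in the same position. Binding `nodeinfo = scope.lookupvar('site::nodeinfo')` once at the top of the template fixes all of them and lets the other rewritten lines revert to their original form.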
@@ -66,18 +66,18 @@ end purp += "\n" -if (nodeinfo['ldap'].has_key?('physicalHost')) +if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('physicalHost')) purp += wrap("This virtual server runs on the physical host #{nodeinfo['ldap']['physicalHost'][0]}, " + "which is hosted at #{nodeinfo['hoster']['longname']}." ) -elsif nodeinfo['hoster']['name'] +elsif scope.lookupvar('site::nodeinfo')['hoster']['name'] purp += wrap("This server is hosted at #{nodeinfo['hoster']['longname']}.") end vms = [] -allnodeinfo.keys.sort.each do |node| - if allnodeinfo[node]['physicalHost'] and allnodeinfo[node]['physicalHost'].include?(fqdn) +scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn) vms << node end end @@ -85,9 +85,9 @@ unless vms.empty? purp += "\nThe following virtual machines run on this system:\n" vms.each do |node| purp += "\t- #{node}" - if allnodeinfo[node]['purpose'] + if scope.lookupvar('site::allnodeinfo')[node]['purpose'] purp += ":\n" - allnodeinfo[node]['purpose'].sort.each do |l| + scope.lookupvar('site::allnodeinfo')[node]['purpose'].sort.each do |l| l = markup(l) purp += "\t " + l + "\n" end @@ -98,8 +98,8 @@ unless vms.empty? end -if nodeinfo.has_key?('footer') - purp += "\n" + wrap(nodeinfo['footer']) + "\n" +if scope.lookupvar('site::nodeinfo').has_key?('footer') + purp += "\n" + wrap(scope.lookupvar('site::nodeinfo')['footer']) + "\n" end purp -%> diff --git a/modules/munin-node/files/df-wrap b/modules/munin-node/files/df-wrap deleted file mode 100644 index b53f2bb2..00000000 --- a/modules/munin-node/files/df-wrap +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/sh - -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# Calls the appropriate df plugin while filtering out short-lived entries -# like the sbuild/schroot filesystems. - -# Copyright 2011 Peter Palfrader -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and associated documentation files (the -# "Software"), to deal in the Software without restriction, including -# without limitation the rights to use, copy, modify, merge, publish, -# distribute, sublicense, and/or sell copies of the Software, and to -# permit persons to whom the Software is furnished to do so, subject to -# the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -case "${0##*/}" in - df) plugin=/usr/share/munin/plugins/df ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;; - df_abs) plugin=/usr/share/munin/plugins/df_abs ; filter='^tmpfs|^udev|_sbuild_|_schroot_' ;; - df_inode) plugin=/usr/share/munin/plugins/df_inode ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;; - *) echo >&2 "$0: Do not know which plugin to call based on script name."; exit 1 ;; -esac - -"$plugin" "$@" | egrep -v "$filter" 
diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp deleted file mode 100644 index 72dbce1c..00000000 --- a/modules/munin-node/manifests/init.pp +++ /dev/null 
@@ -1,114 +0,0 @@ -define activate_munin_check($ensure=present, $script = none) { - case $script { - none: { $link = $name } - default: { $link = $script } - } - - case $ensure { - present: { - file { "/etc/munin/plugins/$name": - ensure => "/usr/share/munin/plugins/$link", - notify => Exec["munin-node restart"]; - } - } - default: { - file { "/etc/munin/plugins/$name": - ensure => $ensure, - notify => Exec["munin-node restart"]; - } - } - } -} - -class munin-node { - - package { munin-node: ensure => installed } - - activate_munin_check { - "cpu":; - "entropy":; - "forks":; - "interrupts":; - "iostat":; - "irqstats":; - "load":; - "memory":; - "ntp_offset":; - "ntp_states":; - "open_files":; - "open_inodes":; - "processes":; - "swap":; - "uptime":; - "vmstat":; - } - - case $spamd { - "true": { - activate_munin_check { "spamassassin":; } - } - } - - case $vsftpd { - "true": { - package { - "logtail": ensure => installed; - } - activate_munin_check { - "vsftpd":; - "ps_vsftpd": script => "ps_"; - } - } - } - - file { - "/etc/munin/munin-node.conf": - content => template("munin-node/munin-node.conf.erb"), - require => Package["munin-node"], - notify => Exec["munin-node restart"]; - - "/etc/munin/plugin-conf.d/munin-node": - content => template("munin-node/munin-node.plugin.conf.erb"), - require => Package["munin-node"], - notify => Exec["munin-node restart"]; - - "/etc/munin/plugins/df": - source => "puppet:///modules/munin-node/df-wrap", - mode => 555, - require => Package["munin-node"], - notify => Exec["munin-node restart"] - ; - "/etc/munin/plugins/df_abs": - source => "puppet:///modules/munin-node/df-wrap", - mode => 555, - require => Package["munin-node"], - notify => Exec["munin-node restart"] - ; - "/etc/munin/plugins/df_inode": - source => "puppet:///modules/munin-node/df-wrap", - mode => 555, - require => Package["munin-node"], - notify => Exec["munin-node restart"] - ; - } - - exec { "munin-node restart": - path => 
"/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } - @ferm::rule { "dsa-munin-v4": - description => "Allow munin from munin master", - rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }", - notarule => true, - } - @ferm::rule { "dsa-munin-v6": - description => "Allow munin from munin master", - domain => "ip6", - rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }", - notarule => true, - } -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/munin-node/manifests/master.pp b/modules/munin-node/manifests/master.pp deleted file mode 100644 index 23418891..00000000 --- a/modules/munin-node/manifests/master.pp +++ /dev/null @@ -1,14 +0,0 @@ -class munin-node::master inherits munin-node { - - package { munin: ensure => installed } - - file { - "/etc/munin/munin.conf": - content => template("munin-node/munin.conf.erb"), - require => Package["munin"]; - } -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/munin-node/templates/munin-node.conf.erb b/modules/munin-node/templates/munin-node.conf.erb deleted file mode 100644 index 45cf119a..00000000 --- a/modules/munin-node/templates/munin-node.conf.erb +++ /dev/null 
@@ -1,51 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# -# Example config-file for munin-node -# - -log_level 4 -log_file /var/log/munin/munin-node.log -port 4949 -pid_file /var/run/munin/munin-node.pid -background 1 -setsid 1 - -# Which port to bind to; -host * -user root -group root -setsid yes - -# Regexps for files to ignore - -ignore_file ~$ -ignore_file \.bak$ -ignore_file %$ -ignore_file \.dpkg-(tmp|new|old|dist)$ -ignore_file \.rpm(save|new)$ - -# Set this if the client doesn't report the correct hostname when -# telnetting to localhost, port 4949 -# -#host_name localhost.localdomain - -# A list of addresses that are allowed to connect. This must be a -# regular expression, due to brain damage in Net::Server, which -# doesn't understand CIDR-style network notation. You may repeat -# the allow line as many times as you'd like - -<%= -str = '' -localinfo.keys.sort.each do |node| - if localinfo[node]['muninmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| - str += "allow ^" + ip.split('.').join('\.') + "$\n" - end - end -end -str --%> diff --git a/modules/munin-node/templates/munin-node.plugin.conf.erb b/modules/munin-node/templates/munin-node.plugin.conf.erb deleted file mode 100644 index 73ffb462..00000000 --- a/modules/munin-node/templates/munin-node.plugin.conf.erb +++ /dev/null 
@@ -1,108 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -[apt] -user root - -[courier_mta_mailqueue] -group daemon - -[courier_mta_mailstats] -group adm, maillog - -[courier_mta_mailvolume] -group adm, maillog - -[cps*] -user root -<%= -out = "" -if has_variable?("mta") and mta == "exim4" - out=" -[exim_mail*] -user Debian-exim -group maillog" -end -out -%> -<%= -out = "" -if has_variable?("vsftpd") and vsftpd == "true" - out=" -[vsftpd] -user root -" -end -out -%> -[fw_conntrack] -user root - -[fw_forwarded_local] -user root - -[hddtemp_smartctl] -user root - -[if_*] -user root - -[if_err_*] -user nobody - -[ip_*] -user root - -[ip6_*] -user root - -[mysql*] -user root -env.mysqlopts --defaults-extra-file=/etc/mysql/debian.cnf - -[df*] -env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs -env.warning 92 -env.critical 98 - -<%= -out = "" -if has_variable?("mta") and mta == "postfix" - out=" -[postfix_mailqueue] -user postfix - -[postfix_mailstats] -group adm, maillog - -[postfix_mailvolume] -group adm, maillog -env.logfile mail.log" -end -out -%> - -[smart_*] -user root - -[vlan*] -user root - -[spamassassin] -group maillog - -[bind*] -group bind -<%= -out = case hostname - when "geo1","geo2","geo3" then "env.logfile /var/log/bind9/geoip-query.log" - else "env.logfile /var/log/bind9/named-query.log" -end -out -%> - -# filter out all the short-lived sbuild/schroot filesystems for diskstats: -[diskstats] -env.exclude sbuild,schroot diff --git a/modules/munin-node/templates/munin.conf.erb b/modules/munin-node/templates/munin.conf.erb deleted file mode 100644 index 50468cb5..00000000 --- a/modules/munin-node/templates/munin.conf.erb +++ /dev/null 
@@ -1,23 +0,0 @@ -## -### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -dbdir /var/lib/munin -htmldir /var/cache/munin/www -logdir /var/log/munin -rundir /var/run/munin -tmpldir /etc/munin/templates -graph_strategy cgi - -<%= out = '' - localinfo.keys.sort.each do |node| - if not localinfo[node]['no_munin'] - out += '[' + node + '] - address ' + node + ' - -' - end - end -out -%> diff --git a/modules/munin/files/df-wrap b/modules/munin/files/df-wrap new file mode 100644 index 00000000..b53f2bb2 --- /dev/null +++ b/modules/munin/files/df-wrap 
@@ -0,0 +1,39 @@ +#!/bin/sh + +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# Calls the appropriate df plugin while filtering out short-lived entries +# like the sbuild/schroot filesystems. + +# Copyright 2011 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +case "${0##*/}" in + df) plugin=/usr/share/munin/plugins/df ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;; + df_abs) plugin=/usr/share/munin/plugins/df_abs ; filter='^tmpfs|^udev|_sbuild_|_schroot_' ;; + df_inode) plugin=/usr/share/munin/plugins/df_inode ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;; + *) echo >&2 "$0: Do not know which plugin to call based on script name."; exit 1 ;; +esac + +"$plugin" "$@" | egrep -v "$filter" 
diff --git a/modules/munin/manifests/check.pp b/modules/munin/manifests/check.pp
new file mode 100644
index 00000000..7e4a5c65
--- /dev/null
+++ b/modules/munin/manifests/check.pp
@@ -0,0 +1,22 @@
+define munin::check($ensure = present, $script = undef) {
+
+ if $script {
+ $link = $script
+ } else {
+ $link = $name
+ }
+
+ $link_target = $ensure ? {
+ present => "/usr/share/munin/plugins/${link}"
+ absent => absent,
+ default => err ( "Unknown ensure value: '$ensure'" ),
+ }
+
+ file { "/etc/munin/plugins/${name}":
+ ensure => $link_target,
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+}
+
+
diff --git a/modules/munin/manifests/init.pp b/modules/munin/manifests/init.pp
new file mode 100644
index 00000000..1ba4477a
--- /dev/null
+++ b/modules/munin/manifests/init.pp
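Review bot: The selector is missing the comma after `present => "/usr/share/munin/plugins/${link}"`, so this new manifest does not parse at all. Separately, `err()` is, as far as I know, only a logging function: it reports at error level and returns nothing, so an unexpected `$ensure` leaves `$link_target` undef and the `file` resource is still applied with whatever site-wide File defaults are in force instead of aborting the run; use `default => fail("Unknown ensure value: '${ensure}'"),` so a bad value stops compilation. The two lines to change are `present => "/usr/share/munin/plugins/${link}",` and `default => fail("Unknown ensure value: '${ensure}'"),`.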
@@ -0,0 +1,43 @@
+class munin {
+
+ package { 'munin-node':
+ ensure => installed
+ }
+
+ service { 'munin-node':
+ ensure => running,
+ require => Package['munin-node'],
+ }
+
+ file { '/etc/munin/munin-node.conf':
+ content => template('munin/munin-node.conf.erb')
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ file { '/etc/munin/plugin-conf.d/munin-node':
+ content => template('munin/munin-node.plugin.conf.erb'),
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ file { [ '/etc/munin/plugins/df', '/etc/munin/plugins/df_abs', '/etc/munin/plugins/df_inode' ]:
+ source => 'puppet:///modules/munin/df-wrap',
+ mode => '0555',
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ @ferm::rule { 'dsa-munin-v4':
+ description => 'Allow munin from munin master',
+ rule => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-munin-v6':
+ description => 'Allow munin from munin master',
+ domain => 'ip6',
+ rule => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }',
+ notarule => true,
+ }
+}
diff --git a/modules/munin/manifests/master.pp b/modules/munin/manifests/master.pp
new file mode 100644
index 00000000..4706dfbf
--- /dev/null
+++ b/modules/munin/manifests/master.pp
@@ -0,0 +1,11 @@
+class munin::master {
+
+ package { 'munin':
+ ensure => installed
+ }
+
+ file { '/etc/munin/munin.conf':
+ content => template('munin/munin.conf.erb'),
+ require => Package['munin'];
+ }
+}
diff --git a/modules/munin/templates/munin-node.conf.erb b/modules/munin/templates/munin-node.conf.erb
new file mode 100644
index 00000000..e5ef6ff7
--- /dev/null
+++ b/modules/munin/templates/munin-node.conf.erb
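Review bot: Both `rule =>` values in the `@ferm::rule` resources are single-quoted strings that contain unescaped single quotes around `munin` and a `\$` sequence; Puppet's single-quoted strings only honour `\\` and `\'`, so the string terminates at `'munin` and the manifest fails to parse, and even if it parsed the `\$` would be written literally into the ferm configuration instead of `$`. This rule is what limits port 4949 to the munin and nagios masters, so keep the double-quoted form the deleted munin-node module used: `rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",` and likewise for the `V6` rule. The `content => template('munin/munin-node.conf.erb')` line in the `/etc/munin/munin-node.conf` resource is also missing its trailing comma.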
@@ -0,0 +1,51 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# +# Example config-file for munin-node +# + +log_level 4 +log_file /var/log/munin/munin-node.log +port 4949 +pid_file /var/run/munin/munin-node.pid +background 1 +setsid 1 + +# Which port to bind to; +host * +user root +group root +setsid yes + +# Regexps for files to ignore + +ignore_file ~$ +ignore_file \.bak$ +ignore_file %$ +ignore_file \.dpkg-(tmp|new|old|dist)$ +ignore_file \.rpm(save|new)$ + +# Set this if the client doesn't report the correct hostname when +# telnetting to localhost, port 4949 +# +#host_name localhost.localdomain + +# A list of addresses that are allowed to connect. This must be a +# regular expression, due to brain damage in Net::Server, which +# doesn't understand CIDR-style network notation. You may repeat +# the allow line as many times as you'd like + +<%= +str = '' +scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['muninmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| + str += "allow ^" + ip.split('.').join('\.') + "$\n" + end + end +end +str +-%> diff --git a/modules/munin/templates/munin-node.plugin.conf.erb b/modules/munin/templates/munin-node.plugin.conf.erb new file mode 100644 index 00000000..73ffb462 --- /dev/null +++ b/modules/munin/templates/munin-node.plugin.conf.erb 
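Review bot: The generated `allow` lines are the only daemon-side restriction on who may query a munin-node that runs as `user root` and binds to `host *`, so the loop should not silently assume that every `muninmaster` node from `site::localinfo` also has an `ipHostNumber` entry in `site::allnodeinfo`; a missing entry turns `[node]['ipHostNumber']` into a nil dereference and the catalog fails to compile, which is safe but opaque. A guard such as `raise "no ipHostNumber for munin master #{node}" unless scope.lookupvar('site::allnodeinfo')[node]` makes the failure explicit. Minor: `setsid 1` and `setsid yes` both appear; keeping one is enough.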
@@ -0,0 +1,108 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +[apt] +user root + +[courier_mta_mailqueue] +group daemon + +[courier_mta_mailstats] +group adm, maillog + +[courier_mta_mailvolume] +group adm, maillog + +[cps*] +user root +<%= +out = "" +if has_variable?("mta") and mta == "exim4" + out=" +[exim_mail*] +user Debian-exim +group maillog" +end +out +%> +<%= +out = "" +if has_variable?("vsftpd") and vsftpd == "true" + out=" +[vsftpd] +user root +" +end +out +%> +[fw_conntrack] +user root + +[fw_forwarded_local] +user root + +[hddtemp_smartctl] +user root + +[if_*] +user root + +[if_err_*] +user nobody + +[ip_*] +user root + +[ip6_*] +user root + +[mysql*] +user root +env.mysqlopts --defaults-extra-file=/etc/mysql/debian.cnf + +[df*] +env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs +env.warning 92 +env.critical 98 + +<%= +out = "" +if has_variable?("mta") and mta == "postfix" + out=" +[postfix_mailqueue] +user postfix + +[postfix_mailstats] +group adm, maillog + +[postfix_mailvolume] +group adm, maillog +env.logfile mail.log" +end +out +%> + +[smart_*] +user root + +[vlan*] +user root + +[spamassassin] +group maillog + +[bind*] +group bind +<%= +out = case hostname + when "geo1","geo2","geo3" then "env.logfile /var/log/bind9/geoip-query.log" + else "env.logfile /var/log/bind9/named-query.log" +end +out +%> + +# filter out all the short-lived sbuild/schroot filesystems for diskstats: +[diskstats] +env.exclude sbuild,schroot diff --git a/modules/munin/templates/munin.conf.erb b/modules/munin/templates/munin.conf.erb new file mode 100644 index 00000000..b223bd65 --- /dev/null +++ b/modules/munin/templates/munin.conf.erb 
@@ -0,0 +1,23 @@ +## +### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +dbdir /var/lib/munin +htmldir /var/cache/munin/www +logdir /var/log/munin +rundir /var/run/munin +tmpldir /etc/munin/templates +graph_strategy cgi + +<%= out = '' + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if not scope.lookupvar('site::localinfo')[node]['no_munin'] + out += '[' + node + '] + address ' + node + ' + +' + end + end +out +%> diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp index 33808c45..b72f002b 100644 --- a/modules/nagios/manifests/client.pp +++ b/modules/nagios/manifests/client.pp 
@@ -1,81 +1,64 @@ class nagios::client inherits nagios { - package { - dsa-nagios-nrpe-config: ensure => purged; - dsa-nagios-checks: ensure => installed; - } - file { - "/etc/default/nagios-nrpe-server": - source => [ "puppet:///modules/nagios/per-host/$fqdn/default", - "puppet:///modules/nagios/common/default" ], - require => Package["nagios-nrpe-server"], - notify => Exec["nagios-nrpe-server restart"], - ; - "/etc/default/nagios-nrpe": - ensure => absent, - notify => Exec["nagios-nrpe-server restart"], - ; - "/etc/nagios/nrpe.cfg": - content => template("nagios/nrpe.cfg.erb"), - require => Package["nagios-nrpe-server"], - notify => Exec["service nagios-nrpe-server reload"], - ; - "/etc/nagios/nrpe.d": - mode => 755, - require => Package["nagios-nrpe-server"], - ensure => directory, - ; - "/etc/nagios/nrpe.d/debianorg.cfg": - content => template("nagios/inc-debian.org.erb"), - require => Package["nagios-nrpe-server"], - notify => Exec["service nagios-nrpe-server reload"], - ; - "/etc/nagios/nrpe.d/nrpe_dsa.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg" ], - require => Package["dsa-nagios-checks"], - notify => Exec["service nagios-nrpe-server reload"], - ; + package { 'dsa-nagios-nrpe-config': + ensure => purged + } + package { 'dsa-nagios-checks': + ensure => installed + } - "/etc/nagios/obsolete-packages-ignore": - source => [ "puppet:///modules/nagios/per-host/$fqdn/obsolete-packages-ignore", - "puppet:///modules/nagios/common/obsolete-packages-ignore" ], - require => Package["dsa-nagios-checks"], - ; + service { 'nagios-nrpe-server': + ensure => running, + hasstatus => false, + pattern => 'nrpe', + } - "/etc/nagios/obsolete-packages-ignore.d/hostspecific": - content => template("nagios/obsolete-packages-ignore.d-hostspecific.erb"), - require => Package["dsa-nagios-checks"], - ; - } + @ferm::rule { 'dsa-nagios-v4': + description => 'Allow nrpe from nagios master', + rule => 'proto tcp mod state state (NEW) dport (5666) 
@subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }', + notarule => true, + } + @ferm::rule { 'dsa-nagios-v6': + description => 'Allow nrpe from nagios master', + domain => 'ip6', + rule => 'proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }', + notarule => true, + } - exec { - "nagios-nrpe-server restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - "service nagios-nrpe-server reload": -# remove after lenny EOL (lenny has no service binary) -# -cut- - command => "/etc/init.d/nagios-nrpe-server reload", -# -cut- - refreshonly => true, - ; - } + file { '/etc/default/nagios-nrpe-server': + source => 'puppet:///modules/nagios/common/default', + require => Package['nagios-nrpe-server'], + notify => Service['nagios-nrpe-server'], + } + file { '/etc/default/nagios-nrpe': + ensure => absent, + notify => Service['nagios-nrpe-server'], + } + file { '/etc/nagios/': + ensure => directory, + require => Package['nagios-nrpe-server'], + notify => Service['nagios-nrpe-server'], + } + file { '/etc/nagios/nrpe.cfg': + content => template('nagios/nrpe.cfg.erb'), + } + file { '/etc/nagios/nrpe.d': + ensure => directory, + mode => '0755', + } + file { '/etc/nagios/nrpe.d/debianorg.cfg': + content => template('nagios/inc-debian.org.erb'), + } + file { '/etc/nagios/nrpe.d/nrpe_dsa.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg', + } + file { '/etc/nagios/obsolete-packages-ignore': + source => 'puppet:///modules/nagios/common/obsolete-packages-ignore', + require => Package['dsa-nagios-checks'], + } + file { '/etc/nagios/obsolete-packages-ignore.d/hostspecific': + content => template('nagios/obsolete-packages-ignore.d-hostspecific.erb'), + require => Package['dsa-nagios-checks'], + } - @ferm::rule { - "dsa-nagios-v4": - description => "Allow nrpe from nagios master", - rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr 
(\$HOST_NAGIOS_V4) ACCEPT; }", - notarule => true, - ; - "dsa-nagios-v6": - description => "Allow nrpe from nagios master", - domain => "ip6", - rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }", - notarule => true, - ; - } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/nagios/manifests/init.pp b/modules/nagios/manifests/init.pp index 4975a413..3149da3e 100644 --- a/modules/nagios/manifests/init.pp +++ b/modules/nagios/manifests/init.pp @@ -1,8 +1,5 @@ class nagios { - package { - nagios-nrpe-server: ensure => installed; + package { 'nagios-nrpe-server': + ensure => installed } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp index f73d8ad2..2ab72a84 100644 --- a/modules/nagios/manifests/server.pp +++ b/modules/nagios/manifests/server.pp 
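Review bot: `/etc/nagios/nrpe.cfg`, `/etc/nagios/nrpe.d/debianorg.cfg` and `/etc/nagios/nrpe.d/nrpe_dsa.cfg` previously notified the nrpe reload exec and now carry no `notify` at all; the `notify => Service['nagios-nrpe-server']` on the `/etc/nagios/` directory resource does not propagate to files inside it (there is no `recurse`), so changes to the NRPE command definitions, including the generated `nrpe_dsa.cfg`, stay unapplied until something else restarts the daemon. Add `notify => Service['nagios-nrpe-server'],` to each of those three file resources. The service resource should also `require => Package['nagios-nrpe-server'],` (the package is declared in the parent `nagios` class) so a first run does not try to start it before installation. Note that `pattern => 'nrpe'` with `hasstatus => false` matches any process whose command line contains that substring, e.g. a `check_nrpe` invocation, so the daemon may be reported running when it is not; if the init script supports `status`, `hasstatus => true` is more reliable.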
@@ -1,88 +1,75 @@ -class nagios::server inherits nagios::client { - package { - nagios3: ensure => installed; - nagios-nrpe-plugin: ensure => installed; - nagios-plugins: ensure => installed; - nagios-images: ensure => installed; - } - - file { - "/etc/nagios-plugins/config/local-dsa-checkcommands.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - - "/etc/nagios3/cgi.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/cgi.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/nagios.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/nagios.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; +class nagios::server { - "/etc/nagios3/puppetconf.d": - mode => 755, - require => Package["nagios3"], - ensure => directory; - - "/etc/nagios3/puppetconf.d/contacts.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/generic-host.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/generic-service.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/timeperiods.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - - "/etc/nagios3/puppetconf.d/auto-dependencies.cfg": - 
source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-hostgroups.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-hosts.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-servicegroups.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-services.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; + package { [ + 'nagios3', + 'nagios-nrpe-plugin', + 'nagios-plugins', + 'nagios-images' + ] + ensure => installed + } + service { 'nagios3': + ensure => running, } - exec { "nagios3 reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, + file { '/etc/nagios-plugins/config': + ensure => directory, + require => Package['nagios3'], + notify => Service['nagios3'], + } + file { '/etc/nagios3': + ensure => directory, + require => Package['nagios3'], + notify => Service['nagios3'], + } + file { '/etc/nagios3/puppetconf.d': + ensure => directory, + mode => '0755', + } + file { 
'/etc/nagios-plugins/config/local-dsa-checkcommands.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg', + } + file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg', + } + file { '/etc/nagios3/cgi.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/cgi.cfg', + } + file { '/etc/nagios3/nagios.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/nagios.cfg', + } + file { '/etc/nagios3/puppetconf.d/contacts.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg', + } + file { '/etc/nagios3/puppetconf.d/generic-host.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg', + } + file { '/etc/nagios3/puppetconf.d/generic-service.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg', + } + file { '/etc/nagios3/puppetconf.d/timeperiods.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-dependencies.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-hostgroups.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-hosts.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-servicegroups.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-services.cfg': + source => 
'puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg', } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/nagios/templates/inc-debian.org.erb b/modules/nagios/templates/inc-debian.org.erb index 5732e2a3..b06c3284 100644 --- a/modules/nagios/templates/inc-debian.org.erb +++ b/modules/nagios/templates/inc-debian.org.erb @@ -5,9 +5,9 @@ <%= nagii = [] -localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient'] - nagii << allnodeinfo[node]['ipHostNumber'] +scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient'] + nagii << scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'] end end diff --git a/modules/named/manifests/authoritative.pp b/modules/named/manifests/authoritative.pp index 4ffba00d..a1024d88 100644 --- a/modules/named/manifests/authoritative.pp +++ b/modules/named/manifests/authoritative.pp 
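Review bot: The `package { [ 'nagios3', ... 'nagios-images' ] ensure => installed }` declaration is missing the `:` after the title array, so this manifest does not parse. The fifteen configuration files under `/etc/nagios-plugins/config` and `/etc/nagios3` have also lost the `notify` they used to carry (`Exec["nagios3 reload"]`); the `notify => Service['nagios3']` on the two directory resources does not cover their children, so an updated `cgi.cfg`, `contacts.cfg` or any generated `auto-*.cfg` is not loaded until an unrelated restart — add `notify => Service['nagios3'],` to each file and `require => Package['nagios3'],` to the service. Finally, `nagios::server` no longer inherits `nagios::client`; if the master relied on that inheritance for its own nrpe configuration and ferm rule, it now needs an explicit `include nagios::client`.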
@@ -1,20 +1,15 @@
 class named::authoritative inherits named {
- file {
- "/etc/bind/named.conf.debian-zones":
- source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.debian-zones",
- "puppet:///modules/named/common/named.conf.debian-zones" ],
- notify => Exec["bind9 reload"];
- "/etc/bind/named.conf.options":
- content => template("named/named.conf.options.erb"),
- notify => Exec["bind9 reload"];
- }
- file { "/etc/bind/named.conf.shared-keys":
- mode => 640,
- owner => root,
- group => bind,
- }
+ file { '/etc/bind/named.conf.debian-zones':
+ source => 'puppet:///modules/named/common/named.conf.debian-zones',
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/named.conf.options':
+ content => template('named/named.conf.options.erb'),
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/named.conf.shared-keys':
+ mode => '0640',
+ owner => root,
+ group => bind,
+ }
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 76cfe3c6..1dd57113 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
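Review bot: The `source` of `/etc/bind/named.conf.debian-zones` dropped the `per-host/$fqdn/...` entry, so any per-host override of the authoritative zone list that exists under `modules/named/per-host/` is now silently replaced by the common file; confirm no such override is in use before merging, or keep the two-element source list. The two files that now notify `Service['bind9']` still have no `require => Package['bind9']`, which was already the case before but becomes more visible now that the service is referenced here. `named.conf.shared-keys` keeps `0640 root:bind`, which is the right protection for TSIG key material.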
@@ -1,75 +1,47 @@ class named::geodns inherits named { - activate_munin_check { - "bind_views": script => bind; - } + munin::check { 'bind_views': + script => bind + } - file { - "/etc/bind/named.conf.options": - content => template("named/named.conf.options.erb"), - notify => Exec["bind9 reload"]; - "/etc/apt/sources.list.d/geoip.list": - content => template("debian-org/etc/apt/sources.list.d/geoip.list.erb"), - notify => Exec["apt-get update"], - ; - "/etc/bind/named.conf.local": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.local", - "puppet:///modules/named/common/named.conf.local" ], - require => Package["bind9"], - notify => Exec["bind9 restart"], - owner => root, - group => root, - ; - "/etc/bind/named.conf.acl": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.acl", - "puppet:///modules/named/common/named.conf.acl" ], - require => Package["bind9"], - notify => Exec["bind9 restart"], - owner => root, - group => root, - ; - "/etc/bind/geodns": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - "/etc/bind/geodns/zonefiles": - ensure => directory, - owner => geodnssync, - group => geodnssync, - mode => 755, - ; - "/etc/bind/geodns/named.conf.geo": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.geo", - "puppet:///modules/named/common/named.conf.geo" ], - require => Package["bind9"], - notify => Exec["bind9 restart"], - owner => root, - group => root, - ; - "/etc/bind/geodns/trigger": - source => [ "puppet:///modules/named/per-host/$fqdn/trigger", - "puppet:///modules/named/common/trigger" ], - owner => root, - group => root, - mode => 555, - ; - "/etc/ssh/userkeys/geodnssync": - source => [ "puppet:///modules/named/per-host/$fqdn/authorized_keys", - "puppet:///modules/named/common/authorized_keys" ], - owner => root, - group => geodnssync, - mode => 440, - ; - "/etc/cron.d/dsa-boot-geodnssync": - source => [ "puppet:///modules/named/per-host/$fqdn/cron-geo", - 
"puppet:///modules/named/common/cron-geo" ], - owner => root, - group => root, - ; - } -} + site::aptrepo { 'geoip': + template => 'debian-org/etc/apt/sources.list.d/geoip.list.erb', + } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: + file { '/etc/bind/': + ensure => directory, + require => Package['bind9'], + notify => Service['bind9'], + } + file { '/etc/bind/geodns': + ensure => directory, + } + file { '/etc/bind/named.conf.options': + content => template('named/named.conf.options.erb'), + } + file { '/etc/bind/named.conf.local': + source => 'puppet:///modules/named/common/named.conf.local', + } + file { '/etc/bind/named.conf.acl': + source => 'puppet:///modules/named/common/named.conf.acl', + } + file { '/etc/bind/geodns/zonefiles': + ensure => directory, + owner => geodnssync, + group => geodnssync, + mode => '0755', + } + file { '/etc/bind/geodns/named.conf.geo': + source => 'puppet:///modules/named/common/named.conf.geo', + } + file { '/etc/bind/geodns/trigger': + source => 'puppet:///modules/named/common/trigger', + } + file { '/etc/ssh/userkeys/geodnssync': + source => 'puppet:///modules/named/common/authorized_keys', + group => geodnssync, + mode => '0440', + } + file { '/etc/cron.d/dsa-boot-geodnssync': + source => 'puppet:///modules/named/common/cron-geo' + } +} diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp index 8cfa4080..28a666b5 100644 --- a/modules/named/manifests/init.pp +++ b/modules/named/manifests/init.pp 
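Review bot: Only the `/etc/bind/` directory resource carries `notify => Service['bind9']` in the new code, while named.conf.options, named.conf.local, named.conf.acl and geodns/named.conf.geo have no notify at all; a directory resource only refreshes the service when the directory itself changes, so edits to those config files will no longer restart or reload bind (the old resources notified `Exec['bind9 restart']`). `/etc/bind/geodns/trigger` also loses its explicit `mode => 555`, so it now takes the global File default, which is not executable, even though the old mode indicates it is run as a script. Managing `/etc/bind/` itself with the default owner, group and mode will rewrite whatever ownership the bind9 package ships for that directory, so that should be confirmed as intended. Each config file should get `notify => Service['bind9'],` back and the trigger `mode => '0555',`. The hunk starts on the previous line.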
@@ -1,37 +1,25 @@
 class named {
- activate_munin_check {
- "bind":;
- }
- package {
- bind9: ensure => installed;
- }
+ munin::check { 'bind': }
- exec {
- "bind9 restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- "bind9 reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- }
- file {
- "/var/log/bind9":
- ensure => directory,
- owner => bind,
- group => bind,
- mode => 775,
- ;
- }
- @ferm::rule { "dsa-bind":
- domain => "(ip ip6)",
- description => "Allow nameserver access",
- rule => "&TCP_UDP_SERVICE(53)"
- }
-}
+ package { 'bind9':
+ ensure => installed
+ }
+
+ service { 'bind9':
+ ensure => running,
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ @ferm::rule { 'dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE(53)'
+ }
+
+ file { '/var/log/bind9':
+ ensure => directory,
+ owner => bind,
+ group => bind,
+ mode => '0775',
+ }
+}
diff --git a/modules/named/manifests/recursor.pp b/modules/named/manifests/recursor.pp
index 66227c4b..3bd06d9b 100644
--- a/modules/named/manifests/recursor.pp
+++ b/modules/named/manifests/recursor.pp
@@ -1,12 +1,7 @@
 class named::recursor inherits named {
- file {
- "/etc/bind/named.conf.options":
- content => template("named/named.conf.options.erb"),
- notify => Exec["bind9 reload"];
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ file { '/etc/bind/named.conf.options':
+ content => template('named/named.conf.options.erb'),
+ notify => Service['bind9'],
+ }
+}
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
index e093aa4e..4224254d 100644
--- a/modules/named/templates/named.conf.options.erb
+++ b/modules/named/templates/named.conf.options.erb
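Review bot: `service { 'bind9': ensure => running }` has no `require => Package['bind9']`, unlike the `ntp` and `postgrey` services introduced in this same commit, so on a fresh host Puppet may attempt to start the service before the package is installed. The old manifest distinguished `bind9 reload` from `bind9 restart`, and every config resource in authoritative.pp, recursor.pp and geodns.pp now notifies this service, which by default performs a full restart on refresh; adding `restart => '/etc/init.d/bind9 reload',` (the command the old exec resolved to through its `/etc/init.d` path) keeps config changes to a reload on a nameserver that is expected to stay up.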
@@ -6,9 +6,9 @@ acl Nagios { <%= str = '' - localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| str += "\t" + ip + "/32;\n" end end diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp index d14a6ca3..b9ff8885 100644 --- a/modules/nfs-server/manifests/init.pp +++ b/modules/nfs-server/manifests/init.pp 
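Review bot: The context line below the new lookups appends `/32` to every entry of `ipHostNumber`, so if that list ever carries an IPv6 address (this commit's nodeinfo.rb change now records v6 addresses in node info) the generated `acl Nagios` entry would be malformed and could stop the BIND configuration from loading; choosing the suffix by address family, e.g. `/128` when the string contains `:`, makes the ACL robust. Whether `site::allnodeinfo` ever includes IPv6 entries is not visible here.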
@@ -1,31 +1,60 @@ class nfs-server { - include ferm::nfs-server + package { [ + 'nfs-common', + 'nfs-kernel-server' + ]: + ensure => installed + } - package { - nfs-common: ensure => installed; - nfs-kernel-server: ensure => installed; - } + service { 'nfs-common': + hasstatus => false, + status => '/bin/true', + refreshonly => true, + } + service { 'nfs-kernel-server': + hasstatus => false, + status => '/bin/true', + refreshonly => true, + } - file { - "/etc/default/nfs-common": - source => "puppet:///modules/nfs-server/nfs-common.default", - require => Package["nfs-common"], - notify => Exec["nfs-common restart"]; - "/etc/default/nfs-kernel-server": - source => "puppet:///modules/nfs-server/nfs-kernel-server.default", - require => Package["nfs-kernel-server"], - notify => Exec["nfs-kernel-server restart"]; - "/etc/modprobe.d/lockd.local": - source => "puppet:///modules/nfs-server/lockd.local.modprobe"; - } + @ferm::rule { 'dsa-portmap': + domain => '(ip ip6)', + description => 'Allow portmap access', + rule => '&TCP_UDP_SERVICE(111)' + } + @ferm::rule { 'dsa-nfs': + domain => '(ip ip6)', + description => 'Allow nfsd access', + rule => '&TCP_UDP_SERVICE(2049)' + } + @ferm::rule { 'dsa-status': + domain => '(ip ip6)', + description => 'Allow statd access', + rule => '&TCP_UDP_SERVICE(10000)' + } + @ferm::rule { 'dsa-mountd': + domain => '(ip ip6)', + description => 'Allow mountd access', + rule => '&TCP_UDP_SERVICE(10002)' + } + @ferm::rule { 'dsa-lockd': + domain => '(ip ip6)', + description => 'Allow lockd access', + rule => '&TCP_UDP_SERVICE(10003)' + } - exec { - "nfs-common restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "nfs-kernel-server restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - } + file { '/etc/default/nfs-common': + source => 'puppet:///modules/nfs-server/nfs-common.default', + require => Package['nfs-common'], + notify => Service['nfs-common'], + } + file { 
'/etc/default/nfs-kernel-server': + source => 'puppet:///modules/nfs-server/nfs-kernel-server.default', + require => Package['nfs-kernel-server'], + notify => Service['nfs-kernel-server'], + } + file { '/etc/modprobe.d/lockd.local': + source => 'puppet:///modules/nfs-server/lockd.local.modprobe' + } } diff --git a/modules/ntp/manifests/client.pp b/modules/ntp/manifests/client.pp new file mode 100644 index 00000000..aa877a1a --- /dev/null +++ b/modules/ntp/manifests/client.pp @@ -0,0 +1,24 @@ +class ntp::client { + file { '/etc/default/ntp': + source => 'puppet:///modules/ntp/etc-default-ntp', + require => Package['ntp'], + notify => Service['ntp'] + } + file { '/etc/ntp.keys.d/': + ensure => directory, + require => Package['ntp'], + notify => Service['ntp'] + } + file { '/etc/ntp.keys.d/ntpkey_iff_merikanto': + source => 'puppet:///modules/ntp/ntpkey_iff_merikanto.pub', + } + file { '/etc/ntp.keys.d/ntpkey_iff_orff': + source => 'puppet:///modules/ntp/ntpkey_iff_orff.pub', + } + file { '/etc/ntp.keys.d/ntpkey_iff_ravel': + source => 'puppet:///modules/ntp/ntpkey_iff_ravel.pub', + } + file { '/etc/ntp.keys.d/ntpkey_iff_busoni': + source => 'puppet:///modules/ntp/ntpkey_iff_busoni.pub', + } +} diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp index 74a5a322..26aa2d4f 100644 --- a/modules/ntp/manifests/init.pp +++ b/modules/ntp/manifests/init.pp 
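Review bot: `refreshonly => true` is not an attribute of the `service` type (it belongs to `exec`), so the new `service { 'nfs-common': ... }` and `service { 'nfs-kernel-server': ... }` resources are expected to be rejected when the catalog is compiled; dropping that line and relying on `notify` from the `/etc/default/*` file resources gives the intended restart-on-change behaviour. With `status => '/bin/true'` Puppet also never observes either daemon as stopped, so nothing in this class enforces that NFS is actually running. The five `@ferm::rule` resources, as far as the macro names suggest, open 111, 2049, 10000, 10002 and 10003 to any source in both address families; if the ferm macro accepts a source restriction, limiting these to the NFS clients would reduce the exposed surface. The hunk starts on the previous line.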
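Review bot: `file { '/etc/ntp.keys.d/': ... }` in ntp::client and `file { '/etc/ntp.keys.d': ... }` in ntp (init.pp, later in this commit) name the same path, and since `ntp` includes `ntp::client` both land in one catalog; Puppet normalises the trailing slash, so this most likely fails as a duplicate resource, and even where it did not, the two disagree on ownership (init.pp sets `group => ntp, mode => '0750'`, this one inherits the global defaults). Removing the directory resource from ntp::client and letting the key files autorequire the directory managed by init.pp resolves both.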
@@ -1,107 +1,43 @@ class ntp { - package { ntp: ensure => installed } - file { - "/var/lib/ntp/": - ensure => directory, - owner => ntp, - group => ntp, - mode => 755, - require => Package["ntp"] - ; - "/var/lib/ntp": - ensure => directory, - owner => ntp, - group => ntp, - mode => 755, - require => Package["ntp"] - ; - "/etc/ntp.conf": - owner => root, - group => root, - mode => 444, - content => template("ntp/ntp.conf"), - notify => Exec["ntp restart"], - require => Package["ntp"] - ; - "/etc/ntp.keys.d": - owner => root, - group => ntp, - mode => 750, - ensure => directory, - require => Package["ntp"] - ; - } - case getfromhash($nodeinfo, 'timeserver') { - true: { - file { - "/var/lib/ntp/leap-seconds.list": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/leap-seconds.list" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - } - } - default: { - file { - "/etc/default/ntp": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/etc-default-ntp" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_merikanto": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_merikanto.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_orff": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_orff.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_ravel": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_ravel.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_busoni": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_busoni.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - } - } - } 
+ package { 'ntp': + ensure => installed + } + service { 'ntp': + ensure => running, + require => Package['ntp'] + } - exec { "ntp restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } - @ferm::rule { "dsa-ntp": - domain => "(ip ip6)", - description => "Allow ntp access", - rule => "&SERVICE(udp, 123)" - } + @ferm::rule { 'dsa-ntp': + domain => '(ip ip6)', + description => 'Allow ntp access', + rule => '&SERVICE(udp, 123)' + } + + file { '/var/lib/ntp': + ensure => directory, + owner => ntp, + group => ntp, + mode => '0755', + require => Package['ntp'] + } + file { '/etc/ntp.conf': + content => template('ntp/ntp.conf'), + notify => Service['ntp'], + require => Package['ntp'] + } + file { '/etc/ntp.keys.d': + ensure => directory, + group => ntp, + mode => '0750', + notify => Service['ntp'], + require => Package['ntp'] + } + + if getfromhash($site::nodeinfo, 'timeserver') { + include ntp::timeserver + } else { + include ntp::client + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/ntp/manifests/timeserver.pp b/modules/ntp/manifests/timeserver.pp new file mode 100644 index 00000000..f86ddf47 --- /dev/null +++ b/modules/ntp/manifests/timeserver.pp @@ -0,0 +1,7 @@ +class ntp::timeserver { + file { '/var/lib/ntp/leap-seconds.list': + source => 'puppet:///modules/ntp/leap-seconds.list', + require => Package['ntp'], + notify => Service['ntp'], + } +} diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf index 94787968..11c5c3c4 100644 --- a/modules/ntp/templates/ntp.conf +++ b/modules/ntp/templates/ntp.conf @@ -14,7 +14,7 @@ filegen clockstats file clockstats type day enable crypto randfile /dev/urandom keysdir /etc/ntp.keys.d -<% if nodeinfo['timeserver'] -%> +<% if scope.lookupvar('site::nodeinfo')['timeserver'] -%> server 0.debian.pool.ntp.org iburst dynamic server 1.debian.pool.ntp.org iburst dynamic server 2.debian.pool.ntp.org iburst dynamic 
@@ -26,7 +26,7 @@ server ntp.grnet.gr iburst <% end -%> <% elsif fqdn == "ancina.debian.org" -%> server ntp.ugent.be iburst dynamic -<% elsif nodeinfo['misc']['natted'] -%> +<% elsif scope.lookupvar('site::nodeinfo')['misc']['natted'] -%> # autokey doesn't work behind nat # merikanto's and orff's ipv4 IP, hard coded for the benefit of hosts diff --git a/modules/ntpdate/manifests/init.pp b/modules/ntpdate/manifests/init.pp index 37de5af5..ca21a4db 100644 --- a/modules/ntpdate/manifests/init.pp +++ b/modules/ntpdate/manifests/init.pp @@ -1,21 +1,15 @@ class ntpdate { - case getfromhash($nodeinfo, 'broken-rtc') { - true: { - package { - ntpdate: ensure => installed; - lockfile-progs: ensure => installed; - } - file { - "/etc/default/ntpdate": - owner => root, - group => root, - mode => 444, - content => template("ntpdate/etc-default-ntpdate.erb"), - ; - } - } - } + + if getfromhash($site::nodeinfo, 'broken-rtc') { + package { [ + 'ntpdate', + 'lockfile-progs' + ]: + ensure => installed + } + + file { '/etc/default/ntpdate': + content => template('ntpdate/etc-default-ntpdate.erb'), + } + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/portforwarder/manifests/init.pp b/modules/portforwarder/manifests/init.pp index 83d11cf6..8fd01c34 100644 --- a/modules/portforwarder/manifests/init.pp +++ b/modules/portforwarder/manifests/init.pp 
@@ -1,30 +1,22 @@ class portforwarder { - # do not depend on xinetd, yet. it might uninstall other inetds - # for now this will have to be done manually - file { - "/etc/ssh/userkeys/portforwarder": - content => template("portforwarder/authorized_keys.erb"), - mode => 444, - ; - "/etc/xinetd.d": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - "/etc/xinetd.d/dsa-portforwader": - content => template("portforwarder/xinetd.erb"), - notify => Exec["xinetd reload"] - ; - } + # do not depend on xinetd, yet. it might uninstall other inetds + # for now this will have to be done manually + file { '/etc/ssh/userkeys/portforwarder': + content => template('portforwarder/authorized_keys.erb'), + } + file { '/etc/xinetd.d': + ensure => directory, + owner => root, + group => root, + mode => '0755', + } + file { '/etc/xinetd.d/dsa-portforwader': + content => template('portforwarder/xinetd.erb'), + notify => Exec['xinetd reload'] + } - exec { - "xinetd reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - } + exec { 'xinetd reload': + path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/portforwarder/templates/authorized_keys.erb b/modules/portforwarder/templates/authorized_keys.erb index 5cb76624..1ffd9e84 100644 --- a/modules/portforwarder/templates/authorized_keys.erb +++ b/modules/portforwarder/templates/authorized_keys.erb @@ -29,7 +29,7 @@ config.each_pair do |sourcehost, services| if allowed_ports.length > 0 sshkey = getportforwarderkey(sourcehost) - remote_ip = allnodeinfo[sourcehost]['ipHostNumber'].join(',') + remote_ip = scope.lookupvar('site::allnodeinfo')[sourcehost]['ipHostNumber'].join(',') local_bind = '127.101.%d.%d'%[ (sourcehost.hash / 256 % 256), sourcehost.hash % 256 ] lines << "# from #{sourcehost}" 
diff --git a/modules/postgres/manifests/init.pp b/modules/postgres/manifests/init.pp
index bb2b7689..4edc5c8a 100644
--- a/modules/postgres/manifests/init.pp
+++ b/modules/postgres/manifests/init.pp
@@ -1,19 +1,17 @@
 class postgres {
- activate_munin_check {
- "postgres_bgwriter":;
- "postgres_connections_db":;
- "postgres_cache_ALL": script => "postgres_cache_";
- "postgres_querylength_ALL": script => "postgres_querylength_";
- "postgres_size_ALL": script => "postgres_size_";
- }
- file {
- "/etc/munin/plugin-conf.d/local-postgres":
- source => "puppet:///modules/postgres/plugin.conf",
- ;
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ munin::check { 'postgres_bgwriter': }
+ munin::check { 'postgres_connections_db': }
+ munin::check { 'postgres_cache_ALL':
+ script => 'postgres_cache_'
+ }
+ munin::check { 'postgres_querylength_ALL':
+ script => 'postgres_querylength_'
+ }
+ munin::check { 'postgres_size_ALL':
+ script => 'postgres_size_'
+ }
+ file { '/etc/munin/plugin-conf.d/local-postgres':
+ source => 'puppet:///modules/postgres/plugin.conf',
+ }
+}
diff --git a/modules/postgrey/manifests/init.pp b/modules/postgrey/manifests/init.pp
index 678665ee..44139743 100644
--- a/modules/postgrey/manifests/init.pp
+++ b/modules/postgrey/manifests/init.pp
@@ -1,19 +1,17 @@
 class postgrey {
- package { "postgrey": ensure => installed; }
- file {
- "/etc/default/postgrey":
- source => "puppet:///modules/postgrey/default",
- require => Package["postgrey"],
- notify => Exec["postgrey restart"]
- ;
- }
+ package { 'postgrey':
+ ensure => installed
+ }
- exec { "postgrey restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ service { 'postgrey':
+ ensure => running,
+ require => Package['postgrey']
+ }
+
+ file { '/etc/default/postgrey':
+ source => 'puppet:///modules/postgrey/default',
+ require => Package['postgrey'],
+ notify => Service['postgrey']
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
index 41a071af..deb07d95 100644
--- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
+++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
@@ -27,7 +27,7 @@ module Puppet::Parser::Functions
 end
 v6ips = lookupvar('v6ips')
- if v6ips and v6ips != "no"
+ if v6ips and v6ips != ""
 nodeinfo['misc']['v6addrs'] = v6ips.split(',')
 end
 end
diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp
index b702a158..c48ef599 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -1,5 +1,2 @@
 class puppetmaster {
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/raidmpt/manifests/init.pp b/modules/raidmpt/manifests/init.pp
index 814fd5b4..c6884aa8 100644
--- a/modules/raidmpt/manifests/init.pp
+++ b/modules/raidmpt/manifests/init.pp
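Review bot: Changing the sentinel test from `v6ips != "no"` to `v6ips != ""` means a node whose fact still reports the old literal `no` now gets `['no']` stored as its v6addrs, and that value flows into generated configuration; unless every agent is known to report an empty string instead, keeping both checks, `if v6ips and v6ips != "" and v6ips != "no"`, is the safe transition. The enclosing function body starts and ends outside the hunk.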
@@ -1,21 +1,16 @@ class raidmpt { - package { - mpt-status: ensure => installed; - } - file { - "/etc/default/mpt-statusd": - content => "# This file is under puppet control\nRUN_DAEMON=no\n", - notify => Exec["mpt-statusd-stop"], - ; - } - exec { - "mpt-statusd-stop": - command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"', - refreshonly => true, - ; - } + package { 'mpt-status': + ensure => installed + } + + file { '/etc/default/mpt-statusd': + content => "# This file is under puppet control\nRUN_DAEMON=no\n", + notify => Exec['mpt-statusd-stop'], + } + + exec { 'mpt-statusd-stop': + command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"', + refreshonly => true, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/resolv/manifests/init.pp b/modules/resolv/manifests/init.pp index 1934cfa1..59f3147f 100644 --- a/modules/resolv/manifests/init.pp +++ b/modules/resolv/manifests/init.pp @@ -1,8 +1,6 @@ class resolv { - file { "/etc/resolv.conf": - content => template("resolv/resolv.conf.erb"); + + file { '/etc/resolv.conf': + content => template('resolv/resolv.conf.erb'); } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb index 531b5165..dfea7786 100644 --- a/modules/resolv/templates/resolv.conf.erb +++ b/modules/resolv/templates/resolv.conf.erb 
@@ -12,9 +12,9 @@ if %w{draghi liszt}.include?(hostname) nameservers << "127.0.0.1" end -nameservers += nodeinfo['hoster']['nameservers'] if nodeinfo['hoster']['nameservers'] -searchpaths += nodeinfo['hoster']['searchpaths'] if nodeinfo['hoster']['searchpaths'] -options += nodeinfo['hoster']['resolvoptions'] if nodeinfo['hoster']['resolvoptions'] +nameservers += scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] if scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] +searchpaths += scope.lookupvar('site::nodeinfo')['hoster']['searchpaths'] if scope.lookupvar('site::nodeinfo')['hoster']['searchpaths'] +options += scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions'] if scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions'] searchpaths << "debian.org" diff --git a/modules/roles/files/backports_mirror/backports.debian.org b/modules/roles/files/backports_mirror/backports.debian.org new file mode 100644 index 00000000..73966cfb --- /dev/null +++ b/modules/roles/files/backports_mirror/backports.debian.org @@ -0,0 +1,23 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + ServerName backports.debian.org + ServerAdmin debian-admin@debian.org + + ErrorLog /var/log/apache2/backports.debian.org-error.log + CustomLog /var/log/apache2/backports.debian.org-access.log combined + + + UserDir disabled + + + Alias /debian-backports /srv/mirrors/backports.debian.org/ + + RewriteEngine On + RewriteRule ^/debian-backports($|/.*) - [L] + RewriteRule ^/(.*) http://backports-master.debian.org/$1 [R] + +# vim:set syn=apache: diff --git a/modules/roles/files/backports_mirror/www.backports.org b/modules/roles/files/backports_mirror/www.backports.org new file mode 100644 index 00000000..7bcade28 --- /dev/null +++ b/modules/roles/files/backports_mirror/www.backports.org 
@@ -0,0 +1,28 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# www.backports.org is the historical place for the backports +# website and archive. It is now a CNAME to backports.debian.org - +# redirect http requests. + + + ServerName www.backports.org + ServerAlias lists.backports.org + ServerAdmin debian-admin@debian.org + + ErrorLog /var/log/apache2/www.backports.org-error.log + CustomLog /var/log/apache2/www.backports.org-access.log combined + + + UserDir disabled + + + RedirectPermanent /debian/ http://backports.debian.org/debian-backports/ + RedirectPermanent /backports.org/ http://backports.debian.org/debian-backports/ + RedirectPermanent /debian-backports/ http://backports.debian.org/debian-backports/ + RedirectPermanent / http://backports-master.debian.org/ + +# vim:set syn=apache: + diff --git a/modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org b/modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org new file mode 100644 index 00000000..24e6fa0d --- /dev/null +++ b/modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org @@ -0,0 +1,16 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + ServerAdmin ftpmaster@debian.org + DocumentRoot /srv/mirrors/buildd-all + ServerName ftp-upcoming.debian.org + + ErrorLog /var/log/apache2/ftp-upcoming.debian.org-error.log + LogLevel warn + CustomLog /var/log/apache2/ftp-upcoming.debian.org-access.log combined + + IndexOptions FancyIndexing NameWidth=* + diff --git a/modules/roles/files/security_mirror/security.debian.org b/modules/roles/files/security_mirror/security.debian.org new file mode 100644 index 00000000..0f77652d --- /dev/null +++ b/modules/roles/files/security_mirror/security.debian.org 
@@ -0,0 +1,38 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + IndexOptions NameWidth=* +SuppressDescription + Options +FollowSymLinks + Options +Indexes + FileETag MTime Size + + + + ServerAdmin debian-admin@debian.org + DocumentRoot /org/security.debian.org/ftp + ServerPath /debian-security + ServerName security.debian.org + ServerAlias security.ipv6.debian.org + ServerAlias security.eu.debian.org + ServerAlias security.us.debian.org + ServerAlias security.na.debian.org + ServerAlias security.geo.debian.org + ServerAlias security-nagios.debian.org + + Alias /debian-security /org/security.debian.org/ftp + + RewriteEngine on + RewriteRule ^/$ http://www.debian.org/security/ + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog /var/log/apache2/security.debian.org-access.log combined + ServerSignature On + + + diff --git a/modules/roles/files/www_mirror/www.debian.org b/modules/roles/files/www_mirror/www.debian.org new file mode 100644 index 00000000..c9b60489 --- /dev/null +++ b/modules/roles/files/www_mirror/www.debian.org 
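Review bot: `ServerSignature On` appends the server version to generated index and error pages, which none of the other new vhost files in this commit enable; `ServerSignature Off` (or simply omitting the directive) avoids advertising the version on a public mirror. This vhost also sets `CustomLog` but no `ErrorLog`, unlike backports.debian.org and www.debian.org, so its errors land in the global log where they are harder to attribute; `ErrorLog /var/log/apache2/security.debian.org-error.log` would match the others. The VirtualHost/Directory container lines appear to have been stripped in this rendering, so their scope is inferred.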
@@ -0,0 +1,217 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# Need to turn on negotiation_module + + Options +MultiViews +FollowSymLinks +Indexes + AddHandler type-map var + # Make sure that the srm.conf directive is commented out. + AddDefaultCharSet Off + AllowOverride AuthConfig FileInfo + + # Serve icons as image/x-icon + AddType image/x-icon .ico + + # Serve RSS feeds as application/rss+xml + AddType application/rss+xml .rdf + + # Nice caching.. + ExpiresActive On + ExpiresDefault "access plus 1 day" + ExpiresByType image/gif "access plus 1 week" + ExpiresByType image/jpeg "access plus 1 week" + ExpiresByType image/png "access plus 1 week" + ExpiresByType image/x-icon "access plus 1 week" + + # FileEtag needs to be the same across mirrors (used for caching, ignore inode) + FileEtag MTime Size + + # language stuff, for web site translations + # for boot-floppies docs only: sk + AddLanguage en .en + AddLanguage en-us .en-us + AddLanguage en-gb .en-gb + AddLanguage ar .ar + AddLanguage bg .bg + AddLanguage ca .ca + AddLanguage cs .cs + AddLanguage da .da + AddLanguage de .de + AddLanguage el .el + AddLanguage eo .eo + AddLanguage es .es + AddLanguage fi .fi + AddLanguage fr .fr + AddLanguage hr .hr + AddLanguage hu .hu + AddLanguage hy .hy + AddLanguage id .id + AddLanguage it .it + AddLanguage ja .ja + AddLanguage ko .ko + AddLanguage lt .lt + AddLanguage nl .nl + AddLanguage no .no + AddLanguage nb .nb + AddLanguage pl .pl + AddLanguage pt .pt + AddLanguage pt-br .pt + AddLanguage ro .ro + AddLanguage ru .ru + AddLanguage sk .sk + AddLanguage sl .sl + AddLanguage sv .sv + AddLanguage tr .tr + AddLanguage uk .uk + AddLanguage vi .vi + AddLanguage zh-CN .zh-cn + AddLanguage zh-HK .zh-hk + AddLanguage zh-TW .zh-tw + LanguagePriority en fr de it es ja pl hr da pt pt-br fi zh-cn zh-hk zh-tw cs sv ko no nb ru tr eo ar nl hu ro sk el ca en-us en-gb 
id lt sl bg uk hy vi + + DirectoryIndex maintenance index index.html index.shtml index.htm + + + ForceType text/html + + + + ForceType application/pdf + + + + ForceType text/plain + + + + + ServerName www.nl.debian.org + ServerAdmin webmaster@debian.org + ServerAlias www.debian.com www.debian.de www.*.debian.org newwww.deb.at www.debian.net debian.net debian.org www.debian.at www.debian.eu debian.eu + DocumentRoot /srv/www.debian.org/www/ + ErrorLog /var/log/apache2/www-other.debian.org-error.log + CustomLog /var/log/apache2/www-other.debian.org-access.log combined + RewriteLog /var/log/apache2/www-other.debian.org-redirect.log + RewriteLogLevel 1 + + RewriteEngine on + RewriteRule ^/(.*)$ http://www.debian.org/$1 [R=301,L] + + + + ServerName www.debian.org + ServerAdmin webmaster@debian.org + ServerAlias www-*.debian.org + DocumentRoot /srv/www.debian.org/www/ + ErrorLog /var/log/apache2/www.debian.org-error.log + CustomLog /var/log/apache2/www.debian.org-access.log combined + + # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each + # document that was negotiated on the basis of content. This asks proxy + # servers not to cache the document. Uncommenting the following line disables + # this behavior, and proxies will be allowed to cache the documents. 
+ CacheNegotiatedDocs On + +# Custom Error + ErrorDocument 404 /devel/website/errors/404 + RewriteCond %{DOCUMENT_ROOT}/devel/website/errors/404.$2.html -f + RewriteRule ^/(?!devel/website/errors/)(.*/)?404\.(.+)\.html$ /devel/website/errors/404.$2.html [L] + +# the joys of backwards compatibility + RedirectPermanent /cgi-bin/cvsweb http://cvs.debian.org + RedirectPermanent /Lists-Archives http://lists.debian.org + RedirectPermanent /search http://search.debian.org + RedirectPermanent /Packages http://packages.debian.org + RedirectPermanent /lintian http://lintian.debian.org + + RedirectPermanent /SPI http://www.spi-inc.org +# RedirectPermanent /OpenHardware http://www.openhardware.org + RedirectPermanent /OpenSource http://www.opensource.org + + RedirectPermanent /Bugs/db/ix/pseudopackages.html /Bugs/pseudo-packages + RewriteEngine on + RewriteRule ^/Bugs/db/pa/l([^/]+).html$ http://bugs.debian.org/$1 + RewriteRule ^/Bugs/db/[[:digit:]][[:digit:]]/([[:digit:]][[:digit:]][[:digit:]]+).html$ http://bugs.debian.org/$1 + RewriteRule ^/Bugs/db/ma/l([^/]+).html$ http://bugs.debian.org/cgi-bin/pkgreport.cgi?maintenc=$1 + + Userdir http://people.debian.org/~*/ + + RedirectPermanent /devel/todo/ /devel/wnpp/help_requested_bypop + RedirectPermanent /doc/FAQ /doc/manuals/debian-faq + RedirectPermanent /doc/manuals/debian-fr-howto /doc/manuals/fr/debian-fr-howto + RedirectPermanent /doc/manuals/reference /doc/manuals/debian-reference + RedirectPermanent /doc/packaging-manuals/developers-reference /doc/manuals/developers-reference + RedirectPermanent /doc/packaging-manuals/packaging-tutorial /doc/manuals/packaging-tutorial + RedirectPermanent /doc/prospective-packages /devel/wnpp/ + RedirectPermanent /devel/maintainer_contacts /intro/organization + RedirectPermanent /devel/debian-installer/gtk-frontend http://wiki.debian.org/DebianInstaller/GUI + RedirectPermanent /zh/ /international/Chinese/ + RedirectPermanent /chinese/ /international/Chinese/ + RedirectPermanent /devel/help 
/devel/join/ + RedirectPermanent /distrib/books /doc/books + RedirectPermanent /distrib/floppyinst /distrib/netinst + RedirectPermanent /distrib/netboot /distrib/netinst + RedirectPermanent /distrib/vendors /CD/vendors/ + RedirectPermanent /distrib/cd /CD/ + RedirectPermanent /distrib/cdinfo /CD/vendors/info + RedirectPermanent /related_links /misc/related_links + RedirectPermanent /ports/laptops /misc/laptops/ + RedirectPermanent /misc/README.mirrors /mirror/list + RedirectPermanent /misc/README.non-US /mirror/list.non-US + RedirectPermanent /intl /international + RedirectPermanent /ports/armel /ports/arm + RedirectPermanent /ports/mipsel /ports/mips + RedirectPermanent /ports/kfreebsd-amd64 /ports/kfreebsd-gnu + RedirectPermanent /ports/kfreebsd-i386 /ports/kfreebsd-gnu + RedirectPermanent /ports/sparc64 /ports/sparc + RedirectPermanent /mirror/mirrors_full.html /mirror/list-full.html + RedirectPermanent /mirrors /mirror + RedirectPermanent /News/project /News/weekly + RedirectPermanent /releases/2.0 /releases/hamm + RedirectPermanent /releases/2.1 /releases/slink + RedirectPermanent /releases/2.2 /releases/potato + RedirectPermanent /releases/3.0 /releases/woody + RedirectPermanent /releases/3.1 /releases/sarge + RedirectPermanent /releases/4.0 /releases/etch + RedirectPermanent /releases/5.0 /releases/lenny + RedirectPermanent /releases/6.0 /releases/squeeze + RedirectPermanent /releases/unstable /releases/sid + + RewriteRule ^/ports/freebsd(.*) /ports/kfreebsd-gnu/ [R=301] + RewriteRule ^/devel/debian-installer/report-template(.*) /releases/stable/i386/ch05s04.html#submit-bug [NE,R=301] + RewriteRule ^/devel/debian-installer/hooks(.*) http://d-i.alioth.debian.org/doc/internals/apb.html [R=301] + RewriteRule ^/doc/packaging-manuals/mime-policy(.*) /doc/debian-policy/ch-opersys.html#s-mime [NE,R=301] + + RewriteRule ^/volatile/index.* - [S=1] + RewriteRule ^/volatile/.+ /volatile/ [L,R=301] + RewriteRule ^/devel/debian-volatile/.* /volatile/ [R=301] + +# Offer a 
Redirect to DSA without knowing year #474730 + RewriteMap dsa txt:/srv/www.debian.org/www/security/map-dsa.txt + RewriteRule ^/security/dsa-(\d+)(\..*)? /security/${dsa:$1}$2 [R=301] + +# Compatibility after SGML -> DocBook +# Debian Reference #624239 + RewriteMap reference txt:/srv/www.debian.org/www/doc/map-reference.txt + RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/ch-support$1 !-f + RewriteRule ^/doc/manuals/debian-reference/ch-support(.*) /support$1 [L,R=301] + RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/${reference:$1}$2 -f + RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)(.+) /doc/manuals/debian-reference/${reference:$1}$2 [L,R=301] + RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)$ /doc/manuals/debian-reference/${reference:$1} [R=301] + RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/apa$1 -f + RewriteRule ^/doc/manuals/debian-reference/ap-appendix(.+) /doc/manuals/debian-reference/apa$1 [L,R=301] + RewriteRule ^/doc/manuals/debian-reference/ap-appendix$ /doc/manuals/debian-reference/apa [R=301] + RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/footnotes$1 !-f + RewriteRule ^/doc/manuals/debian-reference/footnotes(.+) /doc/manuals/debian-reference/index$1 [L,R=301] + RewriteRule ^/doc/manuals/debian-reference/footnotes$ /doc/manuals/debian-reference/ [R=301] +# New Maintainers' Guide + RewriteRule ^/doc/(manuals/)?maint-guide/ch-(.*) /doc/manuals/maint-guide/$2 [R=301] + RewriteRule ^/doc/(manuals/)?maint-guide/footnotes(.*) /doc/manuals/maint-guide/index$2 [R=301] + +# Canonical place for manuals under /doc/manuals/ + RewriteCond %{DOCUMENT_ROOT}/doc/manuals/$1 -d + RewriteRule ^/doc/([^/]+)/?(.*)? /doc/manuals/$1/$2 [L,R=301] + + diff --git a/modules/roles/manifests/backports_mirror.pp b/modules/roles/manifests/backports_mirror.pp new file mode 100644 index 00000000..d8f49307 --- /dev/null +++ b/modules/roles/manifests/backports_mirror.pp 
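Review bot: `AllowOverride AuthConfig FileInfo` in the document-root directory section lets any `.htaccess` under `/srv/www.debian.org/www/` redefine handlers, rewrites and type maps, so whoever can write into the mirrored content tree can change how the site serves files; a short comment stating why FileInfo is needed (the `type-map` handler is already configured here) and confirming that the tree is not writable by untrusted accounts would make that trade-off explicit, or the override could be narrowed. `RewriteLog` and `RewriteLogLevel` are Apache 2.2 directives that are rejected by 2.4, which deserves a comment if the mirrors are expected to move. The Directory/VirtualHost container lines appear stripped in this rendering, so their boundaries are inferred. The hunk starts on an earlier line.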
@@ -0,0 +1,13 @@
+class roles::backports_mirror {
+ apache2::site { '010-backports.debian.org':
+ site => 'backports.debian.org',
+ config => 'puppet:///modules/roles/backports_mirror/backports.debian.org',
+ }
+
+ apache2::site { '010-www.backports.org':
+ site => 'www.backports.org',
+ config => 'puppet:///modules/roles/backports_mirror/www.backports.org',
+ }
+
+ apache2::module { 'rewrite': }
+}
diff --git a/modules/roles/manifests/dakmaster.pp b/modules/roles/manifests/dakmaster.pp
new file mode 100644
index 00000000..08a14819
--- /dev/null
+++ b/modules/roles/manifests/dakmaster.pp
@@ -0,0 +1,13 @@
+class roles::dakmaster {
+
+ package { 'libapache2-mod-macro':
+ ensure => installed,
+ }
+
+ apache2::module { 'macro': }
+
+ apache2::config { 'puppet-builddlist':
+ template => 'roles/conf-builddlist.erb',
+ }
+
+}
diff --git a/modules/roles/manifests/ftp-upcoming_mirror.pp b/modules/roles/manifests/ftp-upcoming_mirror.pp
new file mode 100644
index 00000000..8c12dd3d
--- /dev/null
+++ b/modules/roles/manifests/ftp-upcoming_mirror.pp
@@ -0,0 +1,7 @@
+class roles::ftp-upcoming_mirror {
+
+ apache2::site { '010-ftp-upcoming.debian.org':
+ site => 'ftp-upcoming.debian.org',
+ config => 'puppet:///modules/roles/ftp-upcoming_mirror/ftp-upcoming.debian.org',
+ }
+}
diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
new file mode 100644
index 00000000..13cba753
--- /dev/null
+++ b/modules/roles/manifests/security_mirror.pp
@@ -0,0 +1,11 @@
+class roles::security_mirror {
+
+ apache2::site { '010-security.debian.org':
+ site => 'security.debian.org',
+ config => 'puppet:///modules/roles/security_mirror/security.debian.org'
+ }
+
+ apache2::site { 'security.debian.org':
+ ensure => absent,
+ }
+}
diff --git a/modules/roles/manifests/www_mirror.pp b/modules/roles/manifests/www_mirror.pp
new file mode 100644
index 00000000..5baa0060
--- /dev/null
+++ b/modules/roles/manifests/www_mirror.pp
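Review bot: `apache2::module { 'macro': }` in roles::dakmaster has no ordering against `package { 'libapache2-mod-macro': }`, so on a fresh host the module can be enabled before the package that ships it is installed; add `require => Package['libapache2-mod-macro'],` to the module resource unless the apache2::module define, which is not in this diff, already orders itself after the package. The `puppet-builddlist` config is generated from every node whose purpose contains `buildd`, so a stray purpose entry in the node data silently widens that access list; a comment on the `apache2::config` resource naming that data source would help whoever audits the rendered file.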
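Review bot: `class roles::ftp-upcoming_mirror {` carries a hyphen in the class name, which newer Puppet releases reject and which older ones only tolerate; the sibling roles in this commit use underscores (`roles::backports_mirror`, `roles::security_mirror`), so `class roles::ftp_upcoming_mirror {` would keep the new code consistent and forward compatible. The file path would need the same rename for the autoloader to find it.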
@@ -0,0 +1,11 @@
+class roles::www_mirror {
+
+ apache2::site { '010-www.debian.org':
+ site => 'www.debian.org',
+ config => 'puppet:///modules/roles/www_mirror/www.debian.org',
+ }
+
+ apache2::site { 'www.debian.org':
+ ensure => absent,
+ }
+}
diff --git a/modules/roles/templates/conf-builddlist.erb b/modules/roles/templates/conf-builddlist.erb
new file mode 100644
index 00000000..d216cdc9
--- /dev/null
+++ b/modules/roles/templates/conf-builddlist.erb
@@ -0,0 +1,26 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+
+
+<%=
+ lines = []
+
+ scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+ next unless scope.lookupvar('site::allnodeinfo')[node]['purpose']
+ if scope.lookupvar('site::allnodeinfo')[node]['purpose'].include?('buildd')
+ lines << " # #{scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s}"
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
+ lines << " allow from #{addr}"
+ end
+ end
+ end
+
+ lines.join("\n")
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
+%>
+
diff --git a/modules/rsyncd-log/manifests/init.pp b/modules/rsyncd-log/manifests/init.pp
index 28e3c784..0ae5951d 100644
--- a/modules/rsyncd-log/manifests/init.pp
+++ b/modules/rsyncd-log/manifests/init.pp
@@ -1,17 +1,10 @@
 class rsyncd-log {
- file {
- "/etc/logrotate.d/dsa-rsyncd":
- source => "puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd",
- require => Package["debian.org"],
- ;
- "/var/log/rsyncd":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- }
+ file { '/etc/logrotate.d/dsa-rsyncd':
+ source => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd',
+ require => Package['debian.org'],
+ }
+ file { '/var/log/rsyncd':
+ ensure => directory,
+ mode => '0755',
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
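Review bot: `scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each` in conf-builddlist.erb has no guard, so a node whose purpose contains `buildd` but carries no `ipHostNumber` aborts the whole template render (the `purpose` key is guarded one line earlier, this one is not); `Array(allnodeinfo[node]['ipHostNumber']).each do |addr|` keeps the render going and yields no `allow from` line for such a node. Binding the lookup once, `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, at the top of the block and using that local in the six repeated calls would also make the loop readable. `include?('buildd')` is a substring test if `purpose` is a String rather than an Array, which I cannot tell from here; a one-line comment stating the expected shape of that field would settle it for the next reader.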
diff --git a/modules/samhain/manifests/init.pp b/modules/samhain/manifests/init.pp
index f32a96bf..cfee73e1 100644
--- a/modules/samhain/manifests/init.pp
+++ b/modules/samhain/manifests/init.pp
@@ -1,19 +1,16 @@
 class samhain {
- package { samhain: ensure => installed }
+ package { 'samhain':
+ ensure => installed
+ }
- file { "/etc/samhain/samhainrc":
- content => template("samhain/samhainrc.erb"),
- require => Package["samhain"],
- notify => Exec["samhain reload"],
- }
+ service { 'samhain':
+ ensure => running
+ }
- exec { "samhain reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ file { '/etc/samhain/samhainrc':
+ content => template('samhain/samhainrc.erb'),
+ require => Package['samhain'],
+ notify => Service['samhain']
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index fb151249..92ccea10 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -67,7 +67,7 @@
 # RedefIgnoreNone=(no default)
 # RedefUser0=(no default)
 # RedefUser1=(no default)
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
 IgnoreMissing=/etc/lvm/archive/.*.vg
 <% end -%>
@@ -133,7 +133,7 @@ file=/etc/nagios
 file=/etc/nagios/nrpe.d
 file=/etc/nagios/obsolete-packages-ignore.d
 file=/etc/bind/geodns
-<% if nodeinfo['nagiosmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
 file=/etc/nagios3/puppetconf.d
 <% end -%>
 file=/etc/puppet
@@ -150,7 +150,7 @@ file=/etc/ferm/
 file=/etc/ferm/conf.d
 file=/etc/ferm/dsa.d
 file=/etc/rc.local
-<% unless lsbdistcodename == 'lenny' %>
+<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %>
 file=/etc/unbound
 <% end -%>
 file=/etc/dsa
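Review bot: `service { 'samhain': ensure => running }` has no `require => Package['samhain']`, so on a fresh host the service can be evaluated before the package is installed and the run fails until the next cycle; the file resource below carries that require and the service should too. Replacing `Exec['samhain reload']` with `notify => Service['samhain']` also turns a configuration reload of the integrity checker into a full restart, which re-initialises it rather than re-reading the rule file; if the reload semantics were intentional, set `restart => '/etc/init.d/samhain reload'` on the service so the notification keeps its old meaning. The `class samhain` block lies fully within the hunk.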
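Review bot: Each rewritten conditional in samhainrc.erb (this hunk and the other five in this file) calls `scope.lookupvar('site::nodeinfo')` afresh, which only yields a hash when `class site` was declared before the template renders; when it was not, lookupvar returns an undefined marker and the `['buildd']` subscript either raises inside the template or silently evaluates false depending on the Ruby and Puppet version, so the file-integrity rule set would quietly shrink. Bind it once at the head of the template, `<% nodeinfo = scope.lookupvar('site::nodeinfo') -%>`, use that local in the conditionals, and add a one-line comment there stating that the template requires `include site` on every node; the conditional on `scope.lookupvar('::lsbdistcodename')` is fine as facts are always in scope.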
@@ -217,7 +217,7 @@ file=/var/log/syslog
 ## This file might be created or removed by the system sometimes.
 ##
 file=/etc/resolv.conf
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
 file=/etc/dupload.conf
 <% end -%>
 file=/etc/resolv.conf.pcmcia.save
@@ -266,7 +266,7 @@ file=/etc/ssh/sshd_config
 file=/etc/dsa/cron.ignore.dsa-puppet-stuff
 <%=
 out=""
-if nodeinfo['heavy_exim']
+if scope.lookupvar('site::nodeinfo')['heavy_exim']
 out = '
 file=/etc/exim4/surbl_whitelist.txt
 file=/etc/exim4/exim_surbl.pl
@@ -373,7 +373,7 @@ file=/etc/monit/monit.d/01puppet
 file=/etc/monit/monit.d/00debian.org
 file=/etc/cron.d/dsa-puppet-stuff
 file=/etc/cron.d/dsa-buildd
-<% if nodeinfo['nagiosmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
 file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
 file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
 file=/etc/nagios3/puppetconf.d/auto-services.cfg
@@ -383,10 +383,10 @@ file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
 file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg
 file=/etc/nagios3/puppetconf.d/contacts.cfg
 <% end -%>
-<% if nodeinfo['muninmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['muninmaster'] -%>
 file=/etc/munin/munin.conf
 <% end -%>
-<% if nodeinfo['puppetmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['puppetmaster'] -%>
 dir=8/etc/puppet
 <% end -%>
 <% if classes.include?('named::geodns') -%>
@@ -396,10 +396,10 @@ dir=1/etc/bind/geodns
 dir=1/etc/bind
 file=/etc/bind/named.conf.debian-zones
 <% end -%>
-<% if fqdn == "dijkstra.debian.org" -%>
+<% if scope.lookupvar('::fqdn') == "dijkstra.debian.org" -%>
 dir=4/etc/dsa-kvm
 <% end -%>
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
 dir=3/etc/lvm
 <% end -%>
 dir=1/etc/ferm/dsa.d
@@ -407,7 +407,7 @@ file=/etc/ferm/conf.d/me.conf
 file=/etc/ferm/conf.d/defs.conf
 file=/etc/ferm/ferm.conf
 dir=2/etc/ssl/debian
-<% unless lsbdistcodename == 'lenny' %>
+<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %>
 file=/etc/unbound/unbound.conf
 <% end -%>
diff --git a/modules/site/manifests/alternative.pp b/modules/site/manifests/alternative.pp
new file mode 100644
index 00000000..94d08881
--- /dev/null
+++ b/modules/site/manifests/alternative.pp
@@ -0,0 +1,17 @@
+define site::alternative ($linkto, $ensure = present) {
+ case $ensure {
+ present: {
+ exec {
+ "/usr/sbin/update-alternatives --set ${name} ${linkto}":
+ unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') = ${linkto} ]",
+ }
+ }
+ absent: {
+ exec {
+ "/usr/sbin/update-alternatives --remove ${name} ${linkto}":
+ unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') != ${linkto} ]",
+ }
+ }
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+}
diff --git a/modules/site/manifests/aptrepo.pp b/modules/site/manifests/aptrepo.pp
new file mode 100644
index 00000000..eb03d465
--- /dev/null
+++ b/modules/site/manifests/aptrepo.pp
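Review bot: `default: { err ( "Unknown ensure value: '$ensure'" ) }` in site::alternative only logs — `err()` does not abort compilation — so a mistyped `ensure` produces a catalog that silently manages nothing; `fail("Unknown ensure value: '${ensure}'")` is what the intent calls for, and the same pattern appears in aptrepo.pp, linux_module.pp and sysctl.pp in this commit. The two `unless` commands rely on `$(...)` and a pipe being interpreted by a shell, which only holds if this Puppet's exec provider falls back to a shell for such strings; `provider => shell` on both execs makes that explicit. `${name}` and `${linkto}` are spliced unquoted into the command strings, acceptable for the alternative names this is used with, but a comment on the define stating that both values must be plain paths without shell metacharacters would document that assumption.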
@@ -0,0 +1,39 @@
+class site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {
+
+ if $key {
+ exec { "apt-key-update-${name}":
+ command => "apt-key add /etc/apt/trusted-keys.d/${name}",
+ refreshonly => true,
+ }
+
+ file { "/etc/apt/trusted-keys.d/${name}":
+ source => $key,
+ mode => '0664',
+ notify => Exec["apt-key-update-${name}"]
+ }
+ }
+
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if ! ($template or $config) {
+ err ( "Can't find configuration for ${name}" )
+ }
+
+ if $template {
+ file { "/etc/apt/sources.list.d/${name}.list":
+ ensure => $ensure,
+ content => template($template),
+ notify => Exec['apt-get update'],
+ }
+ } else {
+ file { "/etc/apt/sources.list.d/${name}.list":
+ ensure => $ensure,
+ source => $config,
+ notify => Exec['apt-get update'],
+ }
+ }
+}
diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp
new file mode 100644
index 00000000..01caca74
--- /dev/null
+++ b/modules/site/manifests/init.pp
@@ -0,0 +1,13 @@
+class site {
+
+ $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
+ notice( sprintf('hoster for %s is %s', $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
+
+ service { 'procps':
+ hasstatus => false,
+ status => '/bin/true',
+ refreshonly => true,
+ }
+}
diff --git a/modules/site/manifests/linux_module.pp b/modules/site/manifests/linux_module.pp
new file mode 100644
index 00000000..62b2197a
--- /dev/null
+++ b/modules/site/manifests/linux_module.pp
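Review bot: `class site::aptrepo (...)` is declared as a class yet uses `${name}` as a per-repository key in `/etc/apt/trusted-keys.d/${name}` and `/etc/apt/sources.list.d/${name}.list`; inside a class `$name` is the class name itself, so every use would write the same `site::aptrepo` paths, and a parameterised class can only be declared once per catalog anyway. This reads as intended to be `define site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {`. The trust-anchor file is installed with `mode => '0664'`; a group-writable apt key is not wanted, and `'0644'` matches the other files in this commit. When `$ensure` is `absent` the key file and the `apt-key` import are left in place; the key file should at least follow `ensure => $ensure` like the sources list does.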
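Review bot: `refreshonly => true` on `service { 'procps': }` is an `exec` attribute; as far as I know the service type has no such parameter and the agent rejects the resource with an invalid-parameter error, so please check this against the Puppet version in use — `status => '/bin/true'` already reports the service as always running, and the `notify => Service['procps']` in site::sysctl still triggers the restart that re-applies the sysctl files. The `allnodeinfo(...)` call lists `purpose` twice in `'purpose mXRecord physicalHost purpose'`, harmless but confusing. Since `$nodeinfo` and `$allnodeinfo` are now read by several templates through `scope.lookupvar('site::...')`, a comment on the class stating that it must be declared before those templates render would save the next maintainer a puzzling failure.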
@@ -0,0 +1,19 @@
+define site::linux_module ($ensure = present) {
+ case $ensure {
+ present: {
+ exec { "append_module_${name}":
+ command => "echo '${name}' >> /etc/modules",
+ unless => "grep -q -F -x '${name}' /etc/modules",
+ }
+ }
+ absent: {
+ exec { "remove_module_${name}":
+ command => "sed -i -e'/^${name}\$/d' /etc/modules",
+ onlyif => "grep -q -F -x '${name}' /etc/modules",
+ }
+ }
+ default: {
+ err("invalid ensure value ${ensure}")
+ }
+ }
+}
diff --git a/modules/site/manifests/sysctl.pp b/modules/site/manifests/sysctl.pp
new file mode 100644
index 00000000..9786c8e5
--- /dev/null
+++ b/modules/site/manifests/sysctl.pp
@@ -0,0 +1,18 @@
+define site::sysctl ($key, $value, $ensure = present) {
+ include site
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ file {
+ "/etc/sysctl.d/${name}.conf":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => "${key} = ${value}\n",
+ notify => Service['procps']
+ }
+}
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index a9161888..b7df1810 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -1,46 +1,38 @@
 class ssh {
- package {
- openssh-client: ensure => installed;
- openssh-server: ensure => installed;
- }
- file { "/etc/ssh/ssh_config":
- content => template("ssh/ssh_config.erb"),
- require => Package["openssh-client"]
- ;
- "/etc/ssh/sshd_config":
- content => template("ssh/sshd_config.erb"),
- require => Package["openssh-server"],
- notify => Exec["ssh restart"]
- ;
- "/etc/ssh/userkeys":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- "/etc/ssh/userkeys/root":
- content => template("ssh/authorized_keys.erb"),
- mode => 444,
- require => Package["openssh-server"]
- ;
+ package { [ 'openssh-client', 'openssh-server']:
+ ensure => installed
+ }
+
+ service { 'ssh':
+ ensure => running
 }
- exec { "ssh restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ @ferm::rule { 'dsa-ssh':
+ description => 'Allow SSH from DSA',
+ rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)'
+ }
+ @ferm::rule { 'dsa-ssh-v6':
+ description => 'Allow SSH from DSA',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)'
+ }
- @ferm::rule { "dsa-ssh":
- description => "Allow SSH from DSA",
- rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)"
- }
- @ferm::rule { "dsa-ssh-v6":
- description => "Allow SSH from DSA",
- domain => "ip6",
- rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)"
- }
+ file { '/etc/ssh/ssh_config':
+ content => template('ssh/ssh_config.erb'),
+ require => Package['openssh-client']
+ }
+ file { '/etc/ssh/sshd_config':
+ content => template('ssh/sshd_config.erb'),
+ require => Package['openssh-server'],
+ notify => Service['ssh']
+ }
+ file { '/etc/ssh/userkeys':
+ ensure => directory,
+ mode => '0755',
+ require => Package['openssh-server']
+ }
+ file { '/etc/ssh/userkeys/root':
+ content => template('ssh/authorized_keys.erb'),
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
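Review bot: `rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)'` moved from double to single quotes, and in a Puppet single-quoted string `\$` is not an escape sequence — the backslash is kept — so the ferm rule handed to the firewall now contains `\$SSH_SOURCES` instead of `$SSH_SOURCES` (the v6 rule has the same problem), which is a change in the SSH allow rule rather than a restyle. Either keep double quotes for these two values or drop the backslash: `rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'`. The identical quoting change in stunnel4/manifests/init.pp turns the `enable_stunnel4` sed expression into `\$a ENABLED=1 ...`, which sed does not read as the intended `$a` append, so that exec fails on any host not already enabled. Separately, `service { 'ssh': ensure => running }` has no `require => Package['openssh-server']`, and `notify => Service['ssh']` on sshd_config restarts sshd straight into whatever the template produced; the old exec had the same exposure, but a `sshd -t` validation step before the restart would make a bad push recoverable instead of a lockout.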
diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb index 71a96455..0a19d72e 100644 --- a/modules/ssh/templates/authorized_keys.erb +++ b/modules/ssh/templates/authorized_keys.erb @@ -1,5 +1,5 @@ # local admin -<%= hosterkeys = case nodeinfo['hoster']['name'] +<%= hosterkeys = case scope.lookupvar('site::nodeinfo')['hoster']['name'] when "ubcece" then "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvEEyxznxleAhk98K7SkAeAKWibijL5uFjIl1+tr8rz+XmFsjabTK2+hQXkgzmU+jqQ2+MPp6btfAq9Oe27GQYWUFfsAZMRb907dReFQYPKbPhQZoo5LUfkrCiR3tD0Nm2JfepTV0079K1+Q50EMImttwbI94FfSoSgTxgF4rCoLpUgmF0IHDR1+kTGow7YnuS1Y/I1zKAbofg8KBGXOLArkcZbxArt25Y2wlnE+ZHIb3Rn3pYc3/KmPPvEQy9IkR/uzzkWSaCBVMFJEO0ejjWrV4HR64GlKUPQ0CekSYn1EErY55CF5sWkasXhflluwSf7b+/jedDM1A1Vrp9Z/F8Q== chrisd" end @@ -36,9 +36,9 @@ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAuGJnElqbhgLtmJp/de8s42cAwKrkAhFq5u8EAkauEv6B <%= machine_keys = case fqdn when "beethoven.debian.org" then out = '' - allnodeinfo.keys.sort.each do |node| - out += '# ' + allnodeinfo[node]['hostname'].to_s + ' -command="/usr/lib/da-backup/da-backup-ssh-wrap ' + allnodeinfo[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + allnodeinfo[node]['ipHostNumber'].join(',') + '" ' + allnodeinfo[node]['sshRSAHostKey'].to_s + ' + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + out += '# ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + ' +command="/usr/lib/da-backup/da-backup-ssh-wrap ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].join(',') + '" ' + scope.lookupvar('site::allnodeinfo')[node]['sshRSAHostKey'].to_s + ' ' end diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index 391da0a4..86094b1a 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp 
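Review bot: `machine_keys = case fqdn` on the context line just above the rewritten loop still reads the fact as a bare `fqdn`, while every other template in this commit moved to `scope.lookupvar('::fqdn')`; the bare form is what the change is retiring, so `machine_keys = case scope.lookupvar('::fqdn')` belongs in the same commit. Inside the loop `scope.lookupvar('site::allnodeinfo')` is evaluated four times per node; a single `allnodeinfo = scope.lookupvar('site::allnodeinfo')` before `.keys.sort.each` would keep the key-generating line readable. This block emits a forced-command `authorized_keys` entry for every node's host key on the backup host, so a comment naming that purpose and the `from=` restriction would help anyone auditing the generated file.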
@@ -1,57 +1,46 @@
 class ssl {
- package { openssl: ensure => installed }
- file {
- "/etc/ssl/debian":
- ensure => directory,
- mode => 755,
- purge => true,
- recurse => true,
- force => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/certs":
- ensure => directory,
- mode => 755,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/crls":
- ensure => directory,
- mode => 755,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/keys":
- ensure => directory,
- mode => 750,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/certs/thishost.crt":
- source => "puppet:///modules/ssl/clientcerts/$fqdn.client.crt",
- notify => Exec["c_rehash /etc/ssl/debian/certs"],
- ;
- "/etc/ssl/debian/keys/thishost.key":
- source => "puppet:///modules/ssl/clientcerts/$fqdn.key",
- mode => 640
- ;
- "/etc/ssl/debian/certs/ca.crt":
- source => "puppet:///modules/ssl/clientcerts/ca.crt",
- notify => Exec["c_rehash /etc/ssl/debian/certs"],
- ;
- "/etc/ssl/debian/crls/ca.crl":
- source => "puppet:///modules/ssl/clientcerts/ca.crl",
- ;
- }
+ package { 'openssl':
+ ensure => installed
+ }
- exec { "c_rehash /etc/ssl/debian/certs":
- refreshonly => true,
- }
+ file { '/etc/ssl/debian':
+ ensure => directory,
+ mode => '0755',
+ purge => true,
+ recurse => true,
+ force => true,
+ source => 'puppet:///files/empty/'
+ }
+ file { '/etc/ssl/debian/certs':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/ssl/debian/crls':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/ssl/debian/keys':
+ ensure => directory,
+ mode => '0750',
+ }
+ file { '/etc/ssl/debian/certs/thishost.crt':
+ source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
+ notify => Exec['c_rehash /etc/ssl/debian/certs'],
+ }
+ file { '/etc/ssl/debian/keys/thishost.key':
+ source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
+ mode => '0640'
+ }
+ 
file { '/etc/ssl/debian/certs/ca.crt':
+ source => 'puppet:///modules/ssl/clientcerts/ca.crt',
+ notify => Exec['c_rehash /etc/ssl/debian/certs'],
+ }
+ file { '/etc/ssl/debian/crls/ca.crl':
+ source => 'puppet:///modules/ssl/clientcerts/ca.crl',
+ }
+
+ exec { 'c_rehash /etc/ssl/debian/certs':
+ refreshonly => true,
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/stunnel4/manifests/client.pp b/modules/stunnel4/manifests/client.pp
new file mode 100644
index 00000000..26945e2e
--- /dev/null
+++ b/modules/stunnel4/manifests/client.pp
@@ -0,0 +1,19 @@
+define stunnel4::client($accept, $connecthost, $connectport) {
+
+ include stunnel4
+
+ file { "/etc/stunnel/puppet-${name}-peer.pem":
+ content => generate('/bin/cat', "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
+ '/etc/puppet/modules/exim/files/certs/ca.crt'),
+ notify => Exec["restart_stunnel_${name}"],
+ }
+
+ stunnel_generic { $name:
+ client => true,
+ verify => 3,
+ cafile => "/etc/stunnel/puppet-${name}-peer.pem",
+ accept => $accept,
+ connect => "${connecthost}:${connectport}",
+ }
+}
+
diff --git a/modules/stunnel4/manifests/generic.pp b/modules/stunnel4/manifests/generic.pp
new file mode 100644
index 00000000..9c357096
--- /dev/null
+++ b/modules/stunnel4/manifests/generic.pp
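Review bot: `/etc/ssl/debian` is managed with `recurse => true, purge => true, force => true`, which, if I read Puppet's recursive purge right, also deletes anything unmanaged below certs/, crls/ and keys/ — including the hash symlinks that the `c_rehash /etc/ssl/debian/certs` exec creates — while that exec is `refreshonly` and only re-runs when one of the two certificate files changes, so lookups by hash in that directory would break on the next agent run. This was already true of the old resource block and the restructured hunk is the place to settle it: either keep the hash links out of the purge with an `ignore` pattern on the parent, or make the exec run whenever the directory changes. `/etc/ssl/debian/crls/ca.crl` is never rehashed at all; if CRL checking against that directory is intended, `c_rehash` needs to cover `/etc/ssl/debian/crls` too. The `class ssl` block lies fully within the hunk.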
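Review bot: `stunnel_generic { $name:` in stunnel4::client refers to a define that no longer exists under that name — this commit moves it to `stunnel4::generic` (generic.pp) and nothing in the new layout declares `stunnel_generic`, so any catalog using stunnel4::client fails to compile; it should read `stunnel4::generic { $name:`. server.pp in this commit carries the same stale reference. The peer file is assembled on the master with `generate('/bin/cat', ...)` from the exim module's certificate directory rather than served through the fileserver; the old commented-out `source =>` hints at why, and a one-line comment stating that reason would spare the next reader the question.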
@@ -0,0 +1,30 @@
+define stunnel4::generic ($client, $verify, $cafile, $accept, $connect, $crlfile=false, $local=false) {
+
+ include stunnel4
+
+ file { "/etc/stunnel/puppet-${name}.conf":
+ content => template('stunnel4/stunnel.conf.erb'),
+ notify => Exec["restart_stunnel_${name}"],
+ }
+
+ if $client {
+ $certfile = '/etc/ssl/debian/certs/thishost.crt'
+ $keyfile = '/etc/ssl/debian/keys/thishost.key'
+ } else {
+ $certfile = '/etc/exim4/ssl/thishost.crt'
+ $keyfile = '/etc/exim4/ssl/thishost.key'
+ }
+
+ exec { "restart_stunnel_${name}":
+ command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
+ require => [
+ File['/etc/stunnel/stunnel.conf'],
+ File['/etc/init.d/stunnel4'],
+ Exec['enable_stunnel4'],
+ Exec['kill_file_override'],
+ Package['stunnel4']
+ ],
+ subscribe => [ File[$certfile], File[$keyfile] ],
+ refreshonly => true,
+ }
+}
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
index d7668467..300eb521 100644
--- a/modules/stunnel4/manifests/init.pp
+++ b/modules/stunnel4/manifests/init.pp
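Review bot: `content => template('stunnel4/stunnel.conf.erb')` is rendered at the point the file resource is declared, which is before `$certfile` and `$keyfile` are assigned in the `if $client` block below it; if stunnel.conf.erb reads those two variables (the template is not in this diff), they are unset when it renders, and the old nested define had the same ordering. Moving the `if $client { ... } else { ... }` block above the `file` resource costs nothing and removes the doubt. `if $client` also relies on callers passing a real boolean — a quoted `'false'` would select the client branch and the client certificate/key pair — so a comment on the parameter stating that it must be an unquoted boolean would document the assumption the two callers in this commit satisfy.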
@@ -1,126 +1,30 @@
 class stunnel4 {
- define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
- file {
- "/etc/stunnel":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- "/etc/stunnel/puppet-${name}.conf":
- content => template("stunnel4/stunnel.conf.erb"),
- notify => Exec["restart_stunnel_${name}"],
- ;
- "/etc/init.d/stunnel4":
- source => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
- mode => 555,
- ;
- }
- case $client {
- true: {
- $certfile = "/etc/ssl/debian/certs/thishost.crt"
- $keyfile = "/etc/ssl/debian/keys/thishost.key"
- }
- default: {
- $certfile = "/etc/exim4/ssl/thishost.crt"
- $keyfile = "/etc/exim4/ssl/thishost.key"
- }
- }
-
- exec {
- "restart_stunnel_${name}":
- command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
- require => [ File['/etc/stunnel/stunnel.conf'],
- File['/etc/init.d/stunnel4'],
- Exec['enable_stunnel4'],
- Exec['kill_file_override'],
- Package['stunnel4']
- ],
- subscribe => [ File[$certfile],
- File[$keyfile]
- ],
- refreshonly => true,
- ;
- }
- }
-
- # define an stunnel listener, listening for SSL connections on $accept,
- # connecting to plaintext service $connect using local source address $local
- #
- # unfortunately stunnel is really bad about verifying its peer,
- # all we can be certain of is that they are signed by our CA,
- # not who they are. So do not use in places where the identity of
- # the caller is important. Use dsa-portforwarder for that. 
- define stunnel_server($accept, $connect, $local = "127.0.0.1") {
- stunnel_generic {
- "${name}":
- client => false,
- verify => 2,
- cafile => "/etc/exim4/ssl/ca.crt",
- crlfile => "/etc/exim4/ssl/crl.crt",
- accept => "${accept}",
- connect => "${connect}",
- ;
- }
- @ferm::rule {
- "stunnel-${name}":
- description => "stunnel ${name}",
- rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
- ;
- "stunnel-${name}-v6":
- domain => 'ip6',
- description => "stunnel ${name}",
- rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
- ;
- }
- }
- define stunnel_client($accept, $connecthost, $connectport) {
- file {
- "/etc/stunnel/puppet-${name}-peer.pem":
- # source => "puppet:///modules/exim/certs/${connecthost}.crt",
- content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
- "/etc/puppet/modules/exim/files/certs/ca.crt"),
- notify => Exec["restart_stunnel_${name}"],
- ;
- }
- stunnel_generic {
- "${name}":
- client => true,
- verify => 3,
- cafile => "/etc/stunnel/puppet-${name}-peer.pem",
- accept => "${accept}",
- connect => "${connecthost}:${connectport}",
- ;
- }
- }
-
-
- package {
- "stunnel4": ensure => installed;
- }
-
- file {
- "/etc/stunnel/stunnel.conf":
- ensure => absent,
- require => [ Package['stunnel4'] ],
- ;
- }
-
- exec {
- "enable_stunnel4":
- command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
- unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
- require => [ Package['stunnel4'] ],
- ;
- "kill_file_override":
- command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4",
- onlyif => "grep -q '^FILES=' /etc/default/stunnel4",
- require => [ Package['stunnel4'] ],
- ;
- }
+ package { 'stunnel4':
+ ensure => installed
+ }
+
+ file { '/etc/stunnel':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/init.d/stunnel4':
+ source => 'puppet:///modules/stunnel4/etc-init.d-stunnel4',
+ mode => '0555',
+ }
+ file { '/etc/stunnel/stunnel.conf':
+ 
ensure => absent,
+ require => Package['stunnel4'],
+ }
+
+ exec { 'enable_stunnel4':
+ command => 'sed -i -e \'s/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet\' /etc/default/stunnel4',
+ unless => 'grep -q \'^ENABLED=1\' /etc/default/stunnel4',
+ require => Package['stunnel4'],
+ }
+ exec { 'kill_file_override':
+ command => 'sed -i -e \'s/^FILES=/#&/\' /etc/default/stunnel4',
+ onlyif => 'grep -q \'^FILES=\' /etc/default/stunnel4',
+ require => Package['stunnel4'],
+ }
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/stunnel4/manifests/server.pp b/modules/stunnel4/manifests/server.pp
new file mode 100644
index 00000000..54672af9
--- /dev/null
+++ b/modules/stunnel4/manifests/server.pp
@@ -0,0 +1,32 @@
+define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
+# define an stunnel listener, listening for SSL connections on $accept,
+# connecting to plaintext service $connect using local source address $local
+#
+# unfortunately stunnel is really bad about verifying its peer,
+# all we can be certain of is that they are signed by our CA,
+# not who they are. So do not use in places where the identity of
+# the caller is important. Use dsa-portforwarder for that.
+
+ include stunnel4
+
+ stunnel_generic { $name:
+ client => false,
+ verify => 2,
+ cafile => '/etc/exim4/ssl/ca.crt',
+ crlfile => '/etc/exim4/ssl/crl.crt',
+ accept => $accept,
+ connect => $connect
+ }
+
+ @ferm::rule {
+ "stunnel-${name}":
+ description => "stunnel ${name}",
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
+ }
+ @ferm::rule { "stunnel-${name}-v6":
+ domain => 'ip6',
+ description => "stunnel ${name}",
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
+ }
+
+}
diff --git a/modules/sudo/files/common/pam b/modules/sudo/files/common/pam
deleted file mode 100644
index a6a2375b..00000000
--- a/modules/sudo/files/common/pam
+++ /dev/null
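Review bot: `$local = '127.0.0.1'` in stunnel4::server is described in the comment block as the local source address, yet it is never forwarded — the `stunnel_generic { $name:` call passes `client`, `verify`, `cafile`, `crlfile`, `accept` and `connect` only — so the parameter is dead and the comment promises a binding that does not happen; either add `local => $local,` to that call or drop the parameter and the sentence. The seven-line comment block sits inside the define body right after the signature; Puppet's convention (and any doc tooling reading it) expects it directly above the `define stunnel4::server(` line. The warning it carries about stunnel's weak peer verification is the most important sentence in this module and deserves to stay next to `verify => 2`, for instance as a trailing `# CA-signed only, peer identity is not checked` on that line.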
@@ -1,12 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-#%PAM-1.0
-
-auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-auth required pam_unix.so nullok_secure try_first_pass
-@include common-account
-
-session required pam_permit.so
-session required pam_limits.so
diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/common/sudoers
deleted file mode 100644
index 8f37e500..00000000
--- a/modules/sudo/files/common/sudoers
+++ /dev/null
@@ -1,182 +0,0 @@ -# /etc/sudoers -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -################################################################### -################################################################### -################################################################### -## -## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT -## IS SYNTACTICALLY VALID. -## -## /usr/sbin/visudo -f sudoers -## -################################################################### -################################################################### -################################################################### - -Defaults env_reset -Defaults passprompt="[sudo] password for %u on %h: " -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - -# Host alias specification -Host_Alias QAHOSTS = master, quantz, stabile -Host_Alias WEBHOSTS = wolkenstein -Host_Alias SECHOSTS = chopin -Host_Alias FTPHOSTS = franck, morricone, bizet -Host_Alias ZIVITHOSTS = zelenka, zandonai -Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson -Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius -Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field -Host_Alias MEGACTLHOSTS = lindberg, englund, heininen, nielsen -Host_Alias LISTHOSTS = liszt, bendel - -# Cmnd alias specification - -# User privilege specification -root ALL=(ALL) ALL - - -# DSA and local admins -%adm ALL=(ALL) ALL -%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots - -%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL - -# nagios -nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart -nagios 
ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup "" -# with smartarray controllers -nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli "" -nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe "" -nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0 -nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show -nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show -nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show -nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show -nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show -nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status -nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail - -# other raid controllers -nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info -nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status -nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s -nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD -nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog -nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv -# other nagios things -nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg "" - -# groups and their role accounts -%auditor ALL=(accounting) ALL -%backports ALL=(backports) ALL -%buildd ALL=(buildd) ALL -%d-i ALL=(d-i) ALL -%dde ALL=(dde) ALL -%ddtp ALL=(ddtp) ALL -%debadmin ALL=(dak) ALL -%debbugs ALL=(debbugs) ALL -%debbugs ALL=(debbugs-mirror) ALL -%debian-cd ALL=(debian-cd) ALL -%debian-i18n ALL=(debian-i18n) ALL -%debian-release ALL=(release) ALL -%debtags ALL=(debtags) ALL -%debvoip cilea=(freeswitch) ALL -%debwww ALL=(debwww) ALL -%btslink 
ALL=(btslink) ALL -%emdebian ALL=(emdebian) ALL -%forums ALL=(forums) ALL -%keyring ALL=(keyring) ALL -%lintian ALL=(lintian) ALL -%listweb ALL=(listweb) ALL -%list LISTHOSTS=(list) ALL -%mirroradm ALL=(archvsync) ALL -%nm ALL=(nm) ALL -%patch-tracker ALL=(patch-tracker) ALL -%piuparts ALL=(piupartsm) ALL -%piuparts ALL=(piupartss) ALL -%pkg_maint ALL=(pkg_user) ALL -%planet ALL=(planet) ALL -%popcon ALL=(popcon) ALL -%search ALL=(search) ALL -%secretary ALL=(secretary) ALL -%sectracker ALL=(sectracker) ALL -%security SECHOSTS=(mail_security) ALL -%snapshot ALL=(snapshot) ALL -%uddadm ALL=(udd) ALL -%volatile ALL=(volatile) ALL -%wbadm ALL=(wbadm) ALL -%mujeres ALL=(women) ALL -%wikiadm ALL=(wiki) ALL -%qa-core QAHOSTS=(qa) ALL -%gobby gombert=(gobby) ALL - -# the dak user gets to run stuff as dak-unpriv (for things like lintian checks) -dak ALL=(dak-unpriv) NOPASSWD: ALL - -# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost -%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update - -# buildd -# FIXME: change that ALL for hosts to a hostlist of buildds? 
-Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND" -buildd ALL=(ALL) NOPASSWD: ALL - -# The piuparts slave needs to handle chroots -piupartss piatti=(ALL) NOPASSWD: ALL -# trigger of mirror run for packages -pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo -# on draghi, the domains git thing will run bind9 reload afterwards -%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload -%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo -%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install -# remote power to babylon5 in the same rack: -joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12] -# wbadm can update all buildd* users' keys on buildd.d.o -%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys -wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build -# mirror push -dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors -planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet "" -# archvsync triggers snapshot -archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger -archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger -# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas -debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth -# dak stuff -%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import * -%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import * -# security -%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR] -%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR] -%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror -dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security -# web stuff -debwww 
WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors -%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News -# more list stuff -%list LISTHOSTS=(root) /usr/sbin/postfix reload -%list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper -%list LISTHOSTS=(root) /etc/init.d/spamassassin, /etc/init.d/amavis -%list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn -%list LISTHOSTS=(amavis) ALL -# geodns may reload bind -geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload -geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig -# fossology -%fossy vivaldi=(root) /etc/init.d/fossology -%fossy vivaldi=(fossy) ALL - -# Porter work -%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-amd64 barriere,pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-mips eder,gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-ppc partch=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot -%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot diff --git a/modules/sudo/files/lenny/sudoers b/modules/sudo/files/lenny/sudoers deleted file mode 100644 index 60859d1a..00000000 --- a/modules/sudo/files/lenny/sudoers +++ /dev/null 
@@ -1,179 +0,0 @@
-# /etc/sudoers
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-###################################################################
-###################################################################
-###################################################################
-##
-## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
-## IS SYNTACTICALLY VALID.
-##
-## /usr/sbin/visudo -f sudoers
-##
-###################################################################
-###################################################################
-###################################################################
-
-Defaults env_reset
-Defaults passprompt="[sudo] password for %u on %h: "
-
-# Host alias specification
-Host_Alias QAHOSTS = master, quantz, stabile
-Host_Alias WEBHOSTS = wolkenstein
-Host_Alias SECHOSTS = chopin
-Host_Alias FTPHOSTS = franck, morricone
-Host_Alias ZIVITHOSTS = zelenka, zandonai
-Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
-Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
-Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
-Host_Alias MEGACTLHOSTS = lindberg, englund, heininen
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL) ALL
-
-
-# DSA and local admins
-%adm ALL=(ALL) ALL
-%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
-
-%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
-
-# nagios
-nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
-nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
-# with smartarray controllers
-nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
-nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
-nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
-nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
-
-# other raid controllers
-nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
-nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
-nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
-nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
-nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
-nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
-# other nagios things
-nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
-
-# groups and their role accounts
-%auditor ALL=(accounting) ALL
-%backports ALL=(backports) ALL
-%buildd ALL=(buildd) ALL
-%d-i ALL=(d-i) ALL
-%dde ALL=(dde) ALL
-%ddtp ALL=(ddtp) ALL
-%debadmin ALL=(dak) ALL
-%debbugs ALL=(debbugs) ALL
-%debbugs ALL=(debbugs-mirror) ALL
-%debian-cd ALL=(debian-cd) ALL
-%debian-i18n ALL=(debian-i18n) ALL
-%debian-release ALL=(release) ALL
-%debtags ALL=(debtags) ALL
-%debvoip cilea=(freeswitch) ALL
-%debwww ALL=(debwww) ALL
-%btslink ALL=(btslink) ALL
-%emdebian ALL=(emdebian) ALL
-%forums ALL=(forums) ALL
-%keyring ALL=(keyring) ALL
-%lintian ALL=(lintian) ALL
-%listweb ALL=(listweb) ALL
-%list liszt=(list) ALL
-%mirroradm ALL=(archvsync) ALL
-%nm ALL=(nm) ALL
-%patch-tracker ALL=(patch-tracker) ALL
-%piuparts ALL=(piupartsm) ALL
-%piuparts ALL=(piupartss) ALL
-%pkg_maint ALL=(pkg_user) ALL
-%planet ALL=(planet) ALL
-%popcon ALL=(popcon) ALL
-%search ALL=(search) ALL
-%secretary ALL=(secretary) ALL
-%sectracker ALL=(sectracker) ALL
-%security SECHOSTS=(mail_security) ALL
-%snapshot ALL=(snapshot) ALL
-%uddadm ALL=(udd) ALL
-%volatile ALL=(volatile) ALL
-%wbadm ALL=(wbadm) ALL
-%mujeres ALL=(women) ALL
-%wikiadm ALL=(wiki) ALL
-%qa-core QAHOSTS=(qa) ALL
-%gobby gombert=(gobby) ALL
-
-# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
-dak ALL=(dak-unpriv) NOPASSWD: ALL
-
-# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
-%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
-
-# buildd
-# FIXME: change that ALL for hosts to a hostlist of buildds?
-Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
-buildd ALL=(ALL) NOPASSWD: ALL
-
-# The piuparts slave needs to handle chroots
-piupartss piatti=(ALL) NOPASSWD: ALL
-# trigger of mirror run for packages
-pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
-# on draghi, the domains git thing will run bind9 reload afterwards
-%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
-%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
-%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
-# remote power to babylon5 in the same rack:
-joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
-# wbadm can update all buildd* users' keys on buildd.d.o
-%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
-wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
-# mirror push
-dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
-planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
-# archvsync triggers snapshot
-archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
-archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
-# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
-debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
-# dak stuff
-%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
-%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
-# security
-%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
-%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
-%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
-dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
-# web stuff
-debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
-%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
-# more list stuff
-%list liszt=(root) /usr/sbin/postfix reload
-%list liszt=(root) /usr/sbin/qshape, /usr/sbin/postsuper
-%list liszt=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
-%list liszt=(amavis) NOPASSWD: /usr/bin/sa-learn
-%list liszt=(amavis) ALL
-# geodns may reload bind
-geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
-geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
-# fossology
-%fossy vivaldi=(root) /etc/init.d/fossology
-%fossy vivaldi=(fossy) ALL
-
-# Porter work
-%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-amd64 pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-mips gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
diff --git a/modules/sudo/files/pam b/modules/sudo/files/pam
new file mode 100644
index 00000000..a6a2375b
--- /dev/null
+++ b/modules/sudo/files/pam
@@ -0,0 +1,12 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+#%PAM-1.0
+
+auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
+auth required pam_unix.so nullok_secure try_first_pass
+@include common-account
+
+session required pam_permit.so
+session required pam_limits.so
diff --git a/modules/sudo/files/sudoers b/modules/sudo/files/sudoers
new file mode 100644
index 00000000..8f37e500
--- /dev/null
+++ b/modules/sudo/files/sudoers
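Review bot: `auth required pam_unix.so nullok_secure try_first_pass` keeps the empty-password allowance in the fallback branch of a sudo PAM stack; unless some account is meant to escalate with an empty Unix password on a secure tty, drop `nullok_secure` from that line. The control field `[authinfo_unavail=ignore success=done ignore=ignore default=die]` on the `pam_pwdfile.so` line also deserves a comment, because `default=die` ends the stack for any result other than success or an unreadable pwdfile, which presumably includes a user who is simply absent from `/var/lib/misc/thishost/sudo-passwd` — confirm that is the intended outcome rather than a fallthrough to pam_unix. A header comment such as `# sudo asks for the per-host sudo password first; pam_unix is only consulted when sudo-passwd cannot be read` would make the design visible to the next editor.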
@@ -0,0 +1,182 @@
+# /etc/sudoers
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+###################################################################
+###################################################################
+###################################################################
+##
+## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
+## IS SYNTACTICALLY VALID.
+##
+## /usr/sbin/visudo -f sudoers
+##
+###################################################################
+###################################################################
+###################################################################
+
+Defaults env_reset
+Defaults passprompt="[sudo] password for %u on %h: "
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+Host_Alias QAHOSTS = master, quantz, stabile
+Host_Alias WEBHOSTS = wolkenstein
+Host_Alias SECHOSTS = chopin
+Host_Alias FTPHOSTS = franck, morricone, bizet
+Host_Alias ZIVITHOSTS = zelenka, zandonai
+Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
+Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
+Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
+Host_Alias MEGACTLHOSTS = lindberg, englund, heininen, nielsen
+Host_Alias LISTHOSTS = liszt, bendel
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+
+# DSA and local admins
+%adm ALL=(ALL) ALL
+%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
+
+%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
+
+# nagios
+nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
+# with smartarray controllers
+nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
+nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
+nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
+nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
+
+# other raid controllers
+nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
+nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
+nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
+nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
+nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
+nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
+# other nagios things
+nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
+
+# groups and their role accounts
+%auditor ALL=(accounting) ALL
+%backports ALL=(backports) ALL
+%buildd ALL=(buildd) ALL
+%d-i ALL=(d-i) ALL
+%dde ALL=(dde) ALL
+%ddtp ALL=(ddtp) ALL
+%debadmin ALL=(dak) ALL
+%debbugs ALL=(debbugs) ALL
+%debbugs ALL=(debbugs-mirror) ALL
+%debian-cd ALL=(debian-cd) ALL
+%debian-i18n ALL=(debian-i18n) ALL
+%debian-release ALL=(release) ALL
+%debtags ALL=(debtags) ALL
+%debvoip cilea=(freeswitch) ALL
+%debwww ALL=(debwww) ALL
+%btslink ALL=(btslink) ALL
+%emdebian ALL=(emdebian) ALL
+%forums ALL=(forums) ALL
+%keyring ALL=(keyring) ALL
+%lintian ALL=(lintian) ALL
+%listweb ALL=(listweb) ALL
+%list LISTHOSTS=(list) ALL
+%mirroradm ALL=(archvsync) ALL
+%nm ALL=(nm) ALL
+%patch-tracker ALL=(patch-tracker) ALL
+%piuparts ALL=(piupartsm) ALL
+%piuparts ALL=(piupartss) ALL
+%pkg_maint ALL=(pkg_user) ALL
+%planet ALL=(planet) ALL
+%popcon ALL=(popcon) ALL
+%search ALL=(search) ALL
+%secretary ALL=(secretary) ALL
+%sectracker ALL=(sectracker) ALL
+%security SECHOSTS=(mail_security) ALL
+%snapshot ALL=(snapshot) ALL
+%uddadm ALL=(udd) ALL
+%volatile ALL=(volatile) ALL
+%wbadm ALL=(wbadm) ALL
+%mujeres ALL=(women) ALL
+%wikiadm ALL=(wiki) ALL
+%qa-core QAHOSTS=(qa) ALL
+%gobby gombert=(gobby) ALL
+
+# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
+dak ALL=(dak-unpriv) NOPASSWD: ALL
+
+# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
+%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
+
+# buildd
+# FIXME: change that ALL for hosts to a hostlist of buildds?
+Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
+buildd ALL=(ALL) NOPASSWD: ALL
+
+# The piuparts slave needs to handle chroots
+piupartss piatti=(ALL) NOPASSWD: ALL
+# trigger of mirror run for packages
+pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
+# on draghi, the domains git thing will run bind9 reload afterwards
+%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
+%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
+%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
+# remote power to babylon5 in the same rack:
+joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
+# wbadm can update all buildd* users' keys on buildd.d.o
+%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
+wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
+# mirror push
+dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
+planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
+# archvsync triggers snapshot
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
+# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
+debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
+# dak stuff
+%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+# security
+%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
+dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
+# web stuff
+debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
+%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
+# more list stuff
+%list LISTHOSTS=(root) /usr/sbin/postfix reload
+%list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper
+%list LISTHOSTS=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
+%list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn
+%list LISTHOSTS=(amavis) ALL
+# geodns may reload bind
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
+# fossology
+%fossy vivaldi=(root) /etc/init.d/fossology
+%fossy vivaldi=(fossy) ALL
+
+# Porter work
+%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-amd64 barriere,pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-mips eder,gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-ppc partch=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
diff --git a/modules/sudo/files/sudoers.lenny b/modules/sudo/files/sudoers.lenny
new file mode 100644
index 00000000..60859d1a
--- /dev/null
+++ b/modules/sudo/files/sudoers.lenny
</gr_insert_placeholder_never_emitted>
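Review bot: The two `dak transitions --import *` rules (`%debian-release` and `%ftpteam` on `FTPHOSTS`) end in a bare `*`, and sudoers matches the argument list as one space-separated string, so that wildcard also spans further options after the file name rather than a single argument; if one import file is what is meant, say so in a comment and restrict it with a `Cmnd_Alias` of the permitted paths or a pattern that cannot match a space. `Defaults secure_path="/usr/local/sbin:..."` is new in this file but absent from the `sudoers.lenny` added by the same commit, presumably because lenny's sudo does not accept that option; a comment on that line naming the lenny exception would keep the two files from drifting further apart. The `%list LISTHOSTS=(amavis) ALL` line makes the preceding `NOPASSWD: /usr/bin/sa-learn` rule redundant except for the password prompt, which is worth a one-line comment so nobody "tidies" the narrower rule away.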
@@ -0,0 +1,179 @@
+# /etc/sudoers
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+###################################################################
+###################################################################
+###################################################################
+##
+## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
+## IS SYNTACTICALLY VALID.
+##
+## /usr/sbin/visudo -f sudoers
+##
+###################################################################
+###################################################################
+###################################################################
+
+Defaults env_reset
+Defaults passprompt="[sudo] password for %u on %h: "
+
+# Host alias specification
+Host_Alias QAHOSTS = master, quantz, stabile
+Host_Alias WEBHOSTS = wolkenstein
+Host_Alias SECHOSTS = chopin
+Host_Alias FTPHOSTS = franck, morricone
+Host_Alias ZIVITHOSTS = zelenka, zandonai
+Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
+Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
+Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
+Host_Alias MEGACTLHOSTS = lindberg, englund, heininen
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+
+# DSA and local admins
+%adm ALL=(ALL) ALL
+%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
+
+%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
+
+# nagios
+nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
+# with smartarray controllers
+nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
+nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
+nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
+nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
+
+# other raid controllers
+nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
+nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
+nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
+nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
+nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
+nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
+# other nagios things
+nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
+
+# groups and their role accounts
+%auditor ALL=(accounting) ALL
+%backports ALL=(backports) ALL
+%buildd ALL=(buildd) ALL
+%d-i ALL=(d-i) ALL
+%dde ALL=(dde) ALL
+%ddtp ALL=(ddtp) ALL
+%debadmin ALL=(dak) ALL
+%debbugs ALL=(debbugs) ALL
+%debbugs ALL=(debbugs-mirror) ALL
+%debian-cd ALL=(debian-cd) ALL
+%debian-i18n ALL=(debian-i18n) ALL
+%debian-release ALL=(release) ALL
+%debtags ALL=(debtags) ALL
+%debvoip cilea=(freeswitch) ALL
+%debwww ALL=(debwww) ALL
+%btslink ALL=(btslink) ALL
+%emdebian ALL=(emdebian) ALL
+%forums ALL=(forums) ALL
+%keyring ALL=(keyring) ALL
+%lintian ALL=(lintian) ALL
+%listweb ALL=(listweb) ALL
+%list liszt=(list) ALL
+%mirroradm ALL=(archvsync) ALL
+%nm ALL=(nm) ALL
+%patch-tracker ALL=(patch-tracker) ALL
+%piuparts ALL=(piupartsm) ALL
+%piuparts ALL=(piupartss) ALL
+%pkg_maint ALL=(pkg_user) ALL
+%planet ALL=(planet) ALL
+%popcon ALL=(popcon) ALL
+%search ALL=(search) ALL
+%secretary ALL=(secretary) ALL
+%sectracker ALL=(sectracker) ALL
+%security SECHOSTS=(mail_security) ALL
+%snapshot ALL=(snapshot) ALL
+%uddadm ALL=(udd) ALL
+%volatile ALL=(volatile) ALL
+%wbadm ALL=(wbadm) ALL
+%mujeres ALL=(women) ALL
+%wikiadm ALL=(wiki) ALL
+%qa-core QAHOSTS=(qa) ALL
+%gobby gombert=(gobby) ALL
+
+# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
+dak ALL=(dak-unpriv) NOPASSWD: ALL
+
+# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
+%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
+
+# buildd
+# FIXME: change that ALL for hosts to a hostlist of buildds?
+Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
+buildd ALL=(ALL) NOPASSWD: ALL
+
+# The piuparts slave needs to handle chroots
+piupartss piatti=(ALL) NOPASSWD: ALL
+# trigger of mirror run for packages
+pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
+# on draghi, the domains git thing will run bind9 reload afterwards
+%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
+%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
+%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
+# remote power to babylon5 in the same rack:
+joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
+# wbadm can update all buildd* users' keys on buildd.d.o
+%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
+wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
+# mirror push
+dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
+planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
+# archvsync triggers snapshot
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
+# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
+debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
+# dak stuff
+%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+# security
+%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
+dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
+# web stuff
+debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
+%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
+# more list stuff
+%list liszt=(root) /usr/sbin/postfix reload
+%list liszt=(root) /usr/sbin/qshape, /usr/sbin/postsuper
+%list liszt=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
+%list liszt=(amavis) NOPASSWD: /usr/bin/sa-learn
+%list liszt=(amavis) ALL
+# geodns may reload bind
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
+# fossology
+%fossy vivaldi=(root) /etc/init.d/fossology
+%fossy vivaldi=(fossy) ALL
+
+# Porter work
+%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-amd64 pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-mips gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
diff --git a/modules/sudo/manifests/init.pp b/modules/sudo/manifests/init.pp
index 1f7dc91c..0bb9d0f6 100644
--- a/modules/sudo/manifests/init.pp
+++ b/modules/sudo/manifests/init.pp
@@ -1,39 +1,18 @@
 class sudo {
- package { sudo: ensure => installed }
- file {
- "/etc/pam.d/sudo":
- source => [ "puppet:///modules/sudo/per-host/$fqdn/pam",
- "puppet:///modules/sudo/common/pam" ],
- require => Package["sudo"],
- ;
- }
+ package { 'sudo':
+ ensure => installed
+ }
- case $lsbdistcodename {
- 'lenny': {
- file {
- "/etc/sudoers":
- owner => root,
- group => root,
- mode => 440,
- source => [ "puppet:///modules/sudo/lenny/sudoers" ],
- require => Package["sudo"],
- ;
- }
- }
- default: {
- file {
- "/etc/sudoers":
- owner => root,
- group => root,
- mode => 440,
- source => [ "puppet:///modules/sudo/common/sudoers" ],
- require => Package["sudo"],
- ;
- }
- }
- }
+ file { '/etc/pam.d/sudo':
+ source => 'puppet:///modules/sudo/common/pam',
+ require => Package['sudo'],
+ }
+
+ file { '/etc/sudoers':
+ mode => '0440',
+ source => [ "puppet:///modules/sudo/sudoers.${::lsbdistcodename}",
+ 'puppet:///modules/sudo/sudoers' ],
+ require => Package['sudo'],
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/syslog-ng/manifests/init.pp b/modules/syslog-ng/manifests/init.pp
index b1490d93..36704e20 100644
--- a/modules/syslog-ng/manifests/init.pp
+++ b/modules/syslog-ng/manifests/init.pp
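Review bot: `source => 'puppet:///modules/sudo/common/pam'` on the `/etc/pam.d/sudo` resource does not point at the file this commit adds, which lands in `modules/sudo/files/pam` and is served as `puppet:///modules/sudo/pam`; unless a `files/common/pam` still exists in the module, the resource fails to fetch its source and the new PAM stack is never deployed, so the line should read `source => 'puppet:///modules/sudo/pam',`. The per-host override `puppet:///modules/sudo/per-host/$fqdn/pam` is dropped at the same time, which is fine if no host carried one, but that deserves a mention in the commit message since it silently changes who authenticates how. On the `/etc/sudoers` resource the `sudoers.${::lsbdistcodename}` entry wins on lenny hosts, and that file lacks the `secure_path` Defaults present in `sudoers`; a comment such as `# sudoers.lenny: lenny's sudo cannot take secure_path, keep the two files in sync otherwise` on the `source` line would make the split deliberate. `owner`/`group` now come from the `File` defaults in site.pp, which is consistent with the rest of this commit.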
@@ -1,30 +1,24 @@
 class syslog-ng {
- package {
- "syslog-ng": ensure => installed;
- }
+ package { 'syslog-ng':
+ ensure => installed
+ }
- file {
- "/etc/syslog-ng/syslog-ng.conf":
- content => template("syslog-ng/syslog-ng.conf.erb"),
- require => Package["syslog-ng"],
- notify => Exec["syslog-ng reload"],
- ;
- "/etc/default/syslog-ng":
- require => Package["syslog-ng"],
- source => "puppet:///modules/syslog-ng/syslog-ng.default",
- notify => Exec["syslog-ng reload"],
- ;
- "/etc/logrotate.d/syslog-ng":
- require => Package["syslog-ng"],
- source => "puppet:///modules/syslog-ng/syslog-ng.logrotate",
- ;
- }
- exec {
- "syslog-ng reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- }
+ service { 'syslog-ng':
+ ensure => running
+ }
+
+ file { '/etc/syslog-ng/syslog-ng.conf':
+ content => template('syslog-ng/syslog-ng.conf.erb'),
+ require => Package['syslog-ng'],
+ notify => Service['syslog-ng']
+ }
+ file { '/etc/default/syslog-ng':
+ source => 'puppet:///modules/syslog-ng/syslog-ng.default',
+ require => Package['syslog-ng'],
+ notify => Service['syslog-ng']
+ }
+ file { '/etc/logrotate.d/syslog-ng':
+ source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate',
+ require => Package['syslog-ng']
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index f01b7fd7..9a110df2 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
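Review bot: `notify => Service['syslog-ng']` replaces the old `Exec["syslog-ng reload"]` (which ran `syslog-ng reload` from `/etc/init.d`) with a full service restart, so every config change now stops the log daemon and any messages emitted in between are lost; if reload semantics are wanted, keep them on the service with `restart => '/etc/init.d/syslog-ng reload',` and set `hasrestart => true` next to it. The `service { 'syslog-ng': ensure => running }` block also has no `require => Package['syslog-ng']`, and Puppet does not order a service after the package that provides it on its own, so the first run on a fresh host can try to start a service that is not installed yet. Adding `require => Package['syslog-ng'],` to the service makes the catalog order explicit, as it already is for the three file resources.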
@@ -1,68 +1,58 @@
 class unbound {
- package {
- unbound: ensure => installed;
- }
- exec {
- "unbound restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- }
- file {
- "/var/lib/unbound":
- ensure => directory,
- owner => unbound,
- group => unbound,
- require => Package["unbound"],
- mode => 775,
- ;
- "/var/lib/unbound/root.key":
- ensure => present,
- replace => false,
- owner => unbound,
- group => unbound,
- mode => 644,
- source => [ "puppet:///modules/unbound/root.key" ],
- ;
- "/var/lib/unbound/debian.org.key":
- ensure => present,
- replace => false,
- owner => unbound,
- group => unbound,
- mode => 644,
- source => [ "puppet:///modules/unbound/debian.org.key" ],
- ;
- "/etc/unbound/unbound.conf":
- content => template("unbound/unbound.conf.erb"),
- require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
- notify => Exec["unbound restart"],
- owner => root,
- group => root,
- ;
- }
+ package { 'unbound':
+ ensure => installed
+ }
- case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
- true: {
- case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
- false: {}
- default: {
- @ferm::rule { "dsa-dns":
- domain => "ip",
- description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
- }
- @ferm::rule { "dsa-dns6":
- domain => "ip6",
- description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
- }
- }
- }
- }
- }
-}
+ service { 'unbound':
+ ensure => running,
+ }
+
+ file { '/var/lib/unbound':
+ ensure => directory,
+ owner => unbound,
+ group => unbound,
+ require => Package['unbound'],
+ mode => '0775',
+ }
+ file { '/var/lib/unbound/root.key':
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => '0644',
+ source => 'puppet:///modules/unbound/root.key'
+ }
+ file { '/var/lib/unbound/debian.org.key':
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => '0644',
+ source => 'puppet:///modules/unbound/debian.org.key'
+ }
+ file { '/etc/unbound/unbound.conf':
+ content => template('unbound/unbound.conf.erb'),
+ require => [
+ Package['unbound'],
+ File['/var/lib/unbound/root.key'],
+ File['/var/lib/unbound/debian.org.key']
+ ],
+ notify => Service['unbound']
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') {
+ if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') {
+ @ferm::rule { 'dsa-dns':
+ domain => 'ip',
+ description => 'Allow nameserver access',
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { 'dsa-dns6':
+ domain => 'ip6',
+ description => 'Allow nameserver access',
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+}
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index 9a2c8373..c11df43f 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -8,7 +8,7 @@ server:
 <%=
 out = []
- if nodeinfo['misc']['resolver-recursive'] and nodeinfo['hoster']['allow_dns_query']
+ if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query']
 out << " interface: 0.0.0.0"
 out << " interface: ::0"
 out << ""
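Review bot: The firewall condition changed shape, not just style: the old `case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') { false: {} default: {...} }` opened port 53 for any value other than a literal `false`, whereas the new `if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')` opens it only for a value Puppet treats as true, so a host whose `allow_dns_query` is absent or an empty list may now lose its `dsa-dns`/`dsa-dns6` rules — presumably acceptable, since it fails closed, but it should be stated in the commit rather than hidden in a "style fixups" change. A comment on the `if` line, `# only expose the recursive resolver to the hoster's listed client ranges`, would also record why the two lookups are combined. As with syslog-ng in this commit, `service { 'unbound': ensure => running, }` has no `require => Package['unbound']`, so a fresh host can try to start the service before the package is installed; `require => Package['unbound'],` on the service fixes the ordering. The two trust-anchor files keep `replace => false`, which is right for RFC 5011-managed anchors, and a one-line comment saying so would stop someone from "fixing" it later.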
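Review bot: `scope.lookupvar('site::nodeinfo')` is evaluated twice on the rewritten `if` line, and again in the hunk at line 50, which makes a long condition hard to read; bind it once at the top of the template with `nodeinfo = scope.lookupvar('site::nodeinfo')` and keep the original `nodeinfo['misc'][...]` expressions unchanged. The `['misc']['resolver-recursive']` chain raises a Ruby error if the `misc` hash is missing from the node data, which is pre-existing but becomes harder to spot in the longer form.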
@@ -50,8 +50,8 @@ server:
 <%=
 out = []
- if not nodeinfo['misc']['resolver-recursive'] and not nodeinfo['hoster']['nameservers_break_dnssec']
- forwarders = nodeinfo['hoster']['nameservers']
+ if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec']
+ forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
 forwarders ||= []
 out << 'forward-zone:'