From 3eb533e5499e66423bafdedaf6c7d08ead1772de Mon Sep 17 00:00:00 2001 From: Stephen Gran Date: Wed, 4 Apr 2012 19:15:14 +0100 Subject: [PATCH] massive style guide fixups 
Signed-off-by: Stephen Gran --- manifests/site.pp | 290 ++++++----- modules/acpi/manifests/init.pp | 20 +- .../sites-available => }/common-ssl.inc | 0 .../etc/apache2/conf.d => }/local-serverinfo | 0 .../{common/etc/apache2/conf.d => }/security | 0 .../etc/apache2/conf.d => }/server-status | 0 .../{common/etc/php5/conf.d => }/suhosin.ini | 0 modules/apache2/manifests/backports_mirror.pp | 25 - modules/apache2/manifests/config.pp | 30 ++ modules/apache2/manifests/dynamic.pp | 71 +++ .../apache2/manifests/ftp-upcoming_mirror.pp | 18 - modules/apache2/manifests/init.pp | 342 ++++--------- modules/apache2/manifests/module.pp | 17 + modules/apache2/manifests/security_mirror.pp | 19 - modules/apache2/manifests/site.pp | 48 ++ modules/apache2/manifests/www_mirror.pp | 20 - modules/apache2/templates/conf-builddlist.erb | 26 - modules/apt-keys/manifests/init.pp | 29 -- modules/buildd/manifests/init.pp | 82 ++- .../templates/etc/schroot/mount-defaults.erb | 2 +- modules/clamav/manifests/init.pp | 42 +- modules/dacs/manifests/init.pp | 236 ++++----- .../files/backports.org.asc | 0 .../files/db.debian.org.asc | 0 modules/debian-org/lib/facter/ipaddresses.rb | 6 +- modules/debian-org/manifests/init.pp | 368 ++++++-------- modules/debian-org/manifests/proliant.pp | 30 ++ modules/debian-org/manifests/radvd.pp | 10 + modules/entropykey/manifests/init.pp | 96 +--- .../entropykey/manifests/local_consumer.pp | 14 + modules/entropykey/manifests/provider.pp | 27 + .../entropykey/manifests/remote_consumer.pp | 8 + modules/exim/manifests/init.pp | 322 ++++++------ modules/exim/manifests/mx.pp | 57 +-- modules/exim/templates/eximconf.erb | 90 ++-- modules/exim/templates/manualroute.erb | 12 +- modules/exim/templates/submission-domains.erb | 8 + modules/ferm/manifests/ftp.pp | 10 +- modules/ferm/manifests/init.pp | 172 +++---- modules/ferm/manifests/nfs-server.pp | 27 - modules/ferm/manifests/per-host.pp | 476 +++++++++--------- modules/ferm/manifests/rsync.pp | 10 +- 
modules/ferm/manifests/rule.pp | 19 + modules/ferm/manifests/zivit.pp | 24 +- modules/ferm/templates/defs.conf.erb | 60 +-- modules/ferm/templates/interfaces.conf.erb | 2 +- modules/ferm/templates/me.conf.erb | 6 +- modules/hardware/manifests/init.pp | 14 + modules/hosts/manifests/init.pp | 11 +- modules/kfreebsd/manifests/init.pp | 21 +- modules/megactl/manifests/init.pp | 18 +- modules/monit/manifests/init.pp | 123 ++--- modules/motd/manifests/init.pp | 25 +- modules/motd/templates/motd.erb | 36 +- modules/munin-node/manifests/init.pp | 114 ----- modules/munin-node/manifests/master.pp | 14 - modules/{munin-node => munin}/files/df-wrap | 0 modules/munin/manifests/check.pp | 22 + modules/munin/manifests/init.pp | 43 ++ modules/munin/manifests/master.pp | 11 + .../templates/munin-node.conf.erb | 6 +- .../templates/munin-node.plugin.conf.erb | 0 .../templates/munin.conf.erb | 4 +- modules/nagios/manifests/client.pp | 131 +++-- modules/nagios/manifests/init.pp | 7 +- modules/nagios/manifests/server.pp | 151 +++--- modules/nagios/templates/inc-debian.org.erb | 6 +- modules/named/manifests/authoritative.pp | 31 +- modules/named/manifests/geodns.pp | 116 ++--- modules/named/manifests/init.pp | 54 +- modules/named/manifests/recursor.pp | 15 +- .../named/templates/named.conf.options.erb | 6 +- modules/nfs-server/manifests/init.pp | 79 ++- modules/ntp/manifests/client.pp | 24 + modules/ntp/manifests/init.pp | 140 ++---- modules/ntp/manifests/timeserver.pp | 7 + modules/ntp/templates/ntp.conf | 4 +- modules/ntpdate/manifests/init.pp | 32 +- modules/portforwarder/manifests/init.pp | 46 +- .../templates/authorized_keys.erb | 2 +- modules/postgres/manifests/init.pp | 32 +- modules/postgrey/manifests/init.pp | 28 +- .../lib/puppet/parser/functions/nodeinfo.rb | 2 +- modules/puppetmaster/manifests/init.pp | 3 - modules/raidmpt/manifests/init.pp | 31 +- modules/resolv/manifests/init.pp | 8 +- modules/resolv/templates/resolv.conf.erb | 6 +- 
.../backports_mirror}/backports.debian.org | 0 .../files/backports_mirror}/www.backports.org | 0 .../ftp-upcoming.debian.org | 0 .../security_mirror}/security.debian.org | 0 .../files/www_mirror}/www.debian.org | 0 modules/roles/manifests/backports_mirror.pp | 13 + modules/roles/manifests/dakmaster.pp | 13 + .../roles/manifests/ftp-upcoming_mirror.pp | 7 + modules/roles/manifests/security_mirror.pp | 11 + modules/roles/manifests/www_mirror.pp | 11 + modules/roles/templates/conf-builddlist.erb | 26 + modules/rsyncd-log/manifests/init.pp | 23 +- modules/samhain/manifests/init.pp | 25 +- modules/samhain/templates/samhainrc.erb | 22 +- modules/site/manifests/alternative.pp | 17 + modules/site/manifests/aptrepo.pp | 39 ++ modules/site/manifests/init.pp | 13 + modules/site/manifests/linux_module.pp | 19 + modules/site/manifests/sysctl.pp | 18 + modules/ssh/manifests/init.pp | 72 ++- modules/ssh/templates/authorized_keys.erb | 8 +- modules/ssl/manifests/init.pp | 95 ++-- modules/stunnel4/manifests/client.pp | 19 + modules/stunnel4/manifests/generic.pp | 30 ++ modules/stunnel4/manifests/init.pp | 150 +----- modules/stunnel4/manifests/server.pp | 32 ++ modules/sudo/files/{common => }/pam | 0 modules/sudo/files/{common => }/sudoers | 0 .../files/{lenny/sudoers => sudoers.lenny} | 0 modules/sudo/manifests/init.pp | 49 +- modules/syslog-ng/manifests/init.pp | 48 +- modules/unbound/manifests/init.pp | 118 ++--- modules/unbound/templates/unbound.conf.erb | 6 +- 120 files changed, 2530 insertions(+), 2948 deletions(-) rename modules/apache2/files/{common/etc/apache2/sites-available => }/common-ssl.inc (100%) rename modules/apache2/files/{common/etc/apache2/conf.d => }/local-serverinfo (100%) rename modules/apache2/files/{common/etc/apache2/conf.d => }/security (100%) rename modules/apache2/files/{common/etc/apache2/conf.d => }/server-status (100%) rename modules/apache2/files/{common/etc/php5/conf.d => }/suhosin.ini (100%) delete mode 100644 
modules/apache2/manifests/backports_mirror.pp create mode 100644 modules/apache2/manifests/config.pp create mode 100644 modules/apache2/manifests/dynamic.pp delete mode 100644 modules/apache2/manifests/ftp-upcoming_mirror.pp create mode 100644 modules/apache2/manifests/module.pp delete mode 100644 modules/apache2/manifests/security_mirror.pp create mode 100644 modules/apache2/manifests/site.pp delete mode 100644 modules/apache2/manifests/www_mirror.pp delete mode 100644 modules/apache2/templates/conf-builddlist.erb delete mode 100644 modules/apt-keys/manifests/init.pp rename modules/{apt-keys => debian-org}/files/backports.org.asc (100%) rename modules/{apt-keys => debian-org}/files/db.debian.org.asc (100%) create mode 100644 modules/debian-org/manifests/proliant.pp create mode 100644 modules/debian-org/manifests/radvd.pp create mode 100644 modules/entropykey/manifests/local_consumer.pp create mode 100644 modules/entropykey/manifests/provider.pp create mode 100644 modules/entropykey/manifests/remote_consumer.pp create mode 100644 modules/exim/templates/submission-domains.erb delete mode 100644 modules/ferm/manifests/nfs-server.pp create mode 100644 modules/ferm/manifests/rule.pp create mode 100644 modules/hardware/manifests/init.pp delete mode 100644 modules/munin-node/manifests/init.pp delete mode 100644 modules/munin-node/manifests/master.pp rename modules/{munin-node => munin}/files/df-wrap (100%) create mode 100644 modules/munin/manifests/check.pp create mode 100644 modules/munin/manifests/init.pp create mode 100644 modules/munin/manifests/master.pp rename modules/{munin-node => munin}/templates/munin-node.conf.erb (83%) rename modules/{munin-node => munin}/templates/munin-node.plugin.conf.erb (100%) rename modules/{munin-node => munin}/templates/munin.conf.erb (75%) create mode 100644 modules/ntp/manifests/client.pp create mode 100644 modules/ntp/manifests/timeserver.pp rename modules/{apache2/files/common/etc/apache2/sites-available => 
roles/files/backports_mirror}/backports.debian.org (100%) rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/backports_mirror}/www.backports.org (100%) rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/ftp-upcoming_mirror}/ftp-upcoming.debian.org (100%) rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/security_mirror}/security.debian.org (100%) rename modules/{apache2/files/common/etc/apache2/sites-available => roles/files/www_mirror}/www.debian.org (100%) create mode 100644 modules/roles/manifests/backports_mirror.pp create mode 100644 modules/roles/manifests/dakmaster.pp create mode 100644 modules/roles/manifests/ftp-upcoming_mirror.pp create mode 100644 modules/roles/manifests/security_mirror.pp create mode 100644 modules/roles/manifests/www_mirror.pp create mode 100644 modules/roles/templates/conf-builddlist.erb create mode 100644 modules/site/manifests/alternative.pp create mode 100644 modules/site/manifests/aptrepo.pp create mode 100644 modules/site/manifests/init.pp create mode 100644 modules/site/manifests/linux_module.pp create mode 100644 modules/site/manifests/sysctl.pp create mode 100644 modules/stunnel4/manifests/client.pp create mode 100644 modules/stunnel4/manifests/generic.pp create mode 100644 modules/stunnel4/manifests/server.pp rename modules/sudo/files/{common => }/pam (100%) rename modules/sudo/files/{common => }/sudoers (100%) rename modules/sudo/files/{lenny/sudoers => sudoers.lenny} (100%)
diff --git a/manifests/site.pp b/manifests/site.pp
index d7a965dd..a55107b4 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,157 +1,155 @@
 Package {
- require => File["/etc/apt/apt.conf.d/local-recommends"]
+ require => File['/etc/apt/apt.conf.d/local-recommends']
 }
 File {
- owner => root,
- group => root,
- mode => 444,
- ensure => file,
+ owner => root,
+ group => root,
+ mode => '0444',
+ ensure => file,
 }
 Exec {
- path => "/usr/bin:/usr/sbin:/bin:/sbin"
+ path => '/usr/bin:/usr/sbin:/bin:/sbin'
 }
-node default {
- $localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml")
- $nodeinfo = nodeinfo($::fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml")
- $allnodeinfo = allnodeinfo("sshRSAHostKey ipHostNumber", "purpose mXRecord physicalHost purpose")
- notice( sprintf("hoster for %s is %s", $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
-
- include munin-node
- include syslog-ng
- include sudo
- include ssh
- include debian-org
- include monit
- include apt-keys
- include ntp
- include ntpdate
- include ssl
- include motd
-
- case $::hostname {
- finzi,fano,fasch,field: { include kfreebsd }
- }
-
- if $::smartarraycontroller {
- include debian-proliant
- }
-
- if $::productname == 'PowerEdge 2850' {
- include megactl
- }
-
- if $::mptraid {
- include raidmpt
- }
-
- if $::kvmdomain {
- include acpi
- }
-
- if $::mta == 'exim4' {
- case getfromhash($nodeinfo, 'heavy_exim') {
- true: { include exim::mx }
- default: { include exim }
- }
- }
-
- if getfromhash($nodeinfo, 'puppetmaster') {
- include puppetmaster
- }
-
- if getfromhash($nodeinfo, 'muninmaster') {
- include munin-node::master
- }
-
- case getfromhash($nodeinfo, 'nagiosmaster') {
- true: { include nagios::server }
- default: { include nagios::client }
- }
-
- if $::apache2 {
- if getfromhash($nodeinfo, 'apache2_security_mirror') {
- include apache2::security_mirror
- }
- if getfromhash($nodeinfo, 'apache2_www_mirror') {
- include apache2::www_mirror
- }
- if getfromhash($nodeinfo, 'apache2_backports_mirror') {
- include apache2::backports_mirror
- }
- if getfromhash($nodeinfo, 'apache2_ftp-upcoming_mirror') {
- include apache2::ftp-upcoming_mirror
- }
- include apache2
- }
-
- if $::rsyncd {
- include rsyncd-log
- }
-
-
- if getfromhash($nodeinfo, 'buildd') {
- include buildd
- }
-
- case $::hostname {
- ravel,senfl,orff,draghi,diamond: { include named::authoritative }
- geo1,geo2,geo3: { include named::geodns }
- liszt: { include named::recursor }
- }
-
- case $::hostname {
- franck,master,lobos,samosa,spohr,widor: { include unbound }
- }
-
- if $::lsbdistcodename != 'lenny' {
- include unbound
- }
-
- include resolv
-
- if $::kernel == 'Linux' {
- include ferm
- include ferm::per-host
- }
-
- case $::hostname {
- diabelli,nono,spohr: { include dacs }
- }
-
- case $::hostname {
- beethoven,duarte,spohr,stabile: {
- include nfs-server
- }
- }
-
- if $::brokenhosts {
- include hosts
- }
-
- if $::portforwarder_user_exists {
- include portforwarder
- }
-
- include samhain
-
- case $::hostname {
- chopin,geo3,soler,wieck: {
- include debian-radvd
- }
- }
-
- if $::kernel == 'Linux' {
- include entropykey
- }
-
- if ($::postgres84 or $::postgres90) {
- include postgres
- }
+Service {
+ hasrestart => true,
+ hasstatus => true,
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+node default {
+ include site
+ include munin
+ include syslog-ng
+ include sudo
+ include ssh
+ include debian-org
+ include monit
+ include apt-keys
+ include ntp
+ include ntpdate
+ include ssl
+ include motd
+ include hardware
+ include nagios::client
+ include resolv
+
+ if $::hostname in [finzi,fano,fasch,field] {
+ include kfreebsd
+ }
+
+ if $::kvmdomain {
+ include acpi
+ }
+
+ if $::mta == 'exim4' {
+ if getfromhash($site::nodeinfo, 'heavy_exim') {
+ include exim::mx
+ } else {
+ include exim
+ }
+ }
+
+ if $::lsbdistcodename != 'lenny' {
+ include unbound
+ }
+
+ if getfromhash($site::nodeinfo, 'puppetmaster') {
+ include puppetmaster
+ }
+
+ if getfromhash($site::nodeinfo, 'muninmaster') {
+ include munin::master
+ }
+
+ if getfromhash($site::nodeinfo, 'nagiosmaster') {
+ include nagios::server
+ }
+
+ if getfromhash($site::nodeinfo, 'buildd') {
+ include buildd
+ }
+
+ if $::hostname in [chopin,franck,morricone,bizet] {
+ include roles::dakmaster
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_security_mirror') {
+ include roles::security_mirror
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_www_mirror') {
+ include roles::www_mirror
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_backports_mirror') {
+ include roles::backports_mirror
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_ftp-upcoming_mirror') {
+ include roles::ftp-upcoming_mirror
+ }
+
+ if $::apache2 {
+ include apache2
+ }
+
+ if $::rsyncd {
+ include rsyncd-log
+ }
+
+ if $::hostname in [ravel,senfl,orff,draghi,diamond] {
+ include named::authoritative
+ } elsif $::hostname in [geo1,geo2,geo3] {
+ include named::geodns
+ } elsif $::hostname == 'liszt' {
+ include named::recursor
+ }
+
+ if $::kernel == 'Linux' {
+ include ferm
+ include ferm::per-host
+ include entropykey
+ }
+
+ if $::hostname in [diabelli,nono,spohr] {
+ include dacs
+ }
+
+ if $::hostname in [beethoven,duarte,spohr,stabile] {
+ include nfs-server
+ }
+
+ if $::brokenhosts {
+ include hosts
+ }
+
+ if $::portforwarder_user_exists {
+ include portforwarder
+ }
+
+ include samhain
+
+ if $::hostname in [chopin,geo3,soler,wieck] {
+ include debian-org::radvd
+ }
+
+ if ($::postgres84 or $::postgres90) {
+ include postgres
+ }
+
+ if $::spamd {
+ munin::check { 'spamassassin': }
+ }
+
+ if $::vsftpd {
+ package { 'logtail':
+ ensure => installed
+ }
+ munin::check { 'vsftpd': }
+ munin::check { 'ps_vsftpd':
+ script => 'ps_'
+ }
+ }
+}
diff --git a/modules/acpi/manifests/init.pp b/modules/acpi/manifests/init.pp
index ffc779b8..c427cb99 100644
--- a/modules/acpi/manifests/init.pp
+++ b/modules/acpi/manifests/init.pp
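Review bot: `include apt-keys` is kept in the new `node default`, yet this same patch deletes `modules/apt-keys/manifests/init.pp` (the diffstat lists it as deleted and moves its two `.asc` files under `modules/debian-org`), so unless that class survives somewhere not shown here, catalog compilation will stop on an unknown class; drop the line or point it at whichever class now ships those keys. Two behaviour changes also ride along with the style fixes and deserve a mention in the commit message: `nagios::client` is now included unconditionally, so a nagiosmaster host gets both `nagios::client` and `nagios::server` where it previously got only the server, and the explicit `unbound` host list (franck, master, lobos, samosa, spohr, widor) is gone, so any of those still on lenny would lose the resolver. The `$nodeinfo`/`$allnodeinfo` lookups and the hoster `notice()` leave this file and are presumably now in the new `site` class, which is outside this hunk.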
@@ -1,13 +1,13 @@
 class acpi {
- if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- package {
- acpid: ensure => installed
- }
+ if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ package { 'acpid':
+ ensure => installed
+ }
- if $lsbdistcodename != 'lenny' {
- package {
- acpi-support-base: ensure => installed
- }
- }
- }
+ if $::lsbdistcodename != 'lenny' {
+ package { 'acpi-support-base':
+ ensure => installed
+ }
+ }
+ }
 }
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc b/modules/apache2/files/common-ssl.inc
similarity index 100% rename from modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc rename to modules/apache2/files/common-ssl.inc
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo b/modules/apache2/files/local-serverinfo
similarity index 100% rename from modules/apache2/files/common/etc/apache2/conf.d/local-serverinfo rename to modules/apache2/files/local-serverinfo
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/security b/modules/apache2/files/security
similarity index 100% rename from modules/apache2/files/common/etc/apache2/conf.d/security rename to modules/apache2/files/security
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status b/modules/apache2/files/server-status
similarity index 100% rename from modules/apache2/files/common/etc/apache2/conf.d/server-status rename to modules/apache2/files/server-status
diff --git a/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini b/modules/apache2/files/suhosin.ini
similarity index 100% rename from modules/apache2/files/common/etc/php5/conf.d/suhosin.ini rename to modules/apache2/files/suhosin.ini
diff --git a/modules/apache2/manifests/backports_mirror.pp b/modules/apache2/manifests/backports_mirror.pp
deleted file mode 100644
index 47b2a2dc..00000000
--- a/modules/apache2/manifests/backports_mirror.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-class apache2::backports_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/backports.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/backports.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/backports.debian.org" ];
- "/etc/apache2/sites-available/www.backports.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.backports.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/www.backports.org" ];
-
- }
-
- activate_apache_site {
- "010-backports.debian.org": site => "backports.debian.org";
- "010-www.backports.org": site => "www.backports.org";
- }
-
- enable_module {
- "rewrite":;
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/config.pp b/modules/apache2/manifests/config.pp
new file mode 100644
index 00000000..5d517004
--- /dev/null
+++ b/modules/apache2/manifests/config.pp
@@ -0,0 +1,30 @@
+define apache2::config($config = undef, $template = undef, $ensure = present) {
+
+ include apache2
+
+ if ! ($config or $template) {
+ err ( "No configuration found for ${name}" )
+ }
+
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if $template {
+ file { "/etc/apache2/conf.d/${name}":
+ ensure => $ensure,
+ content => template($template),
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ } else {
+ file { "/etc/apache2/conf.d/${name}":
+ ensure => $ensure,
+ source => $config,
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ }
+}
diff --git a/modules/apache2/manifests/dynamic.pp b/modules/apache2/manifests/dynamic.pp
new file mode 100644
index 00000000..0b4b144d
--- /dev/null
+++ b/modules/apache2/manifests/dynamic.pp
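Review bot: Both validation failures in `apache2::config` use `err()`, which only logs, so a resource declared with neither `config` nor `template`, or with an unknown `ensure`, still falls through to the `file` declaration and manages `/etc/apache2/conf.d/${name}` with `source => undef`; as far as I can tell that leaves Puppet creating an empty, Apache-included file in conf.d while the run reports success. Use `fail ( "No configuration found for ${name}" )` and `default: { fail ( "Unknown ensure value: '${ensure}'" ) }` so a misdeclared resource aborts catalog compilation instead of deploying a placeholder; the same `err()` pattern appears in `apache2::module` and in the selector default of `apache2::site` later in this patch. The `'$ensure'` interpolation also mixes the bare and `${}` forms within one define, which the style guide this commit applies elsewhere would write as `${ensure}`.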
@@ -0,0 +1,71 @@
+class apache2::dynamic {
+ @ferm::rule { 'dsa-http-limit':
+ prio => '20',
+ description => 'limit HTTP DOS',
+ chain => 'http_limit',
+ rule => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+ jump DROP'
+ }
+
+ @ferm::rule { 'dsa-http-soso':
+ prio => '21',
+ description => 'slow soso spider',
+ chain => 'limit_sosospider',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-yahoo':
+ prio => '21',
+ description => 'slow yahoo spider',
+ chain => 'limit_yahoo',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-google':
+ prio => '21',
+ description => 'slow google spider',
+ chain => 'limit_google',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-bing':
+ prio => '21',
+ description => 'slow bing spider',
+ chain => 'limit_bing',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-baidu':
+ prio => '21',
+ description => 'slow baidu spider',
+ chain => 'limit_baidu',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-rules':
+ prio => '22',
+ description => 'http subchain',
+ chain => 'http',
+ rule => '
+ saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
+ saddr 124.115.0.0/21 jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+ saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
+
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
+
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => 'proto tcp dport (http https) jump http'
+ }
+}
diff --git a/modules/apache2/manifests/ftp-upcoming_mirror.pp b/modules/apache2/manifests/ftp-upcoming_mirror.pp
deleted file mode 100644
index aa3610c4..00000000
--- a/modules/apache2/manifests/ftp-upcoming_mirror.pp
+++ /dev/null
@@ -1,18 +0,0 @@
-class apache2::ftp-upcoming_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/ftp-upcoming.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/ftp-upcoming.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/ftp-upcoming.debian.org" ];
-
- }
-
- activate_apache_site {
- "010-ftp-upcoming.debian.org": site => "ftp-upcoming.debian.org";
- }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index ade26fb1..3c0874e3 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
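Review bot: The `dsa-http-rules` chain hard-codes crawler source ranges (Yahoo, Soso, Bing, Google, Baidu) with no note of where they came from or when they were last checked, and the class has no header explaining that it is only pulled in for the hand-picked host list in `apache2/manifests/init.pp`. A comment at the top of the class along the lines of `# Rate-limiting chains for hosts serving dynamic content; included from apache2 for the busoni/duarte/... group. Crawler ranges are hand-maintained: record the source and date when updating them.` would save the next maintainer a search. The `log_or_drop` target is referenced but not defined in this file; presumably it comes from the ferm module's own definitions, which is worth stating in the same comment.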
@@ -1,250 +1,96 @@
 class apache2 {
- activate_munin_check {
- "apache_accesses":;
- "apache_processes":;
- "apache_volume":;
- "apache_servers":;
- "ps_apache2": script => "ps_";
- }
-
- package {
- "apache2": ensure => installed;
- }
-
- case $php5 {
- "true": {
- package {
- "php5-suhosin": ensure => installed;
- }
-
- file { "/etc/php5/conf.d/suhosin.ini":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
- "puppet:///modules/apache2/common/etc/php5/conf.d/suhosin.ini" ],
- require => Package["apache2", "php5-suhosin"],
- notify => Exec["force-reload-apache2"];
- }
- }
- }
-
- define activate_apache_site($ensure=present, $site=$name) {
- case $site {
- "": { $base = $name }
- default: { $base = $site }
- }
-
- case $ensure {
- present: {
- file { "/etc/apache2/sites-enabled/$name":
- ensure => "/etc/apache2/sites-available/$base",
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- }
- }
- absent: {
- file { "/etc/apache2/sites-enabled/$name":
- ensure => $ensure,
- notify => Exec["reload-apache2"];
- }
- }
- default: { err ( "Unknown ensure value: '$ensure'" ) }
- }
- }
-
- define enable_module($ensure=present) {
- case $ensure {
- present: {
- exec {
- "/usr/sbin/a2enmod $name":
- unless => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
- notify => Exec["force-reload-apache2"],
- }
- }
- absent: {
- exec {
- "/usr/sbin/a2dismod $name":
- onlyif => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
- notify => Exec["force-reload-apache2"],
- }
- }
- default: { err ( "Unknown ensure value: '$ensure'" ) }
- }
- }
-
- enable_module {
- "info":;
- "status":;
- }
-
- activate_apache_site {
- "00-default": site => "default-debian.org";
- "000-default": ensure => absent;
- }
-
- file {
- "/etc/apache2/conf.d/ressource-limits":
- content => template("apache2/ressource-limits.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/security":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/security",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/security" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/local-serverinfo":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/local-serverinfo" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/server-status":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/server-status" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/apache2/sites-available/default-debian.org":
- content => template("apache2/default-debian.org.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/apache2/sites-available/common-ssl.inc":
- source => [ "puppet:///modules/apache2/per-host/$fqdn//etc/apache2/sites-available/common-ssl.inc",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/common-ssl.inc" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/logrotate.d/apache2":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/logrotate.d/apache2",
- "puppet:///modules/apache2/common/etc/logrotate.d/apache2" ];
-
- "/srv/www":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org/htdocs":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org/htdocs/index.html":
- content => template("apache2/default-index.html");
-
- # sometimes this is a symlink
- #"/var/log/apache2":
- # mode => 755,
- # ensure => directory;
- }
-
- exec {
- "reload-apache2":
- command => "/etc/init.d/apache2 reload",
- refreshonly => true;
- "force-reload-apache2":
- command => "/etc/init.d/apache2 force-reload",
- refreshonly => true;
- }
- case $hostname {
- chopin,franck,morricone,bizet: {
- package {
- "libapache2-mod-macro": ensure => installed;
- }
- enable_module {
- "macro":;
- }
- file {
- "/etc/apache2/conf.d/puppet-builddlist":
- content => template("apache2/conf-builddlist.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- }
- }
- }
-
- case $hostname {
- busoni,duarte,holter,lindberg,master,powell,rore: {
- @ferm::rule { "dsa-http-limit":
- prio => "20",
- description => "limit HTTP DOS",
- chain => 'http_limit',
- rule => '
- mod limit limit-burst 60 limit 15/minute jump ACCEPT;
- jump DROP'
- }
- @ferm::rule { "dsa-http-soso":
- prio => "21",
- description => "slow soso spider",
- chain => 'limit_sosospider',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-yahoo":
- prio => "21",
- description => "slow yahoo spider",
- chain => 'limit_yahoo',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-google":
- prio => "21",
- description => "slow google spider",
- chain => 'limit_google',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-bing":
- prio => "21",
- description => "slow bing spider",
- chain => 'limit_bing',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-baidu":
- prio => "21",
- description => "slow baidu spider",
- chain => 'limit_baidu',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-rules":
- prio => "22",
- description => "http subchain",
- chain => 'http',
- rule => '
- saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
- saddr 124.115.0.0/21 jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
- saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
-
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- @ferm::rule { "dsa-http":
- prio => "23",
- description => "Allow web access",
- rule => "proto tcp dport (http https) jump http"
- }
- }
- default: {
- @ferm::rule { "dsa-http":
- prio => "23",
- description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
- }
- }
- }
- @ferm::rule { "dsa-http-v6":
- domain => "(ip6)",
- prio => "23",
- description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
- }
+
+ package { 'apache2':
+ ensure => installed,
+ }
+
+ service { 'apache2':
+ ensure => running,
+ require => Package['apache2'],
+ }
+
+ apache2::module { 'info': }
+ apache2::module { 'status': }
+
+ apache2::site { '00-default':
+ site => 'default-debian.org',
+ template => 'apache2/default-debian.org.erb',
+ }
+
+ apache2::site { '000-default':
+ ensure => absent,
+ }
+
+ apache2::config { 'ressource-limits':
+ template => 'apache2/ressource-limits.erb',
+ }
+
+ apache2::config { 'security':
+ config => 'puppet:///modules/apache2/security',
+ }
+
+ apache2::config { 'local-serverinfo':
+ config => 'puppet:///modules/apache2/local-serverinfo',
+ }
+
+ apache2::config { 'server-status':
+ config => 'puppet:///modules/apache2/server-status',
+ }
+
+ file { '/etc/apache2/sites-available/common-ssl.inc':
+ source => 'puppet:///modules/apache2/common-ssl.inc',
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+
+ file { '/etc/logrotate.d/apache2':
+ source => 'puppet:///modules/apache2/apache2.logrotate',
+ }
+
+ file { [ '/srv/www', '/srv/www/default.debian.org', '/srv/www/default.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+
+ file { '/srv/www/default.debian.org/htdocs/index.html':
+ content => template('apache2/default-index.html'),
+ }
+
+ munin::check { 'apache_accesses': }
+ munin::check { 'apache_processes': }
+ munin::check { 'apache_volume': }
+ munin::check { 'apache_servers': }
+ munin::check { 'ps_apache2':
+ script => 'ps_',
+ }
+
+ if $php5 {
+ package { 'php5-suhosin':
+ ensure => installed,
+ require => Package['apache2'],
+ }
+
+ file { '/etc/php5/conf.d/suhosin.ini':
+ source => 'puppet:///modules/apache2/suhosin.ini',
+ require => Package['php5-suhosin'],
+ notify => Service['apache2'],
+ }
+ }
+
+ if $::hostname in [busoni,duarte,holter,lindberg,master,powell,rore] {
+ include apache2::dynamic
+ } else {
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
+ }
+
+ @ferm::rule { 'dsa-http-v6':
+ domain => '(ip6)',
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/apache2/manifests/module.pp b/modules/apache2/manifests/module.pp
new file mode 100644
index 00000000..3a6922bd
--- /dev/null
+++ b/modules/apache2/manifests/module.pp
@@ -0,0 +1,17 @@
+define apache2::module ($ensure = present) {
+ case $ensure {
+ present: {
+ exec { "/usr/sbin/a2enmod ${name}":
+ creates => "/etc/apache2/mods-enabled/${name}.load",
+ notify => Service['apache2']
+ }
+ }
+ absent: {
+ exec { "/usr/sbin/a2dismod ${name}":
+ onlyif => "test -L /etc/apache2/mods-enabled/${name}.load",
+ notify => Service['apache2']
+ }
+ }
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+}
diff --git a/modules/apache2/manifests/security_mirror.pp b/modules/apache2/manifests/security_mirror.pp
deleted file mode 100644
index 853b9f89..00000000
--- a/modules/apache2/manifests/security_mirror.pp
+++ /dev/null
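Review bot: `if $php5 {` reads an unqualified top-scope fact while every other fact in this commit is written `$::…` (`$::hostname` a few lines below), which is exactly the pattern the rest of the style fixups remove; change it to `if $::php5 {`. It is also a semantic change from the old `case $php5 { "true": … }`: if that fact arrives as a string, older Puppet treats any non-empty string, including `"false"`, as true, so the suhosin block could apply to hosts it previously skipped; worth confirming what values the fact takes before relying on truthiness. `file { '/etc/logrotate.d/apache2': source => 'puppet:///modules/apache2/apache2.logrotate' }` points at a file this patch neither creates nor renames (the diffstat renames only common-ssl.inc, local-serverinfo, security, server-status and suhosin.ini), so unless `modules/apache2/files/apache2.logrotate` already exists the resource will fail on every run. Replacing the old `[ per-host/$fqdn/…, common/… ]` source lists with single module paths also silently drops any per-host override still present under `modules/apache2/files/per-host/`; if none exist, removing that directory in the same commit would make the intent explicit.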
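Review bot: `onlyif => "test -L /etc/apache2/mods-enabled/${name}.load"` relies on the global `Exec { path => … }` default set in `manifests/site.pp` to resolve `test`, while the command on the line above uses the absolute `/usr/sbin/a2dismod`; keep both absolute (`onlyif => "/usr/bin/test -L /etc/apache2/mods-enabled/${name}.load"`) or both relative so the define does not silently depend on a default declared in another file. The `present` branch's `creates` is simpler than the old `/bin/sh -c '[ -L … ]'` wrapper, but it is satisfied by any file at that path rather than only a symlink, so the two branches now test different conditions; a one-line comment noting that the asymmetry is deliberate would prevent someone "fixing" it later.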
@@ -1,19 +0,0 @@ -class apache2::security_mirror { - include apache2 - file { - "/etc/apache2/sites-available/security.debian.org": - source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/security.debian.org", - "puppet:///modules/apache2/common/etc/apache2/sites-available/security.debian.org" ]; - - } - - activate_apache_site { - "010-security.debian.org": site => "security.debian.org"; - "security.debian.org": ensure => absent; - } - -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/apache2/manifests/site.pp b/modules/apache2/manifests/site.pp new file mode 100644 index 00000000..708e6fa0 --- /dev/null +++ b/modules/apache2/manifests/site.pp @@ -0,0 +1,48 @@ +define apache2::site ( + $config = undef, + $template = undef, + $ensure = present, + $site = undef +) { + + include apache2 + + if ! ($config or $template) { + err ( "No configuration found for ${name}" ) + } + + if $site { + $base = $site + } else { + $base = $name + } + + $target = "/etc/apache2/sites-available/${base}" + + $link_target = $ensure ? { + present => $target, + absent => absent, + default => err ( "Unknown ensure value: '$ensure'" ), + } + + if $template { + file { $target: + ensure => $ensure, + content => template($template), + require => Package['apache2'], + notify => Service['apache2'], + } + } else { + file { $target: + ensure => $ensure, + source => $config, + require => Package['apache2'], + notify => Service['apache2'], + } + } + + file { "/etc/apache2/sites-enabled/${name}": + ensure => $link_target, + notify => Service['apache2'], + } +} diff --git a/modules/apache2/manifests/www_mirror.pp b/modules/apache2/manifests/www_mirror.pp deleted file mode 100644 index 136e571e..00000000 --- a/modules/apache2/manifests/www_mirror.pp +++ /dev/null 
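Review bot: In apache2::site, `if ! ($config or $template) { err ( "No configuration found for ${name}" ) }` does not stop compilation, so a site declared with neither `config` nor `template` still gets `file { $target: ensure => $ensure, source => undef }` plus a live symlink in sites-enabled — an empty vhost file is enabled instead of the catalog failing; use `fail("No configuration found for ${name}")`. The `default => err ( "Unknown ensure value: '$ensure'" )` arm of the `$link_target` selector has the same problem: it evaluates to undef, so the sites-enabled entry is managed as an ordinary file rather than a link, again without an error. Both branches of the `file { $target: ... }` resource also set no `owner`/`mode`; since the rest of this style pass pins modes explicitly (e.g. `'0755'` on the htdocs directories), an explicit `mode => '0644'` here would be consistent.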
@@ -1,20 +0,0 @@ -class apache2::www_mirror { - include apache2 - file { - "/etc/apache2/sites-available/www.debian.org": - source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.debian.org", - "puppet:///modules/apache2/common/etc/apache2/sites-available/www.debian.org" ], - notify => Exec["reload-apache2"], - ; - } - - activate_apache_site { - "010-www.debian.org": site => "www.debian.org"; - "www.debian.org": ensure => absent; - } - -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/apache2/templates/conf-builddlist.erb b/modules/apache2/templates/conf-builddlist.erb deleted file mode 100644 index 1aa47587..00000000 --- a/modules/apache2/templates/conf-builddlist.erb +++ /dev/null @@ -1,26 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - - - -<%= - lines = [] - - allnodeinfo.keys.sort.each do |node| - next unless allnodeinfo[node]['purpose'] - if allnodeinfo[node]['purpose'].include?('buildd') - lines << " # #{allnodeinfo[node]['hostname'].to_s}" - allnodeinfo[node]['ipHostNumber'].each do |addr| - lines << " allow from #{addr}" - end - end - end - - lines.join("\n") -# vim:set et: -# vim:set sts=2 ts=2: -# vim:set shiftwidth=2: -%> - diff --git a/modules/apt-keys/manifests/init.pp b/modules/apt-keys/manifests/init.pp deleted file mode 100644 index bb3574eb..00000000 --- a/modules/apt-keys/manifests/init.pp +++ /dev/null 
@@ -1,29 +0,0 @@ -class apt-keys { - file { - "/etc/apt/trusted-keys.d/": - ensure => directory, - purge => true, - notify => Exec["apt-keys-update"], - ; - - "/etc/apt/trusted-keys.d/backports.org.asc": - source => "puppet:///modules/apt-keys/backports.org.asc", - mode => 664, - notify => Exec["apt-keys-update"], - ; - "/etc/apt/trusted-keys.d/db.debian.org.asc": - source => "puppet:///modules/apt-keys/db.debian.org.asc", - mode => 664, - notify => Exec["apt-keys-update"], - ; - } - - exec { "apt-keys-update": - command => '/bin/true && for keyfile in /etc/apt/trusted-keys.d/*; do apt-key add $keyfile; done', - refreshonly => true - } -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp index f001291b..01dca34d 100644 --- a/modules/buildd/manifests/init.pp +++ b/modules/buildd/manifests/init.pp 
@@ -1,51 +1,43 @@ class buildd { - package { - "schroot": ensure => installed; - "sbuild": ensure => installed; - "apt-transport-https": ensure => installed; - "debootstrap": ensure => installed; - "dupload": ensure => installed; - } + package { [ + 'schroot', + 'sbuild', + 'apt-transport-https', + 'debootstrap', + 'dupload' + ]: + ensure => installed + } - file { - "/etc/apt/preferences.d/buildd": - ensure => absent - ; + site::linux_module { 'dm_snapshot': } - "/etc/apt/sources.list.d/buildd.list": - content => template("buildd/etc/apt/sources.list.d/buildd.list.erb"), - require => Package["apt-transport-https"], - notify => Exec["apt-get update"], - ; + site::aptrepo { 'buildd': + content => template('buildd/etc/apt/sources.list.d/buildd.list.erb'), + key => 'puppet:///modules/buildd/buildd.debian.org.asc', + } - "/etc/apt/trusted-keys.d/buildd.debian.org.asc": - source => "puppet:///modules/buildd/buildd.debian.org.asc", - mode => 664, - notify => Exec["apt-keys-update"], - ; - "/etc/schroot/mount-defaults": - content => template("buildd/etc/schroot/mount-defaults.erb"), - require => Package["sbuild"] - ; - "/etc/cron.d/dsa-buildd": - source => "puppet:///modules/buildd/cron.d-dsa-buildd", - require => Package["debian.org"] - ; - "/etc/dupload.conf": - source => "puppet:///modules/buildd/dupload.conf", - require => Package["dupload"] - ; - "/etc/default/schroot": - source => "puppet:///modules/buildd/default-schroot", - require => Package["schroot"] - ; - } - - case $kernel { - Linux: { linux_module { "dm_snapshot": ensure => present; } } - } + file { '/etc/apt/preferences.d/buildd': + ensure => absent + } + file { '/etc/schroot/mount-defaults': + content => template('buildd/etc/schroot/mount-defaults.erb'), + require => Package['sbuild'], + } + file { '/etc/schroot/mount-defaults': + content => template('buildd/etc/schroot/mount-defaults.erb'), + require => Package['sbuild'], + } + file { '/etc/cron.d/dsa-buildd': + source => 
'puppet:///modules/buildd/cron.d-dsa-buildd', + require => Package['debian.org'] + } + file { '/etc/dupload.conf': + source => 'puppet:///modules/buildd/dupload.conf', + require => Package['dupload'], + } + file { '/etc/default/schroot': + source => 'puppet:///modules/buildd/default-schroot', + require => Package['schroot'] + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/buildd/templates/etc/schroot/mount-defaults.erb b/modules/buildd/templates/etc/schroot/mount-defaults.erb index ec016d9c..9dc2d518 100644 --- a/modules/buildd/templates/etc/schroot/mount-defaults.erb +++ b/modules/buildd/templates/etc/schroot/mount-defaults.erb @@ -7,7 +7,7 @@ # (CHROOT_PATH) # # -<% if nodeinfo['ldap'].has_key?('architecture') and nodeinfo['ldap']['architecture'][0].start_with?('kfreebsd') -%> +<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%> # kFreeBSD version proc /proc linprocfs defaults 0 0 dev /dev devfs rw,bind 0 0 diff --git a/modules/clamav/manifests/init.pp b/modules/clamav/manifests/init.pp index 885258bf..47c4109d 100644 --- a/modules/clamav/manifests/init.pp +++ b/modules/clamav/manifests/init.pp 
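Review bot: `file { '/etc/schroot/mount-defaults': ... }` appears twice in the new body of class buildd; Puppet treats that as a duplicate declaration and every buildd catalog will fail to compile, so the second copy needs to go. The `case $kernel { Linux: ... }` guard around the dm_snapshot module was also dropped, making `site::linux_module { 'dm_snapshot': }` unconditional — if that define still appends to /etc/modules, the kFreeBSD buildds that the mount-defaults template special-cases will receive it too; `if $::kernel == 'Linux' { site::linux_module { 'dm_snapshot': } }` keeps the previous behaviour.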
@@ -1,24 +1,22 @@ class clamav { - package { - "clamav-daemon": ensure => installed; - "clamav-freshclam": ensure => installed; - "clamav-unofficial-sigs": ensure => installed; - } - file { - "/etc/clamav-unofficial-sigs.dsa.conf": - require => Package["clamav-unofficial-sigs"], - source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf" ] - ; - "/etc/clamav-unofficial-sigs.conf": - require => Package["clamav-unofficial-sigs"], - source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.conf" ] - ; - "/var/lib/clamav/mbl.ndb": - ensure => absent, - ; - } -} + package { [ + 'clamav-daemon', + 'clamav-freshclam', + 'clamav-unofficial-sigs' + ]: + ensure => installed + } + + file { '/var/lib/clamav/mbl.ndb': + ensure => absent + } + file { '/etc/clamav-unofficial-sigs.dsa.conf': + require => Package['clamav-unofficial-sigs'], + source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf' ] + } + file { '/etc/clamav-unofficial-sigs.conf': + require => Package['clamav-unofficial-sigs'], + source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.conf' ] + } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: +} diff --git a/modules/dacs/manifests/init.pp b/modules/dacs/manifests/init.pp index 79cf4841..377dfa9d 100644 --- a/modules/dacs/manifests/init.pp +++ b/modules/dacs/manifests/init.pp 
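Review bot: The two `source => [ 'puppet:///modules/clamav/...' ]` values in class clamav are single-element arrays left over from the old per-host/common fallback pattern that this commit removes elsewhere; a plain string, `source => 'puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf'`, says what is meant and matches the other modules in this pass. The closing brace of the class was also moved below the removed vim modelines, which is harmless but reads oddly in the diff.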
@@ -1,153 +1,89 @@ class dacs { - package { - "dacs": ensure => installed; - "libapache2-mod-dacs": ensure => installed; - } - - file { - "/var/log/dacs": - ensure => directory, - owner => root, - group => www-data, - mode => 770, - purge => true - ; - "/etc/dacs/federations": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN/groups": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS": - require => Package["libapache2-mod-dacs"], - ensure => directory, - owner => root, - group => www-data, - mode => 750, - purge => true - ; - - "/etc/dacs/federations/site.conf": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/site.conf", - "puppet:///modules/dacs/common/site.conf" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/dacs.conf": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/dacs.conf", - "puppet:///modules/dacs/common/dacs.conf" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls/revocations": - require => 
Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/revocations", - "puppet:///modules/dacs/common/revocations" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/jurisdictions.grp", - "puppet:///modules/dacs/common/jurisdictions.grp" ], - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0", - "puppet:///modules/dacs/common/acl-noauth.0" ], - mode => 640, - owner => root, - group => www-data, - notify => Exec["dacsacl"] - ; - - "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0": - require => Package["libapache2-mod-dacs"], - source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-private.0", - "puppet:///modules/dacs/common/acl-private.0" ], - mode => 640, - owner => root, - group => www-data, - notify => Exec["dacsacl"] - ; - - "/etc/dacs/federations/debian.org/federation_keyfile": - require => Package["libapache2-mod-dacs"], - source => "puppet:///modules/dacs/private/debian.org_federation_keyfile", - mode => 640, - owner => root, - group => www-data - ; - - "/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile": - require => Package["libapache2-mod-dacs"], - source => "puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile", - mode => 640, - owner => root, - group => www-data - ; - - } - - exec { - "dacsacl": - command => "dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX", - refreshonly => true, - } - + package { 'dacs': + ensure => installed, + } + package { 'libapache2-mod-dacs': + ensure => installed, + } + + file { 
'/var/log/dacs': + ensure => directory, + owner => root, + group => www-data, + mode => '0770', + purge => true, + } + file { [ + '/etc/dacs/federations', + '/etc/dacs/federations/debian.org/', + '/etc/dacs/federations/debian.org/DEBIAN', + '/etc/dacs/federations/debian.org/DEBIAN/acls', + '/etc/dacs/federations/debian.org/DEBIAN/groups', + '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS' + ]: + ensure => directory, + owner => root, + group => www-data, + mode => '0750', + require => Package['libapache2-mod-dacs'], + purge => true + } + file { '/etc/dacs/federations/site.conf': + source => 'puppet:///modules/dacs/common/site.conf', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/dacs.conf': + source => 'puppet:///modules/dacs/common/dacs.conf', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/acls/revocations': + source => 'puppet:///modules/dacs/common/revocations', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp': + source => 'puppet:///modules/dacs/common/jurisdictions.grp', + mode => '0640', + owner => root, + group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0': + source => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0', + 'puppet:///modules/dacs/common/acl-noauth.0' ], + mode => '0640', + owner => root, + group => www-data, + notify => Exec['dacsacl'] + } + file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0': + source => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-private.0', + 'puppet:///modules/dacs/common/acl-private.0' ], + mode => '0640', + owner => root, + group => www-data, + notify => Exec['dacsacl'] + } + file { '/etc/dacs/federations/debian.org/federation_keyfile': + source => 'puppet:///modules/dacs/private/debian.org_federation_keyfile', + mode => '0640', + owner => root, 
+ group => www-data + } + file { '/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile': + source => 'puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile', + mode => '0640', + owner => root, + group => www-data + } + + exec { 'dacsacl': + command => 'dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX', + refreshonly => true, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/apt-keys/files/backports.org.asc b/modules/debian-org/files/backports.org.asc similarity index 100% rename from modules/apt-keys/files/backports.org.asc rename to modules/debian-org/files/backports.org.asc diff --git a/modules/apt-keys/files/db.debian.org.asc b/modules/debian-org/files/db.debian.org.asc similarity index 100% rename from modules/apt-keys/files/db.debian.org.asc rename to modules/debian-org/files/db.debian.org.asc diff --git a/modules/debian-org/lib/facter/ipaddresses.rb b/modules/debian-org/lib/facter/ipaddresses.rb index 80b59bd3..0832063d 100644 --- a/modules/debian-org/lib/facter/ipaddresses.rb +++ b/modules/debian-org/lib/facter/ipaddresses.rb @@ -12,7 +12,7 @@ Facter.add("v4ips") do end ret = addrs.join(",") if ret.empty? - ret = 'no' + ret = '' end setcode do ret @@ -37,7 +37,7 @@ Facter.add("v4ips") do ret = addrs.join(",") if ret.empty? - ret = 'no' + ret = '' end ret end @@ -57,7 +57,7 @@ Facter.add("v6ips") do end ret = addrs.join(",") if ret.empty? - ret = 'no' + ret = '' end setcode do ret diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp index 7d4bf5c3..30998c35 100644 --- a/modules/debian-org/manifests/init.pp +++ b/modules/debian-org/manifests/init.pp 
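Review bot: In the `acl-noauth.0` and `acl-private.0` resources of class dacs the per-host source is now `'puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0'` in single quotes, and Puppet does not interpolate `$fqdn` inside single quotes, so that URL is a literal path that never exists and the common ACL is silently used on every host. These are the access-control lists that `dacsacl` compiles, so a host that depended on a per-host override is now evaluated against the common rules with no error; write `"puppet:///modules/dacs/per-host/${::fqdn}/acl-noauth.0"` (double quotes, likewise for acl-private.0), or drop the per-host entry as was done for site.conf, dacs.conf, revocations and jurisdictions.grp. Separately, the directory resources keep `purge => true` without `recurse => true`, which has no effect in Puppet — pre-existing, but a style pass is the place to either add recurse or remove the purge.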
@@ -1,220 +1,168 @@ -define sysctl($key, $value, $ensure=present) { - file { - "/etc/sysctl.d/$name.conf": - ensure => $ensure, - owner => root, - group => root, - mode => 0644, - content => "$key = $value\n", - notify => Exec["procps restart"], - } -} +class debian-org { -define set_alternatives($linkto) { - exec { - "/usr/sbin/update-alternatives --set $name $linkto": - unless => "/bin/sh -c '! [ -e $linkto ] || ! [ -e /etc/alternatives/$name ] || ([ -L /etc/alternatives/$name ] && [ /etc/alternatives/$name -ef $linkto ])'" - } -} + $debianadmin = [ + 'debian-archive-debian-samhain-reports@master.debian.org', + 'debian-admin@ftbfs.de', + 'weasel@debian.org', + 'steve@lobefin.net', + 'paravoid@debian.org' + ] -define linux_module ($ensure) { - case $ensure { - present: { - exec { "append_module_${name}": - command => "echo '${name}' >> /etc/modules", - unless => "grep -q -F -x '${name}' /etc/modules", - } - } - absent: { - exec { "remove_module_${name}": - command => "sed -i -e'/^${name}\$/d' /etc/modules", - onlyif => "grep -q -F -x '${name}' /etc/modules", - } - } - default: { - err("invalid ensure value ${ensure}") - } - } -} + package { [ + 'apt-utils', + 'bash-completion', + 'debian.org', + 'dnsutils', + 'dsa-munin-plugins', + 'klogd', + 'less', + 'lsb-release', + 'libfilesystem-ruby1.8', + 'molly-guard', + 'mtr-tiny', + 'nload', + 'pciutils', + 'rsyslog', + 'sysklogd', + ]: + ensure => installed, + } + munin::check { [ + 'cpu', + 'entropy', + 'forks', + 'interrupts', + 'iostat', + 'irqstats', + 'load', + 'memory', + 'ntp_offset', + 'ntp_states', + 'open_files', + 'open_inodes', + 'processes', + 'swap', + 'uptime', + 'vmstat', + ]: + } -class debian-org { - $debianadmin = [ "debian-archive-debian-samhain-reports@master.debian.org", "debian-admin@ftbfs.de", "weasel@debian.org", "steve@lobefin.net", "paravoid@debian.org" ] - package { - "apt-utils": ensure => installed; - "bash-completion": ensure => installed; - "debian.org": ensure => installed; - "dnsutils": 
ensure => installed; - "dsa-munin-plugins": ensure => installed; - "klogd": ensure => purged; - "less": ensure => installed; - "lsb-release": ensure => installed; - "libfilesystem-ruby1.8": ensure => installed; - "molly-guard": ensure => installed; - "mtr-tiny": ensure => installed; - "nload": ensure => installed; - "pciutils": ensure => installed; - "rsyslog": ensure => purged; - "sysklogd": ensure => purged; - } - case getfromhash($nodeinfo, 'broken-rtc') { - true: { - package { - fake-hwclock: ensure => installed; - } - } - } - case $debarchitecture { - "armhf": {} - default: { - file { - "/etc/apt/sources.list.d/security.list": - content => template("debian-org/etc/apt/sources.list.d/security.list.erb"), - notify => Exec["apt-get update"]; - "/etc/apt/sources.list.d/backports.org.list": - content => template("debian-org/etc/apt/sources.list.d/backports.org.list.erb"), - notify => Exec["apt-get update"]; - "/etc/apt/sources.list.d/volatile.list": - content => template("debian-org/etc/apt/sources.list.d/volatile.list.erb"), - notify => Exec["apt-get update"]; - } - } - } - file { - "/etc/apt/preferences": - source => "puppet:///modules/debian-org/apt.preferences"; - "/etc/apt/sources.list.d/debian.org.list": - content => template("debian-org/etc/apt/sources.list.d/debian.org.list.erb"), - notify => Exec["apt-get update"]; - "/etc/apt/apt.conf.d/local-compression": - source => "puppet:///modules/debian-org/apt.conf.d/local-compression"; - "/etc/apt/apt.conf.d/local-recommends": - source => "puppet:///modules/debian-org/apt.conf.d/local-recommends"; - "/etc/apt/apt.conf.d/local-pdiffs": - source => "puppet:///modules/debian-org/apt.conf.d/local-pdiffs"; - "/etc/timezone": - source => "puppet:///modules/debian-org/timezone", - notify => Exec["dpkg-reconfigure tzdata -pcritical -fnoninteractive"]; - "/etc/puppet/puppet.conf": - # require => Package["puppet"], - source => "puppet:///modules/debian-org/puppet.conf" - ; - "/etc/default/puppet": - # require => 
Package["puppet"], - source => "puppet:///modules/debian-org/puppet.default" - ; + if getfromhash($site::nodeinfo, 'broken-rtc') { + package { 'fake-hwclock': + ensure => installed + } + } - "/etc/cron.d/dsa-puppet-stuff": - source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron", - require => Package["debian.org"] - ; - "/etc/ldap/ldap.conf": - require => Package["debian.org"], - source => "puppet:///modules/debian-org/ldap.conf", - ; - "/etc/pam.d/common-session": - require => Package["debian.org"], - content => template("debian-org/pam.common-session.erb"), - ; - "/etc/rc.local": - mode => 0755, - source => "puppet:///modules/debian-org/rc.local", - notify => Exec["rc.local start"], - ; - "/etc/molly-guard/run.d/15-acquire-reboot-lock": - mode => 0755, - source => "puppet:///modules/debian-org/molly-guard-acquire-reboot-lock", - require => Package["molly-guard"], - ; + # This really means 'not wheezy' - "/etc/dsa": - mode => 0755, - ensure => directory, - ; - "/etc/dsa/cron.ignore.dsa-puppet-stuff": - source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore", - require => Package["debian.org"] - ; - } - - # set mmap_min_addr to 4096 to mitigate - # Linux NULL-pointer dereference exploits - sysctl { - "mmap_min_addr" : - key => "vm.mmap_min_addr", - value => 4096, - } - - set_alternatives { - "editor": - linkto => "/usr/bin/vim.basic", - } - - mailalias { - "samhain-reports": - recipient => $debianadmin, - ensure => present; - } + if $::debarchitecture != 'armhf' { + site::aptrepo { 'security': + template => 'debian-org/etc/apt/sources.list.d/security.list.erb', + } + site::aptrepo { 'backports.org': + template => 'debian-org/etc/apt/sources.list.d/backports.org.list.erb', + key => 'puppet:///modules/debian-org/backports.org.asc', + } + site::aptrepo { 'volatile': + template => 'debian-org/etc/apt/sources.list.d/volatile.list.erb', + } + } - exec { - "dpkg-reconfigure tzdata -pcritical -fnoninteractive": - path => 
"/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "apt-get update": - command => 'apt-get update', - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "puppetmaster restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "rc.local start": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "procps restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "init q": - refreshonly => true; - } -} + site::aptrepo { 'debian.org': + template => 'debian-org/etc/apt/sources.list.d/debian.org.list.erb', + key => 'puppet:///modules/debian-org/db.debian.org.asc', + } -class debian-proliant inherits debian-org { - package { - "hpacucli": ensure => installed; - "hp-health": ensure => installed; - "arrayprobe": ensure => installed; - } - case $lsbdistcodename { - 'lenny': { - package { - "cpqarrayd": ensure => installed; - } - } - } - case $debarchitecture { - "amd64": { - package { "lib32gcc1": ensure => installed; } - } - } - file { - "/etc/apt/sources.list.d/debian.restricted.list": - content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"), - notify => Exec["apt-get update"]; - } -} + file { '/etc/apt/preferences': + source => 'puppet:///modules/debian-org/apt.preferences', + } + file { '/etc/apt/trusted-keys.d/': + ensure => directory, + purge => true, + } + file { '/etc/apt/apt.conf.d/local-compression': + source => 'puppet:///modules/debian-org/apt.conf.d/local-compression', + } + file { '/etc/apt/apt.conf.d/local-recommends': + source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends', + } + file { '/etc/apt/apt.conf.d/local-pdiffs': + source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs', + } + file { '/etc/timezone': + source => 'puppet:///modules/debian-org/timezone', + notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'], + } + file { '/etc/puppet/puppet.conf': + source => 
'puppet:///modules/debian-org/puppet.conf', + } + file { '/etc/default/puppet': + source => 'puppet:///modules/debian-org/puppet.default', + } + file { '/etc/cron.d/dsa-puppet-stuff': + source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron', + require => Package['debian.org'], + } + file { '/etc/ldap/ldap.conf': + require => Package['debian.org'], + source => 'puppet:///modules/debian-org/ldap.conf', + } + file { '/etc/pam.d/common-session': + require => Package['debian.org'], + content => template('debian-org/pam.common-session.erb'), + } + file { '/etc/rc.local': + mode => '0755', + source => 'puppet:///modules/debian-org/rc.local', + notify => Exec['rc.local start'], + } + file { '/etc/molly-guard/run.d/15-acquire-reboot-lock': + mode => '0755', + source => 'puppet:///modules/debian-org/molly-guard-acquire-reboot-lock', + require => Package['molly-guard'], + } + file { '/etc/dsa': + ensure => directory, + mode => '0755', + } + file { '/etc/dsa/cron.ignore.dsa-puppet-stuff': + source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore', + require => Package['debian.org'] + } + + # set mmap_min_addr to 4096 to mitigate + # Linux NULL-pointer dereference exploits + site::sysctl { 'mmap_min_addr': + key => 'vm.mmap_min_addr', + value => '4096', + } + site::alternative { 'editor': + linkto => '/usr/bin/vim.basic', + } + mailalias { 'samhain-reports': + ensure => present, + recipient => $debianadmin, + } + + exec { 'apt-get update': + path => '/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true, + }-> Package <| |> -class debian-radvd inherits debian-org { - sysctl { - "dsa-accept-ra-default" : - key => "net.ipv6.conf.default.accept_ra", - value => 0, - } - sysctl { - "dsa-accept-ra-all" : - key => "net.ipv6.conf.all.accept_ra", - value => 0, - } + exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive': + path => '/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true + } + exec { 'puppetmaster restart': + path => 
'/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true + } + exec { 'rc.local start': + path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true + } + exec { 'init q': + refreshonly => true + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/debian-org/manifests/proliant.pp b/modules/debian-org/manifests/proliant.pp new file mode 100644 index 00000000..04b9cdd3 --- /dev/null +++ b/modules/debian-org/manifests/proliant.pp @@ -0,0 +1,30 @@ +class debian-org::proliant { + + site::aptrepo { 'debian.restricted': + template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb', + } + + package { 'hpacucli': + ensure => installed, + } + package { 'hp-health': + ensure => installed, + } + package { 'arrayprobe': + ensure => installed, + } + + if $::lsbdistcodename == 'lenny' { + package { 'cpqarrayd': + ensure => installed, + } + } + + if $::debarchitecture == 'amd64' { + package { 'lib32gcc1': + ensure => installed, + } + } +} + + diff --git a/modules/debian-org/manifests/radvd.pp b/modules/debian-org/manifests/radvd.pp new file mode 100644 index 00000000..b9eeb808 --- /dev/null +++ b/modules/debian-org/manifests/radvd.pp @@ -0,0 +1,10 @@ +class debian-org::radvd { + site::sysctl { 'dsa-accept-ra-default': + key => 'net.ipv6.conf.default.accept_ra', + value => 0, + } + site::sysctl { 'dsa-accept-ra-all': + key => 'net.ipv6.conf.all.accept_ra', + value => 0, + } +} diff --git a/modules/entropykey/manifests/init.pp b/modules/entropykey/manifests/init.pp index 8f91cf55..6d327fc6 100644 --- a/modules/entropykey/manifests/init.pp +++ b/modules/entropykey/manifests/init.pp 
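Review bot: The collapsed package list in class debian-org changes `klogd`, `rsyslog` and `sysklogd` from `ensure => purged` (old lines) to `ensure => installed`; klogd/sysklogd and rsyslog both provide the system log daemon, so this either fails the package run or flips which syslog implementation the hosts run, and in either case it changes logging behaviour in a commit described as style fixes. Keep them as a separate `package { [ 'klogd', 'rsyslog', 'sysklogd' ]: ensure => purged }` resource. `file { '/etc/apt/trusted-keys.d/': ensure => directory, purge => true }` has no `recurse`, so the purge is a no-op and stale trust keys stay in place; the `apt-keys-update` exec that imported those keys is deleted in this commit, so unless `site::aptrepo` imports its `key` parameter itself, packages from the backports.org/db.debian.org repositories will fail signature verification. The `# This really means 'not wheezy'` comment now sits above a blank line instead of the `if $::debarchitecture != 'armhf'` test it describes; move it directly above the `if`.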
@@ -1,86 +1,18 @@ -class entropykey::provider { - package { - "ekeyd": ensure => installed; - } - - file { - "/etc/entropykey/ekeyd.conf": - source => "puppet:///modules/entropykey/ekeyd.conf", - notify => Exec['restart_ekeyd'], - require => [ Package['ekeyd'] ], - ; - # our CRL expires after a while (2 or 4 weeks?), so we have - # to restart stunnel so it loads the new CRL. - "/etc/cron.weekly/stunnel-ekey-restart": - content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n", - mode => "555", - ; - } - - exec { - "restart_ekeyd": - command => "true && cd / && env -i /etc/init.d/ekeyd restart", - require => [ File['/etc/entropykey/ekeyd.conf'] ], - refreshonly => true, - ; - } - - include "stunnel4" - stunnel4::stunnel_server { - "ekeyd": - accept => 18888, - connect => "127.0.0.1:8888", - ; - } -} - -class entropykey::local_consumer { - package { - "ekeyd-egd-linux": ensure => installed; - } - - file { - "/etc/default/ekeyd-egd-linux": - source => "puppet:///modules/entropykey/ekeyd-egd-linux", - notify => Exec['restart_ekeyd-egd-linux'], - require => [ Package['ekeyd-egd-linux'] ], - ; - } - - exec { - "restart_ekeyd-egd-linux": - command => "true && cd / && env -i /etc/init.d/ekeyd-egd-linux restart", - require => [ File['/etc/default/ekeyd-egd-linux'] ], - refreshonly => true, - ; - } -} - -class entropykey::remote_consumer inherits entropykey::local_consumer { - include "stunnel4" - stunnel4::stunnel_client { - "ekeyd": - accept => "127.0.0.1:8888", - connecthost => "${entropy_provider}", - connectport => 18888, - ; - } -} - class entropykey { - case getfromhash($nodeinfo, 'entropy_key') { - true: { include entropykey::provider } - } - $entropy_provider = entropy_provider($fqdn, $nodeinfo) - case $entropy_provider { - false: {} - local: { include entropykey::local_consumer } - default: { include entropykey::remote_consumer } - } + if getfromhash($site::nodeinfo, 'entropy_key') { + include 
entropykey::provider + } + + $entropy_provider = entropy_provider($::fqdn, $site::nodeinfo) + case $entropy_provider { + false: {} + local: { include entropykey::local_consumer } + default: { + class { 'entropykey::remote_consumer': + entropy_provider => $entropy_provider, + } + } + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/entropykey/manifests/local_consumer.pp b/modules/entropykey/manifests/local_consumer.pp new file mode 100644 index 00000000..ecfe24c2 --- /dev/null +++ b/modules/entropykey/manifests/local_consumer.pp @@ -0,0 +1,14 @@ +class entropykey::local_consumer { + + package { 'ekeyd-egd-linux': ensure => installed } + + file { '/etc/default/ekeyd-egd-linux': + source => 'puppet:///modules/entropykey/ekeyd-egd-linux', + notify => Service['ekeyd-egd-linux'], + require => Package['ekeyd-egd-linux'], + } + + service { 'ekeyd-egd-linux': + require => File['/etc/default/ekeyd-egd-linux'], + } +} diff --git a/modules/entropykey/manifests/provider.pp b/modules/entropykey/manifests/provider.pp new file mode 100644 index 00000000..99148102 --- /dev/null +++ b/modules/entropykey/manifests/provider.pp @@ -0,0 +1,27 @@ +class entropykey::provider { + + package { 'ekeyd': ensure => installed } + + file { '/etc/entropykey/ekeyd.conf': + source => 'puppet:///modules/entropykey/ekeyd.conf', + notify => Service['ekeyd'], + require => Package['ekeyd'], + } + + # our CRL expires after a while (2 or 4 weeks?), so we have + # to restart stunnel so it loads the new CRL. + file { '/etc/cron.weekly/stunnel-ekey-restart': + content => '#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n', + mode => '0555', + } + + service { 'ekeyd': + ensure => running, + require => File['/etc/entropykey/ekeyd.conf'], + } + + stunnel4::stunnel_server { 'ekeyd': + accept => 18888, + connect => '127.0.0.1:8888', + } +} 
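Review bot: `service { 'ekeyd-egd-linux': require => File['/etc/default/ekeyd-egd-linux'] }` in entropykey::local_consumer has no `ensure`, so the resource only acts as a refresh target and Puppet never starts the daemon if it is stopped; the provider class in this same commit uses `ensure => running` for `ekeyd`, and the consumer should match: `service { 'ekeyd-egd-linux': ensure => running, require => File['/etc/default/ekeyd-egd-linux'] }`. The service also does not require `Package['ekeyd-egd-linux']`, which the file resource gives it only indirectly.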
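Review bot: The cron.weekly script in entropykey::provider is now a single-quoted string, `content => '#!/bin/sh\n# This file is under puppet control\nenv -i ...\n'`, and Puppet single quotes do not translate `\n`, so the file is written as one line starting with `#` — the `env -i /etc/init.d/stunnel4 restart puppet-ekeyd` command becomes part of a shell comment and never runs. Per the comment above it, that weekly restart is what makes stunnel load the fresh CRL, so after this change a revoked entropy-key client certificate keeps being accepted once the CRL rolls over; restore the double-quoted form from the removed lines, `content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n"`. The `include "stunnel4"` that preceded `stunnel4::stunnel_server` was also dropped; the define autoloads, but whatever the stunnel4 class installs and configures is no longer guaranteed on providers unless it is included elsewhere.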
diff --git a/modules/entropykey/manifests/remote_consumer.pp b/modules/entropykey/manifests/remote_consumer.pp
new file mode 100644
index 00000000..20d14774
--- /dev/null
+++ b/modules/entropykey/manifests/remote_consumer.pp
@@ -0,0 +1,8 @@
+class entropykey::remote_consumer ($entropy_provider) inherits entropykey::local_consumer {
+
+ stunnel4::stunnel_client { 'ekeyd':
+ accept => '127.0.0.1:8888',
+ connecthost => $entropy_provider,
+ connectport => 18888,
+ }
+}
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index a448d2ae..e18f0aab 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
@@ -1,190 +1,148 @@
 class exim {
- activate_munin_check {
- "ps_exim4": script => "ps_";
- "exim_mailqueue":;
- "exim_mailstats":;
- "postfix_mailqueue": ensure => absent;
- "postfix_mailstats": ensure => absent;
- "postfix_mailvolume": ensure => absent;
- }
+ munin::check { 'ps_exim4': script => 'ps_' }
+ munin::check { 'exim_mailqueue': }
+ munin::check { 'exim_mailstats': }
- package { exim4-daemon-heavy: ensure => installed }
+ munin::check { 'postfix_mailqueue': ensure => absent }
+ munin::check { 'postfix_mailstats': ensure => absent }
+ munin::check { 'postfix_mailvolume': ensure => absent }
- file {
- "/etc/exim4/":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- purge => true
- ;
- "/etc/exim4/Git":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/exim4/conf.d":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/exim4/ssl":
- ensure => directory,
- owner => root,
- group => Debian-exim,
- mode => 750,
- require => Package["exim4-daemon-heavy"],
- purge => true
- ;
- "/etc/mailname":
- content => template("exim/mailname.erb"),
- ;
- "/etc/exim4/exim4.conf":
- content => template("exim/eximconf.erb"),
- require => Package["exim4-daemon-heavy"],
- notify => Exec["exim4 reload"]
- ;
- "/etc/exim4/manualroute":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/manualroute.erb")
- ;
- "/etc/exim4/host_blacklist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/host_blacklist",
- "puppet:///modules/exim/common/host_blacklist" ]
- ;
- "/etc/exim4/blacklist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/blacklist",
- "puppet:///modules/exim/common/blacklist" ]
- ;
- "/etc/exim4/callout_users":
- require => Package["exim4-daemon-heavy"],
- source => [
"puppet:///modules/exim/per-host/$fqdn/callout_users", - "puppet:///modules/exim/common/callout_users" ] - ; - "/etc/exim4/grey_users": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/grey_users", - "puppet:///modules/exim/common/grey_users" ] - ; - "/etc/exim4/helo-check": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/helo-check", - "puppet:///modules/exim/common/helo-check" ] - ; - "/etc/exim4/locals": - require => Package["exim4-daemon-heavy"], - content => template("exim/locals.erb") - ; - "/etc/exim4/localusers": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/localusers", - "puppet:///modules/exim/common/localusers" ] - ; - "/etc/exim4/rbllist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/rbllist", - "puppet:///modules/exim/common/rbllist" ] - ; - "/etc/exim4/rhsbllist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/rhsbllist", - "puppet:///modules/exim/common/rhsbllist" ] - ; - "/etc/exim4/virtualdomains": - require => Package["exim4-daemon-heavy"], - content => template("exim/virtualdomains.erb") - ; - "/etc/exim4/whitelist": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/whitelist", - "puppet:///modules/exim/common/whitelist" ] - ; - "/etc/exim4/submission-domains": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/submission-domains", - "puppet:///modules/exim/common/submission-domains" ] - ; - "/etc/logrotate.d/exim4-base": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-base", - "puppet:///modules/exim/common/logrotate-exim4-base" ] - ; - "/etc/logrotate.d/exim4-paniclog": - require => Package["exim4-daemon-heavy"], - source => [ 
"puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-paniclog", - "puppet:///modules/exim/common/logrotate-exim4-paniclog" ] - ; - "/etc/exim4/ssl/thishost.crt": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/$fqdn.crt", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/thishost.key": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/$fqdn.key", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/ca.crt": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/ca.crt", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/etc/exim4/ssl/ca.crl": - require => Package["exim4-daemon-heavy"], - source => "puppet:///modules/exim/certs/ca.crl", - owner => root, - group => Debian-exim, - mode => 640 - ; - "/var/log/exim4": - mode => 2750, - ensure => directory, - owner => Debian-exim, - group => maillog - ; - } + package { 'exim4-daemon-heavy': ensure => installed } - exec { "exim4 reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + service { 'exim4': + ensure => running, + require => File['/etc/exim4/exim4.conf'], + } - case getfromhash($nodeinfo, 'mail_port') { - /^(\d+)$/: { $mail_port = $1 } - default: { $mail_port = 'smtp' } - } + file { '/etc/exim4/': + ensure => directory, + mode => '0755', + require => Package['exim4-daemon-heavy'], + purge => true, + } + file { '/etc/exim4/Git': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/exim4/conf.d': + ensure => directory, + purge => true, + force => true, + recurse => true, + source => 'puppet:///files/empty/', + } + file { '/etc/exim4/ssl': + ensure => directory, + group => Debian-exim, + mode => '0750', + purge => true, + } + file { '/etc/exim4/exim4.conf': + content => template('exim/eximconf.erb'), + notify => Service['exim4'], + 
}
+ file { '/etc/mailname':
+ content => template('exim/mailname.erb'),
+ }
+ file { '/etc/exim4/manualroute':
+ content => template('exim/manualroute.erb')
+ }
+ file { '/etc/exim4/locals':
+ content => template('exim/locals.erb')
+ }
+ file { '/etc/exim4/virtualdomains':
+ content => template('exim/virtualdomains.erb'),
+ }
+ file { '/etc/exim4/submission-domains':
+ content => template('exim/common/submission-domains.erb'),
+ }
+ file { '/etc/exim4/host_blacklist':
+ source => 'puppet:///modules/exim/common/host_blacklist',
+ }
+ file { '/etc/exim4/blacklist':
+ source => 'puppet:///modules/exim/common/blacklist',
+ }
+ file { '/etc/exim4/callout_users':
+ source => 'puppet:///modules/exim/common/callout_users',
+ }
+ file { '/etc/exim4/grey_users':
+ source => 'puppet:///modules/exim/common/grey_users',
+ }
+ file { '/etc/exim4/helo-check':
+ source => 'puppet:///modules/exim/common/helo-check',
+ }
+ file { '/etc/exim4/localusers':
+ source => 'puppet:///modules/exim/common/localusers',
+ }
+ file { '/etc/exim4/rbllist':
+ source => 'puppet:///modules/exim/common/rbllist',
+ }
+ file { '/etc/exim4/rhsbllist':
+ source => 'puppet:///modules/exim/common/rhsbllist',
+ }
+ file { '/etc/exim4/whitelist':
+ source => 'puppet:///modules/exim/common/whitelist',
+ }
+ file { '/etc/logrotate.d/exim4-base':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-base',
+ }
+ file { '/etc/logrotate.d/exim4-paniclog':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
+ }
+ file { '/etc/exim4/ssl/thishost.crt':
+ source => "puppet:///modules/exim/certs/${::fqdn}.crt",
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/thishost.key':
+ source => "puppet:///modules/exim/certs/${::fqdn}.key",
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crt':
+ source => 'puppet:///modules/exim/certs/ca.crt',
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crl':
+ source =>
'puppet:///modules/exim/certs/ca.crl',
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/var/log/exim4':
+ ensure => directory,
+ mode => '2750',
+ owner => Debian-exim,
+ group => maillog,
+ }
+
+ case getfromhash($site::nodeinfo, 'mail_port') {
+ /^(\d+)$/: { $mail_port = $1 }
+ default: { $mail_port = 'smtp' }
+ }
+
+ @ferm::rule { 'dsa-exim':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)'
+ }
+
+ @ferm::rule { 'dsa-exim-v6':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)'
+ }
+
+ # Do we actually want this? I'm only doing it because it's harmless
+ # and makes the logs quiet. There are better ways of making logs quiet,
+ # though.
+ @ferm::rule { 'dsa-ident':
+ domain => '(ip ip6)',
+ description => 'Allow ident access',
+ rule => '&SERVICE(tcp, 113)'
+ }
- @ferm::rule { "dsa-exim":
- description => "Allow SMTP",
- rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
- }
- @ferm::rule { "dsa-exim-v6":
- description => "Allow SMTP",
- domain => "ip6",
- rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
- }
- # Do we actually want this? I'm only doing it because it's harmless
- # and makes the logs quiet. There are better ways of making logs quiet,
- # though.
- @ferm::rule { "dsa-ident":
- domain => "(ip ip6)",
- description => "Allow ident access",
- rule => "&SERVICE(tcp, 113)"
- }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index 8a81592e..c1b4fdbc 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
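Review bot: The two SMTP firewall rules were moved to single-quoted strings, where `$mail_port` is no longer interpolated and `\$` is no longer an escape (single-quoted Puppet strings only honour `\\` and `\'`), so ferm is handed `&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)` verbatim and will refuse the rule file; whether the host then keeps stale rules or none depends on the init script, but the intended SMTP allow-list is not applied. Keep double quotes for the interpolated rules: `rule => "&SERVICE_RANGE(tcp, ${mail_port}, \$SMTP_SOURCES)"` and `rule => "&SERVICE_RANGE(tcp, ${mail_port}, \$SMTP_V6_SOURCES)"`. `/etc/exim4/submission-domains` also renders `template('exim/common/submission-domains.erb')`, but the template this commit adds is `modules/exim/templates/submission-domains.erb`, so the path should be `template('exim/submission-domains.erb')` or the catalog fails on every exim host. Dropping the `per-host/${fqdn}/...` source alternatives for the list files is only safe if no such per-host override exists in the module's files tree; that is not visible here and is worth checking before merge.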
@@ -1,37 +1,26 @@
 class exim::mx inherits exim {
- include clamav
- include postgrey
+ include clamav
+ include postgrey
- file {
- "/etc/exim4/ccTLD.txt":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/common/ccTLD.txt" ]
- ;
- "/etc/exim4/surbl_whitelist.txt":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/common/surbl_whitelist.txt" ]
- ;
- "/etc/exim4/exim_surbl.pl":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/common/exim_surbl.pl" ],
- notify => Exec["exim4 restart"]
- ;
- }
- exec { "exim4 restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-exim-submission":
- description => "Allow SMTP",
- rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"
- }
- @ferm::rule { "dsa-exim-v6-submission":
- description => "Allow SMTP",
- domain => "ip6",
- rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)"
- }
-}
+ file { '/etc/exim4/ccTLD.txt':
+ source => 'puppet:///modules/exim/common/ccTLD.txt',
+ }
+ file { '/etc/exim4/surbl_whitelist.txt':
+ source => 'puppet:///modules/exim/common/surbl_whitelist.txt',
+ }
+ file { '/etc/exim4/exim_surbl.pl':
+ source => 'puppet:///modules/exim/common/exim_surbl.pl',
+ notify => Service['exim4'],
+ }
+
+ @ferm::rule { 'dsa-exim-submission':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)'
+ }
+ @ferm::rule { 'dsa-exim-v6-submission':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)',
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+}
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 575ad0c5..9877917b 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
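Review bot: Both submission rules keep `\$SMTP_SOURCES` / `\$SMTP_V6_SOURCES` but are now single-quoted, and in single-quoted Puppet strings the backslash before `$` is kept literally, so ferm receives `\$SMTP_SOURCES` and rejects the file. Since a bare `$` is already literal in single quotes, drop the backslashes: `rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)'` and `rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)'`.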
@@ -32,7 +32,7 @@ # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted # bsmtp_domains - Domains that we deliver locally via bsmtp -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> # mailhubdomains - Domains for which we are the MX, but the mail is relayed # elsewhere. This is designed for use with small volume or # restricted machines that need to use a smarthost for mail @@ -76,7 +76,7 @@ # MAIN CONFIGURATION SETTINGS # ###################################################################### -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> perl_startup = do '/etc/exim4/exim_surbl.pl' <%- end -%> @@ -87,7 +87,7 @@ perl_startup = do '/etc/exim4/exim_surbl.pl' acl_smtp_helo = check_helo acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}} acl_smtp_data = check_message -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> acl_smtp_mime = acl_check_mime <%- end -%> acl_smtp_predata = acl_check_predata @@ -121,9 +121,9 @@ localpartlist postmasterish = postmaster : abuse : hostmaster hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts ; 89.16.166.49 ; 82.195.75.76 ; 2001:41b8:202:deb:bab5:0:52c3:4b4c -hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %> +hostlist reservedaddrs = <%= scope.lookupvar('site::nodeinfo')['reservedaddrs'] %> -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. domainlist mailhubdomains = lsearch;/etc/exim4/manualroute 
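Review bot: Every `nodeinfo` use across this template now becomes its own `scope.lookupvar('site::nodeinfo')` call, which makes the conditionals hard to read and repeats the variable name in dozens of places where a typo would only surface at catalog time; resolving it once near the top of the template, `<%- nodeinfo = scope.lookupvar('site::nodeinfo') -%>`, would let every hunk below keep its original, shorter form. As far as I recall, `lookupvar` in Puppet 2.x returns the symbol `:undefined` rather than `nil` for an unset variable, so `['mailrelay']` on the result raises instead of evaluating false; given how many ACL branches hang off these flags, a one-line guard after the lookup is worth it.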
@@ -169,7 +169,7 @@ timeout_frozen_after=14d message_size_limit = 100M message_logs = false smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}} -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 @@ -188,7 +188,7 @@ check_spool_space = 20M delay_warning = -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> message_body_visible = 5000 queue_run_max = 50 deliver_queue_load_max = 50 @@ -210,16 +210,16 @@ ports = [] out = "daemon_smtp_ports = " ports << 25 -if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] +if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] ports << 587 end -if not nodeinfo['mail_port'].to_s.empty? - ports << nodeinfo['mail_port'] +if not scope.lookupvar('site::nodeinfo')['mail_port'].to_s.empty? + ports << scope.lookupvar('site::nodeinfo')['mail_port'] end -if nodeinfo['mailrelay'] - ports << nodeinfo['smarthost_port'] +if scope.lookupvar('site::nodeinfo')['mailrelay'] + ports << scope.lookupvar('site::nodeinfo')['smarthost_port'] end out += ports.uniq.sort.join(" : ") @@ -289,7 +289,7 @@ acl_getprofile: hosts = !+debianhosts set acl_m_rprf = localonly -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> warn local_parts = +local_only_users domains = +mailhubdomains hosts = !+debianhosts 
@@ -298,28 +298,28 @@ acl_getprofile: <%- end -%> accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> warn domains = rt.debian.org set acl_m_rprf = RTMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if nodeinfo['bugsmx'] -%> +<%- if scope.lookupvar('site::nodeinfo')['bugsmx'] -%> warn domains = bugs.debian.org set acl_m_rprf = BugsMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> warn domains = packages.debian.org set acl_m_rprf = PackagesMail accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} <%- end -%> -<%- if nodeinfo['packagesqamaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%> warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org set acl_m_rprf = PTSOwner @@ -391,11 +391,11 @@ check_helo: warn set acl_c_scr = 0 -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept verify = certificate <%- end -%> -<%- if nodeinfo['smarthost'].empty? -%> +<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%> # These are in HELO acl so that they are only run once. They increment a counter, # so we don't want it to increment per rcpt to. @@ -487,7 +487,7 @@ check_submission: # We do this by testing for an empty sending host field. accept hosts = +debianhosts -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept verify = certificate <%- end -%> @@ -508,7 +508,7 @@ check_submission: endpass verify = recipient -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept domains = +mailhubdomains endpass verify = recipient/callout=30s,defer_ok,use_sender,no_cache 
@@ -523,7 +523,7 @@ check_submission: #!!# ACL that is used after the RCPT command check_recipient: -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept verify = certificate <%- end -%> @@ -636,7 +636,7 @@ check_recipient: warn condition = ${if eq{$acl_m_prf}{localonly}} set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> warn condition = ${if eq {$acl_m_prf}{PackagesMail}} condition = ${if eq {$sender_address}{$local_part@$domain}} message = X-Packages-FromTo-Same: yes @@ -714,7 +714,7 @@ check_recipient: condition = ${if eq{$acl_m_act}{450}{yes}{no}} <%- end -%> -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> warn condition = ${if eq{$acl_m_prf}{RTMail}} set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}{match{$local_part}{3520}}{match{$local_part}{3645}}} {RTMailRecipientHasSubaddress}}}} # temporary hack because weasel screwed up and gave people an rt-3520@ address, which doesn't really work normally. and rt-3645 @@ -805,7 +805,7 @@ check_recipient: senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}} message = We have blacklisted <$sender_address>. Please stop mailing us -<%- if nodeinfo['smarthost'].empty? -%> +<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%> deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ 
@@ -825,7 +825,7 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST -<%- if nodeinfo['smarthost'].empty? -%> +<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%> deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\ @@ -836,7 +836,7 @@ check_recipient: !verify = sender/callout=90s,maxwait=300s <%- end -%> -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> accept domains = +mailhubdomains endpass verify = recipient/callout=30s,defer_ok,use_sender,no_cache @@ -852,7 +852,7 @@ check_recipient: deny message = relay not permitted -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> acl_check_mime: accept verify = certificate @@ -895,7 +895,7 @@ check_message: # header. Take their crack pipe away. drop condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}} -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> deny condition = ${if eq {$acl_m_prf}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ @@ -903,7 +903,7 @@ check_message: message = messages to the Request Tracker system require a subject tag or a subaddress <%- end -%> -<%- if nodeinfo['packagesqamaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%> deny !hosts = +debianhosts : 217.196.43.134 condition = ${if eq {$acl_m_prf}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} 
@@ -961,7 +961,7 @@ check_message: message = X-malware detected: $malware_name <%- end -%> -<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%> +<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%> discard condition = ${if <{$message_size}{256000}} condition = ${if eq {$acl_m_prf}{blackhole}} set acl_m_srb = ${perl{surblspamcheck}} @@ -988,7 +988,7 @@ check_message: !verify = header_sender message = No valid sender found in the From:, Sender: and Reply-to: headers -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> deny message = Congratulations, you scored $spam_score points. log_message = spam: $spam_score points. condition = ${if eq {$acl_m_prf}{PackagesMail}} @@ -1036,7 +1036,7 @@ begin routers # An address is passed to each in turn until it is accepted. # ###################################################################### -<%- if nodeinfo['mailrelay'] -%> +<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%> relay_manualroute: driver = manualroute domains = +mailhubdomains @@ -1067,15 +1067,15 @@ ipliteral: <%= out = "" -if not nodeinfo['smarthost'].empty? +if not scope.lookupvar('site::nodeinfo')['smarthost'].empty? out = ' smarthost: debug_print = "R: smarthost for $local_part@$domain" driver = manualroute domains = !+handled_domains transport = remote_smtp_smarthost - route_list = * ' + nodeinfo['smarthost'] - if nodeinfo['smarthost'] == 'mailout.debian.org' + route_list = * ' + scope.lookupvar('site::nodeinfo')['smarthost'] + if scope.lookupvar('site::nodeinfo')['smarthost'] == 'mailout.debian.org' out += '/MX' end out += ' 
@@ -1310,7 +1310,7 @@ localuser: # Everything before here should apply only to the local domains with a # domains= rule -<%- if nodeinfo['packagesmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%> # This router delivers for packages.d.o packages: debug_print = "R: packages for $local_part@$domain" @@ -1328,7 +1328,7 @@ packages: no_more <%- end -%> -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> # This router delivers for rt.d.o rt_force_new_verbose: debug_print = "R: rt for $local_part+new@$domain" @@ -1452,9 +1452,9 @@ virt_users: <%= out = "" -if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] +if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] domain = 'bugs.debian.org' - if nodeinfo['bugsmaster'] + if scope.lookupvar('site::nodeinfo')['bugsmaster'] domain = 'bugs-master.debian.org' end out = ' @@ -1573,17 +1573,17 @@ remote_smtp: <%= out = "" -if not nodeinfo['smarthost'].empty? +if not scope.lookupvar('site::nodeinfo')['smarthost'].empty? out = ' remote_smtp_smarthost: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp delay_after_cutoff = false port = ' - out += nodeinfo['smarthost_port'].to_s + "\n" + out += scope.lookupvar('site::nodeinfo')['smarthost_port'].to_s + "\n" if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" out += ' tls_tempfail_tryclear = false - hosts_require_tls = ' + nodeinfo['smarthost'] + ' + hosts_require_tls = ' + scope.lookupvar('site::nodeinfo')['smarthost'] + ' tls_certificate = /etc/exim4/ssl/thishost.crt tls_privatekey = /etc/exim4/ssl/thishost.key ' @@ -1610,7 +1610,7 @@ bsmtp: {$value}fail}\ }} -<%- if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] -%> +<%- if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] -%> bugs_pipe: driver = pipe command = /org/bugs.debian.org/mail/run-procmail 
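Review bot: In the `remote_smtp_smarthost` transport the `nodeinfo` lookups are converted, but the unchanged line just above them, `if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"`, still reads a bare, dynamically scoped template variable; that is the same class of lookup this commit removes everywhere else, and it is the one that decides whether `hosts_require_tls` and the client certificate are emitted for the smarthost. Converting it in the same pass — for example `if scope.lookupvar('exim_ssl_certs') == "true"`, with whatever qualified name the variable actually has — avoids it quietly evaluating false once dynamic scoping goes away. The surrounding Ruby block starts before this hunk.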
@@ -1623,7 +1623,7 @@ bugs_pipe: user = debbugs <%- end -%> -<%- if nodeinfo['rtmaster'] -%> +<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%> rt_pipe: debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain" driver = pipe diff --git a/modules/exim/templates/manualroute.erb b/modules/exim/templates/manualroute.erb index 40062d8d..0e57849a 100644 --- a/modules/exim/templates/manualroute.erb +++ b/modules/exim/templates/manualroute.erb @@ -12,20 +12,20 @@ mxmatches = [ fqdn ] routes = [] extraroutes = [] -if nodeinfo['mailrelay'] +if scope.lookupvar('site::nodeinfo')['mailrelay'] mxmatches << 'mailout.debian.org' extraroutes = [ "keyring.debian.org:\t\tkaufmann.debian.org" ] end mxregex = Regexp.new('^\d+\s+(.*)\.$') -allnodeinfo.keys.sort.each do |host| - next unless allnodeinfo[host]['mXRecord'] - allnodeinfo[host]['mXRecord'].each do |mx| +scope.lookupvar('site::allnodeinfo').keys.sort.each do |host| + next unless scope.lookupvar('site::allnodeinfo')[host]['mXRecord'] + scope.lookupvar('site::allnodeinfo')[host]['mXRecord'].each do |mx| mxmatch = mxregex.match(mx) if mxmatches.include?(mxmatch[1]) route = host + ":\t\t" + host - if localinfo.has_key?(host) and localinfo[host].has_key?('mail_port') and localinfo[host]['mail_port'].to_s != '' - route += "::" + localinfo[host]['mail_port'].to_s + if scope.lookupvar('site::localinfo').has_key?(host) and scope.lookupvar('site::localinfo')[host].has_key?('mail_port') and scope.lookupvar('site::localinfo')[host]['mail_port'].to_s != '' + route += "::" + scope.lookupvar('site::localinfo')[host]['mail_port'].to_s end routes << route end diff --git a/modules/exim/templates/submission-domains.erb b/modules/exim/templates/submission-domains.erb new file mode 100644 index 00000000..4759822d --- /dev/null +++ b/modules/exim/templates/submission-domains.erb 
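Review bot: The loop in `manualroute.erb` now calls `scope.lookupvar('site::allnodeinfo')` on every iteration and `scope.lookupvar('site::localinfo')` up to three times per host; binding them once before the loop, `allnodeinfo = scope.lookupvar('site::allnodeinfo')` and `localinfo = scope.lookupvar('site::localinfo')`, leaves the old loop body intact and avoids the repeated scope walks. The unchanged `mxmatch = mxregex.match(mx)` is still indexed without a nil check on the following line, so any `mXRecord` value that does not match `^\d+\s+(.*)\.$` aborts rendering of the whole routing table; that predates this commit, but `next unless mxmatch` is cheap to add while the loop is being touched.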
@@ -0,0 +1,8 @@
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+###
+
+<%= if scope.lookupvar('::hostname') == 'busoni' %>
+bugs.debian.org
+<%= end %>
diff --git a/modules/ferm/manifests/ftp.pp b/modules/ferm/manifests/ftp.pp
index 7c666a1f..51d79fb8 100644
--- a/modules/ferm/manifests/ftp.pp
+++ b/modules/ferm/manifests/ftp.pp
@@ -1,7 +1,7 @@
 class ferm::ftp {
- @ferm::rule { "dsa-ftp":
- domain => "(ip ip6)",
- description => "Allow ftp access",
- rule => "&SERVICE(tcp, 21)"
- }
+ @ferm::rule { 'dsa-ftp':
+ domain => '(ip ip6)',
+ description => 'Allow ftp access',
+ rule => '&SERVICE(tcp, 21)',
+ }
 }
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 2850c4a9..4332dad7 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
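Review bot: `<%= if scope.lookupvar('::hostname') == 'busoni' %>` and `<%= end %>` use ERB output tags for control flow; ERB compiles `<%= expr %>` to `_erbout.concat((expr).to_s)`, so the `if` is left unterminated inside parentheses and the `end` stands alone, which is a Ruby syntax error and the template never renders. Use the non-printing tags: `<%- if scope.lookupvar('::hostname') == 'busoni' -%>` and `<%- end -%>`. Keying on the hostname `busoni` also diverges from the `site::nodeinfo` flags (`bugsmx`, `bugsmaster`) that eximconf.erb uses for the bugs.debian.org decisions; if the same mapping is intended, `<%- if scope.lookupvar('site::nodeinfo')['bugsmx'] -%>` keeps the submission-domain list and the ACLs in step.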
@@ -1,117 +1,77 @@
 class ferm {
- define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00", $notarule=false) {
- file {
- "/etc/ferm/dsa.d/${prio}_${name}":
- ensure => present,
- owner => root,
- group => root,
- mode => 0400,
- content => template("ferm/ferm-rule.erb"),
- notify => Exec["ferm restart"],
- }
- }
+ # realize (i.e. enable) all @ferm::rule virtual resources
+ Ferm::Rule <| |>
- # realize (i.e. enable) all @ferm::rule virtual resources
- Ferm::Rule <| |>
+ File { mode => '0400' }
- package {
- ferm: ensure => installed;
- ulogd: ensure => installed;
- }
+ package { 'ferm':
+ ensure => installed
+ }
+ package { 'ulogd':
+ ensure => installed
+ }
- file {
- "/etc/ferm/dsa.d":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/",
- notify => Exec["ferm restart"],
- require => Package["ferm"];
- "/etc/ferm":
- ensure => directory,
- mode => 0755;
- "/etc/ferm/conf.d":
- ensure => directory,
- require => Package["ferm"];
- "/etc/default/ferm":
- source => "puppet:///modules/ferm/ferm.default",
- require => Package["ferm"],
- notify => Exec["ferm restart"];
- "/etc/ferm/ferm.conf":
- source => "puppet:///modules/ferm/ferm.conf",
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/me.conf":
- content => template("ferm/me.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/defs.conf":
- content => template("ferm/defs.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/interfaces.conf":
- content => template("ferm/interfaces.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/logrotate.d/ulogd":
- source => "puppet:///modules/ferm/logrotate-ulogd",
- require => Package["debian.org"],
- ;
- }
+ service { 'ferm':
+ hasstatus => false,
+ status =>
'/bin/true',
+ refreshonly => true,
+ }
- $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
+ $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
- activate_munin_check {
- $munin_ips: script => "ip_";
- }
+ munin::check { $munin_ips: script => 'ip_', }
- define munin_ipv6_plugin() {
- file {
- "/etc/munin/plugins/$name":
- content => "#!/bin/bash\n# This file is under puppet control\n. /usr/share/munin/plugins/ip_\n",
- mode => 555,
- notify => Exec["munin-node restart"],
- ;
- }
- }
- case $v6ips {
- 'no': {}
- default: {
- $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
- munin_ipv6_plugin {
- $munin6_ips: ;
- }
- # get rid of old stuff
- $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
- activate_munin_check {
- $munin6_ip6s: ensure => absent;
- }
- }
- }
+ if $v6ips {
+ $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
+ munin::check { $munin6_ips: script => 'ip_', }
+ }
+ # get rid of old stuff
+ $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
+ munin::check { $munin6_ip6s: ensure => absent }
- case getfromhash($nodeinfo, 'buildd') {
- true: {
- file {
- "/etc/ferm/conf.d/load_ftp_conntrack.conf":
- source => "puppet:///modules/ferm/conntrack_ftp.conf",
- require => Package["ferm"],
- notify => Exec["ferm restart"];
- }
- }
- }
+ file { '/etc/ferm':
+ ensure => directory,
+ notify => Service['ferm'],
+ require => Package['ferm'],
+ mode => '0755'
+ }
+ file { '/etc/ferm/dsa.d':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/ferm/conf.d':
+ ensure => directory,
+ }
+ file { '/etc/default/ferm':
+ source => 'puppet:///modules/ferm/ferm.default',
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ }
+ file { '/etc/ferm/ferm.conf':
+ source => 'puppet:///modules/ferm/ferm.conf',
+ }
+ file { '/etc/ferm/conf.d/me.conf':
+ content =>
template('ferm/me.conf.erb'),
+ }
+ file { '/etc/ferm/conf.d/defs.conf':
+ content => template('ferm/defs.conf.erb'),
+ }
+ file { '/etc/ferm/conf.d/interfaces.conf':
+ content => template('ferm/interfaces.conf.erb'),
+ }
+ file { '/etc/logrotate.d/ulogd':
+ source => 'puppet:///modules/ferm/logrotate-ulogd',
+ require => Package['debian.org'],
+ }
+
+ if getfromhash($site::nodeinfo, 'buildd') {
+ file { '/etc/ferm/conf.d/load_ftp_conntrack.conf':
+ source => 'puppet:///modules/ferm/conntrack_ftp.conf',
+ }
+ }
- exec {
- "ferm restart":
- command => "/etc/init.d/ferm restart",
- refreshonly => true,
- }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/ferm/manifests/nfs-server.pp b/modules/ferm/manifests/nfs-server.pp
deleted file mode 100644
index 8fc4f1a3..00000000
--- a/modules/ferm/manifests/nfs-server.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-class ferm::nfs-server {
- @ferm::rule { "dsa-portmap":
- domain => "(ip ip6)",
- description => "Allow portmap access",
- rule => "&TCP_UDP_SERVICE(111)"
- }
- @ferm::rule { "dsa-nfs":
- domain => "(ip ip6)",
- description => "Allow nfsd access",
- rule => "&TCP_UDP_SERVICE(2049)"
- }
- @ferm::rule { "dsa-status":
- domain => "(ip ip6)",
- description => "Allow statd access",
- rule => "&TCP_UDP_SERVICE(10000)"
- }
- @ferm::rule { "dsa-mountd":
- domain => "(ip ip6)",
- description => "Allow mountd access",
- rule => "&TCP_UDP_SERVICE(10002)"
- }
- @ferm::rule { "dsa-lockd":
- domain => "(ip ip6)",
- description => "Allow lockd access",
- rule => "&TCP_UDP_SERVICE(10003)"
- }
-}
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 374da372..83e28947 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
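Review bot: `refreshonly => true` on `service { 'ferm': ... }` is not a parameter of the service type (it belongs to `exec`), so unless a custom type shadows it the catalog fails to compile for every host that includes `ferm`; drop it and rely on notify-driven restarts, e.g. `service { 'ferm': hasstatus => false, status => '/bin/true', hasrestart => true, }`. The rewrite also loses the `notify => Exec['ferm restart']` that `dsa.d`, `ferm.conf`, `me.conf`, `defs.conf`, `interfaces.conf` and `load_ftp_conntrack.conf` used to carry — only `/etc/ferm` and `/etc/default/ferm` now notify `Service['ferm']` — so a changed rule or address list is written to disk but not loaded until something else restarts ferm, which is the wrong failure mode for a firewall; each of those resources needs `notify => Service['ferm']` back. Finally, `if $v6ips` replaces the old `case $v6ips { 'no': {} ... }`, and the string `'no'` is truthy, so unless the fact itself changed in this commit a host without v6 addresses now gets a bogus `ip_no` munin plugin.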
@@ -1,254 +1,244 @@ class ferm::per-host { - case $::hostname { - ancina,zandonai,zelenka: { - include ferm::zivit - } - } - - case $::hostname { - chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet: { - include ferm::ftp - } - } + if $::hostname in [ancina,zandonai,zelenka] { + include ferm::zivit + } - case $::hostname { - piatti,samosa: { - @ferm::rule { "dsa-udd-stunnel": - description => "port 8080 for udd stunnel", - rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))" - } - } - danzi: { - @ferm::rule { - "dsa-postgres-danzi": - description => "Allow postgress access", - rule => "&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))" - ; - "dsa-postgres2-danzi": - description => "Allow postgress access2", - rule => "&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))" - ; - "dsa-postgres3-danzi": - description => "Allow postgress access2", - rule => "&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))" - ; - } + if $::hostname in [chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet] { + include ferm::ftp + } - } - abel,alwyn,rietz: { - @ferm::rule { "dsa-tftp": - description => "Allow tftp access", - rule => "&SERVICE(udp, 69)" - } - } - paganini: { - @ferm::rule { "dsa-dhcp": - description => "Allow dhcp access", - rule => "&SERVICE(udp, 67)" - } - @ferm::rule { "dsa-tftp": - description => "Allow tftp access", - rule => "&SERVICE(udp, 69)" - } - } - handel: { - @ferm::rule { "dsa-puppet": - description => "Allow puppet access", - rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)" - } - @ferm::rule { "dsa-puppet-v6": - domain => 'ip6', - description => "Allow puppet access", - rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)" - } - } - powell: { - @ferm::rule { "dsa-powell-v6-tunnel": - description => "Allow powell to use V6 tunnel broker", - rule => "proto ipv6 saddr 
212.227.117.6 jump ACCEPT" - } - @ferm::rule { "dsa-powell-btseed": - domain => "(ip ip6)", - description => "Allow powell to seed BT", - rule => "proto tcp dport 8000:8100 jump ACCEPT" - } - } - heininen,lotti: { - @ferm::rule { "dsa-syslog": - description => "Allow syslog access", - rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)" - } - @ferm::rule { "dsa-syslog-v6": - domain => 'ip6', - description => "Allow syslog access", - rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)" - } - } - kaufmann: { - @ferm::rule { "dsa-hkp": - domain => "(ip ip6)", - description => "Allow hkp access", - rule => "&SERVICE(tcp, 11371)" - } - } - gombert: { - @ferm::rule { "dsa-infinoted": - domain => "(ip ip6)", - description => "Allow infinoted access", - rule => "&SERVICE(tcp, 6523)" - } - } - bendel,liszt: { - @ferm::rule { "smtp": - domain => "(ip ip6)", - description => "Allow smtp access", - rule => "&SERVICE(tcp, 25)" - } - } - draghi: { - #@ferm::rule { "dsa-bind": - # domain => "(ip ip6)", - # description => "Allow nameserver access", - # rule => "&TCP_UDP_SERVICE(53)" - #} - @ferm::rule { "dsa-finger": - domain => "(ip ip6)", - description => "Allow finger access", - rule => "&SERVICE(tcp, 79)" - } - @ferm::rule { "dsa-ldap": - domain => "(ip ip6)", - description => "Allow ldap access", - rule => "&SERVICE(tcp, 389)" - } - @ferm::rule { "dsa-ldaps": - domain => "(ip ip6)", - description => "Allow ldaps access", - rule => "&SERVICE(tcp, 636)" - } - } - cilea: { - file { - "/etc/ferm/conf.d/load_sip_conntrack.conf": - source => "puppet:///modules/ferm/conntrack_sip.conf", - require => Package["ferm"], - notify => Exec["ferm restart"]; - } - @ferm::rule { "dsa-sip": - domain => "(ip ip6)", - description => "Allow sip access", - rule => "&TCP_UDP_SERVICE(5060)" - } - @ferm::rule { "dsa-sipx": - domain => "(ip ip6)", - description => "Allow sipx access", - rule => "&TCP_UDP_SERVICE(5080)" - } - } - scelsi: { - @ferm::rule { "dc11-icecast": - domain => "(ip ip6)", - 
description => "Allow icecast access", - rule => "&SERVICE(tcp, 8000)" - } + case $::hostname { + piatti,samosa: { + @ferm::rule { 'dsa-udd-stunnel': + description => 'port 8080 for udd stunnel', + rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))' + } + } + danzi: { + @ferm::rule { 'dsa-postgres-danzi': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))' + } + @ferm::rule { 'dsa-postgres3-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))' + } + } + abel,alwyn,rietz: { + @ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE(udp, 69)' + } + } + paganini: { + @ferm::rule { 'dsa-dhcp': + description => 'Allow dhcp access', + rule => '&SERVICE(udp, 67)' + } + @ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE(udp, 69)' + } + } + handel: { + @ferm::rule { 'dsa-puppet': + description => 'Allow puppet access', + rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)' + } + @ferm::rule { 'dsa-puppet-v6': + domain => 'ip6', + description => 'Allow puppet access', + rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)' + } + } + powell: { + @ferm::rule { 'dsa-powell-v6-tunnel': + description => 'Allow powell to use V6 tunnel broker', + rule => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT' + } + @ferm::rule { 'dsa-powell-btseed': + domain => '(ip ip6)', + description => 'Allow powell to seed BT', + rule => 'proto tcp dport 8000:8100 jump ACCEPT' + } + } + heininen,lotti: { + @ferm::rule { 'dsa-syslog': + description => 'Allow syslog access', + rule => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)' + } + @ferm::rule { 'dsa-syslog-v6': + domain => 'ip6', + description => 'Allow syslog access', + rule => '&SERVICE_RANGE(tcp, 5140, 
\$HOST_DEBIAN_V6)' + } + } + kaufmann: { + @ferm::rule { 'dsa-hkp': + domain => '(ip ip6)', + description => 'Allow hkp access', + rule => '&SERVICE(tcp, 11371)' + } + } + gombert: { + @ferm::rule { 'dsa-infinoted': + domain => '(ip ip6)', + description => 'Allow infinoted access', + rule => '&SERVICE(tcp, 6523)' + } + } + bendel,liszt: { + @ferm::rule { 'smtp': + domain => '(ip ip6)', + description => 'Allow smtp access', + rule => '&SERVICE(tcp, 25)' + } + } + draghi: { + #@ferm::rule { 'dsa-bind': + # domain => '(ip ip6)', + # description => 'Allow nameserver access', + # rule => '&TCP_UDP_SERVICE(53)' + #} + @ferm::rule { 'dsa-finger': + domain => '(ip ip6)', + description => 'Allow finger access', + rule => '&SERVICE(tcp, 79)' + } + @ferm::rule { 'dsa-ldap': + domain => '(ip ip6)', + description => 'Allow ldap access', + rule => '&SERVICE(tcp, 389)' + } + @ferm::rule { 'dsa-ldaps': + domain => '(ip ip6)', + description => 'Allow ldaps access', + rule => '&SERVICE(tcp, 636)' + } + } + cilea: { + file { + '/etc/ferm/conf.d/load_sip_conntrack.conf': + source => 'puppet:///modules/ferm/conntrack_sip.conf', + require => Package['ferm'], + notify => Exec['ferm restart']; + } + @ferm::rule { 'dsa-sip': + domain => '(ip ip6)', + description => 'Allow sip access', + rule => '&TCP_UDP_SERVICE(5060)' + } + @ferm::rule { 'dsa-sipx': + domain => '(ip ip6)', + description => 'Allow sipx access', + rule => '&TCP_UDP_SERVICE(5080)' + } + } + scelsi: { + @ferm::rule { 'dc11-icecast': + domain => '(ip ip6)', + description => 'Allow icecast access', + rule => '&SERVICE(tcp, 8000)' + } + } + default: {} } - } - case $hostname { rautavaara,luchesi: { - @ferm::rule { "dsa-to-kfreebsd": - description => "Traffic routed to kfreebsd hosts", - chain => 'to-kfreebsd', - rule => 'proto icmp ACCEPT; - source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; - source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; - source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) 
proto tcp dport 4949 ACCEPT; - source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; - source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT - ' - } - @ferm::rule { "dsa-from-kfreebsd": - description => "Traffic routed from kfreebsd vlan/bridge", - chain => 'from-kfreebsd', - rule => 'proto icmp ACCEPT; - proto tcp dport (21 22 80 53 443) ACCEPT; - proto udp dport (53 123) ACCEPT; - proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost - proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost - proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host - proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT - ' - } - }} - case $hostname { - rautavaara: { - @ferm::rule { "dsa-routing": - description => "forward chain", - chain => "FORWARD", - rule => ' - def $ADDRESS_FASCH=194.177.211.201; - def $ADDRESS_FIELD=194.177.211.210; - def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD); + if $::hostname in [rautavaara,luchesi] { + @ferm::rule { 'dsa-to-kfreebsd': + description => 'Traffic routed to kfreebsd hosts', + chain => 'to-kfreebsd', + rule => 'proto icmp ACCEPT; +source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT; +source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT; +source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT; +source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT; +source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT +' + } + @ferm::rule { 'dsa-from-kfreebsd': + description => 'Traffic routed from kfreebsd vlan/bridge', + chain => 'from-kfreebsd', + rule => 'proto icmp ACCEPT; +proto tcp dport (21 22 80 53 443) ACCEPT; +proto udp dport (53 123) ACCEPT; +proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost +proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost +proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host +proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT +' + } + } + case $::hostname { + 
rautavaara: { + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'def $ADDRESS_FASCH=194.177.211.201; +def $ADDRESS_FIELD=194.177.211.210; +def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD); - policy ACCEPT; - mod state state (ESTABLISHED RELATED) ACCEPT; - interface vlan11 outerface eth0 jump from-kfreebsd; - interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; - ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited - ' - } - } - luchesi: { - @ferm::rule { "dsa-routing": - description => "forward chain", - chain => "FORWARD", - rule => ' - def $ADDRESS_FANO=206.12.19.110; - def $ADDRESS_FINZI=206.12.19.111; - def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI); +policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface vlan11 outerface eth0 jump from-kfreebsd; +interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; +ULOG ulog-prefix "REJECT FORWARD: "; +REJECT reject-with icmp-admin-prohibited +' + } + } + luchesi: { + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'def $ADDRESS_FANO=206.12.19.110; +def $ADDRESS_FINZI=206.12.19.111; +def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI); - policy ACCEPT; - mod state state (ESTABLISHED RELATED) ACCEPT; - interface br0 outerface br0 ACCEPT; +policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface br0 outerface br0 ACCEPT; - interface br2 outerface br0 jump from-kfreebsd; - interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; - ULOG ulog-prefix "REJECT FORWARD: "; - REJECT reject-with icmp-admin-prohibited - ' - } - } - } +interface br2 outerface br0 jump from-kfreebsd; +interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd; +ULOG ulog-prefix "REJECT FORWARD: "; +REJECT reject-with icmp-admin-prohibited +' + } + } + default: {} + } - # redirect snapshot into varnish - case $::hostname { - sibelius: { - @ferm::rule { "dsa-snapshot-varnish": - 
rule => '&SERVICE(tcp, 6081)',
- }
- @ferm::rule { "dsa-nat-snapshot-varnish":
- table => 'nat',
- chain => 'PREROUTING',
- rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
- }
- }
- stabile: {
- @ferm::rule { "dsa-snapshot-varnish":
- rule => '&SERVICE(tcp, 6081)',
- }
- @ferm::rule { "dsa-nat-snapshot-varnish":
- table => 'nat',
- chain => 'PREROUTING',
- rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
- }
- }
- }
+ # redirect snapshot into varnish
+ case $::hostname {
+ sibelius: {
+ @ferm::rule { 'dsa-snapshot-varnish':
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { 'dsa-nat-snapshot-varnish':
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ stabile: {
+ @ferm::rule { 'dsa-snapshot-varnish':
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { 'dsa-nat-snapshot-varnish':
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ default: {}
+ }
- if $::rsyncd == 'true' {
- include ferm::rsync
- }
+ if $::rsyncd == true {
+ include ferm::rsync
+ }
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/ferm/manifests/rsync.pp b/modules/ferm/manifests/rsync.pp
index 390bce2b..44feab65 100644
--- a/modules/ferm/manifests/rsync.pp
+++ b/modules/ferm/manifests/rsync.pp
@@ -1,8 +1,8 @@
 class ferm::rsync {
- @ferm::rule { "dsa-rsync":
- domain => "(ip ip6)",
- description => "Allow rsync access",
- rule => "&SERVICE(tcp, 873)"
- }
+ @ferm::rule { 'dsa-rsync':
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 873)'
+ }
 }
diff --git a/modules/ferm/manifests/rule.pp b/modules/ferm/manifests/rule.pp
new file mode 100644
index 00000000..7eef2a21
--- /dev/null
+++ b/modules/ferm/manifests/rule.pp
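Review bot: The `cilea` branch's `/etc/ferm/conf.d/load_sip_conntrack.conf` resource still carries `notify => Exec['ferm restart'];`, but this same commit removes the `exec { "ferm restart": ... }` from ferm's init.pp and moves every other notifier to `Service['ferm']`, so cilea's catalog should fail with a missing dependency on the next run. Change that line to `notify => Service['ferm'],` to match the buildd conntrack file in init.pp. Separately, `if $::rsyncd == true` replaces a comparison against the string `'true'`; if `rsyncd` still arrives as a plain string fact, string-vs-boolean `==` never matches and `ferm::rsync` is silently no longer included — worth checking against the fact before relying on it.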
@@ -0,0 +1,19 @@
+define ferm::rule(
+ $rule,
+ $domain='ip',
+ $table='filter',
+ $chain='INPUT',
+ $description='',
+ $prio='00',
+ $notarule=false
+) {
+ file {
+ "/etc/ferm/dsa.d/${prio}_${name}":
+ ensure => present,
+ mode => '0400',
+ content => template('ferm/ferm-rule.erb'),
+ notify => Service['ferm'],
+ }
+}
+
+
diff --git a/modules/ferm/manifests/zivit.pp b/modules/ferm/manifests/zivit.pp
index e392b3fe..b513a3b1 100644
--- a/modules/ferm/manifests/zivit.pp
+++ b/modules/ferm/manifests/zivit.pp
@@ -1,15 +1,15 @@
 class ferm::zivit {
- @ferm::rule { "dsa-zivit-rrdcollect":
- description => "port 6666 for rrdcollect for zivit",
- rule => "&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))"
- }
- @ferm::rule { "dsa-zivit-zabbix":
- description => "port 10050 for zabbix for zivit",
- rule => "&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))"
- }
- @ferm::rule { "dsa-time":
- description => "Allow time access",
- rule => "&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)"
- }
+ @ferm::rule { 'dsa-zivit-rrdcollect':
+ description => 'port 6666 for rrdcollect for zivit',
+ rule => '&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))'
+ }
+ @ferm::rule { 'dsa-zivit-zabbix':
+ description => 'port 10050 for zabbix for zivit',
+ rule => '&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))'
+ }
+ @ferm::rule { 'dsa-time':
+ description => 'Allow time access',
+ rule => '&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)'
+ }
 }
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index d46bee1e..3af87c48 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
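Review bot: `ferm::rule` has no header comment, and its contract is only discoverable by reading `ferm-rule.erb`: `$prio` becomes the filename prefix that orders fragments under `/etc/ferm/dsa.d`, `$name` is spliced into a path, and `$notarule` is not used in the manifest at all, so a caller cannot tell what it switches. A short comment above the define would do, e.g. `# Drop one ferm fragment as /etc/ferm/dsa.d/<prio>_<name>; fragments load in lexical order, so $prio sets precedence.` followed by `# $domain/$table/$chain place $rule; $notarule is interpreted by ferm-rule.erb (describe its effect there).` The mode `0400` with no owner/group is fine for a root-run agent but deserves a word too, since dsa.d is purged and recreated from these resources. The file also ends with two added blank lines.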
@@ -21,9 +21,9 @@ @def $HOST_MAILRELAY_V4 = (<%= mailrelay = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['mailrelay'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['mailrelay'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ mailrelay << ip end @@ -35,9 +35,9 @@ @def $HOST_MAILRELAY_V6 = (<%= mailrelay = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['mailrelay'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['mailrelay'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ mailrelay << ip end @@ -51,9 +51,9 @@ @def $HOST_NAGIOS_V4 = (<%= nagii = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ nagii << ip end @@ -65,9 +65,9 @@ @def $HOST_NAGIOS_V6 = (<%= nagii = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ nagii << ip end 
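Review bot: Every replacement in this hunk calls `scope.lookupvar('site::localinfo')` or `scope.lookupvar('site::allnodeinfo')` inside the loop body — up to three lookups per iteration in the `$HOST_NAGIOS_*` blocks — although the values are loop-invariant, and the long lines now bury the actual condition. Bind them once at the top of each `<%= ... %>` block, `localinfo = scope.lookupvar('site::localinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, and leave the loop bodies as they were. The same applies to the remaining hunks of this file (`@@ -35`, `@@ -51`, `@@ -65`, `@@ -81`, `@@ -95`, `@@ -111`, `@@ -125`, `@@ -141`, `@@ -154`) and to the me.conf.erb and motd.erb hunks further down.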
@@ -81,9 +81,9 @@ @def $HOST_MUNIN_V4 = (<%= munins = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['muninmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['muninmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ munins << ip end @@ -95,9 +95,9 @@ @def $HOST_MUNIN_V6 = (<%= munins = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['muninmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['muninmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ munins << ip end @@ -111,9 +111,9 @@ @def $HOST_DB_V6 = (<%= dbs = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['dbmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['dbmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ dbs << ip end @@ -125,9 +125,9 @@ @def $HOST_DB_V4 = (<%= dbs = [] - localinfo.keys.sort.each do |node| - if localinfo[node]['dbmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['dbmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ dbs << ip end 
@@ -141,9 +141,9 @@ @def $HOST_DEBIAN_V4 = (<%= dbs = [] - allnodeinfo.keys.sort.each do |node| - next unless allnodeinfo[node].has_key?('ipHostNumber') - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber') + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /:/ dbs << ip end @@ -154,9 +154,9 @@ @def $HOST_DEBIAN_V6 = (<%= dbs = [] - allnodeinfo.keys.sort.each do |node| - next unless allnodeinfo[node].has_key?('ipHostNumber') - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber') + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| next if ip =~ /\./ dbs << ip end diff --git a/modules/ferm/templates/interfaces.conf.erb b/modules/ferm/templates/interfaces.conf.erb index af6585a5..fbe96026 100644 --- a/modules/ferm/templates/interfaces.conf.erb +++ b/modules/ferm/templates/interfaces.conf.erb @@ -7,7 +7,7 @@ end %>); def $MUNIN6_IPS = (<%= begin - v6ips == 'no' ? '' : v6ips.split(',').join(' ') + v6ips == '' ? '' : v6ips.split(',').join(' ') rescue '' end diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index 7069f592..2e5e18e8 100644 --- a/modules/ferm/templates/me.conf.erb +++ b/modules/ferm/templates/me.conf.erb 
@@ -9,8 +9,8 @@ out = [] restricted_purposes = {'kvm host', 'central syslog server', 'puppet master', 'jumphost'} restrict_ssh = %w{lebrun logtest01 geo1 geo2 geo3 beethoven tchaikovsky schroeder rossini draghi} -if (nodeinfo['ldap'].has_key?('purpose')) then - nodeinfo['ldap']['purpose'].each do |purp| +if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) then + scope.lookupvar('site::nodeinfo')['ldap']['purpose'].each do |purp| if restricted_purposes.include?(purp) then restrict_ssh << hostname end @@ -49,7 +49,7 @@ out << "@def $SSH_V6_SOURCES = (#{ssh6allowed.join(' ')});" smtp4allowed = [] smtp6allowed = [] -if not nodeinfo['smarthost'].empty? +if not scope.lookupvar('site::nodeinfo')['smarthost'].empty? smtp4allowed << %w{$HOST_MAILRELAY_V4 $HOST_NAGIOS_V4} smtp6allowed << %w{$HOST_MAILRELAY_V6 $HOST_NAGIOS_V6} end diff --git a/modules/hardware/manifests/init.pp b/modules/hardware/manifests/init.pp new file mode 100644 index 00000000..bc5897e5 --- /dev/null +++ b/modules/hardware/manifests/init.pp @@ -0,0 +1,14 @@ +class hardware { + if $::smartarraycontroller { + include debian::proliant + } + + if $::productname == 'PowerEdge 2850' { + include megactl + } + + if $::mptraid { + include raidmpt + } + +} diff --git a/modules/hosts/manifests/init.pp b/modules/hosts/manifests/init.pp index cdd19017..47616af6 100644 --- a/modules/hosts/manifests/init.pp +++ b/modules/hosts/manifests/init.pp @@ -1,10 +1,5 @@ class hosts { - - file { - "/etc/hosts": content => template("hosts/etc-hosts.erb"); - } + file { '/etc/hosts': + content => template('hosts/etc-hosts.erb') + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/kfreebsd/manifests/init.pp b/modules/kfreebsd/manifests/init.pp index 00a7449c..8ccfe318 100644 --- a/modules/kfreebsd/manifests/init.pp +++ b/modules/kfreebsd/manifests/init.pp 
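Review bot: The context line `restricted_purposes = {'kvm host', 'central syslog server', 'puppet master', 'jumphost'}` directly above the rewritten purpose lookup is a Ruby hash literal, not a set: under Ruby 1.8 it pairs `'kvm host' => 'central syslog server'` and `'puppet master' => 'jumphost'` (Ruby 1.9 rejects the form outright), and `Hash#include?` tests keys, so a host whose purpose is `central syslog server` or `jumphost` is never appended to `restrict_ssh` and keeps the unrestricted SSH source list. Since this hunk is the one touching the purpose check, fix it here: `restricted_purposes = ['kvm host', 'central syslog server', 'puppet master', 'jumphost']`. The `out`/`restrict_ssh` setup that this feeds starts above the hunk.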
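Review bot: `if $::smartarraycontroller {` and `if $::mptraid {` rely on fact truthiness; in this Puppet generation facts arrive as strings and any non-empty string, including `"false"`, is true, so if either custom fact reports false instead of being absent, `debian::proliant` or `raidmpt` is included on every host. If the facts can emit a false value, compare against what they actually emit, e.g. `if $::smartarraycontroller == 'true' {`, and add a one-line comment per guard stating the fact's expected values. The same string-vs-boolean question applies to `if $::rsyncd == true` in per-host.pp above, where the mismatch goes the other way.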
@@ -1,15 +1,10 @@
 class kfreebsd {
- file {
- "/etc/cron.d/dsa-killruby":
- source => [ "puppet:///modules/kfreebsd/dsa-killruby" ],
- ;
- }
- sysctl {
- "maxfiles" :
- key => "kern.maxfiles",
- value => 65536,
- }
+ file { '/etc/cron.d/dsa-killruby':
+ source => 'puppet:///modules/kfreebsd/dsa-killruby',
+ }
+
+ site::sysctl { 'maxfiles':
+ key => 'kern.maxfiles',
+ value => 65536,
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/megactl/manifests/init.pp b/modules/megactl/manifests/init.pp
index d15cb17e..3c376639 100644
--- a/modules/megactl/manifests/init.pp
+++ b/modules/megactl/manifests/init.pp
@@ -1,13 +1,9 @@
 class megactl {
- package {
- megactl: ensure => installed;
- }
- file {
- "/etc/apt/sources.list.d/debian.restricted.list":
- content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"),
- notify => Exec["apt-get update"];
- }
+ package { 'megactl':
+ ensure => installed
+ }
+
+ site::aptrepo { 'debian.restricted':
+ template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb',
+ }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/monit/manifests/init.pp b/modules/monit/manifests/init.pp
index 7792b086..4c9b736b 100644
--- a/modules/monit/manifests/init.pp
+++ b/modules/monit/manifests/init.pp
@@ -1,76 +1,53 @@
 class monit {
- package { "monit": ensure => installed }
- $cmd = $::lsbdistcodename ? {
- 'sid' => '/usr/bin/monit',
- 'wheezy' => '/usr/bin/monit',
- default => '/usr/sbin/monit',
- }
-
- augeas { "inittab":
- context => "/files/etc/inittab",
- changes => [ "set mo/runlevels 2345",
- "set mo/action respawn",
- "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"",
- ],
- notify => Exec["init q"],
- }
-
- file {
- #"/etc/rc2.d/K99monit":
- # ensure => "../init.d/monit";
- #"/etc/rc2.d/S99monit":
- # ensure => absent;
-
- "/etc/monit/":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- purge => true
- ;
-
- "/etc/monit/monitrc":
- content => template("monit/monitrc.erb"),
- require => Package["monit"],
- notify => Exec["monit stop"],
- mode => 400
- ;
-
- "/etc/monit/monit.d":
- ensure => directory,
- owner => root,
- group => root,
- mode => 750,
- purge => true
- ;
-
- "/etc/monit/monit.d/01puppet":
- source => "puppet:///modules/monit/puppet",
- require => Package["monit"],
- notify => Exec["monit stop"],
- mode => 440
- ;
-
- "/etc/monit/monit.d/00debian.org":
- source => "puppet:///modules/monit/debianorg",
- require => Package["monit"],
- notify => Exec["monit stop"],
- mode => 440
- ;
-
- "/etc/default/monit":
- content => template("monit/default.erb"),
- require => Package["monit"],
- notify => Exec["monit stop"]
- ;
- }
- exec { "monit stop":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ package { 'monit':
+ ensure => installed
+ }
+
+ $cmd = $::lsbdistcodename ?
{
+ 'sid' => '/usr/bin/monit',
+ 'wheezy' => '/usr/bin/monit',
+ default => '/usr/sbin/monit',
+ }
+
+ augeas { 'inittab':
+ context => '/files/etc/inittab',
+ changes => [ 'set mo/runlevels 2345',
+ 'set mo/action respawn',
+ "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"",
+ ],
+ notify => Exec['init q'],
+ }
+
+ file { [ '/etc/monit/', '/etc/monit/monit.d']:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
+ purge => true,
+ notify => Exec['monit stop'],
+ require => Package['monit'],
+ }
+ file { '/etc/monit/monitrc':
+ content => template('monit/monitrc.erb'),
+ mode => '0400'
+ }
+ file { '/etc/monit/monit.d/01puppet':
+ source => 'puppet:///modules/monit/puppet',
+ mode => '0440'
+ }
+ file { '/etc/monit/monit.d/00debian.org':
+ source => 'puppet:///modules/monit/debianorg',
+ mode => '0440'
+ }
+ file { '/etc/default/monit':
+ content => template('monit/default.erb'),
+ require => Package['monit'],
+ notify => Exec['monit stop']
+ }
+
+ exec { 'monit stop':
+ path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true,
+ }
 }
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/motd/manifests/init.pp b/modules/motd/manifests/init.pp
index 0de49360..ffa85733 100644
--- a/modules/motd/manifests/init.pp
+++ b/modules/motd/manifests/init.pp
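Review bot: The new `/etc/monit/monitrc`, `01puppet` and `00debian.org` file resources drop the `require => Package['monit']` and `notify => Exec['monit stop']` that the removed block attached to each of them; only the directory resource and `/etc/default/monit` keep the notify, so an edited monitrc no longer stops monit for the inittab respawn unless a `File { ... }` resource default outside this hunk supplies it. Either add `notify => Exec['monit stop'],` (and the require) back to each of the three, or state the default in a comment above the file resources. The shared directory resource also gives `/etc/monit/monit.d` `mode => '0755'` where it was `750`; its contents are `0440`, so opening the directory to world-search looks unintended — split the mode or keep `'0750'` for both. Note too that `purge => true` on these directories has no effect without `recurse => true` per the file type's docs (pre-existing).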
@@ -1,15 +1,16 @@
 class motd {
- file { "/etc/motd.tail":
- notify => Exec["updatemotd"],
- content => template("motd/motd.erb") ;
- "/etc/motd":
- ensure => "/var/run/motd";
+
+ file { '/etc/motd.tail':
+ notify => Exec['updatemotd'],
+ content => template('motd/motd.erb')
+ }
+ file { '/etc/motd':
+ ensure => link,
+ target => '/var/run/motd'
+ }
+
+ exec { 'updatemotd':
+ command => 'uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd',
+ refreshonly => true,
 }
- exec { "updatemotd":
- command => "uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd",
- refreshonly => true
- }
 }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/motd/templates/motd.erb b/modules/motd/templates/motd.erb
index 2087cbc2..47eb9521 100644
--- a/modules/motd/templates/motd.erb
+++ b/modules/motd/templates/motd.erb
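Review bot: The re-added `exec { 'updatemotd': ... }` still runs unqualified `uname` and `cat` with no `path` attribute; the exec type refuses an unqualified command unless `path` is set, so this resource only validates if an `Exec { path => ... }` default exists outside this hunk (the old block had the same gap). Make it self-contained by adding `path => '/usr/bin:/bin',` beside `refreshonly => true,`. Since the command depends on `>`, `>>` and `&&`, a comment such as `# needs a shell: redirection and && rebuild /var/run/motd` would also save the next reader from wrapping it in an array.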
@@ -18,32 +18,32 @@ def markup(l) end purp = '' -if nodeinfo.has_key?('nameinfo') - purp += wrap(nodeinfo['nameinfo']) + "\n\n" +if scope.lookupvar('site::nodeinfo').has_key?('nameinfo') + purp += wrap(scope.lookupvar('site::nodeinfo')['nameinfo']) + "\n\n" end purp += 'Welcome to ' + fqdn -if (nodeinfo['ldap'].has_key?('purpose')) - p = nodeinfo['ldap']['purpose'].clone() +if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) + p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone() extra = '' if p.delete('buildd') purp += ", the Debian " - if nodeinfo['ldap'].has_key?('architecture') - purp += nodeinfo['ldap']['architecture'][0] + if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') + purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0] end purp += " build daemon" end if p.delete('porterbox') purp += ", the Debian " - if nodeinfo['ldap'].has_key?('architecture') - purp += nodeinfo['ldap']['architecture'][0] + if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') + purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0] end purp += " porterbox" extra += "\n" extra += "See 'dchroot -l' or 'schroot -l' for a list of available chroots.\n" - if nodeinfo['ldap'].has_key?('admin') + if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('admin') extra += "Please contact #{nodeinfo['ldap']['admin'][0]} for install requests,\n" extra += "following the recommendations in .\n" end @@ -51,7 +51,7 @@ if (nodeinfo['ldap'].has_key?('purpose')) if p.size() > 0 purp += ", used for the following services:\n" - nodeinfo['ldap']['purpose'].sort.each do |l| + scope.lookupvar('site::nodeinfo')['ldap']['purpose'].sort.each do |l| l = markup(l) purp += "\t" + l + "\n" end 
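Review bot: The move to `scope.lookupvar('site::nodeinfo')` misses the bare `nodeinfo` inside string interpolations on unchanged lines: `#{nodeinfo['ldap']['admin'][0]}` in this hunk, and `#{nodeinfo['ldap']['physicalHost'][0]}` plus `#{nodeinfo['hoster']['longname']}` (twice) in the `@@ -66` hunk. If the bare `nodeinfo` binding is gone — which is what the other replacements imply — rendering the motd for a porterbox, a VM, or any host with a hoster name raises NameError at catalog compile time. The least invasive fix is one assignment at the top of the template, `nodeinfo = scope.lookupvar('site::nodeinfo')` (and likewise for `allnodeinfo`), after which the original short names can stay everywhere; the template's head is outside this hunk.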
@@ -66,18 +66,18 @@ end purp += "\n" -if (nodeinfo['ldap'].has_key?('physicalHost')) +if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('physicalHost')) purp += wrap("This virtual server runs on the physical host #{nodeinfo['ldap']['physicalHost'][0]}, " + "which is hosted at #{nodeinfo['hoster']['longname']}." ) -elsif nodeinfo['hoster']['name'] +elsif scope.lookupvar('site::nodeinfo')['hoster']['name'] purp += wrap("This server is hosted at #{nodeinfo['hoster']['longname']}.") end vms = [] -allnodeinfo.keys.sort.each do |node| - if allnodeinfo[node]['physicalHost'] and allnodeinfo[node]['physicalHost'].include?(fqdn) +scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn) vms << node end end @@ -85,9 +85,9 @@ unless vms.empty? purp += "\nThe following virtual machines run on this system:\n" vms.each do |node| purp += "\t- #{node}" - if allnodeinfo[node]['purpose'] + if scope.lookupvar('site::allnodeinfo')[node]['purpose'] purp += ":\n" - allnodeinfo[node]['purpose'].sort.each do |l| + scope.lookupvar('site::allnodeinfo')[node]['purpose'].sort.each do |l| l = markup(l) purp += "\t " + l + "\n" end @@ -98,8 +98,8 @@ unless vms.empty? end -if nodeinfo.has_key?('footer') - purp += "\n" + wrap(nodeinfo['footer']) + "\n" +if scope.lookupvar('site::nodeinfo').has_key?('footer') + purp += "\n" + wrap(scope.lookupvar('site::nodeinfo')['footer']) + "\n" end purp -%> diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp deleted file mode 100644 index 72dbce1c..00000000 --- a/modules/munin-node/manifests/init.pp +++ /dev/null 
@@ -1,114 +0,0 @@ -define activate_munin_check($ensure=present, $script = none) { - case $script { - none: { $link = $name } - default: { $link = $script } - } - - case $ensure { - present: { - file { "/etc/munin/plugins/$name": - ensure => "/usr/share/munin/plugins/$link", - notify => Exec["munin-node restart"]; - } - } - default: { - file { "/etc/munin/plugins/$name": - ensure => $ensure, - notify => Exec["munin-node restart"]; - } - } - } -} - -class munin-node { - - package { munin-node: ensure => installed } - - activate_munin_check { - "cpu":; - "entropy":; - "forks":; - "interrupts":; - "iostat":; - "irqstats":; - "load":; - "memory":; - "ntp_offset":; - "ntp_states":; - "open_files":; - "open_inodes":; - "processes":; - "swap":; - "uptime":; - "vmstat":; - } - - case $spamd { - "true": { - activate_munin_check { "spamassassin":; } - } - } - - case $vsftpd { - "true": { - package { - "logtail": ensure => installed; - } - activate_munin_check { - "vsftpd":; - "ps_vsftpd": script => "ps_"; - } - } - } - - file { - "/etc/munin/munin-node.conf": - content => template("munin-node/munin-node.conf.erb"), - require => Package["munin-node"], - notify => Exec["munin-node restart"]; - - "/etc/munin/plugin-conf.d/munin-node": - content => template("munin-node/munin-node.plugin.conf.erb"), - require => Package["munin-node"], - notify => Exec["munin-node restart"]; - - "/etc/munin/plugins/df": - source => "puppet:///modules/munin-node/df-wrap", - mode => 555, - require => Package["munin-node"], - notify => Exec["munin-node restart"] - ; - "/etc/munin/plugins/df_abs": - source => "puppet:///modules/munin-node/df-wrap", - mode => 555, - require => Package["munin-node"], - notify => Exec["munin-node restart"] - ; - "/etc/munin/plugins/df_inode": - source => "puppet:///modules/munin-node/df-wrap", - mode => 555, - require => Package["munin-node"], - notify => Exec["munin-node restart"] - ; - } - - exec { "munin-node restart": - path => 
"/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-munin-v4":
- description => "Allow munin from munin master",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",
- notarule => true,
- }
- @ferm::rule { "dsa-munin-v6":
- description => "Allow munin from munin master",
- domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }",
- notarule => true,
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/munin-node/manifests/master.pp b/modules/munin-node/manifests/master.pp
deleted file mode 100644
index 23418891..00000000
--- a/modules/munin-node/manifests/master.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class munin-node::master inherits munin-node {
-
- package { munin: ensure => installed }
-
- file {
- "/etc/munin/munin.conf":
- content => template("munin-node/munin.conf.erb"),
- require => Package["munin"];
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/munin-node/files/df-wrap b/modules/munin/files/df-wrap
similarity index 100%
rename from modules/munin-node/files/df-wrap
rename to modules/munin/files/df-wrap
diff --git a/modules/munin/manifests/check.pp b/modules/munin/manifests/check.pp
new file mode 100644
index 00000000..7e4a5c65
--- /dev/null
+++ b/modules/munin/manifests/check.pp
@@ -0,0 +1,22 @@
+define munin::check($ensure = present, $script = undef) {
+
+ if $script {
+ $link = $script
+ } else {
+ $link = $name
+ }
+
+ $link_target = $ensure ? {
+ present => "/usr/share/munin/plugins/${link}"
+ absent => absent,
+ default => err ( "Unknown ensure value: '$ensure'" ),
+ }
+
+ file { "/etc/munin/plugins/${name}":
+ ensure => $link_target,
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+}
+
+
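Review bot: The `$ensure ? { ... }` selector in the new `munin::check` define is missing the comma after `present => "/usr/share/munin/plugins/${link}"`, so the file does not parse and every `munin::check` declaration in the tree (bind, bind_views, ...) fails with it. Separately, `err()` is a logging statement function rather than an rvalue in Puppet of this vintage as far as I can tell, so `default => err(...)` would not yield a value even once the comma is fixed; `fail()` is the idiom for aborting on an unknown `ensure`. The corrected selector body is `present => "/usr/share/munin/plugins/${link}",` / `absent => absent,` / `default => fail("Unknown ensure value: '${ensure}'"),`.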
diff --git a/modules/munin/manifests/init.pp b/modules/munin/manifests/init.pp
new file mode 100644
index 00000000..1ba4477a
--- /dev/null
+++ b/modules/munin/manifests/init.pp
@@ -0,0 +1,43 @@
+class munin {
+
+ package { 'munin-node':
+ ensure => installed
+ }
+
+ service { 'munin-node':
+ ensure => running,
+ require => Package['munin-node'],
+ }
+
+ file { '/etc/munin/munin-node.conf':
+ content => template('munin/munin-node.conf.erb')
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ file { '/etc/munin/plugin-conf.d/munin-node':
+ content => template('munin/munin-node.plugin.conf.erb'),
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ file { [ '/etc/munin/plugins/df', '/etc/munin/plugins/df_abs', '/etc/munin/plugins/df_inode' ]:
+ source => 'puppet:///modules/munin/df-wrap',
+ mode => '0555',
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ @ferm::rule { 'dsa-munin-v4':
+ description => 'Allow munin from munin master',
+ rule => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-munin-v6':
+ description => 'Allow munin from munin master',
+ domain => 'ip6',
+ rule => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }',
+ notarule => true,
+ }
+}
diff --git a/modules/munin/manifests/master.pp b/modules/munin/manifests/master.pp
new file mode 100644
index 00000000..4706dfbf
--- /dev/null
+++ b/modules/munin/manifests/master.pp
@@ -0,0 +1,11 @@
+class munin::master {
+
+ package { 'munin':
+ ensure => installed
+ }
+
+ file { '/etc/munin/munin.conf':
+ content => template('munin/munin.conf.erb'),
+ require => Package['munin'];
+ }
+}
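Review bot: The `file { '/etc/munin/munin-node.conf': ... }` resource is missing the comma after `content => template('munin/munin-node.conf.erb')`, and both `@ferm::rule` bodies wrap a string that contains `'munin'` in single quotes, which ends the string at `@subchain ` — the new class does not parse. Even with the inner quotes escaped, `\$HOST_MUNIN_V4` inside a single-quoted Puppet string keeps its backslash, so ferm would receive `\$HOST_MUNIN_V4` rather than the variable reference the removed double-quoted version produced. Keep the rule strings double-quoted as they were: `rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",` and the v6 equivalent. These two rules are what restricts the munin port to the munin and nagios masters, and a parse error here aborts the whole run on every node, so a `puppet parser validate` pass over the renamed modules would be worthwhile before merging.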
diff --git a/modules/munin-node/templates/munin-node.conf.erb b/modules/munin/templates/munin-node.conf.erb similarity index 83% rename from modules/munin-node/templates/munin-node.conf.erb rename to modules/munin/templates/munin-node.conf.erb index 45cf119a..e5ef6ff7 100644 --- a/modules/munin-node/templates/munin-node.conf.erb +++ b/modules/munin/templates/munin-node.conf.erb @@ -40,9 +40,9 @@ ignore_file \.rpm(save|new)$ <%= str = '' -localinfo.keys.sort.each do |node| - if localinfo[node]['muninmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| +scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['muninmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| str += "allow ^" + ip.split('.').join('\.') + "$\n" end end diff --git a/modules/munin-node/templates/munin-node.plugin.conf.erb b/modules/munin/templates/munin-node.plugin.conf.erb similarity index 100% rename from modules/munin-node/templates/munin-node.plugin.conf.erb rename to modules/munin/templates/munin-node.plugin.conf.erb diff --git a/modules/munin-node/templates/munin.conf.erb b/modules/munin/templates/munin.conf.erb similarity index 75% rename from modules/munin-node/templates/munin.conf.erb rename to modules/munin/templates/munin.conf.erb index 50468cb5..b223bd65 100644 --- a/modules/munin-node/templates/munin.conf.erb +++ b/modules/munin/templates/munin.conf.erb @@ -11,8 +11,8 @@ tmpldir /etc/munin/templates graph_strategy cgi <%= out = '' - localinfo.keys.sort.each do |node| - if not localinfo[node]['no_munin'] + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if not scope.lookupvar('site::localinfo')[node]['no_munin'] out += '[' + node + '] address ' + node + ' diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp index 33808c45..b72f002b 100644 --- a/modules/nagios/manifests/client.pp +++ b/modules/nagios/manifests/client.pp 
@@ -1,81 +1,64 @@ class nagios::client inherits nagios { - package { - dsa-nagios-nrpe-config: ensure => purged; - dsa-nagios-checks: ensure => installed; - } - file { - "/etc/default/nagios-nrpe-server": - source => [ "puppet:///modules/nagios/per-host/$fqdn/default", - "puppet:///modules/nagios/common/default" ], - require => Package["nagios-nrpe-server"], - notify => Exec["nagios-nrpe-server restart"], - ; - "/etc/default/nagios-nrpe": - ensure => absent, - notify => Exec["nagios-nrpe-server restart"], - ; - "/etc/nagios/nrpe.cfg": - content => template("nagios/nrpe.cfg.erb"), - require => Package["nagios-nrpe-server"], - notify => Exec["service nagios-nrpe-server reload"], - ; - "/etc/nagios/nrpe.d": - mode => 755, - require => Package["nagios-nrpe-server"], - ensure => directory, - ; - "/etc/nagios/nrpe.d/debianorg.cfg": - content => template("nagios/inc-debian.org.erb"), - require => Package["nagios-nrpe-server"], - notify => Exec["service nagios-nrpe-server reload"], - ; - "/etc/nagios/nrpe.d/nrpe_dsa.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg" ], - require => Package["dsa-nagios-checks"], - notify => Exec["service nagios-nrpe-server reload"], - ; + package { 'dsa-nagios-nrpe-config': + ensure => purged + } + package { 'dsa-nagios-checks': + ensure => installed + } - "/etc/nagios/obsolete-packages-ignore": - source => [ "puppet:///modules/nagios/per-host/$fqdn/obsolete-packages-ignore", - "puppet:///modules/nagios/common/obsolete-packages-ignore" ], - require => Package["dsa-nagios-checks"], - ; + service { 'nagios-nrpe-server': + ensure => running, + hasstatus => false, + pattern => 'nrpe', + } - "/etc/nagios/obsolete-packages-ignore.d/hostspecific": - content => template("nagios/obsolete-packages-ignore.d-hostspecific.erb"), - require => Package["dsa-nagios-checks"], - ; - } + @ferm::rule { 'dsa-nagios-v4': + description => 'Allow nrpe from nagios master', + rule => 'proto tcp mod state state (NEW) dport (5666) 
@subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }', + notarule => true, + } + @ferm::rule { 'dsa-nagios-v6': + description => 'Allow nrpe from nagios master', + domain => 'ip6', + rule => 'proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }', + notarule => true, + } - exec { - "nagios-nrpe-server restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - "service nagios-nrpe-server reload": -# remove after lenny EOL (lenny has no service binary) -# -cut- - command => "/etc/init.d/nagios-nrpe-server reload", -# -cut- - refreshonly => true, - ; - } + file { '/etc/default/nagios-nrpe-server': + source => 'puppet:///modules/nagios/common/default', + require => Package['nagios-nrpe-server'], + notify => Service['nagios-nrpe-server'], + } + file { '/etc/default/nagios-nrpe': + ensure => absent, + notify => Service['nagios-nrpe-server'], + } + file { '/etc/nagios/': + ensure => directory, + require => Package['nagios-nrpe-server'], + notify => Service['nagios-nrpe-server'], + } + file { '/etc/nagios/nrpe.cfg': + content => template('nagios/nrpe.cfg.erb'), + } + file { '/etc/nagios/nrpe.d': + ensure => directory, + mode => '0755', + } + file { '/etc/nagios/nrpe.d/debianorg.cfg': + content => template('nagios/inc-debian.org.erb'), + } + file { '/etc/nagios/nrpe.d/nrpe_dsa.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg', + } + file { '/etc/nagios/obsolete-packages-ignore': + source => 'puppet:///modules/nagios/common/obsolete-packages-ignore', + require => Package['dsa-nagios-checks'], + } + file { '/etc/nagios/obsolete-packages-ignore.d/hostspecific': + content => template('nagios/obsolete-packages-ignore.d-hostspecific.erb'), + require => Package['dsa-nagios-checks'], + } - @ferm::rule { - "dsa-nagios-v4": - description => "Allow nrpe from nagios master", - rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr 
(\$HOST_NAGIOS_V4) ACCEPT; }", - notarule => true, - ; - "dsa-nagios-v6": - description => "Allow nrpe from nagios master", - domain => "ip6", - rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }", - notarule => true, - ; - } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/nagios/manifests/init.pp b/modules/nagios/manifests/init.pp index 4975a413..3149da3e 100644 --- a/modules/nagios/manifests/init.pp +++ b/modules/nagios/manifests/init.pp @@ -1,8 +1,5 @@ class nagios { - package { - nagios-nrpe-server: ensure => installed; + package { 'nagios-nrpe-server': + ensure => installed } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/nagios/manifests/server.pp b/modules/nagios/manifests/server.pp index f73d8ad2..2ab72a84 100644 --- a/modules/nagios/manifests/server.pp +++ b/modules/nagios/manifests/server.pp 
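Review bot: `/etc/nagios/nrpe.cfg`, `nrpe.d/debianorg.cfg` and `nrpe.d/nrpe_dsa.cfg` lost their reload notification: the only `notify => Service['nagios-nrpe-server']` now sits on the `/etc/nagios/` directory resource, and Puppet does not propagate a change in a child file up to its parent directory, so an edit to the NRPE command set or its allowed-hosts list is written to disk but not picked up until something else restarts nrpe. Add `notify => Service['nagios-nrpe-server']` to each of those three file resources, or set `File { notify => Service['nagios-nrpe-server'] }` as a default inside the class. The two `@ferm::rule` bodies also wrap `'nagios'` inside single-quoted strings, which terminates the string early and leaves `\$HOST_NAGIOS_V4` with a literal backslash; keep them double-quoted as the removed lines were. The dropped `require => Package['nagios-nrpe-server']` on the nrpe files is covered by the autorequire on `/etc/nagios/`, so that part is fine.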
@@ -1,88 +1,75 @@ -class nagios::server inherits nagios::client { - package { - nagios3: ensure => installed; - nagios-nrpe-plugin: ensure => installed; - nagios-plugins: ensure => installed; - nagios-images: ensure => installed; - } - - file { - "/etc/nagios-plugins/config/local-dsa-checkcommands.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - - "/etc/nagios3/cgi.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/cgi.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/nagios.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/nagios.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; +class nagios::server { - "/etc/nagios3/puppetconf.d": - mode => 755, - require => Package["nagios3"], - ensure => directory; - - "/etc/nagios3/puppetconf.d/contacts.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/generic-host.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/generic-service.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/timeperiods.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - - "/etc/nagios3/puppetconf.d/auto-dependencies.cfg": - 
source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-hostgroups.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-hosts.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-servicegroups.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; - "/etc/nagios3/puppetconf.d/auto-services.cfg": - source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg" ], - require => Package["nagios3"], - notify => Exec["nagios3 reload"]; + package { [ + 'nagios3', + 'nagios-nrpe-plugin', + 'nagios-plugins', + 'nagios-images' + ] + ensure => installed + } + service { 'nagios3': + ensure => running, } - exec { "nagios3 reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, + file { '/etc/nagios-plugins/config': + ensure => directory, + require => Package['nagios3'], + notify => Service['nagios3'], + } + file { '/etc/nagios3': + ensure => directory, + require => Package['nagios3'], + notify => Service['nagios3'], + } + file { '/etc/nagios3/puppetconf.d': + ensure => directory, + mode => '0755', + } + file { 
'/etc/nagios-plugins/config/local-dsa-checkcommands.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg', + } + file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg', + } + file { '/etc/nagios3/cgi.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/cgi.cfg', + } + file { '/etc/nagios3/nagios.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/nagios.cfg', + } + file { '/etc/nagios3/puppetconf.d/contacts.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg', + } + file { '/etc/nagios3/puppetconf.d/generic-host.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg', + } + file { '/etc/nagios3/puppetconf.d/generic-service.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg', + } + file { '/etc/nagios3/puppetconf.d/timeperiods.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-dependencies.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-hostgroups.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-hosts.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-servicegroups.cfg': + source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg', + } + file { '/etc/nagios3/puppetconf.d/auto-services.cfg': + source => 
'puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg', } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/nagios/templates/inc-debian.org.erb b/modules/nagios/templates/inc-debian.org.erb index 5732e2a3..b06c3284 100644 --- a/modules/nagios/templates/inc-debian.org.erb +++ b/modules/nagios/templates/inc-debian.org.erb @@ -5,9 +5,9 @@ <%= nagii = [] -localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient'] - nagii << allnodeinfo[node]['ipHostNumber'] +scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient'] + nagii << scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'] end end diff --git a/modules/named/manifests/authoritative.pp b/modules/named/manifests/authoritative.pp index 4ffba00d..a1024d88 100644 --- a/modules/named/manifests/authoritative.pp +++ b/modules/named/manifests/authoritative.pp 
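Review bot: The `package { [ 'nagios3', 'nagios-nrpe-plugin', 'nagios-plugins', 'nagios-images' ] ensure => installed }` declaration is missing the `:` after the closing `]`, so `nagios::server` does not parse. Beyond that, every config file under `/etc/nagios3/puppetconf.d` and `/etc/nagios-plugins/config` lost its `notify`; the `notify => Service['nagios3']` on the two directory resources does not fire when a child file changes, so new hosts, contacts, check commands or the generated `auto-*.cfg` land on disk without a reload. Add `notify => Service['nagios3']` to those file resources, or declare `File { notify => Service['nagios3'] }` once as a class default. The class also no longer `inherits nagios::client`, so a host classified only as `nagios::server` stops getting nrpe and its firewall rule unless site.pp now includes `nagios::client` separately — worth confirming that is intended.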
@@ -1,20 +1,15 @@ class named::authoritative inherits named { - file { - "/etc/bind/named.conf.debian-zones": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.debian-zones", - "puppet:///modules/named/common/named.conf.debian-zones" ], - notify => Exec["bind9 reload"]; - "/etc/bind/named.conf.options": - content => template("named/named.conf.options.erb"), - notify => Exec["bind9 reload"]; - } - file { "/etc/bind/named.conf.shared-keys": - mode => 640, - owner => root, - group => bind, - } + file { '/etc/bind/named.conf.debian-zones': + source => 'puppet:///modules/named/common/named.conf.debian-zones', + notify => Service['bind9'], + } + file { '/etc/bind/named.conf.options': + content => template('named/named.conf.options.erb'), + notify => Service['bind9'], + } + file { '/etc/bind/named.conf.shared-keys': + mode => '0640', + owner => root, + group => bind, + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp index 76cfe3c6..1dd57113 100644 --- a/modules/named/manifests/geodns.pp +++ b/modules/named/manifests/geodns.pp 
@@ -1,75 +1,47 @@ class named::geodns inherits named { - activate_munin_check { - "bind_views": script => bind; - } + munin::check { 'bind_views': + script => bind + } - file { - "/etc/bind/named.conf.options": - content => template("named/named.conf.options.erb"), - notify => Exec["bind9 reload"]; - "/etc/apt/sources.list.d/geoip.list": - content => template("debian-org/etc/apt/sources.list.d/geoip.list.erb"), - notify => Exec["apt-get update"], - ; - "/etc/bind/named.conf.local": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.local", - "puppet:///modules/named/common/named.conf.local" ], - require => Package["bind9"], - notify => Exec["bind9 restart"], - owner => root, - group => root, - ; - "/etc/bind/named.conf.acl": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.acl", - "puppet:///modules/named/common/named.conf.acl" ], - require => Package["bind9"], - notify => Exec["bind9 restart"], - owner => root, - group => root, - ; - "/etc/bind/geodns": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - "/etc/bind/geodns/zonefiles": - ensure => directory, - owner => geodnssync, - group => geodnssync, - mode => 755, - ; - "/etc/bind/geodns/named.conf.geo": - source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.geo", - "puppet:///modules/named/common/named.conf.geo" ], - require => Package["bind9"], - notify => Exec["bind9 restart"], - owner => root, - group => root, - ; - "/etc/bind/geodns/trigger": - source => [ "puppet:///modules/named/per-host/$fqdn/trigger", - "puppet:///modules/named/common/trigger" ], - owner => root, - group => root, - mode => 555, - ; - "/etc/ssh/userkeys/geodnssync": - source => [ "puppet:///modules/named/per-host/$fqdn/authorized_keys", - "puppet:///modules/named/common/authorized_keys" ], - owner => root, - group => geodnssync, - mode => 440, - ; - "/etc/cron.d/dsa-boot-geodnssync": - source => [ "puppet:///modules/named/per-host/$fqdn/cron-geo", - 
"puppet:///modules/named/common/cron-geo" ], - owner => root, - group => root, - ; - } -} + site::aptrepo { 'geoip': + template => 'debian-org/etc/apt/sources.list.d/geoip.list.erb', + } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: + file { '/etc/bind/': + ensure => directory, + require => Package['bind9'], + notify => Service['bind9'], + } + file { '/etc/bind/geodns': + ensure => directory, + } + file { '/etc/bind/named.conf.options': + content => template('named/named.conf.options.erb'), + } + file { '/etc/bind/named.conf.local': + source => 'puppet:///modules/named/common/named.conf.local', + } + file { '/etc/bind/named.conf.acl': + source => 'puppet:///modules/named/common/named.conf.acl', + } + file { '/etc/bind/geodns/zonefiles': + ensure => directory, + owner => geodnssync, + group => geodnssync, + mode => '0755', + } + file { '/etc/bind/geodns/named.conf.geo': + source => 'puppet:///modules/named/common/named.conf.geo', + } + file { '/etc/bind/geodns/trigger': + source => 'puppet:///modules/named/common/trigger', + } + file { '/etc/ssh/userkeys/geodnssync': + source => 'puppet:///modules/named/common/authorized_keys', + group => geodnssync, + mode => '0440', + } + file { '/etc/cron.d/dsa-boot-geodnssync': + source => 'puppet:///modules/named/common/cron-geo' + } +} diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp index 8cfa4080..28a666b5 100644 --- a/modules/named/manifests/init.pp +++ b/modules/named/manifests/init.pp 
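Review bot: `/etc/bind/named.conf.local`, `named.conf.acl`, `named.conf.options` and `geodns/named.conf.geo` no longer notify bind9: the sole `notify => Service['bind9']` is on the `/etc/bind/` directory, and a change to a file inside it does not refresh the directory resource, so an updated ACL or zone list is written but never loaded. Add `notify => Service['bind9']` to those four resources. `/etc/bind/geodns/trigger` also lost `mode => '0555'`; a `source`d file created without a mode comes out 0644, so if the trigger is executed by the sync it will not be runnable on a fresh host. `/etc/ssh/userkeys/geodnssync` lost `owner => root` — with only `group => geodnssync, mode => '0440'` an existing file owned by the sync account keeps that owner, and the owner can chmod and rewrite its own authorized key material, so keep `owner => root` explicit there. The `/etc/bind/geodns` directory similarly dropped its `owner`/`group`/`mode`, which is probably harmless but inconsistent with `geodns/zonefiles` right below it.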
@@ -1,37 +1,25 @@ class named { - activate_munin_check { - "bind":; - } - package { - bind9: ensure => installed; - } + munin::check { 'bind': } - exec { - "bind9 restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - "bind9 reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - } - file { - "/var/log/bind9": - ensure => directory, - owner => bind, - group => bind, - mode => 775, - ; - } - @ferm::rule { "dsa-bind": - domain => "(ip ip6)", - description => "Allow nameserver access", - rule => "&TCP_UDP_SERVICE(53)" - } -} + package { 'bind9': + ensure => installed + } + + service { 'bind9': + ensure => running, + } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: + @ferm::rule { 'dsa-bind': + domain => '(ip ip6)', + description => 'Allow nameserver access', + rule => '&TCP_UDP_SERVICE(53)' + } + + file { '/var/log/bind9': + ensure => directory, + owner => bind, + group => bind, + mode => '0775', + } +} diff --git a/modules/named/manifests/recursor.pp b/modules/named/manifests/recursor.pp index 66227c4b..3bd06d9b 100644 --- a/modules/named/manifests/recursor.pp +++ b/modules/named/manifests/recursor.pp @@ -1,12 +1,7 @@ class named::recursor inherits named { - file { - "/etc/bind/named.conf.options": - content => template("named/named.conf.options.erb"), - notify => Exec["bind9 reload"]; - } -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: + file { '/etc/bind/named.conf.options': + content => template('named/named.conf.options.erb'), + notify => Service['bind9'], + } +} diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb index e093aa4e..4224254d 100644 --- a/modules/named/templates/named.conf.options.erb +++ b/modules/named/templates/named.conf.options.erb 
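Review bot: `service { 'bind9': ensure => running }` has no `require => Package['bind9']`, and Puppet does not auto-order a service after the package of the same name, so on a fresh host the service can be evaluated before bind9 is installed and fail the run. Add `require => Package['bind9'],` to the service. Note that the removed `exec`s were `refreshonly` and never started anything, whereas the new resource also starts bind9 on every host that includes `named`; that looks intended, but it is a behaviour change rather than a pure restyle.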
@@ -6,9 +6,9 @@ acl Nagios { <%= str = '' - localinfo.keys.sort.each do |node| - if localinfo[node]['nagiosmaster'] - allnodeinfo[node]['ipHostNumber'].each do |ip| + scope.lookupvar('site::localinfo').keys.sort.each do |node| + if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip| str += "\t" + ip + "/32;\n" end end diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp index d14a6ca3..b9ff8885 100644 --- a/modules/nfs-server/manifests/init.pp +++ b/modules/nfs-server/manifests/init.pp 
@@ -1,31 +1,60 @@ class nfs-server { - include ferm::nfs-server + package { [ + 'nfs-common', + 'nfs-kernel-server' + ]: + ensure => installed + } - package { - nfs-common: ensure => installed; - nfs-kernel-server: ensure => installed; - } + service { 'nfs-common': + hasstatus => false, + status => '/bin/true', + refreshonly => true, + } + service { 'nfs-kernel-server': + hasstatus => false, + status => '/bin/true', + refreshonly => true, + } - file { - "/etc/default/nfs-common": - source => "puppet:///modules/nfs-server/nfs-common.default", - require => Package["nfs-common"], - notify => Exec["nfs-common restart"]; - "/etc/default/nfs-kernel-server": - source => "puppet:///modules/nfs-server/nfs-kernel-server.default", - require => Package["nfs-kernel-server"], - notify => Exec["nfs-kernel-server restart"]; - "/etc/modprobe.d/lockd.local": - source => "puppet:///modules/nfs-server/lockd.local.modprobe"; - } + @ferm::rule { 'dsa-portmap': + domain => '(ip ip6)', + description => 'Allow portmap access', + rule => '&TCP_UDP_SERVICE(111)' + } + @ferm::rule { 'dsa-nfs': + domain => '(ip ip6)', + description => 'Allow nfsd access', + rule => '&TCP_UDP_SERVICE(2049)' + } + @ferm::rule { 'dsa-status': + domain => '(ip ip6)', + description => 'Allow statd access', + rule => '&TCP_UDP_SERVICE(10000)' + } + @ferm::rule { 'dsa-mountd': + domain => '(ip ip6)', + description => 'Allow mountd access', + rule => '&TCP_UDP_SERVICE(10002)' + } + @ferm::rule { 'dsa-lockd': + domain => '(ip ip6)', + description => 'Allow lockd access', + rule => '&TCP_UDP_SERVICE(10003)' + } - exec { - "nfs-common restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - "nfs-kernel-server restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - } + file { '/etc/default/nfs-common': + source => 'puppet:///modules/nfs-server/nfs-common.default', + require => Package['nfs-common'], + notify => Service['nfs-common'], + } + file { 
'/etc/default/nfs-kernel-server': + source => 'puppet:///modules/nfs-server/nfs-kernel-server.default', + require => Package['nfs-kernel-server'], + notify => Service['nfs-kernel-server'], + } + file { '/etc/modprobe.d/lockd.local': + source => 'puppet:///modules/nfs-server/lockd.local.modprobe' + } } diff --git a/modules/ntp/manifests/client.pp b/modules/ntp/manifests/client.pp new file mode 100644 index 00000000..aa877a1a --- /dev/null +++ b/modules/ntp/manifests/client.pp @@ -0,0 +1,24 @@ +class ntp::client { + file { '/etc/default/ntp': + source => 'puppet:///modules/ntp/etc-default-ntp', + require => Package['ntp'], + notify => Service['ntp'] + } + file { '/etc/ntp.keys.d/': + ensure => directory, + require => Package['ntp'], + notify => Service['ntp'] + } + file { '/etc/ntp.keys.d/ntpkey_iff_merikanto': + source => 'puppet:///modules/ntp/ntpkey_iff_merikanto.pub', + } + file { '/etc/ntp.keys.d/ntpkey_iff_orff': + source => 'puppet:///modules/ntp/ntpkey_iff_orff.pub', + } + file { '/etc/ntp.keys.d/ntpkey_iff_ravel': + source => 'puppet:///modules/ntp/ntpkey_iff_ravel.pub', + } + file { '/etc/ntp.keys.d/ntpkey_iff_busoni': + source => 'puppet:///modules/ntp/ntpkey_iff_busoni.pub', + } +} diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp index 74a5a322..26aa2d4f 100644 --- a/modules/ntp/manifests/init.pp +++ b/modules/ntp/manifests/init.pp 
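Review bot: `refreshonly` is not a parameter of the `service` type (it belongs to `exec`), so both `service { 'nfs-common': ... }` and `service { 'nfs-kernel-server': ... }` are rejected when the catalog is compiled. Drop `refreshonly => true` from both; with `hasstatus => false` and `status => '/bin/true'` the service always reports running, so Puppet only restarts it when one of the `/etc/default/*` files notifies it, which appears to be the behaviour the old `refreshonly` execs provided. The five `@ferm::rule` entries accept portmap, nfsd, statd, mountd and lockd from any source on both address families; if the removed `ferm::nfs-server` class restricted these by `saddr`, that restriction is lost here, and even if it did not, an explicit `saddr (...)` list of NFS clients is the check a reviewer would want before these rules are relied on.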
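Review bot: The four `ntpkey_iff_*` file resources in the new `ntp::client` carry no `notify => Service['ntp']` and no `require => Package['ntp']` of their own; the `notify` on the `/etc/ntp.keys.d/` directory does not fire when a key file inside it changes, so a rotated IFF public key is installed on disk but ntpd keeps authenticating with the old one until something else restarts it. Add `require => Package['ntp'], notify => Service['ntp']` to each key resource, or `File { require => Package['ntp'], notify => Service['ntp'] }` as a class default. The directory is declared with a trailing slash (`'/etc/ntp.keys.d/'`) while the keys use `/etc/ntp.keys.d/…`; whether Puppet's parent autorequire matches across the trailing slash depends on the version, so spell it without the slash. Compared with the block removed from init.pp in the next hunk, the keys also lost their explicit `mode => 444` and `owner => root`.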
@@ -1,107 +1,43 @@ class ntp { - package { ntp: ensure => installed } - file { - "/var/lib/ntp/": - ensure => directory, - owner => ntp, - group => ntp, - mode => 755, - require => Package["ntp"] - ; - "/var/lib/ntp": - ensure => directory, - owner => ntp, - group => ntp, - mode => 755, - require => Package["ntp"] - ; - "/etc/ntp.conf": - owner => root, - group => root, - mode => 444, - content => template("ntp/ntp.conf"), - notify => Exec["ntp restart"], - require => Package["ntp"] - ; - "/etc/ntp.keys.d": - owner => root, - group => ntp, - mode => 750, - ensure => directory, - require => Package["ntp"] - ; - } - case getfromhash($nodeinfo, 'timeserver') { - true: { - file { - "/var/lib/ntp/leap-seconds.list": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/leap-seconds.list" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - } - } - default: { - file { - "/etc/default/ntp": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/etc-default-ntp" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_merikanto": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_merikanto.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_orff": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_orff.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_ravel": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_ravel.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - "/etc/ntp.keys.d/ntpkey_iff_busoni": - owner => root, - group => root, - mode => 444, - source => [ "puppet:///modules/ntp/ntpkey_iff_busoni.pub" ], - require => Package["ntp"], - notify => Exec["ntp restart"], - ; - } - } - } 
+ package { 'ntp': + ensure => installed + } + service { 'ntp': + ensure => running, + require => Package['ntp'] + } - exec { "ntp restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } - @ferm::rule { "dsa-ntp": - domain => "(ip ip6)", - description => "Allow ntp access", - rule => "&SERVICE(udp, 123)" - } + @ferm::rule { 'dsa-ntp': + domain => '(ip ip6)', + description => 'Allow ntp access', + rule => '&SERVICE(udp, 123)' + } + + file { '/var/lib/ntp': + ensure => directory, + owner => ntp, + group => ntp, + mode => '0755', + require => Package['ntp'] + } + file { '/etc/ntp.conf': + content => template('ntp/ntp.conf'), + notify => Service['ntp'], + require => Package['ntp'] + } + file { '/etc/ntp.keys.d': + ensure => directory, + group => ntp, + mode => '0750', + notify => Service['ntp'], + require => Package['ntp'] + } + + if getfromhash($site::nodeinfo, 'timeserver') { + include ntp::timeserver + } else { + include ntp::client + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/ntp/manifests/timeserver.pp b/modules/ntp/manifests/timeserver.pp new file mode 100644 index 00000000..f86ddf47 --- /dev/null +++ b/modules/ntp/manifests/timeserver.pp @@ -0,0 +1,7 @@ +class ntp::timeserver { + file { '/var/lib/ntp/leap-seconds.list': + source => 'puppet:///modules/ntp/leap-seconds.list', + require => Package['ntp'], + notify => Service['ntp'], + } +} diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf index 94787968..11c5c3c4 100644 --- a/modules/ntp/templates/ntp.conf +++ b/modules/ntp/templates/ntp.conf @@ -14,7 +14,7 @@ filegen clockstats file clockstats type day enable crypto randfile /dev/urandom keysdir /etc/ntp.keys.d -<% if nodeinfo['timeserver'] -%> +<% if scope.lookupvar('site::nodeinfo')['timeserver'] -%> server 0.debian.pool.ntp.org iburst dynamic server 1.debian.pool.ntp.org iburst dynamic server 2.debian.pool.ntp.org iburst dynamic 
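Review bot: `/etc/ntp.conf` and `/etc/ntp.keys.d` in ntp init no longer set `owner` (ntp.conf also lost `group => root, mode => 444`), so for a pre-existing file Puppet leaves ownership and, for ntp.conf, mode unmanaged; the `mode => '0750', group => ntp` on the keys directory only means what was intended if the owner is root. Restore `owner => root, group => root, mode => '0444'` on `/etc/ntp.conf` and `owner => root` on `/etc/ntp.keys.d` so the previous permissions stay enforced rather than inherited.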
@@ -26,7 +26,7 @@ server ntp.grnet.gr iburst <% end -%> <% elsif fqdn == "ancina.debian.org" -%> server ntp.ugent.be iburst dynamic -<% elsif nodeinfo['misc']['natted'] -%> +<% elsif scope.lookupvar('site::nodeinfo')['misc']['natted'] -%> # autokey doesn't work behind nat # merikanto's and orff's ipv4 IP, hard coded for the benefit of hosts diff --git a/modules/ntpdate/manifests/init.pp b/modules/ntpdate/manifests/init.pp index 37de5af5..ca21a4db 100644 --- a/modules/ntpdate/manifests/init.pp +++ b/modules/ntpdate/manifests/init.pp @@ -1,21 +1,15 @@ class ntpdate { - case getfromhash($nodeinfo, 'broken-rtc') { - true: { - package { - ntpdate: ensure => installed; - lockfile-progs: ensure => installed; - } - file { - "/etc/default/ntpdate": - owner => root, - group => root, - mode => 444, - content => template("ntpdate/etc-default-ntpdate.erb"), - ; - } - } - } + + if getfromhash($site::nodeinfo, 'broken-rtc') { + package { [ + 'ntpdate', + 'lockfile-progs' + ]: + ensure => installed + } + + file { '/etc/default/ntpdate': + content => template('ntpdate/etc-default-ntpdate.erb'), + } + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/portforwarder/manifests/init.pp b/modules/portforwarder/manifests/init.pp index 83d11cf6..8fd01c34 100644 --- a/modules/portforwarder/manifests/init.pp +++ b/modules/portforwarder/manifests/init.pp 
@@ -1,30 +1,22 @@ class portforwarder { - # do not depend on xinetd, yet. it might uninstall other inetds - # for now this will have to be done manually - file { - "/etc/ssh/userkeys/portforwarder": - content => template("portforwarder/authorized_keys.erb"), - mode => 444, - ; - "/etc/xinetd.d": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - "/etc/xinetd.d/dsa-portforwader": - content => template("portforwarder/xinetd.erb"), - notify => Exec["xinetd reload"] - ; - } + # do not depend on xinetd, yet. it might uninstall other inetds + # for now this will have to be done manually + file { '/etc/ssh/userkeys/portforwarder': + content => template('portforwarder/authorized_keys.erb'), + } + file { '/etc/xinetd.d': + ensure => directory, + owner => root, + group => root, + mode => '0755', + } + file { '/etc/xinetd.d/dsa-portforwader': + content => template('portforwarder/xinetd.erb'), + notify => Exec['xinetd reload'] + } - exec { - "xinetd reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - } + exec { 'xinetd reload': + path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin', + refreshonly => true, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/portforwarder/templates/authorized_keys.erb b/modules/portforwarder/templates/authorized_keys.erb index 5cb76624..1ffd9e84 100644 --- a/modules/portforwarder/templates/authorized_keys.erb +++ b/modules/portforwarder/templates/authorized_keys.erb @@ -29,7 +29,7 @@ config.each_pair do |sourcehost, services| if allowed_ports.length > 0 sshkey = getportforwarderkey(sourcehost) - remote_ip = allnodeinfo[sourcehost]['ipHostNumber'].join(',') + remote_ip = scope.lookupvar('site::allnodeinfo')[sourcehost]['ipHostNumber'].join(',') local_bind = '127.101.%d.%d'%[ (sourcehost.hash / 256 % 256), sourcehost.hash % 256 ] lines << "# from #{sourcehost}" 
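Review bot: `/etc/ssh/userkeys/portforwarder` is an sshd authorized-keys file rendered from a template, and its new declaration drops the `mode => 444` the old one set, so the file's permissions are no longer enforced by Puppet. Put `mode => '0444',` back on that resource; sshd rejects group- or world-writable key files under StrictModes, and a drifted mode should be corrected rather than left in place. `/etc/xinetd.d` kept its `owner`/`group`/`mode` in the same hunk, so this looks like an oversight rather than a deliberate change.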
diff --git a/modules/postgres/manifests/init.pp b/modules/postgres/manifests/init.pp index bb2b7689..4edc5c8a 100644 --- a/modules/postgres/manifests/init.pp +++ b/modules/postgres/manifests/init.pp @@ -1,19 +1,17 @@ class postgres { - activate_munin_check { - "postgres_bgwriter":; - "postgres_connections_db":; - "postgres_cache_ALL": script => "postgres_cache_"; - "postgres_querylength_ALL": script => "postgres_querylength_"; - "postgres_size_ALL": script => "postgres_size_"; - } - file { - "/etc/munin/plugin-conf.d/local-postgres": - source => "puppet:///modules/postgres/plugin.conf", - ; - } -} - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: + munin::check { 'postgres_bgwriter': } + munin::check { 'postgres_connections_db': } + munin::check { 'postgres_cache_ALL': + script => 'postgres_cache_' + } + munin::check { 'postgres_querylength_ALL': + script => 'postgres_querylength_' + } + munin::check { 'postgres_size_ALL': + script => 'postgres_size_' + } + file { '/etc/munin/plugin-conf.d/local-postgres': + source => 'puppet:///modules/postgres/plugin.conf', + } +} diff --git a/modules/postgrey/manifests/init.pp b/modules/postgrey/manifests/init.pp index 678665ee..44139743 100644 --- a/modules/postgrey/manifests/init.pp +++ b/modules/postgrey/manifests/init.pp 
@@ -1,19 +1,17 @@ class postgrey { - package { "postgrey": ensure => installed; } - file { - "/etc/default/postgrey": - source => "puppet:///modules/postgrey/default", - require => Package["postgrey"], - notify => Exec["postgrey restart"] - ; - } + package { 'postgrey': + ensure => installed + } - exec { "postgrey restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + service { 'postgrey': + ensure => running, + require => Package['postgrey'] + } + + file { '/etc/default/postgrey': + source => 'puppet:///modules/postgrey/default', + require => Package['postgrey'], + notify => Service['postgrey'] + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb index 41a071af..deb07d95 100644 --- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb +++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb @@ -27,7 +27,7 @@ module Puppet::Parser::Functions end v6ips = lookupvar('v6ips') - if v6ips and v6ips != "no" + if v6ips and v6ips != "" nodeinfo['misc']['v6addrs'] = v6ips.split(',') end end diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp index b702a158..c48ef599 100644 --- a/modules/puppetmaster/manifests/init.pp +++ b/modules/puppetmaster/manifests/init.pp @@ -1,5 +1,2 @@ class puppetmaster { } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/raidmpt/manifests/init.pp b/modules/raidmpt/manifests/init.pp index 814fd5b4..c6884aa8 100644 --- a/modules/raidmpt/manifests/init.pp +++ b/modules/raidmpt/manifests/init.pp 
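Review bot: The guard in `nodeinfo.rb` now only rejects an empty string, so whatever `lookupvar('v6ips')` returns when the fact is absent reaches `v6ips.split(',')`; on Puppet releases where an unknown variable comes back as a symbol rather than a string that is a NoMethodError inside the function instead of a skipped branch. A type-aware check does not depend on the sentinel: `if v6ips.is_a?(String) and !v6ips.empty?`. The enclosing function starts and ends outside this hunk, and I assume the `v6ips` fact was changed elsewhere in this commit to return "" instead of "no" — worth confirming.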
@@ -1,21 +1,16 @@ class raidmpt { - package { - mpt-status: ensure => installed; - } - file { - "/etc/default/mpt-statusd": - content => "# This file is under puppet control\nRUN_DAEMON=no\n", - notify => Exec["mpt-statusd-stop"], - ; - } - exec { - "mpt-statusd-stop": - command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"', - refreshonly => true, - ; - } + package { 'mpt-status': + ensure => installed + } + + file { '/etc/default/mpt-statusd': + content => "# This file is under puppet control\nRUN_DAEMON=no\n", + notify => Exec['mpt-statusd-stop'], + } + + exec { 'mpt-statusd-stop': + command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"', + refreshonly => true, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/resolv/manifests/init.pp b/modules/resolv/manifests/init.pp index 1934cfa1..59f3147f 100644 --- a/modules/resolv/manifests/init.pp +++ b/modules/resolv/manifests/init.pp @@ -1,8 +1,6 @@ class resolv { - file { "/etc/resolv.conf": - content => template("resolv/resolv.conf.erb"); + + file { '/etc/resolv.conf': + content => template('resolv/resolv.conf.erb'); } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb index 531b5165..dfea7786 100644 --- a/modules/resolv/templates/resolv.conf.erb +++ b/modules/resolv/templates/resolv.conf.erb 
@@ -12,9 +12,9 @@ if %w{draghi liszt}.include?(hostname) nameservers << "127.0.0.1" end -nameservers += nodeinfo['hoster']['nameservers'] if nodeinfo['hoster']['nameservers'] -searchpaths += nodeinfo['hoster']['searchpaths'] if nodeinfo['hoster']['searchpaths'] -options += nodeinfo['hoster']['resolvoptions'] if nodeinfo['hoster']['resolvoptions'] +nameservers += scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] if scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] +searchpaths += scope.lookupvar('site::nodeinfo')['hoster']['searchpaths'] if scope.lookupvar('site::nodeinfo')['hoster']['searchpaths'] +options += scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions'] if scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions'] searchpaths << "debian.org" diff --git a/modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org b/modules/roles/files/backports_mirror/backports.debian.org similarity index 100% rename from modules/apache2/files/common/etc/apache2/sites-available/backports.debian.org rename to modules/roles/files/backports_mirror/backports.debian.org diff --git a/modules/apache2/files/common/etc/apache2/sites-available/www.backports.org b/modules/roles/files/backports_mirror/www.backports.org similarity index 100% rename from modules/apache2/files/common/etc/apache2/sites-available/www.backports.org rename to modules/roles/files/backports_mirror/www.backports.org diff --git a/modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org b/modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org similarity index 100% rename from modules/apache2/files/common/etc/apache2/sites-available/ftp-upcoming.debian.org rename to modules/roles/files/ftp-upcoming_mirror/ftp-upcoming.debian.org 
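Review bot: Each of the three rewritten lines in `resolv.conf.erb` calls `scope.lookupvar('site::nodeinfo')` twice, which repeats the lookup and hides the actual condition; bind it once before these lines, `nodeinfo = scope.lookupvar('site::nodeinfo')`, and keep the original `nodeinfo['hoster'][...]` expressions. The same pattern recurs in `samhainrc.erb`, in `conf-builddlist.erb` (five lookups per loop iteration) and in `ssh/templates/authorized_keys.erb` (four per node, on `site::allnodeinfo`); a local binding at the top of each `<% %>` block reads the same way there.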
diff --git a/modules/apache2/files/common/etc/apache2/sites-available/security.debian.org b/modules/roles/files/security_mirror/security.debian.org similarity index 100% rename from modules/apache2/files/common/etc/apache2/sites-available/security.debian.org rename to modules/roles/files/security_mirror/security.debian.org diff --git a/modules/apache2/files/common/etc/apache2/sites-available/www.debian.org b/modules/roles/files/www_mirror/www.debian.org similarity index 100% rename from modules/apache2/files/common/etc/apache2/sites-available/www.debian.org rename to modules/roles/files/www_mirror/www.debian.org diff --git a/modules/roles/manifests/backports_mirror.pp b/modules/roles/manifests/backports_mirror.pp new file mode 100644 index 00000000..d8f49307 --- /dev/null +++ b/modules/roles/manifests/backports_mirror.pp @@ -0,0 +1,13 @@ +class roles::backports_mirror { + apache2::site { '010-backports.debian.org': + site => 'backports.debian.org', + config => 'puppet:///modules/roles/backports_mirror/backports.debian.org', + } + + apache2::site { '010-www.backports.org': + site => 'www.backports.org', + config => 'puppet:///modules/roles/backports_mirror/www.backports.org', + } + + apache2::module { 'rewrite': } +} diff --git a/modules/roles/manifests/dakmaster.pp b/modules/roles/manifests/dakmaster.pp new file mode 100644 index 00000000..08a14819 --- /dev/null +++ b/modules/roles/manifests/dakmaster.pp @@ -0,0 +1,13 @@ +class roles::dakmaster { + + package { 'libapache2-mod-macro': + ensure => installed, + } + + apache2::module { 'macro': } + + apache2::config { 'puppet-builddlist': + template => 'roles/conf-builddlist.erb', + } + +} diff --git a/modules/roles/manifests/ftp-upcoming_mirror.pp b/modules/roles/manifests/ftp-upcoming_mirror.pp new file mode 100644 index 00000000..8c12dd3d --- /dev/null +++ b/modules/roles/manifests/ftp-upcoming_mirror.pp 
@@ -0,0 +1,7 @@
+class roles::ftp-upcoming_mirror {
+
+ apache2::site { '010-ftp-upcoming.debian.org':
+ site => 'ftp-upcoming.debian.org',
+ config => 'puppet:///modules/roles/ftp-upcoming_mirror/ftp-upcoming.debian.org',
+ }
+}
diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp
new file mode 100644
index 00000000..13cba753
--- /dev/null
+++ b/modules/roles/manifests/security_mirror.pp
@@ -0,0 +1,11 @@
+class roles::security_mirror {
+
+ apache2::site { '010-security.debian.org':
+ site => 'security.debian.org',
+ config => 'puppet:///modules/roles/security_mirror/security.debian.org'
+ }
+
+ apache2::site { 'security.debian.org':
+ ensure => absent,
+ }
+}
diff --git a/modules/roles/manifests/www_mirror.pp b/modules/roles/manifests/www_mirror.pp
new file mode 100644
index 00000000..5baa0060
--- /dev/null
+++ b/modules/roles/manifests/www_mirror.pp
@@ -0,0 +1,11 @@
+class roles::www_mirror {
+
+ apache2::site { '010-www.debian.org':
+ site => 'www.debian.org',
+ config => 'puppet:///modules/roles/www_mirror/www.debian.org',
+ }
+
+ apache2::site { 'www.debian.org':
+ ensure => absent,
+ }
+}
diff --git a/modules/roles/templates/conf-builddlist.erb b/modules/roles/templates/conf-builddlist.erb
new file mode 100644
index 00000000..d216cdc9
--- /dev/null
+++ b/modules/roles/templates/conf-builddlist.erb
@@ -0,0 +1,26 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + +<%= + lines = [] + + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + next unless scope.lookupvar('site::allnodeinfo')[node]['purpose'] + if scope.lookupvar('site::allnodeinfo')[node]['purpose'].include?('buildd') + lines << " # #{scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s}" + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr| + lines << " allow from #{addr}" + end + end + end + + lines.join("\n") +# vim:set et: +# vim:set sts=2 ts=2: +# vim:set shiftwidth=2: +%> + diff --git a/modules/rsyncd-log/manifests/init.pp b/modules/rsyncd-log/manifests/init.pp index 28e3c784..0ae5951d 100644 --- a/modules/rsyncd-log/manifests/init.pp +++ b/modules/rsyncd-log/manifests/init.pp @@ -1,17 +1,10 @@ class rsyncd-log { - file { - "/etc/logrotate.d/dsa-rsyncd": - source => "puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd", - require => Package["debian.org"], - ; - "/var/log/rsyncd": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - } + file { '/etc/logrotate.d/dsa-rsyncd': + source => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd', + require => Package['debian.org'], + } + file { '/var/log/rsyncd': + ensure => directory, + mode => '0755', + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/samhain/manifests/init.pp b/modules/samhain/manifests/init.pp index f32a96bf..cfee73e1 100644 --- a/modules/samhain/manifests/init.pp +++ b/modules/samhain/manifests/init.pp 
@@ -1,19 +1,16 @@ class samhain { - package { samhain: ensure => installed } + package { 'samhain': + ensure => installed + } - file { "/etc/samhain/samhainrc": - content => template("samhain/samhainrc.erb"), - require => Package["samhain"], - notify => Exec["samhain reload"], - } + service { 'samhain': + ensure => running + } - exec { "samhain reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + file { '/etc/samhain/samhainrc': + content => template('samhain/samhainrc.erb'), + require => Package['samhain'], + notify => Service['samhain'] + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: - diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index fb151249..92ccea10 100644 --- a/modules/samhain/templates/samhainrc.erb +++ b/modules/samhain/templates/samhainrc.erb @@ -67,7 +67,7 @@ # RedefIgnoreNone=(no default) # RedefUser0=(no default) # RedefUser1=(no default) -<% if nodeinfo['buildd'] -%> +<% if scope.lookupvar('site::nodeinfo')['buildd'] -%> IgnoreMissing=/etc/lvm/archive/.*.vg <% end -%> @@ -133,7 +133,7 @@ file=/etc/nagios file=/etc/nagios/nrpe.d file=/etc/nagios/obsolete-packages-ignore.d file=/etc/bind/geodns -<% if nodeinfo['nagiosmaster'] -%> +<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%> file=/etc/nagios3/puppetconf.d <% end -%> file=/etc/puppet @@ -150,7 +150,7 @@ file=/etc/ferm/ file=/etc/ferm/conf.d file=/etc/ferm/dsa.d file=/etc/rc.local -<% unless lsbdistcodename == 'lenny' %> +<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %> file=/etc/unbound <% end -%> file=/etc/dsa @@ -217,7 +217,7 @@ file=/var/log/syslog ## This file might be created or removed by the system sometimes. ## file=/etc/resolv.conf -<% if nodeinfo['buildd'] -%> +<% if scope.lookupvar('site::nodeinfo')['buildd'] -%> file=/etc/dupload.conf <% end -%> file=/etc/resolv.conf.pcmcia.save 
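Review bot: `service { 'samhain': ensure => running }` has no `require => Package['samhain']`, unlike the equivalent `ntp` and `postgrey` services introduced in this commit, so on a fresh host Puppet may try to start samhain before the package is installed and fail the run. Add `require => Package['samhain']` to the service resource. Note also the behaviour change: the config file previously triggered `samhain reload`, and `notify => Service['samhain']` now restarts the daemon instead.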
@@ -266,7 +266,7 @@ file=/etc/ssh/sshd_config file=/etc/dsa/cron.ignore.dsa-puppet-stuff <%= out="" -if nodeinfo['heavy_exim'] +if scope.lookupvar('site::nodeinfo')['heavy_exim'] out = ' file=/etc/exim4/surbl_whitelist.txt file=/etc/exim4/exim_surbl.pl @@ -373,7 +373,7 @@ file=/etc/monit/monit.d/01puppet file=/etc/monit/monit.d/00debian.org file=/etc/cron.d/dsa-puppet-stuff file=/etc/cron.d/dsa-buildd -<% if nodeinfo['nagiosmaster'] -%> +<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%> file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg file=/etc/nagios3/puppetconf.d/auto-hosts.cfg file=/etc/nagios3/puppetconf.d/auto-services.cfg @@ -383,10 +383,10 @@ file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg file=/etc/nagios3/puppetconf.d/contacts.cfg <% end -%> -<% if nodeinfo['muninmaster'] -%> +<% if scope.lookupvar('site::nodeinfo')['muninmaster'] -%> file=/etc/munin/munin.conf <% end -%> -<% if nodeinfo['puppetmaster'] -%> +<% if scope.lookupvar('site::nodeinfo')['puppetmaster'] -%> dir=8/etc/puppet <% end -%> <% if classes.include?('named::geodns') -%> @@ -396,10 +396,10 @@ dir=1/etc/bind/geodns dir=1/etc/bind file=/etc/bind/named.conf.debian-zones <% end -%> -<% if fqdn == "dijkstra.debian.org" -%> +<% if scope.lookupvar('::fqdn') == "dijkstra.debian.org" -%> dir=4/etc/dsa-kvm <% end -%> -<% if nodeinfo['buildd'] -%> +<% if scope.lookupvar('site::nodeinfo')['buildd'] -%> dir=3/etc/lvm <% end -%> dir=1/etc/ferm/dsa.d @@ -407,7 +407,7 @@ file=/etc/ferm/conf.d/me.conf file=/etc/ferm/conf.d/defs.conf file=/etc/ferm/ferm.conf dir=2/etc/ssl/debian -<% unless lsbdistcodename == 'lenny' %> +<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %> file=/etc/unbound/unbound.conf <% end -%> diff --git a/modules/site/manifests/alternative.pp b/modules/site/manifests/alternative.pp new file mode 100644 index 00000000..94d08881 --- /dev/null +++ b/modules/site/manifests/alternative.pp 
@@ -0,0 +1,17 @@
+define site::alternative ($linkto, $ensure = present) {
+ case $ensure {
+ present: {
+ exec {
+ "/usr/sbin/update-alternatives --set ${name} ${linkto}":
+ unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') = ${linkto} ]",
+ }
+ }
+ absent: {
+ exec {
+ "/usr/sbin/update-alternatives --remove ${name} ${linkto}":
+ unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') != ${linkto} ]",
+ }
+ }
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+}
diff --git a/modules/site/manifests/aptrepo.pp b/modules/site/manifests/aptrepo.pp
new file mode 100644
index 00000000..eb03d465
--- /dev/null
+++ b/modules/site/manifests/aptrepo.pp
@@ -0,0 +1,39 @@
+class site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {
+
+ if $key {
+ exec { "apt-key-update-${name}":
+ command => "apt-key add /etc/apt/trusted-keys.d/${name}",
+ refreshonly => true,
+ }
+
+ file { "/etc/apt/trusted-keys.d/${name}":
+ source => $key,
+ mode => '0664',
+ notify => Exec["apt-key-update-${name}"]
+ }
+ }
+
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if ! ($template or $config) {
+ err ( "Can't find configuration for ${name}" )
+ }
+
+ if $template {
+ file { "/etc/apt/sources.list.d/${name}.list":
+ ensure => $ensure,
+ content => template($template),
+ notify => Exec['apt-get update'],
+ }
+ } else {
+ file { "/etc/apt/sources.list.d/${name}.list":
+ ensure => $ensure,
+ source => $config,
+ notify => Exec['apt-get update'],
+ }
+ }
+}
diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp
new file mode 100644
index 00000000..01caca74
--- /dev/null
+++ b/modules/site/manifests/init.pp
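Review bot: The `unless` commands in `site::alternative` start with `[` and call `update-alternatives`, `grep` and `awk` without absolute paths while the `exec` sets no `path`; Puppet validates check commands the same way it validates `command`, so unless an `Exec { path => ... }` resource default exists in site.pp (outside this diff) these resources are rejected as not qualified. The same applies to `apt-key add` in `site::aptrepo` and to `echo`, `grep` and `sed` in `site::linux_module`; adding `path => '/usr/sbin:/usr/bin:/sbin:/bin',` to each exec makes them self-contained. Separately, `err(...)` in the `default` branch only logs and the catalog still applies with nothing done; `fail("Unknown ensure value: '${ensure}'")` would abort instead, and the same choice recurs in aptrepo, linux_module and sysctl.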
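Review bot: `site::aptrepo` is declared as a `class` but is built around `${name}` — `/etc/apt/trusted-keys.d/${name}` and `/etc/apt/sources.list.d/${name}.list` — which only works for a `define` instantiated once per repository; inside a class `$name` is the class name itself, so every user would collide on the same two paths. The first line should read `define site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {`. Also, `ensure => absent` removes the sources list but leaves the key file and the imported apt key in place, so a retired repository's signing key stays trusted; the key `file` should at least take `ensure => $ensure` (fully revoking it would need `apt-key del` with a key id this define does not have). The `mode => '0664'` on the key file is wider than needed; `'0644'` matches the rest of `/etc/apt`.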
@@ -0,0 +1,13 @@
+class site {
+
+ $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
+ notice( sprintf('hoster for %s is %s', $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
+
+ service { 'procps':
+ hasstatus => false,
+ status => '/bin/true',
+ refreshonly => true,
+ }
+}
diff --git a/modules/site/manifests/linux_module.pp b/modules/site/manifests/linux_module.pp
new file mode 100644
index 00000000..62b2197a
--- /dev/null
+++ b/modules/site/manifests/linux_module.pp
@@ -0,0 +1,19 @@
+define site::linux_module ($ensure = present) {
+ case $ensure {
+ present: {
+ exec { "append_module_${name}":
+ command => "echo '${name}' >> /etc/modules",
+ unless => "grep -q -F -x '${name}' /etc/modules",
+ }
+ }
+ absent: {
+ exec { "remove_module_${name}":
+ command => "sed -i -e'/^${name}\$/d' /etc/modules",
+ onlyif => "grep -q -F -x '${name}' /etc/modules",
+ }
+ }
+ default: {
+ err("invalid ensure value ${ensure}")
+ }
+ }
+}
diff --git a/modules/site/manifests/sysctl.pp b/modules/site/manifests/sysctl.pp
new file mode 100644
index 00000000..9786c8e5
--- /dev/null
+++ b/modules/site/manifests/sysctl.pp
@@ -0,0 +1,18 @@
+define site::sysctl ($key, $value, $ensure = present) {
+ include site
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ file {
+ "/etc/sysctl.d/${name}.conf":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => "${key} = ${value}\n",
+ notify => Service['procps']
+ }
+}
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index a9161888..b7df1810 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
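Review bot: The second argument to `allnodeinfo(...)` in `class site` lists `purpose` twice (`'purpose mXRecord physicalHost purpose'`); drop the duplicate, `'purpose mXRecord physicalHost'`, assuming the function treats the string as a plain attribute list. It is harmless if the function deduplicates, but it reads as a copy-and-paste slip and the duplicate attribute is requested from LDAP twice.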
@@ -1,46 +1,38 @@ class ssh { - package { - openssh-client: ensure => installed; - openssh-server: ensure => installed; - } - file { "/etc/ssh/ssh_config": - content => template("ssh/ssh_config.erb"), - require => Package["openssh-client"] - ; - "/etc/ssh/sshd_config": - content => template("ssh/sshd_config.erb"), - require => Package["openssh-server"], - notify => Exec["ssh restart"] - ; - "/etc/ssh/userkeys": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - "/etc/ssh/userkeys/root": - content => template("ssh/authorized_keys.erb"), - mode => 444, - require => Package["openssh-server"] - ; + package { [ 'openssh-client', 'openssh-server']: + ensure => installed + } + + service { 'ssh': + ensure => running } - exec { "ssh restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - } + @ferm::rule { 'dsa-ssh': + description => 'Allow SSH from DSA', + rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)' + } + @ferm::rule { 'dsa-ssh-v6': + description => 'Allow SSH from DSA', + domain => 'ip6', + rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)' + } - @ferm::rule { "dsa-ssh": - description => "Allow SSH from DSA", - rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)" - } - @ferm::rule { "dsa-ssh-v6": - description => "Allow SSH from DSA", - domain => "ip6", - rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)" - } + file { '/etc/ssh/ssh_config': + content => template('ssh/ssh_config.erb'), + require => Package['openssh-client'] + } + file { '/etc/ssh/sshd_config': + content => template('ssh/sshd_config.erb'), + require => Package['openssh-server'], + notify => Service['ssh'] + } + file { '/etc/ssh/userkeys': + ensure => directory, + mode => '0755', + require => Package['openssh-server'] + } + file { '/etc/ssh/userkeys/root': + content => template('ssh/authorized_keys.erb'), + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: 
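Review bot: Switching the two `@ferm::rule` strings to single quotes changed their value: in Puppet single-quoted strings only `\\` and `\'` are escapes, so `'&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)'` now contains a literal backslash that the old double-quoted `"\$SSH_SOURCES"` did not. These are the rules that admit the administrators' SSH sources, so a ferm parse error or an unmatched variable here is a lock-out risk; write them as `rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'` and `rule => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'`. Also, `/etc/ssh/userkeys/root` lost `mode => 444` and `require => Package['openssh-server']`, and `service { 'ssh' }` has no `require` on the package; restoring `mode => '0444', require => Package['openssh-server']` keeps root's authorized-keys file under the same control as `sshd_config`.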
diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb index 71a96455..0a19d72e 100644 --- a/modules/ssh/templates/authorized_keys.erb +++ b/modules/ssh/templates/authorized_keys.erb @@ -1,5 +1,5 @@ # local admin -<%= hosterkeys = case nodeinfo['hoster']['name'] +<%= hosterkeys = case scope.lookupvar('site::nodeinfo')['hoster']['name'] when "ubcece" then "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvEEyxznxleAhk98K7SkAeAKWibijL5uFjIl1+tr8rz+XmFsjabTK2+hQXkgzmU+jqQ2+MPp6btfAq9Oe27GQYWUFfsAZMRb907dReFQYPKbPhQZoo5LUfkrCiR3tD0Nm2JfepTV0079K1+Q50EMImttwbI94FfSoSgTxgF4rCoLpUgmF0IHDR1+kTGow7YnuS1Y/I1zKAbofg8KBGXOLArkcZbxArt25Y2wlnE+ZHIb3Rn3pYc3/KmPPvEQy9IkR/uzzkWSaCBVMFJEO0ejjWrV4HR64GlKUPQ0CekSYn1EErY55CF5sWkasXhflluwSf7b+/jedDM1A1Vrp9Z/F8Q== chrisd" end @@ -36,9 +36,9 @@ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAuGJnElqbhgLtmJp/de8s42cAwKrkAhFq5u8EAkauEv6B <%= machine_keys = case fqdn when "beethoven.debian.org" then out = '' - allnodeinfo.keys.sort.each do |node| - out += '# ' + allnodeinfo[node]['hostname'].to_s + ' -command="/usr/lib/da-backup/da-backup-ssh-wrap ' + allnodeinfo[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + allnodeinfo[node]['ipHostNumber'].join(',') + '" ' + allnodeinfo[node]['sshRSAHostKey'].to_s + ' + scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| + out += '# ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + ' +command="/usr/lib/da-backup/da-backup-ssh-wrap ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].join(',') + '" ' + scope.lookupvar('site::allnodeinfo')[node]['sshRSAHostKey'].to_s + ' ' end diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index 391da0a4..86094b1a 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp 
@@ -1,57 +1,46 @@ class ssl { - package { openssl: ensure => installed } - file { - "/etc/ssl/debian": - ensure => directory, - mode => 755, - purge => true, - recurse => true, - force => true, - source => "puppet:///files/empty/" - ; - "/etc/ssl/debian/certs": - ensure => directory, - mode => 755, - source => "puppet:///files/empty/" - ; - "/etc/ssl/debian/crls": - ensure => directory, - mode => 755, - purge => true, - force => true, - recurse => true, - source => "puppet:///files/empty/" - ; - "/etc/ssl/debian/keys": - ensure => directory, - mode => 750, - purge => true, - force => true, - recurse => true, - source => "puppet:///files/empty/" - ; - "/etc/ssl/debian/certs/thishost.crt": - source => "puppet:///modules/ssl/clientcerts/$fqdn.client.crt", - notify => Exec["c_rehash /etc/ssl/debian/certs"], - ; - "/etc/ssl/debian/keys/thishost.key": - source => "puppet:///modules/ssl/clientcerts/$fqdn.key", - mode => 640 - ; - "/etc/ssl/debian/certs/ca.crt": - source => "puppet:///modules/ssl/clientcerts/ca.crt", - notify => Exec["c_rehash /etc/ssl/debian/certs"], - ; - "/etc/ssl/debian/crls/ca.crl": - source => "puppet:///modules/ssl/clientcerts/ca.crl", - ; - } + package { 'openssl': + ensure => installed + } - exec { "c_rehash /etc/ssl/debian/certs": - refreshonly => true, - } + file { '/etc/ssl/debian': + ensure => directory, + mode => '0755', + purge => true, + recurse => true, + force => true, + source => 'puppet:///files/empty/' + } + file { '/etc/ssl/debian/certs': + ensure => directory, + mode => '0755', + } + file { '/etc/ssl/debian/crls': + ensure => directory, + mode => '0755', + } + file { '/etc/ssl/debian/keys': + ensure => directory, + mode => '0750', + } + file { '/etc/ssl/debian/certs/thishost.crt': + source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt", + notify => Exec['c_rehash /etc/ssl/debian/certs'], + } + file { '/etc/ssl/debian/keys/thishost.key': + source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", + mode => '0640' + } + 
file { '/etc/ssl/debian/certs/ca.crt': + source => 'puppet:///modules/ssl/clientcerts/ca.crt', + notify => Exec['c_rehash /etc/ssl/debian/certs'], + } + file { '/etc/ssl/debian/crls/ca.crl': + source => 'puppet:///modules/ssl/clientcerts/ca.crl', + } + + exec { 'c_rehash /etc/ssl/debian/certs': + refreshonly => true, + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/stunnel4/manifests/client.pp b/modules/stunnel4/manifests/client.pp new file mode 100644 index 00000000..26945e2e --- /dev/null +++ b/modules/stunnel4/manifests/client.pp @@ -0,0 +1,19 @@ +define stunnel4::client($accept, $connecthost, $connectport) { + + include stunnel4 + + file { "/etc/stunnel/puppet-${name}-peer.pem": + content => generate('/bin/cat', "/etc/puppet/modules/exim/files/certs/${connecthost}.crt", + '/etc/puppet/modules/exim/files/certs/ca.crt'), + notify => Exec["restart_stunnel_${name}"], + } + + stunnel_generic { $name: + client => true, + verify => 3, + cafile => "/etc/stunnel/puppet-${name}-peer.pem", + accept => $accept, + connect => "${connecthost}:${connectport}", + } +} + diff --git a/modules/stunnel4/manifests/generic.pp b/modules/stunnel4/manifests/generic.pp new file mode 100644 index 00000000..9c357096 --- /dev/null +++ b/modules/stunnel4/manifests/generic.pp 
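Review bot: `/etc/ssl/debian/keys/thishost.key` keeps `mode => '0640'` but, like the resource it replaces, declares no `owner`/`group`, so the group-read bit is granted to whatever group the file happens to carry; pinning `owner => 'root', group => 'root'` (or the group that actually needs the key) makes the 0640 mean something. The `certs`, `crls` and `keys` directories also lost their `purge`/`recurse`/`force`/`source` attributes; the parent `/etc/ssl/debian` still recurses with `purge => true`, which presumably covers them, but that is an inference worth confirming on a host with stale files under `keys`.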
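Review bot: `stunnel_generic { $name:` in the new define refers to a resource type that, as far as I can see, no longer exists: the define is now declared as `stunnel4::generic` in generic.pp and the old nested `stunnel_generic` is deleted from class stunnel4 in this same patch, so catalog compilation should fail for every user of the define. The declaration needs to be `stunnel4::generic { $name:`, and the same change is needed in the server.pp hunk. `generate('/bin/cat', ...)` still reads `${connecthost}.crt` from the puppetmaster's filesystem at compile time, so a short comment stating that `connecthost` must be a plain hostname taken from the manifests, never from node-supplied data, would document the one assumption this define makes.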
@@ -0,0 +1,30 @@
+define stunnel4::generic ($client, $verify, $cafile, $accept, $connect, $crlfile=false, $local=false) {
+
+ include stunnel4
+
+ file { "/etc/stunnel/puppet-${name}.conf":
+ content => template('stunnel4/stunnel.conf.erb'),
+ notify => Exec["restart_stunnel_${name}"],
+ }
+
+ if $client {
+ $certfile = '/etc/ssl/debian/certs/thishost.crt'
+ $keyfile = '/etc/ssl/debian/keys/thishost.key'
+ } else {
+ $certfile = '/etc/exim4/ssl/thishost.crt'
+ $keyfile = '/etc/exim4/ssl/thishost.key'
+ }
+
+ exec { "restart_stunnel_${name}":
+ command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
+ require => [
+ File['/etc/stunnel/stunnel.conf'],
+ File['/etc/init.d/stunnel4'],
+ Exec['enable_stunnel4'],
+ Exec['kill_file_override'],
+ Package['stunnel4']
+ ],
+ subscribe => [ File[$certfile], File[$keyfile] ],
+ refreshonly => true,
+ }
+}
diff --git a/modules/stunnel4/manifests/init.pp b/modules/stunnel4/manifests/init.pp
index d7668467..300eb521 100644
--- a/modules/stunnel4/manifests/init.pp
+++ b/modules/stunnel4/manifests/init.pp
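Review bot: `subscribe => [ File[$certfile], File[$keyfile] ]` depends on resources this define never brings into the catalog: `include stunnel4` is the only include, yet in the `$client` branch the cert and key are declared by class ssl and in the server branch under `/etc/exim4/ssl`, so a node that does not already include those classes gets a missing-dependency error at compile time; `include ssl` in the client branch (and the class that declares `/etc/exim4/ssl/thishost.key` in the other) would make the define self-contained. `$verify`, `$cafile`, `$crlfile`, `$accept`, `$connect` and `$local` are accepted but unused in the visible code, so presumably the template consumes them; a header comment such as `# Parameters are consumed by stunnel4/stunnel.conf.erb; $verify is stunnel's verify level (2 = peer cert must be CA-signed, 3 = peer cert must also match a locally installed copy).` would document the contract. Note also that `$certfile`/`$keyfile` are assigned after the `file` resource whose `template(...)` has already been evaluated, so the template cannot see them if it references them — confirm it keys off `$client` instead.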
@@ -1,126 +1,30 @@ class stunnel4 { - define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) { - file { - "/etc/stunnel": - ensure => directory, - owner => root, - group => root, - mode => 755, - ; - "/etc/stunnel/puppet-${name}.conf": - content => template("stunnel4/stunnel.conf.erb"), - notify => Exec["restart_stunnel_${name}"], - ; - "/etc/init.d/stunnel4": - source => "puppet:///modules/stunnel4/etc-init.d-stunnel4", - mode => 555, - ; - } - case $client { - true: { - $certfile = "/etc/ssl/debian/certs/thishost.crt" - $keyfile = "/etc/ssl/debian/keys/thishost.key" - } - default: { - $certfile = "/etc/exim4/ssl/thishost.crt" - $keyfile = "/etc/exim4/ssl/thishost.key" - } - } - - exec { - "restart_stunnel_${name}": - command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}", - require => [ File['/etc/stunnel/stunnel.conf'], - File['/etc/init.d/stunnel4'], - Exec['enable_stunnel4'], - Exec['kill_file_override'], - Package['stunnel4'] - ], - subscribe => [ File[$certfile], - File[$keyfile] - ], - refreshonly => true, - ; - } - } - - # define an stunnel listener, listening for SSL connections on $accept, - # connecting to plaintext service $connect using local source address $local - # - # unfortunately stunnel is really bad about verifying its peer, - # all we can be certain of is that they are signed by our CA, - # not who they are. So do not use in places where the identity of - # the caller is important. Use dsa-portforwarder for that. 
- define stunnel_server($accept, $connect, $local = "127.0.0.1") { - stunnel_generic { - "${name}": - client => false, - verify => 2, - cafile => "/etc/exim4/ssl/ca.crt", - crlfile => "/etc/exim4/ssl/crl.crt", - accept => "${accept}", - connect => "${connect}", - ; - } - @ferm::rule { - "stunnel-${name}": - description => "stunnel ${name}", - rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)", - ; - "stunnel-${name}-v6": - domain => 'ip6', - description => "stunnel ${name}", - rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)", - ; - } - } - define stunnel_client($accept, $connecthost, $connectport) { - file { - "/etc/stunnel/puppet-${name}-peer.pem": - # source => "puppet:///modules/exim/certs/${connecthost}.crt", - content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt", - "/etc/puppet/modules/exim/files/certs/ca.crt"), - notify => Exec["restart_stunnel_${name}"], - ; - } - stunnel_generic { - "${name}": - client => true, - verify => 3, - cafile => "/etc/stunnel/puppet-${name}-peer.pem", - accept => "${accept}", - connect => "${connecthost}:${connectport}", - ; - } - } - - - package { - "stunnel4": ensure => installed; - } - - file { - "/etc/stunnel/stunnel.conf": - ensure => absent, - require => [ Package['stunnel4'] ], - ; - } - - exec { - "enable_stunnel4": - command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4", - unless => "grep -q '^ENABLED=1' /etc/default/stunnel4", - require => [ Package['stunnel4'] ], - ; - "kill_file_override": - command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4", - onlyif => "grep -q '^FILES=' /etc/default/stunnel4", - require => [ Package['stunnel4'] ], - ; - } + package { 'stunnel4': + ensure => installed + } + + file { '/etc/stunnel': + ensure => directory, + mode => '0755', + } + file { '/etc/init.d/stunnel4': + source => 'puppet:///modules/stunnel4/etc-init.d-stunnel4', + mode => '0555', + } + file { '/etc/stunnel/stunnel.conf': + 
ensure => absent, + require => Package['stunnel4'], + } + + exec { 'enable_stunnel4': + command => 'sed -i -e \'s/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet\' /etc/default/stunnel4', + unless => 'grep -q \'^ENABLED=1\' /etc/default/stunnel4', + require => Package['stunnel4'], + } + exec { 'kill_file_override': + command => 'sed -i -e \'s/^FILES=/#&/\' /etc/default/stunnel4', + onlyif => 'grep -q \'^FILES=\' /etc/default/stunnel4', + require => Package['stunnel4'], + } } - -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/stunnel4/manifests/server.pp b/modules/stunnel4/manifests/server.pp new file mode 100644 index 00000000..54672af9 --- /dev/null +++ b/modules/stunnel4/manifests/server.pp @@ -0,0 +1,32 @@ +define stunnel4::server($accept, $connect, $local = '127.0.0.1') { +# define an stunnel listener, listening for SSL connections on $accept, +# connecting to plaintext service $connect using local source address $local +# +# unfortunately stunnel is really bad about verifying its peer, +# all we can be certain of is that they are signed by our CA, +# not who they are. So do not use in places where the identity of +# the caller is important. Use dsa-portforwarder for that. + + include stunnel4 + + stunnel_generic { $name: + client => false, + verify => 2, + cafile => '/etc/exim4/ssl/ca.crt', + crlfile => '/etc/exim4/ssl/crl.crt', + accept => $accept, + connect => $connect + } + + @ferm::rule { + "stunnel-${name}": + description => "stunnel ${name}", + rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)" + } + @ferm::rule { "stunnel-${name}-v6": + domain => 'ip6', + description => "stunnel ${name}", + rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)" + } + +} diff --git a/modules/sudo/files/common/pam b/modules/sudo/files/pam similarity index 100% rename from modules/sudo/files/common/pam rename to modules/sudo/files/pam 
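Review bot: The `enable_stunnel4` command breaks on the move to single quotes: Puppet leaves `\$` untouched inside a single-quoted string, so sed now receives `\$a ENABLED=1 ...` where the old double-quoted form produced `$a ENABLED=1`, and to sed `\$` opens a custom-delimiter address that is never closed, which as far as I can tell makes the exec fail with an unterminated-address error on every run (the `unless` grep keeps failing, so it is retried and fails again each time). The line should be `command => 'sed -i -e \'s/^ENABLED=/#&/; $a ENABLED=1 # added by puppet\' /etc/default/stunnel4',`. `kill_file_override` is unaffected because its sed script contains no `$`.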
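Review bot: The header comment describing the listener sits inside the define body, on the lines after `define stunnel4::server(...) {` at column 0, where it reads as part of the body rather than as documentation of the define; moving it above the `define` line keeps it with the signature. The comment also promises a source address `$local`, but `$local` is never forwarded to the generic declaration, so either pass it on with `local => $local,` or drop the parameter and the sentence. The first `@ferm::rule` puts its title on its own line while the v6 rule uses `@ferm::rule { "stunnel-${name}-v6":`; the two should use the same form.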
diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/sudoers similarity index 100% rename from modules/sudo/files/common/sudoers rename to modules/sudo/files/sudoers diff --git a/modules/sudo/files/lenny/sudoers b/modules/sudo/files/sudoers.lenny similarity index 100% rename from modules/sudo/files/lenny/sudoers rename to modules/sudo/files/sudoers.lenny diff --git a/modules/sudo/manifests/init.pp b/modules/sudo/manifests/init.pp index 1f7dc91c..0bb9d0f6 100644 --- a/modules/sudo/manifests/init.pp +++ b/modules/sudo/manifests/init.pp @@ -1,39 +1,18 @@ class sudo { - package { sudo: ensure => installed } - file { - "/etc/pam.d/sudo": - source => [ "puppet:///modules/sudo/per-host/$fqdn/pam", - "puppet:///modules/sudo/common/pam" ], - require => Package["sudo"], - ; - } + package { 'sudo': + ensure => installed + } - case $lsbdistcodename { - 'lenny': { - file { - "/etc/sudoers": - owner => root, - group => root, - mode => 440, - source => [ "puppet:///modules/sudo/lenny/sudoers" ], - require => Package["sudo"], - ; - } - } - default: { - file { - "/etc/sudoers": - owner => root, - group => root, - mode => 440, - source => [ "puppet:///modules/sudo/common/sudoers" ], - require => Package["sudo"], - ; - } - } - } + file { '/etc/pam.d/sudo': + source => 'puppet:///modules/sudo/common/pam', + require => Package['sudo'], + } + + file { '/etc/sudoers': + mode => '0440', + source => [ "puppet:///modules/sudo/sudoers.${::lsbdistcodename}", + 'puppet:///modules/sudo/sudoers' ], + require => Package['sudo'], + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/syslog-ng/manifests/init.pp b/modules/syslog-ng/manifests/init.pp index b1490d93..36704e20 100644 --- a/modules/syslog-ng/manifests/init.pp +++ b/modules/syslog-ng/manifests/init.pp 
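Review bot: `/etc/sudoers` lost `owner => root, group => root` while keeping `mode => '0440'`; sudo refuses to run when sudoers is not owned by uid 0, so the resource should keep enforcing that, `owner => 'root', group => 'root', mode => '0440',`. The PAM resource also drops the per-host `puppet:///modules/sudo/per-host/${::fqdn}/pam` source, so any host-specific PAM override that existed under per-host/ is silently replaced by the common file on the next run; if that is intended, a one-line comment saying so would save the next reader from assuming it was an accident. The `sudoers.${::lsbdistcodename}` then `sudoers` fallback is a clean replacement for the codename `case`.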
@@ -1,30 +1,24 @@ class syslog-ng { - package { - "syslog-ng": ensure => installed; - } + package { 'syslog-ng': + ensure => installed + } - file { - "/etc/syslog-ng/syslog-ng.conf": - content => template("syslog-ng/syslog-ng.conf.erb"), - require => Package["syslog-ng"], - notify => Exec["syslog-ng reload"], - ; - "/etc/default/syslog-ng": - require => Package["syslog-ng"], - source => "puppet:///modules/syslog-ng/syslog-ng.default", - notify => Exec["syslog-ng reload"], - ; - "/etc/logrotate.d/syslog-ng": - require => Package["syslog-ng"], - source => "puppet:///modules/syslog-ng/syslog-ng.logrotate", - ; - } - exec { - "syslog-ng reload": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true; - } + service { 'syslog-ng': + ensure => running + } + + file { '/etc/syslog-ng/syslog-ng.conf': + content => template('syslog-ng/syslog-ng.conf.erb'), + require => Package['syslog-ng'], + notify => Service['syslog-ng'] + } + file { '/etc/default/syslog-ng': + source => 'puppet:///modules/syslog-ng/syslog-ng.default', + require => Package['syslog-ng'], + notify => Service['syslog-ng'] + } + file { '/etc/logrotate.d/syslog-ng': + source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate', + require => Package['syslog-ng'] + } } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp index f01b7fd7..9a110df2 100644 --- a/modules/unbound/manifests/init.pp +++ b/modules/unbound/manifests/init.pp 
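Review bot: Replacing `exec { 'syslog-ng reload' }` with `notify => Service['syslog-ng']` turns the old reload into a full restart, since a `service` with no `restart` command stops and starts the daemon on refresh; on a host that receives remote logs that is a window with no listener, and messages arriving then are lost. Keeping the reload semantics is one line on the service resource, `restart => '/etc/init.d/syslog-ng reload',` — the removed exec called exactly that via its `path`. The file resources themselves look consistent with the other converted modules.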
@@ -1,68 +1,58 @@ class unbound { - package { - unbound: ensure => installed; - } - exec { - "unbound restart": - path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", - refreshonly => true, - ; - } - file { - "/var/lib/unbound": - ensure => directory, - owner => unbound, - group => unbound, - require => Package["unbound"], - mode => 775, - ; - "/var/lib/unbound/root.key": - ensure => present, - replace => false, - owner => unbound, - group => unbound, - mode => 644, - source => [ "puppet:///modules/unbound/root.key" ], - ; - "/var/lib/unbound/debian.org.key": - ensure => present, - replace => false, - owner => unbound, - group => unbound, - mode => 644, - source => [ "puppet:///modules/unbound/debian.org.key" ], - ; - "/etc/unbound/unbound.conf": - content => template("unbound/unbound.conf.erb"), - require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ], - notify => Exec["unbound restart"], - owner => root, - group => root, - ; - } + package { 'unbound': + ensure => installed + } - case getfromhash($nodeinfo, 'misc', 'resolver-recursive') { - true: { - case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') { - false: {} - default: { - @ferm::rule { "dsa-dns": - domain => "ip", - description => "Allow nameserver access", - rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))), - } - @ferm::rule { "dsa-dns6": - domain => "ip6", - description => "Allow nameserver access", - rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))), - } - } - } - } - } -} + service { 'unbound': + ensure => running, + } + + file { '/var/lib/unbound': + ensure => directory, + owner => unbound, + group => unbound, + require => Package['unbound'], + mode => '0775', + } + file { '/var/lib/unbound/root.key': + ensure => present, + replace => false, + owner => unbound, + group => unbound, + mode 
=> '0644', + source => 'puppet:///modules/unbound/root.key' + } + file { '/var/lib/unbound/debian.org.key': + ensure => present, + replace => false, + owner => unbound, + group => unbound, + mode => '0644', + source => 'puppet:///modules/unbound/debian.org.key' + } + file { '/etc/unbound/unbound.conf': + content => template('unbound/unbound.conf.erb'), + require => [ + Package['unbound'], + File['/var/lib/unbound/root.key'], + File['/var/lib/unbound/debian.org.key'] + ], + notify => Service['unbound'] + } -# vim:set et: -# vim:set sts=4 ts=4: -# vim:set shiftwidth=4: + if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') { + if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') { + @ferm::rule { 'dsa-dns': + domain => 'ip', + description => 'Allow nameserver access', + rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))), + } + @ferm::rule { 'dsa-dns6': + domain => 'ip6', + description => 'Allow nameserver access', + rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))), + } + } + } +} diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb index 9a2c8373..c11df43f 100644 --- a/modules/unbound/templates/unbound.conf.erb +++ b/modules/unbound/templates/unbound.conf.erb @@ -8,7 +8,7 @@ server: <%= out = [] - if nodeinfo['misc']['resolver-recursive'] and nodeinfo['hoster']['allow_dns_query'] + if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'] out << " interface: 0.0.0.0" out << " interface: ::0" out << "" 
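Review bot: Switching from `case ... { true: ... }` to `if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')` widens the match: the old code opened port 53 only when the value compared equal to `true`, while `if` is satisfied by any non-false, non-empty value, so a non-boolean string in nodeinfo would now pass (whether such values occur depends on the inventory schema, which is not visible here). If the field is not guaranteed boolean, `if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') == true` preserves the old strictness. The `allow_dns_query` check moved the other way — the old `default:` branch created the rule for `undef` too, the new `if` does not — which is the safer direction but deserves a comment such as `# no allow_dns_query entry means no external query access`.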
@@ -50,8 +50,8 @@ server: <%= out = [] - if not nodeinfo['misc']['resolver-recursive'] and not nodeinfo['hoster']['nameservers_break_dnssec'] - forwarders = nodeinfo['hoster']['nameservers'] + if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec'] + forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] forwarders ||= [] out << 'forward-zone:' -- 2.39.2
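Review bot: The forwarder block would benefit from a comment on its condition: forwarding to the hoster's resolvers is skipped when `nameservers_break_dnssec` is set, presumably so that unbound recurses itself rather than validating through resolvers that strip DNSSEC data, and a reader of the template cannot tell that from the key name alone. A line such as `# no forward-zone when the hoster's resolvers are known to break DNSSEC validation; unbound then recurses on its own` above the `if` would capture it — confirm the intent with whoever maintains the nodeinfo schema. The enclosing `<%=` block starts before this hunk.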