summaryrefslogtreecommitdiff
path: root/global
diff options
context:
space:
mode:
authorLeif Johansson <leifj@sunet.se>2013-09-02 16:01:50 +0200
committerLeif Johansson <leifj@sunet.se>2013-09-02 16:01:50 +0200
commit7515782eb503152dfc3e84fee1260fb10d560df9 (patch)
treece0087dc774a156c6a74f11d3af92ef5686b4972 /global
import
Diffstat (limited to 'global')
-rw-r--r--global/overlay/etc/cosmos/keys/.placeholder0
-rw-r--r--global/overlay/etc/cron.d/cosmos4
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf11
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rwxr-xr-xglobal/overlay/etc/puppet/cosmos_enc.py24
-rw-r--r--global/overlay/etc/puppet/hiera.yaml0
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp52
-rw-r--r--global/overlay/etc/puppet/puppet.conf14
-rwxr-xr-xglobal/post-tasks.d/010fix-ssh-perms23
-rwxr-xr-xglobal/post-tasks.d/015cosmos-trust16
-rwxr-xr-xglobal/post-tasks.d/020reports4
-rwxr-xr-xglobal/post-tasks.d/030puppet13
-rwxr-xr-xglobal/post-tasks.d/099autoremove4
-rwxr-xr-xglobal/post-tasks.d/999reboot3
-rwxr-xr-xglobal/pre-tasks.d/020common-tools16
-rwxr-xr-xglobal/pre-tasks.d/030puppet35
16 files changed, 221 insertions, 0 deletions
diff --git a/global/overlay/etc/cosmos/keys/.placeholder b/global/overlay/etc/cosmos/keys/.placeholder
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/global/overlay/etc/cosmos/keys/.placeholder
diff --git a/global/overlay/etc/cron.d/cosmos b/global/overlay/etc/cron.d/cosmos
new file mode 100644
index 0000000..b157bde
--- /dev/null
+++ b/global/overlay/etc/cron.d/cosmos
@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+*/15 * * * * root test -f /etc/no-automatic-cosmos || (cosmos update && cosmos apply)
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
new file mode 100644
index 0000000..d8ad043
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -0,0 +1,11 @@
+#
+# name source (puppetlabs fq name or git url) upgrade (yes/no)
+#
+concat puppetlabs/concat no
+stdlib puppetlabs/stdlib no
+ufw attachmentgenie/ufw no
+apt puppetlabs/apt no
+vcsrepo puppetlabs/vcsrepo no
+xinetd puppetlabs/xinetd no
+#golang elithrar/golang yes
+#python git://github.com/stankevich/puppet-python.git yes
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
new file mode 100644
index 0000000..d9dc495
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -0,0 +1,2 @@
+'ns[0-9]?.mnt.se$':
+ nameserver:
diff --git a/global/overlay/etc/puppet/cosmos_enc.py b/global/overlay/etc/puppet/cosmos_enc.py
new file mode 100755
index 0000000..63c3a66
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos_enc.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+import sys
+import yaml
+import os
+import re
+
+rules_path = os.environ.get("COSMOS_RULES_PATH","/etc/puppet")
+
+node_name = sys.argv[1]
+
+rules = dict()
+for p in rules_path.split(":"):
+ rules_file = os.path.join(p,"cosmos-rules.yaml")
+ if os.path.exists(rules_file):
+ with open(rules_file) as fd:
+ rules.update(yaml.load(fd))
+
+classes = dict()
+for reg,cls in rules.iteritems():
+ if re.search(reg,node_name):
+ classes.update(cls)
+
+print yaml.dump(dict(classes=classes))
diff --git a/global/overlay/etc/puppet/hiera.yaml b/global/overlay/etc/puppet/hiera.yaml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/global/overlay/etc/puppet/hiera.yaml
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
new file mode 100644
index 0000000..c276f84
--- /dev/null
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -0,0 +1,52 @@
+# This manifest is managed using cosmos
+
+Exec {
+ path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+}
+
+# include some of this stuff for additional features
+
+#include cosmos::tools
+#include cosmos::motd
+#include cosmos::ntp
+#include cosmos::rngtools
+#include cosmos::preseed
+include ufw
+include apt
+include cosmos
+
+# you need a default node
+
+node default {
+
+}
+
+# edit and uncomment to manage ssh root keys in a simple way
+
+#class { 'cosmos::access':
+# keys => [
+# "ssh-rsa ..."
+# ]
+#}
+
+# example config for the nameserver class which is matched in cosmos-rules.yaml
+
+#class nameserver {
+# package {'bind9':
+# ensure => latest
+# }
+# service {'bind9':
+# ensure => running
+# }
+# ufw::allow { "allow-dns-udp":
+# ip => 'any',
+# port => 53,
+# proto => "udp"
+# }
+# ufw::allow { "allow-dns-tcp":
+# ip => 'any',
+# port => 53,
+# proto => "tcp"
+# }
+#}
+
diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf
new file mode 100644
index 0000000..0ba85f4
--- /dev/null
+++ b/global/overlay/etc/puppet/puppet.conf
@@ -0,0 +1,14 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+templatedir=$confdir/templates
+node_terminus = exec
+external_nodes = /etc/puppet/cosmos_enc.py
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN
diff --git a/global/post-tasks.d/010fix-ssh-perms b/global/post-tasks.d/010fix-ssh-perms
new file mode 100755
index 0000000..87636d7
--- /dev/null
+++ b/global/post-tasks.d/010fix-ssh-perms
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+if test -d /root/.ssh && \
+ test `stat -t /root/.ssh | cut -d\ -f5` != 0; then
+ chown root.root /root/.ssh
+fi
+
+if test -d /root/.ssh && \
+ test `stat -c %a /root/.ssh` != 700; then
+ chmod 700 /root/.ssh
+fi
+
+if test -f /root/.ssh/authorized_keys; then
+ if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
+ chown root.root /root/.ssh/authorized_keys
+ fi
+ if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
+ chmod 600 /root/.ssh/authorized_keys
+ fi
+fi
diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust
new file mode 100755
index 0000000..ad2c066
--- /dev/null
+++ b/global/post-tasks.d/015cosmos-trust
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+for k in /etc/cosmos/keys/*.pub; do
+ fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'`
+ cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k
+done
+
+for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
+ seen="no"
+ for k in /etc/cosmos/keys/*.pub; do
+ cosmos gpg --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes"
+ done
+ if [ "x$seen" = "xno" ]; then
+ cosmos gpg --yes --batch --delete-key $fp || true
+ fi
+done
diff --git a/global/post-tasks.d/020reports b/global/post-tasks.d/020reports
new file mode 100755
index 0000000..091a236
--- /dev/null
+++ b/global/post-tasks.d/020reports
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm -f /var/run/facts.json
+facter -p -y > /var/run/facts.yaml
diff --git a/global/post-tasks.d/030puppet b/global/post-tasks.d/030puppet
new file mode 100755
index 0000000..6b1d33a
--- /dev/null
+++ b/global/post-tasks.d/030puppet
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+ args="--verbose"
+else
+ args="--logdest=syslog"
+fi
+
+if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then
+ for m in `find /etc/puppet/manifests -name \*.pp`; do
+ puppet apply $args $m
+ done
+fi
diff --git a/global/post-tasks.d/099autoremove b/global/post-tasks.d/099autoremove
new file mode 100755
index 0000000..2cc6996
--- /dev/null
+++ b/global/post-tasks.d/099autoremove
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+apt-get -qq update
+apt-get -qq -y autoremove
diff --git a/global/post-tasks.d/999reboot b/global/post-tasks.d/999reboot
new file mode 100755
index 0000000..5331446
--- /dev/null
+++ b/global/post-tasks.d/999reboot
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+test -f /var/run/reboot-required -a ! -f /etc/cosmos-manual-reboot && reboot
diff --git a/global/pre-tasks.d/020common-tools b/global/pre-tasks.d/020common-tools
new file mode 100755
index 0000000..eaca6ea
--- /dev/null
+++ b/global/pre-tasks.d/020common-tools
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp"
+
+if ! test -f $stamp; then
+ apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp
+ update-alternatives --set editor /usr/bin/vim.basic
+
+ mkdir -p `dirname $stamp`
+ touch $stamp
+fi
diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet
new file mode 100755
index 0000000..2dc0b80
--- /dev/null
+++ b/global/pre-tasks.d/030puppet
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
+
+if ! test -f $stamp -a -f /usr/bin/puppet; then
+ codename=`lsb_release -c| awk '{print $2}'`
+ wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb
+ dpkg -i puppetlabs-release-${codename}.deb
+ rm -f puppetlabs-release-${codename}.deb*
+ apt-get update
+ apt-get -y install puppet-common
+
+ mkdir -p `dirname $stamp`
+ touch $stamp
+fi
+
+python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
+
+if [ -f /etc/puppet/cosmos-modules.conf ]; then
+ grep -E -v "^#" /etc/puppet/cosmos-modules.conf | (
+ cd /etc/puppet/modules && while read module src update; do
+ if [ ! -d /etc/puppet/modules/$module ]; then
+ echo $src | grep -q "://" && git clone $src $module || puppet module install $src
+ else
+ if [ "x$update" = "xyes" ]; then
+ echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src
+ fi
+ fi
+ done)
+fi