Diffstat (limited to 'global/overlay/etc/puppet/modules/sunet/manifests')
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp42
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp56
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp12
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp19
4 files changed, 129 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
new file mode 100644
index 0000000..8df416b
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -0,0 +1,42 @@
+# Common use of docker::run
+define sunet::docker_run(
+ $image,
+ $imagetag = hiera('sunet_docker_default_tag', 'latest'),
+ $volumes = [],
+ $ports = [],
+ $env = [],
+ $net = 'bridge',
+ $extra_parameters = [],
+) {
+
+ # Make container use unbound resolver on dockerhost
+ # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
+ $dns = $net ? {
+ 'host' => [], # docker refuses --dns with --net host
+ default => [pick($::ipaddress_docker0, '172.17.42.1')],
+ }
+
+ $image_tag = "${image}:${imagetag}"
+ docker::image { $image_tag : } ->
+
+ docker::run {$name :
+ use_name => true,
+ image => $image_tag,
+ volumes => flatten([$volumes,
+ '/etc/passwd:/etc/passwd:ro', # uid consistency
+ '/etc/group:/etc/group:ro', # gid consistency
+ ]),
+ ports => $ports,
+ env => $env,
+ net => $net,
+ extra_parameters => flatten([$extra_parameters,
+ '--rm',
+ ]),
+ dns => $dns,
+ verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ pre_start => 'run-parts /usr/local/etc/docker.d',
+ post_start => 'run-parts /usr/local/etc/docker.d',
+ pre_stop => 'run-parts /usr/local/etc/docker.d',
+ }
+
+}
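Review bot: `verify_checksum => false` at L54 together with the hiera default of `latest` at L22 means a container runs whatever the registry serves for that tag at pull time, with nothing in the manifest pinning the image to a reviewed tag or digest; the comment defers this to a risk ticket, but the manifest itself does not record the trade-off. If the docker module in use accepts digest references, a `@sha256:...` suffix in `$image_tag` would give a verifiable image identity; failing that, a comment on the `$imagetag` parameter such as `# NOTE: with verify_checksum off, 'latest' floats to whatever the registry serves — pin a tag or digest for production` makes the exposure visible to callers. A smaller point: the three hooks at L55-L57 all run the same `run-parts /usr/local/etc/docker.d`, so unless something not visible here passes the phase in, a script there cannot tell pre_start from post_start or pre_stop; a comment stating that hook scripts must be idempotent and phase-agnostic would make that contract explicit.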
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
new file mode 100644
index 0000000..67f75f9
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
@@ -0,0 +1,56 @@
+# Install docker from https://get.docker.com/ubuntu
+class sunet::dockerhost {
+ apt::source {'docker_official':
+ location => 'https://get.docker.com/ubuntu',
+ release => 'docker',
+ repos => 'main',
+ key => 'A88D21E9',
+ include_src => false
+ }
+ package {'lxc-docker':
+ ensure => latest,
+ }
+
+ class {'docker':
+ manage_package => false,
+ }
+
+ package { 'unbound': ensure => 'latest' }
+ service { 'unbound': ensure => 'running' }
+
+ file { '/usr/local/etc/docker.d/20unbound':
+ ensure => file,
+ path => '/usr/local/etc/docker.d/20unbound',
+ mode => '0755',
+ content => template('sunet/dockerhost/20unbound.erb'),
+ }
+
+ file { '/etc/logrotate.d/docker-containers':
+ ensure => file,
+ path => '/etc/logrotate.d/docker-containers',
+ mode => '0644',
+ content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
+ }
+
+ file { '/etc/unbound/unbound.conf.d/docker.conf':
+ ensure => file,
+ path => '/etc/unbound/unbound.conf.d/docker.conf',
+ mode => '0644',
+ content => template('sunet/dockerhost/unbound_docker.conf.erb'),
+ notify => Service['unbound'],
+ }
+
+ ufw::allow { 'allow-docker-resolving_udp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'udp',
+ }
+ ufw::allow { 'allow-docker-resolving_tcp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'tcp',
+ }
+
+}
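Review bot: `key => 'A88D21E9'` at L73 is an 8-hex short key ID; short IDs are cheap to collide, so the key fetched from a keyserver is not guaranteed to be the Docker release key, and packages signed by whatever key was imported are then installed with `ensure => latest` (L77) on every run. Use the full 40-hex fingerprint of the signing key, verified out of band, in `key =>`, or ship the key material with the module if the apt module version in use supports a key source/content parameter. Separately, the two `ufw::allow` resources at L109-L120 use `$::ipaddress_docker0`, which docker_run.pp's own comment says is unknown when docker was just installed; what `ufw::allow` does with an undef `ip` on that first run should be checked, since it likely opens port 53 on all addresses, and `from => '172.16.0.0/12'` is in any case far wider than the docker0 subnet.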
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
new file mode 100644
index 0000000..9956e00
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
@@ -0,0 +1,12 @@
+define sunet::encrypted_swap() {
+
+ package { 'ecryptfs-utils':
+ ensure => 'installed'
+ } ->
+
+ exec {'sunet_ecryptfs_setup_swap':
+ command => '/usr/bin/ecryptfs-setup-swap -f',
+ onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
+ }
+
+}
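Review bot: The `onlyif` at L137 is an unqualified pipeline on an exec with no `path` set, so Puppet will refuse it as an unqualified command before the check ever runs, and even with a path the default posix provider does not promise shell interpretation of `|`. Add `path => ['/bin', '/usr/bin']` and `provider => 'shell'` to the exec so the pipeline runs under /bin/sh as intended. It is also worth documenting what `-f` commits the host to: `ecryptfs-setup-swap -f` replaces the existing swap with a random-key cryptswap without prompting, which is generally understood to rule out resume-from-hibernate; `# NOTE: random-key cryptswap, so hibernation is not supported on these hosts` records that trade-off for the next maintainer.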
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
new file mode 100644
index 0000000..8ff7325
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
@@ -0,0 +1,19 @@
+define sunet::ethernet_bonding() {
+ # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
+ # for all physical hosts that are running Ubuntu.
+ #
+ # Bonding requires setup in /etc/network/interfaces as well.
+ #
+ if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
+ if $::operatingsystemrelease <= '12.04' {
+ package {'ifenslave': ensure => 'present' }
+ } else {
+ package {'ifenslave-2.6': ensure => 'present' }
+ }
+
+ file_line { 'load_module_at_boot':
+ path => '/etc/modules',
+ line => 'bonding',
+ }
+ }
+}
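Review bot: `$::operatingsystemrelease <= '12.04'` at L154 compares a version string with `<=`, and whether Puppet treats the operands as numbers or strings depends on the Puppet version, so the branch taken is not well defined; `if versioncmp($::operatingsystemrelease, '12.04') <= 0 {` compares by release component and is unambiguous. `$::is_virtual == 'false'` at L153 has a similar problem: on facter versions that return a boolean the comparison with the string is never true and bonding is silently skipped on every host, whereas `"${::is_virtual}" == 'false'` works for both representations. If I recall Ubuntu packaging correctly, `ifenslave-2.6` is the name on the older releases and `ifenslave` on the newer ones, which is the opposite of L155/L157 — worth confirming against the archive before this lands.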