Diffstat (limited to 'global/overlay/etc/puppet/modules/sunet/manifests')
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp4
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp44
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp14
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp49
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/server.pp4
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp16
6 files changed, 129 insertions, 2 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
index 8df416b..4b56a03 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -7,6 +7,8 @@ define sunet::docker_run(
$env = [],
$net = 'bridge',
$extra_parameters = [],
+ $command = "",
+ $hostname = undef,
) {
# Make container use unbound resolver on dockerhost
@@ -26,6 +28,7 @@ define sunet::docker_run(
'/etc/passwd:/etc/passwd:ro', # uid consistency
'/etc/group:/etc/group:ro', # gid consistency
]),
+ hostname => $hostname,
ports => $ports,
env => $env,
net => $net,
@@ -34,6 +37,7 @@ define sunet::docker_run(
]),
dns => $dns,
verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ command => $command,
pre_start => 'run-parts /usr/local/etc/docker.d',
post_start => 'run-parts /usr/local/etc/docker.d',
pre_stop => 'run-parts /usr/local/etc/docker.d',
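Review bot: The new `command => $command` at L39 hands a free-form string to the underlying docker run resource, and the parameter defaults to `""` at L23 while the sibling `$hostname` added in the same change defaults to `undef`; pick `undef` for both so callers that omit `command` behave exactly like callers of the old define, and the two new parameters read consistently. Since the string is presumably spliced unquoted into the generated container start script, note the contract at the parameter: `$command = undef, # raw argument string appended to the image; must come from trusted manifests, never from untrusted data`. The define's header and parameter list sit in an earlier hunk of this file.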
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
new file mode 100644
index 0000000..a80d355
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
@@ -0,0 +1,44 @@
+define sunet::etcd_node(
+ $disco_url = undef,
+ $etcd_version = 'v2.0.8',
+ $proxy = true
+)
+{
+ include stdlib
+
+ file { ["/data/${name}","/data/${name}/${::hostname}"]: ensure => 'directory' }
+ $common_args = ["--discovery ${disco_url}",
+ "--name ${::hostname}",
+ "--data-dir /data",
+ "--key-file /etc/ssl/private/${::fqdn}_infra.key",
+ "--ca-file /etc/ssl/certs/infra.crt",
+ "--cert-file /etc/ssl/certs/${::fqdn}_infra.crt"]
+ if $proxy {
+ $args = concat($common_args,["--proxy on","--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379"])
+ } else {
+ $args = concat($common_args,["--initial-advertise-peer-urls http://${::ipaddress_eth1}:2380",
+ "--advertise-client-urls http://${::ipaddress_eth1}:2379",
+ "--listen-peer-urls http://0.0.0.0:2380",
+ "--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379",
+ "--peer-key-file /etc/ssl/private/${::fqdn}_infra.key",
+ "--peer-ca-file /etc/ssl/certs/infra.crt",
+ "--peer-cert-file /etc/ssl/certs/${::fqdn}_infra.crt"])
+ }
+ sunet::docker_run { "etcd_${name}":
+ image => 'quay.io/coreos/etcd',
+ imagetag => $etcd_version,
+ volumes => ["/data/${name}:/data","/etc/ssl:/etc/ssl"],
+ command => join($args," "),
+ ports => ["${::ipaddress_eth1}:2380:2380","${::ipaddress_eth1}:2379:2379","${::ipaddress_docker0}:4001:2379"]
+ }
+ if !$proxy {
+ ufw::allow { "allow-etcd-peer":
+ ip => "${::ipaddress_eth1}",
+ port => 2380
+ }
+ ufw::allow { "allow-etcd-client":
+ ip => "${::ipaddress_eth1}",
+ port => 2379
+ }
+ }
+}
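Review bot: The listener and advertise URLs at L65-L70 all use `http://0.0.0.0:…` and `http://${::ipaddress_eth1}:…` even though the same argument list passes `--cert-file`/`--key-file`/`--ca-file`, so the URLs the node advertises to peers and clients promise plaintext while TLS material is configured; make them `https://` throughout (e.g. `"--advertise-client-urls https://${::ipaddress_eth1}:2379"`) or drop the certificate flags if plaintext on a private network is the intent — I cannot see from the hunk how callers consume the advertised URLs. The volume `/etc/ssl:/etc/ssl` at L78 also exposes every host key under `/etc/ssl/private` to the container when only `${::fqdn}_infra.key` and two certificates are needed; mount those paths individually and read-only, e.g. `"/etc/ssl/private/${::fqdn}_infra.key:/etc/ssl/private/${::fqdn}_infra.key:ro"`. Finally, the default `$disco_url = undef` at L50 produces a bare `--discovery ` with an empty value in `$common_args`, which Go's flag parser will most likely resolve by swallowing the following `--name` token; guard it with `if $disco_url == undef { fail('sunet::etcd_node: disco_url is required') }` so the mistake fails at catalog compile time.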
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
new file mode 100644
index 0000000..01a9662
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
@@ -0,0 +1,14 @@
+class sunet::fail2ban {
+
+ package {'fail2ban':
+ ensure => 'latest'
+ } ->
+ service {'fail2ban':
+ ensure => 'running'
+ }
+ exec {"fail2ban_defaults":
+ refreshonly => true,
+ subscribe => Service['fail2ban'],
+ command => "sleep 5; /usr/bin/fail2ban-client set ssh bantime 600800"
+ }
+}
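Review bot: The exec at L107-L111 starts with `sleep 5;`, but Puppet's exec requires either a fully qualified first command or a `path` attribute, so as written the resource should be rejected at catalog application with "is not qualified and no path was specified"; add `path => ['/bin', '/usr/bin'],` or write `/bin/sleep 5`. Beyond that, `fail2ban-client set` changes only the running daemon, so any restart outside a Puppet-triggered refresh (package upgrade, reboot) silently reverts the ssh jail to the distro default until the next notify; managing the value in a file such as `file { '/etc/fail2ban/jail.local': content => "[ssh]\nbantime = 600800\n", notify => Service['fail2ban'] }` makes it persistent and removes the sleep race. `600800` seconds is about 6.95 days, so if a week was intended the value is `604800`, and the jail name `ssh` is distribution-specific (newer releases use `sshd`), which would make the exec fail there. `ensure => 'latest'` on L102 is a deliberate choice to auto-upgrade on every agent run; a one-line comment saying so would stop the next reviewer from "fixing" it.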
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
new file mode 100644
index 0000000..91ccf6c
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
@@ -0,0 +1,49 @@
+class sunet::nagios {
+
+ $nagios_ip_v4 = hiera('nagios_ip_v4', '109.105.111.111')
+ $nagios_ip_v6 = hiera('nagios_ip_v6', '2001:948:4:6::111')
+ $allowed_hosts = "${nagios_ip_v4},${nagios_ip_v6}"
+
+ package {'nagios-nrpe-server':
+ ensure => 'installed',
+ }
+ service {'nagios-nrpe-server':
+ ensure => 'running',
+ enable => 'true',
+ require => Package['nagios-nrpe-server'],
+ }
+ file { "/etc/nagios/nrpe.cfg" :
+ notify => Service['nagios-nrpe-server'],
+ ensure => 'file',
+ mode => '0640',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/nrpe.cfg.erb'),
+ }
+ file { "/usr/lib/nagios/plugins/check_uptime.pl" :
+ ensure => 'file',
+ mode => '0751',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/check_uptime.pl.erb'),
+ }
+ file { "/usr/lib/nagios/plugins/check_reboot" :
+ ensure => 'file',
+ mode => '0751',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/check_reboot.erb'),
+ }
+ ufw::allow { "allow-nrpe-v4":
+ from => "${nagios_ip_v4}",
+ ip => 'any',
+ proto => 'tcp',
+ port => 5666
+ }
+ ufw::allow { "allow-nrpe-v6":
+ from => "${nagios_ip_v6}",
+ ip => 'any',
+ proto => 'tcp',
+ port => 5666
+ }
+}
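Review bot: The hiera lookups at L121-L122 fall back to hard-coded public addresses, so a host whose hiera data lacks `nagios_ip_v4`/`nagios_ip_v6` silently opens tcp/5666 and NRPE's `allowed_hosts` to those defaults rather than failing; if the defaults are intentional for every SUNET host, say so with `# default: SUNET central monitoring; override per environment in hiera`, otherwise drop the defaults so a missing key fails the compile. The ufw rules at L155-L166 correctly restrict by source, which matters because NRPE itself offers no authentication; the `$allowed_hosts` value computed on L123 is only effective if the `nrpe.cfg.erb` template consumes it and keeps `dont_blame_nrpe=0`, which is not visible here and worth confirming. Minor style: `enable => 'true'` on L130 is a string where the boolean `enable => true` is conventional, and the three plugin `file` resources would be clearer with an explicit `owner => 'root'` alongside `group => 'nagios'`.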
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 14df323..d89302f 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -1,5 +1,8 @@
define sunet::server() {
+ # fail2ban
+ class { 'sunet::fail2ban': }
+
# Set up encrypted swap
sunet::encrypted_swap { 'sunet_encrypted_swap': }
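Review bot: Declaring `class { 'sunet::fail2ban': }` resource-style at L175 inside a define means the catalog fails with a duplicate declaration if `sunet::server` is ever declared more than once or if any other manifest also declares that class; since `sunet::fail2ban` takes no parameters there is nothing to pass, so `include sunet::fail2ban` is idempotent and safer. The define's body continues past this hunk.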
@@ -84,4 +87,5 @@ define line($file, $line, $ensure = 'present') {
}
}
}
+
}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
index 8daef2e..6f6abed 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
@@ -5,12 +5,12 @@ $db_host = undef,
$wordpress_version = "4.1.1",
$myqsl_version = "5.7")
{
+ include augeas
$db_hostname = $db_host ? {
undef => "${name}_mysql.docker",
default => $db_host
}
$pwd = hiera("${name}_db_password",'NOT_SET_IN_HIERA')
- file {"/data": ensure => directory } ->
file {"/data/${name}": ensure => directory } ->
file {"/data/${name}/html": ensure => directory } ->
sunet::docker_run { "${name}_wordpress":
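Review bot: Removing `file {"/data": ensure => directory }` at L199 leaves `/data/${name}` on L200 without a managed parent, and Puppet's file resource does not create parent directories, so this now depends on `/data` already existing on the host; presumably it is managed in another class now (the new `etcd_node.pp` in this commit also writes under `/data` without managing it), but if not, the first run on a fresh host will fail on L200. A `require => File['/data']` pointing at wherever that directory is now managed would make the dependency explicit. The define's parameter list begins before this hunk.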
@@ -18,7 +18,8 @@ $myqsl_version = "5.7")
imagetag => $wordpress_version,
volumes => ["/data/${name}/html:/var/www/html"],
ports => ["8080:80"],
- env => [ "WORDPRESS_DB_HOST=${db_hostname}",
+ env => [ "SERVICE_NAME=${name}",
+ "WORDPRESS_DB_HOST=${db_hostname}",
"WORDPRESS_DB_USER=${name}",
"WORDPRESS_DB_NAME=${name}",
"WORDPRESS_DB_PASSWORD=${pwd}" ]
@@ -37,5 +38,16 @@ $myqsl_version = "5.7")
"MYSQL_ROOT_PASSWORD=${pwd}",
"MYSQL_DATABASE=${name}"]
}
+ package {'automysqlbackup': ensure => latest } ->
+ augeas { 'automysqlbackup_settings':
+ incl => "/etc/default/automysqlbackup",
+ lens => "Shellvars.lns",
+ changes => [
+ "set USERNAME ${name}",
+ "set PASSWORD ${pwd}",
+ "set DBHOST ${db_hostname}",
+ "set DBNAMES ${name}"
+ ]
+ }
}
}
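Review bot: `set PASSWORD ${pwd}` at L223 writes the database password — the same value L214 uses as `MYSQL_ROOT_PASSWORD` — into `/etc/default/automysqlbackup`, and nothing here restricts that file's permissions, so unless the package installs it mode 0600 (worth checking) the root DB credential becomes readable by every local user; add `file { '/etc/default/automysqlbackup': owner => 'root', group => 'root', mode => '0600', require => Package['automysqlbackup'] }` ordered before the augeas resource. The `set` values are unquoted, so a password containing whitespace or shell metacharacters yields an invalid Shellvars entry; quoting as `"set PASSWORD '${pwd}'"` covers the common cases, though a password containing a single quote would still need escaping. Longer term the backup job should use a dedicated read-only MySQL account rather than the root password, but that is outside this hunk.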