Diffstat (limited to 'global/overlay/etc/puppet/modules/sunet/manifests')
14 files changed, 0 insertions, 571 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp
deleted file mode 100644
index 348d9c5..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp
+++ /dev/null
@@ -1,7 +0,0 @@
-# Add a user to a group
-define sunet::add_user_to_group($username, $group) {
- exec {"add_user_${username}_to_group_${group}_exec":
- command => "adduser --quiet $username $group",
- path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/cloudimage.pp b/global/overlay/etc/puppet/modules/sunet/manifests/cloudimage.pp
deleted file mode 100644
index d6400d7..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/cloudimage.pp
+++ /dev/null
@@ -1,38 +0,0 @@
-define sunet::cloudimage (
- $image_url = "https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-disk1.img",
- $dhcp = true,
- $size = "1G",
- $bridge = "br0",
- $memory = "1024",
- $cpus = "1",
- $resolver = undef,
- $ip = undef,
- $netmask = undef,
- $gateway = undef,
- $ip6 = undef,
- $netmask6 = "64",
- $gateway6 = undef,
- $tagpattern = undef,
- $repo = undef
-)
-{
- package {'mtools': ensure => latest }
- package {'libvirt-bin': ensure => latest }
- package {'uuid-runtime': ensure => latest }
- package {'virtinst': ensure => latest }
-
- $image_url_a = split($image_url,"/")
- $image_name = $image_url_a[-1]
- $image_src = "/var/lib/libvirt/images/${image_name}"
- file { "/var/lib/libvirt/images/${name}": ensure => directory } ->
- exec {"wget -O${image_src} ${image_url}":
- onlyif => "test ! -f ${image_src}"
- }
- file { "/var/lib/libvirt/images/${name}/${name}-init.sh":
- content => template("sunet/cloudimage/mk_cloud_image.erb"),
- mode => "0755"
- } ->
- exec { "/var/lib/libvirt/images/${name}/${name}-init.sh":
- onlyif => "test ! -f /var/lib/libvirt/images/${name}/${name}.img"
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
deleted file mode 100644
index 4b56a03..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
+++ /dev/null
@@ -1,46 +0,0 @@
-# Common use of docker::run
-define sunet::docker_run(
- $image,
- $imagetag = hiera('sunet_docker_default_tag', 'latest'),
- $volumes = [],
- $ports = [],
- $env = [],
- $net = 'bridge',
- $extra_parameters = [],
- $command = "",
- $hostname = undef,
-) {
-
- # Make container use unbound resolver on dockerhost
- # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
- $dns = $net ? {
- 'host' => [], # docker refuses --dns with --net host
- default => [pick($::ipaddress_docker0, '172.17.42.1')],
- }
-
- $image_tag = "${image}:${imagetag}"
- docker::image { $image_tag : } ->
-
- docker::run {$name :
- use_name => true,
- image => $image_tag,
- volumes => flatten([$volumes,
- '/etc/passwd:/etc/passwd:ro', # uid consistency
- '/etc/group:/etc/group:ro', # gid consistency
- ]),
- hostname => $hostname,
- ports => $ports,
- env => $env,
- net => $net,
- extra_parameters => flatten([$extra_parameters,
- '--rm',
- ]),
- dns => $dns,
- verify_checksum => false, # Rely on registry security for now. eduID risk #31.
- command => $command,
- pre_start => 'run-parts /usr/local/etc/docker.d',
- post_start => 'run-parts /usr/local/etc/docker.d',
- pre_stop => 'run-parts /usr/local/etc/docker.d',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
deleted file mode 100644
index 67f75f9..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
+++ /dev/null
@@ -1,56 +0,0 @@
-# Install docker from https://get.docker.com/ubuntu
-class sunet::dockerhost {
- apt::source {'docker_official':
- location => 'https://get.docker.com/ubuntu',
- release => 'docker',
- repos => 'main',
- key => 'A88D21E9',
- include_src => false
- }
- package {'lxc-docker':
- ensure => latest,
- }
-
- class {'docker':
- manage_package => false,
- }
-
- package { 'unbound': ensure => 'latest' }
- service { 'unbound': ensure => 'running' }
-
- file { '/usr/local/etc/docker.d/20unbound':
- ensure => file,
- path => '/usr/local/etc/docker.d/20unbound',
- mode => '0755',
- content => template('sunet/dockerhost/20unbound.erb'),
- }
-
- file { '/etc/logrotate.d/docker-containers':
- ensure => file,
- path => '/etc/logrotate.d/docker-containers',
- mode => '0644',
- content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
- }
-
- file { '/etc/unbound/unbound.conf.d/docker.conf':
- ensure => file,
- path => '/etc/unbound/unbound.conf.d/docker.conf',
- mode => '0644',
- content => template('sunet/dockerhost/unbound_docker.conf.erb'),
- notify => Service['unbound'],
- }
-
- ufw::allow { 'allow-docker-resolving_udp':
- port => '53',
- ip => $::ipaddress_docker0, # both IPv4 and IPv6
- from => '172.16.0.0/12',
- proto => 'udp',
- }
- ufw::allow { 'allow-docker-resolving_tcp':
- port => '53',
- ip => $::ipaddress_docker0, # both IPv4 and IPv6
- from => '172.16.0.0/12',
- proto => 'tcp',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
deleted file mode 100644
index 9956e00..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
+++ /dev/null
@@ -1,12 +0,0 @@
-define sunet::encrypted_swap() {
-
- package { 'ecryptfs-utils':
- ensure => 'installed'
- } ->
-
- exec {'sunet_ecryptfs_setup_swap':
- command => '/usr/bin/ecryptfs-setup-swap -f',
- onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
deleted file mode 100644
index a80d355..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
+++ /dev/null
@@ -1,44 +0,0 @@
-define sunet::etcd_node(
- $disco_url = undef,
- $etcd_version = 'v2.0.8',
- $proxy = true
-)
-{
- include stdlib
-
- file { ["/data/${name}","/data/${name}/${::hostname}"]: ensure => 'directory' }
- $common_args = ["--discovery ${disco_url}",
- "--name ${::hostname}",
- "--data-dir /data",
- "--key-file /etc/ssl/private/${::fqdn}_infra.key",
- "--ca-file /etc/ssl/certs/infra.crt",
- "--cert-file /etc/ssl/certs/${::fqdn}_infra.crt"]
- if $proxy {
- $args = concat($common_args,["--proxy on","--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379"])
- } else {
- $args = concat($common_args,["--initial-advertise-peer-urls http://${::ipaddress_eth1}:2380",
- "--advertise-client-urls http://${::ipaddress_eth1}:2379",
- "--listen-peer-urls http://0.0.0.0:2380",
- "--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379",
- "--peer-key-file /etc/ssl/private/${::fqdn}_infra.key",
- "--peer-ca-file /etc/ssl/certs/infra.crt",
- "--peer-cert-file /etc/ssl/certs/${::fqdn}_infra.crt"])
- }
- sunet::docker_run { "etcd_${name}":
- image => 'quay.io/coreos/etcd',
- imagetag => $etcd_version,
- volumes => ["/data/${name}:/data","/etc/ssl:/etc/ssl"],
- command => join($args," "),
- ports => ["${::ipaddress_eth1}:2380:2380","${::ipaddress_eth1}:2379:2379","${::ipaddress_docker0}:4001:2379"]
- }
- if !$proxy {
- ufw::allow { "allow-etcd-peer":
- ip => "${::ipaddress_eth1}",
- port => 2380
- }
- ufw::allow { "allow-etcd-client":
- ip => "${::ipaddress_eth1}",
- port => 2379
- }
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
deleted file mode 100644
index 8ff7325..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-define sunet::ethernet_bonding() {
- # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
- # for all physical hosts that are running Ubuntu.
- #
- # Bonding requires setup in /etc/network/interfaces as well.
- #
- if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
- if $::operatingsystemrelease <= '12.04' {
- package {'ifenslave': ensure => 'present' }
- } else {
- package {'ifenslave-2.6': ensure => 'present' }
- }
-
- file_line { 'load_module_at_boot':
- path => '/etc/modules',
- line => 'bonding',
- }
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
deleted file mode 100644
index 01a9662..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class sunet::fail2ban {
-
- package {'fail2ban':
- ensure => 'latest'
- } ->
- service {'fail2ban':
- ensure => 'running'
- }
- exec {"fail2ban_defaults":
- refreshonly => true,
- subscribe => Service['fail2ban'],
- command => "sleep 5; /usr/bin/fail2ban-client set ssh bantime 600800"
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/flog.pp b/global/overlay/etc/puppet/modules/sunet/manifests/flog.pp
deleted file mode 100644
index 553e83b..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/flog.pp
+++ /dev/null
@@ -1,82 +0,0 @@
-class sunet::flog {
-
- $postgres_password = hiera('flog_postgres_password', 'NOT_SET_IN_HIERA')
-
- file {'/var/docker':
- ensure => 'directory',
- } ->
- sunet::system_user {'postgres-system-user':
- username => 'postgres',
- group => 'postgres',
- } ->
- sunet::add_user_to_group { 'postgres_ssl_cert_access':
- username => 'postgres',
- group => 'ssl-cert',
- } ->
- sunet::system_user {'www-data-system-user':
- username => 'www-data',
- group => 'www-data',
- } ->
- sunet::system_user {'memcache-system-user':
- username => 'memcache',
- group => 'memcache',
- } ->
- file {'/var/docker/postgresql_data':
- ensure => 'directory',
- owner => 'postgres',
- group => 'root',
- mode => '0770',
- } ->
- file {'/var/docker/postgresql_data/backup':
- ensure => 'directory',
- owner => 'postgres',
- group => 'root',
- mode => '0770',
- } ->
- file {'/var/log/flog_db':
- ensure => 'directory',
- owner => 'root',
- group => 'postgres',
- mode => '1775',
- } ->
- file {'/var/log/flog_app':
- ensure => 'directory',
- owner => 'root',
- group => 'www-data',
- mode => '1775',
- } ->
- file {'/var/log/flog_cron':
- ensure => 'directory',
- owner => 'root',
- group => 'www-data',
- mode => '1775',
- } ->
- file { "/opt/flog/nginx/certs/flog.sunet.se.key":
- ensure => file,
- path => "/opt/flog/nginx/certs/flog.sunet.se.key",
- mode => '0640',
- content => hiera('server_cert_key', 'NOT_SET_IN_HIERA'),
- } ->
- file { "/opt/flog/dotenv":
- ensure => file,
- path => "/opt/flog/dotenv",
- mode => '0640',
- content => template('sunet/flog/dotenv.erb'),
- } ->
- sunet::docker_run {'flog_db':
- image => 'docker.sunet.se/flog/postgresql-9.3',
- volumes => ['/etc/ssl:/etc/ssl', '/var/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'],
- } ->
- sunet::docker_run {'flog_app':
- image => 'docker.sunet.se/flog/flog_app',
- volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'],
- } ->
- sunet::docker_run {'memcached':
- image => 'docker.sunet.se/library/memcached',
- } ->
- sunet::docker_run {'flog_nginx':
- image => 'docker.sunet.se/flog/nginx',
- ports => ['80:80', '443:443'],
- volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ici_ca.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ici_ca.pp
deleted file mode 100644
index 3658142..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/ici_ca.pp
+++ /dev/null
@@ -1,38 +0,0 @@
-define sunet::ici_ca($pkcs11_module="/usr/lib/softhsm/libsofthsm.so",
- $pkcs11_pin=undef,
- $pkcs11_key_slot="0",
- $pkcs11_key_id="abcd",
- $autosign_dir=undef,
- $autosign_type="peer",
- $public_repo_url=undef,
- $public_repo_dir=undef)
-{
- apt::ppa {'ppa:leifj/ici': } ->
- package { 'ici': ensure => latest } ->
- exec { '${name}_setup_ca':
- command => "/usr/bin/ici ${name} init",
- creates => "/var/lib/ici/${name}"
- } ->
- file { '${name}_ca_config':
- path => "/var/lib/ici/${name}/ca.config",
- content => template("sunet/ici_ca/ca.config.erb")
- }
- if $public_repo_dir and $public_repo_url {
- cron {'ici_publish':
- command => "test -f /var/lib/ici/${name}/ca.crt && /usr/bin/ici ${name} gencrl && /usr/bin/ici ${name} publish ${public_repo_dir}",
- user => "root",
- minute => "*/5"
- }
- }
-}
-
-define sunet::ici_ca::autosign($ca=undef,
- $autosign_dir=undef,
- $autosign_type="client")
-{
- cron {"ici_autosign_${name}":
- command => "test -f /var/lib/ici/${ca}/ca.crt && /usr/bin/ici ${ca} issue -t ${autosign_type} -d 365 --copy-extensions ${autosign_dir}",
- user => "root",
- minute => "*/5"
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
deleted file mode 100644
index 91ccf6c..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
+++ /dev/null
@@ -1,49 +0,0 @@
-class sunet::nagios {
-
- $nagios_ip_v4 = hiera('nagios_ip_v4', '109.105.111.111')
- $nagios_ip_v6 = hiera('nagios_ip_v6', '2001:948:4:6::111')
- $allowed_hosts = "${nagios_ip_v4},${nagios_ip_v6}"
-
- package {'nagios-nrpe-server':
- ensure => 'installed',
- }
- service {'nagios-nrpe-server':
- ensure => 'running',
- enable => 'true',
- require => Package['nagios-nrpe-server'],
- }
- file { "/etc/nagios/nrpe.cfg" :
- notify => Service['nagios-nrpe-server'],
- ensure => 'file',
- mode => '0640',
- group => 'nagios',
- require => Package['nagios-nrpe-server'],
- content => template('sunet/nagioshost/nrpe.cfg.erb'),
- }
- file { "/usr/lib/nagios/plugins/check_uptime.pl" :
- ensure => 'file',
- mode => '0751',
- group => 'nagios',
- require => Package['nagios-nrpe-server'],
- content => template('sunet/nagioshost/check_uptime.pl.erb'),
- }
- file { "/usr/lib/nagios/plugins/check_reboot" :
- ensure => 'file',
- mode => '0751',
- group => 'nagios',
- require => Package['nagios-nrpe-server'],
- content => template('sunet/nagioshost/check_reboot.erb'),
- }
- ufw::allow { "allow-nrpe-v4":
- from => "${nagios_ip_v4}",
- ip => 'any',
- proto => 'tcp',
- port => 5666
- }
- ufw::allow { "allow-nrpe-v6":
- from => "${nagios_ip_v6}",
- ip => 'any',
- proto => 'tcp',
- port => 5666
- }
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
deleted file mode 100644
index d89302f..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ /dev/null
@@ -1,91 +0,0 @@
-define sunet::server() {
-
- # fail2ban
- class { 'sunet::fail2ban': }
-
- # Set up encrypted swap
- sunet::encrypted_swap { 'sunet_encrypted_swap': }
-
- # Add prerequisites for ethernet bonding, if physical server
- sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
-
-# Removed until SWAMID hosts can have their ufw module updated / ft
-# # Ignore IPv6 multicast
-# ufw::deny { 'ignore_v6_multicast':
-# ip => 'ff02::1',
-# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
-# }
-
-# # Ignore IPv6 multicast PIM router talk
-# ufw::deny { 'ignore_v6_multicast_PIM':
-# ip => 'ff02::d',
-# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
-# }
-
- include augeas
- augeas { "sshd_config":
- context => "/files/etc/ssh/sshd_config",
- changes => [
- "set PasswordAuthentication no",
- "set X11Forwarding no",
- "set LogLevel VERBOSE", # log pubkey used for root login
- ],
- notify => Service['ssh'],
- } ->
- file_line {
- 'no_sftp_subsystem':
- path => '/etc/ssh/sshd_config',
- match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
- line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
- notify => Service['ssh'],
- }
-
- # already declared in puppet-cosmos/manifests/ntp.pp
- #service { 'ntp':
- # ensure => 'running',
- #}
-
- # Don't use pool.ntp.org servers, but rather DHCP provided NTP servers
- line { 'no_pool_ntp_org_servers':
- file => '/etc/ntp.conf',
- line => '^server .*\.pool\.ntp\.org',
- ensure => 'comment',
- notify => Service['ntp'],
- }
-
- file { '/var/cache/scriptherder':
- ensure => 'directory',
- path => '/var/cache/scriptherder',
- mode => '1777', # like /tmp, so user-cronjobs can also use scriptherder
- }
-
-
-}
-
-# from http://projects.puppetlabs.com/projects/puppet/wiki/Simple_Text_Patterns/5
-define line($file, $line, $ensure = 'present') {
- case $ensure {
- default : { err ( "unknown ensure value ${ensure}" ) }
- present: {
- exec { "/bin/echo '${line}' >> '${file}'":
- unless => "/bin/grep -qFx '${line}' '${file}'"
- }
- }
- absent: {
- exec { "/usr/bin/perl -ni -e 'print unless /^\\Q${line}\\E\$/' '${file}'":
- onlyif => "/bin/grep -qFx '${line}' '${file}'"
- }
- }
- uncomment: {
- exec { "/bin/sed -i -e'/${line}/s/^#\\+//' '${file}'":
- onlyif => "/bin/grep '${line}' '${file}' | /bin/grep '^#' | /usr/bin/wc -l"
- }
- }
- comment: {
- exec { "/bin/sed -i -e'/${line}/s/^\\(.\\+\\)$/#\\1/' '${file}'":
- onlyif => "/usr/bin/test `/bin/grep '${line}' '${file}' | /bin/grep -v '^#' | /usr/bin/wc -l` -ne 0"
- }
- }
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp
deleted file mode 100644
index 819ef4a..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp
+++ /dev/null
@@ -1,22 +0,0 @@
-define sunet::system_user(
- $username,
- $group,
- $system = true,
- $shell = '/bin/false'
- ) {
-
- user { $username :
- ensure => present,
- name => $username,
- membership => minimum,
- system => $system,
- require => Group[ $group ],
- shell => $shell,
- }
-
- group { $group :
- ensure => present,
- name => $group,
- }
-
-}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
deleted file mode 100644
index 6f6abed..0000000
--- a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
+++ /dev/null
@@ -1,53 +0,0 @@
-# a basic wp setup using docker
-
-define sunet::wordpress (
-$db_host = undef,
-$wordpress_version = "4.1.1",
-$myqsl_version = "5.7")
-{
- include augeas
- $db_hostname = $db_host ? {
- undef => "${name}_mysql.docker",
- default => $db_host
- }
- $pwd = hiera("${name}_db_password",'NOT_SET_IN_HIERA')
- file {"/data/${name}": ensure => directory } ->
- file {"/data/${name}/html": ensure => directory } ->
- sunet::docker_run { "${name}_wordpress":
- image => "wordpress",
- imagetag => $wordpress_version,
- volumes => ["/data/${name}/html:/var/www/html"],
- ports => ["8080:80"],
- env => [ "SERVICE_NAME=${name}",
- "WORDPRESS_DB_HOST=${db_hostname}",
- "WORDPRESS_DB_USER=${name}",
- "WORDPRESS_DB_NAME=${name}",
- "WORDPRESS_DB_PASSWORD=${pwd}" ]
- }
-
- if (!$db_host) {
- file {"/data/${name}/db": ensure => directory }
- group { 'mysql': ensure => 'present', system => true } ->
- user { 'mysql': ensure => 'present', groups => 'mysql', system => true } ->
- sunet::docker_run { "${name}_mysql":
- image => "mysql",
- imagetag => $mysql_version,
- volumes => ["/data/${name}/db:/var/lib/mysql"],
- env => ["MYSQL_USER=${name}",
- "MYSQL_PASSWORD=${pwd}",
- "MYSQL_ROOT_PASSWORD=${pwd}",
- "MYSQL_DATABASE=${name}"]
- }
- package {'automysqlbackup': ensure => latest } ->
- augeas { 'automysqlbackup_settings':
- incl => "/etc/default/automysqlbackup",
- lens => "Shellvars.lns",
- changes => [
- "set USERNAME ${name}",
- "set PASSWORD ${pwd}",
- "set DBHOST ${db_hostname}",
- "set DBNAMES ${name}"
- ]
- }
- }
-} |