Diffstat (limited to 'global/overlay/etc/puppet')
6 files changed, 277 insertions, 7 deletions
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index af786c4..b0a91f4 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -8,6 +8,7 @@ ufw attachmentgenie/ufw no
 apt puppetlabs/apt no
 vcsrepo puppetlabs/vcsrepo no
 xinetd puppetlabs/xinetd no
-#golang elithrar/golang yes
-#python git://github.com/stankevich/puppet-python.git yes
+golang elithrar/golang yes
+python git://github.com/stankevich/puppet-python.git yes
+dhcp git://github.com/SUNET/puppetlabs-dhcp yes
 hiera-gpg git://github.com/SUNET/hiera-gpg.git no
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index d9dc495..2244c7a 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -1,2 +1,6 @@
-'ns[0-9]?.mnt.se$':
- nameserver:
+# Don't enable class sunet for all hosts until tested.
+#'\.sunet\.se$':
+# sunet:
+'^cdr\d+\.sunet\.se$':
+ sunet-cdr:
+ sunet:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index c276f84..737045a 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -17,7 +17,7 @@ include cosmos
 # you need a default node
-node default {
+node default {
 }
@@ -33,8 +33,8 @@ node default {
 #class nameserver {
 # package {'bind9':
-# ensure => latest
-# }
+# ensure => latest
+# }
 # service {'bind9':
 # ensure => running
 # }
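Review bot: The new `dhcp git://github.com/SUNET/puppetlabs-dhcp yes` row, like the two rows uncommented just above it, fetches module code over plain git:// with no revision pinned, so every host that enables the module pulls whatever the remote's default branch holds at run time and gets no transport authentication on the way. Because the fetched manifests run as root on those hosts, an https URL plus a pinned tag or commit (if the cosmos-modules format has a column for one) would make the supply chain reviewable; the mixed forms already in the file (`elithrar/golang` next to full git URLs) suggest the loader accepts more than one syntax, so it is worth checking what it supports.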
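Review bot: The selector `'^cdr\d+\.sunet\.se$'` is fine for a plain single-line fqdn, but if cosmos evaluates these keys with Ruby's regex engine, `^` and `$` are line anchors rather than string anchors; `\A` and `\z` anchor the whole value and remove the ambiguity. The commented-out `#'\.sunet\.se$':` template is worth anchoring the same way before it is enabled, since it will then select the `sunet` class (and its `sunet::server` work) for every matching host.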
@@ -50,3 +50,228 @@ node default {
 # }
 #}
+
+ufw::allow {"allow-ssh-tcp":
+ ip => 'any',
+ port => 22,
+ proto => 'tcp'
+}
+
+node 'sto-tug-kvm1.swamid.se' {
+
+ class { 'dhcp':
+ dnsdomain => [ 'eduid.se','sunet.se' ],
+ nameservers => ['130.242.80.14','130.242.80.99'],
+ ntpservers => ['pool.ntp.org'],
+ interfaces => ['eth0'],
+ #pxeserver => '130.242.125.5',
+ #pxefilename => 'pxelinux.0'
+ }
+
+ class { 'sunet-dhcp-hosts': }
+
+}
+
+class sunet-dhcp-hosts {
+
+ dhcp::pool {'sunet-servernet-tug-130.242.125.64/26':
+ network => '130.242.125.64',
+ mask => '255.255.255.192',
+ gateway => '130.242.125.65',
+ range => ''
+ }
+
+ dhcp::pool {'sunet-servernet-fre-130.242.125.128/26':
+ network => '130.242.125.128',
+ mask => '255.255.255.192',
+ gateway => '130.242.125.129',
+ range => ''
+ }
+
+ dhcp::pool {'install':
+ network => '130.242.125.0',
+ mask => '255.255.255.192',
+ gateway => '130.242.125.1',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-tug-IdP':
+ network => '130.242.130.0',
+ mask => '255.255.255.248',
+ gateway => '130.242.130.1',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-tug-auth':
+ network => '130.242.130.8',
+ mask => '255.255.255.248',
+ gateway => '130.242.130.9',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-tug-other':
+ network => '130.242.130.16',
+ mask => '255.255.255.240',
+ gateway => '130.242.130.17',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-fre-IdP':
+ network => '130.242.130.64',
+ mask => '255.255.255.248',
+ gateway => '130.242.130.65',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-fre-auth':
+ network => '130.242.130.72',
+ mask => '255.255.255.248',
+ gateway => '130.242.130.73',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-fre-other':
+ network => '130.242.130.80',
+ mask => '255.255.255.240',
+ gateway => '130.242.130.81',
+ range => ''
+ }
+
+ dhcp::pool {'eduid-lla-other':
+ network => '130.242.130.144',
+ mask => '255.255.255.240',
+ gateway => '130.242.130.145',
+ range => ''
+ }
+
+
+ # eduID TUG hosts
+
+ dhcp::host { 'kvmidp-tug-2_eth0': 
mac => "24:b6:fd:fe:fa:51", ip => "130.242.130.4", hostname => 'kvmidp-tug-2'; }
+ dhcp::host { 'kvmidp-tug-2_eth1': mac => "24:b6:fd:fe:fa:52", ip => "130.242.130.4", hostname => 'kvmidp-tug-2'; }
+
+ dhcp::host { 'idp-tug-2a': mac => "52:54:00:01:00:01", ip => "130.242.130.5"; }
+
+ dhcp::host { 'idp-tug-2b': mac => "52:54:00:01:00:02", ip => "130.242.130.6"; }
+
+ dhcp::host { 'auth-tug-2_eth0': mac => "f0:4d:a2:73:4e:9b", ip => "130.242.130.12", hostname => 'auth-tug-2'; }
+ dhcp::host { 'auth-tug-2_eth1': mac => "f0:4d:a2:73:4e:9c", ip => "130.242.130.12", hostname => 'auth-tug-2'; }
+
+ dhcp::host { 'kvm-tug-2_eth0': mac => "f0:4d:a2:73:4f:82", ip => "130.242.130.20", hostname => 'kvm-tug-2'; }
+ dhcp::host { 'kvm-tug-2_eth1': mac => "f0:4d:a2:73:4f:83", ip => "130.242.130.20", hostname => 'kvm-tug-2'; }
+
+ dhcp::host { 'db-tug-2_eth0': mac => "24:b6:fd:fe:fa:f0", ip => "130.242.130.21", hostname => 'db-tug-2'; }
+ dhcp::host { 'db-tug-2_eth1': mac => "24:b6:fd:fe:fa:f1", ip => "130.242.130.21", hostname => 'db-tug-2'; }
+
+ dhcp::host { 'mq-tug-2': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; }
+
+ dhcp::host { 'worker-tug-2': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; }
+
+ dhcp::host { 'signup-tug-2': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; }
+
+ dhcp::host { 'helpdesk-tug-2': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
+
+ dhcp::host { 'www-tug-2': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; }
+
+ dhcp::host { 'dashboard-tug-2_eth0': mac => "f0:4d:a2:73:4f:0d", ip => "130.242.130.30", hostname => 'dashboard-tug-2'; }
+ dhcp::host { 'dashboard-tug-2_eth1': mac => "f0:4d:a2:73:4f:0e", ip => "130.242.130.30", hostname => 'dashboard-tug-2'; }
+
+
+ # eduID FRE hosts
+
+ dhcp::host { 'kvmidp-fre-3_eth0': mac => "18:03:73:41:f3:e8", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
+ dhcp::host { 'kvmidp-fre-3_eth1': mac => "18:03:73:41:f3:e9", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
+
+ 
dhcp::host { 'idp-fre-3a': mac => "52:54:00:04:00:01", ip => "130.242.130.69"; }
+
+ dhcp::host { 'idp-fre-3b': mac => "52:54:00:04:00:02", ip => "130.242.130.70"; }
+
+ dhcp::host { 'auth-fre-3_eth0': mac => "18:03:73:0f:41:3c", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
+ dhcp::host { 'auth-fre-3_eth1': mac => "18:03:73:0f:41:3d", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
+
+ dhcp::host { 'kvm-fre-3_eth0': mac => "f0:4d:a2:73:4b:e3", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
+ dhcp::host { 'kvm-fre-3_eth1': mac => "f0:4d:a2:73:4b:e4", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
+
+ dhcp::host { 'www-fre-3': mac => "52:54:00:06:00:01", ip => "130.242.130.86"; }
+ dhcp::host { 'dashboard-fre-3': mac => "52:54:00:06:00:57", ip => "130.242.130.87"; }
+ dhcp::host { 'signup-fre-3': mac => "52:54:00:06:00:58", ip => "130.242.130.88"; }
+ dhcp::host { 'worker-fre-3': mac => "52:54:00:06:00:59", ip => "130.242.130.89"; }
+ dhcp::host { 'mq-fre-3': mac => "52:54:00:06:00:5a", ip => "130.242.130.90"; }
+
+ dhcp::host { 'db-fre-3_eth0': mac => "f0:4d:a2:73:4f:19", ip => "130.242.130.85", hostname => 'db-fre-3'; }
+ dhcp::host { 'db-fre-3_eth1': mac => "f0:4d:a2:73:4f:1a", ip => "130.242.130.85", hostname => 'db-fre-3'; }
+
+ dhcp::host { 'kvmapp-fre-3_eth0': mac => "78:45:c4:f7:90:ec", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }
+ dhcp::host { 'kvmapp-fre-3_eth1': mac => "78:45:c4:f7:90:ed", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }
+
+ # eduID LLA hosts
+
+ dhcp::host { 'db-lla-2_eth0': mac => "f0:4d:a2:73:4e:08", ip => "130.242.130.148", hostname => 'db-lla-2'; }
+ dhcp::host { 'db-lla-2_eth1': mac => "f0:4d:a2:73:4e:09", ip => "130.242.130.148", hostname => 'db-lla-2'; }
+
+
+
+ # eduID Development subnets
+ dhcp::pool {'eduid-tug-dev':
+ network => '194.68.13.128',
+ mask => '255.255.255.224',
+ gateway => '194.68.13.129',
+ range => '',
+ options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
+ }
+
+ 
dhcp::pool {'eduid-fre-dev':
+ network => '194.68.13.160',
+ mask => '255.255.255.224',
+ gateway => '194.68.13.161',
+ range => '',
+ options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
+ }
+
+ # eduID TUG development hosts
+ dhcp::host { 'idp-tug-1': mac => "52:54:00:a0:00:92", ip => "194.68.13.146" }
+
+ dhcp::host { 'testvm-tug-1': mac => "52:54:00:11:22:33", ip => "194.68.13.136" }
+
+ dhcp::host { 'userdb-tug-1': mac => "52:54:00:93:22:29", ip => "194.68.13.132" }
+ dhcp::host { 'userdb-tug-2': mac => "52:54:00:17:13:ff", ip => "194.68.13.133" }
+
+ # eduID FRE development hosts
+ dhcp::host { 'idp-fre-1': mac => "52:54:00:a1:00:b2", ip => "194.68.13.178" }
+
+ dhcp::host { 'dash-fre-1': mac => "52:54:00:a2:00:a7", ip => "194.68.13.167" }
+
+ dhcp::host { 'userdb-fre-1': mac => "52:54:00:17:13:f6", ip => "194.68.13.164" }
+
+}
+
+class sunet {
+
+ # Until we have proper Puppet managing of SSH
+ #ufw::allow { 'allow-ssh-sunet':
+ # port => '22',
+ # proto => 'tcp'
+ #}
+
+ package { 'emacs23-nox':
+ ensure => 'installed'
+ }
+
+ sunet::server { 'sunet_server': }
+
+}
+
+class sunet-cdr {
+
+ class { 'dhcp':
+ dnsdomain => [ 'eduid.se','sunet.se' ],
+ nameservers => ['130.242.80.14','130.242.80.99'],
+ ntpservers => ['pool.ntp.org'],
+ interfaces => ['bond0'],
+ #pxeserver => '130.242.125.5',
+ #pxefilename => 'pxelinux.0'
+ }
+
+ class { 'sunet-dhcp-hosts': }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
new file mode 100644
index 0000000..9956e00
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp
@@ -0,0 +1,12 @@
+define sunet::encrypted_swap() {
+
+ package { 'ecryptfs-utils':
+ ensure => 'installed'
+ } ->
+
+ exec {'sunet_ecryptfs_setup_swap':
+ command => '/usr/bin/ecryptfs-setup-swap -f',
+ onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
+ }
+
+}
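Review bot: `ufw::allow {"allow-ssh-tcp": ip => 'any', port => 22, proto => 'tcp' }` at the top of this hunk appears to be declared outside any node or class block, so every node compiled from this site manifest opens SSH to all sources, which is at odds with the commented-out `allow-ssh-sunet` rule in class `sunet` further down saying SSH is not yet Puppet-managed. Move it into the node or class that needs it and restrict `ip` to the admin networks, e.g. `ip => '<MGMT_NET_CIDR>'` (placeholder). Separately, the new class names `sunet-dhcp-hosts` and `sunet-cdr` contain hyphens, which Puppet 2.7 only warns about but Puppet 3 rejects; `sunet_dhcp_hosts` and `sunet_cdr` are safe, with the matching edit in cosmos-rules.yaml. The development `dhcp::host` entries also drop the trailing `;` the other entries use; both forms parse, but one style would read more easily.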
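Review bot: The `onlyif` pipeline starts with an unqualified `grep` and the exec sets no `path`, so Puppet's exec type should refuse it at catalog time with a "not qualified and no path was specified" error unless a global `Exec { path => ... }` default exists elsewhere in the site; `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],` fixes that. The pipe also assumes the check runs through a shell; if this Puppet version's posix provider does not hand the string to one, `provider => 'shell',` is needed as well. Since `ecryptfs-setup-swap -f` rewrites fstab and crypttab without prompting, a comment such as `# -e cryptswap excludes the entry the tool writes, which keeps this exec from re-running` would record why the guard is idempotent.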
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
new file mode 100644
index 0000000..8ff7325
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
@@ -0,0 +1,19 @@
+define sunet::ethernet_bonding() {
+ # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
+ # for all physical hosts that are running Ubuntu.
+ #
+ # Bonding requires setup in /etc/network/interfaces as well.
+ #
+ if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
+ if $::operatingsystemrelease <= '12.04' {
+ package {'ifenslave': ensure => 'present' }
+ } else {
+ package {'ifenslave-2.6': ensure => 'present' }
+ }
+
+ file_line { 'load_module_at_boot':
+ path => '/etc/modules',
+ line => 'bonding',
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
new file mode 100644
index 0000000..9215c8f
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -0,0 +1,9 @@
+define sunet::server() {
+
+ # Set up encrypted swap
+ sunet::encrypted_swap { 'sunet_encrypted_swap': }
+
+ # Add prerequisites for ethernet bonding, if physical server
+ sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
+
+} |
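Review bot: `$::operatingsystemrelease <= '12.04'` compares version strings with an ordering operator; whether that coerces both sides to numbers or compares them lexically depends on the Puppet version, and the lexical case misorders dotted releases (`'9.10'` sorts after `'12.04'`). `versioncmp($::operatingsystemrelease, '12.04') <= 0` is the comparison the comment describes, and it is worth confirming that the `ifenslave` / `ifenslave-2.6` split lands on the right side of that boundary for each release in use. Two smaller points: `$::is_virtual == 'false'` only holds while facts are stringified, and `file_line` comes from puppetlabs-stdlib, which is not among the rows visible in the cosmos-modules.conf hunk, so confirm it is listed further up that file.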
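Review bot: `sunet::server` is a defined type whose two inner resources have fixed titles, so a second `sunet::server { ... }` declaration on the same host (from another class, say) fails with a duplicate declaration of `sunet_encrypted_swap` rather than being a no-op. If one instance per host is the intent, a class (`class sunet::server`, pulled in with `include`) states that directly; otherwise derive the inner titles from the instance, e.g. `sunet::encrypted_swap { "${name}_encrypted_swap": }`.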