Diffstat (limited to 'global/overlay/etc/puppet')
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf9
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp116
2 files changed, 86 insertions, 39 deletions
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index af786c4..6a89c4f 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -3,11 +3,10 @@
#
concat puppetlabs/concat no
stdlib puppetlabs/stdlib no
-cosmos git://github.com/leifj/puppet-cosmos.git yes
+cosmos git://github.com/SUNET/puppet-cosmos.git yes ct-ops-*
ufw attachmentgenie/ufw no
apt puppetlabs/apt no
vcsrepo puppetlabs/vcsrepo no
-xinetd puppetlabs/xinetd no
-#golang elithrar/golang yes
-#python git://github.com/stankevich/puppet-python.git yes
-hiera-gpg git://github.com/SUNET/hiera-gpg.git no
+hiera-gpg git://github.com/SUNET/hiera-gpg.git no ct-ops-*
+docker git://github.com/SUNET/garethr-docker.git yes ct-ops-*
+augeas git://github.com/SUNET/puppet-augeas.git yes ct-ops-*
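Review bot: Every new entry (cosmos, docker, augeas, and the retained hiera-gpg) fetches module code over the plain `git://` protocol, which has no transport encryption and no authentication of the remote, so anyone on the network path can serve a modified module that Puppet then applies as root on every matching host. GitHub serves the same repositories over TLS, so the rows should use `https://github.com/SUNET/puppet-cosmos.git`, `https://github.com/SUNET/garethr-docker.git` and `https://github.com/SUNET/puppet-augeas.git` (and likewise for hiera-gpg). The third column presumably marks modules that are kept in sync from the remote, which makes the unauthenticated fetch a recurring exposure rather than a one-off; if the loader supports pinning a tag or commit, that would further bound what an upstream compromise can push into the overlay.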
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index c276f84..8bf5aee 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -6,47 +6,95 @@ Exec {
# include some of this stuff for additional features
-#include cosmos::tools
-#include cosmos::motd
-#include cosmos::ntp
-#include cosmos::rngtools
-#include cosmos::preseed
+include cosmos::tools
+include cosmos::motd
+include cosmos::ntp
+include cosmos::rngtools
+include cosmos::preseed
include ufw
include apt
include cosmos
# you need a default node
-node default {
+node default {
+
+ class { 'sshserver': }
+ class { 'mailclient':
+ domain => 'smtp.nordu.net'
+ }
+ class { 'sshkeys': }
}
-# edit and uncomment to manage ssh root keys in a simple way
-
-#class { 'cosmos::access':
-# keys => [
-# "ssh-rsa ..."
-# ]
-#}
-
-# example config for the nameserver class which is matched in cosmos-rules.yaml
-
-#class nameserver {
-# package {'bind9':
-# ensure => latest
-# }
-# service {'bind9':
-# ensure => running
-# }
-# ufw::allow { "allow-dns-udp":
-# ip => 'any',
-# port => 53,
-# proto => "udp"
-# }
-# ufw::allow { "allow-dns-tcp":
-# ip => 'any',
-# port => 53,
-# proto => "tcp"
-# }
-#}
+class dockerhost {
+ apt::source {'docker_official':
+ location => 'https://get.docker.com/ubuntu',
+ release => 'docker',
+ repos => 'main',
+ key => 'A88D21E9',
+ include_src => false
+ }
+ package {'lxc-docker':
+ ensure => latest
+ }
+ class {'docker':
+ manage_package => false
+ }
+}
+class webserver {
+ ufw::allow { "allow-http":
+ ip => 'any',
+ port => 80
+ }
+ ufw::allow { "allow-https":
+ ip => 'any',
+ port => 443
+ }
+}
+
+class mailclient ($domain) {
+ cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain}
+}
+
+class sshserver {
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+ ufw::allow { "allow-sshd":
+ ip => 'any',
+ port => 22
+ }
+}
+
+class sshkeys {
+ ssh_authorized_key {'leifj+neo':
+ ensure => present,
+ name => 'leifj+neo@mnt.se',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+ ssh_authorized_key {'linus':
+ ensure => present,
+ name => 'linus@nordu.net',
+ key => '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',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+}
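Review bot: The `dockerhost` class trusts the Docker apt repository via the 8-hex short key ID `key => 'A88D21E9'`, and short IDs are collision-prone (keys with a chosen short ID are cheap to generate), so the key should be given as its full 40-character fingerprint rather than the short form; together with `ensure => latest` on `lxc-docker` this key is what gates unattended root-level package installs. In `sshserver`, the augeas changes disable password authentication but never set `PermitRootLogin`, even though `sshkeys` places both authorized keys under `user => 'root'`; adding `"set PermitRootLogin without-password",` to the `changes` list makes the key-only root policy explicit instead of relying on the distribution default. Both classes also `notify => Service['ssh']`, but no `service { 'ssh': }` resource is declared in this hunk, so the catalog presumably depends on one of the included cosmos classes providing it.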