Diffstat (limited to 'global/overlay/etc/puppet')
-rw-r--r--global/overlay/etc/puppet/cosmos-db.yaml6
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp63
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp7
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp22
5 files changed, 88 insertions, 12 deletions
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml
index d8a83ca..a84fd5f 100644
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@@ -89,9 +89,9 @@ classes:
sunetops: null
swamidops: null
sto-tug-kvm2.swamid.se:
- dockerhost: null
mailclient: *id002
sshaccess: null
+ sunet::dockerhost: null
sunetops: null
swamidops: null
webserver: null
@@ -138,7 +138,7 @@ members:
lobo2.lab.sunet.se]
docker_signer: [mdx2.swamid.se]
dockerhost: [www2.eduid.se, reep.tid.isoc.org, datasets.sunet.se, mdx1.swamid.se,
- mdx2.swamid.se, sto-tug-kvm2.swamid.se, docker.sunet.se, registry.swamid.se]
+ mdx2.swamid.se, docker.sunet.se, registry.swamid.se]
entropyserver: [random1.nordu.net, random2.nordu.net]
mailclient: [ca.sunet.se, cdr1.sunet.se, web-f1.sunet.se, web-db2.sunet.se, sto-tug-kvm-lab2.swamid.se,
datasets.sunet.se, mdx1.swamid.se, sto-tug-kvm-lab1.swamid.se, web-a1.sunet.se,
@@ -156,7 +156,7 @@ members:
lobo2.lab.sunet.se]
sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se]
sunet::dockerhost: [web-f1.sunet.se, web-db2.sunet.se, web-a1.sunet.se, web-db1.sunet.se,
- web-a2.sunet.se]
+ sto-tug-kvm2.swamid.se, web-a2.sunet.se]
sunetops: [ca.sunet.se, cdr1.sunet.se, cdr1.sunet.se, web-f1.sunet.se, web-db2.sunet.se,
sto-tug-kvm-lab2.swamid.se, datasets.sunet.se, mdx1.swamid.se, sto-tug-kvm-lab1.swamid.se,
web-a1.sunet.se, wp.sunet.se, mdx2.swamid.se, samltest.swamid.se, web-db1.sunet.se,
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index dc2b9c0..5035639 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -31,7 +31,7 @@ mdx2.swamid.se:
sto-tug-kvm2.swamid.se:
sshaccess:
webserver:
- dockerhost:
+ sunet::dockerhost:
reep.tid.isoc.org:
sshaccess:
swamidops:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index a519ccf..92e3804 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -697,17 +697,64 @@ node 'cdr1.sunet.se' {
}
node 'sto-tug-kvm2.swamid.se' {
- docker::image {'docker.sunet.se/flog/postgresql-9.3': }
- file {'/opt/docker/postgresql_data':
- ensure => 'directory',
- }
+ #class { 'fail2ban': }
+ file {'/var/docker':
+ ensure => 'directory',
+ } ->
+ sunet::system_user {'postgres-system-user':
+ username => 'postgres',
+ group => 'postgres',
+ } ->
+ sunet::add_user_to_group { 'postgres_ssl_cert_access':
+ username => 'postgres',
+ group => 'ssl-cert',
+ } ->
+ sunet::system_user {'www-data-system-user':
+ username => 'www-data',
+ group => 'www-data',
+ } ->
+ file {'/var/docker/postgresql_data':
+ ensure => 'directory',
+ owner => 'postgres',
+ group => 'postgres',
+ mode => '0700',
+ } ->
file {'/var/log/flog_db':
ensure => 'directory',
- }
- docker::run {'flog_db':
+ owner => 'root',
+ group => 'postgres',
+ mode => '1775',
+ } ->
+ file {'/var/postgresbackup':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'postgres',
+ mode => '1775',
+ } ->
+ file {'/var/log/flog_app':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'www-data',
+ mode => '1775',
+ } ->
+ file {'/var/log/flog_cron':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'www-data',
+ mode => '1775',
+ } ->
+ sunet::docker_run {'flog_db':
image => 'docker.sunet.se/flog/postgresql-9.3',
- use_name => true,
- volumes => ['/opt/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'],
+ volumes => ['/opt/flog/postgres/ssl:/etc/ssl', '/var/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'],
+ } ->
+ sunet::docker_run {'flog_app':
+ image => 'docker.sunet.se/flog/flog_app',
+ volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'],
+ } ->
+ sunet::docker_run {'flog_nginx':
+ image => 'docker.sunet.se/flog/nginx',
+ ports => ['80:80', '443:443'],
+ volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
}
}
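Review bot: The log directories created for the flog_app and flog_cron containers (`/var/log/flog_app`, `/var/log/flog_cron`) do not match the host paths the new docker_run resources actually bind-mount — flog_app mounts `/var/log/flog/` and flog_nginx mounts `/var/log/flog_nginx/`, and neither of those directories is managed anywhere in this node, so unless they are created elsewhere Docker will create them on first run with its own ownership and mode instead of the root-owned 1775 layout applied to the others. Either the volume paths or the file resources should be brought into agreement and the real mount points placed in the ordering chain; a sketch is below, with the group chosen to match the sibling log directories and to be confirmed against the uid each container runs as. The flog_db volume `/opt/flog/postgres/ssl:/etc/ssl` shadows the container's entire /etc/ssl tree, so the image's CA bundle is hidden unless the host directory carries one — if that is intended, a one-line comment saying so would spare the next reader a debugging session. The commented-out `#class { 'fail2ban': }` should either be dropped or carry a note on why it is disabled.
```puppet
  # … unchanged: /var/docker, user/group setup, postgresql_data, flog_db, postgresbackup, flog_app, flog_cron …
  file {'/var/log/flog':
    ensure => 'directory',
    owner  => 'root',
    group  => 'www-data',
    mode   => '1775',
  } ->
  file {'/var/log/flog_nginx':
    ensure => 'directory',
    owner  => 'root',
    group  => 'www-data',
    mode   => '1775',
  } ->
  # … unchanged: sunet::docker_run flog_db / flog_app / flog_nginx …
```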
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp
new file mode 100644
index 0000000..348d9c5
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp
@@ -0,0 +1,7 @@
+# Add a user to a group
+define sunet::add_user_to_group($username, $group) {
+ exec {"add_user_${username}_to_group_${group}_exec":
+ command => "adduser --quiet $username $group",
+ path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+ }
+}
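Review bot: The exec in the new define has no `unless`/`onlyif` guard, so `adduser` is re-run on every agent run and the resource is reported as changed each time even when the membership already exists. Adding `unless => "id -nG ${username} | xargs -n1 | grep -qx ${group}",` makes it idempotent, and braced `${username}`/`${group}` interpolation in the `command` string is the form puppet-lint expects. An explicit `require => [ User[$username], Group[$group] ],` would also make the define safe to use outside the arrow chain that cosmos-site.pp relies on for ordering.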
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp
new file mode 100644
index 0000000..819ef4a
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp
@@ -0,0 +1,22 @@
+define sunet::system_user(
+ $username,
+ $group,
+ $system = true,
+ $shell = '/bin/false'
+ ) {
+
+ user { $username :
+ ensure => present,
+ name => $username,
+ membership => minimum,
+ system => $system,
+ require => Group[ $group ],
+ shell => $shell,
+ }
+
+ group { $group :
+ ensure => present,
+ name => $group,
+ }
+
+}
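Review bot: `group { $group: }` is declared unconditionally inside the define, so two `sunet::system_user` instances that share a `$group` will fail with a duplicate resource declaration; guard it with `if ! defined(Group[$group]) { group { $group: ensure => present } }` (or `ensure_resource` if puppetlabs-stdlib is in use). The define also lacks the header comment its sibling add_user_to_group.pp has — something like `# Locked-down system account: no login shell by default, primary group created if missing` would do. `membership => minimum` is an unquoted bareword; quoting it as `'minimum'` matches the other values, and `name => $username` / `name => $group` merely repeat the resource titles and can be dropped.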