Diffstat (limited to 'global/overlay/etc/puppet')
-rw-r--r-- | global/overlay/etc/puppet/cosmos-db.yaml | 154 | ||||
-rw-r--r-- | global/overlay/etc/puppet/cosmos-modules.conf | 54 | ||||
-rw-r--r-- | global/overlay/etc/puppet/cosmos-rules.yaml | 52 | ||||
-rwxr-xr-x | global/overlay/etc/puppet/cosmos_config_version | 11 | ||||
-rw-r--r-- | global/overlay/etc/puppet/facter/cosmos.rb | 22 | ||||
-rw-r--r-- | global/overlay/etc/puppet/manifests/cosmos-site.pp | 835 | ||||
-rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp | 12 | ||||
-rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp | 19 | ||||
-rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/server.pp | 87 | ||||
-rw-r--r-- | global/overlay/etc/puppet/puppet.conf | 5 |
10 files changed, 1179 insertions, 72 deletions
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml new file mode 100644 index 0000000..ce4fcbc --- /dev/null +++ b/global/overlay/etc/puppet/cosmos-db.yaml 
@@ -0,0 +1,154 @@ +classes: + cdr1.sunet.se: + mailclient: &id001 {domain: sunet.se} + sshaccess: null + sunet-cdr: null + sunetops: null + cdr2.sunet.se: + mailclient: *id001 + sshaccess: null + sunet-cdr: null + sunetops: null + dane.lab.sunet.se: + mailclient: *id001 + sshaccess: null + sunetops: null + datasets.sunet.se: + dockerhost: null + mailclient: *id001 + sshaccess: null + sunetops: null + webserver: null + docker.sunet.se: + dockerhost: null + mailclient: *id001 + sshaccess: null + sunetops: null + webserver: null + lobo2.lab.sunet.se: + mailclient: *id001 + sshaccess: null + sunetops: null + md-master.reep.refeds.org: {sshaccess: null, swamidops: null} + mdx1.swamid.se: + dockerhost: null + mailclient: &id002 {domain: sunet.se} + signer: null + sshaccess: null + sunetops: null + swamidops: null + mdx2.swamid.se: + docker_signer: null + dockerhost: null + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + meta.swamid.se: + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + random1.nordu.net: {entropyserver: null, quantis: null} + random2.nordu.net: {entropyserver: null, quantis: null} + reep.tid.isoc.org: {dockerhost: null, sshaccess: null, swamidops: null} + registry.swamid.se: + dockerhost: null + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + webserver: null + samltest.swamid.se: + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + sto-fre-kvm1.swamid.se: + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + sto-tug-kvm-lab1.swamid.se: + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + sto-tug-kvm-lab2.swamid.se: + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + sto-tug-kvm1.swamid.se: + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + sto-tug-kvm2.swamid.se: + dockerhost: null + mailclient: *id002 + sshaccess: null + sunetops: null + swamidops: null + 
web-a1.sunet.se: + dockerhost: null + mailclient: *id001 + sshaccess: null + sunetops: null + webappserver: null + web-a2.sunet.se: + dockerhost: null + mailclient: *id001 + sshaccess: null + sunetops: null + webappserver: null + web-f1.sunet.se: + dockerhost: null + mailclient: *id001 + sshaccess: null + sunetops: null + webfrontend: null + wp.sunet.se: + mailclient: *id001 + sshaccess: null + sunetops: null + www2.eduid.se: {dockerhost: null} +members: + all: [cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se, reep.tid.isoc.org, + random1.nordu.net, md-master.reep.refeds.org, random2.nordu.net, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, web-a2.sunet.se, www2.eduid.se, cdr2.sunet.se, mdx1.swamid.se, + web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, + samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, + sto-fre-kvm1.swamid.se, web-a1.sunet.se] + docker_signer: [mdx2.swamid.se] + dockerhost: [sto-tug-kvm2.swamid.se, datasets.sunet.se, reep.tid.isoc.org, web-a2.sunet.se, + www2.eduid.se, mdx1.swamid.se, web-f1.sunet.se, registry.swamid.se, mdx2.swamid.se, + docker.sunet.se, web-a1.sunet.se] + entropyserver: [random1.nordu.net, random2.nordu.net] + mailclient: [cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se, sto-tug-kvm-lab2.swamid.se, + sto-tug-kvm1.swamid.se, web-a2.sunet.se, cdr2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, + meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, + wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, + sto-fre-kvm1.swamid.se, web-a1.sunet.se] + quantis: [random1.nordu.net, random2.nordu.net] + signer: [mdx1.swamid.se] + sshaccess: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se, + reep.tid.isoc.org, md-master.reep.refeds.org, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, + web-a2.sunet.se, cdr2.sunet.se, cdr2.sunet.se, 
mdx1.swamid.se, web-f1.sunet.se, + meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, + wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, + sto-fre-kvm1.swamid.se, web-a1.sunet.se] + sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se] + sunetops: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se, + sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, web-a2.sunet.se, cdr2.sunet.se, + cdr2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, + dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, + lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-a1.sunet.se] + swamidops: [sto-tug-kvm2.swamid.se, reep.tid.isoc.org, md-master.reep.refeds.org, + sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, mdx1.swamid.se, meta.swamid.se, + registry.swamid.se, mdx2.swamid.se, samltest.swamid.se, sto-tug-kvm-lab1.swamid.se, + sto-fre-kvm1.swamid.se] + webappserver: [web-a2.sunet.se, web-a1.sunet.se] + webfrontend: [web-f1.sunet.se] + webserver: [datasets.sunet.se, registry.swamid.se, docker.sunet.se] + diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf index e1ef0e5..80c0216 100644 --- a/global/overlay/etc/puppet/cosmos-modules.conf +++ b/global/overlay/etc/puppet/cosmos-modules.conf 
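Review bot: The `sshaccess` and `sunetops` member lists in this new file contain `cdr1.sunet.se` and `cdr2.sunet.se` twice each, presumably because both the `^cdr\d+\.sunet\.se$` rule and the generic `\.sunet\.se$` rule in cosmos-rules.yaml (same commit) grant those two classes to the same hosts. If this file is generated from the rules, the generator should deduplicate the `members` lists, or the cdr rule should stop repeating `sshaccess` and `sunetops` that the generic rule already assigns; if it is hand-maintained, the duplicate entries should simply be removed. Any consumer that iterates `members` to act per host would otherwise handle those two hosts twice.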
@@ -1,36 +1,20 @@ +# name source (puppetlabs fq name or git url) upgrade (yes/no) # -# name source (puppetlabs fq name or git url) upgrade (yes/no) tag-pattern -# -# NOTE that Git packages MUST be tagged with signatures by someone -# in the Cosmos trust list. That is why all the URLs point to forked -# versions in the SUNET github organization. -# -concat git://github.com/SUNET/puppetlabs-concat.git yes sunet-* -stdlib git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-* -cosmos git://github.com/SUNET/puppet-cosmos.git yes sunet-* -ufw git://github.com/SUNET/puppet-module-ufw.git yes sunet_dev-* -apt git://github.com/SUNET/puppetlabs-apt.git yes sunet_dev-* -vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-* -xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-* -hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-* -# -# Alternate sources you might or might not want to use: -#concat puppetlabs/concat no -#stdlib puppetlabs/stdlib no -#ufw attachmentgenie/ufw no -#apt puppetlabs/apt no -#vcsrepo puppetlabs/vcsrepo no -#xinetd puppetlabs/xinetd no -#cosmos git://github.com/leifj/puppet-cosmos.git yes -#python git://github.com/SUNET/puppet-python.git yes sunet-* -#erlang git://github.com/SUNET/garethr-erlang.git yes sunet-* -#rabbitmq git://github.com/SUNET/puppetlabs-rabbitmq.git yes sunet_dev-* -#pound git://github.com/SUNET/puppet-pound.git yes sunet_dev-* -#augeas git://github.com/SUNET/puppet-augeas.git yes sunet-* -#bastion git://github.com/SUNET/puppet-bastion.git yes sunet-* -#postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet_dev-* -#munin git://github.com/SUNET/ssm-munin.git yes sunet-* -#nagios git://github.com/SUNET/puppet-nagios.git yes sunet-* -#staging git://github.com/SUNET/puppet-staging.git yes sunet-* -#apparmor git://github.com/SUNET/puppet-apparmor.git yes sunet-* -#docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-* +concat git://github.com/SUNET/puppetlabs-concat.git yes sunet-* 
+stdlib git://github.com/SUNET/puppetlabs-stdlib.git yes sunet-* +cosmos git://github.com/SUNET/puppet-cosmos.git yes sunet-* +ufw git://github.com/SUNET/puppet-module-ufw.git yes sunet-* +apt git://github.com/SUNET/puppetlabs-apt.git no sunet-* +vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git no sunet-* +xinetd git://github.com/SUNET/puppetlabs-xinetd.git no sunet-* +python git://github.com/SUNET/puppet-python.git yes sunet-* +hiera-gpg git://github.com/SUNET/hiera-gpg.git no sunet-* +pound git://github.com/SUNET/puppet-pound.git yes sunet-* +augeas git://github.com/SUNET/puppet-augeas.git yes sunet-* +bastion git://github.com/SUNET/puppet-bastion.git yes sunet-* +apache puppetlabs/apache no +pyff git://github.com/samlbits/puppet-pyff.git yes puppet-pyff-* +postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet-* +dhcp git://github.com/SUNET/puppetlabs-dhcp.git yes sunet-* +varnish git://github.com/samlbits/puppet-varnish.git yes puppet-varnish-* +docker git://github.com/SUNET/garethr-docker.git yes sunet-* diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index d9dc495..4b93245 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml 
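Review bot: The removed NOTE stating that Git-sourced modules must be tagged with signatures by someone in the Cosmos trust list was the only documented reason for pinning every URL to the SUNET organisation, and this hunk drops it while adding `pyff` and `varnish` from github.com/samlbits with upgrade set to `yes`, plus `apache puppetlabs/apache no` with no tag pattern at all. If the samlbits tags are signed by trust-list members this is fine but now undocumented; if not, those two entries should be `no` or forked into SUNET like the rest, and the forge-sourced apache entry should be noted as not covered by tag verification. The new header line also lost the `tag-pattern` column name although every line still carries a fourth column. Suggest restoring the header as `# name source (puppetlabs fq name or git url) upgrade (yes/no) tag-pattern` followed by `# NOTE that Git packages MUST be tagged with signatures by someone in the Cosmos trust list.` and a one-line comment next to the samlbits entries explaining the exception.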
@@ -1,2 +1,50 @@ -'ns[0-9]?.mnt.se$': - nameserver: +'^cdr\d+\.sunet\.se$': + sshaccess: + sunet-cdr: + sunetops: +'\.swamid\.se$': + sshaccess: + sunetops: + swamidops: + mailclient: + domain: sunet.se +'\.sunet\.se$': + sshaccess: + sunetops: + mailclient: + domain: sunet.se +registry.swamid.se: + dockerhost: + webserver: +datasets.sunet.se: + dockerhost: + webserver: +docker.sunet.se: + dockerhost: + webserver: +mdx1.swamid.se: + dockerhost: + signer: +mdx2.swamid.se: + dockerhost: + docker_signer: +sto-tug-kvm2.swamid.se: + dockerhost: +reep.tid.isoc.org: + sshaccess: + swamidops: + dockerhost: +md-master.reep.refeds.org: + sshaccess: + swamidops: +'^random\d+\.nordu\.net$': + entropyserver: + quantis: +www2.eduid.se: + dockerhost: +'^web-.+\.sunet\.se$': + dockerhost: +'^web-a[0-9]+\.sunet\.se$': + webappserver: +'^web-f[0-9]+\.sunet\.se$': + webfrontend: diff --git a/global/overlay/etc/puppet/cosmos_config_version b/global/overlay/etc/puppet/cosmos_config_version new file mode 100755 index 0000000..57786fd --- /dev/null +++ b/global/overlay/etc/puppet/cosmos_config_version @@ -0,0 +1,11 @@ +#!/bin/sh + +set -e + +set -a +COSMOS_CONF_DIR="/etc/cosmos" +. /etc/cosmos/cosmos.conf +COSMOS_VERBOSE="yes" +set +a + +/etc/cosmos/update.d/25verify-git 2>/dev/null | grep ^"tag " | head -1 | cut -b 5- diff --git a/global/overlay/etc/puppet/facter/cosmos.rb b/global/overlay/etc/puppet/facter/cosmos.rb new file mode 100644 index 0000000..d810082 --- /dev/null +++ b/global/overlay/etc/puppet/facter/cosmos.rb 
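Review bot: The exit status of the final pipeline is `cut`'s, so `set -e` never sees a failing `/etc/cosmos/update.d/25verify-git`, and its stderr is discarded by `2>/dev/null`; a failed or missing tag verification therefore prints an empty config version and exits 0, which the caller cannot distinguish from success. Capture the result and fail when it is empty: `tag=$(/etc/cosmos/update.d/25verify-git 2>/dev/null | grep '^tag ' | head -1 | cut -b 5-)`, `[ -n "$tag" ] || exit 1`, `echo "$tag"`. The `grep ^"tag "` quoting is equivalent to `grep '^tag '` but reads as if only the anchor were outside the quotes.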
@@ -0,0 +1,22 @@ +# +# Extract local Cosmos configuration +# +require 'facter' +Facter.add(:cosmos_repo) do + setcode do + Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && echo $COSMOS_REPO'") + end +end + +Facter.add(:cosmos_tag_pattern) do + setcode do + Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && echo $COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN'") + end +end + +Facter.add(:cosmos_repo_origin_url) do + setcode do + Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && cd $COSMOS_REPO && git remote show -n origin | grep \"Fetch URL\" | awk \"{print \\$NF }\"'") + end +end + diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp index c276f84..218f69b 100644 --- a/global/overlay/etc/puppet/manifests/cosmos-site.pp +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp 
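Review bot: In the `cosmos_repo_origin_url` resolution `cd $COSMOS_REPO` is unquoted and unguarded; if cosmos.conf does not define COSMOS_REPO, `cd` with no argument moves to the home directory and the fact reports whichever git remote happens to exist there (or an empty string) instead of failing. The nested grep/awk escaping is also hard to verify by eye; `git config --get remote.origin.url` reads the configured origin URL directly (without any `url.insteadOf` rewriting, if the repo relies on that): `Facter::Util::Resolution.exec("sh -c '. /etc/cosmos/cosmos.conf && cd \"${COSMOS_REPO:?}\" && git config --get remote.origin.url'")`. The other two facts only `echo` the variables, where an unset value harmlessly yields an empty fact, but a short header comment stating that all three facts come from sourcing /etc/cosmos/cosmos.conf and are empty when it is absent would help readers.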
@@ -4,49 +4,818 @@ Exec { path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", } -# include some of this stuff for additional features - -#include cosmos::tools -#include cosmos::motd -#include cosmos::ntp -#include cosmos::rngtools -#include cosmos::preseed +include cosmos::tools +include cosmos::motd +include cosmos::ntp +include cosmos::rngtools +include cosmos::preseed include ufw include apt include cosmos # you need a default node -node default { +node default { + +} + +class dockerhost { + apt::source {'docker_official': + location => 'https://get.docker.com/ubuntu', + release => 'docker', + repos => 'main', + key => 'A88D21E9', + include_src => false + } + package {'lxc-docker': + ensure => latest + } + class {'docker': + manage_package => false + } +} + +class webserver { + ufw::allow { "allow-http": + ip => 'any', + port => 80 + } + ufw::allow { "allow-https": + ip => 'any', + port => 443 + } +} + +class mailclient ($domain) { + cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain} +} + +node 'sto-tug-kvm1.swamid.se' { + + package {'python-vm-builder': + ensure => 'installed', + } -> + + cosmos::dhcp_kvm { 'registry.swamid.se': + mac => '52:54:00:52:53:0b', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '2048', + } + + cosmos::dhcp_kvm { 'mdx1.swamid.se': + mac => '52:54:00:fe:bc:09', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '2048', + } + + cosmos::dhcp_kvm { 'md-master.reep.refeds.org': + mac => '52:54:00:39:8d:ac', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '2048', + } +} + +node 'sto-fre-kvm1.swamid.se' { + package {'python-vm-builder': + ensure => 'installed', + } -> + + cosmos::dhcp_kvm { 'mdx2.swamid.se': + mac => '52:54:00:30:be:dd', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + 
memory => '2048', + } + +} + +node 'reep.tid.isoc.org' { + +} + +node 'datasets.sunet.se' { + docker::image {'dockerfile/redis': } + docker::image {'docker.sunet.se/datasets': } + file {'/opt/lobo2-redis-data': + ensure => 'directory', + } + file {'/etc/ssl': + ensure => 'directory', + } + docker::run {'redis': + image => 'dockerfile/redis', + use_name => true, + volumes => ['/opt/lobo2-redis-data:/data','/var/log:/var/log'], + verify_checksum => false, + } + docker::run {'datasets': + image => 'docker.sunet.se/datasets', + use_name => true, + env => ['BASE_URL=https://datasets.sunet.se'], + volumes => ['/etc/ssl:/etc/ssl','/var/log:/var/log'], + ports => ['80:80','443:443'], + links => ['redis:redis'], + start_on => 'docker-redis', + verify_checksum => false, + } +} + +node 'docker.sunet.se' { + docker::image {'registry': } + docker::image {'leifj/pound': } + docker::run {'sunetregistry': + use_name => true, + image => 'registry', + ports => ['80:5000'], + volumes => ['/opt/registry:/tmp/registry'] + } + docker::run {'pound': + image => 'leifj/pound', + links => ['sunetregistry:backend'], + volumes => ['/etc/ssl:/etc/ssl'], + ports => ['443:443'] + } +} + +class docker_signer { + docker::image {'docker.samlbits.net/varnish': } + docker::image {'docker.samlbits.net/pyff': } + docker::run {'pyff': + image => 'docker.samlbits.net/pyff', + volumes => ['/opt/swamid-metadata:/opt/swamid-metadata'], + env => ['DATADIR=/opt/swamid-metadata','LOGLEVEL=INFO'] + } + docker::run {'varnish': + image => 'docker.samlbits.net/varnish', + links => ['pyff:backend'], + ports => ['80:80'] + } + cron {'update-swamid-metadata': + command => "cd /opt/swamid-metadata && git pull -q", + user => root, + minute => '*/5' + } +} + +class signer { + include cosmos::httpsproxy + class {'varnish': + domain => 'swamid.se', + backends => { + mdx => 'http://localhost:8000/' + }, + vhosts => { + mdx => 'mdx.swamid.se' + } + } + class {'pyff': + load => ["/opt/metadata"], + port => 8000, + address => 
'0.0.0.0', + validUntil => 'P10D', + cacheDuration => 'PT5H', + replace => false + } + cron {'update-swamid-metadata': + command => "cd /opt/swamid-metadata && git pull -q", + user => root, + minute => '*/5' + } +} + +node 'md-master.reep.refeds.org' { + #include cosmos::httpsproxy + class {'pyff': + load => ['/opt/peer/vf_repo'], + validUntil => 'P10D', + cacheDuration => 'PT5H' + } +} + +node 'registry.swamid.se' { + class {'pyff': + load => ['/opt/peer/media/vf_repo'], + validUntil => 'P30D', + cacheDuration => 'PT24H', + replace => false, + port => 8000, + address => '127.0.0.1' + } + $peerpkg = ['xmlsec1','libxmlsec1-openssl','libpq-dev','postgresql','postgresql-client'] + package { $peerpkg: ensure => installed } + python::virtualenv { '/opt/peer': + ensure => present + } + python::pip { 'peer==0.13.0': + pkgname => 'peer==0.13.0', + virtualenv => '/opt/peer' + } + + #class { 'postgresql::server': } + + #postgresql::server::db { 'peer': + # encoding => 'utf-8', + # user => 'peer', + # password => postgresql_password('peer', hiera('peer_db_password')), + #} +} + +node 'sto-tug-kvm-lab1.swamid.se' { + + package {'python-vm-builder': + ensure => 'installed', + } -> + + cosmos::dhcp_kvm { 'samltest.swamid.se': + mac => '52:54:00:3a:0a:e4', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '1024', + } + + cosmos::dhcp_kvm { 'dane.lab.sunet.se': + mac => '52:54:00:8d:88:5f', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '1024', + } + + cosmos::dhcp_kvm { 'lobo2.lab.sunet.se': + mac => '52:54:00:5e:72:91', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '1024', + } + cosmos::dhcp_kvm { 'meta.swamid.se': + mac => '52:54:00:1c:72:1a', + repo => 'git://git.nordu.net/sunet-ops.git', + tagpattern => 'sunet-ops', + cpus => '1', + memory => '1024', + } } -# edit and uncomment to manage ssh root keys in a simple 
way +class sunet-dhcp-hosts { + + dhcp::pool {'sunet-servernet-tug-130.242.125.64/26': + network => '130.242.125.64', + mask => '255.255.255.192', + gateway => '130.242.125.65', + range => '' + } + + dhcp::pool {'sunet-servernet-fre-130.242.125.128/26': + network => '130.242.125.128', + mask => '255.255.255.192', + gateway => '130.242.125.129', + range => '' + } + + dhcp::pool {'install': + network => '130.242.125.0', + mask => '255.255.255.192', + gateway => '130.242.125.1', + range => '' + } + + dhcp::pool {'eduid-tug-IdP': + network => '130.242.130.0', + mask => '255.255.255.248', + gateway => '130.242.130.1', + range => '' + } + + dhcp::pool {'eduid-tug-auth': + network => '130.242.130.8', + mask => '255.255.255.248', + gateway => '130.242.130.9', + range => '' + } + + dhcp::pool {'eduid-tug-other': + network => '130.242.130.16', + mask => '255.255.255.240', + gateway => '130.242.130.17', + range => '' + } + + dhcp::pool {'eduid-fre-IdP': + network => '130.242.130.64', + mask => '255.255.255.248', + gateway => '130.242.130.65', + range => '' + } + + dhcp::pool {'eduid-fre-auth': + network => '130.242.130.72', + mask => '255.255.255.248', + gateway => '130.242.130.73', + range => '' + } + + dhcp::pool {'eduid-fre-other': + network => '130.242.130.80', + mask => '255.255.255.240', + gateway => '130.242.130.81', + range => '' + } + + dhcp::pool {'eduid-lla-other': + network => '130.242.130.144', + mask => '255.255.255.240', + gateway => '130.242.130.145', + range => '' + } + + dhcp::pool {'eduid-lla-auth': + network => '130.242.130.136', + mask => '255.255.255.248', + gateway => '130.242.130.137', + range => '' + } + + + # eduID TUG hosts + + dhcp::host { 'kvmidp-tug-3_eth0': mac => "24:b6:fd:fe:fa:51", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; } + dhcp::host { 'kvmidp-tug-3_eth1': mac => "24:b6:fd:fe:fa:52", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; } + + dhcp::host { 'idp-tug-3a': mac => "52:54:00:01:00:01", ip => "130.242.130.5"; } + + 
dhcp::host { 'idp-tug-3b': mac => "52:54:00:01:00:02", ip => "130.242.130.6"; } + + dhcp::host { 'auth-tug-3_eth0': mac => "f0:4d:a2:73:4e:9b", ip => "130.242.130.12", hostname => 'auth-tug-3'; } + dhcp::host { 'auth-tug-3_eth1': mac => "f0:4d:a2:73:4e:9c", ip => "130.242.130.12", hostname => 'auth-tug-3'; } + + dhcp::host { 'kvm-tug-3_eth0': mac => "f0:4d:a2:73:4f:82", ip => "130.242.130.20", hostname => 'kvm-tug-3'; } + dhcp::host { 'kvm-tug-3_eth1': mac => "f0:4d:a2:73:4f:83", ip => "130.242.130.20", hostname => 'kvm-tug-3'; } + + dhcp::host { 'db-tug-3_eth0': mac => "24:b6:fd:fe:fa:f0", ip => "130.242.130.21", hostname => 'db-tug-3'; } + dhcp::host { 'db-tug-3_eth1': mac => "24:b6:fd:fe:fa:f1", ip => "130.242.130.21", hostname => 'db-tug-3'; } + + dhcp::host { 'mq-tug-3': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; } + dhcp::host { 'worker-tug-3': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; } + dhcp::host { 'signup-tug-3': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; } + dhcp::host { 'helpdesk-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; } + dhcp::host { 'www-tug-3': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; } + dhcp::host { 'monitor-tug-3': mac => "52:54:00:03:00:27", ip => "130.242.130.27"; } + + dhcp::host { 'kvmapp-tug-3_eth0': mac => "f0:4d:a2:73:4f:0d", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; } + dhcp::host { 'kvmapp-tug-3_eth1': mac => "f0:4d:a2:73:4f:0e", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; } + + + # eduID FRE hosts + + dhcp::host { 'kvmidp-fre-3_eth0': mac => "18:03:73:41:f3:e8", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; } + dhcp::host { 'kvmidp-fre-3_eth1': mac => "18:03:73:41:f3:e9", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; } + + dhcp::host { 'idp-fre-3a': mac => "52:54:00:04:00:01", ip => "130.242.130.69"; } + + dhcp::host { 'idp-fre-3b': mac => "52:54:00:04:00:02", ip => "130.242.130.70"; } + + dhcp::host { 'auth-fre-3_eth0': mac => "18:03:73:0f:41:3c", 
ip => "130.242.130.76", hostname => 'auth-fre-3'; } + dhcp::host { 'auth-fre-3_eth1': mac => "18:03:73:0f:41:3d", ip => "130.242.130.76", hostname => 'auth-fre-3'; } + + dhcp::host { 'kvm-fre-3_eth0': mac => "f0:4d:a2:73:4b:e3", ip => "130.242.130.84", hostname => 'kvm-fre-3'; } + dhcp::host { 'kvm-fre-3_eth1': mac => "f0:4d:a2:73:4b:e4", ip => "130.242.130.84", hostname => 'kvm-fre-3'; } + + dhcp::host { 'www-fre-3': mac => "52:54:00:06:00:01", ip => "130.242.130.86"; } + dhcp::host { 'dashboard-fre-3': mac => "52:54:00:06:00:57", ip => "130.242.130.87"; } + dhcp::host { 'signup-fre-3': mac => "52:54:00:06:00:58", ip => "130.242.130.88"; } + dhcp::host { 'worker-fre-3': mac => "52:54:00:06:00:59", ip => "130.242.130.89"; } + dhcp::host { 'mq-fre-3': mac => "52:54:00:06:00:5a", ip => "130.242.130.90"; } + dhcp::host { 'monitor-fre-3': mac => "52:54:00:06:00:5b", ip => "130.242.130.91"; } + + dhcp::host { 'db-fre-3_eth0': mac => "f0:4d:a2:73:4f:19", ip => "130.242.130.85", hostname => 'db-fre-3'; } + dhcp::host { 'db-fre-3_eth1': mac => "f0:4d:a2:73:4f:1a", ip => "130.242.130.85", hostname => 'db-fre-3'; } + + dhcp::host { 'kvmapp-fre-3_eth0': mac => "78:45:c4:f7:90:ec", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; } + dhcp::host { 'kvmapp-fre-3_eth1': mac => "78:45:c4:f7:90:ed", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; } + + # eduID LLA hosts + + dhcp::host { 'db-lla-3_eth0': mac => "b0:83:fe:e2:27:4c", ip => "130.242.130.148", hostname => 'db-lla-3'; } + dhcp::host { 'db-lla-3_eth1': mac => "b0:83:fe:e2:27:4d", ip => "130.242.130.148", hostname => 'db-lla-3'; } + + dhcp::host { 'auth-lla-3_eth0': mac => "b0:83:fe:e2:27:c6", ip => "130.242.130.140", hostname => 'auth-lla-3'; } + dhcp::host { 'auth-lla-3_eth1': mac => "b0:83:fe:e2:27:c7", ip => "130.242.130.140", hostname => 'auth-lla-3'; } + + + # eduID Development subnets + #dhcp::pool {'eduid-tug-dev': + # network => '194.68.13.128', + # mask => '255.255.255.224', + # gateway => '194.68.13.129', 
+ # range => '', + # options => 'domain-name-servers 109.105.111.31, 109.105.110.31', + #} + + #dhcp::pool {'eduid-fre-dev': + # network => '194.68.13.160', + # mask => '255.255.255.224', + # gateway => '194.68.13.161', + # range => '', + # options => 'domain-name-servers 109.105.111.31, 109.105.110.31', + #} + + dhcp::pool {'eduid-dev-tug': + network => '130.242.130.192', + mask => '255.255.255.224', + gateway => '130.242.130.193', + range => '' + } -#class { 'cosmos::access': -# keys => [ -# "ssh-rsa ..." -# ] -#} + # One big subnet used for now + #dhcp::pool {'eduid-dev-tug-IdP': + # network => '130.242.130.192', + # mask => '255.255.255.248', + # gateway => '130.242.130.201', + # range => '' + #} -# example config for the nameserver class which is matched in cosmos-rules.yaml + # One big subnet used for now + #dhcp::pool {'eduid-dev-tug-auth': + # network => '130.242.130.200', + # mask => '255.255.255.248', + # gateway => '130.242.130.201', + # range => '' + #} -#class nameserver { -# package {'bind9': -# ensure => latest -# } -# service {'bind9': -# ensure => running -# } -# ufw::allow { "allow-dns-udp": -# ip => 'any', -# port => 53, -# proto => "udp" -# } -# ufw::allow { "allow-dns-tcp": -# ip => 'any', -# port => 53, -# proto => "tcp" -# } -#} + # One big subnet used for now + #dhcp::pool {'eduid-dev-tug-other': + # network => '130.242.130.208', + # mask => '255.255.255.240', + # gateway => '130.242.130.209', + # range => '' + #} + # eduID TUG development hosts + dhcp::host { 'worker-fre-1': mac => "52:54:00:a0:01:c4", ip => "130.242.130.196" } + dhcp::host { 'actions-tug-1': mac => "52:54:00:a0:01:c5", ip => "130.242.130.197" } + dhcp::host { 'mq-tug-1': mac => "52:54:00:a0:01:c6", ip => "130.242.130.198" } + dhcp::host { 'proxy-tug-1': mac => "52:54:00:a0:01:c7", ip => "130.242.130.199" } + + dhcp::host { 'auth-fre-1_eth0': mac => "78:45:c4:f7:91:67", ip => "130.242.130.204", hostname => 'auth-fre-1'; } + dhcp::host { 'auth-fre-1_eth1': mac => 
"78:45:c4:f7:91:68", ip => "130.242.130.204", hostname => 'auth-fre-1'; } + + dhcp::host { 'auth-tug-1_eth0': mac => "78:45:c4:f8:43:c5", ip => "130.242.130.205", hostname => 'auth-tug-1'; } + dhcp::host { 'auth-tug-1_eth1': mac => "78:45:c4:f8:43:c6", ip => "130.242.130.205", hostname => 'auth-tug-1'; } + + dhcp::host { 'signup-tug-1': mac => "52:54:00:a0:01:d4", ip => "130.242.130.212" } + + dhcp::host { 'dash-fre-1': mac => "52:54:00:a0:01:d5", ip => "130.242.130.213" } + + dhcp::host { 'idp-fre-1': mac => "52:54:00:a0:01:d6", ip => "130.242.130.214" } + + dhcp::host { 'idp-tug-1': mac => "52:54:00:a0:01:d7", ip => "130.242.130.215" } + + dhcp::host { 'kvm-fre-1_eth0': mac => "78:45:c4:f8:45:15", ip => "130.242.130.216", hostname => 'kvm-fre-1'; } + dhcp::host { 'kvm-fre-1_eth1': mac => "78:45:c4:f8:45:16", ip => "130.242.130.216", hostname => 'kvm-fre-1'; } + + dhcp::host { 'kvm-tug-1_eth0': mac => "78:45:c4:f8:47:be", ip => "130.242.130.217", hostname => 'kvm-tug-1'; } + dhcp::host { 'kvm-tug-1_eth1': mac => "78:45:c4:f8:47:bf", ip => "130.242.130.217", hostname => 'kvm-tug-1'; } + + dhcp::host { 'monitor-fre-1': mac => "52:54:00:a0:01:da", ip => "130.242.130.218" } + + dhcp::host { 'mq-fre-1': mac => "52:54:00:a0:01:db", ip => "130.242.130.219" } + + dhcp::host { 'userdb-fre-1': mac => "52:54:00:a0:01:dc", ip => "130.242.130.220" } + + dhcp::host { 'userdb-tug-1': mac => "52:54:00:a0:01:dd", ip => "130.242.130.221" } + + dhcp::host { 'userdb-tug-2': mac => "52:54:00:a0:01:de", ip => "130.242.130.222" } + + + #dhcp::host { 'idp-tug-1': mac => "52:54:00:a0:00:92", ip => "194.68.13.146" } + + #dhcp::host { 'testvm-tug-1': mac => "52:54:00:11:22:33", ip => "194.68.13.136" } + + #dhcp::host { 'userdb-tug-1': mac => "52:54:00:93:22:29", ip => "194.68.13.132" } + #dhcp::host { 'userdb-tug-2': mac => "52:54:00:17:13:ff", ip => "194.68.13.133" } + + # eduID FRE development hosts + #dhcp::host { 'idp-fre-1': mac => "52:54:00:a1:00:b2", ip => "194.68.13.178" } + + 
#dhcp::host { 'dash-fre-1': mac => "52:54:00:a2:00:a7", ip => "194.68.13.167" } + + #dhcp::host { 'userdb-fre-1': mac => "52:54:00:17:13:f6", ip => "194.68.13.164" } + + # SUNET TUG hosts + + dhcp::host { 'samltest': mac => "52:54:00:3a:0a:e4", ip => "130.242.125.80" } + dhcp::host { 'dane.lab': mac => "52:54:00:8d:88:5f", ip => "130.242.125.81" } + dhcp::host { 'meta.swamid': mac => "52:54:00:1c:72:1a", ip => "130.242.125.82" } + dhcp::host { 'md-master.reep': mac => "52:54:00:39:8d:ac", ip => "130.242.125.83" } + dhcp::host { 'lobo2.lab': mac => "52:54:00:5e:72:91", ip => "130.242.125.86" } + + # SUNET TUG eduID hosts (KVM host cdr1.sunet.se) + dhcp::host { 'backup-tug-3': mac => "52:54:00:f2:7d:54", ip => "130.242.125.84" } + dhcp::host { 'proxy-tug-3': mac => "52:54:00:f2:7d:55", ip => "130.242.125.85" } + + # SWAMID production + dhcp::host { 'registry.swamid': mac => "52:54:00:52:53:0b", ip => "130.242.125.90" } + dhcp::host { 'mdx1.swamid': mac => "52:54:00:fe:bc:09", ip => "130.242.125.91" } + dhcp::host { 'mdx2.swamid': mac => "52:54:00:30:be:dd", ip => "130.242.125.92" } +} + +class sshaccess { + package { ['openssh-server', 'emacs23-nox']: + ensure => 'installed' + } + + ufw::allow { 'allow-ssh-sunet': + port => '22', + ip => 'any', # both IPv4 and IPv6 + proto => 'tcp' + } -> + service { 'ssh': + ensure => 'running', + } +} + +class sunetops { + + sunet::server { 'sunet_server': } + + ssh_authorized_key {'leifj+neo': + ensure => present, + name => 'leifj+neo@mnt.se', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'ft+505152DD': + ensure => present, + name => 
'fredrik+505152DD@thulin.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'ft+4030CCAD': + ensure => present, + name => 'fredrik+4030CCAD@thulin.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'swold+neo': + ensure => absent, + name => 'swold+neo@sunet.se', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEH/7KWri49NdhCjXW8VEdDxFl3IfIFT6QjJ47TkhCZCPZdgFl8NLKUOBE1P4jrwB+f+G+ScQ9EYN2Mnf0VhjZ3twPq2S1fosu3jmA56qhQ2J6ZNG1SvVDkgT69HZ+yoxEzbkmWuhhlb7WWVzC3h1K5Rxs8Yr9GJzIpgqH5PzI73pMAS89MYOjkhqS8NOi4onB3llFnyFZeWDB+rXj8/Q6k1u2F9KN1fPxe3EiskaJPOkPn8dEe3pOAiu+FwWyinHxO9Z4gzf55XVE8oFd36LRpoJGr32vdScSPeCksrARluEHnkEHqg6cVLcDkKnHrPITuXKj54i/jYeYGetigEuV', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'lundberg+9303C5DB': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHMfn9PSWjGGAkMY6rh1yffdYgnlhoIC5E5NWdc5XUlY9oNYW2zhMpyhepfoh1YYv5V1QNTuO3f0zhD+ZeqPvnnA74fBM4yvWU4Qttwv2drsFOsU7nRbGSwQdww9IDidtxRuAjW5HJ9mTOJuYrIFAEHgg1Pv8sZKzHNWuZiz4I34CN2NbaZOu4eYG6pdzvB6kfYl5iL/esfhBZfegA+7x4qXvMLHEKb7wCRBABCfWu6Yy1E0jUdRWBFdqp5zsjuQlk8minh892m2C1tFcyub5dCWgLYtiQRpIjz16lMk1cM+fgS9YM7Ev62bBpRynU2wCfg1QpYMpxIq54q/XLlYv', + ensure => present, + user => 'root', + name 
=> 'lundberg+9303C5DB' + } + + ssh_authorized_key {'salu+82A313B2': + ensure => present, + name => 'salu+82A313B2@nordu.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDeqxYSykQRs9Wbh+uRCYqRUjsFfdlc4//bs3dbedE/8kZWvvSmBlcqizXKVSlABrwyqGDpxW9bD+lRC53zArDMaqYUQbkzYs0NYYeE1bA4HUI/f4SgDn7PKicJLcbIOFTEjdOAqoi+KXji6Y5kxmcNYcU/XbyUln7FCItIFTXLF6VJBR1edokXAtsQBeD+H+xJA34Ha4TkBPKSeYjt+OoCZSjW0cz9g/+T59WsLZ/uJPZNqTgP5QOnBBmqURXDosXhjfPRrUQAyySM9D0riqMY4gtUgVvvnSXZqgquk0/79JjR10QAFmauxRdYmTBG7NU8EM7bXqUeuEFQIl9aiIe3', + type => 'ssh-rsa', + user => 'root' + } + + ssh_authorized_key {'dennis+3EE4E6C7': + ensure => present, + name => 'dennis+3EE4E6C7@nordu.net', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC314jSJ575zgXl2xzwzLRLwoNaP7eXN6NlWOPq47qmoUfR1uZPPbZhvKDmMMc4WQhNPzWDFkX29tcHJar0KXVYM0zNV/hkXlh3Z9suAVFJgzdQ+VW3GsNDffYt4GHM8gUtYxdiQKhA78rIIvcvjy/e0c87lQ0zwDQjruLRw2t1mP1roVsadGnRn4H2rHnlmYqsyJrd2L/MQeKxFh0t3zKu3Hp2mGoSFpFe/5uMaHE//ZOO3tVf3fBWX3p19f6sK6kqYsSR4vMAP08cWf32xFEeNHf4ljbanQ/NIo3iPybpzGXVsPpTHXylLS+vYzDf9mOcxovhsKnJrJ3gdkqEfQyd', + type => 'ssh-rsa', + user => 'root' + } + + # OS hardening + if $::hostname =~ /kvm/ { + class {'bastion': + fstab_fix_shm => false, + sysctl_net_hardening => false, + } + } elsif $::hostname =~ /random/ { # pollen requires exec on /tmp + class {'bastion': + fixperms_enable => false, + fixperms_paranoia => false, + } + } else { + class {'bastion': + fstab_fix_shm => false, + fixperms_paranoia => true, + } + } +} + +node 'samltest.swamid.se' { + + ssh_authorized_key {'hans-its-umu': + name => 'haho0032@its-admins-MacBook-Pro.local', + ensure => present, + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCo3A5CG7fKLBLw8vhJL6Q8iweADu7qyDUokAvKR1SUitBnYw0pnd3cv3T32S/mps51YIoyKwhv2q2UGW5kYMeZtH0YjBy+l93nVBjUCLlNkz0T5gq+ePVayiqv0hUy5VMDEqLmUOquYr3ao7FBRu34HxlEj26O6Ckvk5YTImGmGqMw6kQ4aI0oIkwk3VwO2vMWSD6lgT6YCsE9g7wkD4nJpkV1PEDOx8yxwFr0kUbL3/DpudBFew/FZa4Dq4H2brExa3Q/rrnoo1GAKLzHW/V8oa8eHbRQXwchgX63UbnzQjGiaLUc5bHZwEehp2TkLYx6encctIUGi447DVCfOTsz', + type => 
'ssh-rsa', + user => 'root' + } +} + +class swamidops { + ssh_authorized_key {'roland-umu': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC+tLFDNA7UXr3ZXgp6qQq7pKsTStHb+8UIEO3Act7Va3c/dz9P8Bi4+y8h33t2SACsQHXXUXAgSfmgPi+tijZ/rJrKGZJkA5LPbntca40ePU/zNWKVKGylbdnv9vz2urrr3xOmcV7yD/91k+JLwzTWiNWF6IXQC0p43EvE6BdZnLGdGAU9DPj/5rtyxWlX9Lul516dmVD2+nI8UR5bnDNl83a3lLkQyEDZMIC8QujNV8fR3pgYeRKdC7WtPcaPGv5NaF9UweBDK+7QwHTJAuIZw6S7ArA7KgOF64evOuVL0tTEyuwMHGrlE+ylxN+zOAfDvEMrxnTATR6RMcvLmTJB', + ensure => present, + user => 'root', + name => 'roland.hedberg@adm.umu.se' + } + ssh_authorized_key {'lordahl-hig': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCJ9ab81Sm3NUoOFjgM9F9HrKKTVc0sEVqUCLeWPfp6yHPuxFrejJDZVkASfGj/1XsjUQ60TrvwzYn1rsSeEwdGKFexfrQJ2SfugOWOAsPiYCZ3o3xa8ki951HYy2aeVCedlLRoVagn2iUP1uqVmwImxrV8CydaaQYUJgP/qD0Iy5MWxAJGRIVMKnnACs+F8dgULq0P/pID85QXAZkSuGl4urkp2+tCHxAiMxscbtDtsoV71ILZ+OQQJe4kDb5si6rE730JXeBuEPU1k//+5HbGspoI7SuZUeiFfoKLXppoFkHS+ShI4oC3PIbe76f+tpwbUBGrJw/9vzBWOBiVrSnR', + ensure => present, + user => 'root', + name => 'anders@merlin' + } + ssh_authorized_key {'aslund-umu': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCZMok+obrCgHY0atsLp777lBrxvMYEHmHK0+DXHBnRBH9CK9gjquH3fmv/Eq1bHm4UUOOJ0zk67mVdFcOwX4p7XbxHolURLFPu1QBWgiT6vRGrWOthcDa1I5iSJ0ez7SBrtD4Si5juKq1T6mNVEbHn9NlOoGR4NVGQI1v90bywnhdT9m12Y487e4HYyjDE3G/S0v6Pkj4uaehrWHAbrgXYEkleuhGJesNQrfxDx31BZbqJs8wqZ9csgHaBgiiN/lplsZlL7GuHqytoSPKwVJ7EK/ZvFLir3IoP5G9IR0eUY4+SZUEjmxJL+JyBXGQJPJx1qIPiQZSb+38tBT2742Fx', + ensure => present, + user => 'root', + name => 'fredrik.aslund@umu.se-yubikey-neo' + } +} + +node 'wp.sunet.se' { + package {'libapache2-mod-php5': ensure => 'latest'} + package {'php5-mysql': ensure => 'latest'} + class {'apache': + mpm_module => 'prefork', + default_vhost => false + } + apache::mod {'php5': } + apache::mod {'ssl': } + apache::mod {'rewrite': } + apache::vhost { 'wp.sunet.se': + port => 80, + docroot => '/opt/wordpress' + } + include 
mysql::server + user {'wordpress': ensure => present, groups => 'www-data'} + class { 'wordpress': + wp_owner => 'wordpress', + wp_group => 'www-data', + db_user => 'wp', + db_password => hiera('mysql_password', 'NOT_SET_IN_HIERA'), + wp_multisite => false, + wp_site_domain => 'wp.sunet.se', + version => '3.8.1' + } + ufw::allow { 'allow-www-wordpress': + port => '80', + ip => 'any', # both IPv4 and IPv6 + proto => 'tcp' + } + ufw::allow { 'allow-https-wordpress': + port => '443', + ip => 'any', # both IPv4 and IPv6 + proto => 'tcp' + } +} + +node 'cdr1.sunet.se' { + + package {'python-vm-builder': + ensure => 'installed', + } -> + + cosmos::dhcp_kvm { 'backup-tug-3.eduid.se': + mac => '52:54:00:f2:7d:54', + repo => 'git://git.nordu.net/eduid-ops.git', + tagpattern => 'eduid-v3', + cpus => '1', + memory => '512', + suite => 'trusty', + extras => '--addpkg linux-image-generic --tmpfs -', + } + + cosmos::dhcp_kvm { 'proxy-tug-3.eduid.se': + mac => '52:54:00:f2:7d:55', + repo => 'git://git.nordu.net/eduid-ops.git', + tagpattern => 'eduid-v3', + cpus => '1', + memory => '512', + suite => 'trusty', + extras => '--addpkg linux-image-generic --tmpfs -', + } + +} + +node 'sto-tug-kvm2.swamid.se' { + docker::image {'docker.sunet.se/flog/postgresql-9.3': } + file {'/opt/docker/postgresql_data': + ensure => 'directory', + } + file {'/var/log/flog_db': + ensure => 'directory', + } + docker::run {'flog_db': + image => 'docker.sunet.se/flog/postgresql-9.3', + use_name => true, + volumes => ['/opt/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'], + } +} + +class sunet-cdr { + + # Listen on br0 if it exists (cdr1), otherwise bond0 (cdr2). + $interface = $::ipaddress_br0 ? 
{ + undef => 'bond0', + default => 'br0', + } + + class { 'dhcp': + dnsdomain => [ 'eduid.se','sunet.se','swamid.se' ], + nameservers => ['130.242.80.14','130.242.80.99'], + ntpservers => ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE'], + interfaces => [$interface], + #pxeserver => '130.242.125.5', + #pxefilename => 'pxelinux.0' + } + + class { 'sunet-dhcp-hosts': } + +} + +class entropyserver { + + include augeas + + apt::ppa {'ppa:ndn/pollen': } -> + package {'pollen': } -> + service {'pollen': + ensure => 'running' + } + augeas { "pollen_defaults": + incl => "/etc/default/pollen", + lens => "Shellvars.lns", + changes => [ + 'set DEVICE "/dev/qrandom0"', + ], + notify => Service['pollen'], + } -> + ufw::allow { "allow-pollen-http-tcp": + ip => 'any', + port => 80 + } + ufw::allow { "allow-pollen-https-tcp": + ip => 'any', + port => 443 + } +} + +class fail2ban { + + include augeas + + package {'fail2ban': ensure => 'latest'} + augeas { "fail2ban_defaults": + incl => "/etc/fail2ban/jail.conf", + lens => "Shellvars.lns", + changes => [ + 'set bantime "604800"', + ], + notify => Service['fail2ban'], + } +} + +class quantis { + apt::ppa {'ppa:ndn/quantispci': } + package {'quantispci-dkms': } +} + +class webcommon { + docker::image {'coreos/etcd': } +} + +class webfrontend { + class { 'webcommon': } + docker::image {'docker.sunet.se/pound': } + docker::image {'docker.sunet.se/varnish': } +} + +class webappserver { + class { 'webcommon': } +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp new file mode 100644 index 0000000..9956e00 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/encrypted_swap.pp 
@@ -0,0 +1,12 @@
+define sunet::encrypted_swap() {
+
+ package { 'ecryptfs-utils':
+ ensure => 'installed'
+ } ->
+
+ exec {'sunet_ecryptfs_setup_swap':
+ command => '/usr/bin/ecryptfs-setup-swap -f',
+ onlyif => 'grep swap /etc/fstab | grep -ve ^# -e cryptswap | grep -q swap',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
new file mode 100644
index 0000000..8ff7325
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/ethernet_bonding.pp
@@ -0,0 +1,19 @@
+define sunet::ethernet_bonding() {
+ # Set up prerequisites for Ethernet LACP bonding of eth0 and eth1,
+ # for all physical hosts that are running Ubuntu.
+ #
+ # Bonding requires setup in /etc/network/interfaces as well.
+ #
+ if $::is_virtual == 'false' and $::operatingsystem == 'Ubuntu' {
+ if $::operatingsystemrelease <= '12.04' {
+ package {'ifenslave': ensure => 'present' }
+ } else {
+ package {'ifenslave-2.6': ensure => 'present' }
+ }
+
+ file_line { 'load_module_at_boot':
+ path => '/etc/modules',
+ line => 'bonding',
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
new file mode 100644
index 0000000..14df323
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -0,0 +1,87 @@
+define sunet::server() {
+
+ # Set up encrypted swap
+ sunet::encrypted_swap { 'sunet_encrypted_swap': }
+
+ # Add prerequisites for ethernet bonding, if physical server
+ sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
+
+# Removed until SWAMID hosts can have their ufw module updated / ft
+# # Ignore IPv6 multicast
+# ufw::deny { 'ignore_v6_multicast':
+# ip => 'ff02::1',
+# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+# }
+
+# # Ignore IPv6 multicast PIM router talk
+# ufw::deny { 'ignore_v6_multicast_PIM':
+# ip => 'ff02::d',
+# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+# }
+
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+
+ # already declared in puppet-cosmos/manifests/ntp.pp
+ #service { 'ntp':
+ # ensure => 'running',
+ #}
+
+ # Don't use pool.ntp.org servers, but rather DHCP provided NTP servers
+ line { 'no_pool_ntp_org_servers':
+ file => '/etc/ntp.conf',
+ line => '^server .*\.pool\.ntp\.org',
+ ensure => 'comment',
+ notify => Service['ntp'],
+ }
+
+ file { '/var/cache/scriptherder':
+ ensure => 'directory',
+ path => '/var/cache/scriptherder',
+ mode => '1777', # like /tmp, so user-cronjobs can also use scriptherder
+ }
+
+
+}
+
+# from http://projects.puppetlabs.com/projects/puppet/wiki/Simple_Text_Patterns/5
+define line($file, $line, $ensure = 'present') {
+ case $ensure {
+ default : { err ( "unknown ensure value ${ensure}" ) }
+ present: {
+ exec { "/bin/echo '${line}' >> '${file}'":
+ unless => "/bin/grep -qFx '${line}' '${file}'"
+ }
+ }
+ absent: {
+ exec { "/usr/bin/perl -ni -e 'print unless /^\\Q${line}\\E\$/' '${file}'":
+ onlyif => "/bin/grep -qFx '${line}' '${file}'"
+ }
+ }
+ uncomment: {
+ exec { "/bin/sed -i -e'/${line}/s/^#\\+//' '${file}'":
+ onlyif => "/bin/grep '${line}' '${file}' | /bin/grep '^#' | /usr/bin/wc -l"
+ }
+ }
+ comment: {
+ exec { "/bin/sed -i -e'/${line}/s/^\\(.\\+\\)$/#\\1/' '${file}'":
+ onlyif => "/usr/bin/test `/bin/grep '${line}' '${file}' | /bin/grep -v '^#' | /usr/bin/wc -l` -ne 0"
+ }
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf
index 88871f0..ec11255 100644
--- a/global/overlay/etc/puppet/puppet.conf
+++ b/global/overlay/etc/puppet/puppet.conf
@@ -3,8 +3,9 @@ logdir=/var/log/puppet
 vardir=/var/lib/puppet
 ssldir=/var/lib/puppet/ssl
 rundir=/var/run/puppet
-factpath=$vardir/lib/facter
-templatedir=$confdir/templates
+# factpath is supposed to be colon-delimeted, but that does not appear to work
+# (tested with 'strace -f facter --puppet something' - does not split on colon in Puppet 3.4.2).
+factpath=/etc/puppet/facter
 node_terminus = exec
 external_nodes = /etc/puppet/cosmos_enc.py
 basemodulepath = /etc/puppet/modules:/etc/puppet/cosmos-modules:/usr/share/puppet/modules |
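Review bot: The `onlyif` of exec 'sunet_ecryptfs_setup_swap' invokes `grep` unqualified while the resource sets no `path`; as far as I recall Puppet validates onlyif/unless commands the same way as `command`, so this most likely aborts the resource with a "not qualified and no path was specified" error instead of guarding it (the `command` itself is fully qualified, which makes the mismatch easy to miss). Add `path => ['/bin', '/usr/bin'],` to the exec, or qualify the pipeline as `/bin/grep`. The trailing `| grep -q swap` is redundant because the first grep already selects only lines containing 'swap', so `onlyif => '/bin/grep swap /etc/fstab | /bin/grep -qv -e ^# -e cryptswap'` expresses the same condition more directly. A one-line comment on the exec explaining that the check means "an active, non-encrypted swap entry exists in fstab" would also help the next reader, since the intent of the two negative patterns is not obvious.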
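Review bot: The guard `$::is_virtual == 'false'` in sunet::ethernet_bonding compares against a string, which only holds while facts are stringified (Puppet 3 with stringify_facts); if is_virtual ever arrives as a boolean, `false == 'false'` is false and the define silently becomes a no-op on physical hosts. Since stdlib is already in use here (file_line), `if ! str2bool("${::is_virtual}") and $::operatingsystem == 'Ubuntu' {` is robust to both forms. Likewise `$::operatingsystemrelease <= '12.04'` relies on string-vs-number coercion rules; `if versioncmp($::operatingsystemrelease, '12.04') <= 0 {` states the version comparison explicitly. The header comment is good, but it should also say that the define is meant to be declared exactly once per host, as a second declaration would be a duplicate package/file_line resource.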
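Review bot: In the `uncomment` case of `define line`, the onlyif pipeline ends in `/usr/bin/wc -l`, whose exit status is 0 whatever the count, so that exec is never skipped and the resource reports a change on every agent run; the `comment` case already wraps the same pipeline in `/usr/bin/test ... -ne 0`, and `uncomment` should mirror that wrapper. More generally, `${line}` and `${file}` are spliced into shell commands inside single quotes, so a value containing a `'` (or, for `line`, sed/regex metacharacters) changes the command; the callers in this patch pass fixed literals, but the define deserves a header comment stating that both parameters must be trusted literals and that `line` is treated as a regex by the comment/uncomment cases. On the sshd side, `augeas { "sshd_config": }` disables password logins but leaves `PermitRootLogin` at the distribution default even though every key in this tree is installed for root; adding `"set PermitRootLogin without-password",` to the changes list keeps a root password, should one ever be set, from being usable over SSH. The `notify => Service['ssh']` references depend on a Service['ssh'] declared elsewhere (class sshaccess in cosmos-site.pp in this patch), which is worth noting in a comment since sunet::server is a reusable module define.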
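Review bot: The new comment records the observation against Puppet 3.4.2 but gives no hint of what to do once that version is gone, and it misspells "delimited" as "delimeted"; I would tighten it to `# factpath is documented as colon-delimited, but Puppet 3.4.2 does not split on ':' (checked with strace on 'facter --puppet'); revisit on upgrade.`. The old value `$vardir/lib/facter` was dropped rather than kept, so if any custom facts were previously picked up from that directory it is worth confirming they are still found (presumably through libdir rather than factpath) and saying so in the comment.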