summaryrefslogtreecommitdiff
path: root/global/overlay
diff options
context:
space:
mode:
Diffstat (limited to 'global/overlay')
-rw-r--r--global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub57
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf4
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp116
-rwxr-xr-xglobal/overlay/usr/local/bin/docker-cleanup46
4 files changed, 187 insertions, 36 deletions
diff --git a/global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub b/global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub
new file mode 100644
index 0000000..2bc06c0
--- /dev/null
+++ b/global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub
@@ -0,0 +1,57 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFJK9qIBCACypED81H1N4YmhMJrb4uOtTDzo+lFZDVVOcK11+NhTFl+AZZFn
+WH/7UPn+q5ZZBd/IhONfb5QGw5FzTyBWHsbAteXgCvHAIyumwhQzhZnow6myyC6/
+MwDhomT5rb3MkCKCyQMNfj/yMgL6ZRsXVhlGOLMmOekRfKe2wiC5BhRaQQwPZPwg
+FS5D0Tro8Xfxjk98u8rNpQXi9walRAffRY+byhkPiBj0sVA2RXK9Dx2DL3EY0xx0
+7r6Qhs2XkbXNDDCHRuChhHSHwWC16VS9x7Nhfg2EwKqmMGRNREikjwzDl/aHKz+F
+XTLONdmc83sRyklqgH90f3na6s/RT5XTb08xABEBAAG0HUxlaWYgSm9oYW5zc29u
+IDxsZWlmakBtbnQuc2U+iQE+BBMBAgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAUCVC5LXQUJA8SIMQAKCRDXOtZDCtR41tNCB/0a/qYLTSDhst5ViuN9r+Bj
+P6N8E0lUDuqcgNzQHkItkt3wBQQQmC9k3XKpoG6fqP13Zh0KSLSICgl4tQIKm2es
+iQ7YkLvf3iJuAtH0ezIdXBUf7GPwQUu9LdbsXVSz7sedy2B60Jypp85PKBIXhTFP
+xcawET2pOcnY1eO48l55nlTyNrGGFKGCMuwgUmgoBLQ8bsfDdBZete1pdQa4wQNP
+4R5Ij7BQpo229HLqlIJgX9lIjH6B9Byo1YIrnaO+8e8A9KG89WDYkD2+WdP/i0Ci
+YAryC+Q3SBeaf3/JtMYEdrdQEEDnn9vdbViEeJsH8Zm1bEbHC6h0TLMo9nl2TaCh
+tB9MZWlmIEpvaGFuc3NvbiA8bGVpZmpAc3VuZXQuc2U+iQE+BBMBAgAoAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVC5LYQUJA8SIMQAKCRDXOtZDCtR41vGa
+CACOrTXM3VKyMdMZTX6873zb030UezvbtkUyYC9jybb1t+8OBiM2s5OFbE8AGwkE
+GdYI0behwNnPq0FzRarMGhIQDHTqjfg5qhEMnKUGuhG9lzWLZsVEQwNqfAJU6eOs
+DXXMvt4foLvYjsMYPTDm6i90FqDSyslr5j2bqgzP21hnxXiaCzCpplRfQo+AyVhl
+w5F25fmnESNsG+HCA7wsVdATg858SUFfgPe0N1fIP0MVR1LTtDWdTLU2G6QFNkok
+kDAX69FT85/TqBXAJ/46/R8pLKld/GJM8BgNP9YUi2seUr1cf4OTqFUxWHs8JcAG
+Yty9R2f3M0UrjpgW6RblRWs7tCBMZWlmIEpvaGFuc3NvbiA8bGVpZmpAbm9yZHUu
+bmV0PokBPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlQuS2UF
+CQPEiDEACgkQ1zrWQwrUeNYt1Qf9F489tYvbRpKMdehExF7T2omKyrn4RjRckKBx
+LpbQ/F+dqApO8kMyTCokYLEDonHLh2dUEsDyflJhq8RGhs6dnWpnFRLW0A9sc8Jq
+iJLJDBDSAHRudq/6Y9B4s5LYFs7bFgdSuh68W7nQjxD4lEmymYpgWLw19mJ1v99H
+aMx7mkJ5fEZN2krFb8bYvYj8LpA6nGvkxp1zoqLv2Pj5gTdiL2z4ns79+ZFWFAgj
+34FJSPNf5WLhUmRerIOU5Dnuk/DMsLyHw/mjoidsGfcPK7imTB7ZiSKJapBSOWow
+1rX1iR9JB3yu/z4e2/FR1fCnmDX2tO44bIQihjQl7I/NGfp4l7kBDQRSSvaiAQgA
+vpNbRTng0uIDMRIEZH4lSxxXpsCVkIhmR2IbQ4I4esOpgfBt1mfv4A9gjKeQ4BxU
+QtbFtojI94Ds638sc3fQJlm4V2HHkehBZE3OjlbGiG/nhx/2aNwysgdQ6vQgOX44
+5xEM7YviikmWFswdBZLe6q3zkumDNczIxFMVFMLJdaoq8eQ7gcliw1+1C1Ox/8Zj
+1YR1FWTvFxGhVdpviAsfGOgffCjHidEM/G/MKdoO71hJMEtkeiIxdJDK0cZ8VL8A
+OhFImbhaYYbmP5VgibrC5daJYDhPgSjBFErSVhItLPqXfBS9bzi3jSmyFBa6NPqG
+a/W8gAaZDzYzMSld+ro9XQARAQABiQElBBgBAgAPAhsMBQJULkt0BQkDxIhPAAoJ
+ENc61kMK1HjWFs8H/278wU3s1S6C3iqTmIQUpC0fOhfyrGyxDlfR98B6Q/LP1cEU
+v0bHZJJYGXgIG1KZmtP4ZpJFtLMlEYHuHijLx8MLFYqdx40t5IQVrpOazN2t7/fJ
+KK4XnxVWkhlL5oZ5AsMZZC2k3OCJNBFYsJ/3G7yzOVFkVlVGmwFY1NcFFO775lD+
+aZ785IbPo7ED/Lq9eWI+2jhjAQUbfqu9RiEkhBBea8w6T1UrT+d1IfOVizJictSj
+3bmgt3q1NGoUeT8tuOf+xSw9qrhpV4Je+gNzJKJvXr5MpGAtoIfoq7A0k08AnmNP
+1fp3A8n3HkGfZpr7RNWSQslE01POJgYXHEUjF3u5AQ0EUkr3bQEIANW8HiB0noRZ
+GbHzFRLGuGhQ2dbER/xnACqHMLX7tcFj+FJ39xsSi0sH2DGCq3QItbnpVTgU8tPD
+yycPy2CzJk3oofUNrtReejygyTy0l3AtAzQaDHdpa7O0i2QN8Fzct++rlPTth+mG
+ok7utxIZtLhBB1+Ve44z0kuLo1K1VqjSJrhoTpOPrylVVvf75di+q9tTo20QgK+R
+PERj3dimdFJ94CLriGxtqpJM3iSl6W3OhIPVGKTPZpAW0VcTTdkLjwe0YaF0wUD8
+B17opYENpfEcYBFVD39Rxx+FpHZdKNXFJnwUE07M2wfiT1xAhvad2QQ5dleeMXlm
+N0jhlTQX63sAEQEAAYkBJQQYAQIADwIbIAUCVC5LmQUJA8SHqQAKCRDXOtZDCtR4
+1uH8B/9/JMyrbb08oNMHj7vWr3vV9pz3pkfYwUkHDvEpLuFw1WRE1aBlabjDFbKf
+IXexUPQ5DSl6bMwipqOoOFuMt+I/cSif4Z+vB8pfB4qzO+0vD3GJo2JnlrVCx7Qt
+0lRBMNUpCTYrQ4jcZZPstb+DZMoexBzAX1oNdXLvw8eJUCBD9UrF5wIVWIZzUFAW
+o6HC9Mz/MFcxiA5VjxIfBuszsTG6qWph3AYwlXnhIj2Lx0Rv5y4P1Azdu1pSIJMG
+AP8ZDjLQvnNdf114Jz5nt7P+2a27LYMzcvXzuL6HTHV21kgpaX8X17PPkpDQnR9L
+/lWFUPuDp70FZckwDjstnl15le7E
+=W4ov
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index e1ef0e5..20c6106 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -1,4 +1,3 @@
-#
# name source (puppetlabs fq name or git url) upgrade (yes/no) tag-pattern
#
# NOTE that Git packages MUST be tagged with signatures by someone
@@ -13,6 +12,8 @@ apt git://github.com/SUNET/puppetlabs-apt.git yes sunet_dev-*
vcsrepo git://github.com/SUNET/puppetlabs-vcsrepo.git yes sunet-*
xinetd git://github.com/SUNET/puppetlabs-xinetd.git yes sunet-*
hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-*
+augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
+docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-*
#
# Alternate sources you might or might not want to use:
#concat puppetlabs/concat no
@@ -33,4 +34,3 @@ hiera-gpg git://github.com/SUNET/hiera-gpg.git yes sunet-*
#nagios git://github.com/SUNET/puppet-nagios.git yes sunet-*
#staging git://github.com/SUNET/puppet-staging.git yes sunet-*
#apparmor git://github.com/SUNET/puppet-apparmor.git yes sunet-*
-#docker git://github.com/SUNET/garethr-docker.git yes sunet_dev-*
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index c276f84..8bf5aee 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -6,47 +6,95 @@ Exec {
# include some of this stuff for additional features
-#include cosmos::tools
-#include cosmos::motd
-#include cosmos::ntp
-#include cosmos::rngtools
-#include cosmos::preseed
+include cosmos::tools
+include cosmos::motd
+include cosmos::ntp
+include cosmos::rngtools
+include cosmos::preseed
include ufw
include apt
include cosmos
# you need a default node
-node default {
+node default {
+
+ class { 'sshserver': }
+ class { 'mailclient':
+ domain => 'smtp.nordu.net'
+ }
+ class { 'sshkeys': }
}
-# edit and uncomment to manage ssh root keys in a simple way
-
-#class { 'cosmos::access':
-# keys => [
-# "ssh-rsa ..."
-# ]
-#}
-
-# example config for the nameserver class which is matched in cosmos-rules.yaml
-
-#class nameserver {
-# package {'bind9':
-# ensure => latest
-# }
-# service {'bind9':
-# ensure => running
-# }
-# ufw::allow { "allow-dns-udp":
-# ip => 'any',
-# port => 53,
-# proto => "udp"
-# }
-# ufw::allow { "allow-dns-tcp":
-# ip => 'any',
-# port => 53,
-# proto => "tcp"
-# }
-#}
+class dockerhost {
+ apt::source {'docker_official':
+ location => 'https://get.docker.com/ubuntu',
+ release => 'docker',
+ repos => 'main',
+ key => 'A88D21E9',
+ include_src => false
+ }
+ package {'lxc-docker':
+ ensure => latest
+ }
+ class {'docker':
+ manage_package => false
+ }
+}
+class webserver {
+ ufw::allow { "allow-http":
+ ip => 'any',
+ port => 80
+ }
+ ufw::allow { "allow-https":
+ ip => 'any',
+ port => 443
+ }
+}
+
+class mailclient ($domain) {
+ cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain}
+}
+
+class sshserver {
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+ ufw::allow { "allow-sshd":
+ ip => 'any',
+ port => 22
+ }
+}
+
+class sshkeys {
+ ssh_authorized_key {'leifj+neo':
+ ensure => present,
+ name => 'leifj+neo@mnt.se',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+ ssh_authorized_key {'linus':
+ ensure => present,
+ name => 'linus@nordu.net',
+ key => 'AAAAB3NzaC1kc3MAAACBAOgwalVrauBiUm0cJtiehqiXCarmP3LzpOVe/2Lhip3VyGNkCc0tI3ZcwTOuVSNbNAtUPbRFsp2qzNf6yHzDetolb+8oAWoLrNTnyJn/P6objJJ82U8EY1HK27flFpst1NBHzr9UQAKs+r51cszGHDjhXi001+liN2+qiaXRHmppAAAAFQDqf3RIdYsjmEK2ju8jBkcvhkYHQQAAAIEAydJS3s3eRXDiW5ynnQUZONjBwnBIhT6NEznb9FD/6QlfIL3Ay9sbxSQG3MKaC5xfS1TvjZBOTikYn0VFgzR6bXYJtscbH7Hu53X3uwzAi87pgwoE7/Rctf+o9RgGl/a7a/t+POHFYuOY4kSTqK/loKTu/y9BW0PbrPZ+cwIw1k4AAACBALbgqfua4HCdcCKA4Wv0SZ+p1xApNDi9CF33KhMvQ1wrQBCKBU+maTzO9phNFp1PjXv/JxhmkdHLL2lTo3iXdFSbpkwpBb9p649Kbko3L1XEUPZFz5Flt5H8L+FTTNnF5rHfadshr50r4DXYoEyfZFPEitthaS5dlesfyn/aHSN+',
+ type => 'ssh-rsa',
+ user => 'root'
+ }
+}
diff --git a/global/overlay/usr/local/bin/docker-cleanup b/global/overlay/usr/local/bin/docker-cleanup
new file mode 100755
index 0000000..f46942b
--- /dev/null
+++ b/global/overlay/usr/local/bin/docker-cleanup
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Cleanup docker files: untagged containers and images.
+#
+# Use `docker-cleanup -n` for a dry run to see what would be deleted.
+
+untagged_containers() {
+ # Print containers using untagged images: $1 is used with awk's print: 0=line, 1=column 1.
+ # NOTE: "[0-9a-f]{12}" does not work with GNU Awk 3.1.7 (RHEL6).
+ # Ref: https://github.com/blueyed/dotfiles/commit/a14f0b4b#commitcomment-6736470
+ docker ps -a | tail -n +2 | awk '$2 ~ "^[0-9a-f]+$" {print $'$1'}'
+}
+
+untagged_images() {
+ # Print untagged images: $1 is used with awk's print: 0=line, 3=column 3.
+ # NOTE: intermediate images (via -a) seem to only cause
+ # "Error: Conflict, foobarid wasn't deleted" messages.
+ # Might be useful sometimes when Docker messed things up?!
+ # docker images -a | awk '$1 == "<none>" {print $'$1'}'
+ docker images | tail -n +2 | awk '$1 == "<none>" {print $'$1'}'
+}
+
+# Dry-run.
+if [ "$1" = "-n" ]; then
+ echo "=== Containers with uncommitted images: ==="
+ untagged_containers 0
+ echo
+
+ echo "=== Uncommitted images: ==="
+ untagged_images 0
+
+ exit
+fi
+if [ -n "$1" ]; then
+ echo "Cleanup docker files: remove untagged containers and images."
+ echo "Usage: ${0##*/} [-n]"
+ echo " -n: dry run: display what would get removed."
+ exit 1
+fi
+
+# Remove containers with untagged images.
+echo "Removing containers:" >&2
+untagged_containers 1 | xargs --no-run-if-empty docker rm --volumes=true
+
+# Remove untagged images
+echo "Removing images:" >&2
+untagged_images 3 | xargs --no-run-if-empty docker rmi