Diffstat (limited to 'global/overlay')
5 files changed, 88 insertions, 12 deletions
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml index d8a83ca..a84fd5f 100644 --- a/global/overlay/etc/puppet/cosmos-db.yaml +++ b/global/overlay/etc/puppet/cosmos-db.yaml @@ -89,9 +89,9 @@ classes: sunetops: null swamidops: null sto-tug-kvm2.swamid.se: - dockerhost: null mailclient: *id002 sshaccess: null + sunet::dockerhost: null sunetops: null swamidops: null webserver: null @@ -138,7 +138,7 @@ members: lobo2.lab.sunet.se] docker_signer: [mdx2.swamid.se] dockerhost: [www2.eduid.se, reep.tid.isoc.org, datasets.sunet.se, mdx1.swamid.se, - mdx2.swamid.se, sto-tug-kvm2.swamid.se, docker.sunet.se, registry.swamid.se] + mdx2.swamid.se, docker.sunet.se, registry.swamid.se] entropyserver: [random1.nordu.net, random2.nordu.net] mailclient: [ca.sunet.se, cdr1.sunet.se, web-f1.sunet.se, web-db2.sunet.se, sto-tug-kvm-lab2.swamid.se, datasets.sunet.se, mdx1.swamid.se, sto-tug-kvm-lab1.swamid.se, web-a1.sunet.se, @@ -156,7 +156,7 @@ members: lobo2.lab.sunet.se] sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se] sunet::dockerhost: [web-f1.sunet.se, web-db2.sunet.se, web-a1.sunet.se, web-db1.sunet.se, - web-a2.sunet.se] + sto-tug-kvm2.swamid.se, web-a2.sunet.se] sunetops: [ca.sunet.se, cdr1.sunet.se, cdr1.sunet.se, web-f1.sunet.se, web-db2.sunet.se, sto-tug-kvm-lab2.swamid.se, datasets.sunet.se, mdx1.swamid.se, sto-tug-kvm-lab1.swamid.se, web-a1.sunet.se, wp.sunet.se, mdx2.swamid.se, samltest.swamid.se, web-db1.sunet.se, diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index dc2b9c0..5035639 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -31,7 +31,7 @@ mdx2.swamid.se: sto-tug-kvm2.swamid.se: sshaccess: webserver: - dockerhost: + sunet::dockerhost: reep.tid.isoc.org: sshaccess: swamidops: 
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp index a519ccf..92e3804 100644 --- a/global/overlay/etc/puppet/manifests/cosmos-site.pp +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp 
@@ -697,17 +697,64 @@ node 'cdr1.sunet.se' { } node 'sto-tug-kvm2.swamid.se' { - docker::image {'docker.sunet.se/flog/postgresql-9.3': } - file {'/opt/docker/postgresql_data': - ensure => 'directory', - } + #class { 'fail2ban': } + file {'/var/docker': + ensure => 'directory', + } -> + sunet::system_user {'postgres-system-user': + username => 'postgres', + group => 'postgres', + } -> + sunet::add_user_to_group { 'postgres_ssl_cert_access': + username => 'postgres', + group => 'ssl-cert', + } -> + sunet::system_user {'www-data-system-user': + username => 'www-data', + group => 'www-data', + } -> + file {'/var/docker/postgresql_data': + ensure => 'directory', + owner => 'postgres', + group => 'postgres', + mode => '0700', + } -> file {'/var/log/flog_db': ensure => 'directory', - } - docker::run {'flog_db': + owner => 'root', + group => 'postgres', + mode => '1775', + } -> + file {'/var/postgresbackup': + ensure => 'directory', + owner => 'root', + group => 'postgres', + mode => '1775', + } -> + file {'/var/log/flog_app': + ensure => 'directory', + owner => 'root', + group => 'www-data', + mode => '1775', + } -> + file {'/var/log/flog_cron': + ensure => 'directory', + owner => 'root', + group => 'www-data', + mode => '1775', + } -> + sunet::docker_run {'flog_db': image => 'docker.sunet.se/flog/postgresql-9.3', - use_name => true, - volumes => ['/opt/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'], + volumes => ['/opt/flog/postgres/ssl:/etc/ssl', '/var/docker/postgresql_data/:/var/lib/postgresql/','/var/log/flog_db/:/var/log/postgresql/'], + } -> + sunet::docker_run {'flog_app': + image => 'docker.sunet.se/flog/flog_app', + volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'], + } -> + sunet::docker_run {'flog_nginx': + image => 'docker.sunet.se/flog/nginx', + ports => ['80:80', '443:443'], + volumes => 
['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'], } } diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp new file mode 100644 index 0000000..348d9c5 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/add_user_to_group.pp @@ -0,0 +1,7 @@ +# Add a user to a group +define sunet::add_user_to_group($username, $group) { + exec {"add_user_${username}_to_group_${group}_exec": + command => "adduser --quiet $username $group", + path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin', ], + } +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp new file mode 100644 index 0000000..819ef4a --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/system_user.pp @@ -0,0 +1,22 @@ +define sunet::system_user( + $username, + $group, + $system = true, + $shell = '/bin/false' + ) { + + user { $username : + ensure => present, + name => $username, + membership => minimum, + system => $system, + require => Group[ $group ], + shell => $shell, + } + + group { $group : + ensure => present, + name => $group, + } + +} |
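Review bot: The log directories this resource chain creates for the application containers are not the ones the containers mount: `/var/log/flog_app` and `/var/log/flog_cron` are set to `root:www-data` with mode `1775`, but `flog_app` mounts `/var/log/flog/` and `flog_nginx` mounts `/var/log/flog_nginx/`, neither of which is managed here, so Docker will create those as root-owned directories and the ownership work above has no effect on what the containers actually write. Either point the volumes at the managed paths, e.g. `volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog_app/:/opt/flog/logs/'],`, or add `file` resources for `/var/log/flog` and `/var/log/flog_nginx` to the chain. Two further things deserve a comment in the manifest: the `0700` `postgres`-owned data directory only works if the host uid created by `sunet::system_user` matches the uid the `postgresql-9.3` image runs as, which nothing here guarantees, and bind-mounting `/opt/flog/postgres/ssl` over `/etc/ssl` replaces the container's whole `/etc/ssl` tree, including its CA bundle, unless that host directory carries one too. The commented-out `#class { 'fail2ban': }` should be enabled or removed rather than left as dead code. The node block for `sto-tug-kvm2.swamid.se` begins inside this hunk and closes at its end.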
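Review bot: The `exec` in `sunet::add_user_to_group` has no `unless`/`onlyif` guard, so Puppet runs `adduser --quiet $username $group` and reports the resource as changed on every agent run, which hides real drift in reports; if the user is already a member Debian's adduser appears to exit 0, so this is silent rather than failing, but it is still not idempotent from Puppet's point of view. Add `unless => "id -nG ${username} | grep -qw ${group}",` to the exec, and use the braced form in the command as well, `command => "adduser --quiet ${username} ${group}",` so the interpolation is unambiguous. Since the callers already go through `sunet::system_user`, which sets `membership => minimum`, the native `groups => [...]` attribute on the `user` resource would express the same membership without a shell command and is worth considering instead.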
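Review bot: `sunet::system_user` unconditionally declares `group { $group: }`, so two instances that share a `$group`, or any other manifest that already declares that group, fail with a duplicate resource declaration; the two callers in this commit happen to use distinct groups, but nothing in the define warns about the constraint. Guard it with `if ! defined(Group[$group]) { group { $group: ensure => present, name => $group } }` (or `ensure_resource` if stdlib is available) and document the limitation. The define also lacks the header comment its sibling `sunet::add_user_to_group` has; a line such as `# Create a system user (no password set, shell defaults to /bin/false) and its primary group` would do. `membership => minimum` has no effect without a `groups` attribute, so either drop it or add a `$groups = []` parameter that is passed through to the `user` resource.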