Diffstat (limited to 'global')
-rw-r--r-- | global/overlay/etc/puppet/cosmos-modules.conf | 9 | ||||
-rw-r--r-- | global/overlay/etc/puppet/manifests/cosmos-site.pp | 116 |
2 files changed, 86 insertions, 39 deletions
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index af786c4..6a89c4f 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -3,11 +3,10 @@
 #
 concat puppetlabs/concat no
 stdlib puppetlabs/stdlib no
-cosmos git://github.com/leifj/puppet-cosmos.git yes
+cosmos git://github.com/SUNET/puppet-cosmos.git yes ct-ops-*
 ufw attachmentgenie/ufw no
 apt puppetlabs/apt no
 vcsrepo puppetlabs/vcsrepo no
-xinetd puppetlabs/xinetd no
-#golang elithrar/golang yes
-#python git://github.com/stankevich/puppet-python.git yes
-hiera-gpg git://github.com/SUNET/hiera-gpg.git no
+hiera-gpg git://github.com/SUNET/hiera-gpg.git no ct-ops-*
+docker git://github.com/SUNET/garethr-docker.git yes ct-ops-*
+augeas git://github.com/SUNET/puppet-augeas.git yes ct-ops-*
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index c276f84..8bf5aee 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
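Review bot: The four module sources added or changed here (cosmos, hiera-gpg, docker, augeas) are all fetched over `git://`, a transport with no server authentication or integrity protection, so any network position between the host and GitHub can substitute the module code that Puppet will then apply as root. Switch each URL to the HTTPS form, e.g. `+cosmos https://github.com/SUNET/puppet-cosmos.git yes ct-ops-*`, and likewise for the hiera-gpg, docker and augeas lines. The third column appears to be an auto-update flag (three of the four are `yes`), which makes the transport choice matter more because the checkout is refreshed without review; if that reading is right, consider pinning a tag or commit rather than tracking the branch head.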
@@ -6,47 +6,95 @@ Exec { # include some of this stuff for additional features -#include cosmos::tools -#include cosmos::motd -#include cosmos::ntp -#include cosmos::rngtools -#include cosmos::preseed +include cosmos::tools +include cosmos::motd +include cosmos::ntp +include cosmos::rngtools +include cosmos::preseed include ufw include apt include cosmos # you need a default node -node default { +node default { + + class { 'sshserver': } + class { 'mailclient': + domain => 'smtp.nordu.net' + } + class { 'sshkeys': } } -# edit and uncomment to manage ssh root keys in a simple way - -#class { 'cosmos::access': -# keys => [ -# "ssh-rsa ..." -# ] -#} - -# example config for the nameserver class which is matched in cosmos-rules.yaml - -#class nameserver { -# package {'bind9': -# ensure => latest -# } -# service {'bind9': -# ensure => running -# } -# ufw::allow { "allow-dns-udp": -# ip => 'any', -# port => 53, -# proto => "udp" -# } -# ufw::allow { "allow-dns-tcp": -# ip => 'any', -# port => 53, -# proto => "tcp" -# } -#} +class dockerhost { + apt::source {'docker_official': + location => 'https://get.docker.com/ubuntu', + release => 'docker', + repos => 'main', + key => 'A88D21E9', + include_src => false + } + package {'lxc-docker': + ensure => latest + } + class {'docker': + manage_package => false + } +} +class webserver { + ufw::allow { "allow-http": + ip => 'any', + port => 80 + } + ufw::allow { "allow-https": + ip => 'any', + port => 443 + } +} + +class mailclient ($domain) { + cosmos::preseed::preseed_package {"postfix": ensure => present, domain => $domain} +} + +class sshserver { + include augeas + augeas { "sshd_config": + context => "/files/etc/ssh/sshd_config", + changes => [ + "set PasswordAuthentication no", + "set X11Forwarding no", + "set LogLevel VERBOSE", # log pubkey used for root login + ], + notify => Service['ssh'], + } -> + file_line { + 'no_sftp_subsystem': + path => '/etc/ssh/sshd_config', + match => 'Subsystem sftp /usr/lib/openssh/sftp-server', 
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server', + notify => Service['ssh'], + } + ufw::allow { "allow-sshd": + ip => 'any', + port => 22 + } +} + +class sshkeys { + ssh_authorized_key {'leifj+neo': + ensure => present, + name => 'leifj+neo@mnt.se', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7', + type => 'ssh-rsa', + user => 'root' + } + ssh_authorized_key {'linus': + ensure => present, + name => 'linus@nordu.net', + key => 'AAAAB3NzaC1kc3MAAACBAOgwalVrauBiUm0cJtiehqiXCarmP3LzpOVe/2Lhip3VyGNkCc0tI3ZcwTOuVSNbNAtUPbRFsp2qzNf6yHzDetolb+8oAWoLrNTnyJn/P6objJJ82U8EY1HK27flFpst1NBHzr9UQAKs+r51cszGHDjhXi001+liN2+qiaXRHmppAAAAFQDqf3RIdYsjmEK2ju8jBkcvhkYHQQAAAIEAydJS3s3eRXDiW5ynnQUZONjBwnBIhT6NEznb9FD/6QlfIL3Ay9sbxSQG3MKaC5xfS1TvjZBOTikYn0VFgzR6bXYJtscbH7Hu53X3uwzAi87pgwoE7/Rctf+o9RgGl/a7a/t+POHFYuOY4kSTqK/loKTu/y9BW0PbrPZ+cwIw1k4AAACBALbgqfua4HCdcCKA4Wv0SZ+p1xApNDi9CF33KhMvQ1wrQBCKBU+maTzO9phNFp1PjXv/JxhmkdHLL2lTo3iXdFSbpkwpBb9p649Kbko3L1XEUPZFz5Flt5H8L+FTTNnF5rHfadshr50r4DXYoEyfZFPEitthaS5dlesfyn/aHSN+', + type => 'ssh-rsa', + user => 'root' + } +} |
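Review bot: In `class dockerhost`, the apt::source for the Docker repository trusts the signing key by its short id `key => 'A88D21E9'`; eight-hex-digit ids are cheap to collide, so a key lookup by this value can resolve to a different key than intended while `package {'lxc-docker': ensure => latest}` then installs and upgrades from that repository unattended. Replace the short id with the full 40-hex-digit fingerprint of the Docker repository key, `key => '<FULL-FINGERPRINT-placeholder>'`, taken from a trusted out-of-band source. In `class sshserver`, the augeas changes set `PasswordAuthentication no` but leave `PermitRootLogin` at whatever the file already says, even though `class sshkeys` installs authorized keys for `user => 'root'`; adding `"set PermitRootLogin without-password",` to the `changes` list makes the key-only root policy explicit instead of depending on the distro default.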