From 7515782eb503152dfc3e84fee1260fb10d560df9 Mon Sep 17 00:00:00 2001 From: Leif Johansson Date: Mon, 2 Sep 2013 16:01:50 +0200 Subject: import --- global/overlay/etc/cosmos/keys/.placeholder | 0 global/overlay/etc/cron.d/cosmos | 4 ++ global/overlay/etc/puppet/cosmos-modules.conf | 11 +++++ global/overlay/etc/puppet/cosmos-rules.yaml | 2 + global/overlay/etc/puppet/cosmos_enc.py | 24 ++++++++++ global/overlay/etc/puppet/hiera.yaml | 0 global/overlay/etc/puppet/manifests/cosmos-site.pp | 52 ++++++++++++++++++++++ global/overlay/etc/puppet/puppet.conf | 14 ++++++ global/post-tasks.d/010fix-ssh-perms | 23 ++++++++++ global/post-tasks.d/015cosmos-trust | 16 +++++++ global/post-tasks.d/020reports | 4 ++ global/post-tasks.d/030puppet | 13 ++++++ global/post-tasks.d/099autoremove | 4 ++ global/post-tasks.d/999reboot | 3 ++ global/pre-tasks.d/020common-tools | 16 +++++++ global/pre-tasks.d/030puppet | 35 +++++++++++++++ 16 files changed, 221 insertions(+) create mode 100644 global/overlay/etc/cosmos/keys/.placeholder create mode 100644 global/overlay/etc/cron.d/cosmos create mode 100644 global/overlay/etc/puppet/cosmos-modules.conf create mode 100644 global/overlay/etc/puppet/cosmos-rules.yaml create mode 100755 global/overlay/etc/puppet/cosmos_enc.py create mode 100644 global/overlay/etc/puppet/hiera.yaml create mode 100644 global/overlay/etc/puppet/manifests/cosmos-site.pp create mode 100644 global/overlay/etc/puppet/puppet.conf create mode 100755 global/post-tasks.d/010fix-ssh-perms create mode 100755 global/post-tasks.d/015cosmos-trust create mode 100755 global/post-tasks.d/020reports create mode 100755 global/post-tasks.d/030puppet create mode 100755 global/post-tasks.d/099autoremove create mode 100755 global/post-tasks.d/999reboot create mode 100755 global/pre-tasks.d/020common-tools create mode 100755 global/pre-tasks.d/030puppet (limited to 'global') 
diff --git a/global/overlay/etc/cosmos/keys/.placeholder b/global/overlay/etc/cosmos/keys/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/global/overlay/etc/cron.d/cosmos b/global/overlay/etc/cron.d/cosmos
new file mode 100644
index 0000000..b157bde
--- /dev/null
+++ b/global/overlay/etc/cron.d/cosmos
@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+*/15 * * * * root test -f /etc/no-automatic-cosmos || (cosmos update && cosmos apply)
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
new file mode 100644
index 0000000..d8ad043
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -0,0 +1,11 @@
+#
+# name source (puppetlabs fq name or git url) upgrade (yes/no)
+#
+concat puppetlabs/concat no
+stdlib puppetlabs/stdlib no
+ufw attachmentgenie/ufw no
+apt puppetlabs/apt no
+vcsrepo puppetlabs/vcsrepo no
+xinetd puppetlabs/xinetd no
+#golang elithrar/golang yes
+#python git://github.com/stankevich/puppet-python.git yes
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
new file mode 100644
index 0000000..d9dc495
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -0,0 +1,2 @@
+'ns[0-9]?.mnt.se$':
+ nameserver:
diff --git a/global/overlay/etc/puppet/cosmos_enc.py b/global/overlay/etc/puppet/cosmos_enc.py
new file mode 100755
index 0000000..63c3a66
--- /dev/null
+++ b/global/overlay/etc/puppet/cosmos_enc.py
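Review bot: The cron entry on the last line of the cron.d/cosmos hunk has no guard against overlapping runs: if `cosmos update && cosmos apply` takes longer than the 15-minute interval (the pre-tasks in this same commit run `apt-get install` and the post-tasks run `puppet apply`, both of which can be slow), a second instance starts on top of the first and both fight over apt and the stamp files. A non-blocking lock around the command avoids that, e.g. `*/15 * * * * root test -f /etc/no-automatic-cosmos || flock -n /var/run/cosmos-cron.lock sh -c 'cosmos update && cosmos apply'`. A `MAILTO=` line next to `SHELL` and `PATH` would also make explicit where output and errors from this root job are delivered instead of relying on the default of mailing root.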
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+import sys
+import yaml
+import os
+import re
+
+rules_path = os.environ.get("COSMOS_RULES_PATH","/etc/puppet")
+
+node_name = sys.argv[1]
+
+rules = dict()
+for p in rules_path.split(":"):
+ rules_file = os.path.join(p,"cosmos-rules.yaml")
+ if os.path.exists(rules_file):
+ with open(rules_file) as fd:
+ rules.update(yaml.load(fd))
+
+classes = dict()
+for reg,cls in rules.iteritems():
+ if re.search(reg,node_name):
+ classes.update(cls)
+
+print yaml.dump(dict(classes=classes))
diff --git a/global/overlay/etc/puppet/hiera.yaml b/global/overlay/etc/puppet/hiera.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
new file mode 100644
index 0000000..c276f84
--- /dev/null
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -0,0 +1,52 @@
+# This manifest is managed using cosmos
+
+Exec {
+ path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+}
+
+# include some of this stuff for additional features
+
+#include cosmos::tools
+#include cosmos::motd
+#include cosmos::ntp
+#include cosmos::rngtools
+#include cosmos::preseed
+include ufw
+include apt
+include cosmos
+
+# you need a default node
+
+node default {
+
+}
+
+# edit and uncomment to manage ssh root keys in a simple way
+
+#class { 'cosmos::access':
+# keys => [
+# "ssh-rsa ..."
+# ]
+#}
+
+# example config for the nameserver class which is matched in cosmos-rules.yaml
+
+#class nameserver {
+# package {'bind9':
+# ensure => latest
+# }
+# service {'bind9':
+# ensure => running
+# }
+# ufw::allow { "allow-dns-udp":
+# ip => 'any',
+# port => 53,
+# proto => "udp"
+# }
+# ufw::allow { "allow-dns-tcp":
+# ip => 'any',
+# port => 53,
+# proto => "tcp"
+# }
+#}
+
diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf
new file mode 100644
index 0000000..0ba85f4
--- /dev/null
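Review bot: `rules.update(yaml.load(fd))` in cosmos_enc.py uses PyYAML's full loader on the rules files, which honours `!!python/object`-style tags and can construct arbitrary Python objects; the rules file is a plain mapping of regex to class map, so `yaml.safe_load(fd)` yields the same result for well-formed input and rejects anything else. The same line also breaks on an empty or comment-only rules file (`yaml.load` returns `None` and `dict.update(None)` raises `TypeError`), and `classes.update(cls)` breaks the same way when a rule has no class mapping under it, so both should tolerate `None`: `rules.update(yaml.safe_load(fd) or {})` and `classes.update(cls or {})`. `node_name = sys.argv[1]` is unchecked, and since puppet.conf in this commit wires the script in as `external_nodes`, a traceback here presumably surfaces as a failed classification rather than a readable usage error. The script is Python 2 (`print` statement, `iteritems`), which looks intentional for the target platform but is worth a comment at the top so nobody "fixes" the shebang to python3 without porting it.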
+++ b/global/overlay/etc/puppet/puppet.conf
@@ -0,0 +1,14 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+templatedir=$confdir/templates
+node_terminus = exec
+external_nodes = /etc/puppet/cosmos_enc.py
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN
diff --git a/global/post-tasks.d/010fix-ssh-perms b/global/post-tasks.d/010fix-ssh-perms
new file mode 100755
index 0000000..87636d7
--- /dev/null
+++ b/global/post-tasks.d/010fix-ssh-perms
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+if test -d /root/.ssh && \
+ test `stat -t /root/.ssh | cut -d\ -f5` != 0; then
+ chown root.root /root/.ssh
+fi
+
+if test -d /root/.ssh && \
+ test `stat -c %a /root/.ssh` != 700; then
+ chmod 700 /root/.ssh
+fi
+
+if test -f /root/.ssh/authorized_keys; then
+ if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
+ chown root.root /root/.ssh/authorized_keys
+ fi
+ if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
+ chmod 600 /root/.ssh/authorized_keys
+ fi
+fi
diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust
new file mode 100755
index 0000000..ad2c066
--- /dev/null
+++ b/global/post-tasks.d/015cosmos-trust
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+for k in /etc/cosmos/keys/*.pub; do
+ fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'`
+ cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k
+done
+
+for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
+ seen="no"
+ for k in /etc/cosmos/keys/*.pub; do
+ cosmos gpg --with-colons --with-fingerprint < $k | grep -q ":$fp:" && seen="yes"
+ done
+ if [ "x$seen" = "xno" ]; then
+ cosmos gpg --yes --batch --delete-key $fp || true
+ fi
+done
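Review bot: The `[master]` section sets `ssl_client_header = SSL_CLIENT_S_DN` without its companion `ssl_client_verify_header`, yet the comment above says these settings are "needed when the puppetmaster is run by passenger"; the master reads the client-certificate verification status from a separately named header, so the usual Passenger recipe sets both, and with only the DN header pointed at the mod_ssl variable the verify lookup still uses its default header name. If this block is really meant for a Passenger-fronted master, add `ssl_client_verify_header = SSL_CLIENT_VERIFY` on the line after it; if these hosts only ever run `puppet apply` (which is what the 030puppet post-task in this commit does), the whole `[master]` block is dead configuration and the comment's own advice to remove it applies.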
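Review bot: `chown root.root` on both chown lines of 010fix-ssh-perms uses the dot owner/group separator, which coreutils keeps only for compatibility; `chown root:root /root/.ssh` and `chown root:root /root/.ssh/authorized_keys` are the documented form. The two mode checks also read the mode two different ways (`stat -c %a` for the directory, `stat --printf=%a` for the file) with no difference in meaning, so settling on one makes the script easier to scan. Both ownership tests look only at the owner uid (`cut -d\ -f5`), which is fine because the following `chmod 700`/`chmod 600` branches remove any group or world access regardless of who owns it; a short comment saying that is why the group is not checked would save the next reader the question.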
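Review bot: The `awk -F: '$1 == "pub" {print $5}'` selectors in both loops of 015cosmos-trust take field 5 of the `pub` record, which in GnuPG's `--with-colons` output is the key ID, not the fingerprint, so the keyring sync matches on and deletes by key ID while the variable is called `fp`; key IDs are much shorter than fingerprints and are not what a trust check should key on. With `--with-fingerprint` the full fingerprint is field 10 of the `fpr` record, so changing the two awk programs to `$1 == "fpr" {print $10}` gives what the name promises, and the existing `grep -q ":$fp:"` tests keep working against those `fpr` lines. Separately, if `/etc/cosmos/keys/` contains no `*.pub` (this commit only adds a `.placeholder` there), the unexpanded glob makes the inner loop fail for every key, `seen` stays `no`, and the second loop deletes every key from what is presumably the keyring cosmos uses to verify its own updates; a guard such as `[ -f "$k" ] || continue` as the first line of each `for k` body, plus skipping the deletion pass entirely when no `.pub` file exists, keeps an empty directory from emptying the keyring.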
diff --git a/global/post-tasks.d/020reports b/global/post-tasks.d/020reports
new file mode 100755
index 0000000..091a236
--- /dev/null
+++ b/global/post-tasks.d/020reports
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm -f /var/run/facts.json
+facter -p -y > /var/run/facts.yaml
diff --git a/global/post-tasks.d/030puppet b/global/post-tasks.d/030puppet
new file mode 100755
index 0000000..6b1d33a
--- /dev/null
+++ b/global/post-tasks.d/030puppet
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+ args="--verbose"
+else
+ args="--logdest=syslog"
+fi
+
+if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then
+ for m in `find /etc/puppet/manifests -name \*.pp`; do
+ puppet apply $args $m
+ done
+fi
diff --git a/global/post-tasks.d/099autoremove b/global/post-tasks.d/099autoremove
new file mode 100755
index 0000000..2cc6996
--- /dev/null
+++ b/global/post-tasks.d/099autoremove
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+apt-get -qq update
+apt-get -qq -y autoremove
diff --git a/global/post-tasks.d/999reboot b/global/post-tasks.d/999reboot
new file mode 100755
index 0000000..5331446
--- /dev/null
+++ b/global/post-tasks.d/999reboot
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+test -f /var/run/reboot-required -a ! -f /etc/cosmos-manual-reboot && reboot
diff --git a/global/pre-tasks.d/020common-tools b/global/pre-tasks.d/020common-tools
new file mode 100755
index 0000000..eaca6ea
--- /dev/null
+++ b/global/pre-tasks.d/020common-tools
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/common-tools-v01.stamp"
+
+if ! test -f $stamp; then
+ apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades ntp
+ update-alternatives --set editor /usr/bin/vim.basic
+
+ mkdir -p `dirname $stamp`
+ touch $stamp
+fi
diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet
new file mode 100755
index 0000000..2dc0b80
--- /dev/null
+++ b/global/pre-tasks.d/030puppet
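Review bot: `facter -p -y > /var/run/facts.yaml` in 020reports creates the file with whatever umask the cron job inherits, so the fact dump under `/var/run` is most likely readable by every local user; which facts the `-p` puppet facts pull in is not visible here, but facts routinely carry details (interfaces, custom facts, cloud metadata) that an unprivileged account has no need to read, and `(umask 077; facter -p -y > /var/run/facts.yaml)` costs nothing. The redirect also truncates the file before facter starts, so a failing facter leaves an empty report behind; writing to a temporary name and renaming it over `facts.yaml` keeps the previous report intact on failure. Whoever consumes facts.yaml is not shown in this commit, so a comment naming the reader would help the next person deciding whether the file is still needed.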
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Re-used example from SJD
+#
+
+set -e
+
+stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
+
+if ! test -f $stamp -a -f /usr/bin/puppet; then
+ codename=`lsb_release -c| awk '{print $2}'`
+ wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb
+ dpkg -i puppetlabs-release-${codename}.deb
+ rm -f puppetlabs-release-${codename}.deb*
+ apt-get update
+ apt-get -y install puppet-common
+
+ mkdir -p `dirname $stamp`
+ touch $stamp
+fi
+
+python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
+
+if [ -f /etc/puppet/cosmos-modules.conf ]; then
+ grep -E -v "^#" /etc/puppet/cosmos-modules.conf | (
+ cd /etc/puppet/modules && while read module src update; do
+ if [ ! -d /etc/puppet/modules/$module ]; then
+ echo $src | grep -q "://" && git clone $src $module || puppet module install $src
+ else
+ if [ "x$update" = "xyes" ]; then
+ echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src
+ fi
+ fi
+ done)
+fi
-- cgit v1.1
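Review bot: The `wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb` / `dpkg -i` pair in the pre-task 030puppet installs a package, and with it a new apt source and its signing key, from a plain-HTTP download as root with no integrity check, so every later `apt-get install puppet-common` inherits whatever trust this step established; checking the download against a recorded digest before `dpkg -i`, e.g. `echo "<EXPECTED_SHA256>  puppetlabs-release-${codename}.deb" | sha256sum -c -` (digest to be recorded by the maintainer), or fetching over https, closes that gap in the bootstrap path. The module loop at the bottom has the same shape: `git clone $src $module` and `puppet module install $src` take the current tip or latest release with no version pin, and the commented `git://` example in cosmos-modules.conf is an unauthenticated transport, so supporting a tag or version column in that file would make the result reproducible. Note that under `set -e` the `a && b || c` lines still fall through to the `puppet module` branch whenever the git command fails, which silently installs a forge module of the same name instead of reporting the git error; an explicit `if echo $src | grep -q "://"; then ...; else ...; fi` keeps the two paths distinct.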