# This manifest is managed using cosmos
#
# Site manifest: global resource defaults, shared classes (DHCP hosts,
# SSH access, hardening, entropy server) and per-host node definitions.
# Which class lands on which host is decided outside this file
# (cosmos-rules.yaml is referenced below); only the explicit `node`
# blocks are visible here.

# Fixed search path for every Exec resource in the catalog, so commands
# are resolved from system directories rather than the agent's inherited PATH.
Exec {
  path => "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}

# include some of this stuff for additional features
include cosmos::tools
include cosmos::motd
include cosmos::ntp
#include cosmos::rngtools
#include cosmos::preseed
include ufw
include apt
include cosmos

# you need a default node
# Empty on purpose: hosts without a matching `node` block get only the
# includes above plus whatever the rules file assigns.
node default {
}

# example config for the nameserver class which is matched in cosmos-rules.yaml
#class nameserver {
#  package {'bind9':
#    ensure => latest
#  }
#  service {'bind9':
#    ensure => running
#  }
#  ufw::allow { "allow-dns-udp":
#    ip => 'any',
#    port => 53,
#    proto => "udp"
#  }
#  ufw::allow { "allow-dns-tcp":
#    ip => 'any',
#    port => 53,
#    proto => "tcp"
#  }
#}

# DHCP server for the TUG site, serving on eth0.
# Lease times are given in seconds (one day default, two days maximum).
node 'sto-tug-kvm1.swamid.se' {
  class { 'dhcp':
    dnsdomain => [ 'eduid.se','sunet.se' ],
    nameservers => ['130.242.80.14','130.242.80.99'],
    ntpservers => ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE'],
    interfaces => ['eth0'],
    #pxeserver => '130.242.125.5',
    #pxefilename => 'pxelinux.0',
    default_lease_time => '86400',
    max_lease_time => '172800',
  }
  # Static pools and host reservations shared with the sunet-cdr class below.
  class { 'sunet-dhcp-hosts': }
}

# KVM lab host: builds three guests whose configuration is pulled from the
# sunet-ops repository. The package must be present before the first guest
# is defined (the `->` chain); the remaining two guests carry no ordering.
# NOTE(review): `git://` carries no transport authentication or integrity;
# the guests' configuration is only as trustworthy as whatever tag/commit
# verification cosmos applies to `tagpattern` — confirm that is enforced
# before relying on it, or move the repo URL to an authenticated transport.
node 'sto-tug-kvm-lab1.swamid.se' {
  package {'python-vm-builder':
    ensure => 'installed',
  } ->
  cosmos::dhcp_kvm { 'samltest.swamid.se':
    mac => '52:54:00:3a:0a:e4',
    repo => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus => '1',
    memory => '1024',
  }
  cosmos::dhcp_kvm { 'dane.lab.sunet.se':
    mac => '52:54:00:8d:88:5f',
    repo => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus => '1',
    memory => '1024',
  }
  cosmos::dhcp_kvm { 'meta.swamid.se':
    mac => '52:54:00:1c:72:1a',
    repo => 'git://git.nordu.net/sunet-ops.git',
    tagpattern => 'sunet-ops',
    cpus => '1',
    memory => '1024',
  }
}

# All DHCP subnets and fixed-address reservations. Every pool below has an
# empty `range`, i.e. no dynamic addresses are handed out here; the hosts
# listed afterwards are MAC-to-IP reservations. Whether the dhcp module
# then refuses unknown clients entirely depends on dhcp::pool — TODO confirm.
# NOTE(review): the hyphen in this class name (and in `sunet-cdr` below) is
# not accepted by newer Puppet releases — confirm against the Puppet version
# in use before upgrading.
class sunet-dhcp-hosts {
  dhcp::pool {'sunet-servernet-tug-130.242.125.64/26':
    network => '130.242.125.64',
    mask => '255.255.255.192',
    gateway => '130.242.125.65',
    range => ''
  }
  dhcp::pool {'sunet-servernet-fre-130.242.125.128/26':
    network => '130.242.125.128',
    mask => '255.255.255.192',
    gateway => '130.242.125.129',
    range => ''
  }
  dhcp::pool {'install':
    network => '130.242.125.0',
    mask => '255.255.255.192',
    gateway => '130.242.125.1',
    range => ''
  }
  dhcp::pool {'eduid-tug-IdP':
    network => '130.242.130.0',
    mask => '255.255.255.248',
    gateway => '130.242.130.1',
    range => ''
  }
  dhcp::pool {'eduid-tug-auth':
    network => '130.242.130.8',
    mask => '255.255.255.248',
    gateway => '130.242.130.9',
    range => ''
  }
  dhcp::pool {'eduid-tug-other':
    network => '130.242.130.16',
    mask => '255.255.255.240',
    gateway => '130.242.130.17',
    range => ''
  }
  dhcp::pool {'eduid-fre-IdP':
    network => '130.242.130.64',
    mask => '255.255.255.248',
    gateway => '130.242.130.65',
    range => ''
  }
  dhcp::pool {'eduid-fre-auth':
    network => '130.242.130.72',
    mask => '255.255.255.248',
    gateway => '130.242.130.73',
    range => ''
  }
  dhcp::pool {'eduid-fre-other':
    network => '130.242.130.80',
    mask => '255.255.255.240',
    gateway => '130.242.130.81',
    range => ''
  }
  dhcp::pool {'eduid-lla-other':
    network => '130.242.130.144',
    mask => '255.255.255.240',
    gateway => '130.242.130.145',
    range => ''
  }

  # eduID TUG hosts
  # Physical hosts appear twice (eth0/eth1): two MACs reserving the same
  # address, with `hostname` overriding the resource title for the lease.
  dhcp::host { 'kvmidp-tug-3_eth0': mac => "24:b6:fd:fe:fa:51", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; }
  dhcp::host { 'kvmidp-tug-3_eth1': mac => "24:b6:fd:fe:fa:52", ip => "130.242.130.4", hostname => 'kvmidp-tug-3'; }
  dhcp::host { 'idp-tug-3a': mac => "52:54:00:01:00:01", ip => "130.242.130.5"; }
  dhcp::host { 'idp-tug-3b': mac => "52:54:00:01:00:02", ip => "130.242.130.6"; }
  dhcp::host { 'auth-tug-3_eth0': mac => "f0:4d:a2:73:4e:9b", ip => "130.242.130.12", hostname => 'auth-tug-3'; }
  dhcp::host { 'auth-tug-3_eth1': mac => "f0:4d:a2:73:4e:9c", ip => "130.242.130.12", hostname => 'auth-tug-3'; }
  dhcp::host { 'kvm-tug-3_eth0': mac => "f0:4d:a2:73:4f:82", ip => "130.242.130.20", hostname => 'kvm-tug-3'; }
  dhcp::host { 'kvm-tug-3_eth1': mac => "f0:4d:a2:73:4f:83", ip => "130.242.130.20", hostname => 'kvm-tug-3'; }
  dhcp::host { 'db-tug-3_eth0': mac => "24:b6:fd:fe:fa:f0", ip => "130.242.130.21", hostname => 'db-tug-3'; }
  dhcp::host { 'db-tug-3_eth1': mac => "24:b6:fd:fe:fa:f1", ip => "130.242.130.21", hostname => 'db-tug-3'; }
  dhcp::host { 'mq-tug-3': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; }
  dhcp::host { 'worker-tug-3': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; }
  dhcp::host { 'signup-tug-3': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; }
  dhcp::host { 'helpdesk-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
  dhcp::host { 'www-tug-3': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; }
  dhcp::host { 'monitor-tug-3': mac => "52:54:00:03:00:27", ip => "130.242.130.27"; }
  dhcp::host { 'kvmapp-tug-3_eth0': mac => "f0:4d:a2:73:4f:0d", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; }
  dhcp::host { 'kvmapp-tug-3_eth1': mac => "f0:4d:a2:73:4f:0e", ip => "130.242.130.30", hostname => 'kvmapp-tug-3'; }

  # eduID FRE hosts
  dhcp::host { 'kvmidp-fre-3_eth0': mac => "18:03:73:41:f3:e8", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
  dhcp::host { 'kvmidp-fre-3_eth1': mac => "18:03:73:41:f3:e9", ip => "130.242.130.68", hostname => 'kvmidp-fre-3'; }
  dhcp::host { 'idp-fre-3a': mac => "52:54:00:04:00:01", ip => "130.242.130.69"; }
  dhcp::host { 'idp-fre-3b': mac => "52:54:00:04:00:02", ip => "130.242.130.70"; }
  dhcp::host { 'auth-fre-3_eth0': mac => "18:03:73:0f:41:3c", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
  dhcp::host { 'auth-fre-3_eth1': mac => "18:03:73:0f:41:3d", ip => "130.242.130.76", hostname => 'auth-fre-3'; }
  dhcp::host { 'kvm-fre-3_eth0': mac => "f0:4d:a2:73:4b:e3", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
  dhcp::host { 'kvm-fre-3_eth1': mac => "f0:4d:a2:73:4b:e4", ip => "130.242.130.84", hostname => 'kvm-fre-3'; }
  dhcp::host { 'www-fre-3': mac => "52:54:00:06:00:01", ip => "130.242.130.86"; }
  dhcp::host { 'dashboard-fre-3': mac => "52:54:00:06:00:57", ip => "130.242.130.87"; }
  dhcp::host { 'signup-fre-3': mac => "52:54:00:06:00:58", ip => "130.242.130.88"; }
  dhcp::host { 'worker-fre-3': mac => "52:54:00:06:00:59", ip => "130.242.130.89"; }
  dhcp::host { 'mq-fre-3': mac => "52:54:00:06:00:5a", ip => "130.242.130.90"; }
  dhcp::host { 'db-fre-3_eth0': mac => "f0:4d:a2:73:4f:19", ip => "130.242.130.85", hostname => 'db-fre-3'; }
  dhcp::host { 'db-fre-3_eth1': mac => "f0:4d:a2:73:4f:1a", ip => "130.242.130.85", hostname => 'db-fre-3'; }
  dhcp::host { 'kvmapp-fre-3_eth0': mac => "78:45:c4:f7:90:ec", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }
  dhcp::host { 'kvmapp-fre-3_eth1': mac => "78:45:c4:f7:90:ed", ip => "130.242.130.94", hostname => 'kvmapp-fre-3'; }

  # eduID LLA hosts
  dhcp::host { 'db-lla-3_eth0': mac => "f0:4d:a2:73:4e:08", ip => "130.242.130.148", hostname => 'db-lla-3'; }
  dhcp::host { 'db-lla-3_eth1': mac => "f0:4d:a2:73:4e:09", ip => "130.242.130.148", hostname => 'db-lla-3'; }

  # eduID Development subnets
  # These two pools override the resolver list per subnet via a raw
  # `options` string; the production pools above inherit the server-wide
  # nameservers from the dhcp class instead.
  dhcp::pool {'eduid-tug-dev':
    network => '194.68.13.128',
    mask => '255.255.255.224',
    gateway => '194.68.13.129',
    range => '',
    options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
  }
  dhcp::pool {'eduid-fre-dev':
    network => '194.68.13.160',
    mask => '255.255.255.224',
    gateway => '194.68.13.161',
    range => '',
    options => 'domain-name-servers 109.105.111.31, 109.105.110.31',
  }

  # eduID TUG development hosts
  dhcp::host { 'idp-tug-1': mac => "52:54:00:a0:00:92", ip => "194.68.13.146" }
  dhcp::host { 'testvm-tug-1': mac => "52:54:00:11:22:33", ip => "194.68.13.136" }
  dhcp::host { 'userdb-tug-1': mac => "52:54:00:93:22:29", ip => "194.68.13.132" }
  dhcp::host { 'userdb-tug-2': mac => "52:54:00:17:13:ff", ip => "194.68.13.133" }

  # eduID FRE development hosts
  dhcp::host { 'idp-fre-1': mac => "52:54:00:a1:00:b2", ip => "194.68.13.178" }
  dhcp::host { 'dash-fre-1': mac => "52:54:00:a2:00:a7", ip => "194.68.13.167" }
  dhcp::host { 'userdb-fre-1': mac => "52:54:00:17:13:f6", ip => "194.68.13.164" }

  # SUNET TUG hosts
  # Same MACs as the cosmos::dhcp_kvm guests defined on sto-tug-kvm-lab1 above;
  # keep the two lists in sync when a guest is added or re-created.
  dhcp::host { 'samltest': mac => "52:54:00:3a:0a:e4", ip => "130.242.125.80" }
  dhcp::host { 'dane.lab': mac => "52:54:00:8d:88:5f", ip => "130.242.125.81" }
  dhcp::host { 'meta.swamid': mac => "52:54:00:1c:72:1a", ip => "130.242.125.82" }
}

# Baseline for SUNET-managed hosts: sshd, a firewall opening for it, the
# operators' keys on the root account, and the bastion hardening class.
# NOTE(review): this file declares a class named `sunet` while also using
# `sunet::server`, which suggests a `sunet` module exists; a module class of
# the same name would clash with this one — confirm there is no such class.
class sunet {
  # Order matters: package first, then the firewall rule, then the service,
  # so sshd is never started before the allow rule exists.
  package { ['openssh-server', 'emacs23-nox']:
    ensure => 'installed'
  } ->
  ufw::allow { 'allow-ssh-sunet':
    port => '22',
    ip => 'any', # both IPv4 and IPv6
    proto => 'tcp'
  } ->
  service { 'ssh':
    ensure => 'running',
  }
  sunet::server { 'sunet_server': }

  # Operator public keys, all granted direct root login. SSH is reachable
  # from any source per the rule above, so this key list is the effective
  # access-control list for these hosts; the `name` field is the key
  # comment as installed in authorized_keys and is what identifies the
  # owner during a key rotation or revocation.
  ssh_authorized_key {'leifj+neo':
    name => 'leifj+neo@mnt.se',
    ensure => present,
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
    type => 'ssh-rsa',
    user => 'root'
  }
  ssh_authorized_key {'ft+505152DD':
    name => 'fredrik+505152DD@thulin.net',
    ensure => present,
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3',
    type => 'ssh-rsa',
    user => 'root'
  }
  ssh_authorized_key {'ft+4030CCAD':
    name => 'fredrik+4030CCAD@thulin.net',
    ensure => present,
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDCb2Nkstl2A2Av34oAeugSFAUZisR44EiN3+QHCfNiv2UtMvGQsz2uVRGS0zA7j2PjcrEA1AcstriONBZF/TodARbirX7u7ibJo4gfFJctSMHMBncwSKt5BR6cuCZpW9E7f05tVc3Z1SU1XlAn0OUuAt6UwluEehEKLKXDIHWfsGejlOTpy6x+++6/o1gfMoXpxYDRK70z8jWPfN6i/tt2q+Y0gjZWQP4CHGzFEUtTpOlFoqN4TzXaJushBhdMsiKllOm9wzHFuxlU/hNbDfn00vdOTPYpHkUluQUE7NtNznpeTWpl5qYL+n4uIChxjeZRBmUgD9t8YU4t3UZNksD/',
    type => 'ssh-rsa',
    user => 'root'
  }
  ssh_authorized_key {'swold+neo':
    name => 'swold+neo@sunet.se',
    ensure => present,
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEH/7KWri49NdhCjXW8VEdDxFl3IfIFT6QjJ47TkhCZCPZdgFl8NLKUOBE1P4jrwB+f+G+ScQ9EYN2Mnf0VhjZ3twPq2S1fosu3jmA56qhQ2J6ZNG1SvVDkgT69HZ+yoxEzbkmWuhhlb7WWVzC3h1K5Rxs8Yr9GJzIpgqH5PzI73pMAS89MYOjkhqS8NOi4onB3llFnyFZeWDB+rXj8/Q6k1u2F9KN1fPxe3EiskaJPOkPn8dEe3pOAiu+FwWyinHxO9Z4gzf55XVE8oFd36LRpoJGr32vdScSPeCksrARluEHnkEHqg6cVLcDkKnHrPITuXKj54i/jYeYGetigEuV',
    type => 'ssh-rsa',
    user => 'root'
  }

  # OS hardening
  # Hosts whose hostname contains "kvm" skip the network sysctl hardening
  # (presumably because the hypervisor forwards guest traffic — confirm);
  # everything else additionally gets paranoid permission fixes.
  if $::hostname =~ /kvm/ {
    class {'bastion':
      fstab_fix_shm => false,
      sysctl_net_hardening => false,
    }
  } else {
    class {'bastion':
      fstab_fix_shm => false,
      fixperms_paranoia => true,
    }
  }
}

# NOTE(review): the 'roland-umu' key below is declared again in class
# swamidops with the same title; if that class is ever assigned to this
# node (e.g. through cosmos-rules.yaml) catalog compilation fails with a
# duplicate declaration. Keeping the key in one place avoids that.
node 'samltest.swamid.se' {
  ssh_authorized_key {'hans-its-umu':
    name => 'haho0032@its-admins-MacBook-Pro.local',
    ensure => present,
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCo3A5CG7fKLBLw8vhJL6Q8iweADu7qyDUokAvKR1SUitBnYw0pnd3cv3T32S/mps51YIoyKwhv2q2UGW5kYMeZtH0YjBy+l93nVBjUCLlNkz0T5gq+ePVayiqv0hUy5VMDEqLmUOquYr3ao7FBRu34HxlEj26O6Ckvk5YTImGmGqMw6kQ4aI0oIkwk3VwO2vMWSD6lgT6YCsE9g7wkD4nJpkV1PEDOx8yxwFr0kUbL3/DpudBFew/FZa4Dq4H2brExa3Q/rrnoo1GAKLzHW/V8oa8eHbRQXwchgX63UbnzQjGiaLUc5bHZwEehp2TkLYx6encctIUGi447DVCfOTsz',
    type => 'ssh-rsa',
    user => 'root'
  }
  ssh_authorized_key {'roland-umu':
    type => 'ssh-rsa',
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC+tLFDNA7UXr3ZXgp6qQq7pKsTStHb+8UIEO3Act7Va3c/dz9P8Bi4+y8h33t2SACsQHXXUXAgSfmgPi+tijZ/rJrKGZJkA5LPbntca40ePU/zNWKVKGylbdnv9vz2urrr3xOmcV7yD/91k+JLwzTWiNWF6IXQC0p43EvE6BdZnLGdGAU9DPj/5rtyxWlX9Lul516dmVD2+nI8UR5bnDNl83a3lLkQyEDZMIC8QujNV8fR3pgYeRKdC7WtPcaPGv5NaF9UweBDK+7QwHTJAuIZw6S7ArA7KgOF64evOuVL0tTEyuwMHGrlE+ylxN+zOAfDvEMrxnTATR6RMcvLmTJB',
    ensure => present,
    user => 'root',
    name => 'roland.hedberg@adm.umu.se'
  }
}

# Root keys for the SWAMID operations group; assigned to hosts outside this
# file. Same caveat as above: these are root-level credentials, so this list
# is the place to remove a key when an operator leaves.
class swamidops {
  ssh_authorized_key {'roland-umu':
    type => 'ssh-rsa',
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC+tLFDNA7UXr3ZXgp6qQq7pKsTStHb+8UIEO3Act7Va3c/dz9P8Bi4+y8h33t2SACsQHXXUXAgSfmgPi+tijZ/rJrKGZJkA5LPbntca40ePU/zNWKVKGylbdnv9vz2urrr3xOmcV7yD/91k+JLwzTWiNWF6IXQC0p43EvE6BdZnLGdGAU9DPj/5rtyxWlX9Lul516dmVD2+nI8UR5bnDNl83a3lLkQyEDZMIC8QujNV8fR3pgYeRKdC7WtPcaPGv5NaF9UweBDK+7QwHTJAuIZw6S7ArA7KgOF64evOuVL0tTEyuwMHGrlE+ylxN+zOAfDvEMrxnTATR6RMcvLmTJB',
    ensure => present,
    user => 'root',
    name => 'roland.hedberg@adm.umu.se'
  }
  ssh_authorized_key {'lordahl-hig':
    type => 'ssh-rsa',
    key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAoghSjIy5fx9SY6bCq39yY3+SVdPbeq+giJzkJgQNpRj7kv60gPimRZc793j/tBByb739b6WhK+Bx7VibJwop2Tuq22/gIAdY7shXeaGCDCfNkDwjAqEoct+DpoRHEojGghMooVj7gCgaEUJmArEjPMHqkQ3AGZISN6vvxcn7CPhcYtOlrUL/EWkPyrks5MHcmwDZpPCoY37XgJVp3H0GbidBLY869X926AH9DrORjQBgNVy2HnrxDDtKzX/o6UB6LTj2oUjmuMaEDXFdMgWBq7UHgguut8gp14o6k4aaWvjklcjckuW5BC7sdD46qkxzXPLhae2neRj2bziiyKnyYQ==',
    ensure => present,
    user => 'root',
    name => 'anders@merlin'
  }
  ssh_authorized_key {'aslund-umu':
    type => 'ssh-rsa',
    key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC1fzNy2/nmIwyrHX2FJhjmkfc0BKqVMBKJoM+NyNI9T0tWe/Vmpa4xnRwZ/qBZgk1Gh2ttjY+PiT9Y1VXQLJ7YMNJezoD5xT3MmOlj5vQPP2d6ZC+pqADatBUpdnI65GQZfXSbiYVpc3b/WzieYKoGo8wk1JuXF1McEH5oXViUW96R4PuB+nXowSE1a7lmLXIiWov/qHa+5LwZQ8l8Xw46gh6AOtnvKJeUsgUvGMC/SnSBiZrfruyQCvNrzdjFQHKW79sWRPRBfU356583QmuqYprQ5gINA4zVbwfT1xaFYqsb+/IUX+Hcw5wlWdfTxhzvzelgg0qVVvRrqEhwMtgN',
    ensure => present,
    user => 'root',
    name => 'fredrik.aslund@umu.se/epass2003/130409'
  }
}

node 'dane.lab.sunet.se' {
  class {'sunet': }
}

# WordPress host: Apache (prefork, mod_php) plus a local MySQL server.
# Only ports 80 and 443 are opened; the database is not exposed by this file.
# NOTE(review): `hiera('mysql_password', 'NOT_SET_IN_HIERA')` silently uses
# the literal fallback as the real database password whenever the hiera key
# is missing. Looking the key up without a default would make a missing
# secret fail catalog compilation instead of deploying a known value.
# The pinned WordPress `version` is a fixed release; keeping it current is a
# separate operational concern not handled here.
node 'wp.sunet.se' {
  package {'libapache2-mod-php5': ensure => 'latest'}
  package {'php5-mysql': ensure => 'latest'}
  class {'apache':
    mpm_module => 'prefork',
    default_vhost => false
  }
  apache::mod {'php5': }
  apache::mod {'ssl': }
  apache::mod {'rewrite': }
  # Only a plain-HTTP vhost is declared here even though mod_ssl is loaded;
  # the HTTPS vhost, if any, is not visible in this file.
  apache::vhost { 'wp.sunet.se':
    port => 80,
    docroot => '/opt/wordpress'
  }
  include mysql::server
  user {'wordpress': ensure => present, groups => 'www-data'}
  class { 'wordpress':
    wp_owner => 'wordpress',
    wp_group => 'www-data',
    db_user => 'wp',
    db_password => hiera('mysql_password', 'NOT_SET_IN_HIERA'),
    wp_multisite => false,
    wp_site_domain => 'wp.sunet.se',
    version => '3.8.1'
  }
  ufw::allow { 'allow-www-wordpress':
    port => '80',
    ip => 'any', # both IPv4 and IPv6
    proto => 'tcp'
  }
  ufw::allow { 'allow-https-wordpress':
    port => '443',
    ip => 'any', # both IPv4 and IPv6
    proto => 'tcp'
  }
}

# DHCP server variant listening on a bonded interface and also answering for
# swamid.se; reuses the same pools and reservations as sto-tug-kvm1. Lease
# times are not set here, so the dhcp class defaults apply.
class sunet-cdr {
  class { 'dhcp':
    dnsdomain => [ 'eduid.se','sunet.se','swamid.se' ],
    nameservers => ['130.242.80.14','130.242.80.99'],
    ntpservers => ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE'],
    interfaces => ['bond0'],
    #pxeserver => '130.242.125.5',
    #pxefilename => 'pxelinux.0'
  }
  class { 'sunet-dhcp-hosts': }
}

# Entropy-as-a-service host: installs pollen from a PPA, points it at the
# hardware RNG device /dev/qrandom0 via /etc/default/pollen (restarting the
# service when that file changes) and opens 80 and 443 to the world.
# NOTE(review): the two ufw::allow rules below give no `proto`, so the
# protocol comes from ufw::allow's default even though the titles say tcp
# — confirm the default matches. Consumers should prefer the 443 endpoint;
# whether pollen itself terminates TLS is not configured in this file.
class entropyserver {
  include augeas
  apt::ppa {'ppa:ndn/pollen': } ->
  package {'pollen': } ->
  service {'pollen':
    ensure => 'running'
  }
  augeas { "pollen_defaults":
    incl => "/etc/default/pollen",
    lens => "Shellvars.lns",
    changes => [
      'set DEVICE "/dev/qrandom0"',
    ],
    notify => Service['pollen'],
  } ->
  ufw::allow { "allow-pollen-http-tcp":
    ip => 'any',
    port => 80
  }
  ufw::allow { "allow-pollen-https-tcp":
    ip => 'any',
    port => 443
  }
}

# Kernel driver for the Quantis PCI hardware RNG (the device pollen reads
# above), from the same vendor PPA family. No ordering is declared between
# the PPA and the package here.
class quantis {
  apt::ppa {'ppa:ndn/quantispci': }
  package {'quantispci-dkms': }
}