path: root/global/overlay/etc/puppet/manifests/cosmos-site.pp
blob: 8bf5aeeb323b17d7f4218bc3e40a9f9c923d859e (plain)
# This manifest is managed using cosmos

# Resource default for every Exec in this manifest: commands are resolved
# along this fixed PATH rather than whatever the agent inherited.
# NOTE(review): /usr/local/* is searched before the system directories, so a
# writable entry there would win for unqualified commands — confirm those
# directories are root-owned on managed hosts.
Exec {
  path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}

# include the shared classes that provide additional features on every host

# Cosmos feature classes applied to every host evaluating this manifest.
include cosmos::tools, cosmos::motd, cosmos::ntp, cosmos::rngtools, cosmos::preseed
# Third-party modules whose defined types are used below (ufw::allow, apt::source).
include ufw, apt
# The cosmos base class itself.
include cosmos

# a default node definition is required

# Applied to every node not matched by a more specific node definition:
# hardened sshd (class sshserver), postfix preseeded for the given domain
# (class mailclient) and root's authorized_keys (class sshkeys).
node default {
  class { 'sshserver': }
  class { 'mailclient':
    domain => 'smtp.nordu.net',
  }
  class { 'sshkeys': }
}

# Installs Docker from the upstream apt repository and hands the rest of the
# setup to the 'docker' class with package management switched off.
class dockerhost {
  # NOTE(review): 'A88D21E9' is a short (32-bit) key id; short ids are cheap
  # to collide, so the repository key should be pinned by its full
  # fingerprint — look it up from the vendor's published key before changing.
  apt::source { 'docker_official':
    location    => 'https://get.docker.com/ubuntu',
    release     => 'docker',
    repos       => 'main',
    key         => 'A88D21E9',
    include_src => false,
  }
  # ensure => latest upgrades the package whenever the repository above
  # publishes a newer version, so the host tracks upstream automatically.
  package { 'lxc-docker':
    ensure => latest,
  }
  # The package is declared here, so the module must not manage it as well.
  class { 'docker':
    manage_package => false,
  }
}

# Opens the HTTP and HTTPS ports to all sources in ufw.
class webserver {
  ufw::allow { 'allow-http':
    port => 80,
    ip   => 'any',
  }
  ufw::allow { 'allow-https':
    port => 443,
    ip   => 'any',
  }
}

# Installs postfix via the cosmos preseed mechanism.
#
# @param domain  passed through to the postfix preseed; how it is applied is
#                defined in cosmos::preseed::preseed_package, not here.
class mailclient ($domain) {
  cosmos::preseed::preseed_package { 'postfix':
    ensure => present,
    domain => $domain,
  }
}

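# Hardens the OpenSSH daemon and opens port 22 on the firewall.
#
# sshd_config is edited in place with augeas (unrelated settings are kept),
# the sftp subsystem line is commented out, and both edits notify
# Service['ssh'], which must be declared elsewhere — it is not in this file.
class sshserver {
  include augeas

  augeas { 'sshd_config':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      # Key-based authentication only. PasswordAuthentication alone does not
      # turn off keyboard-interactive (PAM) password prompts, so pin
      # ChallengeResponseAuthentication as well instead of relying on the
      # distro's shipped default.
      'set PasswordAuthentication no',
      'set ChallengeResponseAuthentication no',
      'set X11Forwarding no',
      'set LogLevel VERBOSE', # logs which public key was used for a root login
    ],
    notify  => Service['ssh'],
  } ->
  file_line { 'no_sftp_subsystem':
    path   => '/etc/ssh/sshd_config',
    match  => 'Subsystem sftp /usr/lib/openssh/sftp-server',
    line   => '#Subsystem sftp /usr/lib/openssh/sftp-server',
    notify => Service['ssh'],
  }
  # NOTE(review): PermitRootLogin is left at the distro default; the root
  # keys in class sshkeys rely on that default allowing key-based root login.
  # Consider setting it explicitly so the policy does not depend on the image.

  ufw::allow { 'allow-sshd':
    ip   => 'any',
    port => 22,
  }
}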

# Root's authorized_keys, one resource per operator key.
#
# Both entries are installed for user => 'root', so every key here is a
# direct root login credential and belongs with the sshd hardening in
# class sshserver. The ssh_authorized_key type only adds or removes the keys
# it manages: revoking a key means changing its resource to ensure => absent,
# since merely deleting the resource leaves the key on hosts that already
# have it. The 'name' values (the key comment) must be unique per user.
class sshkeys {
   ssh_authorized_key {'leifj+neo':
    ensure  => present,
    name    => 'leifj+neo@mnt.se',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDVvB4gdJ6EWRmx8xUSxrhoUNnWxEf8ZwAqhzC1+7XBY/hSd/cbEotLB9gxgqt0CLW56VU4FPLTw8snD8tgsyZN6KH1Da7UXno8oMk8tJdwLQM0Ggx3aWuztItkDfBc3Lfvq5T07YfphqJO7rcSGbS4QQdflXuOM9JLi6NStVao0ia4aE6Tj68pVVb3++XYvqvbU6NtEICvkTxEY93YpnRSfeAi64hsbaqSTN4kpeltzoSD1Rikz2aQFtFXE03ZC48HtGGhdMFA/Ade6KWBDaXxHGARVQ9/UccfhaR2XSjVxSZ8FBNOzNsH4k9cQIb2ndkEOXZXnjF5ZjdI4ZU0F+t7',
    type    => 'ssh-rsa',
    user    => 'root'
  }
  # NOTE(review): the key value below appears redacted in this copy of the
  # file; the real manifest must carry the base64 key body.
  ssh_authorized_key {'linus':
    ensure  => present,
    name    => 'linus@nordu.net',
    key     => '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',
    type    => 'ssh-rsa',
    user    => 'root'
  }
}