Squashed 'puppet/' changes from 8f7043a..59b7f11
authorSilvio Rhatto <rhatto@riseup.net>
Mon, 23 Oct 2017 21:42:32 +0000 (19:42 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Mon, 23 Oct 2017 21:42:32 +0000 (19:42 -0200)
59b7f11 Rollback sshd::print_motd
29e15a3 Set sshd::print_motd to yes
8a13cb5 Post-receive: git submodule sync
d0d65d6 Ignore ssl, unignore modules
662bf5a Exclude also .git at provision_rsync_opts
745b98a Configure provision_rsync_opts at kvmxfile
1434057 Set default backupninja::keystore
36de179 Use scripts from /etc/puppet at kvmxfile provision_command
fe2d343 Fixes provision_command at kvmxfile
0a45a48 Use puppet hostname at kvmxfile
e3a3408 Updates kvmxfile
8648b94 Adds kvmxfile
07b03c2 Deploy: check for sudo config
c6414a8 Removes examples
6507997 Cleanup manifests
e867618 Fetch submodules using https
ee8938e Use projects.list on mrconfig
9e67e02 Support for compiled config
ceddd20 Cleanup TODO
6dad16a Adds modules folder
6f98b51 Updates hiera mount location
48f2491 Removes templates
319bdcb Cleanup modules folder
84516c6 Updates TODO
a43c2f9 Updates README
ca1735f Updates TODO
a67e9d4 TODO: vagrant issues
2838e86 Updates TODO
9662168 Updates TODO
afa676d Rename default box
58b18e5 Updates TODO
20858dc Updates TODO
cd876e6 Default eyaml extension
3645ef8 Adds eyaml backend into hiera config
158f12a Adds hiera-eyaml into DEVELOP_DEPENDENCIES
ec33fd1 Adds keys into .gitignore
490f2e2 Adds hiera-eyaml into DEPLOY_DEPENDENCIES
7d1fc96 Fix site_users inheritance
80088c7 Remove usb-utils from deployment dependencies
03764c2 Deploy: check for rsync
5eb3983 Updates git vhost
739c79f Test deployment without git reset
c8a14ca Preload HSTS
e096f08 Deploy: setup DEPLOY_DEPENDENCIES
0a4a8cc Config cleanup
ace1840 Do not install storedconfigs dependencies on provision
b83d85a Check for puppet.conf on provision
54c68a0 Default SSH config
56e4bea Updates TODO
51c1763 Comment wheezy dependencies specifics
3cc7d47 Removes key folder
41b8ef0 Fix deploy dependencies
64b8d70 Deploy dependencies, TODO update
6051509 Cleanup storedconfigs dependencies
1cf6e4b TODO ordering
9de3634 Updates TODO
2cf2a3b Drop pear
4048095 Get rid of storedconfigs
2eeb10b Updates TODO
e678885 Fix manifest lookup on deployment
9078cac Updates Vagrantfile with new config folder
0cb845b Updates TODO
b75d0f3 Rename 'hiera' to 'config'
ae7cfbd Updates TODO
28e3e25 Cleanup unused, old and broken submodules
deaf0de Updates TODO
c33d108 Updates TODO
15abd2e Removes post-update hook
8a14f6d Deploy: dependency: augeas-tools
c71aa65 Updates TODO
4c5f117 Development dependencies
73d6006 Deploy: dependencies in a single place
364912a Adds examples
85d41ce Hiera cleanup
e4d5f1b Updates TODO
08bd8b7 Deploy fixes
15c0293 TODO cleanup
51b910e Updates TODO
4580c2e Updates TODO
69d46bf More TODO cleanup
0c91d41 More TODO cleanup
cee91df More TODO cleanup
082c901 Updates TODO cleanup
d088390 Updates TODO
d721391 Updates TODO
6ec4ac1 Updates TODO
ebfed6b About collected resources patch
3529cff Updates TODO
701ed3b Removes post-update hook
4a684e7 Updates TODO
4b85c5e Updates TODO
b50dbb6 Removes icecast module
907ffde Deploy: support for default.pp
dc8de77 Cleanup proxy template

git-subtree-dir: puppet
git-subtree-split: 59b7f114e4db75aa3d134b8d2d8a3a36271f37d7

71 files changed:
.gitignore
.mrconfig
Makefile
README.md
TODO.md
Vagrantfile
bin/dependencies
bin/deploy
bin/mrconfig
bin/post-receive
bin/post-update [deleted file]
bin/provision
config/common.yaml [new file with mode: 0644]
config/hiera.yaml [moved from hiera/hiera.yaml with 73% similarity]
config/node/box.example.org.yaml [new file with mode: 0644]
files/patches/wheezy/collected-resources.md [new file with mode: 0644]
hiera.yaml
hiera/bootstrap.yaml [deleted file]
hiera/common.yaml [deleted file]
hiera/node/puppet-bootstrap.example.org.yaml [deleted file]
keys/ssh/.empty [deleted file]
keys/ssl/.empty [deleted file]
kvmxfile [new file with mode: 0644]
manifests/bootstrap/configurator.pp [deleted file]
manifests/bootstrap/host.pp [deleted file]
manifests/bootstrap/master.pp [deleted file]
manifests/bootstrap/vagrant.pp [deleted file]
manifests/hiera [deleted symlink]
modules/.empty [moved from keys/public/.empty with 100% similarity]
modules/bootstrap [deleted symlink]
modules/site_apache/files/htdocs/images/.empty [deleted file]
modules/site_apache/files/vhosts/.empty [deleted file]
modules/site_apt/files/keys.d/.empty [deleted file]
modules/site_bind/manifests/init.pp [deleted file]
modules/site_keys/files/ssl/.empty [deleted file]
modules/site_mail/files/.empty [deleted file]
modules/site_mail/files/aliases [deleted file]
modules/site_nagios/files/.empty [deleted file]
modules/site_nginx/files/.empty [deleted file]
modules/site_postfix/files/.empty [deleted file]
modules/site_users/manifests/admin.pp [deleted file]
modules/site_users/manifests/backups.pp [deleted file]
modules/site_users/manifests/init.pp [deleted file]
modules/site_users/manifests/virtual.pp [deleted file]
modules/site_websites/manifests/admin.pp [deleted file]
modules/site_websites/manifests/init.pp [deleted file]
puppet.conf [deleted file]
templates/apache/htdocs/images/README.html.erb [deleted file]
templates/apache/htdocs/index.html.erb [deleted file]
templates/apache/htdocs/missing.html.erb [deleted file]
templates/apache/vhosts/cgit.erb [deleted file]
templates/apache/vhosts/git.erb [deleted file]
templates/apache/vhosts/lists.erb [deleted file]
templates/apache/vhosts/mail.erb [deleted file]
templates/apache/vhosts/nagios.erb [deleted file]
templates/apache/vhosts/wiki.erb [deleted file]
templates/etc/aliases.erb [deleted file]
templates/etc/nagios3/htpasswd.users.erb [deleted file]
templates/etc/nginx/domain.erb [deleted file]
templates/postfix/tls_policy.erb [deleted file]
templates/puppet/auth.conf.erb [deleted file]
templates/puppet/fileserver.conf.erb [deleted file]
templates/puppet/master.pp.erb [deleted file]
templates/puppet/nodes.pp.erb [deleted file]
templates/puppet/proxy.pp.erb [deleted file]
templates/puppet/puppet.conf.erb [deleted file]
templates/puppet/server.pp.erb [deleted file]
templates/puppet/storage.pp.erb [deleted file]
templates/puppet/test.pp.erb [deleted file]
templates/puppet/users.pp.erb [deleted file]
templates/puppet/web.pp.erb [deleted file]

index ce9693b59b64b0e6834ff31daa006566c935205b..15a8f56d970c81ddcddac076aab6bfaf32914b2e 100644 (file)
@@ -1,2 +1,3 @@
-modules/*
+keys
+ssl
 .vagrant
index 5c24dc7405fe31ac97daf99e8f9f31c38890b455..06755dd5a6fc804b9d3167018fac9be0df6fb20a 100644 (file)
--- a/.mrconfig
+++ b/.mrconfig
@@ -11,8 +11,8 @@ checkout = git clone git://git.fluxo.info/puppet-apparmor.git apparmor
 [puppet/modules/apt]
 checkout = git clone git://git.fluxo.info/puppet-apt.git apt
 
-[puppet/modules/autofs]
-checkout = git clone git://git.fluxo.info/puppet-autofs.git autofs
+[puppet/modules/augeas]
+checkout = git clone git://git.fluxo.info/puppet-augeas.git augeas
 
 [puppet/modules/autossh]
 checkout = git clone git://git.fluxo.info/puppet-autossh.git autossh
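Review bot: The added `[puppet/modules/augeas]` entry still clones over the unauthenticated `git://` transport, as do the surrounding context entries, while bin/mrconfig in this same commit was switched to emit `https://` URLs. Content fetched over `git://` has neither server authentication nor integrity protection, and these modules are later applied by puppet with root privileges. The checked-in file looks like it was not regenerated after the script change; the new line should read `checkout = git clone https://git.fluxo.info/puppet-augeas.git augeas`, and the remaining entries in the file should be converted the same way.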
@@ -32,9 +32,6 @@ checkout = git clone git://git.fluxo.info/puppet-bind.git bind
 [puppet/modules/bitcoind]
 checkout = git clone git://git.fluxo.info/puppet-bitcoind.git bitcoind
 
-[puppet/modules/common]
-checkout = git clone git://git.fluxo.info/puppet-common.git common
-
 [puppet/modules/concat]
 checkout = git clone git://git.fluxo.info/puppet-concat.git concat
 
@@ -83,9 +80,6 @@ checkout = git clone git://git.fluxo.info/puppet-hotglue.git hotglue
 [puppet/modules/hydra]
 checkout = git clone git://git.fluxo.info/puppet-hydra.git hydra
 
-[puppet/modules/icecast]
-checkout = git clone git://git.fluxo.info/puppet-icecast.git icecast
-
 [puppet/modules/ikiwiki]
 checkout = git clone git://git.fluxo.info/puppet-ikiwiki.git ikiwiki
 
@@ -125,15 +119,9 @@ checkout = git clone git://git.fluxo.info/puppet-mpd.git mpd
 [puppet/modules/mumble]
 checkout = git clone git://git.fluxo.info/puppet-mumble.git mumble
 
-[puppet/modules/munin]
-checkout = git clone git://git.fluxo.info/puppet-munin.git munin
-
 [puppet/modules/mysql]
 checkout = git clone git://git.fluxo.info/puppet-mysql.git mysql
 
-[puppet/modules/nagios]
-checkout = git clone git://git.fluxo.info/puppet-nagios.git nagios
-
 [puppet/modules/nfs]
 checkout = git clone git://git.fluxo.info/puppet-nfs.git nfs
 
@@ -149,9 +137,6 @@ checkout = git clone git://git.fluxo.info/puppet-ntp.git ntp
 [puppet/modules/onion]
 checkout = git clone git://git.fluxo.info/puppet-onion.git onion
 
-[puppet/modules/pear]
-checkout = git clone git://git.fluxo.info/puppet-pear.git pear
-
 [puppet/modules/php]
 checkout = git clone git://git.fluxo.info/puppet-php.git php
 
@@ -197,9 +182,6 @@ checkout = git clone git://git.fluxo.info/puppet-schroot.git schroot
 [puppet/modules/shorewall]
 checkout = git clone git://git.fluxo.info/puppet-shorewall.git shorewall
 
-[puppet/modules/smartmonster]
-checkout = git clone git://git.fluxo.info/puppet-smartmonster.git smartmonster
-
 [puppet/modules/smartmontools]
 checkout = git clone git://git.fluxo.info/puppet-smartmontools.git smartmontools
 
index 97c4a58c998b71fce59887516a6f350e3405526e..d13a8786f265938f97f7a6119c7e2fc2bbb19f88 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -58,10 +58,6 @@ clean:
        rm -rf modules
        git checkout modules
 
-post_update:
-       git config receive.denyCurrentBranch ignore
-       cd .git/hooks && ln -sf ../../bin/post-update
-
 post_receive:
        git config receive.denyCurrentBranch ignore
        cd .git/hooks && ln -sf ../../bin/post-receive
index bb5375d38728eb8d52035e8406ea465e731cc966..29687e70693831bd4f29bed2a5e78d43995ec261 100644 (file)
--- a/README.md
+++ b/README.md
@@ -36,3 +36,9 @@ You might use `make subtrees` instead of `make submodules`. Also, if you already
 all the modules in a different subtree, use
 
     make symlinks MODULES=/path/to/puppet/modules
+
+Recommended puppet modules
+--------------------------
+
+This repository plays well with other puppet modules hosted at https://git.fluxo.info, some of them
+based on https://gitlab.com/shared-puppet-modules-group.
diff --git a/TODO.md b/TODO.md
index 429bd4d42b04fdb9ff9393c70c5ebafa48fec245..8ab655d36fa3eef112b989755ec94ea48510f2d9 100644 (file)
--- a/TODO.md
+++ b/TODO.md
@@ -1,141 +1,4 @@
 TODO
 ====
 
-High priority
--------------
-
-- puppet: masterless:
-  - keyringer/gpg integration.
-    - https://github.com/compete/hiera_yamlgpg
-    - https://github.com/crayfishx/hiera-gpg
-    - https://github.com/sihil/hiera-eyaml-gpg
-    - https://github.com/StackExchange/blackbox
-    - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet
-    - https://docs.puppetlabs.com/hiera/1/custom_backends.html
-    - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
-    - https://packages.debian.org/jessie/hiera-eyaml
-  - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
-    - add a monkeysphere auth subkey to every openpgp key used for backups.
-    - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
-  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
-  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
-  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
-  - https://github.com/jordansissel/puppet-examples/tree/master/masterless
-- sshd:
-  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
-  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60
-  - enable ecdsa key.
-  - ecdsa priority: alternatives:
-    - unsupport ecdsa in the server.
-    - export ecdsa pubkeys.
-    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`.
-    - force option via rsync/rdiff handlers.
-- virtual: migrate to kvm/libvirt.
-- loginrecords: deploy module.
-- deploy https://github.com/wido/puppet-module-tcpwrappers
-- nodo:
-  - run stages.
-  - allow more resources to be declared via hiera.
-  - fix hiera default boolean value when true.
-  - easy way to toggle management of subsystems.
-
-Medium priority
----------------
-
-- apt: raspbian support, including unnatended-upgrades.
-- backup:
-  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
-  - sync-backups support for rsyncing from kvms / snapshots.
-- nodo:
-  - cleanup and refactor.
-  - uniform variable names.
-  - use prompt.sh from bash-prompt as a submodule.
-- common: autoload.
-- general:
-  - rollback of commits about charset.
-  - switch to conf.d:
-    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
-    - apache2.
-    - sudoers.
-- backup: `sync-media-iterate [volume]`.
-- mail:
-  - use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
-    - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)
-
-Low priority
-------------
-
-- merge, review, pull requests for all modules.
-- bind: nsupdate / dynamic dns:
-  - http://linux.yyz.us/nsupdate/
-  - http://linux.yyz.us/dns/ddns-server.html
-  - http://caunter.ca/nsupdate.txt
-  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
-  - https://github.com/skx/dhcp.io/
-- munin: lvm monitoring.
-- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
-  - http://wiki.rtorrent.org/MagnetUri
-  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
-  - https://github.com/danfolkes/Magnet2Torrent
-  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
-  - https://trac.transmissionbt.com/ticket/4176
-  - http://wiki.rtorrent.org/MagnetUri
-  - https://github.com/rakshasa/rtorrent/issues/212
-  - saving/restoring `.meta` and `~/rtorrent/.session` files.
-- support for http/https proxy inside web nodes:
-  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
-  - make all apache sites listen to 8080.
-- git:
-  - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
-  - gitweb clean urls.
-  - email notifications.
-    - https://packages.debian.org/jessie/git-notifier
-    - https://github.com/mhagger/git-multimail
-    - using OpenPGP?
-- syslog-ng: use conf.d.
-- etherpad: `You need to set a sessionKey value in settings.json`.
-- knock integration via https://github.com/juasiepo/knockd
-- apache:
-  - try libapache2-modsecurity.
-  - deploy https://git.immerda.ch/csp-report/
-  - disable other_vhosts_access.log.
-- onion:
-  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
-  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
-- nagios: snmp, nrpe, nsca
-  - http://nagios.sourceforge.net/docs/3_0/addons.html
-  - http://www.math.wisc.edu/~jheim/snmp/
-- ssh access restrictions:
-  - denyhosts, but we don't want to log IPs.
-  - using shorewall: http://www.debian-administration.org/articles/250#comment_16
-    - alowed users / groups.
-- websites: freewvs.
-- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
-- mail:
-  - review dovecot recipient delimiter handling: to which mailbox messages should be sent?
-  - mlmmj:
-    - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
-    - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
-- drupal/wordpress:
-  - cronjob/cli: switch to site user.
-  - drupal_update: Do you really want to continue with the update process? (y/n):
-    Do you really want to continue with the update process? (y/n): Aborting. [cancel],
-    possibly related to https://www.drupal.org/node/443392
-- php / wordpress / wp-cli: composer installation and dependencies:
-  - http://getcomposer.org/doc/00-intro.md#installation-nix
-  - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
-  - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
-- nodo: support for prosody:
-  - https://github.com/dgoulet/prosody-otr
-  - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
-  - config with good score at https://xmpp.net/index.php
-- mail:
-  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
-  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails.
-    sent as `root@localhost`.
-  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
-           https://github.com/EFForg/starttls-everywhere
-  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
-           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
-           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
-  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
+* Nothing here? :P
index 3ee05e68869306e69356cecfa023266ad09be809..b5cd7f69f077ddbad045a5934e0a82cd679dd376 100644 (file)
@@ -6,7 +6,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.box = "jessie"
 
   # Hostname
-  config.vm.hostname = "puppet-bootstrap.example.org"
+  config.vm.hostname = "box.example.org"
 
   # Shell provisioner to setup basic environment.
   config.vm.provision :shell, :inline => "/vagrant/puppet/bin/provision"
@@ -22,7 +22,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   end
 
   # Share hiera configuration.
-  config.vm.synced_folder "puppet/hiera", "/etc/puppet/hiera"
+  config.vm.synced_folder "puppet/config", "/etc/puppet/config"
 
   # Forwarded ports
   #config.vm.network "forwarded_port", guest: 80, host: 8081
index 507145ba4004518bf86aafc279138dc0a67b9f32..43307300cc5173bfebb9ad1c6ebcca0309440f94 100755 (executable)
@@ -3,6 +3,26 @@
 # Puppet bootstrap dependencies.
 #
 
+# Parameters
+BASENAME="`basename $0`"
+DEPLOY_DEPENDENCIES="rsync puppet-common hiera-eyaml"
+DEVELOP_DEPENDENCIES="git mr whois hiera-eyaml"
+
+# Additional wheezy dependencies if not using puppet-common from wheezy-backports
+#if [ "`head -c 1 /etc/debian_version`" == '7' ]; then
+#  DEPLOY_DEPENDENCIES="$DEPLOY_DEPENDENCIES ruby-hiera-puppet"
+#fi
+
+# Set sudo config
+if [ "`whoami`" != 'root' ]; then
+  SUDO="sudo"
+
+  if ! sudo -n true; then
+    echo "Please set passwordless sudo."
+    exit 1
+  fi
+fi
+
 # Install a package, thanks to the Hydra Suite.
 function provision_package {
   if [ -z "$1" ]; then
@@ -17,12 +37,9 @@ function provision_package {
   fi
 }
 
-# Set sudo config
-if [ "`whoami`" != 'root' ]; then
-  SUDO="sudo"
-fi
-
 # Ensure basic packages are installed.
-for package in puppet git mr whois; do
-  provision_package $package
-done
+if [ "$BASENAME" == "dependencies" ]; then
+  for package in $DEVELOP_DEPENDENCIES; do
+    provision_package $package
+  done
+fi
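Review bot: The `$BASENAME` guard around the install loop has no comment explaining why it is there, and its effect depends on how the file is reached. bin/provision pulls this file in with `source`, where `$0` is the caller's name, so the loop is skipped; running the script through a symlink or wrapper with a different name would skip it silently as well. A comment such as `# Only install DEVELOP_DEPENDENCIES when run directly; when sourced (bin/provision) $0 is the caller` would make the intent explicit. The call is also safer quoted, `provision_package "$package"`.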
index 5d3361b3513f4c36dbeeb51a0a6b4d2f70a2105d..22065dce5c2ab31d75af7d9aaa1144b819ca7361 100755 (executable)
@@ -6,7 +6,6 @@
 # Parameters
 DIRNAME="`dirname $0`"
 BASEDIR="$DIRNAME/.."
-DEPLOY_DEPENDENCIES="puppet ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders"
 
 # Determine hostname
 if [ ! -z "$1" ]; then
@@ -15,10 +14,15 @@ else
   FQDN="`cat /etc/hostname`"
 fi
 
-# Check for manifest
-PUPPET_MANIFEST="$BASEDIR/puppet/manifests/nodes/$FQDN.pp"
+# Set manifest
+PUPPET_MANIFEST="$BASEDIR/manifests/nodes/$FQDN.pp"
 if [ ! -e "$PUPPET_MANIFEST" ]; then
-  echo "file not found: $PUPPET_MANIFEST"
+  PUPPET_MANIFEST="$BASEDIR/manifests/nodes/default.pp"
+fi
+
+# Check manifest
+if [ ! -e "$PUPPET_MANIFEST" ]; then
+  echo "No manifest found for $FQDN"
   exit 1
 fi
 
@@ -54,5 +58,5 @@ if [ -d "$BASEDIR/puppet/files/patches/$DIST" ]; then
 fi
 
 # Run puppet apply
-PUPPET_OPTS="--confdir=$BASEDIR/puppet --modulepath=$BASEDIR/puppet/modules"
+PUPPET_OPTS="--confdir=$BASEDIR --modulepath=$BASEDIR/modules"
 LC_ALL=C $SUDO puppet apply $PUPPET_OPTS $PUPPET_MANIFEST
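Review bot: The patches check shown in this hunk's header still tests `$BASEDIR/puppet/files/patches/$DIST`, while the manifest, `--confdir` and `--modulepath` paths in this commit all dropped the `puppet/` component. If that line is unchanged in the new file, as the header suggests, the distribution patches would silently stop being applied after the move. It probably needs to become `if [ -d "$BASEDIR/files/patches/$DIST" ]; then`, along with any path used in its body, which is outside the hunk. Separately, `$PUPPET_OPTS` and `$PUPPET_MANIFEST` are expanded unquoted on the `puppet apply` line, so a checkout path containing spaces would split into several arguments.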
index dc753acc83a902c199c5d7292d458fd68de5330f..48815c161bc475e4ca4090da03e4b71289a7699e 100755 (executable)
@@ -5,7 +5,7 @@
 
 # Parameters
 GIT="git.fluxo.info"
-URL="https://$GIT/?a=project_index"
+URL="https://$GIT/projects.list"
 CWD="`pwd`"
 WORK="`dirname $0`/.."
 
@@ -15,13 +15,12 @@ rm -f .mrconfig
 touch .mrconfig
 
 # Fetch repository list and updtate mrconfig
-curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | while read module; do
+curl --stderr - $URL | grep "^puppet-" | cut -d ' ' -f 1 | sed -e 's/\.git$//' | while read module; do
   folder="`echo $module | sed -e 's/^puppet-//'`"
-  folder="`basename $folder .git`"
 
   if [ "$folder" != "bootstrap" ]; then
     echo "Processing $folder..."
-    mr config puppet/modules/$folder checkout="git clone git://$GIT/$module $folder"
+    mr config puppet/modules/$folder checkout="git clone https://$GIT/$module $folder"
   fi
 done
 
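Review bot: The module names read from `projects.list` are only checked for the `puppet-` prefix before being written into a `checkout=` command that `mr` will later run, so any other characters on a listed line end up inside that command. Restricting the names before the loop, for example with `grep -E '^puppet-[A-Za-z0-9._-]+$'` after the `sed`, keeps the generated .mrconfig limited to plain repository names. `curl --stderr - $URL` also merges curl's error output into the stream being parsed and does not fail on an HTTP error; `curl --fail --silent --show-error "$URL"` would keep diagnostics out of the pipeline.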
index 996189df186c799b213d47979a6945ddcc6dbd9f..e6baa0792e122d762d329d690c64a20fa1682d69 100755 (executable)
@@ -3,5 +3,15 @@
 cd ..
 unset GIT_DIR
 
-git checkout -f
+if [ -d ".git/annex" ]; then
+  git annex sync
+else
+  #git reset HEAD
+  git checkout -f
+fi
+
+git submodule sync --recursive
 git submodule update --init --recursive
+
+cd -
+exec git update-server-info
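Review bot: None of the steps in the new hook check for failure, so a failed `git annex sync` or `git checkout -f` is followed by the submodule commands anyway, and the hook's exit status is whatever `git update-server-info` returns. Since `git submodule sync --recursive` now rewrites the submodule URLs from the pushed `.gitmodules` before the update fetches them, it is worth stopping at the first error, e.g. `git checkout -f || exit 1` and `git submodule sync --recursive || exit 1`. The leftover `#git reset HEAD` line should either be removed or given a comment saying why it is disabled.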
diff --git a/bin/post-update b/bin/post-update
deleted file mode 100755 (executable)
index 48a6a16..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-cd ..
-unset GIT_DIR
-
-if [ -d ".git/annex" ]; then
-  git annex sync
-else
-  git reset HEAD
-  git checkout -f
-fi
-
-git submodule update --init --recursive
-
-cd -
-exec git update-server-info
index 16f102f1e1ea8e7a0ea11815dbedfc41b24c2c23..99cb862662f7fe376b8c35661ab1a0f7856b818a 100755 (executable)
@@ -13,23 +13,18 @@ source $DIRNAME/dependencies
 $SUDO apt-get update && DEBIAN_FRONTEND=noninteractive $SUDO apt-get dist-upgrade -y && $SUDO apt-get autoremove -y && $SUDO apt-get clean
 
 # Ensure additional dependencies are installed.
-for package in usbutils; do
-  provision_package $package
-done
-
-# Storeconfigs support
-for package in ruby-sqlite3 ruby-activerecord ruby-activerecord-deprecated-finders; do
+for package in $DEPLOY_DEPENDENCIES; do
   provision_package $package
 done
 
 # Link hiera configuration if needed.
 if [ ! -h "/etc/puppet/hiera.yaml" ]; then
   $SUDO rm -f /etc/puppet/hiera.yaml
-  $SUDO ln -s $DIRNAME/../hiera/hiera.yaml /etc/puppet/hiera.yaml
+  $SUDO ln -s $DIRNAME/../config/hiera.yaml /etc/puppet/hiera.yaml
 fi
 
 # Link puppet configuration if needed.
-if [ ! -h "/etc/puppet/puppet.conf" ]; then
+if [ ! -h "/etc/puppet/puppet.conf" ] && [ -e "$DIRNAME/../puppet.conf" ]; then
   $SUDO rm -f /etc/puppet/puppet.conf
   $SUDO ln -s $DIRNAME/../puppet.conf /etc/puppet/puppet.conf
 fi
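Review bot: The symlink targets are built from `$DIRNAME` unquoted and without being made absolute, in `ln -s $DIRNAME/../config/hiera.yaml /etc/puppet/hiera.yaml` and in the puppet.conf link below it. `DIRNAME` is set outside this hunk; if it comes from `dirname $0` and the script is started with a relative path, the link created in /etc/puppet would carry a relative target and dangle. Quoting the expansions and resolving the directory first, for example `DIRNAME="$(cd "$(dirname "$0")" && pwd)"`, avoids that.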
diff --git a/config/common.yaml b/config/common.yaml
new file mode 100644 (file)
index 0000000..29fb400
--- /dev/null
@@ -0,0 +1,65 @@
+---
+#
+# General
+#
+nodo::subsystem::apt::include_src      : false
+nodo::subsystem::apt::use_next_release : false
+nodo::subsystem::monitor::use_nagios   : false
+nodo::subsystem::monitor::address      : "%{::fqdn}"
+
+#
+# Firewall
+#
+firewall::ssl_ratelimit       : "s:ssl:200/min:20"
+firewall::local_net           : false
+firewall::local::manage_host  : true
+firewall::local::manage_iface : false
+
+#
+# Mail
+#
+mail::sympa::subdomain : "listas"
+mail::sympa::lang      : "pt_BR"
+
+#
+# Monitoring
+#
+nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*'
+
+#
+# Timezone and ntp
+#
+ntp::zone     : "Brazil/East"
+ntp::pool     : "south-america.pool.ntp.org"
+ntp::servers  :
+  - 'a.ntp.br'
+  - 'b.ntp.br'
+  - 'c.ntp.br'
+
+#
+# Nameservers
+#
+# OpenDNS
+nodo::subsystem::resolver::nameservers:
+  - '208.67.222.222'
+  - '208.67.220.220'
+
+#
+# OpenSSH
+#
+sshd::use_storedconfigs       : false
+sshd::manage_nagios           : false
+sshd::listen_address          : [ "%{::ipaddress}", '127.0.0.1' ]
+sshd::password_authentication : 'yes'
+sshd::shared_ip               : 'yes'
+sshd::tcp_forwarding          : 'yes'
+sshd::x11_forwarding          : 'no'
+sshd::hardened                : 'yes'
+sshd::print_motd              : 'no'
+sshd::ports                   : [ 22 ]
+sshd::use_pam                 : 'no'
+
+#
+# Backup
+#
+backupninja::keystore: ''
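Review bot: `sshd::password_authentication : 'yes'` is set here in common.yaml, the last entry of the hierarchy, so every node without its own override accepts password logins, together with `sshd::tcp_forwarding : 'yes'` and `sshd::use_pam : 'no'`. For shared defaults the safer baseline is `sshd::password_authentication : 'no'` with key-based access, leaving password login to be enabled per node where it is really needed. If 'yes' is deliberate, a comment above the OpenSSH block saying why would help, since `sshd::hardened : 'yes'` next to it suggests a stricter intent.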
similarity index 73%
rename from hiera/hiera.yaml
rename to config/hiera.yaml
index a8ae7921740bbbe3a899f64f813be8ffe90adbd8..c39c8e7fbf8e9acbd895433b25eb0bddd6a9c7a1 100644 (file)
@@ -1,5 +1,6 @@
 ---
 :backends:
+  - eyaml
   - yaml
 :yaml:
   # Right now vagrant and puppet are not fully supporting
@@ -8,7 +9,14 @@
   # reconsidered in the future.
   #
   # See http://docs.vagrantup.com/v2/provisioning/puppet_apply.html
-  :datadir: '%{settings::confdir}/hiera'
+  :datadir: '%{settings::confdir}/config'
+:eyaml:
+  :datadir: '%{settings::confdir}/config'
+  :extension: 'yaml'
+
+  # If using the pkcs7 encryptor (default)
+  :pkcs7_private_key: '%{settings::confdir}/keys/private_key.pkcs7.pem'
+  :pkcs7_public_key:  '%{settings::confdir}/keys/public_key.pkcs7.pem'
 :hierarchy:
   #
   # Put in the secrets folder all sensitive information that
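Review bot: The new `:eyaml:` block points `:pkcs7_private_key:` at `%{settings::confdir}/keys/private_key.pkcs7.pem` but says nothing about how that file is protected or how it reaches a node. The same commit git-ignores `keys` and excludes it in `provision_rsync_opts` in kvmxfile, so the key has to be installed out of band, and without it lookups of encrypted values will presumably fail. A comment such as `# keys/ is not versioned or synced: install the private key separately, readable only by root (0400)` above the two key paths would document that.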
@@ -29,5 +37,5 @@
   - 'virtual/%{::virtual}'
   - 'location/%{::nodo::location}'
   - 'domain/%{::domain}'
-  - bootstrap
+  - compiled
   - common
diff --git a/config/node/box.example.org.yaml b/config/node/box.example.org.yaml
new file mode 100644 (file)
index 0000000..304d915
--- /dev/null
@@ -0,0 +1,47 @@
+---
+#
+# Nodo
+#
+nodo::role 'vagrant'
+
+#
+# Classes
+#
+classes:
+  - 'database'
+  - 'apache'
+
+#
+# MySQL
+#
+# The following password is public information and therefore
+# shall not be user on production.
+mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
+
+#
+# Backup
+#
+nodo::subsystem::backup::localhost  : false
+nodo::subsystem::backup::encryptkey : 'none'
+nodo::subsystem::backup::password   : 'hacked'
+
+#
+# Apache
+#
+apache::default_folder : '/vagrant'
+apache::default_user   : 'vagrant'
+apache::default_group  : 'vagrant'
+
+# Manage your app
+apache::sites:
+  myapp:
+    docroot      : "/vagrant/"
+    server_alias : 'myapp vagrant localhost'
+    use          : [ "Site myapp" ]
+    tag          : 'all'
+    owner        : vagrant
+    group        : vagrant
+    mpm_user     : vagrant
+    mpm_group    : vagrant
+    password     : '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD'
+    shell        : '/bin/bash'
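Review bot: `nodo::role 'vagrant'` is missing the colon after the key, so the document is not a valid mapping and hiera will most likely fail to load this node file; it should be `nodo::role: 'vagrant'`. The "public information" warning above `mysql::server::rootpw` should also cover `nodo::subsystem::backup::password` and the crypt hash under `apache::sites`, which are published here as well. A comment such as `# Example credentials, public: replace before any non-local use` at the top of the file would do.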
diff --git a/files/patches/wheezy/collected-resources.md b/files/patches/wheezy/collected-resources.md
new file mode 100644 (file)
index 0000000..b2ce77d
--- /dev/null
@@ -0,0 +1,3 @@
+# Collected resources patch
+
+* [Bug #10963: Collected resources with a puppet master fail on Ruby 1.9.x - Puppet - Puppet Labs](https://projects.puppetlabs.com/issues/10963).
index 52305658911c13f175fab8af337b1b34136a039e..31df7189845a49b90ecdec2b39c545c3377e123b 120000 (symlink)
@@ -1 +1 @@
-hiera/hiera.yaml
\ No newline at end of file
+config/hiera.yaml
\ No newline at end of file
diff --git a/hiera/bootstrap.yaml b/hiera/bootstrap.yaml
deleted file mode 100644 (file)
index ce72bfb..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
----
-#
-# Puppet Bootstrap Configuration Parameters.
-#
-# This file is responsible to set custom values to your new puppet repository
-# to reflect the custom configuration for your infrastructure.
-#
-# This configuration is useful mostly after you cloned the puppet-boostrap module
-# and want to configure it to boostrap a whole puppetmaster infrastructure.
-#
-
-# The base domain for your infrastructure.
-bootstrap::base_domain: 'vagrantup.com'
-
-#
-# Root password.
-#
-# Use "mkpasswd -m sha-512" to generate root and first user's passwords.
-bootstrap::root::password: ''
-
-#
-# First user account
-#
-# Do not include "ssh-rsa " into the sshkey definition.
-bootstrap::first_user:           ''
-bootstrap::first_user::password: ''
-bootstrap::first_user::sshkey:   ''
-bootstrap::first_user::email:    ''
-
-#
-# First nodes
-#
-
-# Hostname of the first server
-bootstrap:first_hostname: ''
-
-# Create manifests and config for the first nodes?
-bootstrap::first_nodes:   false
-
-# MySQL password
-mysql::server::rootpw: ''
-
-# Puppet master db password
-nodo::role::master::db_password: ''
diff --git a/hiera/common.yaml b/hiera/common.yaml
deleted file mode 100644 (file)
index 8a04a26..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
----
-#
-# General
-#
-nodo::subsystem::apt::include_src: false
-nodo::subsystem::apt::use_next_release: false
-nodo::subsystem::monitor::use_nagios: false
-nodo::subsystem::monitor::address: "%{::fqdn}"
-
-#
-# Firewall
-#
-firewall::ssl_ratelimit: "s:ssl:200/min:20"
-firewall::local_net: false
-firewall::local::manage_host: true
-firewall::local::manage_iface: false
-
-#
-# Mail
-#
-mail::sympa::subdomain: "listas"
-mail::sympa::lang: "pt_BR"
-
-#
-# Monitoring
-#
-nodo::munin_node::allow: '127.0.0.1:192.168.0.[0-9]*:192.168.1.[0-9]*'
-
-#
-# Wordpress
-#
-wordpress::locale: 'pt_BR'
-
-#
-# Timezone and ntp
-#
-ntp::zone: "Brazil/East"
-ntp::pool: "south-america.pool.ntp.org"
-ntp::servers:
-  - 'a.ntp.br'
-  - 'b.ntp.br'
-  - 'c.ntp.br'
-
-#
-# Nameservers
-#
-# OpenDNS
-nodo::subsystem::resolver::nameservers:
-  - '208.67.222.222'
-  - '208.67.220.220'
-
-#
-# Puppet config
-#
-nodo::base::puppet_mode: 'apply'
diff --git a/hiera/node/puppet-bootstrap.example.org.yaml b/hiera/node/puppet-bootstrap.example.org.yaml
deleted file mode 100644 (file)
index c108e7d..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
----
-#
-# MySQL
-#
-# The following password is public information and therefore
-# shall not be user on production.
-mysql::server::rootpw: '9pRfteNbSFFyrHhackme'
-
-#
-# Backup
-#
-nodo::subsystem::backup::localhost: false
-nodo::subsystem::backup::encryptkey: 'none'
-nodo::subsystem::backup::password: 'hacked'
diff --git a/keys/ssh/.empty b/keys/ssh/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/keys/ssl/.empty b/keys/ssl/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/kvmxfile b/kvmxfile
new file mode 100644 (file)
index 0000000..1f494bd
--- /dev/null
+++ b/kvmxfile
@@ -0,0 +1,89 @@
+#
+# Sample kvmx file - https://kvmx.fluxo.info
+#
+
+# Which base box you should use. Leave unconfigured to use kvmx-create instead.
+#basebox="stretch"
+
+# First user name
+user="vagrant"
+
+# First user password
+password="vagrant"
+
+# Set this is you want to be able to share folders between host and guest.
+shared_folder="."
+shared_folder_mountpoint="/vagrant"
+
+# Folder to sync during provisioning in the format "/host/folder /guest/folder".
+provision_rsync="puppet /etc/puppet"
+
+# Options for provision_rsync
+provision_rsync_opts="--exclude=.git --exclude=keys --exclude=config/secrets"
+
+# Absolute path for a provision script located inside the guest.
+provision_command="/etc/puppet/bin/provision && /etc/puppet/bin/deploy"
+
+# Graphics
+# See https://wiki.archlinux.org/index.php/QEMU#Graphics
+#graphics="-vga std -nographic -vnc :$GUEST_DISPLAY"
+graphics="-vga qxl"
+
+# VNC Client
+#vnc_client="xtightvncviewer"
+#vnc_client="xvnc4viewer"
+#vnc_client="xvncviewer"
+vnc_client="virt-viewer"
+
+# Set this if you want to automatically attach an spice client when the machine
+# boots.
+run_spice_client="0"
+
+# Set additional hostfwd mappings
+#port_mapping="hostfwd=tcp:127.0.0.1:8080-:80,hostfwd=tcp:127.0.0.1:8443-:443"
+
+# Where the guest image is stored
+#image="$HOME/.local/share/kvmx/$VM/box.img"
+
+# Image size
+size="10G"
+
+# Image format: raw or qcow2
+format="qcow2"
+
+# Bootstrap method: custom or vmdeboostrap
+method="custom"
+
+# Hostname
+hostname="puppet"
+
+# Domain
+domain="example.org"
+
+# System arch
+arch="amd64"
+
+# Box distribution when bootstraping a new image
+version="stretch"                          
+
+# Debian mirror
+mirror="http://http.debian.net/debian/"  
+
+# Enables remote administration using SSH. With this configuration enabled,
+# kvmx will be able to administer a running virtual machine using SSH access
+# inside the virtual machine.
+ssh_support="y"
+
+# Use a custom, per-virtual-machine generated SSH keypair. If you disable this
+# configuration but still want guest administration using SSH, the default
+# insecure keypair will be used.
+#
+# Please note that this setting won't take effect if you're using a basebox.
+# In that case the basebox keypair will be used if it exists, otherwise kvmx
+# fallsback to the default insecure keypair.
+#
+# This setting is used during virtual machine bootstrapping by kvmx-create.
+ssh_custom="y"
+
+# Bootloader (used only during bootstrapping by kvmx-create).
+bootloader="grub"
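Review bot: The sample ships `user="vagrant"` with `password="vagrant"` and `ssh_support="y"`, and config/common.yaml in this commit turns on sshd password authentication, so a guest built from this file accepts a well-known login once provisioned. The comment above `password=` should say so, e.g. `# First user password (public default: change it unless the guest is a throwaway local VM)`. The trailing whitespace after the `version=` and `mirror=` values can also be dropped.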
diff --git a/manifests/bootstrap/configurator.pp b/manifests/bootstrap/configurator.pp
deleted file mode 100644 (file)
index edcbe92..0000000
+++ /dev/null
@@ -1,208 +0,0 @@
-#
-# Puppet Bootstrap Configuration Manifest.
-#
-# This file is responsible to set custom configuration in the bootstrap
-# repository for values set in the hiera configuration.
-#
-# This manifest is useful mostly after you cloned the puppet-boostrap module
-# and want to configure it to boostrap a whole puppetmaster infrastructure.
-#
-
-#
-# Basic variables
-#
-$templates              = "$bootstrap_path/templates"
-$base_domain            = hiera('bootstrap::base_domain',                 "${::domain}")
-$first_hostname         = hiera('bootstrap::first_hostname',              "${::hostname}")
-$first_nodes            = hiera('bootstrap::first_nodes',                 'absent')
-$db_password            = hiera('nodo::role::master::db_password',        '')
-$mysql_rootpw           = hiera('mysql::server::rootpw',                  '')
-$root_password          = hiera('bootstrap::root::password',              '')
-$first_user             = hiera('bootstrap::first_user',                  'user')
-$first_user_password    = hiera('bootstrap::first_user::password',        '')
-$first_user_sshkey      = hiera('bootstrap::first_user::sshkey',          '')
-$first_user_email       = hiera('bootstrap::first_user::email',           'user@example.org')
-$resolvconf_nameservers = hiera('nodo::subsystem::resolver::nameservers', '201.6.2.152:201.6.2.32')
-$global_munin_allow     = hiera('nodo::munin_node::allow',                '192.168.0.[0-9]*')
-
-#
-# Check bootstrap configuration
-#
-
-if ($mysql_rootpw == '') {
-  alert('You must set mysql::server::rootpw at your configuration')
-  fail()
-}
-
-if ($db_password == '') {
-  alert('You must set nodo::role::master::db_password at your configuration')
-  fail()
-}
-
-if ($root_password == '') {
-  alert('You must set bootstrap::root::password at your configuration')
-  fail()
-}
-
-if ($first_user_password == '') {
-  alert('You must set bootstrap::first_user::password at your configuration')
-  fail()
-}
-
-#
-# Puppet configuration
-#
-file { "$bootstrap_path/puppet.conf":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/puppet/puppet.conf.erb"),
-}
-
-# Fileserver configuration
-file { "$bootstrap_path/fileserver.conf":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/puppet/fileserver.conf.erb"),
-}
-
-file { "$bootstrap_path/auth.conf":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/puppet/auth.conf.erb"),
-}
-
-#
-# Basic users
-#
-file { "$bootstrap_path/modules/site_users/manifests/init.pp":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/puppet/users.pp.erb"),
-}
-
-#
-# Site files
-#
-
-file { "$bootstrap_path/modules/site_apache/files/htdocs/images/README.html":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/htdocs/images/README.html.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/htdocs/index.html":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/htdocs/index.html.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/htdocs/missing.html":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/htdocs/missing.html.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/vhosts/git":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/vhosts/git.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/vhosts/lists":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/vhosts/lists.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/vhosts/mail":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/vhosts/mail.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/vhosts/nagios":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/vhosts/nagios.erb"),
-}
-
-file { "$bootstrap_path/modules/site_apache/files/vhosts/wiki":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/apache/vhosts/wiki.erb"),
-}
-
-file { "$bootstrap_path/modules/site_mail/files/aliases":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/etc/aliases.erb"),
-}
-
-file { "$bootstrap_path/modules/site_nagios/files/htpasswd.users":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/etc/nagios3/htpasswd.users.erb"),
-}
-
-file { "$bootstrap_path/modules/site_nginx/files/$domain":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/etc/nginx/domain.erb"),
-}
-
-file { "$bootstrap_path/modules/site_postfix/files/tls_policy":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/postfix/tls_policy.erb"),
-}
-
-#
-# Basic nodes
-#
-file { "$bootstrap_path/manifests/nodes.pp":
-  ensure  => present,
-  mode    => 0644,
-  content => template("$templates/puppet/nodes.pp.erb"),
-}
-
-# First host
-file { "$bootstrap_path/manifests/nodes/$first_hostname.pp":
-  ensure  => $first_nodes,
-  mode    => 0644,
-  content => template("$templates/puppet/server.pp.erb"),
-}
-
-# Master node
-file { "$bootstrap_path/manifests/nodes/$first_hostname-master.pp":
-  ensure  => $first_nodes,
-  mode    => 0644,
-  content => template("$templates/puppet/master.pp.erb"),
-}
-
-# Proxy node
-file { "$bootstrap_path/manifests/nodes/$first_hostname-proxy.pp":
-  ensure  => $first_nodes,
-  mode    => 0644,
-  content => template("$templates/puppet/proxy.pp.erb"),
-}
-
-# Web node
-file { "$bootstrap_path/manifests/nodes/$first_hostname-web.pp":
-  ensure  => $first_nodes,
-  mode    => 0644,
-  content => template("$templates/puppet/web.pp.erb"),
-}
-
-# Storage node
-file { "$bootstrap_path/manifests/nodes/$first_hostname-storage.pp":
-  ensure  => $first_nodes,
-  mode    => 0644,
-  content => template("$templates/puppet/storage.pp.erb"),
-}
-
-# Test node
-file { "$bootstrap_path/manifests/nodes/$first_hostname-test.pp":
-  ensure  => $first_nodes,
-  mode    => 0644,
-  content => template("$templates/puppet/test.pp.erb"),
-}
diff --git a/manifests/bootstrap/host.pp b/manifests/bootstrap/host.pp
deleted file mode 100644 (file)
index 5f9c23a..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# This manifest is intended to configure the initial
-# machine wich will host the first puppetmaster
-# virtual machine.
-#
-
-# The server role
-class { 'nodo:
-  role => 'server',
-}
-
-# Creates vserver for administrative node
-nodo::vserver::instance { "$hostname-master":
-  context      => '2',
-  puppetmaster => true,
-}
-
-# Create a host entry for this puppet node
-host { "puppet":
-  ensure       => present,
-  ip           => "192.168.0.2",
-  host_aliases => [ "puppet.$domain", "admin" ],
-}
diff --git a/manifests/bootstrap/master.pp b/manifests/bootstrap/master.pp
deleted file mode 100644 (file)
index 5934d3e..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# This manifest is intended to configure the initial
-# puppetmaster node.
-#
-# Once it's running it can setup all the other nodes.
-#
-
-# Include the master node configuration
-class { 'nodo':
-  role => 'master',
-}
diff --git a/manifests/bootstrap/vagrant.pp b/manifests/bootstrap/vagrant.pp
deleted file mode 100644 (file)
index 47305dc..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# This manifest is intended to configure a vagrant
-# virtual machine.
-#
-
-#
-# Class definitions
-#
-
-# Vagrant classes
-class { 'nodo':
-  role => 'vagrant',
-}
-
-#
-# LAMP example
-#
-#include database
-#
-#class { 'apache':
-#  default_folder => '/vagrant',
-#  default_user   => 'vagrant',
-#  default_group  => 'vagrant',
-#}
-#
-# If you want to manage another website
-#apache::site { "myapp":
-#  docroot        => "/vagrant/",
-#  server_alias   => 'myapp vagrant localhost',
-#  use            => [ "Site myapp" ],
-#  tag            => 'all',
-#  owner          => vagrant,
-#  group          => vagrant,
-#  mpm_user       => vagrant,
-#  mpm_group      => vagrant,
-#  password       => '$5$NZfZqcdyZ3Xt$.kfZejriEJP3fc6RU0gBGEzMPQ/c3XiowVImB6VDrtD',
-#  shell          => '/bin/bash',
-#}
diff --git a/manifests/hiera b/manifests/hiera
deleted file mode 120000 (symlink)
index ba8aae1..0000000
+++ /dev/null
@@ -1 +0,0 @@
-../hiera
\ No newline at end of file
similarity index 100%
rename from keys/public/.empty
rename to modules/.empty
diff --git a/modules/bootstrap b/modules/bootstrap
deleted file mode 120000 (symlink)
index a96aa0e..0000000
+++ /dev/null
@@ -1 +0,0 @@
-..
\ No newline at end of file
diff --git a/modules/site_apache/files/htdocs/images/.empty b/modules/site_apache/files/htdocs/images/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_apache/files/vhosts/.empty b/modules/site_apache/files/vhosts/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_apt/files/keys.d/.empty b/modules/site_apt/files/keys.d/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_bind/manifests/init.pp b/modules/site_bind/manifests/init.pp
deleted file mode 100644 (file)
index 7ee08d2..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-class site_bind {
-  #
-  # See http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
-  #     http://www.debian-administration.org/articles/355
-
-  # This is needed so we can comment out the inclusion of
-  # /etc/bind/named.conf.default-zones
-  #file { '/etc/bind/named.conf':
-  #  ensure => present,
-  #  owner  => root,
-  #  group  => root,
-  #  mode   => 0644,
-  #  source => 'puppet:///modules/site_bind/named.conf',
-  #  notify => Service['bind9'],
-  #}
-}
diff --git a/modules/site_keys/files/ssl/.empty b/modules/site_keys/files/ssl/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_mail/files/.empty b/modules/site_mail/files/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_mail/files/aliases b/modules/site_mail/files/aliases
deleted file mode 100644 (file)
index 08a0723..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/aliases
-mailer-daemon: postmaster
-postmaster: root
-nobody: root
-hostmaster: root
-usenet: root
-news: root
-webmaster: root
-www: root
-ftp: root
-abuse: root
-noc: root
-security: root
-reprepro: root
diff --git a/modules/site_nagios/files/.empty b/modules/site_nagios/files/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_nginx/files/.empty b/modules/site_nginx/files/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_postfix/files/.empty b/modules/site_postfix/files/.empty
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/site_users/manifests/admin.pp b/modules/site_users/manifests/admin.pp
deleted file mode 100644 (file)
index 14ad9da..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-class site_users::admin inherits user {
-  # root user and password
-  #user::manage { "root":
-  #  tag      => "admin",
-  #  homedir  => '/root',
-  #  password => '$5$zpdXgIaLKMDckKx9$qTS9WbmS/zylFwPu1orq.779CNnAiA9VoGdFNU94jz/',
-  #}
-
-  # first user config
-  #user::manage { "user":
-  #  tag      => "admin",
-  #  groups   => [ "sudo", ],
-  #  password => '$5$D8kCEIo5/MNCA7Tz$VhGg2MNDs21JzX9HgxSWMupA5GD5MXnKwDuveMSdPH7',
-  #  sshkey   => [ "WRONG" ],
-  #}
-}
diff --git a/modules/site_users/manifests/backups.pp b/modules/site_users/manifests/backups.pp
deleted file mode 100644 (file)
index aab00f9..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-class site_users::backup inherits user {
-  # define third-party hosted backup users here
-}
diff --git a/modules/site_users/manifests/init.pp b/modules/site_users/manifests/init.pp
deleted file mode 100644 (file)
index b3c656a..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-class site_users {
-}
diff --git a/modules/site_users/manifests/virtual.pp b/modules/site_users/manifests/virtual.pp
deleted file mode 100644 (file)
index 20aba01..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-class site_users::virtual inherits user {
-  # define custom users here
-}
diff --git a/modules/site_websites/manifests/admin.pp b/modules/site_websites/manifests/admin.pp
deleted file mode 100644 (file)
index 0be3a94..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-class site_websites::admin inherits websites::hosting::admin {
-  # An administrative Trac instance
-  #apache::site { "admin":
-  #  docroot        => "${apache::sites_folder}/admin/trac/htdocs",
-  #  use            => [ "Trac admin" ],
-  #  redirect_match => "trac",
-  #  mpm            => false,
-  #  tag            => 'all',
-  #}
-
-  apache::site { "munin":
-    docroot        => '/var/www/munin',
-    owner          => "munin",
-    group          => "munin",
-    mpm            => false,
-    tag            => 'all',
-  }
-
-  apache::site { "nagios":
-    source         => true,
-    docroot        => '/usr/share/nagios3/htdocs',
-    mpm            => false,
-    tag            => 'all',
-  }
-}
diff --git a/modules/site_websites/manifests/init.pp b/modules/site_websites/manifests/init.pp
deleted file mode 100644 (file)
index c98ca7d..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-class site_websites inherits websites::hosting {
-  # Website definitions: always use tagged resources
-  apache::site { "git":
-    source         => true,
-    docroot        => '/var/git/repositories',
-    mpm            => false,
-    tag            => 'all',
-  }
-
-  #apache::site { "site":
-  #  source         => true,
-  #  ticket         => '001',
-  #  docroot        => '/var/www/site',
-  #  tag            => 'all',
-  #}
-
-  #database::instance { "site":
-  #  password => 'xxx',
-  #  tag      => 'all',
-  #}
-}
diff --git a/puppet.conf b/puppet.conf
deleted file mode 100644 (file)
index ea5ed0e..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-[main]
-  thin_storeconfigs = true
-  storeconfigs      = true
-  dbadapter         = sqlite3
diff --git a/templates/apache/htdocs/images/README.html.erb b/templates/apache/htdocs/images/README.html.erb
deleted file mode 100644 (file)
index 4d0f929..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-<pre>
-When not explicitly mentioned, the use of these images is restricted to <%= base_domain %>
-</pre>
diff --git a/templates/apache/htdocs/index.html.erb b/templates/apache/htdocs/index.html.erb
deleted file mode 100644 (file)
index 6d2d7ea..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-<html><head>
-<meta http-equiv="refresh" content="1;url=http://<%= domain %>">
-<title><%= domain %></title></head><body>
-
-<center>
-  <p><code>You are being redirected to <a href="http://<%= domain %>">http://<%= domain %></a>.</code></p>
-</center>
-
-</body></html>
diff --git a/templates/apache/htdocs/missing.html.erb b/templates/apache/htdocs/missing.html.erb
deleted file mode 100644 (file)
index 0c95ef3..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-<head>
-<title>404 - Not Found</title>
-</head>
-<body>
-  <center>
-  <pre>
-  The address you are trying to reach could not be found. :(
-  </pre>
-  </center>
-</body>
-</html>
diff --git a/templates/apache/vhosts/cgit.erb b/templates/apache/vhosts/cgit.erb
deleted file mode 100644 (file)
index d2d393d..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-# begin vhost for cgit
-<VirtualHost *:80>
-  ServerName git.<%= domain %>
-  ServerAlias gitweb.<%= domain %>
-
-  ServerSignature Off
-
-  Alias /cgit.css /var/www/htdocs/cgit/cgit.css
-  Alias /cgit.png /var/www/htdocs/cgit/cgit.png
-
-  ScriptAlias /cgi-bin/ /var/www/htdocs/cgit/
-
-  DocumentRoot /var/git/repositories
-  <Directory /var/git/repositories>
-    AllowOverride None
-    Options +ExecCGI
-    Order allow,deny
-    Allow from all
-
-    DirectoryIndex /cgi-bin/cgit.cgi
-
-    RewriteEngine on
-    RewriteCond %{REQUEST_FILENAME} !-f
-    RewriteRule ^.*$ /cgi-bin/cgit.cgi/$0 [L,PT]
-  </Directory>
-
-  ErrorLog  /var/log/apache2/cgit.openezx.org/error.log
-  CustomLog  /var/log/apache2/cgit.openezx.org/access.log common
-</VirtualHost>
-# end vhost for git
diff --git a/templates/apache/vhosts/git.erb b/templates/apache/vhosts/git.erb
deleted file mode 100644 (file)
index 89173ac..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# begin vhost for git
-<VirtualHost *:80>
-    # Recipe based on http://josephspiros.com/2009/07/26/configuring-gitweb-for-apache-on-debian
-
-    ServerName git.<%= domain %>
-    ServerAlias gitweb.<%= domain %>
-    SetEnv GITWEB_CONFIG /etc/gitweb.conf
-    HeaderName HEADER
-    DocumentRoot /var/git/repositories
-    Alias /gitweb.css /usr/share/gitweb/gitweb.css
-    Alias /git-favicon.png /usr/share/gitweb/git-favicon.png
-    Alias /git-logo.png /usr/share/gitweb/git-logo.png
-
-    ScriptAlias /gitweb /usr/lib/cgi-bin/gitweb.cgi
-    RewriteEngine on
-
-    # Rewrite all other paths that aren't git repo internals to gitweb
-    RewriteRule ^/$ /gitweb [PT]
-    RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb%{REQUEST_URI} [L,PT]
-</VirtualHost>
-# end vhost for git
diff --git a/templates/apache/vhosts/lists.erb b/templates/apache/vhosts/lists.erb
deleted file mode 100644 (file)
index 158dfd4..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# begin vhost for lists.<%= domain %>
-<VirtualHost *:80>
-   ServerName lists.<%= domain %>
-   DocumentRoot /var/www/data/lists
-
-   RedirectMatch ^/$ https://lists.<%= domain %>/wws
-   Alias /static-sympa /var/lib/sympa/static_content
-   Alias /wwsicons /usr/share/sympa/icons
-   ScriptAlias /wws /var/www/data/lists/wwsympa.fcgi
-
-   <IfModule mod_fcgid.c>
-     IPCCommTimeout 120
-     MaxProcessCount 2
-   </IfModule>
-
-   SuexecUserGroup sympa sympa
-
-   <Location /wws>
-     SetHandler fcgid-script
-   </Location>
-</VirtualHost>
-# end vhost for lists.<%= domain %>
diff --git a/templates/apache/vhosts/mail.erb b/templates/apache/vhosts/mail.erb
deleted file mode 100644 (file)
index 3badcf0..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-# begin vhost for mail.<%= domain >
-<VirtualHost *:80>
-  ServerName mail.<%= domain >
-  #DocumentRoot /usr/share/squirrelmail
-  DocumentRoot /var/lib/roundcube
-      
-  # begin squirrel config
-  <Directory /usr/share/squirrelmail>
-    Options Indexes FollowSymLinks
-    <IfModule mod_php4.c>
-      php_flag register_globals off
-    </IfModule>
-    <IfModule mod_php5.c>
-      php_flag register_globals off
-    </IfModule>
-    <IfModule mod_dir.c>
-      DirectoryIndex index.php
-    </IfModule>
-  
-    # access to configtest is limited by default to prevent information leak
-    <Files configtest.php>
-      order deny,allow
-      deny from all
-      allow from 127.0.0.1
-    </Files>
-  </Directory>
-  # end squirrel config
-
-  # begin roundcube config
-  # Access to tinymce files
-  Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
-  Alias /roundcube /var/lib/roundcube
-
-  <Directory "/usr/share/tinymce/www/">
-        Options Indexes MultiViews FollowSymLinks
-        AllowOverride None
-        Order allow,deny
-        allow from all
-  </Directory>
-  
-  <Directory /var/lib/roundcube/>
-    Options +FollowSymLinks
-    # This is needed to parse /var/lib/roundcube/.htaccess. See its
-    # content before setting AllowOverride to None.
-    AllowOverride All
-    order allow,deny
-    allow from all
-  </Directory>
-  
-  # Protecting basic directories:
-  <Directory /var/lib/roundcube/config>
-          Options -FollowSymLinks
-          AllowOverride None
-  </Directory>
-  
-  <Directory /var/lib/roundcube/temp>
-          Options -FollowSymLinks
-          AllowOverride None
-          Order allow,deny
-          Deny from all
-  </Directory>
-  
-  <Directory /var/lib/roundcube/logs>
-          Options -FollowSymLinks
-          AllowOverride None
-          Order allow,deny
-          Deny from all
-  </Directory>  
-  # end roundcube config
-
-</VirtualHost>
-# end vhost for mail.<%= domain >
diff --git a/templates/apache/vhosts/nagios.erb b/templates/apache/vhosts/nagios.erb
deleted file mode 100644 (file)
index 8b3d252..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-# begin vhost for nagios
-<VirtualHost *:80>
-    ServerName nagios.<%= domain >
-    DocumentRoot /usr/share/nagios3/htdocs
-
-    # apache configuration for nagios 3.x
-    # note to users of nagios 1.x and 2.x:
-    #       throughout this file are commented out sections which preserve
-    #       backwards compatibility with bookmarks/config forî<80><80>older nagios versios.
-    #       simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
-    
-    ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
-    ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
-    # nagios 1.x:
-    #ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
-    #ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
-    # nagios 2.x: 
-    #ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
-    #ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
-    
-    # Where the stylesheets (config files) reside
-    Alias /nagios3/stylesheets /etc/nagios3/stylesheets
-    # nagios 1.x:
-    #Alias /nagios/stylesheets /etc/nagios3/stylesheets
-    # nagios 2.x:
-    #Alias /nagios2/stylesheets /etc/nagios3/stylesheets
-    
-    # Where the HTML pages live
-    Alias /nagios3 /usr/share/nagios3/htdocs
-    # nagios 2.x: 
-    #Alias /nagios2 /usr/share/nagios3/htdocs
-    # nagios 1.x:
-    #Alias /nagios /usr/share/nagios3/htdocs
-    
-    <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
-            Options FollowSymLinks
-    
-            DirectoryIndex index.html
-    
-            AllowOverride AuthConfig
-            Order Allow,Deny
-            Allow From All
-    
-            AuthName "Nagios Access"
-            AuthType Basic
-            AuthUserFile /etc/nagios3/htpasswd.users
-            # nagios 1.x:
-            #AuthUserFile /etc/nagios/htpasswd.users
-            require valid-user
-    </DirectoryMatch>
-    
-    # Enable this ScriptAlias if you want to enable the grouplist patch.
-    # See http://apan.sourceforge.net/download.html for more info
-    # It allows you to see a clickable list of all hostgroups in the
-    # left pane of the Nagios web interface
-    # XXX This is not tested for nagios 2.x use at your own peril
-    #ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
-    # nagios 1.x:
-    #ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
-</VirtualHost>
-# end vhost for nagios
diff --git a/templates/apache/vhosts/wiki.erb b/templates/apache/vhosts/wiki.erb
deleted file mode 100644 (file)
index 56e395b..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-# begin vhost for wiki.<%= domain >
-<VirtualHost *:80>
-   ServerName wiki.<%= domain >
-   DocumentRoot /var/www/data/wiki
-      
-   # begin wiki config
-   <Directory /var/www/data/wiki>
-      Options Indexes Includes FollowSymLinks MultiViews
-      AllowOverride All
-   </Directory>
-   # end wiki config
-
-   <IfModule mpm_itk_module>
-     AssignUserId wiki wiki
-   </IfModule>
-</VirtualHost>
-# end vhost for wiki.<%= domain >
diff --git a/templates/etc/aliases.erb b/templates/etc/aliases.erb
deleted file mode 100644 (file)
index f520f68..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/aliases
-mailer-daemon: postmaster
-postmaster: root
-nobody: root
-hostmaster: root
-usenet: root
-news: root
-webmaster: root
-www: root
-ftp: root
-abuse: root
-noc: root
-security: root
-reprepro: root
-root: <%= first_user_email %>
diff --git a/templates/etc/nagios3/htpasswd.users.erb b/templates/etc/nagios3/htpasswd.users.erb
deleted file mode 100644 (file)
index c21d493..0000000
+++ /dev/null
@@ -1 +0,0 @@
-nagiosadmin:0FCabjvUTHvxF
diff --git a/templates/etc/nginx/domain.erb b/templates/etc/nginx/domain.erb
deleted file mode 100644 (file)
index 8beff14..0000000
+++ /dev/null
@@ -1,173 +0,0 @@
-# <%= domain %> proxy config
-
-# Set the max size for file uploads
-client_max_body_size 100M;
-
-# SNI Configuration
-server {
-  listen              443 default;
-  server_name         _;
-  ssl                 on;
-  ssl_certificate     /etc/ssl/certs/blank.crt;
-  ssl_certificate_key /etc/ssl/private/blank.pem;
-  return              403;
-}
-
-server {
-  # see config tips at
-  # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
-
-  # Don't log anything
-  access_log /dev/null;
-  error_log  /dev/null;
-
-  # simple reverse-proxy
-  listen       80;
-  server_name  *.<%= domain %> <%= domain %>
-
-  # enable HSTS header
-  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
-
-  # https redirection by default
-  rewrite ^(.*)      https://$host$1 redirect;
-
-  # rewrite rules for backups.<%= domain %>
-  #if ($host ~* ^backups\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for admin.<%= domain %>
-  #if ($host ~* ^admin\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for munin.<%= domain %>
-  #if ($host ~* ^munin\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for trac.<%= domain %>
-  #if ($host ~* ^trac\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for nagios.<%= domain %>
-  #if ($host ~* ^nagios\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for htpasswd.<%= domain %>
-  #if ($host ~* ^htpasswd\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for postfixadmin.<%= domain %>
-  #if ($host ~* ^postfixadmin\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for mail.<%= domain %>
-  #if ($host ~* ^mail\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # rewrite rules for lists.<%= domain %>
-  #if ($host ~* ^lists\.<%= domain %>$) {
-  #  rewrite ^(.*)    https://$host$1 redirect;
-  #  break;
-  #}
-
-  # pass requests for dynamic content
-  location / {
-    proxy_set_header Host $http_host;
-    proxy_pass       http://weblocal:80;
-  }
-
-}
-
-server {
-  # https reverse proxy
-  listen      443;
-  server_name *.<%= domain %> <%= domain %>;
-
-  # Don't log anything
-  access_log /dev/null;
-  error_log  /dev/null;
-
-  ssl on;
-  ssl_certificate     /etc/ssl/certs/cert.crt;
-  ssl_certificate_key /etc/ssl/private/cert.pem;
-
-  ssl_session_timeout 5m;
-
-  ssl_protocols SSLv3 TLSv1;
-  ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
-  ssl_prefer_server_ciphers on;
-  ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;
-
-  # Set the max size for file uploads
-  client_max_body_size 100M;
-
-  location / {
-    # preserve http header and set forwarded proto
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Forwarded-Proto https;  
-
-    proxy_read_timeout 120;
-    proxy_connect_timeout 120;
-
-    # rewrite rules for admin.<%= domain %>
-    if ($host ~* ^admin\.<%= domain %>$) {
-      proxy_pass       http://admin:80;
-      break;
-    }
-
-    # rewrite rules for munin.<%= domain %>
-    if ($host ~* ^munin\.<%= domain %>$) {
-      proxy_pass       http://admin:80;
-      break;
-    }
-
-    # rewrite rules for trac.<%= domain %>
-    if ($host ~* ^trac\.<%= domain %>$) {
-      proxy_pass       http://admin:80;
-      break;
-    }
-
-    # rewrite rules for nagios.<%= domain %>
-    if ($host ~* ^nagios\.<%= domain %>$) {
-      proxy_pass       http://admin:80;
-      break;
-    }
-
-    # rewrite rules for postfixadmin.<%= domain %>
-    if ($host ~* ^postfixadmin\.<%= domain %>$) {
-      proxy_pass       http://mail:80;
-      break;
-    }
-
-    # rewrite rules for mail.<%= domain %>
-    if ($host ~* ^mail\.<%= domain %>$) {
-      proxy_pass       http://mail:80;
-      break;
-    }
-
-    # rewrite rules for lists.<%= domain %>
-    if ($host ~* ^lists\.<%= domain %>$) {
-      proxy_pass       http://mail:80;
-      break;
-    }
-
-    # default proxy pass
-    proxy_pass       http://weblocal:80;
-  }
-
-}
diff --git a/templates/postfix/tls_policy.erb b/templates/postfix/tls_policy.erb
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
deleted file mode 100644 (file)
index 96f078c..0000000
+++ /dev/null
@@ -1,120 +0,0 @@
-# This is the default auth.conf file, which implements the default rules
-# used by the puppet master. (That is, the rules below will still apply
-# even if this file is deleted.)
-#
-# The ACLs are evaluated in top-down order. More specific stanzas should
-# be towards the top of the file and more general ones at the bottom;
-# otherwise, the general rules may "steal" requests that should be
-# governed by the specific rules.
-#
-# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
-# description of auth.conf's behavior.
-#
-# Supported syntax:
-# Each stanza in auth.conf starts with a path to match, followed
-# by optional modifiers, and finally, a series of allow or deny
-# directives.
-#
-# Example Stanza
-# ---------------------------------
-# path /path/to/resource     # simple prefix match
-# # path ~ regex             # alternately, regex match
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|backreference|*|regex]
-# deny [host|backreference|*|regex]
-# allow_ip [ip|cidr|ip_wildcard|*]
-# deny_ip [ip|cidr|ip_wildcard|*]
-#
-# The path match can either be a simple prefix match or a regular
-# expression. `path /file` would match both `/file_metadata` and
-# `/file_content`. Regex matches allow the use of backreferences
-# in the allow/deny directives.
-#
-# The regex syntax is the same as for Ruby regex, and captures backreferences
-# for use in the `allow` and `deny` lines of that stanza
-#
-# Examples:
-#
-# path ~ ^/path/to/resource    # Equivalent to `path /path/to/resource`.
-# allow *                      # Allow all authenticated nodes (since auth
-#                              # defaults to `yes`).
-#
-# path ~ ^/catalog/([^/]+)$    # Permit nodes to access their own catalog (by
-# allow $1                     # certname), but not any other node's catalog.
-#
-# path ~ ^/file_(metadata|content)/extra_files/  # Only allow certain nodes to
-# auth yes                                       # access the "extra_files"
-# allow /^(.+)\.example\.com$/                   # mount point; note this must
-# allow_ip 192.168.100.0/24                      # go ABOVE the "/file" rule,
-#                                                # since it is more specific.
-#
-# environment:: restrict an ACL to a comma-separated list of environments
-# method:: restrict an ACL to a comma-separated list of HTTP methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-
-### Authenticated ACLs - these rules apply only when the client
-### has a valid certificate and is thus authenticated
-
-# allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
-method find
-allow $1
-
-# allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
-method find
-allow $1
-
-# allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
-method find
-allow *
-
-# allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
-method save
-allow $1
-
-# Allow all nodes to access all file services; this is necessary for
-# pluginsync, file serving from modules, and file serving from custom
-# mount points (see fileserver.conf). Note that the `/file` prefix matches
-# requests to both the file_metadata and file_content paths. See "Examples"
-# above if you need more granular access control for custom mount points.
-path /file
-allow *
-
-### Unauthenticated ACLs, for clients without valid certificates; authenticated
-### clients can also access these paths, though they rarely need to.
-
-# allow access to the CA certificate; unauthenticated nodes need this
-# in order to validate the puppet master's certificate
-path /certificate/ca
-auth any
-method find
-allow *
-
-# allow nodes to retrieve the certificate they requested earlier
-path /certificate/
-auth any
-method find
-allow *
-
-# allow nodes to request a new certificate
-path /certificate_request
-auth any
-method find, save
-allow *
-
-path /v2.0/environments
-method find
-allow *
-
-# deny everything else; this ACL is not strictly necessary, but
-# illustrates the default policy.
-path /
-auth any
diff --git a/templates/puppet/fileserver.conf.erb b/templates/puppet/fileserver.conf.erb
deleted file mode 100644 (file)
index e4d6e0a..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# See http://docs.puppetlabs.com/guides/file_serving.html
-
-# Files
-[files]
-  path /etc/puppet/files
-  allow *.<%= base_domain %>
-
-# SSL keys
-[ssl]
-  path /etc/puppet/keys/ssl
-  deny *
-
-# SSH keys
-[ssh]
-  path /etc/puppet/keys/ssh/%h
-  allow *
-
-# Public keys
-[pubkeys]
-  path /etc/puppet/keys/public
-  allow *
diff --git a/templates/puppet/master.pp.erb b/templates/puppet/master.pp.erb
deleted file mode 100644 (file)
index 5865723..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-node '<%= hostname %>-master.<%= domain %>' {
-  $main_master    = true
-  include nodo::master
-
-  # encrypted data remote backup
-  #backup::rdiff { "other-host":
-  #  port   => "10102",
-  #}
-
-}
diff --git a/templates/puppet/nodes.pp.erb b/templates/puppet/nodes.pp.erb
deleted file mode 100644 (file)
index 4acddc6..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Node definitions.
-#
-
-<%- if first_nodes == 'present' then -%>
-import "nodes/<%= first_hostname %>.pp"
-import "nodes/<%= first_hostname %>-master.pp"
-import "nodes/<%= first_hostname %>-proxy.pp"
-import "nodes/<%= first_hostname %>-web.pp"
-import "nodes/<%= first_hostname %>-storage.pp"
-import "nodes/<%= first_hostname %>-test.pp"
-<%- else -%>
-#import "nodes/example.pp"
-<%- end -%>
diff --git a/templates/puppet/proxy.pp.erb b/templates/puppet/proxy.pp.erb
deleted file mode 100644 (file)
index 908c2ec..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-node '<%= hostname %>-proxy.<%= domain %>' {
-  #$mail_delivery = 'tunnel'
-  #$mail_hostname = 'mail'
-  #$mail_ssh_port = '2202'
-
-  include nodo::proxy
-
-  # encrypted data remote backup
-  #backup::rdiff { "other-host":
-  #  port   => "10102",
-  #}
-
-  # reference to admin vserver
-  host { "<%= hostname %>-master":
-    ensure       => present,
-    ip           => "192.168.0.2",
-    host_aliases => [ "<%= hostname %>-master.<%= domain %>", "puppet", "admin" ],
-    notify       => Service["nginx"],
-  }
-
-  # reference to proxy vserver
-  #host { "<%= hostname %>-proxy":
-  #  ensure       => present,
-  #  ip           => "192.168.0.3",
-  #  host_aliases => [ "<%= hostname %>-proxy.<%= domain %>", "<%= hostname %>-proxy" ],
-  #  notify       => Service["nginx"],
-  #}
-
-  # reference to web vserver
-  host { "<%= hostname %>-web":
-    ensure       => present,
-    ip           => "192.168.0.4",
-    host_aliases => [ "<%= hostname %>-web.<%= domain %>", "<%= hostname %>-web", "weblocal" ],
-    notify       => Service["nginx"],
-  }
-
-  # reference to storage vserver
-  host { "<%= hostname %>-storage":
-    ensure       => present,
-    ip           => "192.168.0.5",
-    host_aliases => [ "<%= hostname %>-storage.<%= domain %>", "<%= hostname %>-storage" ],
-    notify       => Service["nginx"],
-  }
-
-  # reference to test vserver
-  host { "<%= hostname %>-test":
-    ensure       => present,
-    ip           => "192.168.0.6",
-    host_aliases => [ "<%= hostname %>-test.<%= domain %>", "<%= hostname %>-test" ],
-    notify       => Service["nginx"],
-  }
-
-}
diff --git a/templates/puppet/puppet.conf.erb b/templates/puppet/puppet.conf.erb
deleted file mode 100644 (file)
index e2751ca..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-[main]
-logdir                   = /var/log/puppet
-vardir                   = /var/lib/puppetmaster
-ssldir                   = $vardir/ssl
-rundir                   = /var/run/puppet
-factpath                 = $vardir/lib/facter
-pluginsync               = true
-
-[master]
-templatedir              = $vardir/templates
-masterport               = 8140
-autosign                 = false
-storeconfigs             = true
-dbadapter                = sqlite3
-#dbadapter                = mysql
-#dbserver                 = localhost
-#dbuser                   = puppet
-#dbpassword               = <%= db_password %>
-dbconnections            = 15
-certname                 = puppet.<%= base_domain %>
-ssl_client_header        = SSL_CLIENT_S_DN
-ssl_client_verify_header = SSL_CLIENT_VERIFY
-
-[agent]
-server                   = puppet.<%= base_domain %>
-vardir                   = /var/lib/puppet
-ssldir                   = $vardir/ssl
-runinterval              = 7200
-puppetport               = 8139
-configtimeout            = 300
diff --git a/templates/puppet/server.pp.erb b/templates/puppet/server.pp.erb
deleted file mode 100644 (file)
index fcd21e0..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-node '<%= hostname %>.<%= domain %>' {
-  #$mail_delivery          = 'tunnel'
-  #$mail_hostname          = 'mail'
-  #$mail_ssh_port          = '2202'
-  $shorewall_dmz          = true
-  $resolvconf_nameservers = $opendns_nameservers
-  $has_ups                = false
-  include nodo::server
-
-  #
-  # Linux-VServers
-  #
-  #nodo::vserver::instance { "<%= hostname %>-master":
-  #  context      => '2',
-  #  puppetmaster => true,
-  #}
-
-  #nodo::vserver::instance { "<%= hostname %>-proxy":
-  #  context => '3',
-  #  proxy   => true,
-  #}
-
-  #nodo::vserver::instance { "<%= hostname %>-web":
-  #  context => '4',
-  #  gitd    => true,
-  #}
-
-  #nodo::vserver::instance { "<%= hostname %>-storage":
-  #  context      => '5',
-  #}
-
-  #nodo::vserver::instance { "<%= hostname %>-test":
-  #  context => '6',
-  #  memory_limit => 500,
-  #}
-
-  # encrypted data remote backup
-  #backup::rdiff { "other-host":
-  #  port   => "10105",
-  #}
-}
diff --git a/templates/puppet/storage.pp.erb b/templates/puppet/storage.pp.erb
deleted file mode 100644 (file)
index be93335..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-node '<%= hostname %>-storage.<%= domain %>' {
-  #$mail_delivery          = 'tunnel'
-  #$mail_hostname          = 'mail'
-  #$mail_ssh_port          = '2202'
-
-  include nodo::storage
-
-  # encrypted data remote backup
-  #backup::rdiff { "other-host":
-  #  port   => "10102",
-  #}
-
-}
diff --git a/templates/puppet/test.pp.erb b/templates/puppet/test.pp.erb
deleted file mode 100644 (file)
index 816eca9..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-node '<%= hostname %>-test.<%= domain %>' {
-  #$mail_delivery          = 'tunnel'
-  #$mail_hostname          = 'mail'
-  #$mail_ssh_port          = '2202'
-
-  include nodo::test
-
-  # encrypted data remote backup
-  #backup::rdiff { "other-host":
-  #  port   => "10102",
-  #}
-
-}
diff --git a/templates/puppet/users.pp.erb b/templates/puppet/users.pp.erb
deleted file mode 100644 (file)
index 3b7c857..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-class users::virtual inherits user {
-  # define custom users here
-}
-
-class users::backup inherits user {
-  # define third-party hosted backup users here
-}
-
-class users::admin inherits user {
-  # root user and password
-  user::manage { "root":
-    tag      => "admin",
-    homedir  => '/root',
-    password => '<%= root_password %>',
-  }
-
-  # first user config
-  user::manage { "<%= first_user %>":
-    tag      => "admin",
-    groups   => [ "sudo", ],
-    password => '<%= first_user_password %>',
-    sshkey   => [ "<%= first_user_sshkey %>" ],
-  }
-
-}
diff --git a/templates/puppet/web.pp.erb b/templates/puppet/web.pp.erb
deleted file mode 100644 (file)
index afc328b..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-node '<%= hostname %>-web.<%= domain %>' {
-  #$mail_delivery          = 'tunnel'
-  #$mail_hostname          = 'mail'
-  #$mail_ssh_port          = '2202'
-
-  include nodo::web
-
-  # encrypted data remote backup
-  #backup::rdiff { "other-host":
-  #  port   => "10102",
-  #}
-
-}