Adding basic NAS class
authorSilvio Rhatto <rhatto@riseup.net>
Fri, 5 Apr 2013 18:38:08 +0000 (15:38 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Fri, 5 Apr 2013 18:38:08 +0000 (15:38 -0300)
manifests/init.pp
manifests/nas.pp [new file with mode: 0644]
manifests/nas/share.pp [new file with mode: 0644]
manifests/subsystems/firewall/mpd.pp [new file with mode: 0644]
manifests/subsystems/firewall/nas.pp [new file with mode: 0644]
manifests/subsystems/firewall/redirect.pp [new file with mode: 0644]

index 074a78da8bdaa1e3283b173a3a44603e0b87e627..eed0e708ff92024dec4f4d4baae412632d144cc0 100644 (file)
@@ -138,6 +138,9 @@ import "subsystems/firewall/wifi.pp"
 import "subsystems/firewall/local.pp"
 import "subsystems/firewall/openvpn.pp"
 import "subsystems/firewall/ppp.pp"
+import "subsystems/firewall/nas.pp"
+import "subsystems/firewall/redirect.pp"
+import "subsystems/firewall/mpd.pp"
 
 # Import nodo classes
 import "nodo.pp"
@@ -161,3 +164,4 @@ import "kvm.pp"
 import "jabber.pp"
 import "mumble.pp"
 import "yacy.pp"
+import "nas.pp"
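Review bot: The new `define share` in manifests/nas/share.pp is not imported here, although every other file added by this commit is; with the explicit `import` style this manifest relies on, the define is only available if something imports it, and since it is named plain `share` rather than `nodo::nas::share` the autoloader would not find it by path either. Add `import "nas/share.pp"` next to `import "nas.pp"`, or rename the define to match its path. I cannot see whether another manifest already imports it, so confirm before adding.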
diff --git a/manifests/nas.pp b/manifests/nas.pp
new file mode 100644 (file)
index 0000000..bb4b58a
--- /dev/null
@@ -0,0 +1,235 @@
+class nodo::nas {
+  # Firewall rules
+  include firewall::nas
+
+  # DLNA
+  class { 'minidlna': }
+
+  #
+  # NFS
+  #
+  # References
+  # https://github.com/arioch/puppet-nfs
+  # https://github.com/stankevich/puppet-nfs
+  # https://github.com/camptocamp/puppet-nfs
+  # https://github.com/haraldsk/puppet-module-nfs/
+  # http://git.puppet.immerda.ch/?p=module-nfsd.git;a=summary
+  # http://wiki.debian.org/NFSServerSetup
+  # http://www.tldp.org/HOWTO/NFS-HOWTO/
+
+  # Main class
+  class { 'nfs':
+    server => true;
+  }
+
+  #
+  # FTP
+  #
+
+  # References
+  # https://forge.puppetlabs.com/tags/ftp
+  # https://forum.openwrt.org/viewtopic.php?id=12976
+  # http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ
+  # http://www.massimilianomarini.com/04/02/2012/how-follow-symbolic-links-pure-ftpd
+
+  # Main class
+  class { 'pureftpd':
+    virtualchroot => true,
+  }
+
+  # Enable anonymous ftp
+  file { '/etc/pure-ftpd/conf/NoAnonymous':
+    ensure  => present,
+    owner   => root,
+    group   => root,
+    mode    => 0644,
+    content => "no\n",
+    notify  => Service[$pureftpd::params::service_name],
+  }
+
+  #  
+  # Samba
+  #
+
+  # References
+  # https://github.com/ajjahn/puppet-samba
+  # https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2583364
+  # http://serverfault.com/questions/240217/dd-wrt-bonjour-netbios-etc-on-two-subnets
+  # http://www.linuxplanet.com/linuxplanet/tutorials/6600/2
+  # http://forums.fedoraforum.org/showthread.php?t=260519
+  # http://randombio.com/linuxsetup38.html
+
+  # Main class
+  class { 'samba::server':
+    workgroup     => hiera('nodo::samba::workgroup',     'WORKGROUP'),
+    server_string => hiera('nodo::samba::server_string', 'Samba Server'),
+    interfaces    => hiera('nodo::samba::interfacesp ,   'lo eth0'),
+    security      => hiera('nodo::samba::security',      'share'),
+  }
+
+  # We are avoiding multicast
+  # http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/
+  # http://linux-igd.sourceforge.net/documentation.php
+  set_samba_option {
+   # Remote announce won't work since routers don't forward broadcast traffic
+   #'remote announce': value => hiera('nodo::samba::remote_announce', '');
+   'wins support':     value => 'yes';
+   'preferred master': value => 'yes';
+   'domain master':    value => 'yes';
+  }
+
+  #
+  # HTTP
+  #
+
+  # References
+  # https://github.com/camptocamp/puppet-lighttpd
+  # https://github.com/example42/puppet-lighttpd
+  # http://git.puppet.immerda.ch/?p=module-lighttpd.git;a=summary
+
+  # Main class
+  class { 'lighttpd': }
+
+  # Document root
+  file { '/var/www/data':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0755,
+  }
+
+  #
+  # TFTP
+  #
+
+  # Main class
+  class { 'tftp':
+    directory => '/srv/tftp',
+    address   => $::ipaddress,
+    options   => '--ipv4 --timeout 60',
+    inetd     => false,
+  }
+
+  # Rsync
+  include rsync::server
+
+  # MPD
+  include mpd
+  include mpd::client
+
+  #
+  # CUPS
+  #
+
+  # References
+  # https://github.com/mosen/puppet-cups
+  # https://github.com/camptocamp/puppet-cups
+
+  # Package
+  package { [ 'cups', 'cups-client' ]:
+    ensure => installed,
+  }
+
+  #
+  # Avahi
+  #
+
+  # References
+  # http://nfs-lan.sevka.info/
+  # http://en.gentoo-wiki.com/wiki/Avahi
+  # https://wiki.archlinux.org/index.php/Avahi
+  # http://packages.debian.org/wheezy/libnss-mdns
+  # http://packages.debian.org/wheezy/mdns-scan
+  # http://packages.debian.org/wheezy/avahi-discover
+  # http://askubuntu.com/questions/19590/how-do-i-share-nfs-mounts-over-zeroconf
+  # http://sophie.zarb.org/distrib/Mandriva/current/x86_64/rpms/pure-ftpd/files/1
+  # https://github.com/stahnma/puppet-module-avahi
+  # https://github.com/tjfontaine/airprint-generate
+  # http://mryoung.soundbomb.net/index.php/apple-airprint-with-linux-avahi
+  # http://lists.freedesktop.org/archives/avahi/2006-July/000824.html
+  # http://cups.org/documentation.php/doc-1.6/ref-cupsd-conf.html#BrowseLocalProtocols
+  # http://www.dns-sd.org/ServiceTypes.html
+
+  # Main class
+  include avahi
+
+  file { '/etc/avahi/services/rsync.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/rsync.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  file { '/etc/avahi/services/http.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/http.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  file { '/etc/avahi/services/samba.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/samba.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  file { '/etc/avahi/services/ftp.service':
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => 'puppet:///modules/site_avahi/services/ftp.service',
+    notify => Service['avahi-daemon'],
+  }
+
+  #
+  # Infinote / gobby
+  #
+
+  # References
+  # http://gobby.0x539.de/trac/wiki/Infinote/Infinoted
+  # http://www.webupd8.org/2011/04/how-to-set-up-and-use-gedit.html
+
+  # Package
+  package { 'infinoted':
+    ensure => installed,
+  }
+
+  #
+  # DAAP
+  #
+
+  # References
+  # http://packages.debian.org/stable/forked-daapd
+  # http://packages.debian.org/squeeze/mt-daapd
+  # https://github.com/stahnma/puppet-module-daap_server
+  
+  # Main class, but package not available on wheezy
+  #class { 'daap_server':
+  #  collection_name => 'Noise - DAAP',
+  #  music_dir       => '/var/cache/media/noise',
+  #}
+
+  #
+  # Media folders
+  #
+
+  # Main class
+  class { 'media::folders': }
+  
+  # Make sure basic media exist, no matter if there is an external disk attached
+  $cache = hiera('nodo::media::folders', '')
+
+  if $cache != '' {
+    file { "${cache}":
+      ensure => directory,
+    }
+  }
+}
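Review bot: The `interfaces` line of the `samba::server` declaration has an unterminated string — `hiera('nodo::samba::interfacesp ,   'lo eth0')` — so the manifest does not parse and the whole `nodo::nas` class is unusable; it should read `interfaces    => hiera('nodo::samba::interfaces',    'lo eth0'),`. Separately, this class enables anonymous FTP (`/etc/pure-ftpd/conf/NoAnonymous` set to `no`) and runs Samba with `security => 'share'` plus WINS/domain-master enabled, which is only reasonable if the `net` zone used by `firewall::nas` is a trusted LAN; a one-line comment at the top of the class stating that assumption would spare the next reader a surprise. Minor: `file { "${cache}": ... }` can simply be `file { $cache: ... }`, and puppet-lint prefers file modes as quoted strings (`'0644'`) rather than bare octal.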
diff --git a/manifests/nas/share.pp b/manifests/nas/share.pp
new file mode 100644 (file)
index 0000000..e29ecbe
--- /dev/null
@@ -0,0 +1,59 @@
+# Share a folder pubicly using FTP, Samba, NFS, DLNA, etc.
+define share(
+  $description,
+  $folder,
+  $dlna_type          = '',
+  $nfs_export_target  = '127.0.0.1',
+  $nfs_export_options = 'ro,sync,no_subtree_check'
+) {
+
+  # DLNA share
+  if $dlna_type != '' {
+    minidlna::share { $folder:
+      type => $dlna_type,
+    }
+  }
+
+  # Samba share
+  samba::server::share { $name:
+    comment        => $description,
+    path           => $folder,
+    guest_only     => true,
+    guest_ok       => true,
+    browsable      => true,
+    create_mask    => 0777,
+    directory_mask => 0777,
+  }
+
+  # NFS export
+  nfs::export { $name:
+    export_directory => $folder,
+    export_target    => $nfs_export_target,
+    export_options   => $nfs_export_options,
+  }
+
+  # HTTP and FTP symlinks to media assets
+  file { [ "/var/www/data/${name}", "/home/ftp/${name}" ]:
+    ensure  => $folder,
+    require => File['/var/www/data', '/home/ftp'],
+  }
+
+  # Avahi service
+  file { "/etc/avahi/services/nfs-${name}.service":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => 0644,
+    source => "puppet:///modules/site_avahi/services/nfs-${name}.service",
+    notify => Service['avahi-daemon'],
+  }
+
+  # Make sure basic media exist, no matter which disk is attached
+  $cache = hiera('nodo::media::folders', '')
+
+  if $cache != '' {
+    file { [ "${cache}/${name}" ]:
+      ensure => directory,
+    }
+  }
+}
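Review bot: The Samba share is declared guest-only with `create_mask`/`directory_mask` of `0777`, so anything created through it ends up world-writable on the filesystem; whether guests can write at all depends on the `samba::server::share` module's read-only default, which is not visible here, so please confirm and, if the share is meant to be read-only like the NFS export default (`ro,sync,no_subtree_check`), pass the module's read-only/writable parameter explicitly and tighten the masks to `0755`/`0644`. `ensure => $folder` on the two symlink resources is valid but easy to misread; `ensure => link, target => $folder` states the intent directly. The `require => File['/var/www/data', '/home/ftp']` depends on `File['/home/ftp']`, which nas.pp does not declare, so catalog compilation will fail unless the pureftpd module declares it. Header comment typo: "pubicly" → "publicly".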
diff --git a/manifests/subsystems/firewall/mpd.pp b/manifests/subsystems/firewall/mpd.pp
new file mode 100644 (file)
index 0000000..5724952
--- /dev/null
@@ -0,0 +1,21 @@
+class firewall::mpd {
+  # MPD http stream
+  shorewall::rule { 'mpd-http-stream':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '8000',
+    order           => 200,
+    action          => 'ACCEPT';
+  }
+
+  # MPD client access
+  shorewall::rule { 'mpd-daemon':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '6600',
+    order           => 200,
+    action          => 'ACCEPT';
+  }
+}
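Review bot: `mpd-daemon` accepts the MPD control port (6600) from the `net` zone; MPD's control protocol is unauthenticated unless a password is set in mpd.conf, so everyone in that zone can control playback and modify the database, not merely listen to the stream on 8000. If clients are meant to be LAN-only, restrict `source` to the LAN zone or a `net:<lan-cidr>` qualifier, or at least add a comment recording that `net` is assumed to be a trusted network. Both rules also omit `ratelimit => '-'` and terminate the attribute list with `;` rather than `,`, unlike the rules in firewall/nas.pp; aligning them keeps the rule style uniform across the subsystem.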
diff --git a/manifests/subsystems/firewall/nas.pp b/manifests/subsystems/firewall/nas.pp
new file mode 100644 (file)
index 0000000..c6eaf72
--- /dev/null
@@ -0,0 +1,152 @@
+class firewall::nas {
+  # Basic firewall rules
+  include shorewall::rules::ftp
+  include shorewall::rules::tftp
+  include shorewall::rules::http
+  include shorewall::rules::nfsd
+  include shorewall::rules::rsync
+  include firewall::printer
+  include firewall::torrent
+  include firewall::mpd
+
+  # Additional ports needed by NFS
+  # Got using rpcinfo -p and netstat -ap
+  shorewall::rule { 'nfs-1':
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '35150,43902,46661,46661,46661,50340,54814,57170,58403,59780',
+    ratelimit       => '-',
+    order           => 100,
+  }
+
+  shorewall::rule { 'nfs-2':
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'udp',
+    destinationport => '938,38511,43195,53081,53081,53081,38521,45238,52664,52400,60331',
+    ratelimit       => '-',
+    order           => 100,
+  }
+
+  # See http://www.shorewall.net/samba.htm
+  shorewall::rule { 'samba':
+    action          => 'SMB/ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => '-',
+    destinationport => '-',
+    ratelimit       => '-',
+    order           => 100,
+  }
+
+  shorewall::rule { 'netbios-1':
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '137,138,139',
+    ratelimit       => '-',
+    order           => 100,
+  }
+
+  shorewall::rule { 'netbios-2':
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'udp',
+    destinationport => '137,138,139',
+    ratelimit       => '-',
+    order           => 100,
+  }
+
+  # DLNA
+  #
+  # https://wiki.archlinux.org/index.php/MiniDLNA
+  # http://netpatia.blogspot.co.uk/2011/03/setup-your-own-dlna-server.html
+  # http://wiki.alpinelinux.org/wiki/IPTV_How_To
+  # http://mediatomb.cc/dokuwiki/faq:faq
+  # http://packages.debian.org/wheezy/djmount
+  # http://packages.debian.org/wheezy/gupnp-tools
+  #
+  # Optional:
+  #
+  # http://www.shorewall.net/UPnP.html
+  #
+  #   linux-igd package
+  #   /etc/default/linux-igd
+  #   /etc/upnpd.conf
+
+  shorewall::rule { "dlna-1":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp,udp',
+    destinationport => "1900",
+    ratelimit       => '-',
+    order           => 102,
+  }
+
+  shorewall::rule { "dlna-2":
+    action          => 'ACCEPT',
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp,udp',
+    destinationport => "8200",
+    ratelimit       => '-',
+    order           => 103,
+  }
+
+  shorewall::rule { "dlna-3":
+    action          => 'allowinUPnP',
+    source          => 'net',
+    destination     => '$FW',
+    order           => 104,
+  }
+
+  shorewall::rule { "dlna-4":
+    action          => 'forwardUPnP',
+    source          => 'net',
+    destination     => '$FW',
+    order           => 105,
+  }
+
+  # Enable multicast
+  augeas { 'enable_multicast':
+    changes => 'set /files/etc/shorewall/shorewall.conf/MULTICAST Yes',
+    lens    => 'Shellvars.lns',
+    incl    => '/etc/shorewall/shorewall.conf',
+    notify  => Service[shorewall];
+  }
+
+  # DAAP
+  shorewall::rule { 'daap-1':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'tcp',
+    destinationport => '3689',
+    order           => 300,
+    action          => 'ACCEPT';
+  }
+
+  shorewall::rule { 'daap-2':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'udp',
+    destinationport => '3689',
+    order           => 301,
+    action          => 'ACCEPT';
+  }
+
+  # Avahi/mDNS
+  shorewall::rule { 'mdns':
+    source          => 'net',
+    destination     => '$FW',
+    proto           => 'udp',
+    destinationport => '5353',
+    order           => 400,
+    action          => 'ACCEPT';
+  }
+}
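Review bot: The `nfs-1`/`nfs-2` port lists (`35150,43902,46661,...` and `938,38511,43195,...`) are ephemeral ports that rpc.statd, lockd and mountd happened to bind when `rpcinfo -p` was run, as the comment above them admits; they change on every restart, so these rules will both stop matching the real services and leave arbitrary high ports open to the `net` zone. Pin the helper ports in the NFS daemon configuration (on Debian the mountd/statd options in `/etc/default/nfs-kernel-server` and `/etc/default/nfs-common`, and lockd's `nlm_tcpport`/`nlm_udpport` module options — the linked Debian NFSServerSetup wiki describes this) and list only those fixed ports here. The lists also repeat entries (`46661` three times, `53081` three times). Lesser points: the `SMB/ACCEPT` macro already covers the NetBIOS and SMB ports, so `netbios-1`/`netbios-2` are largely redundant, and `dlna-1`..`dlna-4` use double-quoted titles without interpolation unlike every other rule in the class.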
diff --git a/manifests/subsystems/firewall/redirect.pp b/manifests/subsystems/firewall/redirect.pp
new file mode 100644 (file)
index 0000000..7a9734a
--- /dev/null
@@ -0,0 +1,14 @@
+class firewall::redirect::ssh($destinationport) {
+  # When the box is in an internal network and we want to provide
+  # and external access through a shared real IP, we have to
+  # redirect requests coming from another port to port 22.
+  shorewall::rule { "ssh-redirect-1":
+    action          => 'DNAT',
+    source          => 'net',
+    destination     => "fw:$ipaddress:22",
+    proto           => 'tcp',
+    destinationport => $destinationport,
+    ratelimit       => '-',
+    order           => $destinationport,
+  }
+}
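Review bot: `destination => "fw:$ipaddress:22"` reads the unqualified `$ipaddress`, whereas nas.pp uses `$::ipaddress`; an unqualified name should still fall through to the top-scope fact, but puppet-lint flags it and any same-named variable in an enclosing scope would shadow it silently, so write `destination     => "fw:${::ipaddress}:22",`. `$destinationport` has no default and is not validated, so an empty or non-numeric value only fails later at shorewall compile time; a check at the top of the class (stdlib `validate_re` if the repository already uses stdlib, otherwise an `if`/`fail`) surfaces the error at catalog compile time. Reusing the port number as `order` works, but it makes the rule's position relative to the 100–400 ordering in firewall/nas.pp depend on the chosen port; either a fixed order or a comment saying the coupling is intentional would help.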