Mercurial > repos > other > Puppet
annotate manifests/templates.pp @ 411:83f2e944a43f
Set security settings on BDStrike.co.uk
Wordpress does some stuff that can be fixed with nonces and
LOTS of stuff that can't, so we need to change the CSP headers
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sat, 08 Oct 2022 12:15:52 +0100 |
| parents | 575764c36e16 |
| children | 6421c6f77eb8 |
| rev | line source |
|---|---|
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
1 # Make sure packages come after their repos |
|
382
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
2 File<| tag == 'repo-config' |> |
|
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
3 -> anchor { 'Repo-config': } |
|
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
4 -> YumRepo<| |> |
|
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
5 -> anchor { 'Repos': } |
|
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
6 -> Package<| |> |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
7 |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
8 # Make sure all files are in place before starting services |
| 298 | 9 # FIXME: Title matches are to fix a dependency cycle |
|
382
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
10 File<| tag != 'post-service' and title != '/etc/sysconfig/ip6tables' and title != '/etc/sysconfig/iptables' |> |
|
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
11 -> anchor { 'Pre-Service Files': } |
|
308b4149bee5
Add anchors to simplify dependencies
IBBoard <dev@ibboard.co.uk>
parents:
379
diff
changeset
|
12 -> Service<| |> |
| 246 | 13 |
| 14 # Set some shortcut variables | |
| 15 #$os = $operatingsystem | |
|
249
e9323ff8f451
Make EPEL work on multiple versions of CentOS
IBBoard <dev@ibboard.co.uk>
parents:
247
diff
changeset
|
16 $osver = $operatingsystemmajrelease |
| 246 | 17 $server = '' |
|
32
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
18 |
|
6bbc86f6cee5
Tidy up ordering and dependencies (including making sure we have a necessary file for Fail2Ban to start)
IBBoard <dev@ibboard.co.uk>
parents:
25
diff
changeset
|
19 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
20 class basenode { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
21 include sudo |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
22 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
23 include defaultusers |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
24 include logwatch |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
25 |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
26 file { '/etc/puppet/hiera.yaml': |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
27 ensure => present, |
| 264 | 28 content => " |
| 29 # Let the system set defaults | |
| 30 version: 5 | |
| 31 ", | |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
32 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
33 |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
34 if $operatingsystem == 'Ubuntu' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
35 file { '/etc/locale.gen': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
36 ensure => present, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
37 content => "en_GB.UTF-8 UTF-8", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
38 notify => Exec['Regen locales'] |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
39 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
40 exec { 'Regen locales': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
41 command => 'locale-gen', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
42 refreshonly => true |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
43 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
44 # Don't waste space with Snap and do everything properly with system packages |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
45 [ 'lxd', 'core18', 'core20', 'snapd'].each |$snap| { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
46 exec { "remove $snap snap package": |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
47 command => "snap remove $snap", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
48 onlyif => "which snap && snap list $snap", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
49 tag => 'snap', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
50 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
51 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
52 Exec<| tag == 'snap' |> -> |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
53 package { 'snapd': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
54 ensure => purged, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
55 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
56 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
57 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
58 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
59 class basevpsnode ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
60 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
61 $proxy_4to6_ip_prefix = undef, |
| 279 | 62 $proxy_upstream = undef, |
| 326 | 63 $nat64_ranges = [], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
64 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
65 $imapserver, |
| 326 | 66 $mailrelays = [], |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
67 $firewall_cmd = 'iptables', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
68 ) { |
|
44
546dfa011f58
Remove "puppet" host name because we don't need it
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
69 |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
70 if $firewall_cmd == 'iptables' { |
| 279 | 71 class { 'vpsfirewall': |
| 72 fw_protocol => $primary_ip =~ Stdlib::IP::Address::V6 ? { true => 'IPv6', default => 'IPv4'}, | |
| 73 } | |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
74 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
75 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
76 #VPS is a self-mastered Puppet machine, so bodge a Hosts file |
| 302 | 77 if $primary_ip =~ Stdlib::IP::Address::V6 { |
| 78 $lo_ip = '::1' | |
| 79 } else { | |
| 80 $lo_ip = '127.0.0.1' | |
| 81 } | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
82 file { '/etc/hosts': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
83 ensure => present, |
| 302 | 84 content => "${lo_ip} localhost\n${primary_ip} ${fqdn}", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
85 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
86 |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
87 if $proxy_4to6_ip_prefix != undef { |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
88 # …:1 to …:9 for websites, …:10 for mail |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
89 $ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
90 |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
91 $ipv6_secondaries = join($ipv6_addresses, " ") |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
92 |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
93 augeas {'IPv6 secondary addresses': |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
94 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
95 changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'", |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
96 } |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
97 } |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
98 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
99 require repos |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
100 include basenode |
| 246 | 101 include privat |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
102 include dnsresolver |
|
396
e93588ec1ce3
Use "param" variables for settings instead of conditions
IBBoard <dev@ibboard.co.uk>
parents:
393
diff
changeset
|
103 include ::privat::params |
|
e93588ec1ce3
Use "param" variables for settings instead of conditions
IBBoard <dev@ibboard.co.uk>
parents:
393
diff
changeset
|
104 class { '::ssh': |
|
e93588ec1ce3
Use "param" variables for settings instead of conditions
IBBoard <dev@ibboard.co.uk>
parents:
393
diff
changeset
|
105 sshd_config_port => $::privat::params::ssh_port[$::fqdn] |
|
e93588ec1ce3
Use "param" variables for settings instead of conditions
IBBoard <dev@ibboard.co.uk>
parents:
393
diff
changeset
|
106 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
107 include vcs::server |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
108 include vcs::client |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
109 class { 'webserver': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
110 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
111 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
112 proxy_4to6_mask => 124, |
| 279 | 113 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
114 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
115 include cronjobs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
116 include logrotate |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
117 class { 'fail2ban': |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
118 firewall_cmd => $firewall_cmd, |
|
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
119 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
120 include tools |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
121 class { 'email': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
122 mailserver => $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
123 imapserver => $imapserver, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
124 mailserver_ip => $primary_ip, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
125 proxy_ip => $proxy_4to6_ip_prefix != undef ? { true => "${proxy_4to6_ip_prefix}:10", default => undef }, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
126 proxy_upstream => $proxy_upstream, |
| 326 | 127 nat64_ranges => $nat64_ranges, |
| 128 mailrelays => $mailrelays, | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
129 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
130 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
131 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
132 ## Classes to allow facet behaviour using preconfigured setups of classes |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
133 |
| 279 | 134 class vpsfirewall ($fw_protocol) { |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
135 resources { "firewall": |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
136 purge => false, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
137 } |
| 279 | 138 class { "my_fw": |
| 139 ip_version => $fw_protocol, | |
| 140 } | |
| 141 # Control what does and doesn't get pruned in the main filter chain | |
| 142 firewallchain { "INPUT:filter:$fw_protocol": | |
| 143 purge => true, | |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
144 ignore => [ |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
145 '-j f2b-[^ ]+$', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
146 '^(:|-A )f2b-', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
147 '--comment "Great Firewall of China"', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
148 '--comment "Do not purge', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
149 ], |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
150 } |
| 279 | 151 if ($fw_protocol != "IPv6") { |
| 152 firewall { '010 Whitelist Googlebot': | |
| 153 source => '66.249.64.0/19', | |
| 154 dport => [80,443], | |
| 155 proto => tcp, | |
| 156 action => accept, | |
| 157 } | |
| 158 # Block a spammer hitting our contact forms (also on StopForumSpam list A LOT) | |
| 159 firewall { '099 Blacklist spammers 1': | |
| 160 source => '107.181.78.172', | |
| 161 dport => [80, 443], | |
| 162 proto => tcp, | |
| 163 action => 'reject', | |
| 164 } | |
| 165 firewall { '099 Blacklist IODC bot': | |
| 166 # IODC bot makes too many bad requests, and contact form is broken | |
| 167 # They don't publish a robots.txt name, so firewall it! | |
| 168 source => '86.153.145.149', | |
| 169 dport => [ 80, 443 ], | |
| 170 proto => tcp, | |
| 171 action => 'reject', | |
| 172 } | |
| 173 firewall { '099 Blacklist Baidu Brazil': | |
| 174 #Baidu got a Brazilian netblock and are hitting us hard | |
| 175 #Baidu doesn't honour "crawl-delay" in robots.txt | |
| 176 #Baidu gets firewalled | |
| 177 source => '131.161.8.0/22', | |
| 178 dport => [ 80, 443 ], | |
| 179 proto => tcp, | |
| 180 action => 'reject', | |
| 181 } | |
|
139
abaf384dc939
Block another annoying IP with a firewall rule
IBBoard <dev@ibboard.co.uk>
parents:
137
diff
changeset
|
182 } |
| 279 | 183 firewallchain { "GREATFIREWALLOFCHINA:filter:$fw_protocol": |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
184 ensure => present, |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
185 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
186 firewall { '050 Check our Great Firewall Against China': |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
187 chain => 'INPUT', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
188 jump => 'GREATFIREWALLOFCHINA', |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
189 } |
| 279 | 190 firewallchain { "Fail2Ban:filter:$fw_protocol": |
|
64
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
191 ensure => present, |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
192 } |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
193 firewall { '060 Check Fail2Ban': |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
194 chain => 'INPUT', |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
195 jump => 'Fail2Ban', |
|
3bb824dabaae
Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
IBBoard <dev@ibboard.co.uk>
parents:
61
diff
changeset
|
196 } |
|
40
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
197 } |
|
222904296578
Add firewall handling when we run without APF
IBBoard <dev@ibboard.co.uk>
parents:
38
diff
changeset
|
198 |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
199 class dnsresolver { |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
200 package { 'unbound': |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
201 ensure => present, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
202 } |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
203 package { 'named': |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
204 ensure => absent, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
205 } |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
206 |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
207 service { 'named': |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
208 ensure => stopped, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
209 enable => false, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
210 } |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
211 service { 'unbound': |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
212 ensure => running, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
213 enable => true, |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
214 } |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
215 |
|
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
216 file { '/etc/named.conf': |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
217 ensure => absent, |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
218 } |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
219 file { '/etc/unbound/unbound.conf': |
|
194
a08de3153548
Add a named.conf file to control cache/memory size
IBBoard <dev@ibboard.co.uk>
parents:
193
diff
changeset
|
220 ensure => present, |
| 247 | 221 source => [ |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
222 "puppet:///common/unbound.conf-${::hostname}", |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
223 "puppet:///common/unbound.conf", |
| 247 | 224 ], |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
225 require => Package['unbound'], |
|
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
226 notify => Service['unbound'], |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
227 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
228 file { '/etc/NetworkManager/conf.d': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
229 ensure => directory |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
230 } |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
231 file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf': |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
232 ensure => present, |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
233 content => "[main] |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
234 dns=none", |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
235 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
236 |
|
101
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
237 file { '/etc/sysconfig/named': |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
238 ensure => absent, |
|
101
a48b6011a084
Stop Bind trying IPv6, as we only have a link-local IP
IBBoard <dev@ibboard.co.uk>
parents:
100
diff
changeset
|
239 } |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
240 file { '/etc/resolv.conf': |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
241 ensure => file, |
|
301
1bfc290270cc
Fix sa-update by using IPv6 for local DNS cache
IBBoard <dev@ibboard.co.uk>
parents:
298
diff
changeset
|
242 # "ipaddress" key only exists for machines with IPv4 addresses |
|
1bfc290270cc
Fix sa-update by using IPv6 for local DNS cache
IBBoard <dev@ibboard.co.uk>
parents:
298
diff
changeset
|
243 content => has_key($facts, 'ipaddress') ? { true => "nameserver 127.0.0.1", default => "nameserver ::1" }, |
|
290
1182a180085d
Swap from Bind to Named for light-weight DNS
IBBoard <dev@ibboard.co.uk>
parents:
268
diff
changeset
|
244 require => Service['unbound'], |
| 246 | 245 tag => 'post-service', |
|
100
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
246 } |
|
fd3446c3b7b9
Set up a recursive localhost-only Bind server (assuming RH's safe and sane default configs)
IBBoard <dev@ibboard.co.uk>
parents:
99
diff
changeset
|
247 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
248 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
249 class repos { |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
250 if $operatingsystem == 'CentOS' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
251 yumrepo { 'epel': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
252 mirrorlist => 'https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
253 descr => "Extra Packages for Enterprise Linux", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
254 enabled => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
255 failovermethod => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
256 gpgcheck => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
257 gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
258 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
259 file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
260 ensure => present, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
261 source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
262 tag => 'repo-config', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
263 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
264 yumrepo { 'ibboard': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
265 baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
266 descr => 'Extra packages from IBBoard', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
267 enabled => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
268 gpgcheck => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
269 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
270 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
271 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
272 ensure => present, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
273 source => 'puppet:///common/RPM-GPG-KEY-ibboard', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
274 tag => 'repo-config', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
275 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
276 yumrepo { 'webtatic': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
277 ensure => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
278 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
279 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-andy': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
280 ensure => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
281 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
282 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
283 ensure => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
284 } |
|
409
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
285 # Python requires the `devel` package on CentOS, but by default the module tries to uninstall it |
|
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
286 $dev = 'present' |
|
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
287 } |
|
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
288 else { |
|
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
289 # Other distros can take the default devel status |
|
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
290 $dev = $::python::params::dev |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
291 } |
| 148 | 292 |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
293 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { |
|
383
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
294 # The following may possibly work to ensure a CentOS Streams install. |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
295 # Or it might fail for inexplicable reasons. |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
296 # FIXME: Should be "centos-release-stream" to migrate (provides repos), but then that gets replaced by centos-stream-release, |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
297 # which Puppet doesn't recognise as the same and so keeps trying to re-install. May need an "unless" or maybe "allow_virtual" |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
298 package { 'centos-stream-release': |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
299 ensure => installed, |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
300 notify => Exec['migrate to streams']; |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
301 } |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
302 exec { 'migrate to streams': |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
303 command => '/usr/bin/dnf swap centos-linux-repos centos-stream-repos; /usr/bin/dnf distro-sync -y', |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
304 refreshonly => true |
|
f9a6f6ff8256
Attempt to migrate CentOS8 to Streams automatically
IBBoard <dev@ibboard.co.uk>
parents:
382
diff
changeset
|
305 } |
| 148 | 306 } |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
307 |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
308 class { 'python': |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
309 ensure => 'present', |
|
401
f0ee7a16125d
Switch to Python 3 on all platforms
IBBoard <dev@ibboard.co.uk>
parents:
399
diff
changeset
|
310 version => 'python3', |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
311 pip => 'present', |
|
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
312 use_epel => false, |
|
409
621e78abf82c
Fix `requires devel` problem with CentOS
IBBoard <dev@ibboard.co.uk>
parents:
408
diff
changeset
|
313 dev => $dev, |
|
272
c42fb28cff86
Update to a newer Python module
IBBoard <dev@ibboard.co.uk>
parents:
271
diff
changeset
|
314 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
315 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
316 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
317 class tools { |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
318 $packages = [ 'sqlite', 'bash-completion', 'nano', 'bzip2', 'mlocate', 'patch', 'tmux', 'wget', 'rsync' ] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
319 package { $packages: |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
320 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
321 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
322 if $osfamily == 'RedHat' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
323 package { 'yum-utils': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
324 ensure => installed |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
325 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
326 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
327 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
328 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
329 class logrotate { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
330 package { 'logrotate': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
331 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
332 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
333 file { '/etc/logrotate.d/httpd': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
334 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
335 source => 'puppet:///common/logrotate-httpd', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
336 require => Package['logrotate'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
337 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
338 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
339 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
340 class logwatch { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
341 package { 'logwatch': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
342 ensure => installed; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
343 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
344 File { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
345 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
346 require => Package['logwatch'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
347 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
348 file { '/etc/cron.daily/0logwatch': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
349 source => 'puppet:///common/0logwatch'; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
350 } |
| 332 | 351 $logwatch_dirs = [ |
| 352 '/etc/logwatch/', | |
| 353 '/etc/logwatch/conf/', | |
| 354 '/etc/logwatch/conf/logfiles/', | |
| 355 '/etc/logwatch/conf/services/', | |
|
345
bad68f1b6467
Add updated Dovecot script to Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
342
diff
changeset
|
356 '/etc/logwatch/scripts/', |
|
bad68f1b6467
Add updated Dovecot script to Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
342
diff
changeset
|
357 '/etc/logwatch/scripts/services/', |
| 332 | 358 ] |
| 359 file { $logwatch_dirs: | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
360 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
361 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
362 file { '/etc/logwatch/conf/logwatch.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
363 content => 'Detail = Med', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
364 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
365 file { '/etc/logwatch/conf/logfiles/http.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
366 content => 'LogFile = apache/access_*.log', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
367 } |
| 332 | 368 file { '/etc/logwatch/conf/logfiles/http-error.conf': |
| 369 source => 'puppet:///common/logwatch/logfiles_http-error.conf', | |
|
126
8316d4e55e92
Fix Apache 2.4 Logwatch support
IBBoard <dev@ibboard.co.uk>
parents:
125
diff
changeset
|
370 } |
| 332 | 371 file { '/etc/logwatch/conf/logfiles/mysql.conf': |
| 372 source => 'puppet:///common/logwatch/logfiles_mysql.conf', | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
373 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
374 file { '/etc/logwatch/conf/logfiles/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
375 source => 'puppet:///common/logwatch/logfiles_php.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
376 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
377 file { '/etc/logwatch/conf/services/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
378 source => 'puppet:///common/logwatch/services_php.conf', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
379 } |
|
379
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
380 file { '/etc/logwatch/conf/services/contact-form.conf': |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
381 source => 'puppet:///common/logwatch/services_contact-form.conf', |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
382 } |
|
345
bad68f1b6467
Add updated Dovecot script to Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
342
diff
changeset
|
383 file { '/etc/logwatch/scripts/services/dovecot': |
|
bad68f1b6467
Add updated Dovecot script to Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
342
diff
changeset
|
384 source => 'puppet:///common/logwatch/dovecot', |
|
bad68f1b6467
Add updated Dovecot script to Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
342
diff
changeset
|
385 } |
|
346
61be075c5a68
Ignore X-Comment "SPF whitelisted" messages in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
345
diff
changeset
|
386 file { '/etc/logwatch/scripts/services/postfix': |
|
61be075c5a68
Ignore X-Comment "SPF whitelisted" messages in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
345
diff
changeset
|
387 source => 'puppet:///common/logwatch/postfix', |
|
61be075c5a68
Ignore X-Comment "SPF whitelisted" messages in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
345
diff
changeset
|
388 } |
|
347
73d7b3ec6263
Ignore log entries from Cron tasks running in user mode
IBBoard <dev@ibboard.co.uk>
parents:
346
diff
changeset
|
389 file { '/etc/logwatch/scripts/services/systemd': |
|
73d7b3ec6263
Ignore log entries from Cron tasks running in user mode
IBBoard <dev@ibboard.co.uk>
parents:
346
diff
changeset
|
390 source => 'puppet:///common/logwatch/systemd', |
|
73d7b3ec6263
Ignore log entries from Cron tasks running in user mode
IBBoard <dev@ibboard.co.uk>
parents:
346
diff
changeset
|
391 } |
|
379
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
392 file { '/etc/logwatch/scripts/services/php': |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
393 source => 'puppet:///common/logwatch/php', |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
394 } |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
395 file { '/etc/logwatch/scripts/services/contact-form': |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
396 source => 'puppet:///common/logwatch/contact-form', |
|
63adae1a374a
Fix and expand PHP logwatch config
IBBoard <dev@ibboard.co.uk>
parents:
378
diff
changeset
|
397 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
398 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
399 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
400 #Our web server with our configs, not just a stock one |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
401 class webserver ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
402 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
403 $proxy_4to6_ip_prefix = undef, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
404 $proxy_4to6_mask = undef, |
| 279 | 405 $proxy_upstream = undef, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
406 ) { |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
407 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
408 #Setup base website parameters |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
409 class { 'website': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
410 base_dir => '/srv/sites', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
411 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
412 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
413 proxy_4to6_mask => $proxy_4to6_mask, |
| 279 | 414 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
415 default_owner => $defaultusers::default_user, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
416 default_group => $defaultusers::default_user, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
417 default_tld => 'co.uk', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
418 default_extra_tlds => [ 'com' ], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
419 } |
| 110 | 420 |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
421 if $operatingsystem == 'CentOS' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
422 $php_suffix = '' |
|
399
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
423 $variant_prefix = '' |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
424 $extra_prefix = 'pecl-' |
|
408
8a2efdcc5a98
Fix typo in `extra_extras` variable on CentOS
IBBoard <dev@ibboard.co.uk>
parents:
407
diff
changeset
|
425 $extra_extras = { 'process' => {} } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
426 if versioncmp($operatingsystemrelease, '8') >= 0 { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
427 yumrepo { 'remirepo-safe': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
428 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
429 descr => "Extra CentOS packages from Remi", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
430 enabled => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
431 failovermethod => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
432 gpgcheck => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
433 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
434 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
435 yumrepo { 'remirepo-php': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
436 mirrorlist => 'http://cdn.remirepo.net/enterprise/8/modular/$basearch/mirror', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
437 descr => 'Remi\'s Modular repository for Enterprise Linux 8 - $basearch', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
438 enabled => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
439 failovermethod => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
440 gpgcheck => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
441 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
442 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
443 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
444 ensure => present, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
445 source => 'puppet:///common/RPM-GPG-KEY-remi.el8', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
446 tag => 'repo-config', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
447 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
448 } else { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
449 yumrepo { 'remirepo-safe': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
450 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
451 descr => "Extra CentOS packages from Remi", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
452 enabled => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
453 failovermethod => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
454 gpgcheck => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
455 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
456 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
457 yumrepo { 'remirepo-php': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
458 mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php74/mirror', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
459 descr => "PHP7.4 for CentOS from Remi", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
460 enabled => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
461 failovermethod => absent, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
462 gpgcheck => 1, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
463 gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
464 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
465 file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
466 ensure => present, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
467 source => 'puppet:///common/RPM-GPG-KEY-remi', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
468 tag => 'repo-config', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
469 } |
| 320 | 470 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
471 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
472 elsif $operatingsystem == 'Ubuntu' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
473 $php_suffix = '' |
|
399
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
474 $variant_prefix = 'php-' |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
475 $extra_prefix = '' |
|
399
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
476 $extra_extras = {} |
| 238 | 477 } |
| 110 | 478 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
479 #Configure the PHP version to use |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
480 class { 'website::php': |
|
350
85d2c0079af9
Make opcache core and add APCu for object caching
IBBoard <dev@ibboard.co.uk>
parents:
347
diff
changeset
|
481 suffix => $php_suffix, |
|
335
aa9f570d6a9c
Switch to PHP 7.4 now that NextCloud has reached v18
IBBoard <dev@ibboard.co.uk>
parents:
334
diff
changeset
|
482 module => ($operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0) ? { true => 'remi-7.4', default => undef }, |
|
399
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
483 extras => { |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
484 'intl' => {}, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
485 "${extra_prefix}imagick" => { |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
486 package_prefix => $variant_prefix |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
487 }, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
488 'bcmath' => {}, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
489 "${extra_prefix}zip" => {}, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
490 'json' => {}, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
491 "${extra_prefix}apcu" => { |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
492 package_prefix => $variant_prefix |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
493 }, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
494 'gmp' => {}, |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
495 'enchant' => {} |
|
2c6065b5be5e
Switch to config-based PHP extensions
IBBoard <dev@ibboard.co.uk>
parents:
396
diff
changeset
|
496 } + $extra_extras, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
497 } |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
498 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
499 #Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
500 if $operatingsystem == 'CentOS' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
501 if versioncmp($operatingsystemrelease, '7') >= 0 { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
502 $mysqlpackage = 'mariadb' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
503 $mysqlsuffix = '' |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
504 |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
505 # Required for SELinux rule setting/status checks |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
506 if versioncmp($operatingsystemrelease, '8') >= 0 { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
507 $semanage_package_name = 'policycoreutils-python-utils' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
508 } else { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
509 $semanage_package_name = 'policycoreutils-python' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
510 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
511 |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
512 package { 'policycoreutils-python': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
513 name => $semanage_package_name, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
514 ensure => present, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
515 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
516 |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
517 $extra_packages = [ |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
518 'perl-Sys-Syslog', #Required for Perl SPF checking |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
519 ] |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
520 |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
521 package { $extra_packages: |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
522 ensure => installed |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
523 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
524 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
525 else { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
526 $mysqlpackage = 'mysql' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
527 $mysqlsuffix = '55w' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
528 } |
|
393
a948419a23b1
Fix MySQL package names on Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
529 $phpmysqlsuffix = 'nd' |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
530 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
531 elsif $operatingsystem == 'Ubuntu' { |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
532 $mysqlpackage = 'mariadb' |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
533 $mysqlsuffix = '' |
|
393
a948419a23b1
Fix MySQL package names on Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
534 $phpmysqlsuffix = '' |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
535 } |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
536 else { |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
537 fail("No MySQL support for ${operatingsystem}") |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
538 } |
| 402 | 539 include ::defaultusers::params |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
540 class { 'website::mysql': |
| 402 | 541 mysqluser => $::defaultusers::params::mysql_user, |
| 542 mysqlpassword => $::defaultusers::params::mysql_password, | |
|
24
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
543 mysqlprefix => $mysqlpackage, |
|
204330fea19a
Use MariaDB on CentOS7 and manage hiera.yaml (to avoid warnings)
IBBoard <dev@ibboard.co.uk>
parents:
18
diff
changeset
|
544 mysqlsuffix => $mysqlsuffix, |
| 110 | 545 phpsuffix => $php_suffix, |
|
393
a948419a23b1
Fix MySQL package names on Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
546 phpmysqlsuffix => $phpmysqlsuffix |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
547 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
548 |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
549 # Additional supporting directories that aren't served as sites |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
550 file { [ '/srv/sites/errorhandling', '/srv/sites/private', '/srv/cms' ]: |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
551 ensure => directory, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
552 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
553 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
554 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
555 class ibboardvpsnode ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
556 $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
557 $proxy_4to6_ip_prefix = undef, |
| 279 | 558 $proxy_upstream = undef, |
| 326 | 559 $nat64_ranges = [], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
560 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
561 $imapserver, |
| 326 | 562 $mailrelays = [], |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
563 $firewall_cmd = 'iptables', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
564 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
565 class { 'basevpsnode': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
566 primary_ip => $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
567 proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix, |
| 279 | 568 proxy_upstream => $proxy_upstream, |
| 326 | 569 nat64_ranges => $nat64_ranges, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
570 mailserver => $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
571 imapserver => $imapserver, |
| 326 | 572 mailrelays => $mailrelays, |
|
35
1bb941522ebf
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
IBBoard <dev@ibboard.co.uk>
parents:
32
diff
changeset
|
573 firewall_cmd => $firewall_cmd, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
574 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
575 |
|
267
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
576 # Set timezone to something sensible |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
577 file { "/etc/localtime": |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
578 ensure => 'link', |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
579 target => '/usr/share/zoneinfo/Europe/London', |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
580 } |
|
edeedd13262c
Set a sensible default timezone for VPS
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
581 |
| 410 | 582 package { 'mod_cspnonce': |
| 583 ensure => "installed", | |
| 584 } | |
| 585 | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
586 # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things) |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
587 $mods = [ |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
588 'auth_basic', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
589 'authn_core', |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
590 'authn_file', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
591 'authz_user', |
|
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
592 'deflate', |
| 410 | 593 'xsendfile', |
| 594 'cspnonce' | |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
595 ] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
596 apache::mod { |
|
146
816e35f86a5d
Remove mod_auth_token and replace with mod_xsendfile
IBBoard <dev@ibboard.co.uk>
parents:
145
diff
changeset
|
597 $mods:; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
598 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
599 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
600 #Configure our sites, using templates for the custom fragments where the extra content is too long |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
601 class { "devsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
602 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:01", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
603 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
604 class { "adminsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
605 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:02", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
606 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
607 website::https::multitld { 'www.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
608 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, |
| 246 | 609 custom_fragment => template("privat/apache/ibboard.fragment"), |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
610 letsencrypt_name => 'ibboard.co.uk', |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
611 csp_override => { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
612 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
613 "default-src" => "'none'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
614 "img-src" => "'self' https://live.staticflickr.com/", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
615 "script-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
616 "style-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
617 "font-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
618 "form-action" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
619 "connect-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
620 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
621 } |
|
374
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
622 website::https::redir { 'mail.ibboard.co.uk': |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
623 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, |
|
374
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
624 redir => 'https://ibboard.co.uk/', |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
625 docroot => "${website::basedir}/ibboard", |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
626 letsencrypt_name => 'ibboard.co.uk', |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
627 separate_log => true, |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
628 } |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
629 website::https::redir { 'imap.ibboard.co.uk': |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
630 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef }, |
|
374
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
631 redir => 'https://ibboard.co.uk/', |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
632 docroot => "${website::basedir}/ibboard", |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
633 letsencrypt_name => 'ibboard.co.uk', |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
634 separate_log => true, |
|
5f4fc00f8189
Add mail and imap redirect websites
IBBoard <dev@ibboard.co.uk>
parents:
364
diff
changeset
|
635 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
636 class { "hiveworldterrasite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
637 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:04", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
638 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
639 class { "bdstrikesite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
640 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:05", default => undef } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
641 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
642 website::https::multitld { 'www.abiknight': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
643 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:06", default => undef }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
644 custom_fragment => "$website::htmlphpfragment |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
645 ErrorDocument 404 /error.php", |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
646 letsencrypt_name => 'abiknight.co.uk', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
647 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
648 website::https::multitld { 'www.warfoundry': |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
649 proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:07", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
650 letsencrypt_name => 'warfoundry.co.uk', |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
651 custom_fragment => template("privat/apache/warfoundry.fragment"), |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
652 } |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
653 class { "webmailpimsite": |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
654 proxy_4to6_ip_pim => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:08", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
655 proxy_4to6_ip_webmail => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:09", default => undef }, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
656 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
657 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
658 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
659 class adminsite ($proxy_4to6_ip) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
660 apache::mod { 'info':; 'status':; 'cgi':; } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
661 website::https::multitld { 'admin.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
662 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
663 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
664 ssl_ca_chain => '', |
| 246 | 665 custom_fragment => template("privat/apache/admin.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
666 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
667 if $osfamily == 'RedHat' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
668 $cron_user = 'apache' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
669 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
670 elsif $osfamily == 'Debian' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
671 $cron_user = 'www-data' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
672 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
673 cron { 'loadavg': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
674 command => '/usr/local/bin/run-loadavg-logger', |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
675 user => $cron_user, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
676 minute => '*/6' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
677 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
678 cron { 'awstats': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
679 command => '/usr/local/bin/update-awstats > /srv/sites/admin/awstats.log', |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
680 user => $cron_user, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
681 hour => '*/6', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
682 minute => '0' |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
683 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
684 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
685 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
686 class hiveworldterrasite ($proxy_4to6_ip) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
687 website::https::multitld { 'www.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
688 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
689 force_no_www => false, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
690 letsencrypt_name => 'hiveworldterra.co.uk', |
| 246 | 691 custom_fragment => template("privat/apache/hwt.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
692 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
693 website::https::multitld { 'forums.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
694 proxy_4to6_ip => $proxy_4to6_ip, |
|
331
f69e2d197302
Separate some certs to make migration easier
IBBoard <dev@ibboard.co.uk>
parents:
330
diff
changeset
|
695 letsencrypt_name => 'forums.hiveworldterra.co.uk', |
| 246 | 696 custom_fragment => template("privat/apache/forums.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
697 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
698 website::https::multitld { 'skins.hiveworldterra': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
699 proxy_4to6_ip => $proxy_4to6_ip, |
| 334 | 700 letsencrypt_name => 'skins.hiveworldterra.co.uk', |
| 246 | 701 custom_fragment => template("privat/apache/skins.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
702 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
703 website::https::redir { 'hiveworldterra.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
704 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
705 redir => 'https://www.hiveworldterra.co.uk/', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
706 docroot => "${website::basedir}/hiveworldterra", |
| 334 | 707 letsencrypt_name => 'hiveworldterra.ibboard.co.uk', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
708 separate_log => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
709 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
710 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
711 class bdstrikesite ($proxy_4to6_ip) { |
|
331
f69e2d197302
Separate some certs to make migration easier
IBBoard <dev@ibboard.co.uk>
parents:
330
diff
changeset
|
712 website::https::multitld { 'www.bdstrike': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
713 proxy_4to6_ip => $proxy_4to6_ip, |
| 145 | 714 docroot_owner => $defaultusers::secondary_user, |
| 715 docroot_group => 'editors', | |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
716 letsencrypt_name => 'bdstrike.co.uk', |
| 246 | 717 custom_fragment => template("privat/apache/bdstrike.fragment"), |
|
411
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
718 csp_override => { |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
719 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", |
|
364
8224f42ee05b
Expand BDStrike CSP to allow more styling and fonts
IBBoard <dev@ibboard.co.uk>
parents:
362
diff
changeset
|
720 "font-src" => "'self' https://fonts.gstatic.com/ data:", |
|
411
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
721 "img-src" => "'self' https://secure.gravatar.com/ data:", |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
722 "style-src" => "'self' https://fonts.googleapis.com/ 'unsafe-inline'", |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
723 "connect-src" => "'self' https://www.sandbox.paypal.com/ https://www.paypal.com/", |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
724 "frame-ancestors" => "'self'" |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
725 }, |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
726 csp_report_override => { |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
727 "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
728 "font-src" => "'self' https://fonts.gstatic.com/ data:", # TODO: What's generating it? |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
729 "img-src" => "'self' https://secure.gravatar.com/ data:", |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
730 "style-src" => "'self' https://fonts.googleapis.com/ 'nonce-%{CSP_NONCE}e' 'unsafe-hashes' 'sha256-anQSeQoEnQnBulZOQkDOFf+e6xBIGmqh7M8YFT992co=' 'sha256-zJDyuABAg68wtWDFyIh+RRe+6Vm/r+BLwaNRCGNVyXI=' 'sha256-qMalr/MPLUDW4lX/rq/cGp1Eu/H0cu0Yg98pdu69Jxs=' 'sha256-mshqJ+hidJMRDeNLHknuDAeYLOPg2OTIIA3nZmHgi9U=' 'sha256-YnRUd/QjP/NuFgfjMHhNfMCqXh0RQIGdvQfMCOf6qkw=' 'sha256-EwdiFJgqhefinoeAymrWxOYW4kza2Ekos5MY0PlXYI0=' 'sha256-G4K9vh8e+37+l69S+lHTyX3CfcK95mQUgyxYPCb7uME=' 'sha256-t6oewASd7J1vBg5mQtX4hl8bg8FeegYFM3scKLIhYUc=' 'sha256-mAQYxa3mIYqoLBrm1zLu6sLajr8vUHVFLYNpl6dAakM=' 'sha256-A8foknjCsFBi1PlRehOrHq0pVySigUurqAUgZ2y2U8c=' 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog=' 'sha256-WzSByVQ8yW/DKrr77TWVt7WEMzueRcfJZImOkjTBKmc='", |
|
83f2e944a43f
Set security settings on BDStrike.co.uk
IBBoard <dev@ibboard.co.uk>
parents:
410
diff
changeset
|
731 "connect-src" => "'self' https://www.sandbox.paypal.com/ https://www.paypal.com/", |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
235
diff
changeset
|
732 }, |
| 145 | 733 } |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
734 $aliases = [ |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
735 'strikecreations.co.uk', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
736 'strikecreations.com', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
737 'www.strikecreations.com' ] |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
738 |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
739 website::https::redir { 'www.strikecreations.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
740 proxy_4to6_ip => $proxy_4to6_ip, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
741 redir => 'https://bdstrike.co.uk/', |
|
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
742 serveraliases => $aliases, |
| 145 | 743 docroot => "${website::basedir}/bdstrike", |
| 744 docroot_owner => $defaultusers::secondary_user, | |
| 745 docroot_group => 'editors', | |
|
331
f69e2d197302
Separate some certs to make migration easier
IBBoard <dev@ibboard.co.uk>
parents:
330
diff
changeset
|
746 letsencrypt_name => 'strikecreations.com', |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
747 separate_log => true, |
| 145 | 748 } |
|
235
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
749 cron { 'wordpress_cron': |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
750 # Run "php -f wp-cron.php" on a schedule so that we can auto-update |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
751 # without giving Apache full write access! |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
752 command => "/usr/local/bin/bdstrike-cron", |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
753 user => $defaultusers::default_user, |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
754 minute => '*/15', |
|
e602c5f974ac
Make a cron job for updating Wordpress
IBBoard <dev@ibboard.co.uk>
parents:
200
diff
changeset
|
755 } |
| 145 | 756 } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
757 class devsite ($proxy_4to6_ip) { |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
758 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
759 $mod_wsgi_prefix = 'run/wsgi/' |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
258
diff
changeset
|
760 } else { |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
761 $mod_wsgi_prefix = undef |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
762 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
763 class { 'apache::mod::wsgi': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
764 wsgi_socket_prefix => $mod_wsgi_prefix, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
765 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
766 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
767 website::https::multitld { 'dev.ibboard': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
768 proxy_4to6_ip => $proxy_4to6_ip, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
769 #Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!) |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
770 # http://en.wikipedia.org/wiki/Server_Name_Indication#No_support |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
771 priority => 1, |
|
157
c6b1b42f3e4b
Move all sites to separate LetsEncrypt certs to make adding future domains easier
IBBoard <dev@ibboard.co.uk>
parents:
154
diff
changeset
|
772 letsencrypt_name => 'dev.ibboard.co.uk', |
| 246 | 773 custom_fragment => template("privat/apache/dev.fragment"), |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
774 proxy_fragment => template("privat/apache/dev-proxy.fragment"), |
|
52
be1e9773a12c
Mercurial repo versions index.php files etc, so removing index.php breaks things!
IBBoard <dev@ibboard.co.uk>
parents:
44
diff
changeset
|
775 force_no_index => false, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
776 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
777 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
778 |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
779 class webmailpimsite ($proxy_4to6_ip_pim, $proxy_4to6_ip_webmail) { |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
780 # Webmail and Personal Information Management (PIM) sites |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
781 website::https { 'webmail.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
782 proxy_4to6_ip => $proxy_4to6_ip_webmail, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
783 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
784 ssl_ca_chain => '', |
| 246 | 785 custom_fragment => template("privat/apache/webmail.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
786 } |
|
396
e93588ec1ce3
Use "param" variables for settings instead of conditions
IBBoard <dev@ibboard.co.uk>
parents:
393
diff
changeset
|
787 include ::apache::params |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
788 website::https { 'pim.ibboard.co.uk': |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
789 proxy_4to6_ip => $proxy_4to6_ip_pim, |
|
396
e93588ec1ce3
Use "param" variables for settings instead of conditions
IBBoard <dev@ibboard.co.uk>
parents:
393
diff
changeset
|
790 docroot_owner => $apache::params::user, |
|
242
7d8e664ebcc9
Change owner/group on Nextcloud for easy upgrade
IBBoard <dev@ibboard.co.uk>
parents:
241
diff
changeset
|
791 docroot_group => 'editors', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
792 force_no_index => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
793 lockdown_requests => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
794 ssl_ca_chain => '', |
|
265
bf2b8912c414
Make PIM site skip CSP headers - NextCloud manages them
IBBoard <dev@ibboard.co.uk>
parents:
264
diff
changeset
|
795 csp => false, |
|
bf2b8912c414
Make PIM site skip CSP headers - NextCloud manages them
IBBoard <dev@ibboard.co.uk>
parents:
264
diff
changeset
|
796 csp_report => false, |
| 246 | 797 custom_fragment => template("privat/apache/pim.fragment"), |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
798 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
799 cron { 'owncloudcron': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
800 command => "/usr/local/bin/owncloud-cron", |
| 402 | 801 user => $apache::params::user, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
802 minute => '*/15', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
803 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
804 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
805 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
806 class email ( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
807 $mailserver, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
808 $imapserver, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
809 $mailserver_ip, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
810 $proxy_ip = undef, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
811 $proxy_upstream = [], |
| 326 | 812 $nat64_ranges = [], |
| 813 $mailrelays = [], | |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
814 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
815 class { 'postfix': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
816 mailserver => $mailserver, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
817 mailserver_ip => $mailserver_ip, |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
818 mailserver_proxy => $proxy_ip, |
|
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
819 proxy_upstream => $proxy_upstream, |
| 326 | 820 mailrelays => $mailrelays, |
| 821 nat64_ranges => $nat64_ranges, | |
|
317
2a20a5b7f65a
Swap IPv6 Postfix to "all" protocols to support PROXY
IBBoard <dev@ibboard.co.uk>
parents:
313
diff
changeset
|
822 protocols => $mailserver_ip =~ Stdlib::IP::Address::V6 ? { true => 'all', default => 'ipv4' }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
823 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
824 class { 'dovecot': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
825 imapserver => $imapserver, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
826 imapserver_ip => $mailserver_ip, |
|
313
49e66019faf7
Configure Postfix for IPv6 w/proxy
IBBoard <dev@ibboard.co.uk>
parents:
311
diff
changeset
|
827 imapserver_proxy => $proxy_ip, |
|
311
51d3748f8112
Configure Dovecot (IMAP) for PROXY protocol use
IBBoard <dev@ibboard.co.uk>
parents:
310
diff
changeset
|
828 proxy_upstream => $proxy_upstream, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
829 } |
|
177
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
830 # Unspecified SpamAssassin config dependencies that started |
|
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
831 # showing up as errors in our logs |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
832 if $osfamily == 'RedHat' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
833 $spamassassin_deps = ['perl-File-MimeInfo'] |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
834 $spamassassin_dir = '/etc/mail/spamassassin/' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
835 $amavis_dir = '/etc/amavisd/' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
836 $amavis_service = 'amavisd' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
837 # CentOS has a Clam service, but we call on demand (Ubuntu doesn't have a service) |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
838 service { 'clamd@amavisd': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
839 ensure => 'stopped', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
840 enable=> 'mask', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
841 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
842 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
843 elsif $osfamily == 'Debian' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
844 $spamassassin_deps = ['libfile-mimeinfo-perl'] |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
845 $spamassassin_dir = '/etc/spamassassin/' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
846 $amavis_dir = '/etc/amavis/' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
847 $amavis_service = 'amavis' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
848 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
849 package { $spamassassin_deps: |
|
177
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
850 ensure => installed, |
|
1b605c38b375
Add missing dependencies for SpamAssassin rules
IBBoard <dev@ibboard.co.uk>
parents:
176
diff
changeset
|
851 } |
|
140
6eef7cec8658
Remove ClamAV from server config
IBBoard <dev@ibboard.co.uk>
parents:
139
diff
changeset
|
852 package { [ 'amavisd-new' ]: |
| 85 | 853 ensure => installed, |
| 854 tag => 'av', | |
| 855 } | |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
856 service { $amavis_service: |
|
86
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
857 ensure => 'running', |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
858 enable => 'true', |
|
4f59d2fcd521
Make sure that Amavis daemon is running so mail gets delivered after reboot!
IBBoard <dev@ibboard.co.uk>
parents:
85
diff
changeset
|
859 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
860 file { "${amavis_dir}amavisd.conf": |
| 85 | 861 ensure => present, |
| 862 source => 'puppet:///private/postfix/amavisd.conf', | |
| 863 tag => 'av', | |
| 864 } | |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
865 file { "${spamassassin_dir}local.cf": |
|
163
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
866 ensure => present, |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
867 source => 'puppet:///private/postfix/spamassassin-local.cf', |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
868 tag => 'av', |
|
4e53d77fa586
Manage SpamAssassin local config
IBBoard <dev@ibboard.co.uk>
parents:
162
diff
changeset
|
869 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
870 file { "${spamassassin_dir}ole2macro.cf": |
|
142
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
871 ensure => present, |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
872 source => 'puppet:///common/ole2macro.cf', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
873 tag => 'av', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
874 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
875 file { "${spamassassin_dir}ole2macro.pm": |
|
142
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
876 ensure => present, |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
877 source => 'puppet:///common/spamassassin-vba-macro-master/ole2macro.pm', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
878 tag => 'av', |
|
dae1088dd218
Add OLE detection to SpamAssassin without ClamAV
IBBoard <dev@ibboard.co.uk>
parents:
141
diff
changeset
|
879 } |
| 85 | 880 Package<| tag == 'av' |> -> File<| tag == 'av' |> |
|
87
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
881 File<| tag == 'av' |> { |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
385
diff
changeset
|
882 notify => Service[$amavis_service], |
|
87
6be21a984126
Make sure that config file changes for changes trigger a reload
IBBoard <dev@ibboard.co.uk>
parents:
86
diff
changeset
|
883 } |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
884 cron { 'Postwhite': |
|
129
16a931df5fd7
Filter what we see in Postwhite cron output
IBBoard <dev@ibboard.co.uk>
parents:
128
diff
changeset
|
885 command => "/usr/local/bin/postwhite 2>&1| grep -vE '^(Starting|Recursively|Getting|Querying|Removing|Sorting|$)'", |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
886 user => 'root', |
|
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
887 weekday => 0, |
|
128
379089631403
Fix rookie cron mistake - don't run Postwhite EVERY MINUTE!
IBBoard <dev@ibboard.co.uk>
parents:
126
diff
changeset
|
888 hour => 2, |
|
379089631403
Fix rookie cron mistake - don't run Postwhite EVERY MINUTE!
IBBoard <dev@ibboard.co.uk>
parents:
126
diff
changeset
|
889 minute => 0, |
|
125
ca711ab45f17
Schedule Postwhite to run regularly
IBBoard <dev@ibboard.co.uk>
parents:
122
diff
changeset
|
890 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
891 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
892 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
893 class cronjobs { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
894 # Add Mutt for scripts that send emails, but stop it clogging the disk by keeping copies of emails |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
895 package { 'mutt': |
|
131
0dd899a10ee1
Change all "latest" packages to "installed"
IBBoard <dev@ibboard.co.uk>
parents:
129
diff
changeset
|
896 ensure => installed, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
897 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
898 file { '/etc/Muttrc.local': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
899 content => 'set copy = no', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
900 require => Package['mutt'], |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
901 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
902 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
903 # General server-wide cron jobs |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
904 Cron { user => 'root' } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
905 cron { 'backupalldbs': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
906 command => "/usr/local/bin/backupalldbs", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
907 monthday => "*/2", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
908 hour => "4", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
909 minute => "9" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
910 } |
|
323
002203790815
Stop running Great Firewall Against China on IPv6 machines
IBBoard <dev@ibboard.co.uk>
parents:
322
diff
changeset
|
911 # Only run the Great Firewall Against China on IPv4 (since we don't have an IPv6 list |
|
002203790815
Stop running Great Firewall Against China on IPv6 machines
IBBoard <dev@ibboard.co.uk>
parents:
322
diff
changeset
|
912 # and the PROXY forwards the IPs to services, but not at the network level) |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
913 cron { 'greatfirewallofchina': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
914 command => '/usr/local/bin/update-great-firewall-of-china', |
|
323
002203790815
Stop running Great Firewall Against China on IPv6 machines
IBBoard <dev@ibboard.co.uk>
parents:
322
diff
changeset
|
915 ensure => has_key($facts, 'ipaddress') ? { true => "present", default => "absent" }, |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
916 hour => 3, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
917 minute => 30 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
918 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
919 cron { 'permissions': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
920 command => '/usr/local/bin/set-permissions', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
921 hour => 3, |
|
14
534e584f21ce
Tweak time on permission setting script so that it is less likely to clash with LoadAVG run every 6 minutes
IBBoard <dev@ibboard.co.uk>
parents:
13
diff
changeset
|
922 minute => 2 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
923 } |
|
55
ce8eaaca6a34
Update firewalling so that we block the right ports when using iptables directly
IBBoard <dev@ibboard.co.uk>
parents:
54
diff
changeset
|
924 # Since we're only managing the local server, use our script that wraps "puppet apply" instead of PuppetMaster |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
925 cron { 'puppet': |
|
268
9f054191b9db
Filter new log line from puppet-apply output
IBBoard <dev@ibboard.co.uk>
parents:
267
diff
changeset
|
926 command => '/usr/local/bin/puppet-apply | grep -v "Compiled catalog for\|Finished catalog run in\|Applied catalog in"', |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
927 hour => '*/6', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
928 minute => 5 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
929 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
930 cron { 'purgecaches': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
931 command => "/usr/local/bin/purge-caches", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
932 hour => '4', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
933 minute => '15', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
934 weekday => '1', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
935 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
936 # Notify of uncommitted files |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
937 cron { 'check-mercurial-committed': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
938 command => "/usr/local/bin/check-hg-status", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
939 hour => '4', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
940 minute => '20', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
941 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
942 } |
|
93
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
943 # Notify of available updates |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
944 cron { 'check-yum-updates': |
| 407 | 945 command => '/usr/bin/yum check-update | grep -E "^[^ ]+ +[0-9a-z_:\.\+-]+ +[^ ]+ *$"', |
|
93
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
946 hour => '4', |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
947 minute => '30', |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
948 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
74678cd7a200
Run cron job to notify of available updates
IBBoard <dev@ibboard.co.uk>
parents:
91
diff
changeset
|
949 } |
|
97
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
950 # And check whether anything needs restarting |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
951 cron { 'check-needs-restarting': |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
952 command => '/usr/bin/needs-restarting|grep -v "/usr/lib/systemd\|/usr/sbin/lvmetad\|/usr/lib/polkit-1/polkitd"', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
953 hour => '4', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
954 minute => '45', |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
955 weekday => '0-6/3', #Sunday, Wednesday and Saturday morning |
|
b69e3f6708d6
Add another regular command to check that we've not got services requiring a restart
IBBoard <dev@ibboard.co.uk>
parents:
96
diff
changeset
|
956 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
957 } |